|
1 | 1 | # Security and Functional Correctness Proofs for Bertie |
2 | 2 |
|
3 | | -The `proofs/` directory holds ProVerif F\* proofs for code compiled by |
| 3 | +The `proofs/` directory holds ProVerif, F\*, and SSProve proofs for code compiled by |
4 | 4 | hax from the Bertie Rust implementation of TLS 1.3. |
5 | 5 |
|
6 | | -## Correctness Proofs in F\* |
| 6 | +## Prerequisites |
| 7 | +### Setting up the hax toolchain |
| 8 | +We use the hax toolchain to extract proof artifacts from the Rust |
| 9 | +source code in `src`. To be able to reproduce this extraction for |
| 10 | +yourself, please follow the installation instructions for `hax` |
| 11 | +provided at: |
| 12 | + |
| 13 | +https://github.com/cryspen/hax?tab=readme-ov-file#installation |
| 14 | + |
| 15 | +#### `hax-driver.py` |
| 16 | +We use the Python 3 script `hax-driver.py` to drive extraction and |
| 17 | +verification of the proof artifacts, so an installation of Python 3 is |
| 18 | +required. |
| 19 | + |
| 20 | +### Setting up F* |
| 21 | +We use F* version 2025.03.25 to prove runtime safety and transcript |
| 22 | +unambiguity as described in section 7 of the paper submission. To |
| 23 | +reproduce these results for yourself, please install F* following the |
| 24 | +instructions at: |
| 25 | + |
| 26 | +https://fstar-lang.org/index.html#download |
| 27 | + |
| 28 | +### Setting up Rocq + SSProve |
| 29 | +We use Rocq version 8.18.0 and SSProve for the security proofs of the |
| 30 | +key schedule as described in section 5 of the paper submission. Installation |
| 31 | +instructions can be found at: |
| 32 | + |
| 33 | +https://rocq-prover.org/install |
| 34 | +https://github.com/SSProve/ssprove |
| 35 | + |
| 36 | +Furthermore, Rust core library, which is used by the Hax translation, for Rocq/SSProve is located at: |
| 37 | + |
| 38 | +https://github.com/cryspen/hax/tree/main/proof-libs |
| 39 | + |
| 40 | +### Setting up ProVerif |
| 41 | +We use ProVerif version 2.05 to perform protocol security analysis of the |
| 42 | +implementation, as described in section 6 of the paper submission. |
| 43 | +To be able to reproduce the analysis, please follow the installation |
| 44 | +instructions provided at: |
| 45 | + |
| 46 | +https://bblanche.gitlabpages.inria.fr/proverif/ |
| 47 | + |
| 48 | +## Proof extraction using hax |
| 49 | +### F* |
| 50 | +To regenerate the extraction to F*, run |
| 51 | +``` |
| 52 | +./hax-driver.py extract-fstar |
| 53 | +``` |
| 54 | + |
| 55 | +### SSProve |
| 56 | +To regenerate the extraction for the key schedule in SSProve, run |
| 57 | +``` |
| 58 | +./hax-driver.py extract-ssprove |
| 59 | +``` |
| 60 | + |
| 61 | +To get the code running we apply a patch |
| 62 | +``` |
| 63 | +patch -d extraction/ < extraction.patch |
| 64 | +rm -rf fextraction/ |
| 65 | +mv extraction/ fextraction/ |
| 66 | +``` |
| 67 | + |
| 68 | +### ProVerif |
| 69 | +The ProVerif proofs described in section 6 of the paper submission can |
| 70 | +be extracted from the Rust source code by running |
| 71 | +``` |
| 72 | +./hax-driver.py extract-proverif |
| 73 | +``` |
| 74 | + |
| 75 | +This will generate the file `proofs/proverif/extraction/lib.pvl` from |
| 76 | +the Rust source code. |
| 77 | + |
| 78 | +## Running the Proofs |
| 79 | +### F* |
| 80 | +To run the F* proofs, run the following command: |
| 81 | +``` |
| 82 | +./hax-driver.py typecheck |
| 83 | +``` |
| 84 | + |
| 85 | +### SSProve |
| 86 | +First generate the Makefile from the _CoqProject |
| 87 | +``` |
| 88 | +coq_makefile -f _CoqProject -o Makefile |
| 89 | +``` |
| 90 | +and run `make`. |
| 91 | + |
| 92 | +### ProVerif |
| 93 | +To run the ProVerif analysis, as described in section 6 of the paper |
| 94 | +submission, run |
| 95 | +``` |
| 96 | +./hax-driver.py typecheck-proverif |
| 97 | +``` |
| 98 | + |
| 99 | +This will run the command |
| 100 | +``` |
| 101 | +proverif -lib proofs/proverif/handwritten_lib.pvl -lib |
| 102 | +proofs/proverif/extraction/lib.pvl proofs/proverif/extraction/analysis.pv |
| 103 | +``` |
| 104 | +to start the analysis. The file `handwritten_lib.pvl` exists for |
| 105 | +technical reasons and contains early |
| 106 | +definitions of certain terms. The file `analysis.pvl` contains the |
| 107 | +top-level protocol process and analysis queries, as described in |
| 108 | +section 6 of the paper submission. |
| 109 | + |
| 110 | +## Results |
| 111 | + |
| 112 | +### Correctness Proofs in F\* |
7 | 113 |
|
8 | 114 | Each Rust module `m` in the implementation is translated to two files: |
9 | 115 | `M.fst` contains the functionalized F\* code compiled from Rust, and |
@@ -54,31 +160,30 @@ the verified code will never create a panic. Of course, there is other |
54 | 160 | code outside the verification boundary that may yet panic and we intend |
55 | 161 | to expand the scope of our verification ocer time. |
56 | 162 |
|
57 | | -## Security Proofs in ProVerif |
| 163 | +### Security Proofs in ProVerif |
58 | 164 |
|
59 | 165 | We also prove security for the TLS 1.3 protocol code in Bertie. |
60 | 166 | Using hax, we generate a ProVerif model of the TLS 1.3 handshake |
61 | 167 | in `proofs/proverif/extraction/lib.pvl`. This file contains the bulk of the extraction, |
62 | 168 | while `analysis.pv` contains the top-level processes are set up and analysis queries. |
63 | 169 |
|
64 | | -We provide patches that include changes to the extracted model (described below), which allow us to show |
| 170 | +We can show |
65 | 171 | * that the modeled handshake can fully complete for both parties (as a baseline for further analysis) |
66 | | -* Server authenticity, assuming neither the certificate signing key nor a potential pre-shared key have been compromised |
67 | | -* Secrecy of the resulting session key under the same assumptions. |
| 172 | +* Server authenticity, assuming the certificate signing key is not |
| 173 | + compromised |
| 174 | +* Forward secrecy of the resulting session key under the same assumptions. |
68 | 175 |
|
69 | | -The intended flow using the driver is to run |
| 176 | +### Security of the Key Schedule in SSProve |
70 | 177 |
|
71 | | -./hax-driver.py extract-proverif to extract the ProVerif model to proofs/proverif/extraction. |
72 | | -./hax-driver.py patch-proverif to apply the patches on the extracted model. |
73 | | -./hax-driver.py typecheck-proverif to run the analysis on the patched model. |
| 178 | +We extract the implementation of the Key Schedule from SSProve. |
| 179 | +We then fix the implementation to only include the parts we need and make sure the translation is actually valid. |
| 180 | +This is done with a patch file to allow easier updates to the implementation. |
74 | 181 |
|
75 | | -The patches are necessary for parts of the model that we cannot currently generate (properly, or at all): |
76 | | -* a top-level process structure which instantiates Client and Server with ciphersuites and psk-mode configuration, |
77 | | -* event definitions and analysis queries, |
78 | | -* cryptographic operations and their semantics |
79 | | -* tls13formats related code, especially anything that relates to concatenation primitives |
| 182 | +The proof for security of the key schedule is done on a specification. |
| 183 | +The entry functions of the specification are generalized and then instantiated with the functions in the implementation. |
| 184 | +We show the implemented functions fulfill some properties to be valid in the key schedule proof. |
80 | 185 |
|
81 | | -Additionally, the patches introduce the following modifications: |
82 | | -* A mock certificate validation, checking that the name in the certificate agrees with the name of the expected peer from the top-level process. This is because Bertie does not include full certificate validation at this time, but some binding between the name and the certificate is necessary for showing server authentication. |
83 | | -* A model-side fix for the issue that is fixed on the Rust side in Correct argument order for process_psk_binder_zero_rtt #101 (until that is fixed on the Rust side). |
84 | | -* The removal of all automatically generated events, since that leads to poor performance from ProVerif and is not necessary at all for the analysis (cf. [ProVerif] Emitting events unnecessarily blows up the extracted model hacspec/hax#581) |
| 186 | +The proof for the specification follows the proof in "Key-schedule Security for the TLS 1.3 Standard." |
| 187 | +We prove the Core Key Schedule Theorem by showing the main lemma D6. |
| 188 | +The other lemmas are a direct consequence of the correct implementation of the cryptographic primitives, which we inherit from libcrux. |
| 189 | +These lemmas are therefore only stated, and the proof is Admitted. |
0 commit comments