We present a compiler for generating custom cryptographic protocols from high-level multiparty sessions.Sessions specify pre-arranged patterns of message exchanges between distributed participants and their data accesses to a shared store. We define integrity and confidentiality properties of sessions, in a setting where the network and arbitrary compromised parties may be controlled by an adversary. Our compiler enforces these security properties by guarding the sending and receiving of session messages by efficient cryptographic operations and checks.Given a session, our compiler generates an ML module and an interface that exposes send and receive functions that can be called by application code for each party. We prove that this generated code is secure by relying on a recent refinement type system for ML. Functions in the module interface are given dependent types that express invariants of the session state. We typecheck the program against this interface, and complete the proof by a brief, handcrafted argument.We illustrate and evaluate our implementation on a series of typical protocols, inspired by web services. In comparison with prior work, our source language is more expressive, our implementation more efficient, and our proof technique novel. Most of the proof is performed by mechanized type checking of the generated code, and does not rely on the correctness of our compiler. We obtain the strongest session security guarantees to date in a model that accounts for the actual details of protocol code.
Security by compilationTaking advantage of modern programming tools and generic wire formats, one can sometimes design, develop, and deploy complex distributed protocols in a matter of hours-relying on automated proxy generators, for example, to rapidly expose existing applications as networked services. The situation is less favorable when attempting to ensure application security subject to realistic assumptions on the network and remote parties. The problem is that most widely-available protocols for cryptographic communications (say TLS or IPSEC) operate at a lower level; they provide authenticity and confidentiality guarantees only for messages exchanged between two endpoints (URLs or IP addresses), but they leave the interpretation of these messages and endpoints to the application programmer. Hence, any guarantee that involves more than two parties (say, a multi-tiered web application with a client, a gateway, and two servers) must be carefully established by linking lowerlevel guarantees on related messages, or by layering ad hoc cryptographic mechanisms on top of communications, for instance by embedding certificates in message payloads.When considering protocols between participants in an open, networked environment, each participant may belong to a different domain, with its own configuration and security policy; although all participants are willing to run the protocol, they may not trust one another. Although it is straightforward to protect the participants of the protocol from netw...
