Verifying and Synthesizing Constant-Resource Implementations with Types

Ngo, Van Chan; Dehesa-Azuara, Mario; Fredrikson, Matthew; Hoffmann, Jan

doi:10.1109/sp.2017.53

Cited by 34 publications

(27 citation statements)

References 92 publications

(136 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are different approaches to the problem that are based on type systems [30,37,18,15,27], abstract interpretation [25,5,16], recurrence relations [20,4,36], termination analysis [46,11,8,31], and other techniques [14,19]. Among the applications of this research we find the prevention of side channels that leak secret information [38,6,35], identification of complexity bugs [39], support of scheduling decisions [1], and help in profiling [26].…”

Section: Introductionmentioning

confidence: 99%

Work Analysis with Resource-Aware Session Types

Das

Hoffmann

Pfenning

2018

Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science

Self Cite

View full text Add to dashboard Cite

While there exist several successful techniques for supporting programmers in deriving static resource bounds for sequential code, analyzing the resource usage of message-passing concurrent processes poses additional challenges. To meet these challenges, this article presents an analysis for statically deriving worst-case bounds on the total work performed by message-passing processes. To decompose interacting processes into components that can be analyzed in isolation, the analysis is based on novel resource-aware session types, which describe protocols and resource contracts for inter-process communication. A key innovation is that both messages and processes carry potential to share and amortize cost while communicating. To symbolically express resource usage in a setting without static data structures and intrinsic sizes, resource contracts describe bounds that are functions of interactions between processes. Resource-aware session types combine standard binary session types and type-based amortized resource analysis in a linear type system. This type system is formulated for a core session-type calculus of the language SILL and proved sound with respect to a multiset-based operational cost semantics that tracks the total number of messages that are exchanged in a system. The effectiveness of the analysis is demonstrated by analyzing standard examples from amortized analysis and the literature on session types and by a comparative performance analysis of different concurrent programs implementing the same interface. arXiv:1712.08310v2 [cs.PL] 27 Apr 2018components that can be analyzed in isolation. After all, the resource usage of each component crucially depends on its interactions with the world.In this paper, we study the foundations of worst-case resource analysis for message-passing processes. A key idea of our approach is to rely on resourceaware session types to describe structure, protocols, and resource bounds for inter-process communication that we can use to perform a compositional and precise amortized analysis. Session types [32,33,12,13,45] prescribe bidirectional communication protocols for message-passing processes. Binary session types govern the interaction of two processes along a single channel, prescribing complementary send and receive actions for the processes at the two endpoints of a channel. We use such protocols as the basis of resource usage contracts that not only specify the type but also the potential of a message that is sent along a channel. The potential (in the sense of classic amortized analysis [43]) may be spent sending other messages as part of the network of interacting processes, or maintained locally for future interactions. Resource analysis is static, using the type system, and the runtime behavior of programs is not affected.

show abstract

Section: Introductionmentioning

confidence: 99%

Work Analysis with Resource-Aware Session Types

Das

Hoffmann

Pfenning

2018

Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Cryptographic constant-time is an appealing property to study in the context of secure compilation. On the theoretical side, cryptographic constant-time is an instance of observational non-interference, an information-flow property that reasons about instrumented semantics of programsÐsee [Barthe et al 2018;Ngo et al 2017] for notions of observational non-interference. Therefore, techniques for proving preservation of cryptographic constant-time could form a good starting point for proving preservation of observational non-interference policies and more generally relational properties.…”

Section: Introductionmentioning

confidence: 99%

Formal verification of a constant-time preserving C compiler

Barthe

Blazy

Grégoire

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Timing side-channels are arguably one of the main sources of vulnerabilities in cryptographic implementations. One effective mitigation against timing side-channels is to write programs that do not perform secret-dependent branches and memory accesses. This mitigation, known as łcryptographic constant-timež, is adopted by several popular cryptographic libraries. This paper focuses on compilation of cryptographic constant-time programs, and more specifically on the following question: is the code generated by a realistic compiler for a constant-time source program itself provably constant-time? Surprisingly, we answer the question positively for a mildly modified version of the CompCert compiler, a formally verified and moderately optimizing compiler for C. Concretely, we modify the CompCert compiler to eliminate sources of potential leakage. Then, we instrument the operational semantics of CompCert intermediate languages so as to be able to capture cryptographic constant-time. Finally, we prove that the modified CompCert compiler preserves constant-time. Our mechanization maximizes reuse of the CompCert correctness proof, through the use of new proof techniques for proving preservation of constant-time. These techniques achieve complementary trade-offs between generality and tractability of proof effort, and are of independent interest. CCS Concepts: • Security and privacy → Logic and verification.

show abstract

“…AARA has been introduced [Hofmann and Jost 2003] for automatically deriving linear worstcase bounds for first-order functional programs. The technique has been generalized to derive polynomial bounds [Hoffmann et al 2011;Hoffmann and Hofmann 2010;Hofmann and Moser 2015], lower bounds [Ngo et al 2017], higher-order functions Jost et al 2010], lazy functional programs [Simões et al 2012;Vasconcelos et al 2015], user defined data types Jost et al 2009], and numeric imperative program [Carbonneaux et al 2017[Carbonneaux et al , 2015. It Type-Guided Worst-Case Input Generation 13:27 also has been integrated into separation logic [Atkey 2010] and proof assistants [Charguéraud and Pottier 2015;Nipkow 2015].…”

Section: Related Workmentioning

confidence: 99%

Type-guided worst-case input generation

Wang

Hoffmann

2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

This paper presents a novel technique for type-guided worst-case input generation for functional programs. The technique builds on automatic amortized resource analysis (AARA), a type-based technique for deriving symbolic bounds on the resource usage of functions. Worst-case input generation is performed by an algorithm that takes as input a function, its resource-annotated type derivation in AARA, and a skeleton that describes the shape and size of the input that is to be generated. If successful, the algorithm fills in integers, booleans, and data structures to produce a value of the shape given by the skeleton. The soundness theorem states that the generated value exhibits the highest cost among all arguments of the functions that have the shape of the skeleton. This cost corresponds exactly to the worst-case bound that is established by the type derivation. In this way, a successful completion of the algorithm proves that the bound is tight for inputs of the given shape. Correspondingly, a relative completeness theorem is proved to show that the algorithm succeeds if and only if the derived worst-case bound is tight. The theorem is relative because it depends on a decision procedure for constraint solving. The technical development is presented for a simple first-order language with linear resource bounds. However, the technique scales to and has been implemented for Resource Aware ML, an implementation of AARA for a fragment of OCaml with higher-order functions, user-defined data types, and types for polynomial bounds. Experiments demonstrate that the technique works effectively and can derive worst-case inputs with hundreds of integers for sorting algorithms, operations on search trees, and insertions into hash tables.

show abstract

Verifying and Synthesizing Constant-Resource Implementations with Types

Cited by 34 publications

References 92 publications

Work Analysis with Resource-Aware Session Types

Work Analysis with Resource-Aware Session Types

Formal verification of a constant-time preserving C compiler

Type-guided worst-case input generation

Contact Info

Product

Resources

About