Formal Methods at Scale in Microsoft

Transcription

1 Formal Methods at Scale in Microsoft Thomas Ball Microsoft Research 4 October 2017

2 Code Integ. Tests Unit Test Testing-based Development Commit, Build Review

3 Web app Web browser Web server Code HTTPS Integ. Tests Unit Test TLS Crypto Commit, Build Review

4 Some bugs in OpenSSL s Poly1305

5 Program Correctness Memory safety Functional correctness Termination Minimize side-channel leaks Cryptographic security

6 Reduction to Logic In theory, all problems of program correctness can be reduced to problems of logic von Neumann, 1961 Floyd, 1967 Hoare, 1969

7 Reduction to Logic int Puzzle(int x) { int res = x; res = res + (res << 10); res = res ^ (res >> 6); if (x > 0 && res == x + 1) throw new Exception("bug"); return res; } x = Automated Theorem Prover

8 Reduction To Logic In practice, many problems of program correctness 15+ years of R&D at Microsoft, building on 35+ years of related work can be compiled to problems of logic and solved by automated theorem provers

9 The Many Uses of Z3 Automated Theorem Prover Logic Boolean Algebra Floating Point Bit Vectors First-order Axioms Linear Arithmetic Sets, Maps,

10 The Many Uses of Z3 Interactive Functional Verification White-box Test Generation Automated Theorem Prover Logic Boolean Algebra Floating Point Bit Vectors First-order Axioms Linear Arithmetic Sets/Maps/

11 Specifications Code Global Verification Local Verification Interactive Functional Verification Commit, Build Review

12 MSR s Project Everest Goal: verified HTTPS replacement Challenges: - scalability of verification - performance - usable tool chain Edge Certification Authority X.509 Services & Applications curl WebKit Skype IIS Apache Clients HTTPS ASN.1 Servers Nginx TLS *** RSA SHA ECDH 4Q Crypto Algorithms Network buffers Untrusted network (TCP, UDP, )

13 Subgoal: Verified low-level crypto

14 Efficient crypto requires customizations Poly1305: Uses the prime field with p = Need 130 bits to represent a number Efficient implementations require custom bignum libraries to delay carries Everest subgoal: On X86: use 5 32-bit words, but using only 26 bits in each word On X64: use 3 64-bit words, but using only 44 bits in each word generic, efficient Curve25519: Uses the prime field with p = bignum libraries On X64: use 5 64-bit words, but using only 51 bits per word OpenSSL has 12 unverified bignum libraries optimized for each case

15 A generic bignum library Bignum code can be shared between Curve25519, Ed25519 and Poly1305, which all use different fields Only modulo is specific to the field (optimized) Consequently: - write once - verify once - extract three times

16 Prove correct in F*, extract to efficient C val poly1305_mac: tag:nbytes 16 len:u32 msg:nbytes len{disjoint tag msg} key:nbytes 32 {disjoint msg key disjoint tag key} ST unit (requires (λ h msg h key h tag h)) (ensures (λ h0 _ h1 let r=spec.clamp h0.[sub key 0 16] in let s=h0.[sub key 16 16] in modifies {tag} h0 h1 h1.[tag] == Spec.mac_1305 (encode_bytes h0.[msg]) r s)) Mathematical spec in F* poly1305_mac: (1) computes a polynomial in GF( ), (2) stores the result in tag, (3) does not modify anything else void poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *msg, uint8_t *key) { uint64_t tmp [10] = { 0 }; uint64_t *acc = tmp uint64_t *r = tmp + (uint32_t)5; uint8_t s[16] = { 0 }; Crypto_Symmetric_Poly1305_poly1305_init(r, s, key); Crypto_Symmetric_Poly1305_poly1305_process(msg, len, acc, r); Crypto_Symmetric_Poly1305_poly1305_finish(tag, acc, s); } Efficient C implementation Verification imposes no runtime performance overhead Sample code Poly1305 MAC

17 F* source: core-ml with dependent types and effects let poly1305_mac: tag:nbytes 16 len:u32 msg:nbytes len{disjoint tag msg} key:nbytes 32 {disjoint msg key disjoint tag key} ST unit (requires (λ h msg h key h tag h)) (ensures (λ h0 _ h1 )) = Z3 Type-checker + compiler C source, tuned for readability, compliance with C linters etc. Erases types + inlining etc. Core ML kremlin monomorphization, more inlining, void poly1305_mac(uint8_t *tag, uint32_t len, uint8_t *msg, uint8_t *key) { uint64_t tmp [10] = { 0 }; uint64_t *acc = tmp uint64_t *r = tmp + (uint32_t)5; uint8_t s[16] = { 0 }; Crypto_Symmetric_Poly1305_poly1305_init(r, s, key); Crypto_Symmetric_Poly1305_poly1305_process(msg, len, acc, r); Crypto_Symmetric_Poly1305_poly1305_finish(tag, acc, s); }

18 Performance of Everest s High Assurance Crypto Library (HACL*) Low* Several complete TLS ciphersuites Verification can scale up! Verification enables using 64x64 bit multiplications, without fear of getting it wrong cycles/ecdh With performance as good as or better than hand-written C

19 verified-cryptography-firefox-57/ Mozilla has partnered with INRIA and Project Everest (Microsoft Research, CMU, INRIA) to bring components from their formally verified HACL* cryptographic library into NSS, the security engine which powers Firefox.

20 Project Everest: Open Source

21 Application Logic Algorithms Frameworks file parsers OS Many security vulnerabilities are due to programming errors in file parsers Security testing hunting for million-dollar bugs Write A/V (always exploitable), Read A/V (sometimes exploitable),

22 The Many Uses of Z3 Interactive Functional Verification Whitebox Test Generation Automated Theorem Prover Logic Boolean Algebra Floating Point Bit Vectors First-order Axioms Linear Arithmetic Sets/Maps/

23 void top(char input[4]) { input = good bood baod badd bad! Gen 1 Gen 2 Gen 3 Gen 4 int cnt = 0; Path constraint: if (input[0] == b ) cnt++; I 0!= b I 0 = b bood if (input[1] == a ) cnt++; I 1!= a I 1 = a gaod baod if (input[2] == d ) cnt++; I 2!= d I 2 = d godd badd if (input[3] ==! ) cnt++; I 3!=! I 3 =! goo! bad! } if (cnt >= 4) crash(); good

24 White Box Fuzzing (SAGE) Input0 Coverage Data Constraints Check for Crashes Code Coverage Generate Path Constraints Solve Constraints (Z3) Input1 Input2 InputN

25 White Box Fuzzing (SAGE) Results Since 2007: many new security bugs found Apps: decoders, media players, document processors, Bugs: Write A/Vs, Read A/Vs, Crashes, Many triaged as security critical, severity 1, priority 1 100s of apps, 100s of bugs Bug fixes shipped quietly (no MSRCs) to 1 Billion+ PCs Millions of dollars saved (for Microsoft and the world) Practical Verification <5 security bulletins in SAGE-cleaned parsers since 2009

26 Microsoft Security Risk Detection Security Risk Detection (SRD) is Microsoft's unique fuzz testing service for finding security critical bugs in software Security Risk Detection helps customers quickly adopt practices and technology (SAGE) battle-tested over the last 15 years at Microsoft Result: Your code is highly reliable and resilient to attack

27 27 Step 1: The user manually uploads the target binaries and seed Files to the Customer VM, and uses the wizard to configure the job Step 2: Security Risk Detection validates the job, minimizes the seed files, and then clones the customer VM dozens of times based on workload Repro VM Step 4: Any time an execution fails, the offending file is sent to the repro VM to ensure the bug is reproducible Customer VM Parallelized Runs Step 3: Multiple fuzzers run for multiple days: the target app is executed roughly 8,000,000 times, each time with a slightly modified input file that s intended to crash the target Job Results API/Portal Page Step 5: Bugs that repro (along with the file, stack trace, and other debug info) are available in the portal and API in real time

28 Microsoft Security Risk Detection Results No false positives each reported issue has been verifiably reproduced Issues are deduplicated via stack trace hash these likely share the same root bug Issues can be sorted by type or severity, ensuring the most urgent issues can be addressed first Each issue includes the culprit file, stack trace, and other debug data so developers can repro and fix issues in their own environments Note: Due to the non-deterministic nature of fuzzing, results can appear early or late in the job, uniformly or in clusters

29 Summary Correctness of software critical to global infrastructure and economy MSR leads in R&D and application of formal methods at scale Automated theorem proving and verification Programming languages with rich specifications (type systems) Systematic testing tools Examples Greenfield: Verified HTTPS stack (Project Everest) Legacy: Microsoft Security Risk Detection

30 Thanks To Teams: Everest Security Risk Detection