
Build verified code using F*

By on August 25, 2021

Underneath it all, programming is still mathematics, however abstracted and industrialized it has become. The mathematics beneath our software drives programming languages and algorithms and provides the tools and concepts we use to create code.

Code is complex: a knot of functions that are executed in different ways at different times. We can think it works and we can see it working, but can we prove that it works? Some of the concepts at the heart of functional programming can be used to design a language that produces mathematically provable code, so that static analysis techniques can show how the code behaves under different starting conditions.

If you need secure code, provable code matters. You should be able to see where your code violates type safety and where there is a risk of unexpected failures or memory errors. Knowing how a failure in the code affects the security of your application, you should be able to prove that your code will never break its security model.

A look at the leading edge of computer science reveals that intersection of mathematics and code in experimental tools and languages aimed at implementing some of these techniques. One such project is a joint effort by Microsoft Research and the French national research center Inria.

Introducing F*

F* (F-star to its friends) is a functional programming language designed to support program verification techniques. You write code in F*, verify it, and then export that code to a target language or environment. The language is mature enough that it is used to compile itself, using OCaml, and it has an active development community on GitHub.

It has already produced some interesting results and is being used to develop a secure, verified implementation of HTTPS, Project Everest. This academic project provides formal proofs for the key security technologies that underpin many of today's e-commerce environments.

Project Everest has already been used to build part of the HTTPS stack containing the TLS 1.3 record layer. This is an important part of the protocol, acting as the bridge between the application and the internals of HTTPS. It must be secure enough to handle encrypted messages and to ensure that the only weak point in the system is the cryptographic library. By implementing it in F*, Project Everest ensures that the record layer itself is safe. The resulting miTLS code is part of Microsoft's implementation of the QUIC HTTP standard.

F* is also used to build verified versions of common cryptographic libraries, exporting their code as C or as assembly, as part of the High Assurance Cryptographic Library (HACL*) and the ValeCrypt libraries. These in turn are used by the top-level cryptographic provider EverCrypt, which draws on HACL* and ValeCrypt to select the best implementation of a chosen algorithm for the processor and runtime environment. It is used by the Azure Confidential Consortium Framework and by the WireGuard VPN in the Linux kernel.

Other tools that have benefited from F* implementations include a WebAssembly implementation of the Signal secure messaging protocol and a verified version of the Device Identifier Composition Engine (DICE) measured-boot tool that runs in microcontroller firmware. Much of Project Everest's work is available as source code on GitHub, along with a Linux Docker image that is rebuilt every day.

Working with F*

So how do you use F*? It is a surprisingly flexible language with support for most popular editing tools, including Visual Studio Code. You write your code in F*, run it through the verifier and, when you are ready to use it, export it to your target language. Its authors describe it as a dependently typed language, with an emphasis on functional correctness and on managing security properties and resource usage. The language wiki provides resources to get you started, including an online guide to programming with F*.

There are few things you cannot do with F*. Thanks to its functional programming techniques, it can be used much like any other programming language. One approach is to use it as a low-level systems programming language. Another is to build distributed, message-based applications that are ready to run in the public cloud alongside other microservice tools.

As a language, F* is best viewed as an ecosystem of different languages, each focused on a particular use case. These internal, domain-specific languages are the best way to approach F* programming: choose the language closest to both your experience and your application.

One of the more practical options is Low*. It is intended for situations where you would normally use C, in low-level systems applications where security matters. You can use a familiar, C-like programming style, and a built-in compiler generates C code that can be compiled as part of a C-based project. There are also structures and tools for managing stack and heap memory and for handling correctness. Low* functions carry a type signature that states they are safe and correct, and this produces a proof that is used to ensure the code works as stated.

Dependent types and theorem provers

At the heart of F* is the concept of dependent types. Here a type definition depends on a value: for example, a dependent function whose return type depends on the value of one of its arguments, or a dependent pair whose second value's type depends on the first value. This approach helps secure the types of functions and ensures, for instance, that an array is never accessed beyond its predefined size.

This approach lets the F* tools check types and values as part of proof checking, and generate code to test the application based on the dependent structures used. F* uses this to verify that your code satisfies its proofs. The proof can then be compared against a security policy, for example to ensure memory safety.

F* verifies code using an automated theorem prover based on satisfiability modulo theories (SMT). When code is verified, F* gathers the facts that need to be proven into a proof obligation, which it passes to the Z3 SMT solver. Z3 is an award-winning tool used to solve quickly complex problems that would otherwise take an extremely long time to compute, such as checking Azure firewall rules in seconds instead of millions of years. Using Z3 directly can be tricky, especially if you have to build the model by hand; F* automates the process, making it a tool anyone can use.
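As an added illustration of the dependent types described above and of the side conditions F* hands to Z3 (example code written for this page, not code from the article or the F* project), the following F* module assumes only the standard library prelude and is saved as DependentTypesDemo.fst so that `fstar.exe DependentTypesDemo.fst` verifies it: it shows a refinement type, a dependent function whose return type depends on its argument, a dependent pair, and a length-indexed vector whose lookup cannot go out of bounds.

```fstar
module DependentTypesDemo

(* Refinement type: a natural number below the bound n. The predicate i < n
   becomes a proof obligation, discharged by Z3, wherever such a value is needed. *)
type index (n:nat) = i:nat{i < n}

(* Length-indexed vector: the length is part of the type. *)
type vec (a:Type) : nat -> Type =
  | Nil  : vec a 0
  | Cons : #n:nat -> hd:a -> tl:vec a n -> vec a (n + 1)

(* Dependent function: the return type vec a n depends on the value n. The
   solver must show that each branch yields a vector of exactly length n. *)
let rec replicate (#a:Type) (n:nat) (x:a) : vec a n =
  if n = 0 then Nil else Cons x (replicate (n - 1) x)

(* Lookup whose index type depends on the vector's length. The Nil case is
   not written: F* asks Z3 to prove it unreachable (n = 0 contradicts i < n),
   so a missing bounds check is a verification error, never a run-time fault. *)
let rec get (#a:Type) (#n:nat) (i:index n) (v:vec a n) : a =
  let Cons hd tl = v in
  if i = 0 then hd else get (i - 1) tl

(* Dependent pair: the second component's type depends on the first value.
   Here a length is packaged with an index that is proven valid for it. *)
let bounded : (n:nat & index n) = (| 4, 2 |)

(* Accepted: index 1 of a two-element vector. *)
let ok : int = get 1 (Cons 10 (Cons 20 Nil))

(* Rejected by the verifier, because 2 is not < 2, so it never reaches run time:
let bad : int = get 2 (Cons 10 (Cons 20 Nil))
*)
```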

From IT to everyday coding

One of the most useful features of F* is its ability to target many different development environments, including WebAssembly. With WebAssembly growing in importance as a cross-platform runtime for all classes of devices, WASM support makes a lot of sense as a way to simplify aspects of the F* compiler: if the default target for verified code is a sandboxed runtime, the security risk is greatly reduced. The combination of F* and WASM (using the stand-alone WebAssembly System Interface, WASI, runtime) could offer a way to improve the security of industrial SCADA systems.

It is good to see what was pure computer science research only a few years ago beginning its journey toward the mainstream. F* is not quite mainstream yet, but it has come a long way from the original Z3 SMT solver and shows how provable code can become part of the everyday development environment.

You can imagine that, as F* acquires new domain-specific languages, it could become part of a technology like the Roslyn compiler. If dependent types were built into .NET and treated like another F* domain-specific language, you could imagine far more secure C# applications that mitigate risk for your users. That is still a long way off, but Microsoft's internal use of F* to build and verify its own QUIC network stack shows that it is almost ready for prime time.

Copyright © 2021 IDG Communications, Inc.
