Visible to the public Formally Verified Cryptographic Web Applications in WebAssembly

TitleFormally Verified Cryptographic Web Applications in WebAssembly
Publication TypeConference Paper
Year of Publication2019
AuthorsProtzenko, Jonathan, Beurdouche, Benjamin, Merigoux, Denis, Bhargavan, Karthikeyan
Conference Name2019 IEEE Symposium on Security and Privacy (SP)
Date Publishedmay
Keywordsauthoring languages, Browsers, CoMP, compilation pipeline, compiler, compiler security, compositionality, cryptographic code, cryptographic protocols, cryptographic-library, cryptographic-protocol-verification, cryptography, formal verification, high-assurance cryptographic libraries, high-profile attacks, instruction set, Java, JavaScript runtimes, Libraries, low-level subset, Metrics, modern Web applications, program compilers, program diagnostics, program verification, Protocols, pubcrawl, public domain software, Resiliency, Scalability, security-critical software, Servers, signal, sophisticated custom cryptographic components, standard protocols, Standards, toolchain, verification, verification techniques, verification-oriented programming languages, verified cryptographic Web applications, verified HACL cryptographic library, verified implementation, verified-software, web-security, Webassembly, WebAssembly compilers, WebAssembly version, whatsapp
AbstractAfter suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F* are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssembly, a new instruction set that is supported by all major JavaScript runtimes. We present a new toolchain that compiles Low*, a low-level subset of the F* programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL*, a WebAssembly version of the existing, verified HACL* cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.
DOI10.1109/SP.2019.00064
Citation Keyprotzenko_formally_2019