An end-to-end verification architecture for building Certified Implementations of Robust, Cryptographically Secure web applications

The security of modern web applications depends on cryptographic components like the Transport Layer Security (TLS) protocol, which is deployed in all web browsers and servers.
However, despite their widespread use, their security guarantees remain poorly understood, resulting in subtle implementation bugs and insecure deployments.
For example, a series of attacks, some discovered by our team, has shown that many popular modes of the TLS are obsolete and no longer reliable.

In response to these attacks and other weaknesses, the cryptographic community is proposing a series of new standards for cryptographic algorithms and protocols.
Our team contributed to a new version of TLS that has been published by the IETF and is being implemented by all web browsers and servers.
These new mechanisms hold much promise but need careful scrutiny.

The goal of CIRCUS was to bring together state-of-the-art research in software verification and cryptographic protocol analysis that can be applied to these mechanisms.
We aimed to develop new tools and techniques that make it possible to verify the security of emerging security protocols like TLS 1.3 to develop high-assurance high-performance libraries that implement modern
cryptographic algorithms and protocols, and to enable new web applications that can rely on these verified mechanisms to provide strong and proven security and privacy guarantees to all Internet users.

At the conclusion of the project, we have achieved and perhaps exceeded our goals. We built HACL*, the first verified cryptographic library that implements all the algorithms needed by modern cryptographic protocols and applications, and we helped deploy HACL* code within mainstream software like Mozilla Firefox, WireGuard, Linux Kernel, Microsoft WinQuic, Tezos Blockchain, and ElectionGuard. We helped design, analyze, and standardize the TLS 1.3 protocol, which is now deployed on all web browsers and a large number of websites. We also helped standardize a new messaging protocol called MLS and a new encryption algorithm called HPKE. We developed a verification technique for building high-assurance high-performance software in C and in WebAssembly and used it to verify HACL* and implementations of protocols like TLS 1.3 and Signal. We also developed new security analysis techniques for JavaScript programs and for large security protocols modeled in F*. In summary, we developed and successfully applied a scalable verification architecture for the end-to-end verification of cryptographic web applications.

Over the lifetime of the project, we have achieved important results on all work packages. Below we note our main achievements.

WP1: From verified F* code to efficient C and WebAssembly programs
We developed the theoretical foundations for writing efficient stateful code in the F* verification-oriented programming language
in a way that the code can be compiled to programs in the C programming language. We designed and developed a compiler, called KreMLin,
from F* to C and used it to implement a full cryptographic library called HACL* as well as implementations of TLS 1.3 and Signal. Subsequently,
we extended KreMLin to compile F* code to WebAssembly, a new runtime environment for the Web. This work resulted in papers at ICFP 2017, IEEE S&P 2019, and ICFP 2020.

WP2: HACL* - A Verified Modern Cryptographic Library
We designed and developed HACL*: the first cryptographic library in C to be verified for memory safety, functional correctness, and side-channel resistance.
Our library includes a full suite of modern cryptographic algorithms and can be used as a drop-in replacement for crypto libraries currently used in protocol libraries
and web applications. Our code is not only verified, it is as fast as state-of-the-art handwritten C code. In subsequent work, we extended HACL* with verified assembly code.
We also developed and incorporated a new methodology called HACLxN for verifying vectorized cryptographic code that relies on the single-instruction multiple-data (SIMD) parallelism provided by modern processors.
The HACL* library is now being used in production software including Mozilla Firefox, the WireGuard VPN, the Linux kernel, the Tezos blockchain, the Microsoft WinQuic stack, and ElectionGuard.
As such, this library is a significant achievement, both for research and technological transfer. Our work on HACL* was published at ACM CCS 2017, IEEE S&P 2020, and ACM CCS 2020.

WP3: The Design, Analysis, and Implementation of the TLS 1.3 Standard
We participated in the design and standardization of the TLS 1.3 protocol, and our work is acknowledged in the TLS 1.3 standard.
We published detailed proofs of the TLS 1.3 protocol using verification tools developed in our research group at INRIA.
We also developed two high-assurance implementations of the TLS 1.3 protocol, one in JavaScript and the other in F*.
Our work on TLS 1.3 resulted in two publications at IEEE S&P 2017, one of which was awarded the Distinguished Paper Award.

WP4: New Verification Tools for Cryptographic Web Applications
We developed a novel verification framework called ProScript that
can be used to verify JavaScript crypto applications, resulting in
papers at IEEE Euro S&P 2017 and IEEE S&P 2017.
We also developed a compiler from the F* programming language to WebAssembly and used this compiler to develop
a verified cryptographic library and verified protocol implementation in WebAssembly, resulting in a paper at IEEE S&P 2019.

WP5: Landmark Case Studies for Cryptographic Protocol Verification
We analyzed implementations of the Signal protocol, used by popular messaging
applications like WhatsApp and Skype, esulting in publications
at IEEE Euro S&P 2017, IEEE S&P 2019, and IEEE Euro S&P 2021.

We developed a mechanized cryptographic proof of the WireGuard VPN
protocol used in the Linux Kernel with CryptoVerif, resulting in a paper
at IEEE Euro S&P 2019 [19].

We also designed a new encryption standard called HPKE and published
its formal analysis at EUROCRYPT 2021.

Our verification methodology, based on proving our source code in F* and compiling the verified code to C and WebAssembly, is one of the most advanced frameworks for developing high-assurance high-performance software. We have already used this methodology to build a state-of-the-art cryptographic library and implementations of popular protocols like TLS 1.3 and Signal. We plan to continue improving this toolchain to make it easier to use for security-oriented developers, and to use this framework for even more ambitious verification projects.

Our cryptographic library pushes the state-of-the-art for fast verified crypto and is already widely used in mainstream software applications like the Firefox web browser and the Linux kernel. We plan to work on improving the performance of this library even more using SIMD vectorization. We are also working on implementing and verifying more advanced cryptographic constructions, including multi-party computation and post-quantum cryptography.

After the success of TLS 1.3 we are participating in the design and standardization of a new secure messaging protocol at the IETF called Messaging Layer Security (MLS). We designed the core protocol mechanism in MLS and are helping analyze this important upcoming standard.