Journal Publications

Refereed Conference Publications

  • Certified Computer-Aided Cryptography: Efficient Provably Secure Machine Code from High-Level Implementations, with J. C. Bacelar Almeida, Manuel Barbosa and Gilles Barthe. in Proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security (CCS'13), pages 1217--1230. Berlin, November 2013.

    We present a computer-aided framework for proving concrete security bounds for cryptographic machine code implementations. The front-end of the framework is an interactive verification tool that extends the EasyCrypt framework to reason about relational properties of C-like programs extended with idealised probabilistic operations in the style of code-based security proofs. The framework also incorporates an extension of the CompCert certified compiler to support trusted libraries providing complex arithmetic calculations or instantiating idealised components such as sampling operations. This certified compiler allows us to carry to executable code the security guarantees established at the high-level, and is also instrumented to detect when compilation may interfere with side-channel countermeasures deployed in source code. We demonstrate the applicability of the framework with the RSA-OAEP encryption scheme, as standardized in PKCS#1 v2.1. The outcome is a rigorous analysis of the advantage of an adversary to break the security of assembly implementations of the algorithms specified by the standard. The example also provides two contributions of independent interest: it is the first application of computer-aided cryptographic tools to real-world security, and the first application of CompCert to cryptographic software.

  • Guiding a General-Purpose C Verifier to Prove Cryptographic Protocols, with Andrew D. Gordon, Jan Jürjens and David A. Naumann. in Proceedings of the 24th IEEE Symposium on Computer Security Foundations (CSF'11), pages 3--17. Paris, June 2011.

    We describe how to verify security properties of C code for cryptographic protocols by using a general-purpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detect collisions when two distinct terms map to the same byte array; decoration of a crypto API with contracts based on symbolic terms; and expression of the attacker model in terms of C programs. We rely on the general-purpose verifier VCC; we guide VCC to prove security simply by writing suitable header files and annotations in implementation files, rather than by changing VCC itself. We formalize the symbolic model in Coq in order to justify the addition of axioms to VCC.

    Tech Report (external) | Preprint [.pdf] | Sample Code [tar.gz] | Short slide deck [.pdf] | Full slide deck [.pdf]

Non-Refereed Publications

Dissertations, Reports and Manuscripts