research-article

Open Access

CT-wasm: type-driven secure cryptography for the web ecosystem

Authors:
Conrad Watt

University of Cambridge, UK

University of Cambridge, UK
View Profile

,
John Renner

University of California at San Diego, USA

University of California at San Diego, USA
View Profile

,
Natalie Popescu

University of California at San Diego, USA

University of California at San Diego, USA
View Profile

,
Sunjay Cauligi

University of California at San Diego, USA

University of California at San Diego, USA
View Profile

,
Deian Stefan

University of California at San Diego, USA

University of California at San Diego, USA
View Profile

Proceedings of the ACM on Programming Languages Volume 3 Issue POPLArticle No.: 77pp 1–29https://doi.org/10.1145/3290390

Published:02 January 2019Publication History

Proceedings of the ACM on Programming Languages

Abstract

A significant amount of both client and server-side cryptography is implemented in JavaScript. Despite widespread concerns about its security, no other language has been able to match the convenience that comes from its ubiquitous support on the "web ecosystem" - the wide variety of technologies that collectively underpins the modern World Wide Web. With the introduction of the new WebAssembly bytecode language (Wasm) into the web ecosystem, we have a unique opportunity to advance a principled alternative to existing JavaScript cryptography use cases which does not compromise this convenience.

We present Constant-Time WebAssembly (CT-Wasm), a type-driven, strict extension to WebAssembly which facilitates the verifiably secure implementation of cryptographic algorithms. CT-Wasm's type system ensures that code written in CT-Wasm is both information flow secure and resistant to timing side channel attacks; like base Wasm, these guarantees are verifiable in linear time. Building on an existing Wasm mechanization, we mechanize the full CT-Wasm specification, prove soundness of the extended type system, implement a verified type checker, and give several proofs of the language's security properties.

We provide two implementations of CT-Wasm: an OCaml reference interpreter and a native implementation for Node.js and Chromium that extends Google's V8 engine. We also implement a CT-Wasm to Wasm rewrite tool that allows developers to reap the benefits of CT-Wasm's type system today, while developing cryptographic algorithms for base Wasm environments. We evaluate the language, our implementations, and supporting tools by porting several cryptographic primitives - Salsa20, SHA-256, and TEA - and the full TweetNaCl library. We find that CT-Wasm is fast, expressive, and generates code that we experimentally measure to be constant-time.

Supplemental Material

a77-renner.webm

webm

85.6 MB

Download

References

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, Arthur Blot, Benjamin Grégoire, Vincent Laporte, Tiago Oliveira, Hugo Pacheco, Benedikt Schmidt, and Pierre-Yves Strub. 2017. Jasmin: High-assurance and high-speed cryptography. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM. Google ScholarDigital Library
José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, and François Dupressoir. 2016a. Verifiable Side-Channel Security of Cryptographic Implementations: Constant-Time MEE-CBC. In Revised Selected Papers of the International Conference on Fast Software Encryption. Springer-Verlag New York, Inc. Google ScholarDigital Library
Jose Bacelar Almeida, Manuel Barbosa, Gilles Barthe, François Dupressoir, and Michael Emmi. 2016b. Verifying ConstantTime Implementations. In Proceedings of the USENIX Security Symposium. USENIX Association. Google ScholarDigital Library
Marc Andrysco, David Kohlbrenner, Keaton Mowery, Ranjit Jhala, Sorin Lerner, and Hovav Shacham. 2015. On Subnormal Floating Point and Abnormal Timing. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society. Google ScholarDigital Library
Marc Andrysco, Andres Nötzli, Fraser Brown, Ranjit Jhala, and Deian Stefan. 2018. Towards Verified, Constant-time Floating Point Operations. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM. Google ScholarDigital Library
Roberto Baldoni, Emilio Coppa, Daniele Cono D’Elia, Camil Demetrescu, and Irene Finocchi. 2018. A Survey of Symbolic Execution Techniques. Comput. Surveys 51, 3, Article 50 (2018). Google ScholarDigital Library
Manuel Barbosa, David Castro, and Paulo F. Silva. 2014. Compiling CAO: From Cryptographic Specifications to C Implementations. In Proceedings of Principles of Security and Trust, Martín Abadi and Steve Kremer (Eds.). Springer Berlin Heidelberg.Google Scholar
Manuel Barbosa, Andrew Moss, Dan Page, Nuno F. Rodrigues, and Paulo F. Silva. 2012. Type Checking Cryptography Implementations. In Fundamentals of Software Engineering, Farhad Arbab and Marjan Sirjani (Eds.). Springer Berlin Heidelberg. Google ScholarDigital Library
Gilles Barthe, Gustavo Betarte, Juan Campo, Carlos Luna, and David Pichardie. 2014. System-level Non-interference for Constant-time Cryptography. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM. Google ScholarDigital Library
Gilles Barthe, Benjamin Grégoire, and Vincent Laporte. 2017. Provably secure compilation of side-channel countermeasures. Cryptology ePrint Archive, Report 2017/1233. (2017). https://eprint.iacr.org/2017/1233 .Google Scholar
Gilles Barthe, Benjamin Grégoire, and Vincent Laporte. 2018. Secure Compilation of Side-Channel Countermeasures: The Case of Cryptographic “Constant-Time”. In Proceedings of the IEEE Computer Security Foundations Symposium. IEEE Computer Society.Google ScholarCross Ref
Daniel J Bernstein. 2005a. Cache-timing attacks on AES. (2005).Google Scholar
Daniel J Bernstein. 2005b. The Poly1305-AES message-authentication code. In Proceedings of the International Workshop on Fast Software Encryption. Springer. Google ScholarDigital Library
Daniel J Bernstein. 2005c. salsa20-ref.c. (2005). Retrieved July 5, 2018 from https://cr.yp.to/snuffle/salsa20/ref/salsa20.cGoogle Scholar
Daniel J Bernstein. 2006. Curve25519: new Diffie-Hellman speed records. In Proceedings of the International Workshop on Public Key Cryptography. Springer. Google ScholarDigital Library
Daniel J Bernstein. 2007. Writing high-speed software. (2007). Retrieved June 11, 2018 from http://cr.yp.to/qhasm.htmlGoogle Scholar
Daniel J Bernstein. 2008. The Salsa20 family of stream ciphers. In New stream cipher designs. Springer. Google ScholarDigital Library
Daniel J Bernstein, Tanja Lange, and Peter Schwabe. 2016. NaCl: Networking and cryptography library. (2016). Retrieved June 23, 2018 from https://nacl.cr.yp.toGoogle Scholar
Daniel J Bernstein, Bernard Van Gastel, Wesley Janssen, Tanja Lange, Peter Schwabe, and Sjaak Smetsers. 2014. TweetNaCl: A crypto library in 100 tweets. In Proceedings of the International Conference on Cryptology and Information Security in Latin America. Springer.Google Scholar
Benjamin Beurdouche. 2017. Verified cryptography for Firefox 57. (2017). https://blog.mozilla.org/security/2017/09/13/ verified-cryptography-firefox-57/Google Scholar
Karthikeyan Bhargavan, Antoine Delignat-Lavaud, and Sergio Maffeis. 2014. Defensive JavaScript. In Foundations of Security Analysis and Design VII. Springer.Google Scholar
Sandrine Blazy, David Pichardie, and Alix Trieu. 2017. Verifying Constant-Time Implementations by Abstract Interpretation. In Proceedings of the European Symposium on Research in Computer Security, Simon N. Foley, Dieter Gollmann, and Einar Snekkenes (Eds.). Springer International Publishing.Google ScholarCross Ref
Barry Bond, Chris Hawblitzel, Manos Kapritsos, K. Rustan M. Leino, Jacob R. Lorch, Bryan Parno, Ashay Rane, Srinath Setty, and Laure Thompson. 2017. Vale: Verifying High-Performance Cryptographic Assembly Code. In Proceedings of the USENIX Security Symposium. USENIX Association. Google ScholarDigital Library
Michele Boreale. 2009. Quantifying Information Leakage in Process Calculi. Information and Computation 207, 6 (2009). Google ScholarDigital Library
David Brumley and Dan Boneh. 2005. Remote timing attacks are practical. Computer Networks 48, 5 (2005). Google ScholarDigital Library
Mykola Bubelich. 2017. JS-Salsa20. (2017). Retrieved July 5, 2018 from https://www.npmjs.com/package/js-salsa20Google Scholar
Sunjay Cauligi, Gary Soeller, Fraser Brown, Brian Johannesmeyer, Yunlu Huang, Ranjit Jhala, and Deian Stefan. 2017. FaCT: A Flexible, Constant-Time Programming Language. In Proceedings of the IEEE Cybersecurity Development Conference. IEEE.Google ScholarCross Ref
Dmitry Chestnykh. 2016. TweetNaCl.js. (2016). Retrieved June 23, 2018 from https://www.npmjs.com/package/tweetnaclGoogle Scholar
Cliff Click and Michael Paleczny. 1995. A Simple Graph-based Intermediate Representation. In Proceedings of the ACM SIGPLAN Workshop on Intermediate Representations. ACM. Google ScholarDigital Library
Brad Conte. 2012. crypto-algorithms. (2012). Retrieved July 5, 2018 from https://github.com/B-Con/crypto-algorithmsGoogle Scholar
Daniel Cousens. 2014. pbkdf2. (2014). Retrieved June 23, 2018 from https://www.npmjs.com/package/pbkdf2Google Scholar
Cryptography Coding Standard. 2016. Coding rules. (2016). Retrieved June 11, 2018 from https://cryptocoding.net/index. php/Coding_rulesGoogle Scholar
Jerry Cuomo. 2013. Mobile app development, JavaScript everywhere and “the three amigos". (2013). White paper, IBM.Google Scholar
Denis, Frank. 2018. libsodium. (2018). Retrieved July 12, 2018 from https://github.com/jedisct1/libsodiumGoogle Scholar
ECMA International. 2018. ECMAScript 2018 Language Specification. (2018). https://www.ecma-international.org/ publications/files/ECMA-ST/Ecma-262.pdfGoogle Scholar
Andres Erbsen, Jade Philipoom, Jason Gross, Robert Sloan, and Adam Chlipala. 2019. Simple High-Level Code For Cryptographic Arithmetic – With Proofs, Without Compromises. In Proceedings of the IEEE Symposium on Security and Privacy.Google Scholar
Richard Forster. 1999. Non-Interference Properties for Nondeterministic Processes. Ph.D. Dissertation. University of Cambridge.Google Scholar
Galois. 2016. Cryptol: The Language of Cryptography. https://cryptol.net/files/ProgrammingCryptol.pdf . (2016).Google Scholar
Matthew Green. 2012. The anatomy of a bad idea. (2012). Retrieved June 23, 2018 from https://blog.cryptographyengineering. com/2012/12/28/the-anatomy-of-bad-idea/Google Scholar
Andreas Haas, Andreas Rossberg, Derek L. Schuff, Ben L. Titzer, Michael Holman, Dan Gohman, Luke Wagner, Alon Zakai, and JF Bastien. 2017. Bringing the Web Up to Speed with WebAssembly. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM. Google ScholarDigital Library
Harry Halpin. 2014. The W3C Web Cryptography API: Design and Issues. In Proceedings of the International Workshop on Web APIs and RESTful design.Google Scholar
David Herman, Luke Wagner, and Alon Zakai. 2014. asm.js. (2014). Retrieved October 7, 2017 from http://asmjs.org/spec/ latestGoogle Scholar
Julio C Hernandez and Pedro Isasi. 2004. Finding efficient distinguishers for cryptographic mappings, with an application to the block cipher TEA. Computational Intelligence 20, 3 (2004).Google Scholar
Peter V. Homeier. 2001. Quotient Types. In Supplemental Proceedings of the International Conference on Theorem Proving in Higher Order Logics. University of Edinburgh.Google Scholar
Seokhie Hong, Deukjo Hong, Youngdai Ko, Donghoon Chang, Wonil Lee, and Sangjin Lee. 2003. Differential Cryptanalysis of TEA and XTEA. In Proceedings of the International Conference on Information Security and Cryptology. Springer.Google Scholar
Brian Huffman and Ondřej Kunăar. 2013. Lifting and Transfer: A Modular Design for Quotients in Isabelle/HOL. In Proceedings of the ACM SIGPLAN International Conference on Certified Programs and Proofs. Springer-Verlag. Google ScholarDigital Library
Fedor Indutny. 2014. Elliptic. (2014). Retrieved June 23, 2018 from https://www.npmjs.com/package/ellipticGoogle Scholar
Intel. 2016. Intel® 64 and IA-32 Architectures Software Developer’s Manual. Volume 2: Instruction Set Reference, A-Z (2016).Google Scholar
Paul Johnston and Contributors. 2017. sha.js. (2017). Retrieved July 5, 2018 from https://www.npmjs.com/package/sha.jsGoogle Scholar
John Kelsey, Bruce Schneier, and David Wagner. 1997. Related-key cryptanalysis of 3-way, biham-des, cast, des-x, newdes, rc2, and tea. In Proceedings of the International Conference on Information and Communications Security. Springer. Google ScholarDigital Library
Nadim Kobeissi, Karthikeyan Bhargavan, and Bruno Blanchet. 2017. Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach. In Proceedings of the IEEE European Symposium on Security and Privacy. IEEE Computer Society.Google ScholarCross Ref
Paul Kocher. 1996. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Proceedings of Advances in Cryptology. Springer. Google ScholarDigital Library
David Kohlbrenner and Hovav Shacham. 2017. On the effectiveness of mitigations against floating-point timing channels. In Proceedings of the USENIX Security Symposium. USENIX Association. Google ScholarDigital Library
K Rustan M Leino. 2010. Dafny: An automatic program verifier for functional correctness. In Proceedings of the International Conference on Logic for Programming Artificial Intelligence and Reasoning. Springer. Google ScholarDigital Library
Heiko Mantel. 2000. Possibilistic Definitions of Security - An Assembly Kit. In Proceedings of the IEEE Workshop on Computer Security Foundations. IEEE Computer Society. Google ScholarDigital Library
Microsoft. 2018a. Type Compatibility - TypeScript. (2018). Retrieved June 11, 2018 from https://www.typescriptlang.org/ docs/handbook/type-compatibility.htmlGoogle Scholar
Microsoft. 2018b. TypeScript. (2018). Retrieved June 11, 2018 from https://www.typescriptlang.org/Google Scholar
Andrew C Myers. 1999. JFlow: Practical mostly-static information flow control. In Proceedings of the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. ACM. Google ScholarDigital Library
Andrew C Myers, Lantian Zheng, Steve Zdancewic, Stephen Chong, and Nathaniel Nystrom. 2001. Jif: Java information flow. Software release. Located at http://www. cs. cornell. edu/jif 2005 (2001).Google Scholar
Amos Ndegwa. 2016. What is Page Load Time? (2016). Retrieved June 11, 2018 from https://www.maxcdn.com/one/ visual-glossary/page-load-time/Google Scholar
Nebulet. 2018. Lachlan Sneff. (2018). Retrieved July 4, 2018 from https://github.com/nebulet/nebuletGoogle Scholar
NIST. 2002. Secure Hash Standard. FIPS PUB 180-2 (2002).Google Scholar
Node.js Foundation. 2018. Node.js. (2018). Retrieved June 11, 2018 from https://nodejs.org/docs/latest-v10.x/api/crypto.htmlGoogle Scholar
Open Whisper Systems. 2016. Signal Protocol library for JavaScript. (2016). Retrieved June 23, 2018 from https://github. com/signalapp/libsignal-protocol-javascriptGoogle Scholar
Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, and Angelos D. Keromytis. 2015. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and Their Implications. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM. Google ScholarDigital Library
Dag Arne Osvik, Adi Shamir, and Eran Tromer. 2006. Cache attacks and countermeasures: the case of AES. In Proceedings of the Cryptographers’ Track at the RSA Conference. Springer. Google ScholarDigital Library
D. Page. 2006. A Note On Side-Channels Resulting From Dynamic Compilation. In Cryptology ePrint Archive. https: //eprint.iacr.org/2006/349Google Scholar
Andrei Popescu, Johannes Hölzl, and Tobias Nipkow. 2012. Proving Concurrent Noninterference. In Proceedings of the ACM SIGPLAN International Conference on Certified Programs and Proofs. Springer-Verlag. Google ScholarDigital Library
Thomas Pornin. 2017. Why Constant-Time Crypto? (2017). Retrieved June 11, 2018 from https://www.bearssl.org/ constanttime.htmlGoogle Scholar
François Pottier and Vincent Simonet. 2003. Information flow inference for ML. ACM Transactions on Programming Languages and Systems 25, 1 (2003). Google ScholarDigital Library
Project Everest. 2018. HACL*, a formally verified cryptographic library written in F*. (2018). Retrieved July 12, 2018 from https://github.com/project-everest/hacl-starGoogle Scholar
John Renner, Sunjay Cauligi, and Deian Stefan. 2018. Constant-Time WebAssembly. In Principles of Secure Compilation.Google Scholar
Oscar Reparaz, Josep Balasch, and Ingrid Verbauwhede. 2017. Dude, is My Code Constant Time?. In Proceedings of the Conference on Design, Automation and Test in Europe. European Design and Automation Association. Google ScholarDigital Library
A. Sabelfeld and A. C. Myers. 2006. Language-based Information-flow Security. IEEE Journal on Selected Areas in Communications 21, 1 (2006). Google ScholarDigital Library
Andrei Sabelfeld and David Sands. 2000. Probabilistic Noninterference for Multi-Threaded Programs. In Proceedings of the IEEE Workshop on Computer Security Foundations. IEEE Computer Society. Google ScholarDigital Library
Ryan Sleevi. 2013. W3C Web Crypto API Update. (2013). https://datatracker.ietf.org/meeting/86/materials/slides-86-saag-5 IETF 86.Google Scholar
Dominik Strohmeier and Peter Dolanjski. 2017. Comparing Browser Page Load Time: An Introduction to Methodology. (2017). Retrieved June 11, 2018 from https://hacks.mozilla.org/2017/11/ comparing-browser-page-load-time-an-introduction-to-methodology/Google Scholar
Torsten Stüber. 2017. TweetNacl-WebAssembly. (2017). https://github.com/TorstenStueber/TweetNacl-WebAssemblyGoogle Scholar
Dominic Tarr. 2013. crypto-browserify. (2013). Retrieved June 23, 2018 from https://www.npmjs.com/package/ crypto-browserifyGoogle Scholar
David Terei, Simon Marlow, Simon Peyton Jones, and David Mazières. 2012. Safe Haskell. In ACM SIGPLAN Notices, Vol. 47. ACM. Google ScholarDigital Library
Tom Van Goethem, Wouter Joosen, and Nick Nikiforakis. 2015. The Clock is Still Ticking: Timing Attacks in the Modern Web. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM. Google ScholarDigital Library
Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. 1996. A Sound Type System for Secure Flow Analysis. Journal of Computer Security 4, 2-3 (1996). Google ScholarDigital Library
Conrad Watt. 2018. Mechanising and Verifying the WebAssembly Specification. In Proceedings of the ACM SIGPLAN International Conference on Certified Programs and Proofs. ACM. Google ScholarDigital Library
Conrad Watt, John Renner, Natalie Popescu, Sunjay Cauligi, and Deian Stefan. 2018. CT-Wasm: Type-driven Secure Cryptography for the Web Ecosystem. (2018). http://ct-wasm.programming.systems/Google Scholar
WebAssembly Community Group. 2018a. Module Instances. (2018). Retrieved June 11, 2018 from https://webassembly. github.io/spec/core/exec/runtime.html?highlight=instance#module-instancesGoogle Scholar
WebAssembly Community Group. 2018b. reference-types. (2018). Retrieved June 11, 2018 from https://github.com/ WebAssembly/reference-typesGoogle Scholar
WebAssembly Community Group. 2018c. WebAssembly. (2018). Retrieved June 11, 2018 from http://webassembly.orgGoogle Scholar
WebAssembly Community Group. 2018d. WebAssembly. (2018). Retrieved June 11, 2018 from https://github.com/ WebAssembly/spec/tree/master/interpreterGoogle Scholar
David J. Wheeler and Roger M. Needham. 1994. TEA, a tiny encryption algorithm. In Lecture Notes in Computer Science. Springer.Google Scholar
A.K. Wright and M. Felleisen. 1994. A Syntactic Approach to Type Soundness. Information and Computation 115, 1 (1994). Google ScholarDigital Library
Bennet Yee, David Sehr, Gregory Dardyk, J Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar. 2009. Native Client: A sandbox for portable, untrusted x86 native code. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society. Google ScholarDigital Library
Alon Zakai. 2015. Compiling to WebAssembly: It’s Happening! (2015). Retrieved July 12, 2018 from https://hacks.mozilla. org/2015/12/compiling-to-webassembly-its-happening/Google Scholar
Jean-Karim Zinzindohoué, Karthikeyan Bhargavan, Jonathan Protzenko, and Benjamin Beurdouche. 2017. HACL*: A verified modern cryptographic library. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM. Google ScholarDigital Library

Index Terms

CT-wasm: type-driven secure cryptography for the web ecosystem

Recommendations

Secure public-key encryption scheme without random oracles

Since the first practical and secure public-key encryption scheme without random oracles proposed by Cramer and Shoup in 1998, Cramer-Shoup's scheme and its variants remained the only practical and secure public-key encryption scheme without random ...
Read More
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET
SP '11: Proceedings of the 2011 IEEE Symposium on Security and Privacy

This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse ...
Read More
Nonmalleable Cryptography

The notion of nonmalleable cryptography, an extension of semantically secure cryptography, is defined. Informally, in the context of encryption the additional requirement is that given the ciphertext it is impossible to generate a different ciphertext ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in

Proceedings of the ACM on Programming Languages Volume 3, Issue POPL
January 2019
2275 pages
EISSN:2475-1421
DOI:10.1145/3302515
Issue’s Table of Contents

Copyright © 2019 Owner/Author
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 2 January 2019
Published in pacmpl Volume 3, Issue POPL

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Badges
- Artifacts Available
- Artifacts Evaluated & Reusable
Author Tags
WebAssembly
constant-time
cryptography
information flow control
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 40
  Total Citations
  View Citations
- 1,540
  Total Downloads
- Downloads (Last 12 months)250
- Downloads (Last 6 weeks)29
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

CT-wasm: type-driven secure cryptography for the web ecosystem

Proceedings of the ACM on Programming Languages

Abstract

Supplemental Material

References

Cited By

Index Terms

Recommendations

Secure public-key encryption scheme without random oracles

Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET

Nonmalleable Cryptography