-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add unbounded AES-GCM verification, isolate newer SAW from other proofs #144
Add unbounded AES-GCM verification, isolate newer SAW from other proofs #144
Conversation
This patch ensures that the AES_KW(P) proof developments all use files that are isolated from the proof developments for AES (previously, the former depended on the latter). In a subsequent commit, we will modify the AES proof developments to support unbounded AES-GCM, and we want to ensure that changes to AES do not interfere with the proofs for AES_KW(P).
Ah, I mistakenly introduced some changes to |
This proves unbounded AES-GCM functions, building on top of the cryptol-specs work in GaloisInc/cryptol-specs#72 and the saw-script work in GaloisInc/saw-script#2037. This requires a newer version of SAW to work than what aws-lc-verification's CI currently uses, so I isolated these proofs into their own SAW scripts, Cryptol specs, shell scripts, Docker image, and CI action. Moreover, some of the AES-GCM proofs use Z3's Constrained Horn Clause (CHC) feature, which is buggy on Z3-4.8.8. aws-lc-verification's other CI jobs are currently using Z3-4.8.8, so I specifically chose a newer version (Z3-4.8.14) for the new, AES-GCM–specific CI job. Co-authored-by: Robert Dockins <rdockins@galois.com> Co-authored-by: Samuel Breese <samuel@chame.co> Co-authored-by: Andrei Stefanescu <andrei@stefanescu.io>
78dc4cd
to
20effa9
Compare
At long last, the CI finally passes! Ready for review, @apetcher-amazon and @pennyannn. |
I have a few high-level comments before I examine the details.
|
Yes, a fair point. I can experiment locally to see how well we can parallelize it, although my local machine only has 32 GB of RAM.
Ah, good to know. I'll do that.
Yes, quite so. One of the challenges here is that much of the Cryptol code checked in here is not meant to reflect the official NIST AES-GCM specification so much as it is an aid for SAW to help identify the loop structure of the C code itself, so it is written in a much more "low-level" style than what you'd find in the NIST spec. The Cryptol code that is closer to the NIST spec is found in GaloisInc/cryptol-specs#72 (in That being said, the comments could definitely explain all this better. I'll do that and add some more commentary where I can.
Sure, will do. |
I want to confirm if my understanding is correct. In this proof, the bulk processing functions For all other functions, they are all bounded proofs serving some purpose, and this includes proofs for the top-level EVP functions as well. For example, For top-level EVP function, I believe only one set of verification parameter is chosen for the proof, so it is also a bounded proof. The override matching to bulk functions Is my understanding correct? If so, could you add some comments to the proof command for the top-level EVP functions (the various |
This makes them more unbounded and closer in design to the EVP_{Encrypt,Decrypt}Update proofs.
These are a leftover from the previous AES-GCM development that used bounded proofs. Now that we have unbounded proofs, there is no longer a reason to keep them around.
For now, we only check the following (mres, res_mres) pairs: (0, 0), (0, 15), (1, 0), (1, 15)
2d911a9
to
2b37d26
Compare
Wow, this is so cool! All workflow pass and apparently the proofs now run faster even though we are checking more combinations of parameters! I wonder if it is because you removed the bounded proofs. I will start reviewing. Thank you so much for the help, @RyanGlScott ! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have reviewed the workflow, shell scripts and most of the SAW files (excluding goal-rewrites files). I will send another review for the Cryptol files and the goal-rewrites.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I finished reviewing goal-rewrites and the Cryptol files.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. I just had one minor comment.
This proves unbounded AES-GCM functions, building on top of the cryptol-specs work in GaloisInc/cryptol-specs#72 and the saw-script work in GaloisInc/saw-script#2037. This supersedes previous efforts in #80, #139, and #143.
This requires a newer version of SAW to work than what aws-lc-verification's CI currently uses, so I isolated these proofs into their own SAW scripts, Cryptol specs, shell scripts, Docker image, and CI action. Moreover, some of the AES-GCM proofs use Z3's Constrained Horn Clause (CHC) feature, which is buggy on Z3-4.8.8. aws-lc-verification's other CI jobs are currently using Z3-4.8.8, so I specifically chose a newer version (Z3-4.8.14) for the new, AES-GCM–specific CI job.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.