EverParse: Verified Secure Zero-Copy Parsers for Authenticated Message Formats

We present EverParse, a framework for generating parsers and serializers from tag-length-value binary message format descriptions. The resulting code is verified to be safe (no overflow, no use after free), correct (parsing is the inverse of serialization) and non-malleable (each message has a unique binary representation). These guarantees underpin the security of cryptographic message authentication, and they enable testing to focus on interoperability and performance issues. EverParse consists of two parts: LowParse, a library of parser combinators and their formal properties written in F*; and QuackyDucky, a compiler from a domain-specific language of RFC message formats down to low-level F* code that calls LowParse. While LowParse is fully verified, we do not formalize the semantics of the input language and keep QuackyDucky outside our trusted computing base. Instead, it also outputs a formal message specification, and F* automatically verifies our implementation against this specification. EverParse yields efficient zero-copy implementations, usable both in F* and in C. We evaluate it in practice by fully implementing the message formats of the Transport Layer Security standard and its extensions (TLS 1.0–1.3, 293 datatypes) and by integrating them into miTLS, an F* implementation of TLS. We illustrate its generality by implementing the Bitcoin block and transaction formats, and the ASN.1 DER payload of PKCS#1 RSA signatures. We integrate them into C applications and measure their runtime performance, showing significant improvements over prior handwritten libraries. EverParse is open-source and publicly available on GitHub. You can view Antoine Delignat-Lavaud’s presentation at USENIX Security 2019.

[1]  Alessandro Barenghi,et al.  Systematic parsing of X.509: Eradicating security issues with a parse tree , 2018, J. Comput. Secur..

[2]  Alfredo Pironti,et al.  FLEXTLS: A Tool for Testing TLS Implementations , 2015, WOOT.

[3]  Christian Decker,et al.  Bitcoin Transaction Malleability and MtGox , 2014, ESORICS.

[4]  Patrick Cousot,et al.  Grammar Analysis and Parsing by Abstract Interpretation , 2006, Program Analysis and Compilation.

[5]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[6]  Raj Srinivasan,et al.  XDR: External Data Representation Standard , 1995, RFC.

[7]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[8]  Cédric Fournet,et al.  miTLS: Verifying Protocol Implementations against Real-World Attacks , 2016, IEEE Security & Privacy.

[9]  Norbert Schirmer,et al.  Verification of sequential imperative programs in Isabelle-HOL , 2006 .

[10]  Satoshi Nakamoto Bitcoin : A Peer-to-Peer Electronic Cash System , 2009 .

[11]  David A. Schmidt,et al.  Abstract LR-Parsing , 2011, Formal Modeling: Actors, Open Systems, Biological Systems.

[12]  David Benjamin Applying GREASE to TLS Extensibility , 2019 .

[13]  Son T. Vuong,et al.  An Overview of ASN.1 , 1992, Comput. Networks ISDN Syst..

[14]  Olivier Levillain,et al.  Parsifal: A Pragmatic Solution to the Binary Parsing Problems , 2014, 2014 IEEE Security and Privacy Workshops.

[15]  Frederik Vercauteren,et al.  A cross-protocol attack on the TLS protocol , 2012, CCS.

[16]  Juraj Somorovsky,et al.  Systematic Fuzzing and Testing of TLS Libraries , 2016, CCS.

[17]  Xavier Leroy,et al.  Validating LR(1) Parsers , 2012, ESOP.

[18]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[19]  Nikhil Swamy,et al.  Everest: Towards a Verified, Drop-in Replacement of HTTPS , 2017, SNAPL.

[20]  P. Cochat,et al.  Et al , 2008, Archives de pediatrie : organe officiel de la Societe francaise de pediatrie.

[21]  Qianchuan Ye,et al.  A verified protocol buffer compiler , 2019, CPP.

[22]  Daan Leijen,et al.  Parsec: direct style monadic parser combinators for the real world , 2001 .

[23]  Nikhil Swamy,et al.  Verified low-level programming embedded in F* , 2017, Proc. ACM Program. Lang..

[24]  Graham Hutton,et al.  Higher-order functions for parsing , 1992, Journal of Functional Programming.

[25]  Adam Koprowski,et al.  TRX: A Formally Verified Parser Interpreter , 2010, Log. Methods Comput. Sci..

[26]  Kostya Serebryany,et al.  OSS-Fuzz - Google's continuous fuzzing service for open source software , 2017 .

[27]  Trevor Jim,et al.  Efficient Earley Parsing with Regular Right-hand Sides , 2010, Electron. Notes Theor. Comput. Sci..

[28]  David J. Scott,et al.  Unikernels: the rise of the virtual library operating system , 2013, CACM.

[29]  Hao Zhou,et al.  Transport Layer Security (TLS) Session Resumption without Server-Side State , 2008, RFC.

[30]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[31]  Trevor Jim,et al.  A New Method for Dependent Parsing , 2011, ESOP.

[32]  Xavier Leroy,et al.  Formal certification of a compiler back - end , 2005 .

[33]  Peter C. Johnson,et al.  Finite State Machine Parsing for Internet Protocols: Faster Than You Think , 2014, 2014 IEEE Security and Privacy Workshops.

[34]  Kazukuni Kobara,et al.  A New Variant for an Attack Against RSA Signature Verification Using Parameter Field , 2007, EuroPKI.

[35]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.