Vivienne: Relational Verification of Cryptographic Implementations in WebAssembly

We investigate the use of relational symbolic execution to counter timing side channels in WebAssembly programs. We design and implement Vivienne, an open-source tool to automatically analyze WebAssembly cryptographic libraries for constant-time violations. Our approach features various optimizations that leverage the structure of WebAssembly and automated theorem provers, including support for loops via relational invariants. We evaluate Vivienne on 57 real-world cryptographic implementations, including a previously unverified implementation of the HACL* library in WebAssembly. The results indicate that Vivienne is a practical solution for constant-time analysis of cryptographic libraries in WebAssembly.
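To make the relational notion of "constant-time violation" concrete, the following is an added illustration, not code from the Vivienne paper or tool. It models the two-run check the abstract describes: run a program twice with the same public input and two different secrets, record what a timing adversary is assumed to observe (branch outcomes and memory indices), and report a violation when the two traces differ. Vivienne performs this comparison symbolically over WebAssembly so that all secrets are covered at once; here the two executions are concrete and cover only the pair of secrets tried. The `Leak` recorder, the two comparison functions and the MAC-verification scenario are assumptions of this example.

```python
"""Concrete two-run ("relational") constant-time check for tiny Python models.

Added illustration, not code from the Vivienne paper or tool. The leakage
model (branch outcomes plus memory indices) and both comparison routines
are constructed for this example.
"""
from typing import Callable, List, Tuple

Trace = List[Tuple[str, object]]


class Leak:
    """Records the observations a timing adversary is assumed to see:
    the outcome of every branch and every memory index touched."""

    def __init__(self) -> None:
        self.trace: Trace = []

    def branch(self, cond: bool) -> bool:
        self.trace.append(("branch", cond))
        return cond

    def addr(self, index: int) -> int:
        self.trace.append(("mem", index))
        return index


def compare_early_exit(mac: bytes, expected: bytes, leak: Leak) -> bool:
    """Byte-wise comparison that returns at the first mismatch (constructed
    example). Control flow depends on the secret `expected`, so the branch
    trace reveals the position of the first differing byte."""
    if leak.branch(len(mac) != len(expected)):
        return False
    for i in range(len(mac)):
        if leak.branch(mac[leak.addr(i)] != expected[leak.addr(i)]):
            return False
    return True


def compare_constant_time(mac: bytes, expected: bytes, leak: Leak) -> bool:
    """OR together the XOR of all byte pairs; the only branch is on the
    public length, so the trace is identical for every secret of that length."""
    if leak.branch(len(mac) != len(expected)):
        return False
    diff = 0
    for i in range(len(mac)):
        diff |= mac[leak.addr(i)] ^ expected[leak.addr(i)]
    return diff == 0


def relational_ct_check(
    f: Callable[[bytes, bytes, Leak], bool],
    public: bytes,
    secret_a: bytes,
    secret_b: bytes,
) -> bool:
    """Run f twice with the same public input and two different secrets.
    Constant-time holds for this pair of runs iff the leakage traces coincide.
    A symbolic tool would instead constrain the secrets to be arbitrary and
    ask a solver whether any pair can make the traces differ."""
    la, lb = Leak(), Leak()
    f(public, secret_a, la)
    f(public, secret_b, lb)
    return la.trace == lb.trace


if __name__ == "__main__":
    # Constructed inputs: attacker-supplied MAC is public, the expected MAC
    # (derived from a key) is secret. The two secrets differ from the public
    # value at different positions, so an early exit leaks that position.
    public_mac = bytes(4)
    secret_a = b"\x00\x00\x00\x01"
    secret_b = b"\x01\x00\x00\x00"
    print("early-exit constant-time:", relational_ct_check(compare_early_exit, public_mac, secret_a, secret_b))
    print("constant-time version  :", relational_ct_check(compare_constant_time, public_mac, secret_a, secret_b))
```

The check is deliberately pairwise: a passing result for one pair of secrets is evidence, not proof. That gap is exactly what the symbolic treatment in the paper closes, by reasoning about all secrets at once and, for loops, about relational invariants that hold across both runs.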
