Unifying Compilers for SNARKs, SMT, and More

The programming languages community, the cryptography community, and others rely on translating programs in highlevel source languages (e.g., C) to logical constraint representations. Unfortunately, building compilers for this task is difficult and time consuming. In this work, we show that all of these communities can build upon a shared compiler infrastructure, because they all share a common abstraction: stateless, non-deterministic computations that we call existentially quantified circuits, or EQCs. To make our approach concrete we create CirC, an infrastructure for building compilers to EQCs. CirC makes it easy to add support for new EQCs: we build support for two, one used by the PL community and one used by the cryptography community, in ≈2000 LOC. It’s also easy to extend CirC to support new source languages: we build a featurecomplete compiler for a cryptographic language in one week and ≈700 LOC, whereas the reference compiler for the same language took years to write, comprises ≈24000 LOC, and produces worse-performing output than our compiler. Finally, CirC enables novel applications that combine multiple EQCs. For example, we build the first pipeline that (1) automatically identifies bugs in programs, then (2) automatically constructs cryptographic proofs of the bugs’ existence.

[1]  S. Rajamani,et al.  A decade of software model checking with SLAM , 2011, Commun. ACM.

[2]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[3]  Emina Torlak,et al.  A lightweight symbolic virtual machine for solver-aided host languages , 2014, PLDI.

[4]  Dan Grossman,et al.  Verified peephole optimizations for CompCert , 2016, PLDI.

[5]  Carsten Sinz,et al.  A Precise Memory Model for Low-Level Bounded Model Checking , 2010, SSV.

[6]  Luka Daoud,et al.  A Survey of High Level Synthesis Languages, Tools, and Compilers for Reconfigurable High Performance Computing , 2013, ICSS.

[7]  Aron Laszka,et al.  The Rules of Engagement for Bug Bounty Programs , 2018, Financial Cryptography.

[8]  Brian W. Kernighan,et al.  AMPL: A Modeling Language for Mathematical Programming , 1993 .

[9]  Nikolaj Bjrner,et al.  Applications of SMT solvers to Program Verication , 2014 .

[10]  Dawson R. Engler,et al.  Under-Constrained Symbolic Execution: Correctness Checking for Real Code , 2015, USENIX Annual Technical Conference.

[11]  Dirk Beyer,et al.  Automatic Verification of C and Java Programs: SV-COMP 2019 , 2019, TACAS.

[12]  Nirav Dave,et al.  Smten with satisfiability-based search , 2014, OOPSLA 2014.

[13]  Jorge A. Navas,et al.  A Context-Sensitive Memory Model for Verification of C/C++ Programs , 2017, SAS.

[14]  Benjamin Braun,et al.  Resolving the conflict between generality and plausibility in verified computation , 2013, EuroSys '13.

[15]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[16]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[17]  Juan Chen,et al.  Verifying higher-order programs with the dijkstra monad , 2013, PLDI.

[18]  Zvonimir Rakamaric,et al.  SMACK: Decoupling Source Language Details from Verifier Implementations , 2014, CAV.

[19]  Manuel Blum,et al.  Checking the correctness of memories , 2005, Algorithmica.

[20]  Monica S. Lam,et al.  Maximizing Multiprocessor Performance with the SUIF Compiler , 1996, Digit. Tech. J..

[21]  Roberto Baldoni,et al.  A Survey of Symbolic Execution Techniques , 2016, ACM Comput. Surv..

[22]  Koushik Sen,et al.  Symbolic execution for software testing: three decades later , 2013, CACM.

[23]  Emina Torlak,et al.  Growing solver-aided languages with rosette , 2013, Onward!.

[24]  Matthias Schunter,et al.  Fair Exchange , 2011, Encyclopedia of Cryptography and Security.

[25]  Ranjit Jhala,et al.  Refinement types for Haskell , 2014, ICFP.

[26]  Benjamin Braun Compiling computations to constraints for verified computation , 2012 .

[27]  Ari Juels,et al.  Enter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts , 2018, IACR Cryptol. ePrint Arch..

[28]  Stefan Tai,et al.  ZoKrates - Scalable Privacy-Preserving Off-Chain Computations , 2018, 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData).

[29]  Wolfram Schulte,et al.  A Precise Yet Efficient Memory Model For C , 2009, Electron. Notes Theor. Comput. Sci..

[30]  Armin Biere,et al.  Boolector: An Efficient SMT Solver for Bit-Vectors and Arrays , 2009, TACAS.

[31]  Meng Xu,et al.  QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing , 2018, USENIX Security Symposium.

[32]  Yehuda Lindell,et al.  Secure Multiparty Computation (MPC) , 2020, IACR Cryptol. ePrint Arch..

[33]  R. M. Burstall,et al.  Some Techniques for Proving Correctness of Programs which Alter Data Structures , 2013 .

[34]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[35]  George Danezis,et al.  Pinocchio coin: building zerocoin from a succinct pairing-based proof system , 2013, PETShop '13.

[36]  Emina Torlak,et al.  Scaling symbolic evaluation for automated verification of systems code with Serval , 2019, SOSP.

[37]  Andrew J. Blumberg,et al.  Verifying computations without reexecuting them: from theoretical possibility to near-practicality , 2013, Electron. Colloquium Comput. Complex..

[38]  Donald Beaver,et al.  Efficient Multiparty Protocols Using Circuit Randomization , 1991, CRYPTO.

[39]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[40]  Helmut Veith,et al.  Secure two-party computations in ANSI C , 2012, CCS.

[41]  Aina Niemetz,et al.  Bitwuzla at the SMT-COMP 2020 , 2020, ArXiv.

[42]  Peter Müller,et al.  Viper: A Verification Infrastructure for Permission-Based Reasoning , 2016, VMCAI.

[43]  Zvonimir Rakamaric,et al.  Verifying Rust Programs with SMACK , 2018, ATVA.

[44]  Ákos Hajdu,et al.  solc-verify: A Modular Verifier for Solidity Smart Contracts , 2019, VSTTE.

[45]  Sumit Gulwani,et al.  From program verification to program synthesis , 2010, POPL '10.

[46]  Benjamin Braun,et al.  Verifying computations with state , 2013, IACR Cryptol. ePrint Arch..

[47]  Santosh Nagarakatte,et al.  Alive-FP: Automated Verification of Floating Point Based Peephole Optimizations in LLVM , 2016, SAS.

[48]  Eli Ben-Sasson,et al.  SNARKs for C: Verifying Program Executions Succinctly and in Zero Knowledge , 2013, CRYPTO.

[49]  Daniel Kroening,et al.  JBMC: A Bounded Model Checking Tool for Verifying Java Bytecode , 2018, CAV.

[50]  Jens Groth,et al.  Nearly Linear-Time Zero-Knowledge Proofs for Correct Program Execution , 2018, IACR Cryptol. ePrint Arch..

[51]  Benny Pinkas,et al.  Fairplay - Secure Two-Party Computation System , 2004, USENIX Security Symposium.

[52]  Uday Bondhugula,et al.  MLIR: A Compiler Infrastructure for the End of Moore's Law , 2020, ArXiv.

[53]  Pierre-Yves Strub,et al.  Dependent types and multi-monadic effects in F* , 2016, POPL.

[54]  Thomas Ball,et al.  The Static Driver Verifier Research Platform , 2010, CAV.

[55]  Wei Wang,et al.  Partitioned Memory Models for Program Analysis , 2017, VMCAI.

[56]  Benjamin Livshits,et al.  ZØ: An Optimizing Distributing Zero-Knowledge Compiler , 2014, USENIX Security Symposium.

[57]  Viktor Kuncak,et al.  Constraints as control , 2012, POPL '12.

[58]  Deian Stefan,et al.  Pretend synchrony: synchronous verification of asynchronous distributed programs , 2019, Proc. ACM Program. Lang..

[59]  Matthew Green,et al.  ZEXE: Enabling Decentralized Private Computation , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[60]  Sanjeev Arora,et al.  Computational Complexity: A Modern Approach , 2009 .

[61]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[62]  Zuocheng Ren,et al.  Efficient RAM and control flow in verifiable outsourced computation , 2015, NDSS.

[63]  Patrice Godefroid,et al.  SAGE: Whitebox Fuzzing for Security Testing , 2012, ACM Queue.

[64]  Nikolai Kosmatov,et al.  Frama-C: A software analysis perspective , 2015, Formal Aspects of Computing.

[65]  Andres Nötzli,et al.  LifeJacket: verifying precise floating-point optimizations in LLVM , 2016, SOAP@PLDI.

[66]  Stefan Katzenbeisser,et al.  HyCC: Compilation of Hybrid Protocols for Practical Secure Computation , 2018, CCS.

[67]  Jean-Christophe Filliâtre,et al.  Why3 - Where Programs Meet Provers , 2013, ESOP.

[68]  George Candea,et al.  S2E: a platform for in-vivo multi-path analysis of software systems , 2011, ASPLOS XVI.

[69]  Alexander Aiken,et al.  Saturn: A scalable framework for error detection using Boolean satisfiability , 2007, TOPL.

[70]  Eli Ben-Sasson,et al.  Scalable Zero Knowledge Via Cycles of Elliptic Curves , 2014, Algorithmica.

[71]  Aron Laszka,et al.  Banishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms , 2016, ESORICS.

[72]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[73]  Alexander Aiken,et al.  TASO: optimizing deep learning computation with automatic generation of graph substitutions , 2019, SOSP.

[74]  Benjamin Braun,et al.  Taking Proof-Based Verified Computation a Few Steps Closer to Practicality , 2012, USENIX Security Symposium.

[75]  Peter Müller,et al.  The Axiom Profiler: Understanding and Debugging SMT Quantifier Instantiations , 2019, TACAS.

[76]  Jonathan Katz,et al.  vSQL: Verifying Arbitrary SQL Queries over Dynamic Outsourced Databases , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[77]  Dan Boneh,et al.  Scaling Verifiable Computation Using Efficient Set Accumulators , 2019, IACR Cryptol. ePrint Arch..

[78]  Ahmad-Reza Sadeghi,et al.  TASTY: tool for automating secure two-party computations , 2010, CCS '10.

[79]  Clark W. Barrett,et al.  The SMT-LIB Standard Version 2.0 , 2010 .

[80]  Silvio Micali,et al.  A Completeness Theorem for Protocols with Honest Majority , 1987, STOC 1987.

[81]  Andrew Chi-Chih Yao,et al.  Protocols for secure computations , 1982, FOCS 1982.

[82]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[83]  Frank Piessens,et al.  The VeriFast program verifier , 2008 .

[84]  Koushik Sen,et al.  CUTE: a concolic unit testing engine for C , 2005, ESEC/FSE-13.

[85]  Eli Ben-Sasson,et al.  Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[86]  Niki Vazou,et al.  Liquid Haskell: Haskell as a Theorem Prover , 2016 .

[87]  Benny Pinkas,et al.  FairplayMP: a system for secure multi-party computation , 2008, CCS.

[88]  John Regehr,et al.  Provably correct peephole optimizations with alive , 2015, PLDI.

[89]  Rafail Ostrovsky,et al.  Zero-knowledge from secure multiparty computation , 2007, STOC '07.

[90]  Srinath T. V. Setty,et al.  A Hybrid Architecture for Interactive Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[91]  Sanjit A. Seshia,et al.  Combinatorial sketching for finite programs , 2006, ASPLOS XII.

[92]  Jon Howell,et al.  Geppetto: Versatile Verifiable Computation , 2015, 2015 IEEE Symposium on Security and Privacy.

[93]  Elaine Shi,et al.  xJsnark: A Framework for Efficient Verifiable Computation , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[94]  Daniel Kroening,et al.  A Tool for Checking ANSI-C Programs , 2004, TACAS.

[95]  Ari Juels,et al.  The Hydra Framework for Principled, Automated Bug Bounties , 2019, IEEE Security & Privacy.

[96]  Viktor Kuncak,et al.  Synthesis modulo recursive functions , 2013, OOPSLA.

[97]  Avi Wigderson,et al.  Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation (Extended Abstract) , 1988, STOC.

[98]  Bernd Fischer,et al.  SMT-Based Bounded Model Checking for Embedded ANSI-C Software , 2012, IEEE Transactions on Software Engineering.

[99]  Aurélien Francillon,et al.  Symbolic execution with SymCC: Don't interpret, compile! , 2020, USENIX Security Symposium.

[100]  Chang Liu,et al.  Term rewriting and all that , 2000, SOEN.

[101]  Bruno Dutertre,et al.  Yices 2.2 , 2014, CAV.

[102]  Abhi Shelat,et al.  Full Accounting for Verifiable Outsourcing , 2017, CCS.

[103]  Albert Rubio,et al.  Synthesis of Super-Optimized Smart Contracts Using Max-SMT , 2020, CAV.

[104]  Fan Zhang,et al.  Sealed-Glass Proofs: Using Transparent Enclaves to Prove and Sell Knowledge , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[105]  François Bobot,et al.  Deductive Proof of Ethereum Smart Contracts Using Why3 , 2019, ArXiv.

[106]  K. Rustan M. Leino,et al.  This is Boogie 2 , 2016 .

[107]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[108]  Jan Smans,et al.  Verification of Concurrent Programs with Chalice , 2009, FOSAD.

[109]  Deian Stefan,et al.  Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code , 2020, USENIX Security Symposium.