Tweet
Tweet

Slide 1

Slide 1 text

Thoughts on Rust Cryptography Tony Arcieri Mozilla SF December 19th, 2014

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

This Talk • 2014: This year in cryptography • Is Rust a good language for crypto? • Survey of the Rust crypto landscape • A Rust common crypto library • Measuring timing variability in Rust

Slide 6

Slide 6 text

2014 Year In Review

Slide 7

Slide 7 text

• Java: Bleichenbacher OOB MitM (JCE) • Apple: “goto fail” MitM (SecureTransport) • GNUTLS: “goto cleanup” MitM • OpenSSL: “Heartbleed” Memory Exposure • TLS: Triple-Handshake MitM • NSS: “BERserk” MitM (Firefox/Chrome) • SSLv3: “POODLE” ciphertext recovery • Microsoft: “Winshock” RCE (SChannel)

Slide 8

Slide 8 text

• Java: Bleichenbacher OOB MitM (JCE) • Apple: “goto fail” MitM (SecureTransport) • GNUTLS: “goto cleanup” MitM • OpenSSL: “Heartbleed” Memory Exposure • TLS: Triple-Handshake MitM • NSS: “BERserk” MitM (Firefox/Chrome) • SSLv3 (and TLS): “POODLE” ciphertext recovery • Microsoft: “Winshock” RCE (SChannel) BITES AGAIN!!!

Slide 9

Slide 9 text

Themes?

Slide 10

Slide 10 text

• Java: Bleichenbacher OOB MitM (JCE) • Apple: “goto fail” MitM (SecureTransport) • GNUTLS: “goto cleanup” MitM • OpenSSL: “Heartbleed” Memory Exposure • TLS: Triple-Handshake MitM • NSS: “BERserk” MitM (Firefox/Chrome) • SSLv3 (and TLS): “POODLE” ciphertext recovery • Microsoft: “Winshock” RCE (SChannel) SSL/TLS Design Flaws

Slide 11

Slide 11 text

• Java: Bleichenbacher OOB MitM (JCE) • Apple: “goto fail” MitM (SecureTransport) • GNUTLS: “goto cleanup” MitM • OpenSSL: “Heartbleed” Memory Exposure • TLS: Triple-Handshake MitM • NSS: “BERserk” MitM (Firefox/Chrome) • SSLv3 (and TLS): “POODLE” ciphertext recovery • Microsoft: “Winshock” RCE (SChannel) SSL/TLS Design Flaws

Slide 12

Slide 12 text

https://xkcd.com/1354/

Slide 13

Slide 13 text

• Java: Bleichenbacher OOB MitM (JCE) • Apple: “goto fail” MitM (SecureTransport) • GNUTLS: “goto cleanup” MitM • OpenSSL: “Heartbleed” Memory Exposure • TLS: Triple-Handshake MitM • NSS: “BERserk” MitM (Firefox/Chrome) • SSLv3 (and TLS): “POODLE” ciphertext recovery • Microsoft: “Winshock” RCE (SChannel) SSL/TLS Design Flaws

Slide 14

Slide 14 text

• Java: Bleichenbacher OOB MitM (JCE) • Apple: “goto fail” MitM (SecureTransport) • GNUTLS: “goto cleanup” MitM • OpenSSL: “Heartbleed” Memory Exposure • TLS: Triple-Handshake MitM • NSS: “BERserk” MitM (Firefox/Chrome) • SSLv3 (and TLS): “POODLE” ciphertext recovery • Microsoft: “Winshock” RCE (SChannel) C is a crappy language

Slide 15

Slide 15 text

“goto fail” Apple SecureTransport

Slide 16

Slide 16 text

http://tinyurl.com/tlsundersiege

Slide 17

Slide 17 text

“goto fail”

Slide 18

Slide 18 text

“goto fail” oops

Slide 19

Slide 19 text

“goto fail” dead code

Slide 20

Slide 20 text

“goto fail” mandatory braces?

Slide 21

Slide 21 text

“goto fail” automatic cleanup?

Slide 22

Slide 22 text

“goto fail” goto considered harmful maybe?

Slide 23

Slide 23 text

“goto cleanup” GNUTLS http://www.cigital.com/justice-league-blog/2014/03/07/understanding-gnutls-certificate-verification-bug/

Slide 24

Slide 24 text

GOTO BAD!!!

Slide 25

Slide 25 text

Actually, it’s about representing booleans as integers

Slide 26

Slide 26 text

_gnutls_verify_certificate2

Slide 27

Slide 27 text

_gnutls_verify_certificate2 zero == NOT CA

Slide 28

Slide 28 text

check_if_ca 0: false 1: true

Slide 29

Slide 29 text

check_if_ca

Slide 30

Slide 30 text

check_if_ca less-than-zero == ERROR

Slide 31

Slide 31 text

check_if_ca less-than-zero == ERROR

Slide 32

Slide 32 text

check_if_ca less-than-zero == ERROR

Slide 33

Slide 33 text

_gnutls_verify_certificate2 less-than-zero != zero

Slide 34

Slide 34 text

_gnutls_verify_certificate2 less-than-zero == IT’S A CA!!!

Slide 35

Slide 35 text

How do we fix this?

Slide 36

Slide 36 text

“Should’ve used != 1”

Slide 37

Slide 37 text

true and false

Slide 38

Slide 38 text

true and false and maybe get rid of goto…

Slide 39

Slide 39 text

Is zero false or true?

Slide 40

Slide 40 text

What’s going on? https://www.openssl.org/docs/ssl/SSL_shutdown.html

Slide 41

Slide 41 text

What’s going on? https://www.openssl.org/docs/ssl/SSL_shutdown.html when in doubt, call twice

Slide 42

Slide 42 text

OpenSSL

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

Which was the worst?

Slide 45

Slide 45 text

“Winshock” Microsoft SChannel Remote Code Execution

Slide 46

Slide 46 text

Remote Code Execution

Slide 47

Slide 47 text

How do we fix this?

Slide 48

Slide 48 text

Memory Safety

Slide 49

Slide 49 text

Things that might help • Dead code detection • Mandatory braces • Automatic resource management • No goto statement • true/false (and better ways of handling errors) • Memory safety

Slide 50

Slide 50 text

Is Rust a good language for crypto?

Slide 51

Slide 51 text

Things Rust has • Dead code detection • Mandatory braces • Automatic resource management • No goto statement • true/false (and better ways of handling errors) • Memory safety

Slide 52

Slide 52 text

What problems do we need to solve to create robust cryptography?

Slide 53

Slide 53 text

Timing side-channels

Slide 54

Slide 54 text

http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

Slide 55

Slide 55 text

http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

Slide 56

Slide 56 text

http://tonyarcieri.com/cream-the-scary-ssl-attack-youve-probably-never-heard-of

Slide 57

Slide 57 text

Bad: OpenSSL

Slide 58

Slide 58 text

Good: djb

Slide 59

Slide 59 text

Lucky 13 http://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf

Slide 60

Slide 60 text

— Nadhem J. AlFardan and Kenneth G. Paterson "In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet be discovered."

Slide 61

Slide 61 text

http://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf

Slide 62

Slide 62 text

https://github.com/dmayer/time_trial

Slide 63

Slide 63 text

What rules must we follow to create robust cryptographic implementations?

Slide 64

Slide 64 text

Cryptocoding.net Rules • Compare secret strings in constant time • Avoid branchings controlled by secret data • Avoid table look-ups indexed by secret data • Avoid secret-dependent loop bounds • Prevent compiler interference with security-critical operations • Prevent confusion between secure and insecure APIs • Avoid mixing security and abstraction levels of cryptographic primitives in the same API layer • Use unsigned bytes to represent binary data • Use separate types for secret and non-secret information • Use separate types for different types of information • Clean memory of secret data • Use strong randomness

Slide 65

Slide 65 text

Constant Time Operation • Compare secret strings in constant time • Avoid branchings controlled by secret data • Avoid table look-ups indexed by secret data • Avoid secret-dependent loop bounds

Slide 66

Slide 66 text

Avoid “Optimizations” • Prevent compiler interference with security- critical operations

Slide 67

Slide 67 text

Clear Abstractions • Prevent confusion between secure and insecure APIs • Avoid mixing security and abstraction levels of cryptographic primitives in the same API layer

Slide 68

Slide 68 text

Types! • Use unsigned bytes to represent binary data • Use separate types for secret and non-secret information • Use separate types for different types of information

Slide 69

Slide 69 text

Clean Up Secrets Zero out memory when done

Slide 70

Slide 70 text

Use Strong Randomess

Slide 71

Slide 71 text

People are working on solutions to all of these problems already

Slide 72

Slide 72 text

No changes to Rust needed!

Slide 73

Slide 73 text

No content

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

Crypto in the standard library limits agility

Slide 76

Slide 76 text

We need all the agility we can get

Slide 77

Slide 77 text

Crypto libraries should be developed and released by crypto experts

Slide 78

Slide 78 text

Survey of the Rust crypto landscape

Slide 79

Slide 79 text

What Rust crypto libraries should I use today?

Slide 80

Slide 80 text

rust-openssl https://github.com/sfackler/rust-openssl

Slide 81

Slide 81 text

rust-openssl https://github.com/sfackler/rust-openssl

Slide 82

Slide 82 text

rust-openssl https://github.com/sfackler/rust-openssl

Slide 83

Slide 83 text

http://tinyurl.com/tlsundersiege

Slide 84

Slide 84 text

sodiumoxide https://github.com/dnaq/sodiumoxide

Slide 85

Slide 85 text

No content

Slide 86

Slide 86 text

Is it safe?

Slide 87

Slide 87 text

libsodium • Portable repackaging of the Networking and Cryptography Library (NaCl a.k.a. “salt”) • Includes Ed25519 and ChaCha20 • Includes the scrypt password hashing function • Includes the Blake2 hash function • Includes SipHash • Some optional libsodium-specific utility functions

Slide 88

Slide 88 text

Pure Rust Crypto WARNING: Proceed with caution!

Slide 89

Slide 89 text

No content

Slide 90

Slide 90 text

rust-crypto https://github.com/DaGenix/rust-crypto

Slide 91

Slide 91 text

rust-crypto • Promising start! • Some good implementations • Some questionable implementations • Sometimes they’re the same!

Slide 92

Slide 92 text

AES-NI “Advanced Encryption Standard New Instructions” Hardware implementation of AES from Intel

Slide 93

Slide 93 text

https://github.com/DaGenix/rust-crypto/blob/master/src/rust-crypto/aesni.rs

Slide 94

Slide 94 text

https://github.com/DaGenix/rust-crypto/blob/master/src/rust-crypto/aesni.rs o_O “aseni? Did you mean “aesni"?

Slide 95

Slide 95 text

https://github.com/DaGenix/rust-crypto/blob/master/src/rust-crypto/aesni.rs

Slide 96

Slide 96 text

asm!

Slide 97

Slide 97 text

Avoid “Optimizations” • Prevent compiler interference with security- critical operations

Slide 98

Slide 98 text

https://github.com/DaGenix/rust-crypto/blob/master/src/rust-crypto/aesni.rs

Slide 99

Slide 99 text

https://github.com/DaGenix/rust-crypto/blob/master/src/rust-crypto/aesni.rs

Slide 100

Slide 100 text

Fast and safe!

Slide 101

Slide 101 text

rust-crypto tl;dr • Good effort! • No immediate security problems on cursory inspection • Clear signs the code has not been well-reviewed • Needs more expert scrutiny to be trusted

Slide 102

Slide 102 text

TARS Protected memory buffers for Rust https://github.com/seb-m/tars

Slide 103

Slide 103 text

Protect Keys! • mprotect! PROT_NONE guard pages • mlock! prevents keys from being swapped out • volatile zero on drop

Slide 104

Slide 104 text

rust-consttime WARNING: DO NOT USE THIS!!!!!!!!!!

Slide 105

Slide 105 text

No content

Slide 106

Slide 106 text

Warning: While this library tries to avoid branches or input-dependent memory operations, the code optimizer may reintroduce them and you should carefully verify the assembly in order to use this.

Slide 107

Slide 107 text

you should carefully verify the assembly in order to use this.

Slide 108

Slide 108 text

No content

Slide 109

Slide 109 text

How do we escape from LLVM’s optimizations?

Slide 110

Slide 110 text

asm!

Slide 111

Slide 111 text

ASM Problems • Architecture specific • Hard to write • Error-prone • Difficult to verify

Slide 112

Slide 112 text

Is it possible to generate constant-time assembly from Rust source code?

Slide 113

Slide 113 text

nadeko Constant-time syntax extension for a limited subset of Rust https://github.com/klutzy/nadeko

Slide 114

Slide 114 text

BLACK F&@KING MAGIC! WARNING:

Slide 115

Slide 115 text

No content

Slide 116

Slide 116 text

Is it constant time?

Slide 117

Slide 117 text

NOPE!

Slide 118

Slide 118 text

NOPE! THANKS LLVM!

Slide 119

Slide 119 text

With nadeko No branches!

Slide 120

Slide 120 text

ROT13 Super-secure constant time version

Slide 121

Slide 121 text

No content

Slide 122

Slide 122 text

No content

Slide 123

Slide 123 text

nadeko • Constant-time arithmetic and bitwise ops • Constant-time basic “if” • No support for “for” yet

Slide 124

Slide 124 text

suruga Ultra-modern (i.e. practically useless) TLS stack https://github.com/klutzy/suruga

Slide 125

Slide 125 text

No content

Slide 126

Slide 126 text

Towards a Rust common crypto library

Slide 127

Slide 127 text

What should a common crypto library provide?

Slide 128

Slide 128 text

Isn’t that just
 rust-crypto?

Slide 129

Slide 129 text

Shared Unsafe Code rust-openssl sodiumoxide rust-crypto Encapsulate and reuse unsafe primitives

Slide 130

Slide 130 text

Rust Common Crypto • Handle zeroing buffers on drop • Protected buffers for keys (ala TARS) • Traits! Traits! Traits! • Constant-time primitives (ala Nadeko)

Slide 131

Slide 131 text

sodiumoxide example

Slide 132

Slide 132 text

sodiumoxide example

Slide 133

Slide 133 text

sodiumoxide example

Slide 134

Slide 134 text

Can we do better?

Slide 135

Slide 135 text

Common crypto library • Common foundation for all crypto libraries • Solve unsafe concerns in one place • Solve constant-time operation in one place • Promote interoperability

Slide 136

Slide 136 text

Measuring timing variability in Rust

Slide 137

Slide 137 text

Verifying constant time operation requires counting CPU cycles

Slide 138

Slide 138 text

Modern CPU • Example clock speed: 2.5 GHz • 2,500,000,000 CPU cycles per second • 0.4 nanoseconds per cycle • 400 picoseconds per cycle

Slide 139

Slide 139 text

Mind Your Nanoseconds!

Slide 140

Slide 140 text

How do we measure CPU cycles?

Slide 141

Slide 141 text

Timestamp Counter (TSC)

Slide 142

Slide 142 text

RDTSC in Rust TSC: 85211194993141998

Slide 143

Slide 143 text

Cyclometer https://github.com/cryptosphere/cyclometer

Slide 144

Slide 144 text

Cyclometer • Automated testing for data-dependent timing variability in Rust cryptographic libraries • Use RDTSC to measure timing • Collect a large number of samples and apply statistical test (e.g. Box Test) to determine if timing variability is distinguishable

Slide 145

Slide 145 text

Lucky 13 http://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf

Slide 146

Slide 146 text

Automatically detect data-dependent timing

Slide 147

Slide 147 text

Vaporware Pull requests accepted!

Slide 148

Slide 148 text

Final thoughts • Rust has immense potential for cryptography but we must tread carefully • Rust code without any branches isn’t necessarily constant time. Beware LLVM! • Stick with wrappers to mainstream crypto libraries until pure Rust crypto is more mature

Slide 149

Slide 149 text

Join the Rust crypto IRC channel! irc.mozilla.org:6697 #rust-crypto

Slide 150

Slide 150 text

That’s all folks!

Slide 151

Slide 151 text

Twitter @bascule Blog tonyarcieri.com IRC Mozilla: bascule Freenode: tarcieri