Thoughts on Rust Cryptography

tarcieri
December 19, 2014

Bay Area Rust Meetup - Mozilla SF (2014)

Video: https://www.youtube.com/watch?v=fO_ox-DGDqw

Transcript

  1. Thoughts on
    Rust Cryptography
    Tony Arcieri
    Mozilla SF
    December 19th, 2014

  2. This Talk
    • 2014: This year in cryptography
    • Is Rust a good language for crypto?
    • Survey of the Rust crypto landscape
    • A Rust common crypto library
    • Measuring timing variability in Rust

  3. 2014
    Year In Review

  4. • Java: Bleichenbacher OOB MitM (JCE)
    • Apple: “goto fail” MitM (SecureTransport)
    • GNUTLS: “goto cleanup” MitM
    • OpenSSL: “Heartbleed” Memory Exposure
    • TLS: Triple-Handshake MitM
    • NSS: “BERserk” MitM (Firefox/Chrome)
    • SSLv3: “POODLE” ciphertext recovery
    • Microsoft: “Winshock” RCE (SChannel)

  5. • Java: Bleichenbacher OOB MitM (JCE)
    • Apple: “goto fail” MitM (SecureTransport)
    • GNUTLS: “goto cleanup” MitM
    • OpenSSL: “Heartbleed” Memory Exposure
    • TLS: Triple-Handshake MitM
    • NSS: “BERserk” MitM (Firefox/Chrome)
    • SSLv3 (and TLS): “POODLE” ciphertext recovery
    • Microsoft: “Winshock” RCE (SChannel) BITES AGAIN!!!

  6. • Java: Bleichenbacher OOB MitM (JCE)
    • Apple: “goto fail” MitM (SecureTransport)
    • GNUTLS: “goto cleanup” MitM
    • OpenSSL: “Heartbleed” Memory Exposure
    • TLS: Triple-Handshake MitM
    • NSS: “BERserk” MitM (Firefox/Chrome)
    • SSLv3 (and TLS): “POODLE” ciphertext recovery
    • Microsoft: “Winshock” RCE (SChannel)
    SSL/TLS Design Flaws

  8. https://xkcd.com/1354/

  10. • Java: Bleichenbacher OOB MitM (JCE)
    • Apple: “goto fail” MitM (SecureTransport)
    • GNUTLS: “goto cleanup” MitM
    • OpenSSL: “Heartbleed” Memory Exposure
    • TLS: Triple-Handshake MitM
    • NSS: “BERserk” MitM (Firefox/Chrome)
    • SSLv3 (and TLS): “POODLE” ciphertext recovery
    • Microsoft: “Winshock” RCE (SChannel)
    C is a crappy language

  11. “goto fail”
    Apple SecureTransport

  12. http://tinyurl.com/tlsundersiege

  13. “goto fail”

  14. “goto fail”
    oops

  15. “goto fail”
    dead code

  16. “goto fail”
    mandatory
    braces?

  17. “goto fail”
    automatic
    cleanup?

  18. “goto fail”
    goto
    considered
    harmful
    maybe?

  19. “goto cleanup”
    GNUTLS
    http://www.cigital.com/justice-league-blog/2014/03/07/understanding-gnutls-certificate-verification-bug/

  20. Actually, it’s about representing
    booleans as integers

  21. _gnutls_verify_certificate2

  22. _gnutls_verify_certificate2
    zero == NOT CA

  23. check_if_ca
    0: false
    1: true

  24. check_if_ca
    less-than-zero == ERROR

  27. _gnutls_verify_certificate2
    less-than-zero != zero

  28. _gnutls_verify_certificate2
    less-than-zero == IT’S A CA!!!

  29. How do we fix this?

  30. “Should’ve used != 1”

  31. true and false

  32. true and false
    and maybe get rid of goto…

  33. Is zero false or true?

  34. What’s going on?
    https://www.openssl.org/docs/ssl/SSL_shutdown.html

  35. What’s going on?
    https://www.openssl.org/docs/ssl/SSL_shutdown.html
    when in doubt, call twice
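
The "boolean as integer" bug class from slides 19 to 35, modelled in Rust as an added example. This is not GnuTLS or OpenSSL code: the `Cert` struct, the `CertError` enum and the `check_if_ca` / `issuer_accepted` names are constructed here to show the C-style API (one `i32` that means "true", "false" or "error") next to the Rust-style API (a `bool` for the answer and a `Result` for failure), with the vulnerable `!= 0` caller, the `== 1` one-line fix, and the `?`-based version that cannot be confused at all.

```rust
/// Minimal stand-in for an X.509 certificate (constructed for this example).
#[derive(Debug, Clone)]
pub struct Cert {
    pub subject: &'static str,
    /// Value of the BasicConstraints "cA" flag, or None if the extension is
    /// missing or could not be parsed.
    pub basic_constraints_ca: Option<bool>,
}

// --- C-style API: one integer carries three meanings -----------------------
//   1 = is a CA        0 = is not a CA        <0 = error while checking
pub fn check_if_ca_c_style(issuer: &Cert) -> i32 {
    match issuer.basic_constraints_ca {
        Some(true) => 1,
        Some(false) => 0,
        None => -1, // error: extension unreadable
    }
}

/// Mirrors the vulnerable caller logic from the slides: "zero == NOT CA", so
/// anything else, including a negative error code, is accepted as a CA.
/// The bug is intentional; it is the pattern being illustrated.
pub fn issuer_accepted_c_style(issuer: &Cert) -> bool {
    check_if_ca_c_style(issuer) != 0
}

/// The one-line C fix the slides mention ("should've used != 1"): only an
/// explicit 1 means "is a CA".
pub fn issuer_accepted_c_style_fixed(issuer: &Cert) -> bool {
    check_if_ca_c_style(issuer) == 1
}

// --- Rust-style API: bool for the answer, Result for failure ---------------
#[derive(Debug, PartialEq, Eq)]
pub enum CertError {
    MissingBasicConstraints,
    IssuerNotCa,
}

pub fn check_if_ca(issuer: &Cert) -> Result<bool, CertError> {
    issuer.basic_constraints_ca.ok_or(CertError::MissingBasicConstraints)
}

/// `?` propagates the error; what remains is a real bool, so there is no
/// integer value that can be mistaken for "true".
pub fn issuer_accepted(issuer: &Cert) -> Result<(), CertError> {
    if check_if_ca(issuer)? {
        Ok(())
    } else {
        Err(CertError::IssuerNotCa)
    }
}

// Constructed test certificates.
pub fn good_ca() -> Cert {
    Cert { subject: "Example Root CA", basic_constraints_ca: Some(true) }
}
pub fn leaf_not_ca() -> Cert {
    Cert { subject: "www.example.com", basic_constraints_ca: Some(false) }
}
pub fn broken_issuer() -> Cert {
    Cert { subject: "Malformed Intermediate", basic_constraints_ca: None }
}

fn main() {
    for cert in [good_ca(), leaf_not_ca(), broken_issuer()] {
        println!(
            "{:<24} C-style(!=0): {:<5} C-style(==1): {:<5} Rust: {:?}",
            cert.subject,
            issuer_accepted_c_style(&cert),
            issuer_accepted_c_style_fixed(&cert),
            issuer_accepted(&cert)
        );
    }
}
```

The interesting row is the malformed intermediate: the `!= 0` caller accepts it as a CA because `-1 != 0`, the `== 1` caller rejects it, and the `Result`-based caller never reaches the comparison at all because the error is propagated first. The same shape explains the SSL_shutdown slide: a return value that packs "done", "not yet" and "error" into one integer invites exactly this confusion.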

  36. Which was the worst?

  37. “Winshock”
    Microsoft SChannel Remote Code Execution

  38. Remote Code Execution

  39. How do we fix this?

  40. Memory Safety

  41. Things that might help
    • Dead code detection
    • Mandatory braces
    • Automatic resource management
    • No goto statement
    • true/false (and better ways of handling errors)
    • Memory safety

  42. Is Rust a good
    language for crypto?

  43. Things Rust has
    • Dead code detection
    • Mandatory braces
    • Automatic resource management
    • No goto statement
    • true/false (and better ways of handling errors)
    • Memory safety

  44. What problems do we
    need to solve to create
    robust cryptography?

  45. Timing side-channels

  46. http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

  48. http://tonyarcieri.com/cream-the-scary-ssl-attack-youve-probably-never-heard-of

  49. Bad: OpenSSL

  50. Lucky 13
    http://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf

  51. — Nadhem J. AlFardan and Kenneth G. Paterson
    "In this sense, the attacks do not pose a
    significant danger to ordinary users of TLS in
    their current form. However, it is a truism that
    attacks only get better with time, and we
    cannot anticipate what improvements to our
    attacks, or entirely new attacks, may yet be
    discovered."

  52. http://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf

  53. https://github.com/dmayer/time_trial

  54. What rules must we follow to
    create robust cryptographic
    implementations?

  55. Cryptocoding.net Rules
    • Compare secret strings in constant time
    • Avoid branchings controlled by secret data
    • Avoid table look-ups indexed by secret data
    • Avoid secret-dependent loop bounds
    • Prevent compiler interference with security-critical operations
    • Prevent confusion between secure and insecure APIs
    • Avoid mixing security and abstraction levels of cryptographic primitives in the same API layer
    • Use unsigned bytes to represent binary data
    • Use separate types for secret and non-secret information
    • Use separate types for different types of information
    • Clean memory of secret data
    • Use strong randomness

  56. Constant Time Operation
    • Compare secret strings in constant time
    • Avoid branchings controlled by secret data
    • Avoid table look-ups indexed by secret data
    • Avoid secret-dependent loop bounds

  57. Avoid “Optimizations”
    • Prevent compiler interference with security-
    critical operations

  58. Clear Abstractions
    • Prevent confusion between secure and insecure
    APIs
    • Avoid mixing security and abstraction levels of
    cryptographic primitives in the same API layer

  59. Types!
    • Use unsigned bytes to represent binary data
    • Use separate types for secret and non-secret
    information
    • Use separate types for different types of
    information

  60. Clean Up Secrets
    Zero out memory when done

  61. Use Strong
    Randomness
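
Three of the cryptocoding.net rules from slides 55 to 60 (constant-time comparison of secrets, a separate type for secret data, zeroing memory when done) in plain Rust, as an added example. It is not code from the talk or from rust-crypto, sodiumoxide or TARS; the `SecretKey` type and the `ct_eq` and `zeroize` helpers are constructed here, and it uses only the standard library.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Constant-time equality for two byte slices. The only early return is on a
/// length mismatch, which is public information. Every byte is visited and the
/// differences are OR-accumulated, so the work done does not depend on *where*
/// the first mismatch is.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    // A volatile read is a best-effort barrier so LLVM cannot "help" by
    // turning the accumulate into an early-exit loop. It is a hint, not a
    // proof: the talk's point about inspecting the assembly still stands.
    // SAFETY: `diff` is a live, initialised local.
    unsafe { ptr::read_volatile(&diff) == 0 }
}

/// Overwrite a buffer with zeros using volatile stores, so the writes are not
/// dropped as dead stores when the buffer is never read again.
pub fn zeroize(bytes: &mut [u8]) {
    for b in bytes.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusive reference to one byte.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// A fixed-size secret. Deliberately *not* Debug, Display or Clone, so a key
/// cannot be logged, formatted into an error, or duplicated by accident; the
/// only way to read it is the explicitly named `expose()`.
pub struct SecretKey {
    bytes: [u8; 32],
}

impl SecretKey {
    pub fn from_bytes(bytes: [u8; 32]) -> Self {
        SecretKey { bytes }
    }
    pub fn expose(&self) -> &[u8; 32] {
        &self.bytes
    }
}

/// Equality on secrets goes through ct_eq, so `==` on keys is constant time.
impl PartialEq for SecretKey {
    fn eq(&self, other: &Self) -> bool {
        ct_eq(&self.bytes, &other.bytes)
    }
}
impl Eq for SecretKey {}

/// Zero the key material when the value goes out of scope.
impl Drop for SecretKey {
    fn drop(&mut self) {
        zeroize(&mut self.bytes);
    }
}

fn main() {
    let k1 = SecretKey::from_bytes([0x11; 32]);
    let k2 = SecretKey::from_bytes([0x11; 32]);
    let mut k3_bytes = [0x11; 32];
    k3_bytes[31] = 0x12; // differs only in the last byte
    let k3 = SecretKey::from_bytes(k3_bytes);
    println!("k1 == k2: {}", k1 == k2); // true, in constant time
    println!("k1 == k3: {}", k1 == k3); // false, same amount of work
    println!("first byte via expose(): {:02x}", k1.expose()[0]);
} // k1, k2, k3 are zeroed here by Drop
```

The volatile read and volatile stores are the standard-library answer to "prevent compiler interference", but they only constrain what the optimizer may delete or reorder, not the instruction selection it chooses; the later slides on nadeko and Cyclometer are about the remaining gap.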

  62. People are working on
    solutions to all of these
    problems already

  63. No changes to Rust
    needed!

  64. Crypto in the standard
    library limits agility

  65. We need all the agility
    we can get

  66. Crypto libraries should be
    developed and released
    by crypto experts

  67. Survey of the Rust
    crypto landscape

  68. What Rust crypto libraries
    should I use today?

  69. rust-openssl
    https://github.com/sfackler/rust-openssl

  72. http://tinyurl.com/tlsundersiege

  73. sodiumoxide
    https://github.com/dnaq/sodiumoxide

  74. libsodium
    • Portable repackaging of the Networking and
    Cryptography Library (NaCl a.k.a. “salt”)
    • Includes Ed25519 and ChaCha20
    • Includes the scrypt password hashing function
    • Includes the Blake2 hash function
    • Includes SipHash
    • Some optional libsodium-specific utility functions

  75. Pure Rust Crypto
    WARNING: Proceed with caution!

  76. rust-crypto
    https://github.com/DaGenix/rust-crypto

  77. rust-crypto
    • Promising start!
    • Some good implementations
    • Some questionable implementations
    • Sometimes they’re the same!

  78. AES-NI
    “Advanced Encryption Standard New Instructions”
    Hardware implementation of AES from Intel

  79. https://github.com/DaGenix/rust-crypto/blob/master/src/rust-crypto/aesni.rs

  80. https://github.com/DaGenix/rust-crypto/blob/master/src/rust-crypto/aesni.rs
    o_O “aseni”? Did you mean “aesni”?

  82. Avoid “Optimizations”
    • Prevent compiler interference with security-
    critical operations

  85. Fast and safe!

  86. rust-crypto tl;dr
    • Good effort!
    • No immediate security problems on cursory
    inspection
    • Clear signs the code has not been well-reviewed
    • Needs more expert scrutiny to be trusted

  87. TARS
    Protected memory buffers for Rust
    https://github.com/seb-m/tars

  88. Protect Keys!
    • mprotect! PROT_NONE guard pages
    • mlock! prevents keys from being swapped out
    • volatile zero on drop

  89. rust-consttime
    WARNING: DO NOT USE THIS!!!!!!!!!!

  90. Warning: While this library tries to avoid
    branches or input-dependent memory
    operations, the code optimizer may
    reintroduce them and you should carefully
    verify the assembly in order to use this.

  91. you should carefully
    verify the assembly in
    order to use this.

  92. How do we escape from
    LLVM’s optimizations?

  93. ASM Problems
    • Architecture specific
    • Hard to write
    • Error-prone
    • Difficult to verify

  94. Is it possible to generate
    constant-time assembly
    from Rust source code?

  95. nadeko
    Constant-time syntax extension for a limited subset of Rust
    https://github.com/klutzy/nadeko

  96. WARNING:
    BLACK
    F&@KING
    MAGIC!

  97. Is it constant time?

  98. NOPE!
    THANKS LLVM!

  99. With nadeko
    No branches!

  100. ROT13
    Super-secure constant time version

  101. nadeko
    • Constant-time arithmetic and bitwise ops
    • Constant-time basic “if”
    • No support for “for” yet
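
The mask-based "constant-time if" that nadeko generates, written out by hand for the ROT13 example from slide 100, as an added example. This is not nadeko's output or API; `ct_mask_ge`, `ct_mask_le`, `ct_select` and `rot13_ct` are names constructed here. Every candidate result is computed for every byte and a 0x00/0xFF mask selects the right one, so there is no secret-dependent branch, table lookup or modulo; the ordinary branchy version sits beside it for comparison.

```rust
/// 0xFF if x >= lo, else 0x00, with no branch: compute x - lo in a wider
/// signed type and smear its sign bit with an arithmetic shift.
pub fn ct_mask_ge(x: u8, lo: u8) -> u8 {
    let d = (x as i32) - (lo as i32); // negative iff x < lo
    (!(d >> 31)) as u8                // d >> 31 is 0 or -1; invert, truncate
}

/// 0xFF if x <= hi, else 0x00.
pub fn ct_mask_le(x: u8, hi: u8) -> u8 {
    let d = (hi as i32) - (x as i32); // negative iff x > hi
    (!(d >> 31)) as u8
}

/// Branch-free "if mask { a } else { b }" for an all-ones / all-zeros mask.
pub fn ct_select(mask: u8, a: u8, b: u8) -> u8 {
    (mask & a) | (!mask & b)
}

/// The obvious ROT13: the `if`s branch on the data, so its timing depends on
/// the character class of each byte.
pub fn rot13_branchy(c: u8) -> u8 {
    if c.is_ascii_lowercase() {
        (c - b'a' + 13) % 26 + b'a'
    } else if c.is_ascii_uppercase() {
        (c - b'A' + 13) % 26 + b'A'
    } else {
        c
    }
}

/// Mask-based ROT13: compute the lowercase, uppercase and unchanged results
/// unconditionally, then select. The `% 26` becomes a masked subtract.
pub fn rot13_ct(c: u8) -> u8 {
    let r = c.wrapping_add(13);
    let lower = ct_mask_ge(c, b'a') & ct_mask_le(c, b'z');
    let upper = ct_mask_ge(c, b'A') & ct_mask_le(c, b'Z');
    // If +13 overshot the end of the alphabet, wrap by subtracting 26.
    let rl = r.wrapping_sub(ct_mask_ge(r, b'z' + 1) & 26);
    let ru = r.wrapping_sub(ct_mask_ge(r, b'Z' + 1) & 26);
    let out = ct_select(upper, ru, c);
    ct_select(lower, rl, out)
}

pub fn rot13_ct_bytes(input: &[u8]) -> Vec<u8> {
    input.iter().map(|&c| rot13_ct(c)).collect()
}

fn main() {
    let msg = b"Hello, World! attack at dawn"; // constructed sample input
    let enc = rot13_ct_bytes(msg);
    println!("{}", String::from_utf8_lossy(&enc));
    // Cross-check the branch-free version against the branchy one for every byte.
    let agree = (0u8..=255).all(|c| rot13_ct(c) == rot13_branchy(c));
    println!("rot13_ct matches rot13_branchy for all 256 inputs: {}", agree);
}
```

This is the same caveat the slides attach to nadeko and rust-consttime: the source has no branches, but nothing stops LLVM from recognising the mask pattern and lowering it to a conditional jump instead of `cmov`-style code. Compile with `rustc --emit asm` (or `cargo rustc --release -- --emit asm`) and read the output for `rot13_ct` before relying on it.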

  102. suruga
    Ultra-modern (i.e. practically useless) TLS stack
    https://github.com/klutzy/suruga

  103. Towards a Rust
    common crypto library

  104. What should a common
    crypto library provide?

  105. Isn’t that just
    rust-crypto?

  106. Shared Unsafe Code
    rust-openssl sodiumoxide rust-crypto
    Encapsulate and reuse
    unsafe primitives

  107. Rust Common Crypto
    • Handle zeroing buffers on drop
    • Protected buffers for keys (ala TARS)
    • Traits! Traits! Traits!
    • Constant-time primitives (ala Nadeko)

  108. sodiumoxide example

  111. Can we do better?

  112. Common crypto library
    • Common foundation for all crypto libraries
    • Solve unsafe concerns in one place
    • Solve constant-time operation in one place
    • Promote interoperability

  113. Measuring timing
    variability in Rust

  114. Verifying constant time
    operation requires
    counting CPU cycles

  115. Modern CPU
    • Example clock speed: 2.5 GHz
    • 2,500,000,000 CPU cycles per second
    • 0.4 nanoseconds per cycle
    • 400 picoseconds per cycle

  116. Mind Your Nanoseconds!

  117. How do we measure
    CPU cycles?

  118. Timestamp Counter
    (TSC)

  119. RDTSC in Rust
    TSC: 85211194993141998

  120. Cyclometer
    https://github.com/cryptosphere/cyclometer

  121. Cyclometer
    • Automated testing for data-dependent timing
    variability in Rust cryptographic libraries
    • Use RDTSC to measure timing
    • Collect a large number of samples and apply
    statistical test (e.g. Box Test) to determine if
    timing variability is distinguishable

  122. Lucky 13
    http://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf

  123. Automatically detect
    data-dependent timing
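
The measurement procedure from slides 114 to 123 (read the TSC, collect many samples per input class, apply a box test) as an added, self-contained harness. It is not Cyclometer's code or API; `cycles`, `sample_cycles`, `box_test` and `BoxTestReport` are names constructed here. On x86-64 it uses the `_rdtsc` intrinsic from `core::arch` (preceded by `lfence` so earlier instructions have retired), and on other architectures falls back to a much coarser wall-clock nanosecond counter. The target it measures is a deliberately leaky early-exit comparison, with one input class differing from the secret in byte 0 and another in the last byte.

```rust
/// Read a cycle counter. On x86-64 this is RDTSC after an LFENCE.
#[cfg(target_arch = "x86_64")]
pub fn cycles() -> u64 {
    use core::arch::x86_64::{_mm_lfence, _rdtsc};
    // SAFETY: both intrinsics have no memory-safety preconditions; SSE2 is
    // part of the x86-64 baseline, so _mm_lfence is always available.
    unsafe {
        _mm_lfence();
        _rdtsc()
    }
}

/// Fallback for other architectures: wall-clock nanoseconds (coarse, but the
/// statistics below work the same way).
#[cfg(not(target_arch = "x86_64"))]
pub fn cycles() -> u64 {
    use std::time::{SystemTime, UNIX_EPOCH};
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_nanos() as u64)
        .unwrap_or(0)
}

/// Deliberately leaky comparison: returns at the first mismatching byte, so
/// its running time depends on where the inputs differ.
pub fn early_exit_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    for i in 0..a.len() {
        if a[i] != b[i] {
            return false;
        }
    }
    true
}

/// Call `f` `n` times and return one cycle-count sample per call.
pub fn sample_cycles<F: FnMut() -> bool>(mut f: F, n: usize) -> Vec<u64> {
    let mut samples = Vec::with_capacity(n);
    let mut sink = false;
    for _ in 0..n {
        let t0 = cycles();
        sink ^= f();
        let t1 = cycles();
        samples.push(t1.wrapping_sub(t0));
    }
    // Volatile read so the optimizer cannot decide the calls to `f` are dead.
    // SAFETY: `sink` is a live, initialised local.
    unsafe { std::ptr::read_volatile(&sink) };
    samples
}

/// Value at fraction `p` (0.0..=1.0) of a sorted, non-empty slice.
fn percentile(sorted: &[u64], p: f64) -> u64 {
    let idx = ((sorted.len() - 1) as f64 * p).round() as usize;
    sorted[idx]
}

#[derive(Debug, PartialEq, Eq)]
pub struct BoxTestReport {
    pub box_a: (u64, u64),
    pub box_b: (u64, u64),
    pub distinguishable: bool,
}

/// Box test: take the [low, high] percentile interval of each class's
/// distribution and call the classes distinguishable if the boxes do not
/// overlap. Low percentiles are used because interference (interrupts,
/// cache misses, frequency changes) only ever adds time; the fastest
/// observations are the closest to the true cost of the operation.
pub fn box_test(a: &[u64], b: &[u64], low: f64, high: f64) -> BoxTestReport {
    if a.is_empty() || b.is_empty() {
        return BoxTestReport { box_a: (0, 0), box_b: (0, 0), distinguishable: false };
    }
    let mut sa = a.to_vec();
    sa.sort_unstable();
    let mut sb = b.to_vec();
    sb.sort_unstable();
    let box_a = (percentile(&sa, low), percentile(&sa, high));
    let box_b = (percentile(&sb, low), percentile(&sb, high));
    let overlap = box_a.0 <= box_b.1 && box_b.0 <= box_a.1;
    BoxTestReport { box_a, box_b, distinguishable: !overlap }
}

fn main() {
    // Constructed inputs: a 64-byte "secret" and two guesses that differ from
    // it at the first and at the last byte respectively.
    let secret = [0x42u8; 64];
    let mut differs_first = secret;
    differs_first[0] ^= 1;
    let mut differs_last = secret;
    differs_last[63] ^= 1;
    let n = 200_000;
    let s_first = sample_cycles(|| early_exit_eq(&secret, &differs_first), n);
    let s_last = sample_cycles(|| early_exit_eq(&secret, &differs_last), n);
    let report = box_test(&s_first, &s_last, 0.05, 0.25);
    println!("{:?}", report);
}
```

For a meaningful run, pin the process to one core, stop frequency scaling, and use inputs the compiler cannot see at build time (read them from a file or the command line); with constant arrays in `main`, a release build is free to fold the comparison away. The verdict from one run is a detector, not a proof: a non-overlapping box says the implementation leaks, an overlapping one only says this measurement did not see it.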

  124. Vaporware
    Pull requests accepted!

  125. Final thoughts
    • Rust has immense potential for cryptography but
    we must tread carefully
    • Rust code without any branches isn’t necessarily
    constant time. Beware LLVM!
    • Stick with wrappers to mainstream crypto
    libraries until pure Rust crypto is more mature

  126. Join the Rust crypto
    IRC channel!
    irc.mozilla.org:6697
    #rust-crypto

  127. That’s all folks!

  128. Twitter
    @bascule
    Blog
    tonyarcieri.com
    IRC
    Mozilla: bascule
    Freenode: tarcieri
