
Verified cryptography for Firefox 57 - ttaubert
https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/
======
SwellJoe
Most interesting to me is that it's implemented in a language I'd never heard
of, F* ([https://www.fstar-lang.org/](https://www.fstar-lang.org/)), which is
an ML that compiles to OCaml, F#, or a subset of the language can compile to
C. It's intended for just this sort of work ("verified effectful programming"
is seemingly one of their taglines for the thing).

That's pretty neat. I like seeing exotic languages used in mainstream
projects. It's just fun, ya know? Firefox is also shipping with some Rust code
these days.

~~~
dsacco
F* is somewhat well known in circles of information security, but it's not
widely used in general. It's frequently used for formal verification of
cryptographic protocols. If you look at the papers on the website you'll see a
variety of applications for provable security in crypto.

I wouldn't call it a general purpose language (in the sense that you can
productively use it for just about anything), but to be fair I've only read
papers about/using the language; I've not used it personally. It's a great
leap forward for provable security in general, though.

------
azinman2
As CS was originally born largely from people with math backgrounds, formal
proofs were all the rage for software early on. As time passed and software
became more complex, that requirement effectively dropped off to some academia
and defense/high-risk (aka nuclear controls) projects.

Now amazon is trying to formally verify a lot of AWS with TLA+ and other
techniques. Here Mozilla is trying to verify it’s crypto.

Given the increasing rise of cyber security problems and their consequences,
will formal verifications once again become more standard in software
engineering? At minimum, we’ll need to see more user-friendly variants of TLA+
and other techniques for average developers to be able to use. Probably it
should be taught in normal CS education. Even better would be for some kind of
AI to help take existing code or specs and put it into something that can be
formally proved.

~~~
lower
> Here Mozilla is trying to verify it’s crypto.

If you look at the paper describing this work
<[https://arxiv.org/abs/1703.00053>](https://arxiv.org/abs/1703.00053>),
you'll see that this is an academic effort and 7 of 12 authors are actually at
Microsoft Research. But kudos to Mozilla for bringing all this advanced stuff
to their products.

~~~
lomnakkus
Bad link. Should be:
[https://arxiv.org/abs/1703.00053](https://arxiv.org/abs/1703.00053)

------
ZiiS
Beware of bugs in the above code; I have only proved it correct, not tried it.

    
    
        Donald Knuth

~~~
lomnakkus
While this is a fun aphorism, it's getting less and less applicable these days
since many proof systems (and programming languages that double as such) allow
for code extraction to e.g. ML or C code. Naturally, the usual caveats apply:
You'll want proof that the code extractor is correct. (But then, you'd want
proof that the proof system _itself_ is correct, regardless.)

Nevertheless, the aphorism is part of the reason that I'm (also) sceptical of
using proof systems that _don 't_ allow for code extraction. Assuming you're
actually trying to prove things about programs and just just proving things
for e.g. math.

~~~
roca
You don't need to prove that the proof system is correct. It suffices to
extract a proof of the properties you care about for the particular program
you care about, and then check that that particular proof is correct. This can
generally be done with a very simple proof-checker whose own correctness can
fairly easily be checked by hand.

~~~
lomnakkus
True, but that adds an extra burden for programmers... and if proof systems
are ever going to gain widespread acceptance (that'll be the day!), the
ergonomics of using them need to be improved. (That is, having an extra manual
step is not acceptable.)

------
aorth
> _As an additional bonus, besides being formally verified, the HACL
> Curve25519 implementation is also almost 20% faster on 64 bit platforms than
> the existing NSS implementation_

Bravo! Looking forward to that.

------
tfcata
Sadly, formal verification works only for small amount of code, a few
thousands lines of code when I looked at it a while back. It doesn't stop us
from imagining a fully verified firefox though.

~~~
lower
> a few thousands lines of code when I looked at it a while back.

That's not true anymore. Have a look at CompCert, CakeML or CertiKOS, for
example. Verification still takes a big effort, but it's getting better a lot.

