Hacker News new | comments | show | ask | jobs | submit login
Verified cryptography for Firefox 57 (blog.mozilla.org)
155 points by ttaubert 10 months ago | hide | past | web | favorite | 14 comments

Most interesting to me is that it's implemented in a language I'd never heard of, F* (https://www.fstar-lang.org/), which is an ML that compiles to OCaml, F#, or a subset of the language can compile to C. It's intended for just this sort of work ("verified effectful programming" is seemingly one of their taglines for the thing).

That's pretty neat. I like seeing exotic languages used in mainstream projects. It's just fun, ya know? Firefox is also shipping with some Rust code these days.

F* is somewhat well known in circles of information security, but it's not widely used in general. It's frequently used for formal verification of cryptographic protocols. If you look at the papers on the website you'll see a variety of applications for provable security in crypto.

I wouldn't call it a general purpose language (in the sense that you can productively use it for just about anything), but to be fair I've only read papers about/using the language; I've not used it personally. It's a great leap forward for provable security in general, though.

F* is a great project and under very active development. Basically at every POPL you find papers with genuine improvements and simplifications to the core of F*. I don't know of any other language that's improving this rapidly.

As CS was originally born largely from people with math backgrounds, formal proofs were all the rage for software early on. As time passed and software became more complex, that requirement effectively dropped off to some academia and defense/high-risk (aka nuclear controls) projects.

Now amazon is trying to formally verify a lot of AWS with TLA+ and other techniques. Here Mozilla is trying to verify it’s crypto.

Given the increasing rise of cyber security problems and their consequences, will formal verifications once again become more standard in software engineering? At minimum, we’ll need to see more user-friendly variants of TLA+ and other techniques for average developers to be able to use. Probably it should be taught in normal CS education. Even better would be for some kind of AI to help take existing code or specs and put it into something that can be formally proved.

> Here Mozilla is trying to verify it’s crypto.

If you look at the paper describing this work <https://arxiv.org/abs/1703.00053>, you'll see that this is an academic effort and 7 of 12 authors are actually at Microsoft Research. But kudos to Mozilla for bringing all this advanced stuff to their products.

Bad link. Should be: https://arxiv.org/abs/1703.00053

> At minimum, we’ll need to see more user-friendly variants of TLA+ and other techniques for average developers to be able to use.

TLA+ is quite user-friendly, certainly more than most other formal methods. It takes about two weeks to become fully productive, without any guidance other than the freely available tutorials. It's easier to learn than most programming languages.

> Probably it should be taught in normal CS education.

I agree.

Beware of bugs in the above code; I have only proved it correct, not tried it.

    Donald Knuth

While this is a fun aphorism, it's getting less and less applicable these days since many proof systems (and programming languages that double as such) allow for code extraction to e.g. ML or C code. Naturally, the usual caveats apply: You'll want proof that the code extractor is correct. (But then, you'd want proof that the proof system itself is correct, regardless.)

Nevertheless, the aphorism is part of the reason that I'm (also) sceptical of using proof systems that don't allow for code extraction. Assuming you're actually trying to prove things about programs and just just proving things for e.g. math.

You don't need to prove that the proof system is correct. It suffices to extract a proof of the properties you care about for the particular program you care about, and then check that that particular proof is correct. This can generally be done with a very simple proof-checker whose own correctness can fairly easily be checked by hand.

True, but that adds an extra burden for programmers... and if proof systems are ever going to gain widespread acceptance (that'll be the day!), the ergonomics of using them need to be improved. (That is, having an extra manual step is not acceptable.)

> As an additional bonus, besides being formally verified, the HACL Curve25519 implementation is also almost 20% faster on 64 bit platforms than the existing NSS implementation

Bravo! Looking forward to that.

Sadly, formal verification works only for small amount of code, a few thousands lines of code when I looked at it a while back. It doesn't stop us from imagining a fully verified firefox though.

> a few thousands lines of code when I looked at it a while back.

That's not true anymore. Have a look at CompCert, CakeML or CertiKOS, for example. Verification still takes a big effort, but it's getting better a lot.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact