Hacker News new | past | comments | ask | show | jobs | submit login
Introducing Transport Layer Security in pure OCaml (openmirage.org)
106 points by tizoc on July 8, 2014 | hide | past | favorite | 43 comments

It looks like they have some odd cipher suite selection mechanic.

https://tls.openmirage.org negotiates TLS_RSA_WITH_RC4_128_SHA which is the second worse suite that Chrome 35 will offer by default. If I renegotiate, the server will suggets TLS_RSA_WITH_AES_256_CBC_SHA, so it looks like the server wants to change the cipher later, which seems odd.

This means it doesn't support PFS or several other advantages in the newer protocols.

I'd be very interested to know about side channel attacks which may be possible in OCaml, as opposed to in another languages - there doesn't seem to be any discussion of them here.

They also refer to the Apple Goto fail bug as a memory safety issue - that's not true, it was a programming flaw that could be made in a GCed language.

Finally, if I look at the issue tracker I see things like https://github.com/mirleft/ocaml-tls/issues/6 - closed, with no explanation and marked as a security concern - which gives me no confidence that the issue was addressed.

Well done on noticing the slightly random cipher negotiation. That was actually deliberately put into the demo server on tls.openmirage.org to help us get more test coverage from visitors to the site (see the https://github.com/mirleft/ocaml-tls/tree/demo-random branch). We've mitigated most of the commonly known client incompatibilities, but there are no doubt obscure cipher-specific mitigations remaining, and the only way to uncover those is by forcing their negotiation ahead of better ciphers.

We've looked into timing side channels attacks quite a bit, but decided to focus on the core protocol support before tackling the big issue of data-dependent control flow attacks See https://github.com/mirleft/ocaml-tls/pull/49 for discussion on the Lucky 13 mitigation that isn't merged in for example.

Editing the goto-fail reference to reflect that it's not purely memory safety (but of course we believe that more structured programming abstractions will help mitigate this class of errors). I've asked Hannes about the #6 issue as well, as that shouldn't have been closed with no explanation -- do feel free to post queries on such issues yourself as polling HN threads for feedback isn't reliable.


(Disclaimer: one of the authors)

We randomize the connection parameters on each connect to help us gauge the stack's behavior with various combinations (see https://github.com/mirleft/ocaml-tls/issues/159 ). Normally it uses first available from the list here: https://github.com/mirleft/ocaml-tls/blob/master/lib/config.....

(For some reason the RSA variant got on top; it should have been DHE_RSA, which does provide PFS.)

Side channel attacks were a very big concern, and I invite you to read the entire series of articles we plan on publishing in the next few days, where we try to lay down our strategy and explain what we know and what we don't. Or even skim through the handshake code and check some of the comments there.

We were already warned that CVE-2014-1266 CVE-2014-0224 are not memory safety issues. The article is badly worded there. What was meant is that they are, at least in our pretty firm opinion, issues with C (something we will elaborate in more detail in further articles, but in essence, you get regular control-flow in a functional language and you can encode state machines in a far more explicit manner). Working to update the post and clarify this.

As for the issue #6, yes, its closing was not documented too well. This does not mean we didn't expend significant effort to actually address the points there :) .

Thank you for the input and please have patience with us. We still have (at least) four more articles to publish!

> What was meant is that they are, at least in our pretty firm opinion, issues with C

I am very interested in the idea that ML can maintain security correctness under source line duplication.

It should be pretty easy to check for this condition too: for every line in every file, duplicate it. Discard instances where this causes invalid syntax; this will be most of them. Now either by running a test suite or inspection, see what the effect was on the program semantics.

Sounds like a nice exercise, I'll try it.

But since by and large the lines we have are expression and not statements (the core handler is purely functional, using a monad to thread errors through), this amounts to type errors immediately.

The blogpost does mention that implementing more cipher suites is a work in progress.

Edit: the server uses a random protocol version for testing purposes, so that might explain the odd renegotiations that you observed: https://github.com/mirleft/ocaml-tls/issues/159

The work on Mirage is very interesting. If I understand it correctly, it may be possible to run a Xen domain with a Linux application server, and with a TLS reverse proxy in front using another Xen domain (in the form of a unikernel).

This would be fantastic and does not change a lot how you run your application, except that you get hardened crypto for free.

That's assuming that ocaml-tls has no "high level" bugs (not memory corruption related) of course, but I'm quite sure that it is way easier to review than existing TLS implementations.

One thing that concerns me is the entropy source in Xen guest domains, but hopefully that'll be worked out for the final version.

We're putting together a front/backend ring (rndfront/rndback) that will proxy entropy from dom0 directly into the guest. It'll take some time for this to percolate into the public cloud, so we'll need to do what Linux does in the meanwhile (harvest entropy from interrupt timings, attempt RDRAND, and so on).

The ENTROPY module type supports this sort of callback in 1.2.0: https://github.com/mirage/mirage/blob/master/types/V1.mli#L7...

(If you're interested in contributing, the entropy harvesting is in sore need of more eyes and help!)

/me grumbles about virtio-rng and reinventing ABIs ...

Dave Scott's added support for a low-bandwidth channel into XL with the intention of reusing virtio-rng (and virtio-serial and friends). http://lists.xen.org/archives/html/xen-devel/2014-06/msg0293...

On the other hand, I disagree that we're reinventing an ABI given that:

1) virtio isn't the supported PV interface in Xen -- rndfront/back follows the same design principles as net/blk/fb/usb/pci/console etc.

2) The Xen shared-ring interface is older than virtio, and much simpler for pure PV guests such as Mirage (no PCI emulation to worry about). I do wonder what happened to that GSoC project from a few years to add virtio support to Xen though...I don't think any patches ever appeared.

s/added/currently trying to add/ :-)

For HVM guests I hope that virtio-rng would work as-is (if it could be turned on via the control path). That's definitely worth a look.

For PV guests like Mirage I'm currently plumbing through a Xen PV analogue of virtio-serial by hijacking^Wextending the existing PV console support. Since the backend for that is in qemu already it might be possible to hook up the entropy source (with all the rate limiting etc). I think the trick would be to get the guest to recognise the frontend for what it is -- I imagine the virtio-rng device in the guest presents itself as a magic hardware PCI device and 'just works'.

It concerns us too. Right now the entropy in Xen domains is weak, but we are working with the rest of the team to feed some actual environmental noise to keep Fortuna well-fed.

You can also run the library on Unix, of course, and there the RNG is periodically seeded from /dev/urandom.

Are we finally approaching consensus in the field of systems programming that security is more important than performance (thanks to heartbleed)?

Or put differently: have we reached the point where computers are fast enough so that we can move on and sacrifice some of those abundant MIPS and extra RAM for much improved clarity in our critical infrastructure code?

OCaml could actually be a great choice for maintaining a solid TLS layer.

I hope so.

We already had safer systems programming languages around the time UNIX spread outside AT&T.

There is a quote from Hoare how engineers asked him to not allow to disable bounds checking in Algol, for example[0].

Also the rise in security exploits has helped Ada/SPARK to move outside their original niche into areas where human lifes are at risk, like medical equipments and train control systems. At least from the FOSDEM talks.

I am looking forward to the days when we can recover the systems programming security C took away.

[0] later compiler versions allowed it.

For the sake of moving things forward: every time we have this discussion, someone always points out that functional languages would make it easier to get correct behaviour from a crypto library, and someone always replies that garbage collection opens you up to side-channel (timing, in this case) attacks.

Interesting, I didn't know that. I always wondered why (non "functional") Ada doesn't get mentioned more often in these kinds of discussions:



And it's "cousin" SPARK, which adds proof capabilities: http://git.codelabs.ch/?p=spark-crypto.git

Last time it was brought up, there appeared to be some lingering confusion and issues with how the compiler and runtime was and is licensed.

The latest version of Ada is available for a (large) fee from Adacore and for free under the GPL. There is also a version published as part of gcc, that trails the upstream version a little in terms of features -- but like the rest of gcc, the relevant parts are under LGPL, so not all binaries distributed to third parties need be distributed under the GPL, but can be under any licence one choose[1] -- without the need for a commercial licence from Adacore.

It would appear the lack of an up-to-date, gratis, version of Ada was a real problem for adoption at some point -- and the impression of Ada being difficult to get access to outside of large contractors put a damper on its popularity (justified or not).

[1] The "problem" with a compiler under GPL is that most compilers will have some kind of library code or language runtime that needs to be distributed with resulting binaries, thus forcing all projects to adopt GPL, rather than just the projects that build directly on the compiler.

More than price, what really hindered Ada was lack of adoption by popular OS vendors and hardware requirements for the early compilers.

Back in the day everyone was paying for compilers, the prices were the normal ones for the target audience.

Rational Software first product was an advanced Ada Machine, providing an early 80's InteliJ experience. Which followed the same fate as all special purpose computers.

UNIX, mainframe and other enterprise OS vendors that eventually provided an Ada compiler, treated it as second class citizen in regard to their main systems programming language.

Home computers lacked the required hardware to implement a proprer Ada compiler.

A systems programming language really needs to be "the language" an OS vendor SDK requires, otherwise it becomes just another application language that can also go low level.

Besides Ada Core, there are a few embedded and real time OS vendors providing Ada compilers.

> Home computers lacked the required hardware to implement a proprer Ada compiler.

Could you elaborate? Are you thinking 80s home computers like the Amiga 1000, or more classical PCs?

Both, from the Spectrum days up to the time we could get them to run on 32 bits.

On those days I and many older than me were still writing business applications in Assembly. Compilers for higher level languages were constrained in what they could achieve in the amount of memory that was available.

And Ada did required lots of it. Funny enough I would bet modern Ada compilers are less resource intensive than C++ ones.

I know nothing about crypto, but I know a bit about languages. I don't really get this.

Say you're coding in a language with no garbage collection like C. If your code is not "symmetric" (more below), you still have timing attacks due to cache usage patterns, correct? After all, C hasn't been a very good model of any CPU designed since 1985.

Coming from the outside, I would think the way to tackle this would be to simple ensure your code is "symmetric"; that every legal code path through an algorithm perform the same operations, regardless of what data it is presented with, even if this means operating on fake data. That way the timing of any operation is always identical (barring uncorrelated noise).

It seems to me that this technique would apply equally to languages with and without garbage collection. Why is this not so?

Interesting. Maybe an area where linear types can shine?

Rust is probably the most trendy language offering linear types at the moment, although I'd say it much closer to being "a safer C" than "a linear OCaml", so it wouldn't really make things more functional (although it would be safer!).

ATS is descended from DependentML, but for some reason most ATS code I've seen is written in a "safer C" style too. Maybe that's just pragmatism, since ATS has very few native libraries, so it's usually easier to call out to C.

Linear Lisp might be a nice choice, but its dynamic typing may be a problem for security-critical code.

Fun bit of trivia: Rust was originally implemented _in_ OCaml, and takes a lot of cues from it.

I saw a bit of OCaml code in Rust code-base recently, can you say what it's used for? I know that Rust is self-hosting now, but I swear I saw some .ml files there...

  ~/rust $ find -name '*.ml' | wc -l
  ~/rust $ find -name '*.ml' | grep -v ./src/llvm | wc -l
i.e. there are some OCaml files in a Rust checkout, but they're all part of LLVM, mostly part of the "OCaml Kaleidoscope": http://llvm.org/docs/tutorial/OCamlLangImpl1.html

Isn't even C pretty vulnerable to timing attacks? (I'm thinking primarily through things like L1/L2 cache effects, etc.)

The actual crypto primitives are still implemented in C, do those timing attack apply to the high-level part implemented in OCaml too?

That is exactly the question we have. And yes, the primitives are in C largely due to timing concerns.

> OCaml could actually be a great choice for maintaining a solid TLS layer.

Maybe; it uses GC and it's difficult to embed. I would much prefer something that compiles without a runtime (or with a minimal one for resource allocation).

The OCaml runtime is very easy to embed, as runtimes go. We've got it compiling in Mirage as a standalone kernel, as a FreeBSD kernel module, and others have had it running on 8-bit PIC microcontrollers: http://www.algo-prog.info/ocaml_for_pic/web/index.php?id=oca...

A fun project that I discussed with the Rust devs at last year's OSCON would be to rewrite the OCaml GC in Rust. Get in touch with me if you're interested and want some guidance on how to go about this.

Consider me interested.

Looking at the development history it would appear that this project started in Feb 2014: https://github.com/mirleft/ocaml-tls/commit/10b53cd1ebde0360... . Writing an (almost complete) TLS 1.2 stack in such a short amount of time is amazing! (compared to how long it took for NSS to gain TLS 1.2).

Looking forward to the next blogpost in this series.

Security is too damn important to use languages that are insecure by default and that require rigorous discipline and extensive auditing, such as C and C++. The world needs to move its entire crypto and networking layer to functional languages focusing on immutability, thereby immensely reducing the surface of attack.

Secure implementations require more than formal, logical correctness. They must also not leak information to adversaries--i.e. the must be free of side-channels. Unfortunately, ensuring this usually requires the developers to be aware of the low-level behavior of the underlying architecture, which is difficult in functional languages since unlike C, they abstract away behaviors of the underlying hardware that can leak information.

I suppose you could extend the functional language's type system to tag data as e.g. needing to be compared to other data in constant time, or needing to be accessed in a particular way to avoid cache-timing attacks, and so on, but this just off-loads the problem to the compiler (i.e. the problem must still be addressed, and not in a high-level functional language). But if you're going to go that far, you might as well put the requisite safe code primitives into a shared library, so if you find bugs in them later (or discover new side-channels you didn't think about earlier), you can update the library without having to re-compile and re-deploy everything affected by it.

Just an additional note that this is the first in a series of posts about the OCaml TLS stack. More are coming in the next few days [1].

[1] https://github.com/mirage/mirage/issues/257

On one side I see the flaws in the existing openssl and other C-based libraries and when written languages such as OCaml or Haskell those just would not happen.

On the other hand those existing libraries work. Which can not be said of the new ones. At least the Haskell TLS library has logic flaws in it that I'm wondering why it works at all. And a lot of Haskell projects use the native tls package instead of the openssl bindings. It is not fun at all having to spend two days to debug something that just works in literally every mainstream language. I hope ocaml-tls doesn't make the same mistake.

The Conduit I/O library that we're building in Mirage/OCaml allows the application to select which SSL transport layer implementation that it's linking with. Both Lwt_ssl (which binds to OpenSSL) and OCaml-TLS will be supported when it's released for exactly this reason. There's a blog post due about this next week.

As to your other complaint that OpenSSL "just works", note that numerous issues have been swept under the rug over the years (see the LibreSSL CVS logs for more pointers). I'd suggest reading this paper about the most dangerous code in the world for more background: http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-b...

So when you're using the Haskell library and running into bugs, think of the time you're spending bugfixing and filing patches as a little social tax that contributes to fixing an important technical issue that threatens the stability of the Internet if it's not comprehensively addressed.

There's also miTLS http://www.mitls.org/wsgi/home - a verified reference implementation of TLS written in F#

it would probably be a good idea to make some mention of 1/n-1 record splitting, lest confusion arise regarding the apparent "new line" between G and ET in the HTTP requests

Any benchmarks? I am very interested in this, it looks really cool!

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact