►
From YouTube: hacspec: succinct, executable, verifiable specifications for high-assurance cryptography
Description
Denis Merigoux, Franziskus Kiefer and Karthikeyan Bhargavan
A
Yes,
so
so
today,
I'm
going
to
talk
to
you
to
conclude
this
workshop,
I'm
going
to
take
the
kind
of
opposite
approach,
then
smack
so
you'll
be
able
to
compare
the
advantages
and
drawbacks,
because
I'm
going
to
talk
to
you
about
hackspec,
which
is
a
since
it's
executable,
very
verifiable
specification
language
for
high
assurance,
cryptography
and
rust.
A
A
This
is
joint
work
with
my
phd
advisor
kartike
embargo
van
and
franciscus
kiefer
from
wire,
the
messaging
app
company
and
I'll
begin
this
presentation
by
the
story
of
how
we
came
to
design
hack,
spec,
which
is
kind
of
a
tale
of
two
worlds,
because
it's
going
to
be
the
world
of
thrust
on
one
side,
underwater
cryptography
on
another
side
and
we'll
start
by
the
observation
that
rust
is
memory
safe
well
with
all
the
asterisks
within
safe
code,
etc,
and
that's
prompted
cryptographers
to
select
it
as
a
language
of
choice
to
write
higher
assurance
cryptography
because
most
of
the
bugs
related
to
cryptography
and
security
are
related
to
memory
safety.
A
So
choosing
grass,
as
you
all
know,
is
a
way
to
circumvent
that.
Hence
there
is
a
new
shiny,
rust
band
for
photography.
Libraries
with
names
such
as
transcriptor
bella,
cryptography
ring
raspy
for
post
quantum
cryptography,
but
also
whole
protocols
written
in
rest,
such
as
rastialis,
and
this
new
band
has
kind
of
distance
from
the
old
verified.
Gourd
of
cryptography
verified,
cryptography
libraries
with
projects
such
as
evercrypt
apple,
star
veil,
which
are
all
like,
bundled
in
the
same
thing,
but
also
fiat
crypto
from
the
mit
or
jasmine
crypt
from
the
equipment,
technique
and
other
institutions.
A
A
It
poses
no
problem,
but
we
want
to
go
a
little
bit
further
than
that,
because
we
want
actually
to
verify
a
crypto
implementation
rust,
because
not
only
you
need
crypto
primitives,
but
you
want
to
build
on
those
primitives
to
build
constructs
and
then
protocols
and
larger
and
larger
high
assurance
applications.
A
And,
as
you
have
been
able
to
see
in
this
workshop,
the
verification
tools
are
still
maturing.
Hopefully,
one
day
they
will
handle
the
full
functional
correctness,
proof
for
crypto
libraries
with
like
10
000
or
100
000
lines
of
code,
but
they
still
still
not
there.
So
we
have
to
find
something
in
the
meantime
and
our
approach
is
rather
focused
on
crypto
and
we
do
not
aim
to
become
like
a
general
purpose.
A
Verification
tool
for
us,
but
we
found
that
there's
an
achilles
heel
in
verified
implementations
and
this
achilles
heel
is
the
specific,
are
the
specifications.
A
Indeed,
the
verified
implementations
usually
prove
functional
correctness,
but
functional
correctness
has
to
be
proven
with
respect
to
something
and
this
something
is
a
specification
that
has
to
be
written
in
the
specific
specification
language
of
the
proof
assistant
and
usually
it's
written
by
students
and
the
source
for
the
from
the
specifications
are
like
some
pseudo
code,
written
in
some
rfc
or
some
informal
description
of
on
of
how
the
the
contemporary
should
work,
and
this
is
of
course,
informal
specs
lead
to
specification
bugs
which
render
completely
useless
all
attempts
to
verify
implementations.
A
But
it
had
little
traction,
maybe
because
of
python
we
don't
know,
but
we're
coming
again
to
an
attempt
at
having
formal
executable
specifications
as
cryptographers
can
write
in
order
to
fix
that
achilles
heel
of
verified
implementations,
and
the
idea
is
that,
since
cryptographic
code
is
dsl
friendly,
it
doesn't
exercise
like
all
the
corner
cases
of
divine
behavior
and
other
cryptic
language
features.
A
A
Of
course
those
won't
be
performance
oriented,
but
so
we
also
want
for
them
to
be
easily
to
have
the
possibility
to
easily
switch
to
a
native
rust,
like
hanse-fevi,
optimize
implementation
and
for
proof
people.
Well.
This
language
is
aimed
at
providing
the
proof
of
people
with
a
steady
source
of
correct
reviewed
by
domain
experts.
Specifications
that
they
they
can
they
take
to
as
a
basis
for
their
functional
correctness.
Proofs,
therefore
reducing
the
trusted
computing
base
for
proof
development.
A
A
Indeed,
since
we
wanted
this
dsl
to
have
simple
semantics,
which
mean
that
we
had
to
take
radical
decisions
in
order
to
cut
whole
branches
of
complex
rusty
medicines,
which
we
didn't
want
to
talk
about,
and
the
actual
trade-off
that
we
had
while
designing
this
language
is
on
the.
On
the
one
hand,
that
cryptographers
should
be
able
to
write
beautiful,
specs
like
succinct
and
that
don't
look
ugly
and
on
the
other
hand,
we
don't
want
to
too
much
features
in
language
in
order
to
avoid
the
semantics
creep,
which
will
lead
to
very
complex
formalizations.
A
And
I
know
some
people
in
the
audience
have
yet
dealt
with
all
that.
Those
semantics
complications
in
rust
and
we
didn't
want
to
go
through
that.
We
leave
that
to
experts
and
for
more
complicated
functions
like
this
main
poly
loop.
You
can
see
that
it's
all
about
like
for
calling
functions
with
some
kind
of
sequences,
so
we
have
like
slicing.
A
We
have
four
loops
that
are
indexed
by
integers
and
it's
generally
a
feeling
of
us.
We
have
also
mutable
variables,
which
are
then
translated
to
some
kind
of
state
monad
with
that
keep
like
the
variables
as
the
state
of
the
variable
as
the
the
states,
and
you
can
see
that
we
a
little
bit
of
boring
but
in
various
very
very
particular
places
it's
only
at
the
top
level
in
only
in
function.
A
A
We
have
two
kind
of
fixed
length
array,
one
which
is
like
whose
length
is
known
at
compile
time
and
the
other,
whose
name
is
not
known,
compile
time.
This
distinction
is
useful
because,
with
the
first
kind,
you
can
implement
the
copy
type,
which
is
very
useful
to
have
specs
look
nice
to
not
insert
blue
and
everywhere.
A
Concerning
statements,
we
have
fairly
limited.
It's
only
led
bindings
conditional
for
loops
and
also
array
updates
scenario,
indexing
and,
concerning
the
expression,
were
fairly
straightforward.
We
have
tuples,
we
currently
don't
have
structs
in
inner,
so
we're
planning
to
add
them
in
the
future,
and
we
have
also
array
indexing
and
all
of
the
usual
operator
on
the
integers.
A
We
provide
this
language
with
a
simple
call
by
value
symbolics
with
context
such
as
the
variables
the
local
variables
of
a
function,
so
values
are
like
usual
values,
plus
arrays
and
doubles,
and
the
shape
of
our
judgments
is
really
simple.
We
just
have
this
variable
context
and
the
expression
or
function
argument
or
statement
divides
to
a
certain
value
while
changing
the
variable
context.
A
All
the
rules
for
semantics
are
presented
in
the
paper.
I
you
should
go
and
read
the
technical
reports.
If
you
want
to
get
more
precision
about
that,
we
also
provide
a
typing
judgment
that
is
meant
to
respect
rust,
specificities
with
linear
typing.
So
we
have
a
typing
context
containing
both
tuple
functions
and
variables.
A
We
have
a
type
dictionary
to
provide
the
indirection
and
the
nominal
nature
of
rust,
struct
typing,
and
we
have
a
linear
context
splitting
to
implement
the
linear
nature
of
frost
type
system
which,
with
an
escape
hatch,
which
is
the
implementation
of
the
carby
traits,
we
don't
implement
traits,
we
don't
formalize
traits
in
our
language.
We
take
it
as
some
types
to
implement
them
and
some
of
them
don't
it's
part
of
the
context
and
we
have
a
simple
typing
judgments.
A
The
rules
are
a
little
bit
tricky
because
we
have
to
kind
of
manual
to
provide
manual
cases
for
each
times
where
you're
allowed
to
borrow.
But
since
we
keep
borrowing
to
a
very
reduced
number
of
places,
the
rules
are
manageable
and
you
can
see
the
full
formulation
in
paper.
A
So
then,
because
we
want
to
offer
convenient
tooling
to
cryptographers,
we
had
to
implement
a
type
checker
and
basically
compiler
for
this
embedded
dsl
and
of
course
we
do
that
as
a
plug-in
to
the
ras
compiler.
But
then
and
we
we
took
an
unusual
choice
with
respect
to
the
other
tools
presented
in
workshop,
because
we
wanted
our
representation
to
be
very,
very
close
to
the
source
code
and,
as
you
guys
can,
as
you
know,
mir
is
very
distributed
and
is
in
basic
blocks
form.
And
so
I
know
they're
working
around
around.
A
You
can
work
around
that
by
like
restructuring
the
control
flow,
but
we
really
wanted
to
have
something:
that's
very
close
to
the
source
code,
because
because
we
want
to
translate
to
other
verification
tools,
we
want
the
specs
translated
to
look
almost
as
the
same
as
the
original
source
code,
hence
at
the
expense
of
having
to
reimplement
some
of
the
of
the
things
that
are
done
between
asc
and
mir
like
traits
and
method
resolution
or
the
borrower
checking
which
you
have
to
read
on
by
hand
which
shows
the
ast
as
our
source
intermediate
representation
within
the
the
hackspace
compiler.
A
And
so
let
me
show
you
a
little
architecture,
diagram
of
the
spectacular,
so
it's
in
implemented
as
a.
Why
not
use
hir.
This
is
a
good
good
question,
because
hrr
has
a
little
bit
of
syntactic
sugar
and
we
didn't
want
to
deal
with
that,
especially
with
respect
to
four
loops.
It
disregards
the
for
loop
into
a
while
loop,
I
think,
and
it
was
not
convenient
for
our
users,
so
we
took
asd
also
because
it
allows
us
to
control
more
easily
with
respect
to
what
we
get
in
the
source
group.
A
We
translate
it
into
a
hackspace
ksc
by
re
and
in
the
process
rejecting
all
the
programs
that
are
outside
the
bounds
of
the
dsl,
and
then
we
perform
the
hotspot
type
checking
and
we
can
also.
We
also
have
support
for
external
crates,
meaning
that
you
can
have.
You
can
split
your
programs
in
several
crates
and
we
integrated
compiler
architecture
that
lets
you
split
your
hack,
spec
programs
into
several
crates,
which
is
something
that
is
quite
painful
in
terms
of
engineering
but
which
we
thought
was
crucial.
A
A
For
the
moment,
although
we're
working
on
some
more
ambitious
programs,
such
as
our
implementation
of
the
tls
one
free
client,
which
is
about
like
a
1,
000
1
hundred
lines
of
code,
so
we
put
the
hackle
star
column
as
a
comparison
to
show
you
that
the
specs
that
we
write
in
hack
spec
are
very
succinct
and
as
or
more
succinct
as
the
specs
that
are
traditionally
used
inside
the
proof,
assistance
to
serve
as
the
basis
of
functional
correctness.
A
And
this
was
very
important
because
we
want
to
the
specs
to
be
succinct
and
as
small
as
possible
because
they're
the
trusted
computed
base.
So
we
want
to
then
to
minimize
that-
and
here
is
what
the
the
outputs
in
a
verification,
backend
look
looks
like,
and
you
can
see
that
the
charge
align
function
which
I
was
showing
to
you
earlier.
A
Here
we
put
a
little
bit
of
a
type
refinement
that
we
have
to
put
manually
in
order
for
it
to
type
check
in
future
work
we
want
to
use
some
of
the
specification
require
a
sensory
language
that
has
been
developed
by
somebody
else
to
be
able
to
generate
those
kind
of
type
refinements
automatically
from
the
source
code,
and
the
array
updates
are
just
simply
distributed
into
functional
updates
to
the
same
variable,
and
we
have
a
little
bit
of
name
resolution
passed
to
ensure
that
everything
is
running
smoothly.
A
But
the
output
of
our
tool
chain
is
relatively
similar
to
the
original
code,
and
we
want
that
because
then
proof
people
are
going
to
look
at
that
code
to
prove
functional
correctness
against
implementation.
So
we
were
seeing
sickness
and
pleasantness
to
read
is
definitely
something
that
we
look
for.
A
On
top
of
the
language,
we
have
several
libraries
that
provide
convenient
functions
that
cryptographers
always
use
in
the
recommendations.
We
have
a
great
for
secret
integers
that
are
just
wrappers
around
sine
and
unsigned
integers,
but
that
forbids
all
non-constant
time
operations.
You
can
also
use
that
crates
separately
from
the
hexpec
language.
Actually,
we
have
a
crate
for
abstract
integers
that
are
a
verification
freely
bound
in
natural
integers
and
because
they're
bounded,
we
can
fit
them
inside
an
array,
a
few
eighths
that
implements
the
copy
traits.
A
A
We
use
little
schemes
like
that
to
really
improve
the
successful
specs,
it's
adapted
for
a
field
arithmetic
based
specification,
which
is
a
big
thing
in
crypto
and
lastly,
we
have
the
main
the
standard
library
of
hackspec
which
you
are
required
to
import
whenever
you
want
to
e
to
use
the
hackspec
dsl,
because
some
of
the
the
objects
in
that
library
are
have
a
hardcoded
translation
to
some
of
the
libraries
in
the
verification
backend,
which
is
so
the
hackspec
library,
is
also
part
of
the
trespass
trusted
computing
base.
A
In
some
sense,
we
have
a
copyable,
constant
left
array
with
array,
the
rare
macro,
linear,
fixed
length,
variable
sex
sec
and
we
have
traits
and
helper
for
the
specification
writers
those
are
integrated
with
the
type
checker
with
a
weightless
system.
A
In
conclusion,
this
is
an
ongoing
research
collaboration
between
full
methods.
People
mostly
represented
by
inria,
with
my
phd
advisor
kartik
and
me,
but
also
with
many
cryptographers,
the
first
of
whom
being
a
franciscan
foreign,
but
we
also
are
talking
with
various
professors
that
are
leading
verified,
crypto
implementations,
research
teams
all
over
the
world.
A
So
there's
a
website
whose
link
is
on
the
screen.
The
code
is,
of
course,
available
online,
both
the
code
for
the
hackspec
programs
written
so
far,
and
the
code
of
the
compiler
in
type
checker,
and
there
is
a
technical
report,
so
you
can
refer
to
if
you
want
more
details
on
the
formalization
and
on
any
of
this.
B
Thanks
for
that
talk
dennis
we
do
have
time
for
a
few
questions.
So
yannick
has
a
question.
Do
you
just
want
to
ask
a
question.
A
Yes,
yes
thanks
yannick,
so
crypto
is
it's
kind
of
the
same
family
of
languages.
I
don't
have
a
precise
comparison
of
what
of
in
terms
of
what
features
are
missing
in
hack
spec
and
what
feature
are
in
a
in
crypto.
So,
yes
for
the
recording.
The
question
is:
how
do
you
compare
hacks
back
with
crypto?
Do
you
gain
in
exclusivity,
for
instance,
compared
to
fixed
styles
of
data
in
crypto,
so
my
understanding
is
that
crypto
is
heavily
screwed
toward
spitting
out
assembly.
Isn't
it.
C
A
Yes,
which
is
why
you
have
fixed
size
of
data,
so
high
spec
is
a
little
bit
expressive
because
it's
it's
mostly
aimed
at
spitting
out
or
camel,
let's
say
ml,
so
and
and
then
it's
it's
used
to
verify,
implementations
that
are
in
c.
So
there's
a
little
bit
more
flexibility
in
terms
of
exclusivity,
so,
for
instance,
our
sec.
You
can
pass
an
arbitrary
sized
buffer
as
input
your
encryption
encryption
function,
for
instance,.
C
I
could
say
a
little
bit
more
about
the
comparison
with
with
kryptol,
if
folks
would
be
interested
in
that.
So
I
think
the
biggest
difference
between
them
is
just
the
structure.
The
kryptol
is
a
a
purely
functional
language
and
uses
sort
of
functional
idioms
for
describing
programs,
whereas
a
hackspec,
you
know,
even
though
it
is
copying
things
around
uses,
a
you
know,
uses
rest
and
is
is
kind
of
more
imperatively,
structured
and
probably
more
familiar
to
to
a
lot
of
programmers.
C
But
it
does
mean
that
you
are
kind
of
constricted
when
you're
writing
a
program
to
be
sure
that
all
of
your
functions
correctly
preserve
the
sizes
that
are
described
in
the
types.
So
a
big
part
of
it
is
that
it's
got
a
type
system
that
that
tracks
the
size
of
everything,
and
so
it
is
fixed
for
any
particular
run
of
the
program,
but
not
necessarily
for
the
definition
of
a
particular
function.
A
Well:
okay,
thanks
for
the
precision,
so
ralph
asks.
What's
in
what
the
next
step
is:
wiring
up
some
automatic
river
for
roscoe,
with
xp
as
a
spec
language.
Well,
it's
it's
one
of
the
next
steps
involved.
So
I
I
started
this
project
with
the
goal
of
doing
some
razerification
in
the
in
the
spirit
of
pristi
or
cruzo
or
other
projects,
and
then
I
I
got
sidetracked
mainly
because
doing
grass
repetition
is
really
difficult
and
the
goal
of
this
project,
which
is
prosecco's
goal,
is
tracked
to
link
up
cryptography
and
formal
methods.
A
So
I
ended
up
with
a
different
direction,
but
I
would
say
that
since
high
spec
has
a
special
as
a
formalization-
and
we
know
precisely
what
are
the
balance
of
the
language,
then
I
think
you
can
take
those
expect
programs
and
wire
them
up,
as
you
say,
with
other
existing
improvers,
maybe
maybe
a
pristine,
maybe
crossover,
maybe
even
translate
to
rust
belt
for
verification
for
two
servers
as
a
basis
for
let's
say
a
fiat
crypto
specification.
A
I
think
the
the
doors
are
open
at
that
stage,
but
I
think
it's
still
future
work.
There's
a
question
from
yusuke:
do
you
have
a
plan
about
supporting
mutable
references?
I
believe
that
I
believe
that
you
can
use
rust
horns
reduction
for
that.
A
A
So
right
now,
I'm
mostly
adding
a
few
features
to
the
hex
back
language,
which
are
a
little
bit
disruptive,
but
not
too
much
one
is
the
ability
to
have
early
return
in
your
functions,
because
when
you
write
protocols,
you
always
put
question
marks
at
the
end
of
your
statements
and
we
don't
want
cryptographers
to
relinquish
that's
really
good
styling
with
some
like.
A
If
then
else,
and
so
we
we
want
that-
and
we
want
to
support
like
strikes
and
enums,
because
when
you
write
some
meaningful
programs,
these
are
really
important
but
yeah.
I
think
it's
it's
possible
and
I
think
it's
the
path.
I
would
choose
to
extend
that
the
hex
back
spirit
to
video
referencing.