Cryptology ePrint Archive: Report 2019/542

Formally Verified Cryptographic Web Applications in WebAssembly

Jonathan Protzenko and Benjamin Beurdouche and Denis Merigoux and Karthikeyan Bhargavan

Abstract: After suffering decades of high-profile attacks, the need for formal verification of security-critical software has never been clearer. Verification-oriented programming languages like F* are now being used to build high-assurance cryptographic libraries and implementations of standard protocols like TLS. In this paper, we seek to apply these verification techniques to modern Web applications, like WhatsApp, that embed sophisticated custom cryptographic components. The problem is that these components are often implemented in JavaScript, a language that is both hostile to cryptographic code and hard to reason about. So we instead target WebAssebmy, a new instruction set that is supported by all major JavaScript runtimes.

We present a new toolchain that compiles Low*, a low-level subset of the F* programming language, into WebAssembly. Unlike other WebAssembly compilers like Emscripten, our compilation pipeline is focused on compactness and auditability: we formalize the full translation rules in the paper and implement it in a few thousand lines of OCaml. Using this toolchain, we present two case studies. First, we build WHACL*, a WebAssembly version of the existing, verified HACL* cryptographic library. Then, we present LibSignal*, a brand new, verified implementation of the Signal protocol in WebAssembly, that can be readily used by messaging applications like WhatsApp, Skype, and Signal.

Category / Keywords: implementation / protocols, applications, verification

Original Publication (with minor differences): IEEE Security & Privacy 2019

Date: received 21 May 2019, last revised 22 May 2019

Contact author: protz at microsoft com, benjamin beurdouche@inria fr, denis merigoux@inria fr, karthikeyan bhargavan@inria fr

Available format(s): PDF | BibTeX Citation

Note: Typo in the email of an author on the pdf paper (berudouche -> beurdouche)

Version: 20190522:182908 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]