IETF Logo Mail Archive

Re: [irtf-discuss] [115attendees] Usable formal methods side meeting at IETF 115

Jonathan Hoyland <jonathan.hoyland@gmail.com> Tue, 06 December 2022 12:03 UTC

Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: irtf-discuss@ietfa.amsl.com
Delivered-To: irtf-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D09DDC14CE5F for <irtf-discuss@ietfa.amsl.com>; Tue, 6 Dec 2022 04:03:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtgdjt5sddRk for <irtf-discuss@ietfa.amsl.com>; Tue, 6 Dec 2022 04:03:34 -0800 (PST)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9A2DC14CE55 for <irtf-discuss@irtf.org>; Tue, 6 Dec 2022 04:03:34 -0800 (PST)
Received: by mail-pj1-x1036.google.com with SMTP id t17so14197318pjo.3 for <irtf-discuss@irtf.org>; Tue, 06 Dec 2022 04:03:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ERmg64h1ukuoc57xkocUQ/k4NRl/uerGz9+rJiUcBl4=; b=CHP8zcIe4xgMEf4LdnojPUzjx502UtZTZJxsEuOlEdyRE5vKytCmJasc7DmLaEgnPQ qPWNeRuYMQmDzG28QRYeohEFOVp8aPDLnO5yhQi2IBsBhasjFsPEIVkhk357JhDBC2b2 G6l3ZfUgPD1fJ/IvrpDeuh9DjngarTvgfzo7siEDxRYPFrReH5L/O/nskUT6x3D8uz4h yh0vn20yTcDfCWAYJNm1sBvCS7pjWhCmnwIBzURB9tGL+yvClevMG4f7OtSb7/YCV+6R SXkEoBKQ694MQm6nOo/qnSZ5TQXz3TCjARW+lYlVkODHySOd7yXuNA1Aheh+aA9UxcrM KInA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ERmg64h1ukuoc57xkocUQ/k4NRl/uerGz9+rJiUcBl4=; b=ohF2x1ANY74AN7JdYNyQ5nB/UaXPsVjz5/Qxkc3oyD1f6pDcPkJNsbwaM86kUhi4vk Z3cre4kzwI8iJOsHJChjFeN/UrbyvbnVH/mZouzCCQgmTdZJriRFfDCG6axSTGO84APG kT+x2nne1WOHZlghuTwdmnN4VsL4v6mVr21GOwcCuPiQxGYzANjm5FEtCFJ91P759XyU H14TXXzDM+Wf0+KIi7xxh1aDr20k68nbo77hsUru4c8wNTdQrTRMXm9Nzac/pBPJAQWl 4KLHEXXa7wwcN6EIJxWmb99JqkDcpQ/UZPxto0fn/mnoQ9guMcAGJFht8/zujnv6Buw0 nkzQ==
X-Gm-Message-State: ANoB5pnIuNIzTftAC3kGRvOtEsWvTxqN7Bee3vHn1xGTEF8k9cbdw33k 10KmknVtF0Vue7wzJTMRy2j5+xouLvu9q8jKNDs=
X-Google-Smtp-Source: AA0mqf65OVfRLyTlGr0e8NDTKtEk+kj7qwrgiM44Hi2j/WTCRK2MjMg+wBQYw7GVM8x89fEDrdt+LJT6lWH3QF4iWaM=
X-Received: by 2002:a17:902:e9c2:b0:189:e206:2226 with SMTP id 2-20020a170902e9c200b00189e2062226mr6130806plk.102.1670328213674; Tue, 06 Dec 2022 04:03:33 -0800 (PST)
MIME-Version: 1.0
References: <C91D3863-37D3-4E09-B1F9-588C316240CD@csperkins.org> <281e560d-0b89-53a5-de75-bfe68004917c@uni-mate.hu> <f03ea379-b15f-81b-76fa-f893a57f527@lakka.kapsi.fi> <439e42fe-0070-bcd8-602d-33f750224a44@uni-mate.hu> <CACykbs3VQ6SYwzXxG50TheX2qEwsGGZCyDs8CgqiPFyPCNYeQA@mail.gmail.com> <52331f26-3a3-7857-4b3b-e5e7e2a99b34@lakka.kapsi.fi>
In-Reply-To: <52331f26-3a3-7857-4b3b-e5e7e2a99b34@lakka.kapsi.fi>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Tue, 06 Dec 2022 12:03:21 +0000
Message-ID: <CACykbs1vE1tzuhXh8+kLPksVhX2QXt_O+6XUDo-t1wNxVrtznQ@mail.gmail.com>
To: Sampo Syreeni <decoy@iki.fi>
Cc: Buday Gergely <buday.gergely.istvan=40uni-mate.hu@dmarc.ietf.org>, Colin Perkins <csp@csperkins.org>, irtf-discuss@irtf.org, 115attendees@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d59efc05ef2797ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/irtf-discuss/cQcoa4_ouPLeY5DdtpXy0n1ixL0>
Subject: Re: [irtf-discuss] [115attendees] Usable formal methods side meeting at IETF 115
X-BeenThere: irtf-discuss@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IRTF general and new-work discussion list <irtf-discuss.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/irtf-discuss>, <mailto:irtf-discuss-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/irtf-discuss/>
List-Post: <mailto:irtf-discuss@irtf.org>
List-Help: <mailto:irtf-discuss-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/irtf-discuss>, <mailto:irtf-discuss-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2022 12:03:35 -0000

Hi Sampo,

I don't think we disagree on what is possible, but I'd like to emphasise
the value and importance of tooling.
Whilst it is totally possible to apply formal methods by hand there are two
huge issues.

First, humans are really bad at applying a set of rules with perfect
consistency thousands and thousands of times.
Our formal analysis of TLS 1.3 comes out to ~750,000 steps.
Is that doable by hand? Maybe
Is it doable without a single error? Probably not

Second, humans are really bad at checking that a set of rules has been
applied with perfect consistency thousands and thousands of times.
Manual proofs are basically uncheckable in the peer review system.
I once took two weeks to go through a 40 page proof someone had submitted.
I found 19 mistakes.
Other reviewers who didn't have time (or perhaps the inclination) to take
two weeks to validate someone else's proof would have had to simply accept
the proof at face value.

When I write about formal analysis (and in particular Tamarin) I'm talking
about tool-assisted formal analysis.
Specifically, it's not just about writing down a specification and some
properties, or even manually proving the spec has the properties, it's
about coming up with a machine checkable proof where it is easy for a human
to understand the proof's claim, and we can then rely on the machine to
check that the claim is true.

As you pointed out, FA is very complex in the general case, and so I think
it's unlikely that we will ever want to use one language to describe every
IETF protocol.
Something expressive enough to capture all possible protocols would likely
be so expressive that the problem is undecidable (as it is in the general
case).
Tamarin is one of the most powerful tools available, and even though there
are some things it can't capture efficiently, it's already only
semi-decidable.
My goal would be to come up with a small stable of domain specific
languages with good tooling that can efficiently make and check proofs for
the protocols we care most about.
Trying to get to one-language-to-rule-them-all seems like a very arbitrary
and not especially useful goal.

With respect to the language the code is written in, unfortunately it
matters a lot, even if in theory it doesn't need to.
Only a tiny handful of languages have the tooling for proving functional
correctness, let alone the tooling necessary to prove things like
side-channel resistance.
Whilst in theory you can prove code is correct entirely manually it's both
hugely difficult and highly error prone.
With F# in particular you can write preconditions and invariants everywhere
if you have a mind to; I was including correctness as a key property for
proof of security.

Knowing what code means logically, and ascertaining its validity are again,
possible by hand, but even if you can check the code is correct, you can't
easily convince someone else of that.
They effectively have to know and trust that you did the proof with
sufficient care and attention, and that you didn't miss some edge case, etc.
With good tooling they only have to trust the tool, and it's much easier to
check a tool for bugs than a person's brain.

Regards,

Jonathan



On Mon, 5 Dec 2022 at 04:18, Sampo Syreeni <decoy@iki.fi> wrote:

> On 2022-11-08, Jonathan Hoyland wrote:
>
> > A common method for formally analysing protocols is to express them in
> > some kind of rewriting system, and then check that the system has some
> > LTL property.
>
> That doesn't really answer the question, though. Because *anything* at
> *all*, *any* computation can be expressed as a rewritng system. Just
> look at lambda calculus and the Church-Turing thesis.
>
> It's not about what is *possible* or how it's mathematically expressed.
> It's about how it's *structured* for *human* consumpition.
>
> > For example Tamarin is a software tool that uses multi-set rewriting
> > to express protocols, [...]
>
> You said it yourself, just now. It's about how to structure your logic.
> In this case using multilsets.
>
> > [...] and a fragment of first order logic to analyse them. It was used
> > to analyse, for example, TLS 1.3, and find mistakes in some of the
> > drafts.
>
> "A fragment", yes. Because the whole deal might be intractable.
>
> Also, if you want to formalize and analyze protocols, you most likely
> need to apply temporal/modal logics. Quite beyond the kinds of logics
> uhnderpinning e.g. free or even tagged-tree or heaven forbid attribute
> grammars. (Which, by the way, under their most general semantics,
> approach in their generality the Church-Turing bound.)
>
> > Formal verification looks at code and checks that it implements some
> > spec.
>
> So it it's spec, duh. So the sages of the field defined it, from the
> beginning.
>
> > One technique for formally verifying protocols is to write the code in
> > some restricted programming language, and then use tools to check that
> > that code has some property.
>
> It doesn't matter which language the code is written in. The only thing
> which matters is whether we know what the code *means*, *logically*,
> and so whether we can ascertain its validity.
>
>
> > For example you can use EasyCrypt and Jasmin to write low-level crypto
> > code, and verify its security properties, including checking for
> > things like side channel safety. Alternatively you can use F# with F7
> > to analyse code. There are formally verified implementations of things
> > from ChaChaPoly to TLS 1.3. Formally verified code is deployed in
> > projects such as Chrome and Firefox.
>
> True, but we could do even better. Why not just write preconditions and
> invariants everywhere? All over the code? So that theorem provers could
> make sure our code is correct throughout? Notify the coder if something
> was amiss?
>
> That's not too difficult to do, and would definitely cut a bug or two
> every here and then.
>
> > The idea of generating prose from a specification is interesting, but
> > not something I have seen any work on so far.
>
> I've seen some work around these parts already. Even GPT-3 has been
> applied to this problem. However, that work only solves the problem of
> generating prose from a specification, somehow intuitionistically. It
> does not solve the problem of generating a proper, valid and sound
> logical document, from a description. "You can't be sure about what
> you're reading."
> --
> Sampo Syreeni, aka decoy - decoy@iki.fi, http://decoy.iki.fi/front
> +358-40-3751464 <http://decoy.iki.fi/front+358-40-3751464>, 025E D175
> ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
>

v2.23.0 | Report a Bug | By Email