IETF Logo Mail Archive

Re: [Ufmrg] bugs in formal methods software

Nadim Kobeissi <nadim@symbolic.software> Fri, 08 September 2023 17:17 UTC

Return-Path: <nadim@symbolic.software>
X-Original-To: ufmrg@ietfa.amsl.com
Delivered-To: ufmrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5F44C151080 for <ufmrg@ietfa.amsl.com>; Fri, 8 Sep 2023 10:17:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=symbolic.software header.b="nI/78iAi"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="0XHD7xdo"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tu8NY8eOnBlf for <ufmrg@ietfa.amsl.com>; Fri, 8 Sep 2023 10:17:10 -0700 (PDT)
Received: from wnew4-smtp.messagingengine.com (wnew4-smtp.messagingengine.com [64.147.123.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B84ECC14CE40 for <Ufmrg@irtf.org>; Fri, 8 Sep 2023 10:17:10 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailnew.west.internal (Postfix) with ESMTP id A38B22B000A8; Fri, 8 Sep 2023 13:17:07 -0400 (EDT)
Received: from imap51 ([10.202.2.101]) by compute1.internal (MEProxy); Fri, 08 Sep 2023 13:17:07 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= symbolic.software; h=cc:content-type:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm2; t=1694193427; x= 1694197027; bh=gAfjY5EQpcpPklDuO+dKRk9U+dj9XdV64b0Irc99TbM=; b=n I/78iAiplbBAy69P55/WmFYOS2D6XA1LQnsixI49AbAnTiYwfsw/+F6xnkGiUzbV upxnNBG6Nq0An116DooozXMi1+izchkWSp2hrE81WDk0qUw+wYMKACTIL0TzTCiu tD86jqkVC+h0eIPq0zI2X1cT4aleQ1LCPc1lrGsIWIQkO4bOvdUQ+tFSbxfx9kSp XhYYl7zawGyVqT03Pd4SgdxdYjzqyvfB1d5P84q3lAQ6N6r1FqaEmLIcGy7bfkXF ienlR3j06ePAarX9IL7TAm5HxUz/etCpOPGnbxJx7MX+5sQWc3b6F+HjZ/Q3i7+H AvmiW3eF6+zo63VDOAFgA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; t=1694193427; x=1694197027; bh=gAfjY5EQpcpPk lDuO+dKRk9U+dj9XdV64b0Irc99TbM=; b=0XHD7xdooDeQA05keNKX4HkP03CU4 2+UWplyo32WXUME2UxlPlo7tmYlr9xGRViHpGThF7PoSCNcADcFMHZnQxz0NRxqB bhOIq8fB+pkykm6mPHu08p57uNHlley9ObTR41iXobstUO/GiR2GqQ0oZjAZK/mW HSmZYlgW2NQNSmiXQnvQbp38btY70o7/yBryFSdokU5Bm5MwgpfW+csSHFrYME8c V87eZK+LkcpR7RuAaiY+UGrHR4+pyV/Iam4fs97lGMZ8LBlvGrsZcQCg/TYidwcN ZVhnCJBnsTnsFwt629EYJuBiiE7IcvjYtcm/OnOSj7F5c0Pu2FR2gTneg==
X-ME-Sender: <xms:Elf7ZBrJHGsyHWg7CD7zHmWv2OkXkDuPVfpxK-U30LH0IqjIZPqf0w> <xme:Elf7ZDoY3a_lM0nECffdqPLKfkEB2dPdC6sBApk6eJYhfQywRAo98QJLerPJL1xgE 0En3zU9t1Z3fW6JHHY>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrudehjedguddutdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgggkfgjfhffhffvufgtsegrtderreerreejnecuhfhrohhmpedfpfgr ughimhcumfhosggvihhsshhifdcuoehnrgguihhmsehshihmsgholhhitgdrshhofhhtfi grrhgvqeenucggtffrrghtthgvrhhnpeeiffejhfehheelffdtheetgfdukeekgfdujedv veduvdehieehveduuefgudduudenucffohhmrghinhepihhnrhhirgdrfhhrpdhnohhish gvvgigphhlohhrvghrrdgtohhmpdhgihhthhhusgdrtghomhdpfihikhhiphgvughirgdr ohhrghdpvhgvrhhifhhprghlrdgtohhmpdhtuhdqughrvghsuggvnhdruggvpdhshihmsg holhhitgdrshhofhhtfigrrhgvnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghm pehmrghilhhfrhhomhepnhgrughimhesshihmhgsohhlihgtrdhsohhfthifrghrvg
X-ME-Proxy: <xmx:Elf7ZOPEvx2xfCaRH1Vhg3fnrH4EXlPJgWic9Ab7rBlzwqPcVThWdQ> <xmx:Elf7ZM4yspVIdqjm4bdsrn0QnTOWkP8YCJzxDw-VC8kR0FBkTakzEw> <xmx:Elf7ZA56sIznUdvn_88r_SO_atfULqv7maSxrrNDuHnCCmF2GY4VIg> <xmx:Elf7ZFh7HYvG6AtraEmRVYDU8GUZEthDEg4q-nHI6Y8e50E9SJNke_yln5o>
Feedback-ID: i6d3949ed:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3642AB60089; Fri, 8 Sep 2023 13:17:06 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-711-g440737448e-fm-20230828.001-g44073744
Mime-Version: 1.0
Message-Id: <c3efb674-f84b-4878-83c5-0e876d4a355f@app.fastmail.com>
In-Reply-To: <0deef4889098416391db79bde18afc3f@tu-dresden.de>
References: <CAHgAKgQQCyoLuOXpv_YbiYhT-typqc8Apx59D_rGj7cNtA4VwQ@mail.gmail.com> <0deef4889098416391db79bde18afc3f@tu-dresden.de>
Date: Fri, 08 Sep 2023 19:16:44 +0200
From: Nadim Kobeissi <nadim@symbolic.software>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>, Gergely Buday <g.buday=40sheffield.ac.uk@dmarc.ietf.org>, "Ufmrg@irtf.org" <Ufmrg@irtf.org>
Content-Type: multipart/alternative; boundary="6ac2a548e98342ed9d787ac86f8727b0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ufmrg/bW1_UkoGI6shm0bgi8A99dJLlW8>
Subject: Re: [Ufmrg] bugs in formal methods software
X-BeenThere: ufmrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Usable Formal Methods Research Group <ufmrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/ufmrg>, <mailto:ufmrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ufmrg/>
List-Post: <mailto:ufmrg@irtf.org>
List-Help: <mailto:ufmrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/ufmrg>, <mailto:ufmrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2023 17:17:15 -0000

Dear Gergely,

Ahh, how to answer this! The bugs that I've seen are rather mostly anecdotal, I'm afraid. I suspect this is largely because of the way formal methods tools tend to be used:

1. If you find a bug in a formal methods tool, it's likely because you're one of the very few people doing something very advanced or unusual with it.
2. If you're doing something advanced or unusual with a formal methods tool, you are almost certainly in a Slack or Zulip with its creators. (It's impossible to learn how to use EasyCrypt or F* to do something advanced otherwise, that's just the truth!)
3. If you find the bug, you're likely to report it then and there, and it gets patched rather informally, again, given the size of the user base and the academic nature of the tooling.

Some anecdotes I can share:
1. I remember a long time ago an early version of CryptoVerif mixed namespaces: you could have two `let`s in different scopes and if the variable name matched, you'd get mixing. This was fixed rather quickly in 2015 if I recall correctly.
2. At one point, there was an F* build that forgot the commutative property of addition. i.e. a + b == b + a returned false. I remember that was a funny moment and it was also fixed quickly.
3. Tons of subtle issues with ProVerif that led to crashes, eating up all the RAM, etc. -- most of these were discovered due to our work back in the day on modeling Signal [1] and Noise [2] in ProVerif, and Bruno's team released, as a result, major updates to ProVerif which shortened the analysis time of our Noise models in once instance from 170 hours to 20 minutes [3]

There are also a bunch of stories about bugs in Coq, but again, I ran past those in real life while working at Inria, and it wasn't a sort of situation where they were documented anywhere.

Of course, Verifpal has probably had more bugs than any other three formal analysis tools combined! Although the bug that Usama mentions (found during the Eurocrypt 2022 workshop) was indeed amply documented [4] and an update was released with credit to Oskar Goldhahn, who found the bug [5]. Luckily the bug was only due to some ill-thought code optimization that I dreamt up that I thought would make analysis faster. The optimization was promptly removed.

Unrelatedly, Verifpal has really painted itself into a corner due to its extreme focus on acting as a learning tool and ease of use: the language is so small and inexpressive that at this point it can never be used to reason protocols in a truly nuanced way, and the analysis logic is inspired by the language (Chomsky was right? [6]) I also think it was a mistake to write it in Go, but what can you do. I still get really excited when it's used in undergraduate courses, and I was nutty enough to ship a manual with a full-blown manga of Verifpal punching bad guys. [7]

It's important to remember that in the end, all of this stuff is software, too. Software verifies software (or logical representations), but who verifies the verifiers? You've got to put your trust somewhere, which is why, anyway, I've always advocated for making models easier to read: if the modeling tool/language is so complex that the tool itself (Be it EasyCrypt, Tamarin, whatever) can check the model, but you (or others) can't even read it, then what's the point? You're just blindly trusting that software at that point, and Haskell/OCaml code ain't perfect, either.

It's fun to talk about this stuff, I hope we can have more discussions like this!

References:
[1] https://bblanche.gitlabpages.inria.fr/proverif/publications/KobeissiBhargavanBlanchetEuroSP17.html
[2] https://noiseexplorer.com 
[3] https://bblanche.gitlabpages.inria.fr/proverif/publications/BlanchetEtAlSP22.html
[4] https://github.com/symbolicsoft/verifpal/commit/eeaed68fecae463b3fbb9f57357591d5e73b9df0
[5] https://github.com/symbolicsoft/verifpal/commit/dad640afa0ff544b6f0d0e960ec3c49130a9e4b5
[6] https://en.wikipedia.org/wiki/Language_and_thought
[7] https://verifpal.com/res/pdf/manual.pdf

On Fri, Sep 8, 2023, at 5:31 PM, Muhammad Usama Sardar wrote:
> Hello Gergely, 
> 
> One of these bugs was found in Verifpal by one of the trainees during the tutorial in Eurocrypt 2021. I don't find it documented, though. 
> 
> 
> 
> ------------------------------------------------------------------------------------------------------------------------------------------
> Best Regards, 
> Muhammad Usama Sardar (M.Sc.)
> 
> Research Associate
> 
> Technische Universität Dresden
> 
> 
> 
> Faculty of Computer Science
> 
> Institute of Systems Architecture
> 
> Chair of Systems Engineering
> 
> 
> 
> Office: APB 3073
> 
> Phone: +49 351 463-42048
> 
> Email: muhammad_usama.sardar@tu-dresden.de
> 
> Website: https://tu-dresden.de/ing/informatik/sya/se/die-professur/beschaeftigte/muhammad-usama-sardar
> 
> ------------------------------------------------------------------------------------------------------------------------------------------
> 
> 
> *Von:* Ufmrg <ufmrg-bounces@irtf.org> im Auftrag von Gergely Buday <g.buday=40sheffield.ac.uk@dmarc.ietf.org>
> *Gesendet:* Freitag, 8. September 2023 15:39:55
> *An:* nadim@symbolic.software; Ufmrg@irtf.org
> *Betreff:* [Ufmrg] bugs in formal methods software
>  
> Dear Nadim
> 
> at the interim meeting you were talking about discovered bugs in formal methods software for security protocols.
> 
> Could you please tell us a few words about these as it is interesting: what kind of bugs are these, where can we read about them and how they influence the use of these tools?
> 
> Yours
> 
> - Gergely

Nadim Kobeissi
Symbolic Software • https://symbolic.software

v2.23.0 | Report a Bug | By Email