Building a business with Haskell

Case Studies: Cryptol, HaLVM, Copilot
Don Stewart | BelHac | Nov 5, 2010

This talk...
 Earlier talk, “A decade of functional programming at Galois” described how we use Haskell at Galois  This talk introduces three case studies from some of our projects: • Cryptol – a cryptography language and toolchain • HaLVM – OS component isolation via GHC + Xen • Copilot – a Haskell EDSL for avionics monitoring  Less about Haskell itself, more about the kinds of things we build with it  To give a flavor of how to think functionally about client problems, and hopefully inspire you!
© 2010 Galois, Inc. All rights reserved.

 Building systems that are trustworthy  ~40 employees in Portland, Oregon  11 years in business

© 2010 Galois, Inc. All rights reserved.

What does Galois do?
 Computer science R&D with a particular brand: • Formal methods (theorem proving, model checking) • Typed functional languages • Compilers, DSLs, analysis tools  For building kernels, file systems, networks, servers, compilers, security systems, desktop apps, ...  Haskell for pretty much everything
French mathematician Évariste Galois

© 2010 Galois, Inc. All rights reserved.

1. Cryptol
 What is it? A DSL for cryptography  How? Compilers, interpreters, support tools, all in Haskell  Client need: to establish correctness of crypto algorithm implementations  Not just a government problem:
25% of algorithms submitted for FIPS validation had security flaws
– Director NIST CMVP, March 26, 2002

© 2010 Galois, Inc. All rights reserved.

Approach: Specification and Formal Tools
 Start with a declarative specification language
• Make it close to the crypto domain notation • With custom types and constructs for cryptography • Designed with feedback from NSA cryptographers

 Add execution and validation tools
• Generate different implementations (FPGA, C, …) • Use different verification tools

 In use by crypto implementers

© 2010 Galois, Inc. All rights reserved.

More specifically
 Purely functional stream-based language
• Allows for high level, rapid exploration of the design

 Automated synthesis to FPGA
• Using algebraic transformations and term rewriting

 Automated verification
• Equivalence checking of programs against each other, in AIG form • To show implementation matches the spec • Using SAT and SMT solvers

© 2010 Galois, Inc. All rights reserved.

Some of the design requirements
 Should be a high-level language close to the crypto math
• But also executable

 Specifications guide and document implementations
• And can even generate them

 Has to be neutral about execution platform
• Don't bake in Von Neumann assumptions

 High level language needs support for low level features
• Bit patterns, wiring

© 2010 Galois, Inc. All rights reserved.

Key language ideas in Cryptol
 Sequences (comprehensions) and recursion  Views on data: machine independent data transforms  Size types: algorithms parameterized by size
• Size types from Cryptol coming to GHC soon (Diatchki)

 Values and functions  Type inference
x : [4][32]; x = [23 13 1 0]; F : ([16],[16]) -> [16]; F (x, x’) = 2 * x + x’;
© 2010 Galois, Inc. All rights reserved.

Cryptol Types
Types express size and shape of data
[[0x1FE 0x11] [0x132 0x183] [0x1B4 0x5C] [0x26 0x7A]]

has type


Strong typing with usual power:  Inference  Parametric polymorphism All to support the unambiguous specification of interfaces, to the bit level

© 2010 Galois, Inc. All rights reserved.

Converting specs into types

blockEncrypt : {k} (k >= 2, 4 >= k) => ([128], [64*k]) → [128]
… between 2 and 4 First input is a sequence of 128 bits Second input is a sequence of 128, 192, or 256 bits Output is a sequence of 128 bits

For all k

© 2010 Galois, Inc. All rights reserved.

An example: DES
des : ([64],[56]) -> [64]; des (pt, key) = permute (FP, last) where { pt’ = permute (IP, pt); iv = [| round (lr, key, rnd) || rnd <- [0 .. 15] || lr <- [(split pt’)] # iv |]; last = join (swap (iv @ 15)); swap [a b] = [b a]; }; round : ([2][32], [56], [4]) -> [2][32]; round([l r], key, rnd) = [r (l^f(r, kx))] where { kx = expand(key, rnd); f(r,k) = permute(PP, SBox(k^permute(EP, r))); };
© 2010 Galois, Inc. All rights reserved.

Cryptol on FPGAs
 Why? Lack of trust in commodity hardware
• Evaluators can see as much of the solution as possible • Do not have to ship designs off-shore • FPGAs are more flexible than programmable custom crypto processors

 Natural match between Cryptography and FPGAs
• Manipulation of arbitrary length bit sequences • Highly-parallel stream processing

 And FPGAs are fast…

© 2010 Galois, Inc. All rights reserved.

Case Study at Rockwell-Collins
High Speed Encryptor Project
AES reference specification (Cryptol)

Symbolic simulator

Crypto Developer

Simulator Experiment with system integration and control logic.

Reference Reference model model

Make highlevel targetspecific refinements. Verify equivalence with reference specification. Key
Galois tools Third party tools Data files

specification specification

Target Target

compiler compiler

Equivalence check
Equivalence evidence


Calibrate time/space trade-offs and connectivity issues. Verify equivalence with target specification.

Target Target model model

Symbolic simulator

Netlist model

Place and route
Netlist model Bitfile

Equivalence check
Equivalence evidence

Evaluation/Certification evidence Input to tool Feedback to designer © 2010 Galois, Inc. All rights reserved.

Equivalence check
Equivalence evidence

Equivalence Checking Cryptol
 Use SAT to check program equivalence in AIG form
• Equivalence Checking of various versions of AES and DES against both reference models and internal FPGA models take < 5 minutes (most take < 30 seconds) • Models typically have ~106 nodes

 However, it has its limitations
• The Hash Function MD5 on 2 bits takes nearly 10 minutes… • The block cipher RC6, however takes, uh, too long (32-bit multiply) • Only works on core ciphers — not modes (finite input/output) • The equivalence checker typically yields an answer promptly, or it times out

© 2010 Galois, Inc. All rights reserved.

Other Cryptol Assurance tools
 “Quickcheck” property-based testing
• User gives a property, Cryptol automatically tests it on random inputs.

 Translators to SAT- and SMT-based property checkers
• User can give more general properties to these tools • SAT: Checks for satisfiability of large Boolean formulas • SMT extends SAT with higher-level constraint solvers (linear arithmetic, arrays, functions, etc.)

 Safety checking
• Automatically checks that a Cryptol function will never raise an exception • Some possible exceptions: Divide-by-zero, Out-of-bounds array access, assertion failures

 Semi-automatic theorem proving
• Translator from Cryptol to Isabelle theorem prover • User can specify arbitrary Cryptol properties, but proof may need human guidance
© 2010 Galois, Inc. All rights reserved.

2. The HaLVM
 Xen hypervisor for clean separation between OS components  Haskell runtime as OS on top, for fast, small system prototypes

© 2010 Galois, Inc. All rights reserved.

HaLVM goals
 Rapid exploration of decomposed, high assurance OS design space  A sandbox for experimentation with OS components  The HaLVM:
• Libraries + runtime on top of the Xen hypervisor • Boot your (Haskell) OS in < 1s

 Write OS components quickly in Haskell, glue them together safely, via Xen

© 2010 Galois, Inc. All rights reserved.

An example: web server separation

© 2010 Galois, Inc. All rights reserved.

High level architecture

© 2010 Galois, Inc. All rights reserved.

HaLVM summary
 What we have:
• A rapid prototyping system for OS designs • Build minimalist, strongly separated systems, in Haskell, without a host OS • Write drivers in Haskell • Many gory details in practice...

 Particularly useful for rolling systems with interesting network stacks quickly  Uses the rich GHC runtime and language to solve the client need for fast, small prototypes and rapid exploration  While giving more assurance than C
© 2010 Galois, Inc. All rights reserved.

3. Copilot: a DSL for hard realtime monitors • Hard Real-Time systems
• Others already do soft real-time

• Synchronized systems
• Common in avionics

• Periodic Schedules
• Time-trigged systems • Monitoring by sampling

© 2010 Galois, Inc. All rights reserved.

Copilot design
Copilot is a Haskell eDSL targeted at monitoring hard real-time systems.

Synchronous language defined by a set of stream equations (simple data-flow model).

Uses the Atom Haskell eDSL as an intermediate language to generate hard real-time C.

● ●

eDSLs building on eDSLs! Atom is co-maintained by Galois and Eaton.

Generates it's own schedule---no RTOS needed.

© 2010 Galois, Inc. All rights reserved.

Example Copilot Specification
If the temperature rises more than 2.3 degrees within 2 seconds, then engine is shut off.

engine:: Streams engine = do temps .= [0,0,0] ++ extF temp 1 overTempRise .= drop 2 (var temps) > const 2.3 + var temps trigger .= (var overTempRise) implies (extB shutoff 2)

© 2010 Galois, Inc. All rights reserved.

Representative of fault-tolerant systems

• 4 X STM microcontrollers • ARM Cortex M3 cores clocked at 72 Mhz • MPXV5004DP differential pressure sensor
• Senses dynamic and static pressure • Pitot tubes measure airspeed

• Designed to fit in UAS (unpiloted air system)
• Power, weight,...

© 2010 Galois, Inc. All rights reserved.

© 2010 Galois, Inc. All rights reserved.

© 2010 Galois, Inc. All rights reserved.

© 2010 Galois, Inc. All rights reserved.

 Copilot is open source! eDSL on Hackage:
• cabal install copilot

 Used EDSL approach now (Cryptol's size types required DSL approach back in the day)  Haskell dev environment generates verifiable C code  That C code then runs on the embedded device  Again, uses ideas for strong types, declarative specifications, rapid prototyping, and formal verification

© 2010 Galois, Inc. All rights reserved.

Keep an eye out for other things from Galois
 Nettle, a policy language for network routing
• cabal install nettle-openflow

 Haskell Verifier project
• Integrate Haskell and Isabelle once and for all

 Grid 2.0 - IdM on the Open Science Grid, for LHC users  TSE: storage device for multiple security levels of data  New Cryptol backends: Java, LLVM  Tearline Wiki: wiki for classified data with strong separation  ASA: information flow analysis tool for C code, integrated into commercial toolchain  And actually, a lot more...
© 2010 Galois, Inc. All rights reserved.

 You can build a thriving engineering business using functional programming skills and ideas – as long as you are client-focused  Seek problem domain problems that can be made safer, faster, easier … quickly demonstrate value to the client  Our tools are ready: GHC, Cabal, Hackage, Isabelle: a rich ecosystem for getting things done quickly – and can be integrated into existing systems and toolchains  But Haskell is not the message: what value to the client do you provide – faster, sooner, safer, cheaper?  Give back to the community if you can: code, servers, infrastructure, hackathons … we all benefit from any individual success
© 2010 Galois, Inc. All rights reserved.



© 2010 Galois, Inc. All rights reserved.

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.