Adds CBMC proof for aws_cryptosdk_priv_try_gen_key #661
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alex-chew
reviewed
Dec 15, 2020
...fication/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/aws_cryptosdk_priv_try_gen_key_harness.c
Outdated
Show resolved
Hide resolved
...fication/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/aws_cryptosdk_priv_try_gen_key_harness.c
Outdated
Show resolved
Hide resolved
...fication/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/aws_cryptosdk_priv_try_gen_key_harness.c
Outdated
Show resolved
Hide resolved
...fication/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/aws_cryptosdk_priv_try_gen_key_harness.c
Outdated
Show resolved
Hide resolved
adpaco-aws
previously requested changes
Dec 19, 2020
source/session_encrypt.c
Outdated
Comment on lines
51
to
61
| AWS_PRECONDITION(session != NULL); | ||
| AWS_PRECONDITION(aws_cryptosdk_cmm_base_is_valid(session->cmm)); | ||
| AWS_PRECONDITION(aws_cryptosdk_alg_properties_is_valid(session->alg_props)); | ||
| AWS_PRECONDITION(aws_cryptosdk_hdr_is_valid(&session->header)); | ||
| AWS_PRECONDITION(aws_cryptosdk_keyring_trace_is_valid(&session->keyring_trace)); | ||
| AWS_PRECONDITION(aws_allocator_is_valid(session->alloc)); | ||
| AWS_PRECONDITION(aws_cryptosdk_commitment_policy_is_valid(session->commitment_policy)); | ||
| AWS_PRECONDITION(session->state == ST_GEN_KEY); | ||
| AWS_PRECONDITION(session->mode == AWS_CRYPTOSDK_ENCRYPT); |
There was a problem hiding this comment.
Can you open an issue so that I do not forget replacing this by the session validator that I am writing?
There was a problem hiding this comment.
Made one here - #670
verification/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/Makefile
Outdated
Show resolved
Hide resolved
verification/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/Makefile
Outdated
Show resolved
Hide resolved
verification/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/cbmc-batch.yaml
Outdated
Show resolved
Hide resolved
feliperodri
requested changes
Dec 21, 2020
verification/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/Makefile
Outdated
Show resolved
Hide resolved
...fication/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/aws_cryptosdk_priv_try_gen_key_harness.c
Outdated
Show resolved
Hide resolved
...fication/cbmc/proofs/aws_cryptosdk_priv_try_gen_key/aws_cryptosdk_priv_try_gen_key_harness.c
Outdated
Show resolved
Hide resolved
adpaco-aws
force-pushed
the
cbmc_priv_try_gen_key
branch
from
76096d6 to
2340de6
Compare
adpaco-aws
force-pushed
the
cbmc_priv_try_gen_key
branch
2 times, most recently
from
93cf80d to
00e277b
Compare
adpaco-aws
force-pushed
the
cbmc_priv_try_gen_key
branch
from
faff1c2 to
fd16bf3
Compare
adpaco-aws
reviewed
Jan 19, 2021
There was a problem hiding this comment.
This PR is now ready to review! Here is a summary of the changes I have introduced since the last time you reviewed it:
- The session validator now allows
session->alg_propsto be null or valid. - Due to the previous change, the proofs for
sign_headerandderive_data_keywere broken (they assumedsession->alg_propsto be always valid). Therefore, I have added additional assumptions/preconditions to enforcesession->alg_propsto be valid. - All stubs that were defined in the harness have been moved to their own file on the stubs folder.
- I have included the stub for
aws_cryptosdk_hdr_writethat I wrote for thesign_headerproof in this PR. This reduced the time to complete this proof from ~2h to ~30mins. - Buffer validity is asserted for
okmin the HKDF stub.
As noted in the harness, we do not use the session_setup function because would be creating objects that are not used or need to be replaced later (costly in proofs like this one).
feliperodri
approved these changes
Jan 19, 2021
| @@ -103,7 +103,7 @@ AWS_CRYPTOSDK_STATIC_INLINE bool aws_cryptosdk_session_is_valid(const struct aws | |||
| bool cmm_valid = aws_cryptosdk_cmm_base_is_valid(session->cmm); | |||
| bool hdr_valid = aws_cryptosdk_hdr_is_valid(&session->header); | |||
| bool keyring_trace_valid = aws_cryptosdk_keyring_trace_is_valid(&session->keyring_trace); | |||
| bool alg_props_valid = aws_cryptosdk_alg_properties_is_valid(session->alg_props); | |||
| bool alg_props_valid = session->alg_props == NULL || aws_cryptosdk_alg_properties_is_valid(session->alg_props); | |||
There was a problem hiding this comment.
I'd add parenthesis.
bool alg_props_valid = (session->alg_props == NULL || aws_cryptosdk_alg_properties_is_valid(session->alg_props));And makes sure @alex-chew agree that a valid aws_cryptosdk_session can have a NULL alg_props.
There was a problem hiding this comment.
Indeed session->alg_props can be NULL.
Comment on lines
+96
to
+98
| if (aws_byte_buf_init(&session->header.message_id, session->alloc, message_id_len) != AWS_OP_SUCCESS) { | ||
| goto out; | ||
| } |
| * multiple functions (see Makefile). It also requires a quite specific | ||
| * configuration for the session struct (cmm's vtable must include a | ||
| * pointer to the function declared above, alg_props can be NULL or valid, | ||
| * etc.) so we do not use the session_setup method to initialize it |
There was a problem hiding this comment.
/*
* ... to initialize it.
*/
Comment on lines
19
to
20
| * A generator function as described in the comment | ||
| * in aws_cryptosdk_hash_elems_array_init_stub.c |
There was a problem hiding this comment.
You should describe it again here.
Comment on lines
+20
to
+26
| /* Stub this until https://github.com/diffblue/cbmc/issues/5344 is fixed | ||
| Original function is here: | ||
| https://github.com/aws/aws-encryption-sdk-c/blob/master/source/edk.c#L44 */ | ||
| void aws_cryptosdk_edk_list_clean_up(struct aws_array_list *encrypted_data_keys) { | ||
| assert(aws_cryptosdk_edk_list_is_valid(encrypted_data_keys)); | ||
| aws_array_list_clean_up(encrypted_data_keys); | ||
| } |
There was a problem hiding this comment.
We need a github issue to track this in this project, please, create one.
There was a problem hiding this comment.
Looks like that issue has been solved, but we should determine the correctness/performance impact next. That alone would make an outstanding PR, so I have created the corresponding issue here: #690
adpaco-aws
force-pushed
the
cbmc_priv_try_gen_key
branch
from
a0d13b3 to
dfadf04
Compare
adpaco-aws
force-pushed
the
cbmc_priv_try_gen_key
branch
from
dfadf04 to
ec5b382
Compare
alex-chew
reviewed
Jan 19, 2021
alex-chew
approved these changes
Jan 19, 2021
robin-aws
pushed a commit
to robin-aws/aws-encryption-sdk-c
that referenced
this pull request
Apr 26, 2021
* Adds check in case byte_buf_init fails * Adds harness, Makefile and yaml for priv_try_gen_key * Adds preconditions to source code * Update to harness * yaml update to boiler plate default * Remove unneccessary remove functions * Added preconditions of lne of byte bufs * Use CBMC_OBJECT_BITS = 9 flag * Use session setup and validator functions * Move stubs in harness to stubs folder * Weaken preconditions. Allow null in session members * Remove CBMC_OBJECT_BITS flag * Add comments and assert for `okm` in hkdf stub * Add props assumptions in sign_header and derive_data_key proofs * Remove unused stub `aws_default_allocator` * Add missing source file in `sign_header` proof * Add minor improvements Co-authored-by: Adrian Palacios <[email protected]>
robin-aws
pushed a commit
to robin-aws/aws-encryption-sdk-c
that referenced
this pull request
Apr 29, 2021
* Adds check in case byte_buf_init fails * Adds harness, Makefile and yaml for priv_try_gen_key * Adds preconditions to source code * Update to harness * yaml update to boiler plate default * Remove unneccessary remove functions * Added preconditions of lne of byte bufs * Use CBMC_OBJECT_BITS = 9 flag * Use session setup and validator functions * Move stubs in harness to stubs folder * Weaken preconditions. Allow null in session members * Remove CBMC_OBJECT_BITS flag * Add comments and assert for `okm` in hkdf stub * Add props assumptions in sign_header and derive_data_key proofs * Remove unused stub `aws_default_allocator` * Add missing source file in `sign_header` proof * Add minor improvements Co-authored-by: Adrian Palacios <[email protected]>
robin-aws
pushed a commit
to robin-aws/aws-encryption-sdk-c
that referenced
this pull request
May 4, 2021
* Adds check in case byte_buf_init fails * Adds harness, Makefile and yaml for priv_try_gen_key * Adds preconditions to source code * Update to harness * yaml update to boiler plate default * Remove unneccessary remove functions * Added preconditions of lne of byte bufs * Use CBMC_OBJECT_BITS = 9 flag * Use session setup and validator functions * Move stubs in harness to stubs folder * Weaken preconditions. Allow null in session members * Remove CBMC_OBJECT_BITS flag * Add comments and assert for `okm` in hkdf stub * Add props assumptions in sign_header and derive_data_key proofs * Remove unused stub `aws_default_allocator` * Add missing source file in `sign_header` proof * Add minor improvements Co-authored-by: Adrian Palacios <[email protected]>
robin-aws
pushed a commit
to robin-aws/aws-encryption-sdk-c
that referenced
this pull request
May 4, 2021
* Adds check in case byte_buf_init fails * Adds harness, Makefile and yaml for priv_try_gen_key * Adds preconditions to source code * Update to harness * yaml update to boiler plate default * Remove unneccessary remove functions * Added preconditions of lne of byte bufs * Use CBMC_OBJECT_BITS = 9 flag * Use session setup and validator functions * Move stubs in harness to stubs folder * Weaken preconditions. Allow null in session members * Remove CBMC_OBJECT_BITS flag * Add comments and assert for `okm` in hkdf stub * Add props assumptions in sign_header and derive_data_key proofs * Remove unused stub `aws_default_allocator` * Add missing source file in `sign_header` proof * Add minor improvements Co-authored-by: Adrian Palacios <[email protected]>
robin-aws
pushed a commit
that referenced
this pull request
May 5, 2021
* Adds check in case byte_buf_init fails * Adds harness, Makefile and yaml for priv_try_gen_key * Adds preconditions to source code * Update to harness * yaml update to boiler plate default * Remove unneccessary remove functions * Added preconditions of lne of byte bufs * Use CBMC_OBJECT_BITS = 9 flag * Use session setup and validator functions * Move stubs in harness to stubs folder * Weaken preconditions. Allow null in session members * Remove CBMC_OBJECT_BITS flag * Add comments and assert for `okm` in hkdf stub * Add props assumptions in sign_header and derive_data_key proofs * Remove unused stub `aws_default_allocator` * Add missing source file in `sign_header` proof * Add minor improvements Co-authored-by: Adrian Palacios <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds Makefile, harness and yaml for proof of aws_cryptosdk_priv_try_gen_key.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: