Building a business with Haskell

Case Studies: Cryptol, HaLVM, Copilot

Don Stewart | BelHac | Nov 5, 2010
 This talk...

 Earlier talk, “A decade of functional programming at

Galois” described how we use Haskell at Galois
 This talk introduces three case studies from some of
our projects:
• Cryptol – a cryptography language and toolchain
• HaLVM – OS component isolation via GHC + Xen
• Copilot – a Haskell EDSL for avionics monitoring
 Less about Haskell itself, more about the kinds of
things we build with it
 To give a flavor of how to think functionally about
client problems, and hopefully inspire you!
© 2010 Galois, Inc. All rights reserved.
 Galois

 Building systems that are trustworthy

 ~40 employees in Portland, Oregon
 11 years in business

© 2010 Galois, Inc. All rights reserved.

 What does Galois do?

 Computer science R&D with a particular brand:

• Formal methods (theorem proving, model
checking)
• Typed functional languages
• Compilers, DSLs, analysis tools
 For building kernels, file systems, networks, servers,
compilers, security systems, desktop apps, ...
 Haskell for pretty much everything

French mathematician Évariste Galois

© 2010 Galois, Inc. All rights reserved.

 1. Cryptol

 What is it? A DSL for cryptography

 How? Compilers, interpreters, support tools, all in Haskell
 Client need: to establish correctness of crypto algorithm
implementations
 Not just a government problem:
25% of algorithms submitted for FIPS validation had security flaws
– Director NIST CMVP, March 26, 2002

© 2010 Galois, Inc. All rights reserved.

 Approach: Specification and Formal Tools

 Start with a declarative specification language

• Make it close to the crypto domain notation
• With custom types and constructs for cryptography
• Designed with feedback from NSA cryptographers
 Add execution and validation tools
• Generate different implementations (FPGA, C, …)
• Use different verification tools
 In use by crypto implementers

© 2010 Galois, Inc. All rights reserved.

 More specifically

 Purely functional stream-based language

• Allows for high level, rapid exploration of the design
 Automated synthesis to FPGA
• Using algebraic transformations and term rewriting
 Automated verification
• Equivalence checking of programs against each other, in AIG form
• To show implementation matches the spec
• Using SAT and SMT solvers

© 2010 Galois, Inc. All rights reserved.

 Some of the design requirements

 Should be a high-level language close to the crypto math

• But also executable
 Specifications guide and document implementations
• And can even generate them
 Has to be neutral about execution platform
• Don't bake in Von Neumann assumptions
 High level language needs support for low level features
• Bit patterns, wiring

© 2010 Galois, Inc. All rights reserved.

 Key language ideas in Cryptol

 Sequences (comprehensions) and recursion

 Views on data: machine independent data transforms
 Size types: algorithms parameterized by size
• Size types from Cryptol coming to GHC soon (Diatchki)
 Values and functions
 Type inference

x : [4][32];
x = [23 13 1 0];

F : ([16],[16]) -> [16];

F (x, x’) = 2 * x + x’;

© 2010 Galois, Inc. All rights reserved.

 Cryptol Types

Types express size and shape of data

[[0x1FE 0x11] [0x132 0x183] [0x1B4 0x5C] [0x26 0x7A]]
has type [4][2][9]

Strong typing with usual power:

 Inference
 Parametric polymorphism

All to support the unambiguous specification of interfaces,

to the bit level

© 2010 Galois, Inc. All rights reserved.

 Converting specs into types

blockEncrypt : {k} (k >= 2, 4 >= k) => ([128], [64*k]) → [128]

First input is Second input Output is a

…
For all k a sequence is a sequence sequence of
between
of 128 bits of 128, 192, 128 bits
2 and 4
or 256 bits

†
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

© 2010 Galois, Inc. All rights reserved.

 An example: DES
des : ([64],[56]) -> [64];
des (pt, key) = permute (FP, last)
where {
pt’ = permute (IP, pt);
iv = [| round (lr, key, rnd)
|| rnd <- [0 .. 15]
|| lr <- [(split pt’)] # iv
|];
last = join (swap (iv @ 15));
swap [a b] = [b a];
};

round : ([2][32], [56], [4]) -> [2][32];

round([l r], key, rnd) = [r (l^f(r, kx))]
where {
kx = expand(key, rnd);
f(r,k) = permute(PP, SBox(k^permute(EP, r)));
};
© 2010 Galois, Inc. All rights reserved.
 Cryptol on FPGAs

 Why? Lack of trust in commodity hardware

• Evaluators can see as much of the solution as possible
• Do not have to ship designs off-shore
• FPGAs are more flexible than programmable custom crypto processors
 Natural match between Cryptography and FPGAs
• Manipulation of arbitrary length bit sequences
• Highly-parallel stream processing

 And FPGAs are fast…

© 2010 Galois, Inc. All rights reserved.

 Case Study at Rockwell-Collins
High Speed Encryptor Project
AES reference
specification
(Cryptol)
Simulator Experiment with
system integration and
Symbolic Crypto
simulator Developer
control logic.
Reference
Reference C
C
model
model Target
Target
specification
specification Cryptol
Make high- compiler
compiler
VHDL
VHDL
level target- Equivalence Calibrate time/space trade-offs and
specific check connectivity issues. Verify equivalence
with target specification.
refinements. Equivalence
evidence
Verify Symbolic
Place and
simulator Synthesis
equivalence Target
Target route
with reference model
model Netlist Netlist
Bitfile
model model
specification.
Key
Galois tools

Third party tools

Equivalence
Data files check Equivalence
Evaluation/Certification evidence Equivalence check
evidence Equivalence
Input to tool
evidence
Feedback
© 2010 Galois, to All
Inc. designer
rights reserved.
 Equivalence Checking Cryptol

 Use SAT to check program equivalence in AIG form

• Equivalence Checking of various versions of AES and DES against
both reference models and internal FPGA models take < 5 minutes
(most take < 30 seconds)
• Models typically have ~106 nodes
 However, it has its limitations
• The Hash Function MD5 on 2 bits takes nearly 10 minutes…
• The block cipher RC6, however takes, uh, too long
(32-bit multiply)
• Only works on core ciphers — not modes (finite input/output)
• The equivalence checker typically yields an answer promptly,
or it times out

© 2010 Galois, Inc. All rights reserved.

 Other Cryptol Assurance tools

 “Quickcheck” property-based testing

• User gives a property, Cryptol automatically tests it on random inputs.
 Translators to SAT- and SMT-based property checkers
• User can give more general properties to these tools
• SAT: Checks for satisfiability of large Boolean formulas
• SMT extends SAT with higher-level constraint solvers (linear arithmetic,
arrays, functions, etc.)
 Safety checking
• Automatically checks that a Cryptol function will never raise an exception
• Some possible exceptions: Divide-by-zero, Out-of-bounds array access,
assertion failures
 Semi-automatic theorem proving
• Translator from Cryptol to Isabelle theorem prover
• User can specify arbitrary Cryptol properties, but proof may need human
guidance

© 2010 Galois, Inc. All rights reserved.

 2. The HaLVM

 Xen hypervisor for clean separation between OS

components
 Haskell runtime as OS on top, for fast, small system
prototypes

© 2010 Galois, Inc. All rights reserved.

 HaLVM goals

 Rapid exploration of decomposed, high assurance OS

design space
 A sandbox for experimentation with OS components
 The HaLVM:
• Libraries + runtime on top of the Xen hypervisor
• Boot your (Haskell) OS in < 1s
 Write OS components quickly in Haskell, glue them
together safely, via Xen

© 2010 Galois, Inc. All rights reserved.

 An example: web server separation

© 2010 Galois, Inc. All rights reserved.

 High level architecture

© 2010 Galois, Inc. All rights reserved.

 HaLVM summary

 What we have:
• A rapid prototyping system for OS designs
• Build minimalist, strongly separated systems, in Haskell, without a
host OS
• Write drivers in Haskell
• Many gory details in practice...
 Particularly useful for rolling systems with interesting
network stacks quickly
 Uses the rich GHC runtime and language to solve the
client need for fast, small prototypes and rapid exploration
 While giving more assurance than C

© 2010 Galois, Inc. All rights reserved.

 3. Copilot: a DSL for hard realtime monitors

• Hard Real-Time systems

• Others already do soft real-time
• Synchronized systems
• Common in avionics
• Periodic Schedules
• Time-trigged systems
• Monitoring by sampling

© 2010 Galois, Inc. All rights reserved.

 Copilot design

●
Copilot is a Haskell eDSL targeted at monitoring hard
real-time systems.
●
Synchronous language defined by a set of stream
equations (simple data-flow model).
●
Uses the Atom Haskell eDSL as an intermediate
language to generate hard real-time C.
●
eDSLs building on eDSLs!
●
Atom is co-maintained by Galois and Eaton.
●
Generates it's own schedule---no RTOS needed.

© 2010 Galois, Inc. All rights reserved.

 Example Copilot Specification
If the temperature rises more than 2.3 degrees within 2
seconds, then engine is shut off.

engine:: Streams
engine = do
temps .= [0,0,0] ++ extF temp 1
overTempRise .= drop 2 (var temps)
> const 2.3 + var temps
trigger .= (var overTempRise)
implies (extB shutoff 2)

© 2010 Galois, Inc. All rights reserved.

 Testbed

●
Representative of fault-tolerant systems
• 4 X STM microcontrollers
• ARM Cortex M3 cores clocked at 72 Mhz
• MPXV5004DP differential pressure sensor
• Senses dynamic and static pressure
• Pitot tubes measure airspeed
• Designed to fit in UAS (unpiloted air system)
• Power, weight,...

© 2010 Galois, Inc. All rights reserved.

© 2010 Galois, Inc. All rights reserved.
© 2010 Galois, Inc. All rights reserved.
© 2010 Galois, Inc. All rights reserved.
 Copilot

 Copilot is open source! eDSL on Hackage:

• cabal install copilot
 Used EDSL approach now (Cryptol's size types required
DSL approach back in the day)
 Haskell dev environment generates verifiable C code
 That C code then runs on the embedded device
 Again, uses ideas for strong types, declarative
specifications, rapid prototyping, and formal verification

© 2010 Galois, Inc. All rights reserved.

 Keep an eye out for other things from Galois
 Nettle, a policy language for network routing
• cabal install nettle-openflow
 Haskell Verifier project
• Integrate Haskell and Isabelle once and for all
 Grid 2.0 - IdM on the Open Science Grid, for LHC users
 TSE: storage device for multiple security levels of data
 New Cryptol backends: Java, LLVM
 Tearline Wiki: wiki for classified data with strong
separation
 ASA: information flow analysis tool for C code, integrated
into commercial toolchain
 And actually, a lot more...
© 2010 Galois, Inc. All rights reserved.
 Summary
 You can build a thriving engineering business using
functional programming skills and ideas – as long as you
are client-focused
 Seek problem domain problems that can be made safer,
faster, easier … quickly demonstrate value to the client
 Our tools are ready: GHC, Cabal, Hackage, Isabelle: a
rich ecosystem for getting things done quickly – and can be
integrated into existing systems and toolchains
 But Haskell is not the message: what value to the client
do you provide – faster, sooner, safer, cheaper?
 Give back to the community if you can: code, servers,
infrastructure, hackathons … we all benefit from any
individual success
© 2010 Galois, Inc. All rights reserved.
 Questions?

Questions?

© 2010 Galois, Inc. All rights reserved.