Not-quite-so-broken TLS in OCaml

This is an idea proposed in 2014 as a good starter project, and has been completed by Hannes Mehnert and David Kaloper-Mersinjak. It was supervised by Anil Madhavapeddy and Peter Sewell.

Transport Layer Security (TLS) implementations have a history of security flaws. The immediate causes of these are often programming errors, e.g. in memory manage- ment, but the root causes are more fundamental: the challenges of interpreting the ambiguous prose specification, the complexities inherent in large APIs and code bases, inherently unsafe programming choices, and the impossibility of directly testing conformance between implementations and the specification.

This internship was to work on nqsb-TLS, our re-engineered approach to security protocol specification and implementation that addresses the above root causes. The same source code serves two roles: it is both a specification of TLS, executable as a test oracle to check conformance of traces from arbitrary implementations, and a usable implementation of TLS; a modular and declarative programming style provides clean separation between its components. Many security flaws are thus excluded by construction.

nqsb-TLS can be used in standalone Unix applications, which we demonstrate with a messaging client, and can also be compiled into Xen unikernels (see Unikernels) with a trusted computing base (TCB) that is 4% of a standalone system running a standard Linux/OpenSSL stack, with all network traffic being handled in a memory-safe language; this supports applications including HTTPS, IMAP, Git, and Websocket clients and servers. Despite the dual-role design, the high-level implementation style, and the functional programming language we still achieved reasonable performance, with the same handshake performance as OpenSSL and 73%–84% for bulk throughput.

Links

• Hannes Mehnert and David Kaloper-Mersinjak worked on this in an internship after discovering the MirageOS project online, and came over in the summer of 2014. The results have been hguely successful within the OCaml community, as the ocaml-tls is still widely used as the defacto TLS stack in many popular OCaml applications.
• The paper was published in USENIX Security; see Not-Quite-So-Broken TLS.
• For other stuff that happened during that internship period, see Reviewing the second year of OCaml Labs in 2014.

# 1st Jan 2014   ideas idea-beginner idea-done mirageos ocaml protocols security tls

Related News

• Not-Quite-So-Broken TLS / Aug 2015
• Reviewing the second year of OCaml Labs in 2014 (via cl.cam.ac.uk) / Apr 2015
• Unikernels / Jan 2010
• Functional Internet Services / Jan 2003