Add CBMC proof for default_cmm_generate_enc_materials #656
Conversation
adpaco-aws
force-pushed
the
default-materials-proof
branch
5 times, most recently
from
22aa393
to
33b1cd1
Compare
.../cbmc/proofs/default_cmm_generate_enc_materials/default_cmm_generate_enc_materials_harness.c
Outdated
Show resolved
Hide resolved
source/default_cmm.c
Outdated
| AWS_PRECONDITION(cmm != NULL); | ||
| AWS_PRECONDITION(output != NULL); |
There was a problem hiding this comment.
Why don't we check for the validity functions of aws_cryptosdk_cmm and aws_cryptosdk_enc_materials, respectively?
There was a problem hiding this comment.
In this function, output is just a placeholder for encryption materials so we are okay with them not being valid (@alex-chew please correct me if I am wrong). I have added the validator function for it but we can discuss it further.
For aws_cryptosdk_cmm we now have validator function for default_cmm.
Edit: The test suite seems to fail if we add more complex preconditions for output, so I am using the previous version (non-null check).
There was a problem hiding this comment.
You are correct that output is an out parameter for the generated encryption materials, and at the start of the function it is typically not the case that **output is a valid encryption materials struct. A stronger precondition that would make sense might be to assert that output is writable for sizeof(*output) bytes.
| # Local vars | ||
| MAX_NUM_ITEMS ?= 1 | ||
| # In OBJ_txt2nid, this value unwinds strcmp(s, "prime256v1") |
There was a problem hiding this comment.
Added a comment.
| PROOF_SOURCES += $(PROOF_SOURCE)/make_common_data_structures.c | ||
| PROOF_SOURCES += $(PROOF_STUB)/aws_base64_encode.c | ||
|
|
||
| REMOVE_FUNCTION_BODY += aws_base64_encode |
There was a problem hiding this comment.
Why? Could you add a comment?
There was a problem hiding this comment.
Looks like it was not required. Thanks for catching it!
| int on_encrypt( | ||
| struct aws_cryptosdk_keyring *keyring, | ||
| struct aws_allocator *request_alloc, | ||
| struct aws_byte_buf *unencrypted_data_key, | ||
| struct aws_array_list *keyring_trace, | ||
| struct aws_array_list *edks, | ||
| const struct aws_hash_table *enc_ctx, | ||
| enum aws_cryptosdk_alg_id alg) { | ||
| /* Check validity for all inputs to avoid memory-safety violations. */ | ||
| assert(aws_cryptosdk_keyring_is_valid(keyring)); | ||
| assert(aws_allocator_is_valid(request_alloc)); | ||
| assert(aws_byte_buf_is_valid(unencrypted_data_key)); | ||
| assert(aws_cryptosdk_keyring_trace_is_valid(keyring_trace)); | ||
| assert(aws_cryptosdk_edk_list_is_valid(edks)); | ||
| assert(aws_cryptosdk_edk_list_elements_are_valid(edks)); | ||
| assert((enc_ctx == NULL) || aws_hash_table_is_valid(enc_ctx)); | ||
|
|
||
| if (unencrypted_data_key->buffer == NULL) { | ||
| const struct aws_cryptosdk_alg_properties *props = aws_cryptosdk_alg_props(alg); | ||
| if (props != NULL) { | ||
| __CPROVER_assume(aws_byte_buf_is_bounded(unencrypted_data_key, props->data_key_len)); | ||
| ensure_byte_buf_has_allocated_buffer_member(unencrypted_data_key); | ||
| /* | ||
| * This satisfies the post-condition that if this keyring | ||
| * generated data key, it must be the right length. | ||
| * The nondeterminism increases coverage. | ||
| */ | ||
| if (nondet_bool()) unencrypted_data_key->len = props->data_key_len; | ||
| unencrypted_data_key->allocator = request_alloc; | ||
| __CPROVER_assume(aws_byte_buf_is_valid(unencrypted_data_key)); | ||
| } | ||
| } else { | ||
| /* | ||
| * If the buffer is not NULL, the byte buffer must not have been modified; | ||
| * however, this allocation modifies the buffer and increases coverage. | ||
| */ | ||
| if (nondet_bool()) ensure_byte_buf_has_allocated_buffer_member(unencrypted_data_key); | ||
| } | ||
| int ret; | ||
| return ret; | ||
| } |
There was a problem hiding this comment.
Why is this function here? Is it a stub? If so, we need to move it to the stub folder and add proper header documentation, which must say "why" we may need this stub.
There was a problem hiding this comment.
I remember other proofs might do the same, do you think we could just use one on_encrypt implementation across them all?
There was a problem hiding this comment.
You are right, I have put this function into the stubs folder.
|
|
||
| void default_cmm_generate_enc_materials_harness() { | ||
| /* Nondet input required to init cmm */ | ||
| struct aws_cryptosdk_keyring *keyring = malloc(sizeof(*keyring)); |
There was a problem hiding this comment.
The allocator should contain this initial allocation.
| void default_cmm_generate_enc_materials_harness() { | ||
| /* Nondet input required to init cmm */ | ||
| struct aws_cryptosdk_keyring *keyring = malloc(sizeof(*keyring)); | ||
| const struct aws_cryptosdk_keyring_vt vtable = { .vt_size = sizeof(struct aws_cryptosdk_keyring_vt), |
There was a problem hiding this comment.
Why can't we have a non-deterministic number here? Does this assumption maps into an assertion into the code?
There was a problem hiding this comment.
Yes, we have it now.
| __CPROVER_assume(keyring->vtable != NULL); | ||
|
|
||
| /* Nondet input */ | ||
| struct aws_cryptosdk_cmm *cmm = aws_cryptosdk_default_cmm_new(can_fail_allocator(), keyring); |
There was a problem hiding this comment.
Why are you calling aws_cryptosdk_default_cmm_new to initialize cmm? This should only be done by allocators and validity functions. Any extra requirements should be add as an assumption and mapped as an assertion into the codebase.
There was a problem hiding this comment.
I have created a new allocator function for default_cmm (which is an extension of cmm). We are not using this function anymore.
| struct aws_cryptosdk_enc_materials **output = malloc(sizeof(*output)); | ||
| struct aws_cryptosdk_enc_request *request = malloc(sizeof(*request)); | ||
|
|
||
| /* Assumptions */ | ||
| __CPROVER_assume(cmm != NULL); | ||
|
|
||
| __CPROVER_assume(output != NULL); | ||
|
|
||
| __CPROVER_assume(request != NULL); | ||
| request->alloc = can_fail_allocator(); | ||
| __CPROVER_assume(aws_allocator_is_valid(request->alloc)); | ||
| request->enc_ctx = malloc(sizeof(*request->enc_ctx)); | ||
| __CPROVER_assume(request->enc_ctx != NULL); | ||
| ensure_allocated_hash_table(request->enc_ctx, MAX_NUM_ITEMS); | ||
| __CPROVER_assume(aws_cryptosdk_enc_request_is_valid(request)); |
There was a problem hiding this comment.
Where are the allocators functions for aws_cryptosdk_enc_materials and aws_cryptosdk_enc_request?
.../cbmc/proofs/default_cmm_generate_enc_materials/default_cmm_generate_enc_materials_harness.c
Outdated
Show resolved
Hide resolved
.../cbmc/proofs/default_cmm_generate_enc_materials/default_cmm_generate_enc_materials_harness.c
Outdated
Show resolved
Hide resolved
|
/cbmc run checks |
adpaco-aws
force-pushed
the
default-materials-proof
branch
from
33b1cd1
to
2c7bbea
Compare
.../cbmc/proofs/default_cmm_generate_enc_materials/default_cmm_generate_enc_materials_harness.c
Outdated
Show resolved
Hide resolved
.../cbmc/proofs/default_cmm_generate_enc_materials/default_cmm_generate_enc_materials_harness.c
Outdated
Show resolved
Hide resolved
source/default_cmm.c
Outdated
| AWS_PRECONDITION(cmm != NULL); | ||
| AWS_PRECONDITION(output != NULL); |
There was a problem hiding this comment.
In this function, output is just a placeholder for encryption materials so we are okay with them not being valid (@alex-chew please correct me if I am wrong). I have added the validator function for it but we can discuss it further.
For aws_cryptosdk_cmm we now have validator function for default_cmm.
Edit: The test suite seems to fail if we add more complex preconditions for output, so I am using the previous version (non-null check).
| # Local vars | ||
| MAX_NUM_ITEMS ?= 1 | ||
| # In OBJ_txt2nid, this value unwinds strcmp(s, "prime256v1") |
There was a problem hiding this comment.
Added a comment.
.../cbmc/proofs/default_cmm_generate_enc_materials/default_cmm_generate_enc_materials_harness.c
Outdated
Show resolved
Hide resolved
| PROOF_SOURCES += $(PROOF_SOURCE)/make_common_data_structures.c | ||
| PROOF_SOURCES += $(PROOF_STUB)/aws_base64_encode.c | ||
|
|
||
| REMOVE_FUNCTION_BODY += aws_base64_encode |
There was a problem hiding this comment.
Looks like it was not required. Thanks for catching it!
| int on_encrypt( | ||
| struct aws_cryptosdk_keyring *keyring, | ||
| struct aws_allocator *request_alloc, | ||
| struct aws_byte_buf *unencrypted_data_key, | ||
| struct aws_array_list *keyring_trace, | ||
| struct aws_array_list *edks, | ||
| const struct aws_hash_table *enc_ctx, | ||
| enum aws_cryptosdk_alg_id alg) { | ||
| /* Check validity for all inputs to avoid memory-safety violations. */ | ||
| assert(aws_cryptosdk_keyring_is_valid(keyring)); | ||
| assert(aws_allocator_is_valid(request_alloc)); | ||
| assert(aws_byte_buf_is_valid(unencrypted_data_key)); | ||
| assert(aws_cryptosdk_keyring_trace_is_valid(keyring_trace)); | ||
| assert(aws_cryptosdk_edk_list_is_valid(edks)); | ||
| assert(aws_cryptosdk_edk_list_elements_are_valid(edks)); | ||
| assert((enc_ctx == NULL) || aws_hash_table_is_valid(enc_ctx)); | ||
|
|
||
| if (unencrypted_data_key->buffer == NULL) { | ||
| const struct aws_cryptosdk_alg_properties *props = aws_cryptosdk_alg_props(alg); | ||
| if (props != NULL) { | ||
| __CPROVER_assume(aws_byte_buf_is_bounded(unencrypted_data_key, props->data_key_len)); | ||
| ensure_byte_buf_has_allocated_buffer_member(unencrypted_data_key); | ||
| /* | ||
| * This satisfies the post-condition that if this keyring | ||
| * generated data key, it must be the right length. | ||
| * The nondeterminism increases coverage. | ||
| */ | ||
| if (nondet_bool()) unencrypted_data_key->len = props->data_key_len; | ||
| unencrypted_data_key->allocator = request_alloc; | ||
| __CPROVER_assume(aws_byte_buf_is_valid(unencrypted_data_key)); | ||
| } | ||
| } else { | ||
| /* | ||
| * If the buffer is not NULL, the byte buffer must not have been modified; | ||
| * however, this allocation modifies the buffer and increases coverage. | ||
| */ | ||
| if (nondet_bool()) ensure_byte_buf_has_allocated_buffer_member(unencrypted_data_key); | ||
| } | ||
| int ret; | ||
| return ret; | ||
| } |
There was a problem hiding this comment.
You are right, I have put this function into the stubs folder.
| void default_cmm_generate_enc_materials_harness() { | ||
| /* Nondet input required to init cmm */ | ||
| struct aws_cryptosdk_keyring *keyring = malloc(sizeof(*keyring)); | ||
| const struct aws_cryptosdk_keyring_vt vtable = { .vt_size = sizeof(struct aws_cryptosdk_keyring_vt), |
There was a problem hiding this comment.
Yes, we have it now.
| __CPROVER_assume(keyring->vtable != NULL); | ||
|
|
||
| /* Nondet input */ | ||
| struct aws_cryptosdk_cmm *cmm = aws_cryptosdk_default_cmm_new(can_fail_allocator(), keyring); |
There was a problem hiding this comment.
I have created a new allocator function for default_cmm (which is an extension of cmm). We are not using this function anymore.
| struct aws_cryptosdk_enc_materials **output = malloc(sizeof(*output)); | ||
| struct aws_cryptosdk_enc_request *request = malloc(sizeof(*request)); | ||
|
|
||
| /* Assumptions */ | ||
| __CPROVER_assume(cmm != NULL); | ||
|
|
||
| __CPROVER_assume(output != NULL); | ||
|
|
||
| __CPROVER_assume(request != NULL); | ||
| request->alloc = can_fail_allocator(); | ||
| __CPROVER_assume(aws_allocator_is_valid(request->alloc)); | ||
| request->enc_ctx = malloc(sizeof(*request->enc_ctx)); | ||
| __CPROVER_assume(request->enc_ctx != NULL); | ||
| ensure_allocated_hash_table(request->enc_ctx, MAX_NUM_ITEMS); | ||
| __CPROVER_assume(aws_cryptosdk_enc_request_is_valid(request)); |
adpaco-aws
force-pushed
the
default-materials-proof
branch
from
2c7bbea
to
493ee2a
Compare
|
@alex-chew I have tried the first one in here
and (in case you meant Also, I am not sure how to check that |
adpaco-aws
force-pushed
the
default-materials-proof
branch
3 times, most recently
from
f34515e
to
656eadd
Compare
Oops, that's my bad. If the call fails, it should be the case that
You can save its value prior to calling the function under verification and check that its value is unchanged by the call. e.g. https://github.com/aws/aws-encryption-sdk-c/blob/master/verification/cbmc/proofs/aws_cryptosdk_priv_hdr_parse_alg_id/aws_cryptosdk_priv_hdr_parse_alg_id_harness.c |
adpaco-aws
force-pushed
the
default-materials-proof
branch
from
0f2499b
to
face741
Compare
|
@alex-chew Ok, I have removed the assert in case of failure. I have also added code to check that |
source/default_cmm.c
Outdated
| @@ -180,3 +185,10 @@ int aws_cryptosdk_default_cmm_set_alg_id(struct aws_cryptosdk_cmm *cmm, enum aws | |||
| self->default_alg = alg_id; | |||
| return AWS_OP_SUCCESS; | |||
| } | |||
|
|
|||
| bool aws_cryptosdk_default_cmm_is_valid(const struct aws_cryptosdk_cmm *cmm) { | |||
| AWS_PRECONDITION(cmm != NULL); | |||
There was a problem hiding this comment.
It should return false in case cmm is NULL, not fail on an assertion.
There was a problem hiding this comment.
Right, I am happy you saw this because I had my doubts about it.
| __CPROVER_assume(cmm != NULL); | ||
| __CPROVER_assume(aws_cryptosdk_default_cmm_is_valid(cmm)); |
There was a problem hiding this comment.
You wouldn't need it if aws_cryptosdk_default_cmm_is_valid returned false in case cmm is NULL.
There was a problem hiding this comment.
Removed non-null assumption, thanks!
| __CPROVER_assume(request != NULL); | ||
| __CPROVER_assume(aws_allocator_is_valid(request->alloc)); | ||
| __CPROVER_assume(request->enc_ctx != NULL); | ||
| __CPROVER_assume(aws_cryptosdk_enc_request_is_valid(request)); |
There was a problem hiding this comment.
This looks odd to me too. Why the first three assumptions are not part of the validity check for aws_cryptosdk_enc_request?
There was a problem hiding this comment.
This is probably from my early days of proof-writing. The assumptions were not needed so I removed them.
| struct aws_cryptosdk_cmm base; | ||
| struct aws_allocator *alloc; | ||
| struct aws_cryptosdk_keyring *kr; | ||
| // Invariant: this is either DEFAULT_ALG_UNSET or is a valid algorithm ID |
There was a problem hiding this comment.
Avoid cpp comments.
/* Invariant: this is either DEFAULT_ALG_UNSET or is a valid algorithm ID. */There was a problem hiding this comment.
I copied this from the source code, so I fixed it in both places.
| /* Assumptions required to init cmm */ | ||
| ensure_cryptosdk_keyring_has_allocated_members(keyring, vtable); | ||
| __CPROVER_assume(aws_cryptosdk_keyring_is_valid(keyring)); | ||
| __CPROVER_assume(keyring->vtable != NULL); |
There was a problem hiding this comment.
Create a GitHub issue to investigate a way to move these assumptions to the validity function and not to the allocator.
There was a problem hiding this comment.
Opened one here: #675
| struct default_cmm *self = NULL; | ||
| if (cmm) { | ||
| self = (struct default_cmm *)cmm; | ||
| self->alloc = can_fail_allocator(); |
There was a problem hiding this comment.
Could it be NULL? We should be as nondet as possible here.
There was a problem hiding this comment.
Yes, I missed that one. It can be NULL now.
| int ret; | ||
| return ret; |
adpaco-aws
force-pushed
the
default-materials-proof
branch
2 times, most recently
from
97bb1bd
to
a8d9dd0
Compare
adpaco-aws
force-pushed
the
default-materials-proof
branch
from
34604fe
to
f9b0169
Compare
Change variable name and add comment for it on Makefile Merge changes from 'master'
Do intial allocation as usual and pass output by reference Remove request_alg assertion in case of failure
Replace precondition by false case in enc_request validator
adpaco-aws
force-pushed
the
default-materials-proof
branch
from
f9b0169
to
ecec9b5
Compare
| bool aws_cryptosdk_default_cmm_is_valid(const struct aws_cryptosdk_cmm *cmm) { | ||
| if (cmm == NULL) return false; | ||
|
|
||
| struct default_cmm *self = (struct default_cmm *)cmm; | ||
| return aws_cryptosdk_cmm_base_is_valid(&self->base) && aws_allocator_is_valid(self->alloc) && | ||
| aws_cryptosdk_keyring_is_valid(self->kr); | ||
| } |
There was a problem hiding this comment.
Why this function wasn't written like...
bool default_cmm_is_valid(const struct default_cmm *cmm) {
return (cmm != NULL) &&
aws_cryptosdk_cmm_base_is_valid(&cmm->base) &&
aws_allocator_is_valid(cmm->alloc) &&
aws_cryptosdk_keyring_is_valid(cmm->kr);
}Shouldn't we validate both structures separately (i.e., on validity function for each data structure)?
There was a problem hiding this comment.
In general, extensions of aws_cryptosdk_cmm are always handled like this in the source code: The type is used as a parameter/return type and the struct is cast before doing any operations on it. This way, we are following API guidelines.
I am not sure what you mean by "validate both structures separately". We have aws_cryptosdk_cmm_base_is_valid for validating aws_cryptosdk_cmm structs and this one to validate default_cmm structs.
| if (cmm) { | ||
| self = (struct default_cmm *)cmm; | ||
| self->alloc = nondet_bool() ? NULL : can_fail_allocator(); | ||
| self->kr = keyring; | ||
| } | ||
| return (struct aws_cryptosdk_cmm *)self; |
| * limitations under the License. | ||
| */ | ||
|
|
||
| #include <stdlib.h> |
There was a problem hiding this comment.
Why do you need that include?
There was a problem hiding this comment.
You are right, this was not required.
* Add proof files for default_cmm_generate_enc_materials * Move on_encrypt function to its own file * Add validator and allocator functions Change variable name and add comment for it on Makefile Merge changes from 'master' * Add and edit allocators for materials and cmm * Add missing file to Makefile (algorithm_is_known) * Remove unnecessary assumptions * Edit preconditions and postconditions * Fix style checks * Restore simpler precondition * Check that output remains unchanged (top-level check only) Do intial allocation as usual and pass output by reference Remove request_alg assertion in case of failure * Fix style issues * Use C-style comments and add space * Remove unneeded assumptions and use nondet values Replace precondition by false case in enc_request validator * Remove copyright year on Makefile
* Add proof files for default_cmm_generate_enc_materials * Move on_encrypt function to its own file * Add validator and allocator functions Change variable name and add comment for it on Makefile Merge changes from 'master' * Add and edit allocators for materials and cmm * Add missing file to Makefile (algorithm_is_known) * Remove unnecessary assumptions * Edit preconditions and postconditions * Fix style checks * Restore simpler precondition * Check that output remains unchanged (top-level check only) Do intial allocation as usual and pass output by reference Remove request_alg assertion in case of failure * Fix style issues * Use C-style comments and add space * Remove unneeded assumptions and use nondet values Replace precondition by false case in enc_request validator * Remove copyright year on Makefile
* Add proof files for default_cmm_generate_enc_materials * Move on_encrypt function to its own file * Add validator and allocator functions Change variable name and add comment for it on Makefile Merge changes from 'master' * Add and edit allocators for materials and cmm * Add missing file to Makefile (algorithm_is_known) * Remove unnecessary assumptions * Edit preconditions and postconditions * Fix style checks * Restore simpler precondition * Check that output remains unchanged (top-level check only) Do intial allocation as usual and pass output by reference Remove request_alg assertion in case of failure * Fix style issues * Use C-style comments and add space * Remove unneeded assumptions and use nondet values Replace precondition by false case in enc_request validator * Remove copyright year on Makefile
* Add proof files for default_cmm_generate_enc_materials * Move on_encrypt function to its own file * Add validator and allocator functions Change variable name and add comment for it on Makefile Merge changes from 'master' * Add and edit allocators for materials and cmm * Add missing file to Makefile (algorithm_is_known) * Remove unnecessary assumptions * Edit preconditions and postconditions * Fix style checks * Restore simpler precondition * Check that output remains unchanged (top-level check only) Do intial allocation as usual and pass output by reference Remove request_alg assertion in case of failure * Fix style issues * Use C-style comments and add space * Remove unneeded assumptions and use nondet values Replace precondition by false case in enc_request validator * Remove copyright year on Makefile
* Add proof files for default_cmm_generate_enc_materials * Move on_encrypt function to its own file * Add validator and allocator functions Change variable name and add comment for it on Makefile Merge changes from 'master' * Add and edit allocators for materials and cmm * Add missing file to Makefile (algorithm_is_known) * Remove unnecessary assumptions * Edit preconditions and postconditions * Fix style checks * Restore simpler precondition * Check that output remains unchanged (top-level check only) Do intial allocation as usual and pass output by reference Remove request_alg assertion in case of failure * Fix style issues * Use C-style comments and add space * Remove unneeded assumptions and use nondet values Replace precondition by false case in enc_request validator * Remove copyright year on Makefile
* Add proof files for default_cmm_generate_enc_materials * Move on_encrypt function to its own file * Add validator and allocator functions Change variable name and add comment for it on Makefile Merge changes from 'master' * Add and edit allocators for materials and cmm * Add missing file to Makefile (algorithm_is_known) * Remove unnecessary assumptions * Edit preconditions and postconditions * Fix style checks * Restore simpler precondition * Check that output remains unchanged (top-level check only) Do intial allocation as usual and pass output by reference Remove request_alg assertion in case of failure * Fix style issues * Use C-style comments and add space * Remove unneeded assumptions and use nondet values Replace precondition by false case in enc_request validator * Remove copyright year on Makefile
This PR adds a CBMC proof for default_cmm_generate_enc_materials, a function from default_cmm.c,
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Check any applicable: