Abstract
Cryptographic hash functions are used inside many applications that critically rely on their resistance against cryptanalysis attacks and the correctness of their implementations. Nevertheless, vulnerabilities in cryptographic hash function implementations can remain unnoticed for more than a decade, as shown by the recent discovery of a buffer overflow in the implementation of SHA-3 in the eXtended Keccak Code Package (XKCP), impacting Python, PHP, and several other software projects. This paper explains how this buffer overflow vulnerability in XKCP was found. More generally, we explore the application of formal methods to the five finalist submission packages to the NIST SHA-3 competition, allowing us to (re-)discover vulnerabilities in the implementations of Keccak and BLAKE, and also discover a previously undisclosed vulnerability in the implementation of Grøstl. We also show how the same approach rediscovers a vulnerability affecting 11 out of the 12 implemented cryptographic hash functions in Apple’s CoreCrypto library. Our approach consists of removing certain lines of code and then using KLEE as a tool to prove functional equivalence. We discuss the advantages and limitations of our approach and hope that our attempt to consolidate some earlier approaches can lead to new insights.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Mouha, N. (2023). Exploring Formal Methods for Cryptographic Hash Function Implementations. In: Simpson, L., Rezazadeh Baee, M.A. (eds) Information Security and Privacy. ACISP 2023. Lecture Notes in Computer Science, vol 13915. Springer, Cham. https://doi.org/10.1007/978-3-031-35486-1_9
DOI: https://doi.org/10.1007/978-3-031-35486-1_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-35485-4
Online ISBN: 978-3-031-35486-1