Abstract
One of the biggest implementation challenges in security-critical network protocols is nested state machines. In practice today, state machines are either implemented manually at a low level, risking bugs easily missed in audits; or are written using higher-level abstractions like threads, depending on runtime systems that may sacrifice performance or compatibility with the ABIs of important platforms (e.g., resource-constrained IoT systems). We present a compiler-based technique allowing the best of both worlds, coding protocols in a natural high-level form, using freer monads to represent nested coroutines, which are then compiled automatically to lower-level code with explicit state. In fact, our compiler is implemented as a tactic in the Coq proof assistant, structuring compilation as search for an equivalence proof for source and target programs. As such, it is straightforwardly (and soundly) extensible with new hints, for instance regarding new data structures that may be used for efficient lookup of coroutines. As a case study, we implemented a core of TLS sufficient for use with popular Web browsers, and our experiments show that the extracted Haskell code achieves reasonable performance.
Supplemental Material
- Gilles Barthe, Benjamin Grégoire, and Santiago Zanella-Béguelin. 2009. Formal Certification of Code-Based Cryptographic Proofs. In 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2009. ACM, 90–101. http://software.imdea.org/~szanella/Zanella.2009.POPL.pdfGoogle Scholar
- Bruce Belson, Jason Holdsworth, Wei Xiang, and Bronson Philippa. 2019. A Survey of Asynchronous Programming Using Coroutines in the Internet of Things and Embedded Systems. ACM Trans. Embed. Comput. Syst. 18, 3, Article 21 (June 2019), 21 pages. issn:1539-9087 https://arxiv.org/pdf/1906.00367.pdf Google Scholar
Digital Library
- Eli Bendersky. 2009. Co-routines as an alternative to state machines. https://eli.thegreenplace.net/2009/08/29/co-routines-as-an-alternative-to-state-machines/ Retrieved 2020-08-20.Google Scholar
- Lennart Beringer, Adam Petcher, Katherine Q. Ye, and Andrew W. Appel. 2015. Verified Correctness and Security of OpenSSL HMAC. In 24th USENIX Security Symposium. 207–221. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-beringer.pdfGoogle Scholar
- B. Beurdouche, K. Bhargavan, A. Delignat-Lavaud, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, and J. K. Zinzindohoue. 2015. A Messy State of the Union: Taming the Composite State Machines of TLS. In 2015 IEEE Symposium on Security and Privacy. 535–552. https://smacktls.com/smack.pdfGoogle Scholar
- B. Blanchet. 2006. A computationally sound mechanized prover for security protocols. In 2006 IEEE Symposium on Security and Privacy (S&P’06). 15 pp.–154. Google Scholar
Digital Library
- Adam Chlipala. 2021. Skipping the Binder Bureaucracy with Mixed Embeddings in a Semantics Course (Functional Pearl). In Proc. ICFP. http://adam.chlipala.net/papers/FrapICFP21/Google Scholar
Digital Library
- Joeri de Ruiter and Erik Poll. 2015. Protocol State Fuzzing of TLS Implementations. In 24th USENIX Security Symposium (USENIX Security 15). USENIX Association, Washington, D.C., 193–206. isbn:978-1-939133-11-3 https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/de-ruiterGoogle Scholar
- Benjamin Delaware, Clément Pit-Claudel, Jason Gross, and Adam Chlipala. 2015. Fiat: Deductive Synthesis of Abstract Data Types in a Proof Assistant. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2015, Mumbai, India, January 15-17, 2015. 689–700. Google Scholar
Digital Library
- Benjamin Delaware, Sorawit Suriyakarn, Clément Pit-Claudel, Qianchuan Ye, and Adam Chlipala. 2019. Narcissus: Correct-By-Construction Derivation of Decoders and Encoders from Binary Formats. In Proc. ICFP (Berlin, Germany). http://adam.chlipala.net/papers/NarcissusICFP19/Google Scholar
Digital Library
- Ralf S. Engelschall. 2000. Portable Multithreading: The Signal Stack Trick for User-Space Thread Creation. In Proceedings of the Annual Conference on USENIX Annual Technical Conference (San Diego, California) (ATC ’00). USENIX Association, USA, 20. https://www.usenix.org/legacy/publications/library/proceedings/usenix2000/general/full_papers/engelschall/engelschall.pdfGoogle Scholar
- Andres Erbsen, Jade Philipoom, Jason Gross, Robert Sloan, and Adam Chlipala. 2019. Simple High-Level Code For Cryptographic Arithmetic – With Proofs, Without Compromises. In IEEE Security & Privacy (San Francisco, CA, USA). http://adam.chlipala.net/papers/FiatCryptoSP19/Google Scholar
- Roshan P James and Amr Sabry. 2011. Yield: Mainstream delimited continuations. In First International Workshop on the Theory and Practice of Delimited Continuations (TPDC 2011). 20 pages. https://legacy.cs.indiana.edu/~sabry/papers/yield.pdfGoogle Scholar
- David Kaloper-Meršinjak, Hannes Mehnert, Anil Madhavapeddy, and Peter Sewell. 2015. Not-Quite-so-Broken TLS: Lessons in Re-Engineering a Security Protocol Specification and Implementation. In Proceedings of the 24th USENIX Conference on Security Symposium (Washington, D.C.) (SEC’15). USENIX Association, USA, 223–238. isbn:9781931971232Google Scholar
- Satoru Kawahara and Yukiyoshi Kameyama. 2020. One-Shot Algebraic Effects as Coroutines. In Trends in Functional Programming, Aleksander Byrski and John Hughes (Eds.). Springer International Publishing, Cham, 159–179. isbn:978-3-030-57761-2 https://link.springer.com/content/pdf/10.1007Google Scholar
- Masashi Kikuchi. 2014. How I discovered CCS Injection Vulnerability. http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.htmlGoogle Scholar
- Oleg Kiselyov and Hiromi Ishii. 2015. Freer Monads, More Extensible Effects. In Proceedings of the 2015 ACM SIGPLAN Symposium on Haskell (Vancouver, BC, Canada) (Haskell ’15). Association for Computing Machinery, New York, NY, USA, 94–105. isbn:9781450338080 Google Scholar
Digital Library
- Nicolas Koh, Yao Li, Yishuai Li, Li-yao Xia, Lennart Beringer, Wolf Honoré, William Mansky, Benjamin C. Pierce, and Steve Zdancewic. 2019. From C to Interaction Trees: Specifying, Verifying, and Testing a Networked Server. In Proceedings of the 8th ACM SIGPLAN International Conference on Certified Programs and Proofs (Cascais, Portugal) (CPP 2019). Association for Computing Machinery, New York, NY, USA, 234–248. isbn:9781450362221 Google Scholar
Digital Library
- Adam Langley. 2014. Early ChangeCipherSpec Attack. https://www.imperialviolet.org/2014/06/05/earlyccs.htmlGoogle Scholar
- Xavier Leroy. 2009. A Formally Verified Compiler Back-end. J. Autom. Reason. 43, 4 (Dec. 2009), 363–446. issn:0168-7433 http://gallium.inria.fr/~xleroy/publi/compcert-backend.pdfGoogle Scholar
Digital Library
- Tyler Mandry. 2019. How Rust optimizes async/await. https://tmandry.gitlab.io/blog/posts/optimizing-await-1/ Retrieved 2020-08-20.Google Scholar
- Ana Lúcia De Moura and Roberto Ierusalimschy. 2009. Revisiting Coroutines. ACM Trans. Program. Lang. Syst. 31, 2, Article 6 (Feb. 2009), 31 pages. issn:0164-0925 http://www.cs.tufts.edu/comp/250RTS/archive/roberto-ierusalimschy/revisiting-coroutines.pdf Google Scholar
Digital Library
- Gor Nishanov. 2018. N4760: Working Draft, C++ Extensions for Coroutines.Google Scholar
- Adam Petcher and Greg Morrisett. 2015. The Foundational Cryptography Framework. In Proceedings of the 4th International Conference on Principles of Security and Trust - Volume 9036. Springer-Verlag New York, Inc., New York, NY, USA, 53–72. isbn:978-3-662-46665-0 http://adam.petcher.net/papers/FCF.pdf Google Scholar
Digital Library
- Simon L. Peyton Jones and Philip Wadler. 1993. Imperative Functional Programming. In Proceedings of the 20th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Charleston, South Carolina, USA) (POPL ’93). Association for Computing Machinery, New York, NY, USA, 71–84. isbn:0897915607 Google Scholar
Digital Library
- Clément Pit-Claudel, Peng Wang, Benjamin Delaware, Jason Gross, and Adam Chlipala. 2020. Extensible Extraction of Efficient Imperative Programs with Foreign Functions, Manually Managed Memory, and Proofs. In IJCAR’20: Proceedings of the 9th International Joint Conference on Automated Reasoning (Paris, France).Google Scholar
Digital Library
- G. Plotkin and M. Pretnar. 2008. A Logic for Algebraic Effects. In 2008 23rd Annual IEEE Symposium on Logic in Computer Science. 118–129. Google Scholar
Digital Library
- Aleksandar Prokopec and Fengyun Liu. 2018. Theory and Practice of Coroutines with Snapshots. In 32nd European Conference on Object-Oriented Programming, ECOOP 2018, July 16-21, 2018, Amsterdam, The Netherlands. 3:1–3:32. https://drops.dagstuhl.de/opus/volltexte/2018/9208/pdf/LIPIcs-ECOOP-2018-3.pdf Google Scholar
Cross Ref
- Jonathan Protzenko, Bryan Parno, Aymeric Fromherz, Chris Hawblitzel, Marina Polubelova, Karthikeyan Bhargavan, Benjamin Beurdouche, Joonwon Choi, Antoine Delignat-Lavaud, Cédric Fournet, Natalia Kulatova, Tahina Ramananandro, Aseem Rastogi, Nikhil Swamy, Christoph M. Wintersteiger, and Santiago Zanella-Béguelin. 2020. EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider. In IEEE Symposium on Security and Privacy. IEEE. https://www.microsoft.com/en-us/research/publication/evercrypt-a-fast-veriGoogle Scholar
- Alex Reinking, Ningning Xie, Leonardo de Moura, and Daan Leijen. 2021. Perceus: Garbage Free Reference Counting with Reuse. In Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation (Virtual, Canada) (PLDI 2021). Association for Computing Machinery, New York, NY, USA, 96–111. isbn:9781450383912 Google Scholar
Digital Library
- John C. Reynolds. 1972. Definitional Interpreters for Higher-Order Programming Languages. In Proceedings of the ACM Annual Conference - Volume 2 (Boston, Massachusetts, USA) (ACM ’72). Association for Computing Machinery, New York, NY, USA, 717–740. isbn:9781450374927 Google Scholar
Digital Library
- Richard Smith, Daveed Vandevoorde, Geoffrey Romer, Gor Nishanov, Nathan Sidwell, Iain Sandoe, and Lewis Baker. 2019. Coroutines: Language and Implementation Impact. http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2019/p1492r0.pdf P1492 R0.Google Scholar
- Sebastian Ullrich and Leonardo de Moura. 2020. Counting Immutable Beans: Reference Counting Optimized for Purely Functional Programming. In International Symposium on Implementation and Applicationof Functional Languages (IFL’19). New York, NY, USA, 12 pages. https://arxiv.org/abs/1908.05647Google Scholar
- Li-yao Xia, Yannick Zakowski, Paul He, Chung-Kil Hur, Gregory Malecha, Benjamin C. Pierce, and Steve Zdancewic. 2020. Interaction trees: representing recursive and impure programs in Coq. Proc. ACM Program. Lang. 4, POPL (2020), 51:1–51:32. Distinguished paper award. Google Scholar
Digital Library
- Tarun Yadav and Koustav Sadhukhan. 2019. Identification of Bugs and Vulnerabilities in TLS Implementation for Windows Operating System Using State Machine Learning. In Security in Computing and Communications, Sabu M. Thampi, Sanjay Madria, Guojun Wang, Danda B. Rawat, and Jose M. Alcaraz Calero (Eds.). Springer Singapore, Singapore, 348–362. isbn:978-981-13-5826-5 https://arxiv.org/pdf/1902.07471.pdfGoogle Scholar
- Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel. 2017. Verified Correctness and Security of MbedTLS HMAC-DRBG. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (Dallas, Texas, USA) (CCS ’17). Association for Computing Machinery, New York, NY, USA, 2007–2020. isbn:9781450349468 Google Scholar
Digital Library
- Hengchu Zhang, Wolf Honoré, Nicolas Koh, Yao Li, Yishuai Li, Li-yao Xia, Lennart Beringer, William Mansky, Benjamin C. Pierce, and Steve Zdancewic. 2021. Verifying an HTTP Key-Value Server with Interaction Trees and VST. In 12th International Conference on Interactive Theorem Proving, ITP 2021, June 29 to July 1, 2021, Rome, Italy (Virtual Conference) (LIPIcs, Vol. 193), Liron Cohen and Cezary Kaliszyk (Eds.). Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 32:1–32:19. Google Scholar
Cross Ref
Index Terms
Certifying derivation of state machines from coroutines
Recommendations
Coroutines in FORTRAN
A method is described for using coroutines within the strict confines of ANSI FORTRAN. A FORTRAN preprocessor that has been implemented to transform FORTRAN programs, written as if coroutines were allowed, to standard ANSI FORTRAN programs is also ...
Revisiting coroutines
This article advocates the revival of coroutines as a convenient general control abstraction. After proposing a new classification of coroutines, we introduce the concept of full asymmetric coroutines and provide a precise definition for it through an ...
A calculus of coroutines
Automata, languages and programming: Logic and semantics (ICALP-B 2004)We describe a simple but expressive calculus of sequential processes, represented as coroutines. We show that this calculus can be used to express a variety of programming language features including procedure calls, labelled jumps, integer references ...






Comments