Securing the Web with CT-Wasm

Table of Contents

1. Introduction
2. Why Do We Need Secure Cryptography for the Web?
3. Challenges with Writing Crypto Code
4. The Problem with Writing Crypto in JavaScript
5. Existing Solutions and Limitations
6. Introducing CG Wasm: Secure Cryptography for the Web
7. How CG Wasm Works
8. Addressing Explicit and Implicit Leaks
9. Preventing Branching on Secrets
10. Disallowing Vulnerable Instructions
11. Building CG Wasm Into Real Systems
12. Performance and Overhead
13. Empirical Analysis of Timing Behavior
14. Using CT to Wasm Tool
15. Future Goals and Enhancements

Introduction

In this article, we will explore the concept of secure cryptography for the web and introduce CG Wasm, an extension to WebAssembly that provides secure cryptography capabilities. We will discuss the challenges involved in writing crypto code and why the traditional approaches fall short in ensuring security. Furthermore, we will Delve into the details of CG Wasm and how it addresses the issues of explicit and implicit leaks, branching on secrets, and vulnerable instructions. We will also examine the performance and overhead of using CG Wasm in real-world scenarios. Finally, we will provide insights into the future goals and enhancements of CG Wasm.

Why Do We Need Secure Cryptography for the Web?

Securing communications and protecting sensitive data on the web is of paramount importance. However, writing secure cryptography code is notoriously difficult. Regular code correctness is not enough when it comes to cryptography, as subtle timing and side-Channel vulnerabilities can lead to the compromise of private keys and sensitive information.

Challenges with Writing Crypto Code

Writing crypto code poses unique challenges due to the high level of scrutiny it requires. Insecure implementations can lead to devastating consequences, including the theft of private keys and unauthorized access to encrypted information. Additionally, crypto code must be able to resist advanced attacks such as timing attacks and cache side-channel attacks.

The Problem with Writing Crypto in JavaScript

While cryptography libraries in C have been carefully crafted to address vulnerabilities, the situation is different when it comes to writing crypto code in JavaScript. JavaScript becomes a "meat grinder" that optimizes code for performance, prioritizing speed over security. The JavaScript runtime can introduce vulnerabilities and timing leaks, making it unsuitable for writing secure cryptography code.

Existing Solutions and Limitations

Developers have limited options when it comes to writing secure cryptography code for the web. Using platform-provided crypto primitives like Web Crypto on the front end and Node.js crypto on the backend is one approach, but they lack support for modern crypto algorithms and require developers to ship their own code. Moreover, the use of JavaScript crypto libraries can lead to vulnerabilities due to the dynamic nature of the language.

Introducing CG Wasm: Secure Cryptography for the Web

CG Wasm is an extension to WebAssembly that aims to provide secure cryptography for the web ecosystem. It offers a solution that meets the needs of portable cryptography while addressing the limitations of existing approaches. By leveraging the low-level nature of WebAssembly and introducing explicit secrecy, CG Wasm ensures that crypto code remains constant time and resistant to timing and side-channel attacks.

How CG Wasm Works

CG Wasm introduces new types for secret integers in WebAssembly, distinguishing them from public integers. By explicitly marking secret values, CG Wasm prevents explicit and implicit leaks, ensuring that secrets remain secret. Furthermore, CG Wasm disallows branching on secrets and certain instructions that are not constant time, mitigating vulnerabilities that can be exploited through timing information.

Addressing Explicit and Implicit Leaks

CG Wasm enforces strict rules on storing secret values into public variables and prevents the leakage of secrets through memory operations. By introducing separate memories for secret and public data, CG Wasm ensures that secrets are kept confidential and inaccessible to potential attackers. Additionally, CG Wasm disallows indexing into memory using secret values to mitigate cache-Based side-channel attacks.

Preventing Branching on Secrets

Branching on secrets is a known vulnerability in cryptographic code. CG Wasm eliminates this risk by disallowing secrets to impact control flow. By restricting the ability to branch on secrets, CG Wasm ensures that the execution path remains independent of secret values, making it harder for attackers to exploit timing differences and gain information about secrets.

Disallowing Vulnerable Instructions

Certain instructions and operations are not constant time and can leak information through timing variations. CG Wasm disallows these vulnerable instructions, ensuring that all supported operations are constant time and resistant to timing attacks. By disallowing instructions like division and remainder, CG Wasm provides developers with a language that can be used to write secure crypto code.

Building CG Wasm Into Real Systems

To evaluate the effectiveness of CG Wasm, it has been implemented in two systems: the reference interpreter provided by the WebAssembly committee and the V8 runtime used in Node.js and Chrome. These implementations allow for real-world analysis of the performance and security guarantees provided by CG Wasm. Crypto libraries, such as the Salsa20 stream cipher and the TweetNaCl library, have been successfully implemented using CG Wasm.

Performance and Overhead

CG Wasm introduces some overhead in terms of binary size and Type checking time. However, the impact is relatively small and negligible in real-world scenarios. The binary size increase is around 15% due to the use of additional byte prefixes for new opcodes. Type checking requires additional time, but the overall performance remains satisfactory, with sub-millisecond execution times for crypto functions.

Empirical Analysis of Timing Behavior

To ensure that CG Wasm achieves its goal of constant-time execution, extensive empirical analysis has been conducted. Tools like DudeCT, which measures the statistical relationship between inputs and execution time, have been used to validate the constant-time property of CG Wasm implementations. The analysis demonstrates that CG Wasm code remains constant time, providing assurance against timing attacks.

Using CT to Wasm Tool

To facilitate the adoption of CG Wasm, a tool called CT to Wasm has been developed. This tool takes annotated code and generates WebAssembly code that incorporates the secure cryptography features of CG Wasm. It provides a best-effort program transformation to protect against runtime vulnerabilities. With CT to Wasm, developers can use CG Wasm today and benefit from its type checking guarantees.

Future Goals and Enhancements

While CG Wasm has shown promising results, there are still areas for improvement and future enhancements. One of the goals is to achieve verified compilation, ensuring that the entire compilation process can be formally verified. Additionally, exploring the integration of C2K, a secure crypto language, and label inference techniques can further enhance the usability and security of CG Wasm.

CG Wasm: Secure Cryptography for the Web

With the increasing need for secure cryptography on the web, traditional approaches to writing crypto code fall short. JavaScript runtime and existing libraries introduce vulnerabilities and timing leaks, making it challenging to ensure the confidentiality of sensitive information. In response to this problem, CG Wasm, an extension to WebAssembly, has been introduced to provide secure cryptography for the web ecosystem.

CG Wasm addresses the challenges of writing crypto code by introducing explicit secrecy and preventing explicit and implicit leaks. By disallowing branching on secrets and certain vulnerable instructions, CG Wasm ensures that the execution path remains independent of secret values, making it harder for attackers to exploit timing differences. Additionally, by introducing separate memories for secret and public data, CG Wasm mitigates cache-based side-channel attacks.

Implementations of CG Wasm in the reference interpreter and V8 runtime have demonstrated its effectiveness in real-world systems. Crypto libraries, such as the Salsa20 stream cipher and TweetNaCl, have been successfully implemented using CG Wasm. The performance overhead of CG Wasm is minimal, with sub-millisecond execution times for crypto functions.

To facilitate the adoption of CG Wasm, the CT to Wasm tool has been developed. This tool allows developers to generate WebAssembly code that incorporates the secure cryptography features of CG Wasm. By using CT to Wasm, developers can benefit from the type checking guarantees and protection against runtime vulnerabilities.

While CG Wasm has shown promising results, future enhancements include achieving verified compilation and integrating C2K, a secure crypto language, to further enhance the usability and security of CG Wasm. With CG Wasm, developers can write secure crypto code for the web ecosystem, ensuring the confidentiality of sensitive data and protecting against advanced attacks.