-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EverParse+Pulse: Verified parsing and serialization with separation logic #155
Open
tahina-pro
wants to merge
100
commits into
master
Choose a base branch
from
_taramana_pulse
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…rd field accesses, normalize with postprocess_with, etc.
tahina-pro
force-pushed
the
_taramana_pulse
branch
from
October 25, 2024 23:15
a8adacc
to
eab7990
Compare
tahina-pro
force-pushed
the
_taramana_pulse
branch
from
October 25, 2024 23:18
eab7990
to
2c3edcc
Compare
At this point, |
This reverts commit 3593766.
…ed_filter_elim_trade, pts_to_serialized_lseq_bytes_intro, elim
tahina-pro
force-pushed
the
_taramana_pulse
branch
from
December 22, 2024 11:04
35a2f66
to
f3ae96b
Compare
this has become necessary because of FStarLang/pulse#246, following project-everest/everest#121
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
tl;dr: this PR proposes separation logic-based implementation combinators for LowParse based on Pulse, the new separation logic language embedded in F*. This PR supersedes #54 .
Motivation
Coming up with a domain-specific language for formally verified parsing and serialization at the right level of abstraction with runtime efficiency in mind is much larger a research project than one may think, and we at Project Everest have been working on that for a very long time. Several challenges:
Our USENIX Security 2019 paper, particularly Sections 4.4 and 4.5, presents our first attempt in Low*, as done in miTLS, based on LowParse.Low.* validators and accessors. As described there, EverParse already produces such validators, accessors and serializer primitives for the user to write a Low* program reading and writing valid packets, and we extensively use them in miTLS and EverQuic, but layout details (e.g. offsets to the input/output buffers) are still very much exposed to the user.
This PR: Pulse+EverParse
In this PR, I propose to use Pulse, a separation logic framework for F*, to model resources for byte arrays containing byte representations valid with respect to a given parser specification:
LowParse.Pulse.*
If
a
is a Pulse slice ands
is a LowParse serializer specification, thenLowParse.Pulse.Base.pts_to_serialized s a v
says thata
exactly contains bytes valid with respect to the parserp
associated tos
:p
consumes all bytes ofa
and succeeds. Such a model seems to work with most parsers currently supported by LowParse, which either consume all their input or have the strong prefix property.By using Pulse, the main goal is to hide most, if not all, offset reasoning away from the user.