International Association for Cryptologic Research

CryptoDB

High-assurance Go cryptography in practice

Authors:
Filippo Valsorda
Presentation: Slides
Abstract: In this talk we look at all the different techniques we employ to keep the Go cryptography standard library safe. These libraries ship with the Go language and power millions of applications, including most of the “cloud”. They have a stellar security track record when compared with most other mainstream cryptography libraries. The talk will be focused on practical examples of strategies in current use in our Go codebases, from low level to general principles.
Naturally, we’ll talk about testing. We especially like large, reusable sets of test vectors like those provided by the Wycheproof or CCTV projects. For higher-level code, we’ll talk about the value of building robust test frameworks that make it easy to produce many complex test scenarios. For example, the acmetest package, the age testkit, and BoringSSL’s BoGo. Finally, we’ll look at fuzzing. Fuzzers often struggle with the large unstructured value distributions of cryptography, so we’ll look at how we can weight the dice to make edge cases more likely.
Testing is about finding bugs. We can also try not to write them in the first place. We’ll look at how safe internal interfaces like our unexported elliptic curve packages make it easier to reason about our own code and prevent mistakes. We’ll also look at how we use code generation to produce especially tricky code. We got a lot of value out of the fiat-crypto formally-verified generator, and out of the avo assembly generator.
The real secret behind the Go standard library’s security track record though is how aggressively it limits its complexity. Our Cryptography Principles help us decide what to implement, so that we address 95% of the use cases with 5% of the complexity. Our Assembly Policy focuses extra effort on the parts of the codebase that are more likely to be wrong. Finally, we are constantly deprecating and reducing exposed settings that aren’t necessary anymore, while maintaining a strict Compatibility Promise.
The last trick is maybe the most underrated in cryptography engineering: we believe cryptographic code, being more complex, needs to be *more* readable than average, not less, and invest a lot in readability. We’re not done, and we’ll mention techniques we wish to experiment more with, like interface tests, mutation testing, and reusing other projects’ test suites.
Video: https://youtu.be/lahO3de3k_0?t=1409
BibTeX
@misc{rwc-2023-35465,
  title={High-assurance Go cryptography in practice},
  note={Video at \url{https://youtu.be/lahO3de3k_0?t=1409}},
  howpublished={Talk given at RWC 2023},
  author={Filippo Valsorda},
  year=2023
}