Linard Arquint

Gobra is a deductive program verification tool for the Go programming language. The Go programming language provides interesting challenges for code verification such as structural subtyping and channel-based concurrency. Additionally, we extend and use Gobra to verify case studies demonstrating the feasibility of methodologies that we develop to solve research problems.

The Centre of Cyber Trust is looking at new ways to transfer trust from the physical to the digital world. It is an extensive and international research project involving researchers from three different groups at ETH Zurich and another group at the University of Bonn.

Using separation logic for proving security protocol implementations secure

Security protocols are essential building blocks of modern IT systems. Subtle flaws in their design or implementation may compromise the security of entire systems. It is, thus, important to prove the absence of such flaws through formal verification. Much existing work focuses on the verification of protocol models, which is not sufficient to show that their implementations are actually secure. Verification techniques for protocol implementations (e.g., via code generation or model extraction) typically impose severe restrictions on the used programming language and code design, which may lead to sub-optimal implementations.

In this talk, we present a methodology for the modular verification of strong security properties directly on the level of protocol implementations. By leveraging separation logic, we not only support a wide range of implementations and programming languages but, to the best of our knowledge, we are the first to modularly prove injective agreement, i.e., the absence of replay attacks. We evaluate our methodology on Go and C implementations of several security protocols, including the WireGuard VPN protocol for which we prove forward secrecy and injective agreement.

A Generic Methodology for the Modular Verification of Security Protocol Implementations

Security protocols are essential building blocks of modern IT systems. Subtle flaws in their design or implementation may compromise the security of entire systems. It is, thus, important to prove the absence of such flaws through formal verification. Much existing work focuses on the verification of protocol models, which is not sufficient to show that their implementations are actually secure. Verification techniques for protocol implementations (e.g., via code generation or model extraction) typically impose severe restrictions on the used programming language and code design, which may lead to sub-optimal implementations. In this paper, we present a methodology for the modular verification of strong security properties directly on the level of the protocol implementations. Our methodology leverages state-of-the-art verification logics and tools to support a wide range of implementations and programming languages. We demonstrate its effectiveness by verifying memory safety and security of Go implementations of the Needham-Schroeder-Lowe, Diffie-Hellman key exchange, and WireGuard protocols, including forward secrecy and injective agreement for WireGuard. We also show that our methodology is agnostic to a particular language or program verifier with a prototype implementation for C.

Sound Verification of Security Protocols: From Design to Interoperable Implementations

We provide a framework consisting of tools and metatheorems for the end-to-end verification of security protocols, which bridges the gap between automated protocol verification and code-level proofs. We automatically translate a Tamarin protocol model into a set of I/O specifications expressed in separation logic. Each such specification describes a protocol role’s intended I/O behavior against which the role’s implementation is then verified. Our soundness result guarantees that the verified implementation inherits all security (trace) properties proved for the Tamarin model. Our framework thus enables us to leverage the substantial body of prior verification work in Tamarin to verify new and existing implementations. The possibility to use any separation logic code verifier provides flexibility regarding the target language. To validate our approach and show that it scales to real-world protocols, we verify a substantial part of the official Go implementation of the WireGuard VPN key exchange protocol.

Code-Level Protocol Verification

Recent bugs in implementations, such as Heartbleed or in the Matrix chat application, demonstrate that formally verifying security properties for protocol models is an important first step but not enough to also guarantee them for implementations. We present a bottom-up verification approach to prove trace-based security properties directly on the level of existing implementations. The trace, recording relevant actions performed by all protocol participants, is made explicit but is only present at verification-time. Targeting existing implementations poses several additional challenges that we tackle by making the following contributions: (1) Our approach treats the global trace as a concurrent data structure and does not restrict the adversary. In particular, the granularity of methods has no influence on the considered interleavings. (2) We clearly separate the implementation from the trace and all annotations that are needed for verification. The so-called ghost code will be erased by the compiler and thus do not affect the implementation’s runtime behavior. Therefore, our approach does not impose restrictions on how implementations represent the program state. In particular, we support heap-manipulating programs. (3) We employ the same logic that we use to reason about heap manipulations to prove security properties. This not only simplifies the proof of certain security properties but also enables proving additional security properties, such as injective agreement.

Gobra: Modular Specification and Verification of Go Programs

Go is an increasingly-popular systems programming language targeting, especially, concurrent and distributed systems. Go differentiates itself from other imperative languages by offering structural subtyping and lightweight concurrency through goroutines with message-passing communication. This combination of features poses interesting challenges for static verification, most prominently the combination of a mutable heap and advanced concurrency primitives. We present Gobra, a modular, deductive program verifier for Go that proves memory safety, crash safety, data-race freedom, and user-provided specifications. Gobra is based on separation logic and supports a large subset of Go. Its implementation translates an annotated Go program into the Viper intermediate verification language and uses an existing SMT-based verification backend to compute and discharge proof obligations.

I’m developing techniques to prove that a program implements a security protocol and satisfies security properties, which also includes that cryptographic libraries are used correctly. Besides my research, I’m involved in maintaining tools related to Viper, supervising BSc and MSc theses, and teaching [more].

We have studied a security protocol used in the AWS Systems Manager enabling customers to establish secure connections to their AWS resources, such as EC2 instances, for executing commands. Hundreds of thousands such connections are established each day by AWS customers. We have created a detailed protocol model, which includes interactions with the AWS Key Management Service (KMS), and used the Tamarin protocol verifier to prove secrecy and authentication properties. In a second step, we prove that the official AWS SSM Agent implementation refines the protocol model using the Go program verifier Gobra. This proof guarantees that the security properties not only hold for the protocol model but also the implementation.

My role as project leader at infix was mostly focused on the development of iOS and Android applications. I was responsible for the customer base employing Bluetooth Low Energy (Bluetooth Smart). Besides leading project, my responsibilities included consulting for upcoming products of our customers, teaching Android app development to apprentices, and integrating Apple HomeKit into a kitchen appliance.

Actively working as part of the OberonHAP engineering team on an implementation of Apple’s HomeKit Accessory Protocol.

Creation of the HDM mobile App for iOS and Android, which communicates with Hamilton Sensors over Bluetooth Low Energy (Bluetooth Smart).

Development of an iOS app to control lamps via Bluetooth Low Energy (Bluetooth Smart).

In my Master’s thesis, I’ve explored how to visualize the operations of a symbolic execution engine to easen the identification of performance-related issues.

My BSc thesis “Implementation of a Smartphone-based Visible Light Communication System using the Camera as a Receiver” uses the slow-motion capable camera from an off-the-shelf smartphone to receive data packets sent by a Visible Light Communication (VLC) system by exploiting the rolling shutter effect.

A-Level with a major in physics & applied maths.

My A-Level work is titled “Hamilton ARC-online” and is early work in the area of the Internet of Things. In particular, it consists of a client for Windows to upload measurement values from pH, conductivity, and oxygen sensors and a webpage optimized for desktop computers and mobile devices to visualize these values.

Together with João C. Pereira, we won the “Innovative Tool Feature” award at VerifyThis 2023 for the support of first class predicates in our Gobra program verifier. First class predicates enable us to conveniently use any predicate as a lock or channel invariant.

VerifyThis is a series of program verification competitions that takes places annually. Teams can use a program verifier of their choice to attempt the three challenges each year. Each challenge lasts 90 min and is presented in natural language or pseudo code. Within this time limit, participants have to formalize the requirements, implement a solution, and formally verify that the implementation adheres to the specification.

I’ve finished high school with the best overall grade of my school.

Contributing in various positions to represent the interests of scientific staff within the department, foster networking and collaborations, and provide support to our members.

• Vice-President (May 2022 - present)
• Executive Board Member (Nov 2021 - present)
• Studies Committee Delegate (Jan 2021 - Dec 2021)
• Department Conference Delegate (Feb 2020 - present)

Head Teaching Assistant of the Computer Science course for electrical (D-ITET) and mechanical (D-MAVT) engineering students. Students learn C++ and first concepts of computer science. Using the online IDE CodeExpert, students get hands on experience with C++, do not need to install anything on their machines, and can submit their code to receive direct feedback from teaching assistants. Responsibilities of the Head Teaching Assistant include supporting and supervising roughly 35 teaching assistants in giving exercise sessions and marking weekly homework. In addition, weekly homework has to be prepared and distributed via CodeExpert to over 850 students. At the end of the course, several tasks related to organizing, conducting, and grading the computer-based exam have to be managed.

• Spring semester 2022
• Spring semester 2021
• Spring semester 2020

Representing the interests of Bachelor’s and Master’s students within the relevant decision-making bodies of the department.

• Member of the Higher Education Policy Commission (Mar 2016 - Mar 2021)
• Department Conference Delegate (Mar 2016 - Jan 2020)