Results 1  10
of
12
Enforcing Stateful Authorization and Information Flow Policies in FINE
"... Abstract. Proving software free of security bugs is hard. Languages that ensure that programs correctly enforce their security policies would help, but, to date, no securitytyped language has the ability to verify the enforcement of the kinds of policies used in practice—dynamic, stateful policies ..."
Abstract

Cited by 30 (9 self)
 Add to MetaCart
Abstract. Proving software free of security bugs is hard. Languages that ensure that programs correctly enforce their security policies would help, but, to date, no securitytyped language has the ability to verify the enforcement of the kinds of policies used in practice—dynamic, stateful policies which address a range of concerns including forms of access control and information flow tracking. This paper presents FINE, a new sourcelevel securitytyped language that, through the use of a simple module system and dependent, refinement, and affine types, checks the enforcement of dynamic security policies applied to real software. FINE is proven sound. A prototype implementation of the compiler and several example programs are available from
Typepreserving Compilation for Endtoend Verification of Security Enforcement
"... A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessar ..."
Abstract

Cited by 15 (7 self)
 Add to MetaCart
A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessary, e.g., proofcarrying authorization. Others languages do include explicit proofs, but these are generally lambda calculi not intended for source programming, that must be further compiled to an executable form. A language suitable for source programming backed by a compiler that enables endtoend verification is missing. In this paper, we present a typepreserving compiler that translates programs written in FINE, a sourcelevel functional language with dependent refinements and affine types, to DCIL, a new extension of the.NET Common Intermediate Language. FINE is type checked using an external SMT solver to reduce the proof burden on source programmers. We extract explicit LCFstyle proof terms from the solver and carry these proof terms in the compilation to DCIL, thereby removing the solver from the trusted computing base. Explicit proofs enable DCIL to be used in a number of important scenarios, including the verification of mobile code, proofcarrying authorization, and evidencebased auditing. We report on our experience using FINE to build reference monitors for several applications, ranging from a pluginbased email client to a conference management server.
Selfcertification: Bootstrapping certified typecheckers in F* with Coq
 In POPL
, 2012
"... Wellestablished dependentlytyped languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependentlytyped languages such as Aura, ATS, Cayenne, Epigram, F ⋆ , F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All the ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Wellestablished dependentlytyped languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependentlytyped languages such as Aura, ATS, Cayenne, Epigram, F ⋆ , F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All these languages shine in their own regard, but their implementations do not themselves enjoy the degree of safety provided by machinechecked verification. We propose a general technique called selfcertification that allows a typechecker for a suitably expressive language to be certified for correctness. We have implemented this technique for F ⋆ , a dependently typed language on the.NET platform. Selfcertification involves implementing a typechecker for F ⋆ in F ⋆ , while using all the conveniences F ⋆ provides for the compilerwriter (e.g., partiality, effects, implicit conversions, proof automation, libraries). This typechecker is given a specification (in F ⋆ ) strong enough to ensure that it computes valid typing derivations. We obtain a typing derivation for the core typechecker by running it on itself, and we export it to Coq as a typederivation certificate. By typechecking this derivation (in Coq) and applying the F ⋆ metatheory (also mechanized in Coq), we conclude that our type checker is correct. Once certified in this manner, the F ⋆ typechecker is emancipated from Coq. Selfcertification leads to an efficient certification scheme—we no longer depend on verifying certificates in Coq—as well as a more broadly applicable one. For instance, the selfcertified F ⋆ checker is suitable for use in adversarial settings where Coq is not intended for use, such as runtime certification of mobile code.
Dependent types and program equivalence
 In Proceedings of the 37th ACM SIGACTSIGPLAN Symposium on Principles of Programming Languages (POPL). ACM
, 2009
"... The definition of type equivalence is one of the most important design issues for any typed language. In dependentlytyped languages, because terms appear in types, this definition must rely on a definition of term equivalence. In that case, decidability of type checking requires decidability for the ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
The definition of type equivalence is one of the most important design issues for any typed language. In dependentlytyped languages, because terms appear in types, this definition must rely on a definition of term equivalence. In that case, decidability of type checking requires decidability for the term equivalence relation. Almost all dependentlytyped languages require this relation to be decidable. Some, such as Coq, Epigram or Agda, do so by employing analyses to force all programs to terminate. Conversely, others, such as DML, ATS, Ωmega, or Haskell, allow nonterminating computation, but do not allow those terms to appear in types. Instead, they identify a terminating index language and use singleton types to connect indices to computation. In both cases, decidable type checking comes at a cost, in terms of complexity and expressiveness. Conversely, the benefits to be gained by decidable type checking are modest. Termination analyses allow dependently typed programs to verify total correctness properties. However, decidable type checking is not a prerequisite for type safety. Furthermore, decidability does not imply tractability. A decidable approximation of program equivalence may not be useful in practice. Therefore, we take a different approach: instead of a fixed notion for term equivalence, we parameterize our type system with an abstract relation that is not necessarily decidable. We then design a novel set of typing rules that require only weak properties of this abstract relation in the proof of the preservation and progress lemmas. This design provides flexibility: we compare valid instantiations of term equivalence which range from betaequivalence, to contextual equivalence, to some exotic equivalences.
Dependent Interoperability
"... In this paper we study the problem of interoperability—combining constructs from two separate programming languages within one program—in the case where one of the two languages is dependently typed and the other is simply typed. We present a core calculus called SD, which combines dependently and ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
In this paper we study the problem of interoperability—combining constructs from two separate programming languages within one program—in the case where one of the two languages is dependently typed and the other is simply typed. We present a core calculus called SD, which combines dependently and simplytyped sublanguages and supports userdefined (dependent) datatypes, among other standard features. SD has “boundary terms ” that mediate the interaction between the two sublanguages. The operational semantics of SD demonstrates how the necessary dynamic checks, which must be done when passing a value from the simplytyped world to the dependently typed world, can be extracted from the dependent type constructors themselves, modulo userdefined functions for marshaling values across the boundary. We establish typesafety and other metatheoretic properties of SD, and contrast this approach to others in the literature. Categories and Subject Descriptors D.3.1 [Programming Languages]:
Termination Casts: A Flexible Approach to Termination with General Recursion
"... This paper proposes a typeandeffect system called T eq ↓ , which distinguishes terminating terms and total functions from possibly diverging terms and partial functions, for a lambda calculus with general recursion and equality types. The central idea is to include a primitive typeform “Terminate ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
This paper proposes a typeandeffect system called T eq ↓ , which distinguishes terminating terms and total functions from possibly diverging terms and partial functions, for a lambda calculus with general recursion and equality types. The central idea is to include a primitive typeform “Terminates t”, expressing that term t is terminating; and then allow terms t to be coerced from possibly diverging to total, using a proof of Terminates t. We call such coercions termination casts, and show how to implement terminating recursion using them. For the metatheory of the system, we describe a translation from T eq ↓ to a logical theory of termination for general recursive, simply typed functions. Every typing judgment of T eq ↓ is translated to a theorem expressing the appropriate termination property of the computational part of the T eq ↓ term. 1
Author manuscript, published in "39th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages POPL'12 (2012)" SelfCertification Bootstrapping Certified Typecheckers in F ⋆ with Coq
, 2011
"... Wellestablished dependentlytyped languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependentlytyped languages such as Aura, ATS, Cayenne, Epigram, F ⋆ , F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All the ..."
Abstract
 Add to MetaCart
Wellestablished dependentlytyped languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependentlytyped languages such as Aura, ATS, Cayenne, Epigram, F ⋆ , F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All these languages shine in their own regard, but their implementations do not themselves enjoy the degree of safety provided by machinechecked verification. We propose a general technique called selfcertification that allows a typechecker for a suitably expressive language to be certified for correctness. We have implemented this technique for F ⋆ , a dependently typed language on the.NET platform. Selfcertification involves implementing a typechecker for F ⋆ in F ⋆ , while using all the conveniences F ⋆ provides for the compilerwriter (e.g., partiality, effects, implicit conversions, proof automation, libraries). This
Draft for submission to ICFP 2013 Towards dependently typed Haskell: System FC with kind equality
"... System FC, the core language of the Glasgow Haskell Compiler, is an explicitlytyped variant of System F with firstclass type equality proofs called coercions. This extensible proof system forms the foundation for type system extensions such as type families (typelevel functions) and Generalized Al ..."
Abstract
 Add to MetaCart
System FC, the core language of the Glasgow Haskell Compiler, is an explicitlytyped variant of System F with firstclass type equality proofs called coercions. This extensible proof system forms the foundation for type system extensions such as type families (typelevel functions) and Generalized Algebraic Datatypes (GADTs). Such features, in conjunction with kind polymorphism and datatype promotion, support expressive compiletime reasoning. However, the core language lacks explicit kind equality proofs. As a result, typelevel computation does not have access to kindlevel functions or promoted GADTs, the typelevel analogues to expressionlevel features that have been so useful. In this paper, we eliminate such discrepancies by introducing kind equalities to System FC. Our approach is based on dependent type systems with heterogeneous equality and the “TypeinType ” axiom, yet it preserves the metatheoretic properties of FC. In particular, type checking is simple, decidable and syntax directed. We prove the preservation and progress theorems for the extended language. 1.
Automating Theorem Proving with SMT
, 2013
"... Abstract. The power and automation offered by modern satisfiabilitymodulotheories (SMT) solvers is changing the landscape for mechanized formal theorem proving. For instance, the SMTbased program verifier Dafny supports a number of proof features traditionally found only in interactive proof assis ..."
Abstract
 Add to MetaCart
Abstract. The power and automation offered by modern satisfiabilitymodulotheories (SMT) solvers is changing the landscape for mechanized formal theorem proving. For instance, the SMTbased program verifier Dafny supports a number of proof features traditionally found only in interactive proof assistants, like inductive, coinductive, and declarative proofs. To show that proof tools rooted in SMT are growing up, this paper presents, using Dafny, a series of examples that illustrate how theorems are expressed and proved. Since the SMT solver takes care of many formal trivialities automatically, users can focus more of their time on the creative ingredients of proofs. 0
reports/930 Termination Casts: A Flexible Approach to Termination with General Recursion (Technical Appendix)
"... This paper proposes a typeandeffect system called Teq ↓ , which distinguishes terminating terms and total functions from possibly diverging terms and partial functions, for a lambda calculus with general recursion and equality types. The central idea is to include a primitive typeform “Terminates ..."
Abstract
 Add to MetaCart
This paper proposes a typeandeffect system called Teq ↓ , which distinguishes terminating terms and total functions from possibly diverging terms and partial functions, for a lambda calculus with general recursion and equality types. The central idea is to include a primitive typeform “Terminates t”, expressing that term t is terminating; and then allow terms t to be coerced from possibly diverging to total, using a proof of Terminates t. We call such coercions termination casts, and show how to implement terminating recursion using them. For the metatheory of the system, we describe a translation from Teq ↓ to a logical theory of termination for general recursive, simply typed functions. Every typing judgment of Teq ↓ is translated to a theorem expressing the appropriate termination property of the computational part of the Teq ↓ term. 1