Results 1 - 9 of 9
CakeML: A verified implementation of ML. In Principles of Programming Languages (POPL), 2014
Cited by 14 (5 self)
Abstract
We have developed and mechanically verified an ML system called CakeML, which supports a substantial subset of Standard ML. CakeML is implemented as an interactive read-eval-print loop (REPL) in x86-64 machine code. Our correctness theorem ensures that this REPL implementation prints only those results permitted by the semantics of CakeML. Our verification effort touches on a breadth of topics including lexing, parsing, type checking, incremental and dynamic compilation, garbage collection, arbitrary-precision arithmetic, and compiler bootstrapping. Our contributions are twofold. The first is simply in building a system that is end-to-end verified, demonstrating that each piece of such a verification effort can in practice be composed with the others, and ensuring that none of the pieces rely on any oversimplifying assumptions. The second is developing novel approaches to some of the more challenging aspects of the verification. In particular, our formally verified compiler can bootstrap itself: we apply the verified compiler to itself to produce a verified machine-code implementation of the compiler. Additionally, our compiler proof handles diverging input programs with a lightweight approach based on logical timeout exceptions. The entire development was carried out in the HOL4 theorem prover.
Validating LR(1) Parsers
Cited by 8 (1 self)
Abstract
An LR(1) parser is a finite-state automaton, equipped with a stack, which uses a combination of its current state and one lookahead symbol in order to determine which action to perform next. We present a validator which, when applied to a context-free grammar G and an automaton A, checks that A and G agree. Validating the parser provides the correctness guarantees required by verified compilers and other high-assurance software that involves parsing. The validation process is independent of which technique was used to construct A. The validator is implemented and proved correct using the Coq proof assistant. As an application, we build a formally verified parser for the C99 language.
S.: Proof-producing synthesis of ML from higher-order logic. International Conference on Functional Programming (ICFP). ACM (2012)
Cited by 4 (3 self)
Abstract
The higher-order logic found in proof assistants such as Coq and various HOL systems provides a convenient setting for the development and verification of pure functional programs. However, to efficiently run these programs, they must be converted (or “extracted”) to functional programs in a programming language such as ML or Haskell. With current techniques, this step, which must be trusted, relates similar-looking objects that have very different semantic definitions, such as the set-theoretic model of a logic and the operational semantics of a programming language. In this paper, we show how to increase the trustworthiness of this step with an automated technique. Given a functional program expressed in higher-order logic, our technique provides the corresponding program for a functional language defined with an operational semantics, and it provides a mechanically checked theorem relating the two. This theorem can then be used to transfer verified properties of the logical function to the program. We have implemented our technique in the HOL4 theorem prover, translating functions to a core subset of Standard ML, and have applied it to examples including functional data structures, a parser generator, cryptographic algorithms, and a garbage collector.
RockSalt: Better, Faster, Stronger SFI for the x86
Cited by 1 (0 self)
Abstract
Software-based fault isolation (SFI), as used in Google’s Native Client (NaCl), relies upon a conceptually simple machine-code analysis to enforce a security policy. But for complicated architectures such as the x86, it is all too easy to get the details of the analysis wrong. We have built a new checker that is smaller, faster, and has a much reduced trusted computing base when compared to Google’s original analysis. The key to our approach is automatically generating the bulk of the analysis from a declarative description which we relate to a formal model of a subset of the x86 instruction set architecture. The x86 model, developed in Coq, is of independent interest and should be usable for a wide range of machine-level verification tasks.
Proof-producing translation of higher-order logic into pure and stateful ML. Journal of Functional Programming
Validating LR(1) Parsers, 2013. DOI: 10.1007/978-3-642-28869-2_20