Results 1  10
of
107
Secure information flow in a multithreaded imperative language
 IN PROC. ACM SYMP. ON PRINCIPLES OF PROGRAMMING LANGUAGES
, 1998
"... Previously, we developed a type system to ensure secure information flow in a sequential, imperative programming language [VSI96]. Program variables are classified as either high or low security; intuitively, we wish to prevent information from flowing from high variables to low variables. Here, we ..."
Abstract

Cited by 203 (8 self)
 Add to MetaCart
Previously, we developed a type system to ensure secure information flow in a sequential, imperative programming language [VSI96]. Program variables are classified as either high or low security; intuitively, we wish to prevent information from flowing from high variables to low variables. Here, we extend the analysis to deal with a multithreaded language. We show that the previous type system is insufficient to ensure a desirable security property called noninterference. Noninterference basically means that the final values of low variables are independent of the initial values of high variables. By modifying the sequential type system, we are able to guarantee noninterference for concurrent programs. Crucial to this result, however, is the use of purely nondeterministic thread scheduling. Since implementing such scheduling is problematic, we also show how a more restrictive type system can guarantee noninterference, given a more deterministic (and easily implementable) scheduling policy, such as roundrobin time slicing. Finally, we consider the consequences of adding a clock to the language.
Approximation in Databases
 In PPCP'93, First International Workshop on Principles and Practice of Constraint Programming
, 1995
"... One source of partial information in databases is the need to combine information from several databases. Even if each database is complete for some "world", the combined databases will not be, and answers to queries against such combined databases can only be approximated. In this paper we describe ..."
Abstract

Cited by 126 (12 self)
 Add to MetaCart
One source of partial information in databases is the need to combine information from several databases. Even if each database is complete for some "world", the combined databases will not be, and answers to queries against such combined databases can only be approximated. In this paper we describe various situations in which a precise answer cannot be obtained for a query asked against multiple databases. Based on an analysis of these situations, we propose a classification of constructs that can be used to model approximations. A major goal is to obtain universality properties for these models of approximations. Universality properties suggest syntax for languages with approximations based on the operations which are naturally associated with them. We prove universality properties for most of the approximation constructs. Then we use them to design languages built around datatypes given by the approximation constructs. A straightforward approach results in langauges that have a numb...
Abstract Models of Memory Management
, 1995
"... Most specifications of garbage collectors concentrate on the lowlevel algorithmic details of how to find and preserve accessible objects. Often, they focus on bitlevel manipulations such as "scanning stack frames," "marking objects," "tagging data," etc. While these details are important in some c ..."
Abstract

Cited by 90 (16 self)
 Add to MetaCart
Most specifications of garbage collectors concentrate on the lowlevel algorithmic details of how to find and preserve accessible objects. Often, they focus on bitlevel manipulations such as "scanning stack frames," "marking objects," "tagging data," etc. While these details are important in some contexts, they often obscure the more fundamental aspects of memory management: what objects are garbage and why? We develop a series of calculi that are just lowlevel enough that we can express allocation and garbage collection, yet are sufficiently abstract that we may formally prove the correctness of various memory management strategies. By making the heap of a program syntactically apparent, we can specify memory actions as rewriting rules that allocate values on the heap and automatically dereference pointers to such objects when needed. This formulation permits the specification of garbage collection as a relation that removes portions of the heap without affecting the outcome of the evaluation. Our highlevel approach allows us to specify in a compact manner a wide variety of memory management techniques, including standard tracebased garbage collection (i.e., the family of copying and mark/sweep collection algorithms), generational collection, and typebased, tagfree collection. Furthermore, since the definition of garbage is based on the semantics of the underlying language instead of the conservative approximation of inaccessibility, we are able to specify and prove the idea that type inference can be used to collect some objects that are accessible but never used.
MultiStage Programming: Its Theory and Applications
, 1999
"... MetaML is a statically typed functional programming language with special support for program generation. In addition to providing the standard features of contemporary programming languages such as Standard ML, MetaML provides three staging annotations. These staging annotations allow the construct ..."
Abstract

Cited by 86 (18 self)
 Add to MetaCart
MetaML is a statically typed functional programming language with special support for program generation. In addition to providing the standard features of contemporary programming languages such as Standard ML, MetaML provides three staging annotations. These staging annotations allow the construction, combination, and execution of objectprograms. Our thesis is that MetaML's three staging annotations provide a useful, theoretically sound basis for building program generators. This dissertation reports on our study of MetaML's staging constructs, their use, their implementation, and their formal semantics. Our results include an extended example of where MetaML allows us to produce efficient programs, an explanation of why implementing these constructs in traditional ways can be challenging, two formulations of MetaML's semantics, a type system for MetaML, and a proposal for extending ...
Eliminating Covert Flows with Minimum Typings
 In Proc. 10th IEEE Computer Security Foundations Workshop
, 1997
"... A type system is given that eliminates two kinds of covert flows in an imperative programming language. The first kind arises from nontermination and the other from partial operations that can raise exceptions. The key idea is to limit the source of nontermination in the language to constructs with ..."
Abstract

Cited by 67 (6 self)
 Add to MetaCart
A type system is given that eliminates two kinds of covert flows in an imperative programming language. The first kind arises from nontermination and the other from partial operations that can raise exceptions. The key idea is to limit the source of nontermination in the language to constructs with minimum typings, and to evaluate partial operations within expressions of try commands which also have minimum typings. A mutual progress theorem is proved that basically states that no two executions of a welltyped program can be distinguished on the basis of nontermination versus abnormal termination due to a partial operation. The proof uses a new style of programming language semantics which we call a natural transition semantics.
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 55 (5 self)
 Add to MetaCart
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
Tagless Staged Interpreters for Typed Languages
 In the International Conference on Functional Programming (ICFP ’02
, 2002
"... Multistage programming languages provide a convenient notation for explicitly staging programs. Staging a definitional interpreter for a domain specific language is one way of deriving an implementation that is both readable and efficient. In an untyped setting, staging an interpreter "removes a co ..."
Abstract

Cited by 53 (11 self)
 Add to MetaCart
Multistage programming languages provide a convenient notation for explicitly staging programs. Staging a definitional interpreter for a domain specific language is one way of deriving an implementation that is both readable and efficient. In an untyped setting, staging an interpreter "removes a complete layer of interpretive overhead", just like partial evaluation. In a typed setting however, HindleyMilner type systems do not allow us to exploit typing information in the language being interpreted. In practice, this can have a slowdown cost factor of three or more times.
The Specification and Execution of Heterogeneous Synchronous Reactive Systems
 University of California, Berkeley
, 1995
"... Electronic systems are becoming more complex. Using subproblemspecific languages simplifies their design, but presents the problem of connecting the parts. I propose a system description scheme for reactive systems (systems that maintain a dialog with their environment) that supports such heterogen ..."
Abstract

Cited by 50 (0 self)
 Add to MetaCart
Electronic systems are becoming more complex. Using subproblemspecific languages simplifies their design, but presents the problem of connecting the parts. I propose a system description scheme for reactive systems (systems that maintain a dialog with their environment) that supports such heterogeneity. I expect to contribute the system description scheme, a mathematical framework for it, a set of efficient algorithms for simulating these systems, and a practical implementation of the scheme. My prototype compiler suggests this scheme can be made practical, and the mathematical framework is nearly complete. I expect this work to make designing complex, heterogeneous reactive systems fast and simple. 1 Introduction Electronic systems are growing more complex. Describing these with a diverse set of languages, each suited to a particular subtask, can greatly simplify designing these systems, but the problem of connecting the subtasks arises. For example, a convenient descriptionof the d...
Domains for Computation in Mathematics, Physics and Exact Real Arithmetic
 Bulletin of Symbolic Logic
, 1997
"... We present a survey of the recent applications of continuous domains for providing simple computational models for classical spaces in mathematics including the real line, countably based locally compact spaces, complete separable metric spaces, separable Banach spaces and spaces of probability dist ..."
Abstract

Cited by 48 (10 self)
 Add to MetaCart
We present a survey of the recent applications of continuous domains for providing simple computational models for classical spaces in mathematics including the real line, countably based locally compact spaces, complete separable metric spaces, separable Banach spaces and spaces of probability distributions. It is shown how these models have a logical and effective presentation and how they are used to give a computational framework in several areas in mathematics and physics. These include fractal geometry, where new results on existence and uniqueness of attractors and invariant distributions have been obtained, measure and integration theory, where a generalization of the Riemann theory of integration has been developed, and real arithmetic, where a feasible setting for exact computer arithmetic has been formulated. We give a number of algorithms for computation in the theory of iterated function systems with applications in statistical physics and in period doubling route to chao...
Static caching for incremental computation
 ACM Trans. Program. Lang. Syst
, 1998
"... A systematic approach is given for deriving incremental programs that exploit caching. The cacheandprune method presented in the article consists of three stages: (I) the original program is extended to cache the results of all its intermediate subcomputations as well as the nal result, (II) the e ..."
Abstract

Cited by 47 (19 self)
 Add to MetaCart
A systematic approach is given for deriving incremental programs that exploit caching. The cacheandprune method presented in the article consists of three stages: (I) the original program is extended to cache the results of all its intermediate subcomputations as well as the nal result, (II) the extended program is incrementalized so that computation on a new input can use all intermediate results on an old input, and (III) unused results cached by the extended program and maintained by the incremental program are pruned away, l e a ving a pruned extended program that caches only useful intermediate results and a pruned incremental program that uses and maintains only the useful results. All three stages utilize static analyses and semanticspreserving transformations. Stages I and III are simple, clean, and fully automatable. The overall method has a kind of optimality with respect to the techniques used in Stage II. The method can be applied straightforwardly to provide a systematic approach to program improvement via caching.