Results 1  10
of
14
Evidencebased Audit
"... Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an accesscontrol decision has been made in accordance with policy. Using such proofs for auditing purposes is implici ..."
Abstract

Cited by 42 (14 self)
 Add to MetaCart
Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an accesscontrol decision has been made in accordance with policy. Using such proofs for auditing purposes is implicit in much of the work on authorization logics and proofcarrying authorization. This paper explores some ramifications of adopting this “proofs as log entries ” approach to auditing. Two benefits of evidencebased audit are a reduced trusted computing base and the ability to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because operations like proof normalization can yield information about the relevance of policy statements. To explain these observations concretely, we develop a rich authorization logic based on a dependentlytyped variant of DCC and prove the metatheoretic properties of subjectreduction and normalization. We show untrusted but welltyped applications, that access resources through an appropriate interface, must obey the access control policy and create proofs useful for audit. We show the utility of proofbased auditing in a number of examples and discuss several pragmatic issues, such as proof size, that must be addressed in this context. 1
Subset coercions in Coq
 In Selected papers from the International Workshop on Types for Proofs and Programs (TYPES’06
, 2006
"... Abstract. We propose a new language for writing programs with dependent types which can be elaborated into partial Coq terms. This language permits to establish a phase distinction between writing and proving algorithms in the Coq environment. Concretely, this means allowing to write algorithms as e ..."
Abstract

Cited by 39 (2 self)
 Add to MetaCart
Abstract. We propose a new language for writing programs with dependent types which can be elaborated into partial Coq terms. This language permits to establish a phase distinction between writing and proving algorithms in the Coq environment. Concretely, this means allowing to write algorithms as easily as in a practical functional programming language whilst giving them as rich a specification as desired and proving that the code meets the specification using the whole Coq proof apparatus. This is achieved by extending conversion to an equivalence which relates types and subsets based on them, a technique originating from the “Predicate subtyping ” feature of PVS and following mathematical convention. The typing judgements can be translated to the Calculus of (Co)Inductive Constructions (Cic) by means of an interpretation which inserts coercions at the appropriate places. These coercions can contain existential variables representing the propositional parts of the final term, corresponding to proof obligations (or PVS typechecking conditions). A prototype implementation of this process is integrated with the Coq environment. 1
The Calculus of Algebraic Constructions
 In Proc. of the 10th Int. Conf. on Rewriting Techniques and Applications, LNCS 1631
, 1999
"... Abstract. In a previous work, we proved that an important part of the Calculus of Inductive Constructions (CIC), the basis of the Coq proof assistant, can be seen as a Calculus of Algebraic Constructions (CAC), an extension of the Calculus of Constructions with functions and predicates defined by hi ..."
Abstract

Cited by 27 (10 self)
 Add to MetaCart
Abstract. In a previous work, we proved that an important part of the Calculus of Inductive Constructions (CIC), the basis of the Coq proof assistant, can be seen as a Calculus of Algebraic Constructions (CAC), an extension of the Calculus of Constructions with functions and predicates defined by higherorder rewrite rules. In this paper, we prove that almost all CIC can be seen as a CAC, and that it can be further extended with nonstrictly positive types and inductiverecursive types together with nonfree constructors and patternmatching on defined symbols. 1.
On \Piconversion in the lambdacube and the combination with abbreviations
, 1997
"... Typed calculus uses two abstraction symbols ( and \Pi) which are usually treated in different ways: x: :x has as type the abstraction \Pi x: :, yet \Pi x: : has type 2 rather than an abstraction; moreover, ( x:A :B)C is allowed and fireduction evaluates it, but (\Pi x:A :B)C is rarely allowed. Fu ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
Typed calculus uses two abstraction symbols ( and \Pi) which are usually treated in different ways: x: :x has as type the abstraction \Pi x: :, yet \Pi x: : has type 2 rather than an abstraction; moreover, ( x:A :B)C is allowed and fireduction evaluates it, but (\Pi x:A :B)C is rarely allowed. Furthermore, there is a general consensus that and \Pi are different abstraction operators. While we agree with this general consensus, we find it nonetheless important to allow \Pi to act as an abstraction operator. Moreover, experience with AUTOMATH and the recent revivals of \Pireduction as in [KN 95b, PM 97], illustrate the elegance of giving \Piredexes a status similar to redexes. However, \Pireduction in the cube faces serious problems as shown in [KN 95b, PM 97]: it is not safe as regards subject reduction, it does not satisfy type correctness, it loses the property that the type of an expression is wellformed and it fails to make any expression that contains a \Piredex wellfor...
A Simple Model Construction for the Calculus of Constructions
 Types for Proofs and Programs, International Workshop TYPES'95
, 1996
"... . We present a model construction for the Calculus of Constructions (CC) where all dependencies are carried out in a settheoretical setting. The Soundness Theorem is proved and as a consequence of it Strong Normalization for CC is obtained. Some other applications of our model constructions are: sh ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
. We present a model construction for the Calculus of Constructions (CC) where all dependencies are carried out in a settheoretical setting. The Soundness Theorem is proved and as a consequence of it Strong Normalization for CC is obtained. Some other applications of our model constructions are: showing that CC + Classical logic is consistent (by constructing a model for it) and showing that the Axiom of Choice is not derivable in CC (by constructing a model in which the type that represents the Axiom of Choice is empty). 1 Introduction In the literature there are many investigations on the semantics of polymorphic calculus with dependent types (see for example [12, 11, 10, 1, 5, 13]). Most of the existing models present a semantics for systems in which the inhabitants of the impredicative universe (types) are "lifted" to inhabitants of the predicative universe (kinds) (see [16]). Such systems are convenient to be modeled by locally Cartesianclosed categories having small Cartesia...
Coq in Coq
, 1997
"... . We formalize the definition and the metatheory of the Calculus of Constructions (CC) using the proof assistant Coq. In particular, we prove strong normalization and decidability of type inference. From the latter proof, we extract a certified Objective Caml program which performs type inference in ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
. We formalize the definition and the metatheory of the Calculus of Constructions (CC) using the proof assistant Coq. In particular, we prove strong normalization and decidability of type inference. From the latter proof, we extract a certified Objective Caml program which performs type inference in CC and use this code to build a smallscale certified proofchecker. Key words: Type Theory, proofchecker, Calculus of Constructions, metatheory, strong normalization proof, program extraction. 1. Introduction 1.1. Motivations This work can be described as the formal certification in Coq of a proofchecker for the Calculus of Constructions (CC). We view it as a first experimental step towards a certified kernel for the whole Coq system, of which CC is a significative fragment. In decidable type theories, a proofchecker is a program which verifies whether a given judgement (input) is valid or not (output). Valid meaning that there exists a derivation for that judgement following the in...
Towards Normalization by Evaluation for the βηCalculus of Constructions
"... Abstract. We consider the Calculus of Constructions with typed betaeta equality and an algorithm which computes long normal forms. The normalization algorithm evaluates terms into a semantic domain, and reifies the values back to terms in normal form. To show termination, we interpret types as part ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
Abstract. We consider the Calculus of Constructions with typed betaeta equality and an algorithm which computes long normal forms. The normalization algorithm evaluates terms into a semantic domain, and reifies the values back to terms in normal form. To show termination, we interpret types as partial equivalence relations between values and type constructors as operators on PERs. This models also yields consistency of the betaetaCalculus of Constructions. The model construction can be carried out directly in impredicative type theory, enabling a formalization in Coq. 1
The Calculus of Algebraic and Inductive Constructions
, 1998
"... ions can occur in the rewriting rules (either in the lefthand side or in the righthand side). \Delta In higherorder rewrite rules, recursive calls can be compared through a combination of multiset and lexicographic orderings instead of just a multiset ordering. \Delta An adpated version of the ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
ions can occur in the rewriting rules (either in the lefthand side or in the righthand side). \Delta In higherorder rewrite rules, recursive calls can be compared through a combination of multiset and lexicographic orderings instead of just a multiset ordering. \Delta An adpated version of the new "General schema" of Jouannaud and Okada [JO97b] catches the recursor rules of any strictly positive inductive type. \Delta For the calculus part, we use a much shorter and simpler strong normalization proof inspired from Geuvers [Geu95]. \Delta For the reducibility of higherorder function symbols, we simplify and improve the proof of Jouannaud and Okada [JO97b]. Definition 2.1 (Algebraic types) Given a set S of sorts, the set T S of algebraic types is inductively defined by the following grammar rule: s := s j (s!s) where s ranges over S. ! associates to the right such that s 1 ! (s 2 !s 3 ) can be written as s 1 !s 2 !s 3 . An algebraic type s 1 ! : : : ! s n is firstorder if s i...
Evidencebased audit, technical appendix
, 2008
"... Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an accesscontrol decision has been made in accordance with policy. Using such proofs for auditing reduces the trusted ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an accesscontrol decision has been made in accordance with policy. Using such proofs for auditing reduces the trusted computing base and enables the ability to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because proof normalization can yield information about the relevance of policy statements. Untrusted, but welltyped, applications that access resources through an appropriate interface must obey the access control policy and create proofs useful for audit. This paper presents AURA0, an authorization logic based on a dependentlytyped variant of DCC and proves the metatheoretic properties of subjectreduction and normalization. It shows the utility of proofbased auditing in a number of examples and discusses several pragmatic issues that must be addressed in this context. 1
Metatheoretical properties of ...: A leftlinear variant of ...
, 1997
"... : In this paper we consider explicit substitutions calculi that allow open terms. In particular, we propose a variant of the oe calculus, that we call OE . For this calculus and its simplytyped version, we study its metatheoretical properties. The OE calculus enjoys the same general character ..."
Abstract
 Add to MetaCart
: In this paper we consider explicit substitutions calculi that allow open terms. In particular, we propose a variant of the oe calculus, that we call OE . For this calculus and its simplytyped version, we study its metatheoretical properties. The OE calculus enjoys the same general characteristics as oe , i.e. a simple and finitary firstorder presentation, confluent on terms with metavariables, with a composition operator and with simultaneous substitutions. However, OE does not have the nonleftlinear surjective pairing rule of oe which raises technical problems in some frameworks. (R'esum'e : tsvp) Cesar.Munoz@inria.fr Unit'e de recherche INRIA Rocquencourt Domaine de Voluceau, Rocquencourt, BP 105, 78153 LE CHESNAY Cedex (France) T'el'ephone : (33 1) 39 63 55 11  T'el'ecopie : (33 1) 39 63 53 30 Propri'et'es m'etath'eoriques de OE : Une variante lin'eaire `a gauche de oe R'esum'e : Dans cet article, on s'int'eresse aux calculs avec substitutions explicites q...