Results 1  10
of
153
Foundational ProofCarrying Code
, 2001
"... Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axio ..."
Abstract

Cited by 254 (9 self)
 Add to MetaCart
Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axioms, using the simplest possible verifier and the smallest possible runtime system. I will describe many of the mathematical and engineering problems to be solved in the construction of a foundational proofcarrying code system.
A syntactic approach to foundational proofcarrying code
 In Seventeenth IEEE Symposium on Logic in Computer Science
, 2002
"... ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verifie ..."
Abstract

Cited by 96 (19 self)
 Add to MetaCart
(Show Context)
ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verified using strictly the foundations of mathematical logic, with no typespecific axioms. FPCC is more flexible and secure because it is not tied to any particular type system and it has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC all required building sophisticated semantic models for types. In this paper, we present a syntactic approach to FPCC that avoids the difficulties of previous work. Under our new scheme, the foundational proof for a typed machine program simply consists of the typing derivation plus the formalized syntactic soundness proof for the underlying type system. We give a translation from a typed assembly language into FPCC and demonstrate the advantages of our new system via an implementation in the Coq proof assistant. 1.
Statedependent representation independence
 In Proceedings of the 36th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages
, 2009
"... Mitchell’s notion of representation independence is a particularly useful application of Reynolds ’ relational parametricity — two different implementations of an abstract data type can be shown contextually equivalent so long as there exists a relation between their type representations that is pre ..."
Abstract

Cited by 88 (24 self)
 Add to MetaCart
(Show Context)
Mitchell’s notion of representation independence is a particularly useful application of Reynolds ’ relational parametricity — two different implementations of an abstract data type can be shown contextually equivalent so long as there exists a relation between their type representations that is preserved by their operations. There have been a number of methods proposed for proving representation independence in various pure extensions of System F (where data abstraction is achieved through existential typing), as well as in Algol or Javalike languages (where data abstraction is achieved through the use of local mutable state). However, none of these approaches addresses the interaction of existential type abstraction and local state. In particular, none allows one to prove representation independence results for generative ADTs — i.e., ADTs that both maintain some local state and define abstract types whose internal
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 62 (5 self)
 Add to MetaCart
(Show Context)
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
The impact of higherorder state and control effects on local relational reasoning
, 2010
"... Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML o ..."
Abstract

Cited by 56 (16 self)
 Add to MetaCart
Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML or Haskell. Much of the recent work in this direction has considered the interesting representation independence principles enabled by the use of local state, but it is also important to understand the principles that powerful features like higherorder state and control effects disable. This latter topic has been broached extensively within the framework of game semantics, resulting in what Abramsky dubbed the “semantic cube”: fully abstract gamesemantic characterizations of various axes in the design space of MLlike languages. But when it comes to reasoning about many actual examples, game semantics does not yet supply a useful technique for proving equivalences. In this paper, we marry the aspirations of the semantic cube to the powerful proof method of stepindexed Kripke logical relations. Building on recent work of Ahmed, Dreyer, and Rossberg, we define the first fully abstract logical relation for an MLlike language with recursive types, abstract types, general references and call/cc. We then show how, under orthogonal restrictions to the expressive power of our language—namely, the restriction to firstorder state and/or the removal of call/cc—we can enhance the proving power of our possibleworlds model in correspondingly orthogonal ways, and we demonstrate this proving power on a range of interesting examples. Central to our story is the use of state transition systems to model the way in which properties of local state evolve over time.
Distance makes the types grow stronger: A calculus for differential privacy
 In ICFP
, 2010
"... We want assurances that sensitive information will not be disclosed when aggregate data derived from a database is published. Differential privacy offers a strong statistical guarantee that the effect of the presence of any individual in a database will be negligible, even when an adversary has auxi ..."
Abstract

Cited by 54 (4 self)
 Add to MetaCart
(Show Context)
We want assurances that sensitive information will not be disclosed when aggregate data derived from a database is published. Differential privacy offers a strong statistical guarantee that the effect of the presence of any individual in a database will be negligible, even when an adversary has auxiliary knowledge. Much of the prior work in this area consists of proving algorithms to be differentially private one at a time; we propose to streamline this process with a functional language whose type system automatically guarantees differential privacy, allowing the programmer to write complex privacysafe query programs in a flexible and compositional way. The key novelty is the way our type system captures function sensitivity, a measure of how much a function can magnify the distance between similar inputs: welltyped programs not only can’t go wrong, they can’t go too far on nearby inputs. Moreover, by introducing a monad for random computations, we can show that the established definition of differential privacy falls out naturally as a special case of this soundness principle. We develop examples including known differentially private algorithms, privacyaware variants of standard functional programming idioms, and compositionality principles for differential privacy.
A bisimulation for type abstraction and recursion
 SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES
, 2005
"... We present a bisimulation method for proving the contextual equivalence of packages in λcalculus with full existential and recursive types. Unlike traditional logical relations (either semantic or syntactic), our development is “elementary, ” using only sets and relations and avoiding advanced mach ..."
Abstract

Cited by 54 (6 self)
 Add to MetaCart
(Show Context)
We present a bisimulation method for proving the contextual equivalence of packages in λcalculus with full existential and recursive types. Unlike traditional logical relations (either semantic or syntactic), our development is “elementary, ” using only sets and relations and avoiding advanced machinery such as domain theory, admissibility, and ⊤⊤closure. Unlike other bisimulations, ours is complete even for existential types. The key idea is to consider sets of relations—instead of just relations—as bisimulations.
Environmental bisimulations for higherorder languages
 In TwentySecond Annual IEEE Symposium on Logic in Computer Science
, 2007
"... Developing a theory of bisimulation in higherorder languages can be hard. Particularly challenging can be: (1) the proof of congruence, as well as enhancements of the bisimulation proof method with “upto context ” techniques, and (2) obtaining definitions and results that scale to languages with d ..."
Abstract

Cited by 50 (14 self)
 Add to MetaCart
Developing a theory of bisimulation in higherorder languages can be hard. Particularly challenging can be: (1) the proof of congruence, as well as enhancements of the bisimulation proof method with “upto context ” techniques, and (2) obtaining definitions and results that scale to languages with different features. To meet these challenges, we present environmental bisimulations, a form of bisimulation for higherorder languages, and its basic theory. We consider four representative calculi: pure λcalculi (callbyname and callbyvalue), callbyvalue λcalculus with higherorder store, and then HigherOrder πcalculus. In each case: we present the basic properties of environmental bisimilarity, including congruence; we show that it coincides with contextual equivalence; we develop some upto techniques, including upto context, as examples of possible enhancements of the associated bisimulation method. Unlike previous approaches (such as applicative bisimulations, logical relations, SumiiPierceKoutavasWand), our method does not require induction/indices on evaluation derivation/steps (which may complicate the proofs of congruence, transitivity, and the combination with upto techniques), or sophisticated methods such as Howe’s for proving congruence. It also scales from the pure λcalculi to the richer calculi with simple congruence proofs. 1
A Provably Sound TAL for Backend Optimization
, 2003
"... Typed assembly languages provide a way to generate machinecheckable safety proofs for machinelanguage programs. But the soundness proofs of most existing typed assembly languages are handwritten and cannot be machinechecked, which is worrisome for such large calculi. We have designed and impleme ..."
Abstract

Cited by 44 (10 self)
 Add to MetaCart
(Show Context)
Typed assembly languages provide a way to generate machinecheckable safety proofs for machinelanguage programs. But the soundness proofs of most existing typed assembly languages are handwritten and cannot be machinechecked, which is worrisome for such large calculi. We have designed and implemented a lowlevel typed assembly language (LTAL) with a semantic model and established its soundness from the model. Compared to existing typed assembly languages, LTAL is more scalable and more secure; it has no macro instructions that hinder lowlevel optimizations such as instruction scheduling; its type constructors are expressive enough to capture dataflow information, support the compiler's choice of data representations and permit typed positionindependent code; and its typechecking algorithm is completely syntaxdirected.
Unifying Type Checking and property checking for lowlevel code
, 2009
"... We present a unified approach to type checking and property checking for lowlevel code. Type checking for lowlevel code is challenging because type safety often depends on complex, programspecific invariants that are difficult for traditional type checkers to express. Conversely, property checking ..."
Abstract

Cited by 43 (15 self)
 Add to MetaCart
(Show Context)
We present a unified approach to type checking and property checking for lowlevel code. Type checking for lowlevel code is challenging because type safety often depends on complex, programspecific invariants that are difficult for traditional type checkers to express. Conversely, property checking for lowlevel code is challenging because it is difficult to write concise specifications that distinguish between locations in an untyped program’s heap. We address both problems simultaneously by implementing a type checker for lowlevel code as part of our property checker. We present a lowlevel formalization of a C program’s heap and its types that can be checked with an SMT solver, and we provide a decision procedure for checking type safety. Our type system is flexible enough to support a combination of nominal and structural subtyping for C, on a perstructure basis. We discuss several case studies that demonstrate the ability of this tool to express and check complex type invariants in lowlevel C code, including several small Windows device drivers.