Results 1  10
of
91
A Uniform Type Structure for Secure Information Flow
, 2002
"... The \picalculus is a formalism of computing in which we can compositionally represent dynamics of major programming constructs by decomposing them into a single communication primitive, the name passing. This work reports our experience in using a linear/affine typed \picalculus for the analysis a ..."
Abstract

Cited by 76 (11 self)
 Add to MetaCart
The \picalculus is a formalism of computing in which we can compositionally represent dynamics of major programming constructs by decomposing them into a single communication primitive, the name passing. This work reports our experience in using a linear/affine typed \picalculus for the analysis and development of type systems of programming languages, focussing on secure information flow analysis. After presenting a basic typed calculus for secrecy, we demonstrate its usage by a sound embedding of the dependency core calculus (DCC) and by the development of a novel type discipline for imperative programs which extends both a secure multithreaded imperative language by Smith and Volpano and (a callbyvalue version of) DCC. In each case, the embedding gives a simple proof of noninterference.
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 55 (5 self)
 Add to MetaCart
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
Secure Information Flow as Typed Process Behaviour
, 2000
"... We propose a new type discipline for the calculus in which secure information ow is guaranteed by static type checking. Secrecy levels are assigned to channels and are controlled by subtyping. A behavioural notion of types capturing causality of actions plays an essential role for ensuring safe ..."
Abstract

Cited by 52 (0 self)
 Add to MetaCart
We propose a new type discipline for the calculus in which secure information ow is guaranteed by static type checking. Secrecy levels are assigned to channels and are controlled by subtyping. A behavioural notion of types capturing causality of actions plays an essential role for ensuring safe information ow in diverse interactive behaviours, making the calculus powerful enough to embed known calculi for typebased security. The paper introduces the core part of the calculus, presents its basic syntactic properties, and illustrates its use as a tool for programming language analysis by a sound embedding of a secure multithreaded imperative calculus of Volpano and Smith. The embedding leads to a practically meaningful extension of their original type discipline.
Algorithmic Game Semantics
 In Schichtenberg and Steinbruggen [16
, 2001
"... Introduction SAMSON ABRAMSKY (samson@comlab.ox.ac.uk) Oxford University Computing Laboratory 1. Introduction Game Semantics has emerged as a powerful paradigm for giving semantics to a variety of programming languages and logical systems. It has been used to construct the first syntaxindependen ..."
Abstract

Cited by 47 (3 self)
 Add to MetaCart
Introduction SAMSON ABRAMSKY (samson@comlab.ox.ac.uk) Oxford University Computing Laboratory 1. Introduction Game Semantics has emerged as a powerful paradigm for giving semantics to a variety of programming languages and logical systems. It has been used to construct the first syntaxindependent fully abstract models for a spectrum of programming languages ranging from purely functional languages to languages with nonfunctional features such as control operators and locallyscoped references [4, 21, 5, 19, 2, 22, 17, 11]. A substantial survey of the state of the art of Game Semantics circa 1997 was given in a previous Marktoberdorf volume [6]. Our aim in this tutorial presentation is to give a first indication of how Game Semantics can be developed in a new, algorithmic direction, with a view to applications in computerassisted verification and program analysis. Some promising steps have already been taken in this
An observationally complete program logic for imperative higherorder functions
 In Proc. LICS’05
, 2005
"... Abstract. We propose a simple compositional program logic for an imperative extension of callbyvalue PCF, built on Hoare logic and our preceding work on program logics for pure higherorder functions. A systematic use of names and operations on them allows precise and general description of comple ..."
Abstract

Cited by 39 (11 self)
 Add to MetaCart
Abstract. We propose a simple compositional program logic for an imperative extension of callbyvalue PCF, built on Hoare logic and our preceding work on program logics for pure higherorder functions. A systematic use of names and operations on them allows precise and general description of complex higherorder imperative behaviour. The proof rules of the logic exactly follow the syntax of the language and can cleanly embed, justify and extend the standard proof rules for total correctness of Hoare logic. The logic offers a foundation for general treatment of aliasing and local state on its basis, with minimal extensions. After establishing soundness, we prove that valid assertions for programs completely characterise their behaviour up to observational congruence, which is proved using a variant of finite canonical forms. The use of the logic is illustrated through reasoning examples which are hard to assert and infer using existing program logics.
A Semantic analysis of control
, 1998
"... This thesis examines the use of denotational semantics to reason about control flow in sequential, basically functional languages. It extends recent work in game semantics, in which programs are interpreted as strategies for computation by interaction with an environment. Abramsky has suggested that ..."
Abstract

Cited by 32 (5 self)
 Add to MetaCart
This thesis examines the use of denotational semantics to reason about control flow in sequential, basically functional languages. It extends recent work in game semantics, in which programs are interpreted as strategies for computation by interaction with an environment. Abramsky has suggested that an intensional hierarchy of computational features such as state, and their fully abstract models, can be captured as violations of the constraints on strategies in the basic functional model. Nonlocal control flow is shown to fit into this framework as the violation of strong and weak ‘bracketing ’ conditions, related to linear behaviour. The language µPCF (Parigot’s λµ with constants and recursion) is adopted as a simple basis for highertype, sequential computation with access to the flow of control. A simple operational semantics for both callbyname and callbyvalue evaluation is described. It is shown that dropping the bracketing condition on games models of PCF yields fully abstract models of µPCF.
The impact of higherorder state and control effects on local relational reasoning
, 2010
"... Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML o ..."
Abstract

Cited by 32 (14 self)
 Add to MetaCart
Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML or Haskell. Much of the recent work in this direction has considered the interesting representation independence principles enabled by the use of local state, but it is also important to understand the principles that powerful features like higherorder state and control effects disable. This latter topic has been broached extensively within the framework of game semantics, resulting in what Abramsky dubbed the “semantic cube”: fully abstract gamesemantic characterizations of various axes in the design space of MLlike languages. But when it comes to reasoning about many actual examples, game semantics does not yet supply a useful technique for proving equivalences. In this paper, we marry the aspirations of the semantic cube to the powerful proof method of stepindexed Kripke logical relations. Building on recent work of Ahmed, Dreyer, and Rossberg, we define the first fully abstract logical relation for an MLlike language with recursive types, abstract types, general references and call/cc. We then show how, under orthogonal restrictions to the expressive power of our language—namely, the restriction to firstorder state and/or the removal of call/cc—we can enhance the proving power of our possibleworlds model in correspondingly orthogonal ways, and we demonstrate this proving power on a range of interesting examples. Central to our story is the use of state transition systems to model the way in which properties of local state evolve over time.
Game models for open systems
 Theory and Practice: Essays Dedicated to Zohar Manna on the Occasion of His 64th Birthday, volume 2772 of LNCS
, 2004
"... Abstract. An open system is a system whose behavior is jointly determined by its internal structure, and by the input it receives from the environment. To solve control and verification problems, open systems have often been modeled as games between the system and the environment; we argue that the ..."
Abstract

Cited by 31 (4 self)
 Add to MetaCart
Abstract. An open system is a system whose behavior is jointly determined by its internal structure, and by the input it receives from the environment. To solve control and verification problems, open systems have often been modeled as games between the system and the environment; we argue that the game view of open systems should be extended also to the definitions of system refinement and composition. We give a symmetrical interpretation to games between system and environment: the moves of the system represent the outputs that the system can generate (the output guarantees), and symmetrically, the moves of the environment represent the inputs that the system can accept (the input assumptions). We argue in favor of defining refinement of open systems in terms of alternating simulation, which is the relation between games that plays the same role of simulation between transition systems. Alternating simulation captures the principle that a component refines another if it has weaker input assumptions, and stronger output guarantees. Furthermore, we argue in favor of a notion of composition that accounts for the compatibility between input assumptions and output guarantees, and that enables the synthesis of new input guarantees for the composed system. These gametheoretical notions of refinement and compatibility are related to the typetheoretical notions of subtyping and type compatibility, and give rise to an expressive modeling framework for componentbased design and verification. 1
Probabilistic Game Semantics
 Computer Science Society
, 2000
"... A category of HO/Nstyle games and probabilistic strategies is developedwhere the possible choices of a strategy are quantified so as to give a measure of the likelihood of seeing a given play. A 2sided die is shown to be universal in this category, in the sense that any strategy breaks down into a ..."
Abstract

Cited by 31 (1 self)
 Add to MetaCart
A category of HO/Nstyle games and probabilistic strategies is developedwhere the possible choices of a strategy are quantified so as to give a measure of the likelihood of seeing a given play. A 2sided die is shown to be universal in this category, in the sense that any strategy breaks down into a composition between some deterministic strategy and that die. The interpretative power of the category is then demonstrated by delineating a Cartesian closed subcategory which provides a fully abstract model of a probabilistic extension of Idealized Algol.