Results 1 
3 of
3
Foundational Proof Checkers with Small Witnesses
, 2003
"... Proof checkers for proofcarrying code (and similar systems) can su#er from two problems: huge proof witnesses and untrustworthy proof rules. No previous design has addressed both of these problems simultaneously. We show the theory, design, and implementation of a proofchecker that permits small p ..."
Abstract

Cited by 24 (6 self)
 Add to MetaCart
Proof checkers for proofcarrying code (and similar systems) can su#er from two problems: huge proof witnesses and untrustworthy proof rules. No previous design has addressed both of these problems simultaneously. We show the theory, design, and implementation of a proofchecker that permits small proof witnesses and machinecheckable proofs of the soundness of the system.
A costeffective foundational certified code system
, 2005
"... Certified code systems enable untrusted programs to be proven safe to execute in a machine–checkable manner. Recent work has focused on building foundational certified code systems, where safety is defined relative to a concrete machine architecture. We wish to build a cost–effective system, with pr ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Certified code systems enable untrusted programs to be proven safe to execute in a machine–checkable manner. Recent work has focused on building foundational certified code systems, where safety is defined relative to a concrete machine architecture. We wish to build a cost–effective system, with practicality along two dimensions — the intellectual effort to engineer the proofs, and the resource usage by the machine in verifying these proofs. Thus, we factor the proof that a particular program is safe to execute into two parts, a generic part and a program–specific part. These parts are linked by a mediating logic, typically a type system, which we call the safety condition. Consequently, we must prove that all programs that satisfy this condition are safe to execute, and then, we prove that the particular program satisfies this safety condition. Moreover, each of these proofs must be done in a cost–effective manner. In previous work, we have described a machine–checkable proof for the first part, based on defining an operational semantics in LF and using the Twelf metalogic. For the second part, experience has shown that proof terms for a reasonable logic, or type system, are too big to generate, send across the network, and check. We wish to check adherence to the safety condition by an untrusted functional program. It remains to prove (in a machine–checkable manner) that the program implements the logic specified in a LF signature. We propose to accomplish this by static typechecking. We have designed an expressive type system using dependent refinements for this purpose. 1
A syntactic account of singleton types via hereditary substitution
, 2009
"... We give a syntactic proof of decidability and consistency of equivalence for the singleton type calculus, which lies at the foundation of modern module systems such as that of ML. Unlike existing proofs, which work by constructing a model, our syntactic proof makes few demands on the underlying proo ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
We give a syntactic proof of decidability and consistency of equivalence for the singleton type calculus, which lies at the foundation of modern module systems such as that of ML. Unlike existing proofs, which work by constructing a model, our syntactic proof makes few demands on the underlying proof theory and mathematical foundation. Consequently, it can be — and has been — entirely formulated in the Twelf metalogic, and provides an important piece of a Twelfformalized typesafety proof for Standard ML. The proof works by translation of the singleton type calculus into a canonical presentation, adapted from work on logical frameworks, in which equivalent terms are written identically. Canonical forms are not preserved under standard substitution, so we employ an alternative definition of substitution called hereditary substitution, which contracts redices that arise during substitution. 1