Results 1  10
of
40
Towards a practical programming language based on dependent type theory
, 2007
"... ..."
(Show Context)
Secure distributed programming with valuedependent types
 In: Proceedings of the 13th ACM SIGPLAN International Conference on Functional Programming (ICFP
, 2011
"... Distributed applications are difficult to program reliably and securely. Dependently typed functional languages promise to prevent broad classes of errors and vulnerabilities, and to enable program verification to proceed sidebyside with development. However, as recursion, effects, and rich librar ..."
Abstract

Cited by 47 (14 self)
 Add to MetaCart
(Show Context)
Distributed applications are difficult to program reliably and securely. Dependently typed functional languages promise to prevent broad classes of errors and vulnerabilities, and to enable program verification to proceed sidebyside with development. However, as recursion, effects, and rich libraries are added, using types to reason about programs, specifications, and proofs becomes challenging. We present F ⋆ , a fullfledged design and implementation of a new dependently typed language for secure distributed programming. Unlike prior languages, F ⋆ provides arbitrary recursion while maintaining a logically consistent core; it enables modular reasoning about state and other effects using affine types; and it supports proofs of refinement properties using a mixture of cryptographic evidence and logical proof terms. The key mechanism is a new kind system that tracks several sublanguages within F ⋆ and controls their interaction. F ⋆ subsumes two previous languages, F7 and Fine. We prove type soundness (with proofs mechanized in Coq) and logical consistency for F ⋆. We have implemented a compiler that translates F ⋆ to.NET bytecode, based on a prototype for Fine. F ⋆ provides access to libraries for concurrency, networking, cryptography, and interoperability with C#, F#, and the other.NET languages. The compiler produces verifiable binaries with 60 % code size overhead for proofs and types, as much as a 45x improvement over the Fine compiler, while still enabling efficient bytecode verification. To date, we have programmed and verified more than 20,000 lines of F ⋆ including (1) new schemes for multiparty sessions; (2) a zeroknowledge privacypreserving payment protocol; (3) a provenanceaware curated database; (4) a suite of 17 webbrowser extensions verified for authorization properties; and (5) a cloudhosted multitier web application with a verified reference monitor.
Firstclass type classes
, 2008
"... Abstract. Type Classes have met a large success in Haskell and Isabelle, as a solution for sharing notations by overloading and for specifying with abstract structures by quantification on contexts. However, both systems are limited by secondclass implementations of these constructs, and these limi ..."
Abstract

Cited by 39 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Type Classes have met a large success in Haskell and Isabelle, as a solution for sharing notations by overloading and for specifying with abstract structures by quantification on contexts. However, both systems are limited by secondclass implementations of these constructs, and these limitations are only overcomed by adhoc extensions to the respective systems. We propose an embedding of type classes into a dependent type theory that is firstclass and supports some of the most popular extensions right away. The implementation is correspondingly cheap, general and integrates well inside the system, as we have experimented in Coq. We show how it can be used to help structured programming and proving by way of examples. 1
The implicit calculus of constructions as a programming language with dependent types
 In Amadio [6
"... Abstract. In this paper, we show how Miquel’s Implicit Calculus of Constructions (ICC) can be used as a programming language featuring dependent types. Since this system has an undecidable typechecking, we introduce a more verbose variant, called ICC ∗ which fixes this issue. Datatypes and program ..."
Abstract

Cited by 30 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper, we show how Miquel’s Implicit Calculus of Constructions (ICC) can be used as a programming language featuring dependent types. Since this system has an undecidable typechecking, we introduce a more verbose variant, called ICC ∗ which fixes this issue. Datatypes and program specifications are enriched with logical assertions (such as preconditions, postconditions, invariants) and programs are decorated with proofs of those assertions. The point of using ICC ∗ rather than the Calculus of Constructions (the core formalism of the Coq proof assistant) is that all of the static information (types and proof objects) is transparent, in the sense that it does not affect the computational behavior. This is concretized by a builtin extraction procedure that removes this static information. We also illustrate the main features of ICC ∗ on classical examples of dependently typed programs. 1
Semantic subtyping with an SMT solver
, 2010
"... We study a firstorder functional language with the novel combination of the ideas of refinement type (the subset of a type to satisfy a Boolean expression) and typetest (a Boolean expression testing whether a value belongs to a type). Our core calculus can express a rich variety of typing idioms; ..."
Abstract

Cited by 20 (1 self)
 Add to MetaCart
(Show Context)
We study a firstorder functional language with the novel combination of the ideas of refinement type (the subset of a type to satisfy a Boolean expression) and typetest (a Boolean expression testing whether a value belongs to a type). Our core calculus can express a rich variety of typing idioms; for example, intersection, union, negation, singleton, nullable, variant, and algebraic types are all derivable. We formulate a semantics in which expressions denote terms, and types are interpreted as firstorder logic formulas. Subtyping is defined as valid implication between the semantics of types. The formulas are interpreted in a specific model that we axiomatize using standard firstorder theories. On this basis, we present a novel typechecking algorithm able to eliminate many dynamic tests and to detect many errors statically. The key idea is to rely on an SMT solver to compute subtyping efficiently. Moreover, interpreting types as formulas allows us to call the SMT solver at runtime to compute instances of types.
The Power of Pi
, 2008
"... This paper exhibits the power of programming with dependent types by dint of embedding three domainspecific languages: Cryptol, a language for cryptographic protocols; a small data description language; and relational algebra. Each example demonstrates particular design patterns inherent to depende ..."
Abstract

Cited by 20 (0 self)
 Add to MetaCart
This paper exhibits the power of programming with dependent types by dint of embedding three domainspecific languages: Cryptol, a language for cryptographic protocols; a small data description language; and relational algebra. Each example demonstrates particular design patterns inherent to dependentlytyped programming. Documenting these techniques paves the way for further research in domainspecific embedded type systems.
A Hoare Logic for CallbyValue Functional Programs
"... Abstract. We present a Hoare logic for a callbyvalue programming language equipped with recursive, higherorder functions, algebraic data types, and a polymorphic type system in the style of Hindley and Milner. It is the theoretical basis for a tool that extracts proof obligations out of programs ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We present a Hoare logic for a callbyvalue programming language equipped with recursive, higherorder functions, algebraic data types, and a polymorphic type system in the style of Hindley and Milner. It is the theoretical basis for a tool that extracts proof obligations out of programs annotated with logical assertions. These proof obligations, expressed in a typed, higherorder logic, are discharged using offtheshelf automated or interactive theorem provers. Although the technical apparatus that we exploit is by now standard, its application to callbyvalue functional programming languages appears to be new, and (we claim) deserves attention. As a sample application, we check the partial correctness of a balanced binary search tree implementation. 1
PROGRAMing finger trees in Coq
 In ACM SIGPLAN International Conference on Functional Programming. Association for Computing Machinery
, 2007
"... Finger Trees (Hinze and Paterson 2006) are a general purpose persistent data structure with good performance. Their genericity permits developing a wealth of structures like ordered sequences or interval trees on top of a single implementation. However, the type systems used by current functional la ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
(Show Context)
Finger Trees (Hinze and Paterson 2006) are a general purpose persistent data structure with good performance. Their genericity permits developing a wealth of structures like ordered sequences or interval trees on top of a single implementation. However, the type systems used by current functional languages do not guarantee the coherent parameterization and specialization of Finger Trees, let alone the correctness of their implementation.We present a certified implementation of Finger Trees solving these problems using the PROGRAM extension of COQ. We not only implement the structure but also prove its invariants along the way, which permit building certified structures on top of Finger Trees in an elegant way. Categories and Subject Descriptors D.2.4 [Software/Program
Verifying Stateful Programs with Substructural State and Hoare Types
"... A variety of techniques have been proposed to verify stateful functional programs by developing Hoare logics for the state monad. For better automation, we explore a different point in the design space: we propose using affine types to model state, while relying on refinement type checking to prove ..."
Abstract

Cited by 10 (4 self)
 Add to MetaCart
A variety of techniques have been proposed to verify stateful functional programs by developing Hoare logics for the state monad. For better automation, we explore a different point in the design space: we propose using affine types to model state, while relying on refinement type checking to prove assertion safety. Our technique is based on verification by translation, starting from FX, an imperative objectbased surface language with specifications including object invariants and Hoare triple computation types, and translating into FINE, a functional language with dependent refinements and affine types. The core idea of the translation is the division of a stateful object into a pure value and an affine token whose type mentions the current state of the object. We prove our methodology sound via a simulation between imperative FX programs and their functional FINE translation. Our approach enables modular verification of FX programs supported by an SMT solver. We demonstrate its versatility by several examples, including verifying clients of stateful APIs, even in the presence of aliasing, and tracking information flow through sideeffecting computations.
VeriML: Typed computation of logical terms inside a language with effects
, 2010
"... Modern proof assistants such as Coq and Isabelle provide high degrees of expressiveness and assurance because they support formal reasoning in higherorder logic and supply explicit machinecheckable proof objects. Unfortunately, large scale proof development in these proof assistants is still an ex ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Modern proof assistants such as Coq and Isabelle provide high degrees of expressiveness and assurance because they support formal reasoning in higherorder logic and supply explicit machinecheckable proof objects. Unfortunately, large scale proof development in these proof assistants is still an extremely difficult and timeconsuming task. One major weakness of these proof assistants is the lack of a single language where users can develop complex tactics and decision procedures using a rich programming model and in a typeful manner. This limits the scalability of the proof development process, as users avoid developing domainspecific tactics and decision procedures. In this paper, we present VeriML—a novel language design that couples a typesafe effectful computational language with firstclass support for manipulating logical terms such as propositions and proofs. The main idea behind our design is to integrate a rich logical framework—similar to the one supported by Coq—inside a computational language inspired by ML. The language design is such that the added features are orthogonal to the rest of the computational language, and also do not require significant additions to the logic language, so soundness is guaranteed. We have built a prototype implementation of VeriML including both its typechecker and an interpreter. We demonstrate the effectiveness of our design by showing a number of typesafe tactics and decision procedures written in VeriML.