Results 1  10
of
80
Stack Inspection: Theory and Variants
 ACM TRANSACTIONS ON PROGRAMMING LANGUAGES AND SYSTEMS
, 2001
"... Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the finegrained expression of access control policies, it has rather a complex and subtle semantics. We present a ..."
Abstract

Cited by 90 (4 self)
 Add to MetaCart
Stack inspection is a security mechanism implemented in runtimes such as the JVM and the CLR to accommodate components with diverse levels of trust. Although stack inspection enables the finegrained expression of access control policies, it has rather a complex and subtle semantics. We present a formal semantics and an equational theory to explain how stack inspection a#ects program behaviour and code optimisations. We discuss the security properties enforced by stack inspection, and also consider variants with stronger, simpler properties.
Reasoning with higherorder abstract syntax in a logical framework
 ACM Transactions on Computational Logic
, 2002
"... Logical frameworks based on intuitionistic or linear logics with highertype quantification have been successfully used to give highlevel, modular, and formal specifications of many important judgments in the area of programming languages and inference systems. Given such specifications, it is natu ..."
Abstract

Cited by 90 (23 self)
 Add to MetaCart
Logical frameworks based on intuitionistic or linear logics with highertype quantification have been successfully used to give highlevel, modular, and formal specifications of many important judgments in the area of programming languages and inference systems. Given such specifications, it is natural to consider proving properties about the specified systems in the framework: for example, given the specification of evaluation for a functional programming language, prove that the language is deterministic or that evaluation preserves types. One challenge in developing a framework for such reasoning is that higherorder abstract syntax (HOAS), an elegant and declarative treatment of objectlevel abstraction and substitution, is difficult to treat in proofs involving induction. In this paper, we present a metalogic that can be used to reason about judgments coded using HOAS; this metalogic is an extension of a simple intuitionistic logic that admits higherorder quantification over simply typed λterms (key ingredients for HOAS) as well as induction and a notion of definition. The latter concept of definition is a prooftheoretic device that allows certain theories to be treated as “closed ” or as defining fixed points. We explore the difficulties of formal metatheoretic analysis of HOAS encodings by considering encodings of intuitionistic and linear logics, and formally derive the admissibility of cut for important subsets
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 55 (5 self)
 Add to MetaCart
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
A bisimulation for type abstraction and recursion
 SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES
, 2005
"... We present a bisimulation method for proving the contextual equivalence of packages in λcalculus with full existential and recursive types. Unlike traditional logical relations (either semantic or syntactic), our development is “elementary, ” using only sets and relations and avoiding advanced mach ..."
Abstract

Cited by 47 (4 self)
 Add to MetaCart
We present a bisimulation method for proving the contextual equivalence of packages in λcalculus with full existential and recursive types. Unlike traditional logical relations (either semantic or syntactic), our development is “elementary, ” using only sets and relations and avoiding advanced machinery such as domain theory, admissibility, and ⊤⊤closure. Unlike other bisimulations, ours is complete even for existential types. The key idea is to consider sets of relations—instead of just relations—as bisimulations.
A bisimulation for dynamic sealing
 In Proceedings 31st Annual ACM Symposium on Principles of Programming Languages
, 2004
"... We define λseal, an untyped callbyvalue λcalculus with primitives for protecting abstract data by sealing, and develop a bisimulation proof method that is sound and complete with respect to contextual equivalence. This provides a formal basis for reasoning about data abstraction in open, dynamic ..."
Abstract

Cited by 42 (6 self)
 Add to MetaCart
We define λseal, an untyped callbyvalue λcalculus with primitives for protecting abstract data by sealing, and develop a bisimulation proof method that is sound and complete with respect to contextual equivalence. This provides a formal basis for reasoning about data abstraction in open, dynamic settings where static techniques such as type abstraction and logical relations are not applicable.
Extensionality and Intensionality of the Ambient Logics
"... The ambient logic has been proposed for expressing properties of process mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages on semistructured data. To understand the extensionality and the intensionality of the logic, the equivalence on MA processes induced by the ..."
Abstract

Cited by 41 (2 self)
 Add to MetaCart
The ambient logic has been proposed for expressing properties of process mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages on semistructured data. To understand the extensionality and the intensionality of the logic, the equivalence on MA processes induced by the logic (=L) is compared with the standard MA behavioural equivalence and with structural congruence (an intensional equivalence, used as an auxiliary relation in the definition of satisfaction of the logic). The main contributions include a coinductive characterisation of =L as a form of labelled bisimilarity, and axiomatisations of =L on the synchronous and asynchronous (finite) calculus. The study shows that, surprisingly, the logic allows us to observe the internal structure of the processes at a very finegrained detail, much in the same way as structural congruence does. A spinoff of the study is a better understanding of behavioural equivalence in Ambientlike calculi. For instance, behavioural equivalence is shown to be insensitive to stuttering phenomena originated by processes that may repeatedly enter and exit an ambient.
A Congruence Theorem for Structured Operational Semantics of HigherOrder Languages
, 1997
"... In this paper we describe the promoted tyft/tyxt rule format for defining higherorder languages. The rule format is a generalization of Groote and Vaandrager 's tyft/tyxt format in which terms are allowed as labels on transitions in rules. We prove that bisimulation is a congruence for any languag ..."
Abstract

Cited by 36 (0 self)
 Add to MetaCart
In this paper we describe the promoted tyft/tyxt rule format for defining higherorder languages. The rule format is a generalization of Groote and Vaandrager 's tyft/tyxt format in which terms are allowed as labels on transitions in rules. We prove that bisimulation is a congruence for any language defined in promoted tyft/tyxt format and demonstrate the usefulness of the rule format by presenting promoted tyft/tyxt definitions for the lazy calculus, CHOCS and the ßcalculus. 1 Introduction For a programming language definition that uses bisimulation as the notion of equivalence, it is desirable for the bisimulation relation to be compatible with the language constructs; i.e. that bisimulation be a congruence. Several rule formats have been defined, so that as long as a definition satisfies certain syntactic constraints, then the defined bisimulation relation is guaranteed to be a congruence. However these rule formats have not been widely used for defining languages with higher...
Operational Properties of Lily, a Polymorphic Linear Lambda Calculus with Recursion
"... Plotkin has advocated the combination of linear lambda calculus, polymorphism and fixed point recursion as an expressive semantic metalanguage. We study its expressive power from an operational point of view. We show that the naturally callbyvalue operators of linear lambda calculus can be given a ..."
Abstract

Cited by 35 (1 self)
 Add to MetaCart
Plotkin has advocated the combination of linear lambda calculus, polymorphism and fixed point recursion as an expressive semantic metalanguage. We study its expressive power from an operational point of view. We show that the naturally callbyvalue operators of linear lambda calculus can be given a callbyname semantics without affecting termination at exponential types and hence without affecting ground contextual equivalence. This result is used to prove properties of a logical relation that provides a new extensional characterisation of ground contextual equivalence and relational parametricity properties of polymorphic types.
Environmental bisimulations for higherorder languages
 In TwentySecond Annual IEEE Symposium on Logic in Computer Science
, 2007
"... Developing a theory of bisimulation in higherorder languages can be hard. Particularly challenging can be: (1) the proof of congruence, as well as enhancements of the bisimulation proof method with “upto context ” techniques, and (2) obtaining definitions and results that scale to languages with d ..."
Abstract

Cited by 35 (11 self)
 Add to MetaCart
Developing a theory of bisimulation in higherorder languages can be hard. Particularly challenging can be: (1) the proof of congruence, as well as enhancements of the bisimulation proof method with “upto context ” techniques, and (2) obtaining definitions and results that scale to languages with different features. To meet these challenges, we present environmental bisimulations, a form of bisimulation for higherorder languages, and its basic theory. We consider four representative calculi: pure λcalculi (callbyname and callbyvalue), callbyvalue λcalculus with higherorder store, and then HigherOrder πcalculus. In each case: we present the basic properties of environmental bisimilarity, including congruence; we show that it coincides with contextual equivalence; we develop some upto techniques, including upto context, as examples of possible enhancements of the associated bisimulation method. Unlike previous approaches (such as applicative bisimulations, logical relations, SumiiPierceKoutavasWand), our method does not require induction/indices on evaluation derivation/steps (which may complicate the proofs of congruence, transitivity, and the combination with upto techniques), or sophisticated methods such as Howe’s for proving congruence. It also scales from the pure λcalculi to the richer calculi with simple congruence proofs. 1
Compilation and Equivalence of Imperative Objects
, 1998
"... We adopt the untyped imperative object calculus of Abadi and Cardelli as a minimal setting in which to study problems of compilation and program equivalence that arise when compiling objectoriented languages. We present both a bigstep and a smallstep substitutionbased operational semantics fo ..."
Abstract

Cited by 34 (4 self)
 Add to MetaCart
We adopt the untyped imperative object calculus of Abadi and Cardelli as a minimal setting in which to study problems of compilation and program equivalence that arise when compiling objectoriented languages. We present both a bigstep and a smallstep substitutionbased operational semantics for the calculus. Our rst two results are theorems asserting the equivalence of our substitutionbased semantics with a closurebased semantics like that given by Abadi and Cardelli. Our third result is a direct proof of the correctness of compilation to a stackbased abstract machine via a smallstep decompilation algorithm. Our fourth result is that contextual equivalence of objects coincides with a form of Mason and Talcott's CIU equivalence; the latter provides a tractable means of establishing operational equivalences. Finally, we prove correct an algorithm, used in our prototype compiler, for statically resolving method osets. This is the rst study of correctness of an objectoriented abstract machine, and of operational equivalence for the imperative object calculus.