We present the first type and effect system for proving authenticity properties of security protocols based on asymmetric cryptography. The most significant new features of our type system are: (1) a separation of public types (for data possibly sent to the opponent) from tainted types (for data possibly received from the opponent) via a subtype relation; (2) trust effects, to guarantee that tainted data does not, in fact, originate from the opponent; and (3) challenge/response types to support a variety of idioms used to guarantee message freshness. We illustrate the applicability of our system via protocol examples.

Abstract. This paper investigates an approach for statically preventing race conditions in an object-oriented language. The setting of this work is a variant of Gordon and Hankin's concurrent object calculus. We enrich that calculus with a form of dependent object types that enables us to verify that threads invoke and update methods only after acquiring appropriate locks. We establish that well-typed programs do not have race conditions. 1 Introduction Concurrent object-oriented programs suffer from many of the errors common inconcurrent programs of other sorts. In particular, the use of objects does not diminish the importance of careful synchronization. With objects or withoutthem, improper synchronization may lead to race conditions (that is, two processes accessing a shared resource simultaneously) and ultimately to incorrectbehavior. A standard approach for eliminating race conditions consists in protectingeach shared resource with a lock, requiring that a process acquires the corresponding lock before using the resource [5]. Object-oriented programs oftenrely on this approach, but with some peculiar patterns. It is common to group related resources into an object, and to attach the lock that protects the re-sources to this object. Processes may acquire the lock before invoking the methods of the object; alternatively, the methods may acquire this lock at the start oftheir execution. With constructs such as Java's

We present the design and implementation of a typechecker for verifying security properties of the source code of cryptographic protocols and access control mechanisms. The underlying type theory is a λ-calculus equipped with refinement types for expressing pre- and post-conditions within first-order logic. We derive formal cryptographic primitives and represent active adversaries within the type theory. Well-typed programs enjoy assertion-based security properties, with respect to a realistic threat model including key compromise. The implementation amounts to an enhanced typechecker for the general purpose functional language F#; typechecking generates verification conditions that are passed to an SMT solver. We describe a series of checked examples. This is the first tool to verify authentication properties of cryptographic protocols by typechecking their source code. 1

Abstract not found

this paper we propose a fine-grained typing system for a higher-order p-calculus which can be used to control the effect of such migrating code on local environments. Processes may be assigned different types depending on their intended use. This is in contrast to most of the previous work on typing processes where all processes are typed by a unique constant type, indicating essentially that they are well-typed relative to a particular environment. Our fine-grained typing facilitates the management of access rights and provides host protection from potentially malicious behaviour

Many design flaws and incorrect analyses of cryptographic protocols can be traced to inadequate specification languages for message components, environment assumptions, and goals. In this paper, we present MSR, a strongly typed specification language for security protocols, which is intended to address the first two issues. Its typing infrastructure, based on the theory of dependent types with subsorting, yields elegant and precise formalizations, and supports a useful array of static check that include type-checking and access control validation. It uses multiset rewriting rules to express the actions of the protocol. The availability of memory predicates enable it to faithfully encode systems consisting of a collection of coordinated subprotocols, and constraints allow tackling objects belonging to complex interpretation domains, e.g. time stamps, in an abstract and modular way. We apply MSR to the specification of several examples.

We propose and study coercive subtyping, a formal extension with subtyping of dependent type theories such as Martin-Lof's type theory [NPS90] and the type theory UTT [Luo94]. In this approach, subtyping with specified implicit coercions is treated as a feature at the level of the logical framework; in particular, subsumption and coercion are combined in such a way that the meaning of an object being in a supertype is given by coercive definition rules for the definitional equality. It is shown that this provides a conceptually simple and uniform framework to understand subtyping and coercion relations in type theories with sophisticated type structures such as inductive types and universes. The use of coercive subtyping in formal development and in reasoning about subsets of objects is discussed in the context of computerassisted formal reasoning. 1 Introduction A type in type theory is often intuitively thought of as a set. For example, types in Martin-Lof's type theory [ML84, NPS90...

MSR is an unambiguous, flexible, powerful and relatively simple specification framework for crypto-protocols. It uses multiset rewriting rules over first-order atomic formulas to express protocol actions and relies on a form of existential quantification to symbolically model the generation of nonces and other fresh data. It supports an array of useful static checks that include type-checking and data access verification. In this paper, we give a detailed presentation of the typing infrastructure of MSR, which is based on the theory of dependent types with subsorting. We prove that type-checking protocol specifications is decidable and show that execution preserves well-typing. We illustrate these features by formalizing a well-known protocol in MSR.

One of the most important contributions of A. Church to logic is his invention of the lambda calculus. We present the genesis of this theory and its two major areas of application: the representation of computations and the resulting functional programming languages on the one hand and the representation of reasoning and the resulting systems of computer mathematics on the other hand. Acknowledgement. The following persons provided help in various ways. Erik Barendsen, Jon Barwise, Johan van Benthem, Andreas Blass, Olivier Danvy, Wil Dekkers, Marko van Eekelen, Sol Feferman, Andrzej Filinski, Twan Laan, Jan Kuper, Pierre Lescanne, Hans Mooij, Robert Maron, Rinus Plasmeijer, Randy Pollack, Kristoffer Rose, Richard Shore, Rick Statman and Simon Thompson. Partial support came from the European HCM project Typed lambda calculus (CHRXCT-92-0046), the Esprit Working Group Types (21900) and the Dutch NWO project WINST (612-316-607). 1. Introduction This paper is written to honor Church's gr...

. We propose a notion of pure type system with implicit coercions. In our framework, judgements are extended with a context of coercions \Delta and the application rule is modified so as to allow coercions to be left implicit. The setting supports multiple inheritance and can be applied to all type theories with \Pi-types. One originality of our work is to propose a computational interpretation for implicit coercions. In this paper, we demonstrate how this interpretation allows a strict control on the logical properties of pure type systems with implicit coecions. 1 Introduction The increasing importance of mathematical software has been accompanied by a drift of mainstream mathematics towards mathematical logic and the foundations of mathematics. Before mathematical software, formal systems were generally seen both by logicians and mathematicians as safe heavens into which mathematics could theoretically be embedded. With powerful mathematical software, there is now a genuine interes...