Results 1  10
of
11
A Per Model of Secure Information Flow in Sequential Programs
 HIGHERORDER AND SYMBOLIC COMPUTATION
, 1998
"... This paper proposes an extensional semanticsbased formal specification of secure informationflow properties in sequential programs based on representing degrees of security by partial equivalence relations (pers). The specification clarifies and unifies a number of specific correctness arguments i ..."
Abstract

Cited by 90 (18 self)
 Add to MetaCart
This paper proposes an extensional semanticsbased formal specification of secure informationflow properties in sequential programs based on representing degrees of security by partial equivalence relations (pers). The specification clarifies and unifies a number of specific correctness arguments in the literature and connections to other forms of program analysis. The approach is inspired by (and in the deterministic case equivalent to) the use of partial equivalence relations in specifying bindingtime analysis, and is thus able to specify security properties of higherorder functions and "partially confidential data". We also show how the per approach can handle nondeterminism for a firstorder language, by using powerdomain semantics and show how probabilistic security properties can be formalised by using probabilistic powerdomain semantics. We illustrate the usefulness of the compositional nature of the security specifications by presenting a straightforward correctness proof for a simple typebased security analysis.
Parallel Programming using Functional Languages
, 1991
"... I am greatly indebted to Simon Peyton Jones, my supervisor, for his encouragement and technical assistance. His overwhelming enthusiasm was of great support to me. I particularly want to thank Simon and Geoff Burn for commenting on earlier drafts of this thesis. Through his excellent lecturing Cohn ..."
Abstract

Cited by 48 (3 self)
 Add to MetaCart
I am greatly indebted to Simon Peyton Jones, my supervisor, for his encouragement and technical assistance. His overwhelming enthusiasm was of great support to me. I particularly want to thank Simon and Geoff Burn for commenting on earlier drafts of this thesis. Through his excellent lecturing Cohn Runciman initiated my interest in functional programming. I am grateful to Phil Trinder for his simulator, on which mine is based, and Will Partain for his help with LaTex and graphs. I would like to thank the Science and Engineering Research Council of Great Britain for their financial support. Finally, I would like to thank Michelle, whose culinary skills supported me whilst I was writingup.The Imagination the only nation worth defending a nation without alienation a nation whose flag is invisible and whose borders are forever beyond the horizon a nation whose motto is why have one or the other when you can have one the other and both
Binding Time Analysis: A New PERspective
 In Proceedings of the ACM Symposium on Partial Evaluation and SemanticsBased Program Manipulation (PEPM'91
, 1991
"... Given a description of the parameters in a program that will be known at partial evaluation time, a binding time analysis must determine which parts of the program are dependent solely on these known parts (and therefore also known at partial evaluation time). In this paper a binding time analysis f ..."
Abstract

Cited by 33 (5 self)
 Add to MetaCart
Given a description of the parameters in a program that will be known at partial evaluation time, a binding time analysis must determine which parts of the program are dependent solely on these known parts (and therefore also known at partial evaluation time). In this paper a binding time analysis for the simply typed lambda calculus is presented. The analysis takes the form of an abstract interpretation and uses a novel formalisation of the problem of binding time analysis, based on the use of partial equivalence relations. A simple proof of correctness is achieved by the use of logical relations. 1 Introduction Given a description of the parameters in a program that will be known at partial evaluation time, a binding time analysis must determine which parts of the program are dependent solely on these known parts (and therefore also known at partial evaluation time). A binding time analysis performed prior to the partial evaluation process can have several practical benefits (see [...
Abstract Interpretation of Functional Languages: From Theory to Practice
, 1991
"... Abstract interpretation is the name applied to a number of techniques for reasoning about programs by evaluating them over nonstandard domains whose elements denote properties over the standard domains. This thesis is concerned with higherorder functional languages and abstract interpretations with ..."
Abstract

Cited by 25 (0 self)
 Add to MetaCart
Abstract interpretation is the name applied to a number of techniques for reasoning about programs by evaluating them over nonstandard domains whose elements denote properties over the standard domains. This thesis is concerned with higherorder functional languages and abstract interpretations with a formal semantic basis. It is known how abstract interpretation for the simply typed lambda calculus can be formalised by using binary logical relations. This has the advantage of making correctness and other semantic concerns straightforward to reason about. Its main disadvantage is that it enforces the identification of properties as sets. This thesis shows how the known formalism can be generalised by the use of ternary logical relations, and in particular how this allows abstract values to deno...
Higherorder Bindingtime Analysis
 In ACM Symposium on Partial Evaluation and SemanticsBased Program Manipulation (PEPM'93
, 1993
"... The partial evaluation process requires a bindingtime analysis. Bindingtime analysis seeks to determine which parts of a program's result is determined when some part of the input is known. Domain projections provide a very general way to encode a description of which parts of a data structure are ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
The partial evaluation process requires a bindingtime analysis. Bindingtime analysis seeks to determine which parts of a program's result is determined when some part of the input is known. Domain projections provide a very general way to encode a description of which parts of a data structure are static (known), and which are dynamic (not static). For firstorder functional languages Launchbury [Lau91a] has developed an abstract interpretation technique for bindingtime analysis in which the basic abstract value is a projection. Unfortunately this technique does not generalise easily to higherorder languages. This paper develops such a generalisation: a projectionbased abstract interpretation suitable for higherorder bindingtime analysis. Launchbury [Lau91b] has shown that bindingtime analysis and strictness analysis are equivalent problems at first order, and for projectionbased analyses have exactly the same safety condition. We argue that the same is true at higher order, ...
Projections for Polymorphic FirstOrder Strictness Analysis
 Math. Struct. in Comp. Science
, 1991
"... this paper, that results from this kind of analysis are, in a sense, polymorphic. This confirms an earlier conjecture [19], and shows how the technique can be applied to firstorder polymorphic functions. The paper is organised as follows. In the next section, we review projectionbased strictness a ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
this paper, that results from this kind of analysis are, in a sense, polymorphic. This confirms an earlier conjecture [19], and shows how the technique can be applied to firstorder polymorphic functions. The paper is organised as follows. In the next section, we review projectionbased strictness analysis very briefly. In Section 3 we introduce the types we will be working with: they are the objects of a category. We show that parameterised types are functors, with certain cancellation properties. In Section 4 we define strong and weak polymorphism: polymorphic functions in programming languages are strongly polymorphic, but we will need to use projections with a slightly weaker property. We prove that, under certain conditions, weakly polymorphic functions are characterised by any nontrivial instance. We can therefore analyse one monomorphic instance of a polymorphic function using existing techniques, and apply the results to every instance. In Section 5 we choose a finite set of projections for each type, suitable for use in a practical compiler. We call these specially chosen projections contexts, and we show examples of factorising contexts for compound types in order to facilitate application of the results of Section 4. We give a number of examples of polymorphic strictness analysis. Finally, in Section 6 we discuss related work and draw some conclusions. 2. Projections for Strictness Analysis
Uniform Ideals and Strictness Analysis
 In Proc. 18th Int'l Coll. on Automata, Languages and Programming (ICALP
, 1991
"... We propose a notion of uniform ideal (certain Scottclosed sets) to characterise strictness properties. This enables us to explain why Hughes' and Wadler's H projection for lazy list strictness analysis is not in general expressible as an abstract interpretation property of the standard semantics. W ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
We propose a notion of uniform ideal (certain Scottclosed sets) to characterise strictness properties. This enables us to explain why Hughes' and Wadler's H projection for lazy list strictness analysis is not in general expressible as an abstract interpretation property of the standard semantics. We give circumstances when it is so expressible. Doing so casts light on Burn's HB projection and his question of its relationship to H. Uniform ideals are a generalisation of the sets of values corresponding to types in (simple) polymorphic type systems. Wadler's doublylifted abstract domain constructor for lazy lists can be seen as a special case which only uses certain uniform ideals. The conuence of strictness and type theory furthers Kuo and Mishra's notion of \strictness types". Summary of results We characterise strictness properties as uniform ideals. This enables us to give abstract interpretation properties to show that a function on list(t 1 +t 2 ) is Hstrict (Wadler an...
On the power of abstract interpretation
 Computer Languages
, 1992
"... Abstract Increasingly sophisticated applications of static analysis make it important to precisely characterize the power of static analysis techniques. Sekar et al. recently studied the power of strictness analysis techniques and showed that strictness analysis is perfect up to variations in consta ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Abstract Increasingly sophisticated applications of static analysis make it important to precisely characterize the power of static analysis techniques. Sekar et al. recently studied the power of strictness analysis techniques and showed that strictness analysis is perfect up to variations in constants. We generalize this approach to abstract interpretation in general by defining a notion of similarity semantics. This semantics associates to a program a collection of interpretations all of which are obtained by blurring the distinctions that a particular static analysis ignores. We define completeness with respect to similarity semantics and obtain two completeness results. For firstorder languages, abstract interpretation is complete with respect to a standard similarity semantics provided the base abstract domain is linearly ordered. For typed higherorder languages, it is complete with respect a logical similarity semantics again under the condition of linearly ordered base abstract domain. 1
PERs from Projections for BindingTime Analysis
 Journal of Lisp and Symbolic Computation
, 1994
"... Firstorder projectionbased bindingtime analysis has proven genuinely useful in partial evaluation [Lau91a, Lau91c]. There have been three notable generalisations of projectionbased analysis to higher order. The first lacked a formal basis [Mog89]; the second used structures strictly more general ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Firstorder projectionbased bindingtime analysis has proven genuinely useful in partial evaluation [Lau91a, Lau91c]. There have been three notable generalisations of projectionbased analysis to higher order. The first lacked a formal basis [Mog89]; the second used structures strictly more general that projections, namely partial equivalence relations (PERs) [HS91]; the third involved a complex construction that gave rise to impractically large abstract domains [Dav93]. This paper presents a technique free of these shortcomings: it is simple, entirely projectionbased, satisfies a formal correctness condition, and gives rise to reasonably small abstract domains. Though the technique is cast in terms of projections, there is also an interpretation in terms of PERs. The principal limitation of the technique is the restriction to monomorphic typing. 1 Introduction and Background We take as given that bindingtime analysis is essential for good partial evaluation, and we do not address...
A Semantic Model of Binding Times for Safe Partial Evaluation
 Proc. Programming Languages: Implementations, Logics and Programs (PLILP
"... In program optimisation an analysis determines some information about a portion of a program, which is then used to justify certain transformations on the code. The correctness of the optimisation can be argued monolithically by considering the behaviour of the optimiser and a particular analysis i ..."
Abstract
 Add to MetaCart
In program optimisation an analysis determines some information about a portion of a program, which is then used to justify certain transformations on the code. The correctness of the optimisation can be argued monolithically by considering the behaviour of the optimiser and a particular analysis in conjunction. Alternatively, correctness can be established by finding an interface, a semantic property, between the analysis and the transformation. The semantic property provides modularity by giving a specification for a systematic construction of the analysis, and the program transformations are justified via the semantic properties. This paper considers the problem of partial evaluation. The safety of a partial evaluator ("it does not go wrong") has previously been argued in the monolithic style by considering the behaviour of a particular bindingtime analysis and program specialiser in conjunction. In this paper we pursue the alternative approach of justifying the bindingtime prop...