Results 1  10
of
23
Statedependent representation independence
 In Proceedings of the 36th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages
, 2009
"... Mitchell’s notion of representation independence is a particularly useful application of Reynolds ’ relational parametricity — two different implementations of an abstract data type can be shown contextually equivalent so long as there exists a relation between their type representations that is pre ..."
Abstract

Cited by 64 (19 self)
 Add to MetaCart
Mitchell’s notion of representation independence is a particularly useful application of Reynolds ’ relational parametricity — two different implementations of an abstract data type can be shown contextually equivalent so long as there exists a relation between their type representations that is preserved by their operations. There have been a number of methods proposed for proving representation independence in various pure extensions of System F (where data abstraction is achieved through existential typing), as well as in Algol or Javalike languages (where data abstraction is achieved through the use of local mutable state). However, none of these approaches addresses the interaction of existential type abstraction and local state. In particular, none allows one to prove representation independence results for generative ADTs — i.e., ADTs that both maintain some local state and define abstract types whose internal
A Logic of Secure Systems and its Application to Trusted Computing
"... We present a logic for reasoning about properties of secure systems. The logic is built around a concurrent programming language with constructs for modeling machines with shared memory, a simple form of access control on memory, machine resets, cryptographic operations, network communication and dy ..."
Abstract

Cited by 23 (3 self)
 Add to MetaCart
We present a logic for reasoning about properties of secure systems. The logic is built around a concurrent programming language with constructs for modeling machines with shared memory, a simple form of access control on memory, machine resets, cryptographic operations, network communication and dynamically loading and executing unknown (and potentially untrusted) code. The adversary’s capabilities are constrained by the system interface as defined in the programming model (leading to the name CSIADVERSARY). We develop a sound proof system for reasoning about programs, without explicitly reasoning about adversary actions. This form of reasoning was particularly difficult to codify for dynamically loaded unknown pieces of code. We use the logic to characterize trusted computing primitives and prove code integrity and execution integrity properties of two remote attestation protocols. The proofs make precise assumptions needed for the security of these protocols and reveal a surprising insecure interaction between the two protocols. 1
Verification of information flow and access control policies with dependent types
, 2011
"... We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can a ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard typetheoretic types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and statedependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.
Reasoning About Effects: Seeing the Wood Through the Trees (Extended Version)
"... Pure functional languages such as Haskell support programming with impure effects by exploiting mathematical notions such as monads, applicative functors, and arrows. However, in contrast to the wealth of research on the use of these notions to write effectful programs, there has been comparatively ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
Pure functional languages such as Haskell support programming with impure effects by exploiting mathematical notions such as monads, applicative functors, and arrows. However, in contrast to the wealth of research on the use of these notions to write effectful programs, there has been comparatively little progress on reasoning about the resulting programs. In this article we focus on this problem, using a simple but instructive example concerned with relabelling binary trees. 1
Local Reasoning for Global Invariants, Part II: Dynamic Boundaries
"... The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software ..."
Abstract

Cited by 7 (5 self)
 Add to MetaCart
The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first order assertions. The restrictions amount to a stateful frame condition that must be satisfied by any client; this dynamic encapsulation boundary complements conventional scopebased encapsulation. The technical development is based on a companion paper, Part I, that presents a programming logic with stateful frame conditions for commands.
Verifying Higherorder Programs with the Dijkstra Monad
"... Modern programming languages, ranging from Haskell and ML, to JavaScript, C # and Java, all make extensive use of higherorder state. This paper advocates a new verification methodology for higherorder stateful programs, based on a new monad of predicate transformers called the Dijkstra monad. Usin ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
Modern programming languages, ranging from Haskell and ML, to JavaScript, C # and Java, all make extensive use of higherorder state. This paper advocates a new verification methodology for higherorder stateful programs, based on a new monad of predicate transformers called the Dijkstra monad. Using the Dijkstra monad has a number of benefits. First, the monad naturally yields a weakest precondition calculus. Second, the computed specifications are structurally simpler in several ways, e.g., singlestate postconditions are sufficient (rather than the more complex twostate postconditions). Finally, the monad can easily be varied to handle features like exceptions and heap invariants, while retaining the same type inference algorithm. We implement the Dijkstra monad and its type inference algorithm for the F ⋆ programming language. Our most extensive case study evaluates the Dijkstra monad and its F ⋆ implementation by using it to verify JavaScript programs. Specifically, we describe a tool chain that translates programs in a subset of JavaScript decorated with assertions and loop invariants to F ⋆. Once in F ⋆ , our type inference algorithm computes verification conditions and automatically discharges their proofs using an SMT solver. We use our tools to prove that a core model of the JavaScript runtime in F ⋆ respects various invariants and that a suite of JavaScript source programs are free of runtime errors.
Just do it: Simple monadic equational reasoning
 In Proceedings of the 16th International Conference on Functional Programming (ICFP’11
, 2011
"... One of the appeals of pure functional programming is that it is so amenable to equational reasoning. One of the problems of pure functional programming is that it rules out computational effects. Moggi and Wadler showed how to get round this problem by using monads to encapsulate the effects, leadin ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
One of the appeals of pure functional programming is that it is so amenable to equational reasoning. One of the problems of pure functional programming is that it rules out computational effects. Moggi and Wadler showed how to get round this problem by using monads to encapsulate the effects, leading in essence to a phase distinction—a pure functional evaluation yielding an impure imperative computation. Still, it has not been clear how to reconcile that phase distinction with the continuing appeal of functional programming; does the impure imperative part become inaccessible to equational reasoning? We think not; and to back that up, we present a simple axiomatic approach to reasoning about programs with computational effects.
Superficially Substructural Types
"... Many substructural type systems have been proposed for controlling access to shared state in higherorder languages. Central to these systems is the notion of a resource, which may be split into disjoint pieces that different parts of a program can manipulate independently without worrying about int ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
Many substructural type systems have been proposed for controlling access to shared state in higherorder languages. Central to these systems is the notion of a resource, which may be split into disjoint pieces that different parts of a program can manipulate independently without worrying about interfering with one another. Some systems support a logical notion of resource (such as permissions), under which two resources may be considered disjoint even if they govern the same piece of state. However, in nearly all existing systems, the notions of resource and disjointness are fixed at the outset, baked into the model of the language, and fairly coarsegrained in the kinds of sharing they enable. In this paper, inspired by recent work on “fictional disjointness” in separation logic, we propose a simple and flexible way of enabling any module in a program to create its own custom type of splittable resource (represented as a commutative monoid), thus providing finegrained control over how the module’s private state is shared with its clients. This functionality can be incorporated into an otherwise standard substructural type system by means of a new typing rule we call the sharing rule, whose soundness we prove semantically via a novel resourceoriented Kripke logical relation. 1.
Typetheoretic semantics for transactional concurrency
, 2007
"... We propose a dependent type theory that integrates programming, specifications, and reasoning about higherorder concurrent programs with shared transactional memory. The design builds upon our previous work on Hoare Type Theory (HTT), which we extend with types that correspond to Hoarestyle specif ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
We propose a dependent type theory that integrates programming, specifications, and reasoning about higherorder concurrent programs with shared transactional memory. The design builds upon our previous work on Hoare Type Theory (HTT), which we extend with types that correspond to Hoarestyle specifications for transactions. The types track shared and local state of the process separately, and enforce that shared state always satisfies a given invariant, except at specific critical sections which appear to execute atomically. Atomic sections may violate the invariant, but must restore it upon exit. HTT follows Separation Logic in providing tight specifications of space requirements. As a logic, we argue that HTT is sound and compositional. As a programming language, we define its operational semantics and show adequacy with respect to specifications.