Results 1  10
of
12
A Logical Analysis of Aliasing in Imperative HigherOrder Functions
 INTERNATIONAL CONFERENCE ON FUNCTIONAL PROGRAMMING, ICFP’05
, 2005
"... We present a compositional program logic for callbyvalue imperative higherorder functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic ..."
Abstract

Cited by 28 (3 self)
 Add to MetaCart
We present a compositional program logic for callbyvalue imperative higherorder functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic
An Open Framework for Foundational ProofCarrying Code
 IN PROC. THE 2007 ACM SIGPLAN INTERNATIONAL WORKSHOP ON TYPES IN LANGUAGE DESIGN AND IMPLEMENTATION (TLDI’07
, 2007
"... Software systems usually use many different computation features and span different abstraction levels (e.g., user code level and the runtime system level). To build foundational certified systems, it is hard to have one verification system supporting all computation features. In this paper we prese ..."
Abstract

Cited by 23 (11 self)
 Add to MetaCart
Software systems usually use many different computation features and span different abstraction levels (e.g., user code level and the runtime system level). To build foundational certified systems, it is hard to have one verification system supporting all computation features. In this paper we present an open framework for foundational proofcarrying code (FPCC). It allows program modules to be specified and certified separately using different type systems or program logics. Certified modules (code + proof) can be linked to compose fully certified systems. The framework supports modular verification and proof reuse. It is extensible, and is expressive enough to allow invariants established in verification systems to be maintained when they are embedded in. Our framework is the first FPCC framework that systematically supports interoperation between different verification systems. It is fully mechanized in the Coq proof assistant with machinecheckable soundness proof.
A typed, compositional logic for a stackbased abstract machine
 In Proc. 3rd Asian Symposium on Programming Languages and Systems (APLAS), volume 3780 of Lecture Notes in Computer Science
, 2005
"... Abstract. We define a compositional program logic in the style of Floyd and Hoare for a simple, typed, stackbased abstract machine with unstructured control flow, global variables and mutually recursive procedure calls. Notable features of the logic include a careful treatment of auxiliary variable ..."
Abstract

Cited by 22 (7 self)
 Add to MetaCart
Abstract. We define a compositional program logic in the style of Floyd and Hoare for a simple, typed, stackbased abstract machine with unstructured control flow, global variables and mutually recursive procedure calls. Notable features of the logic include a careful treatment of auxiliary variables and quantification and the use of substructural typing to permit local, modular reasoning about program fragments. Semantic soundness is established using an interpretation of types and assertions defined by orthogonality with respect to sets of contexts. 1
Dependent type theory of stateful higherorder functions
, 2005
"... In this paper we investigate a logic for reasoning about programs with higherorder functions and effectful features like nontermination and state with aliasing. We propose a dependent type theory HTT (short for Hoare Type Theory), where types serve as program specifications. In case of effectful p ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
In this paper we investigate a logic for reasoning about programs with higherorder functions and effectful features like nontermination and state with aliasing. We propose a dependent type theory HTT (short for Hoare Type Theory), where types serve as program specifications. In case of effectful programs, the type of Hoare triples {P}x:A{Q} specifies the precondition P, the type of the return result A, and the postcondition Q. By CurryHoward isomorphism, a dependent type theory may be viewed as a functional programming language. From this perspective, the type of Hoare triples is a monad, and HTT is a monadic language, whose pure fragment consists of higherorder functions, while the effectful fragment is a full Turingcomplete imperative language with conditionals, loops, recursion and commands for stateful operations like allocation, lookup and mutation of location content. 1
An Approach to Formal Verification of Arithmetic Functions in Assembly—Proof Scripts. http://staff.aist.go.jp/ reynald.affeldt/seplog/asian2006
"... Abstract. It is customary to write performancecritical parts of arithmetic functions in assembly: this enables finelytuned algorithms that use specialized processor instructions. However, such optimizations make formal verification of arithmetic functions technically challenging, mainly because of ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
Abstract. It is customary to write performancecritical parts of arithmetic functions in assembly: this enables finelytuned algorithms that use specialized processor instructions. However, such optimizations make formal verification of arithmetic functions technically challenging, mainly because of many bitlevel manipulations of data. In this paper, we propose an approach for formal verification of arithmetic functions in assembly. It consists in the implementation in the Coq proof assistant of (1) a Hoare logic for assembly programs augmented with loops and (2) a certified translator to readytorun assembly with jumps. To properly handle formal verification of bitlevel manipulations of data, we propose an original encoding of machine integers. For concreteness, we use the SmartMIPS assembly language, an extension of the MIPS instruction set for smartcards, and we explain the formal verification of an optimized implementation of the Montgomery multiplication, a de factostandard for the implementation of many cryptosystems. 1
An Open Framework for Certified System Software
, 2008
"... Certified software consists of a machine executable program plus a machine checkable proof showing that the software is free of bugs with respect to a particular specification. Constructing certified system software is an important step toward building a reliable and secure computing platform for fu ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
Certified software consists of a machine executable program plus a machine checkable proof showing that the software is free of bugs with respect to a particular specification. Constructing certified system software is an important step toward building a reliable and secure computing platform for future critical applications. In addition to the benefits from provably safe components, architectures of certified systems may also be simplified to achieve better efficiency. However, because system software consists of program modules that use many different computation features and span different abstraction levels, it is difficult to design a single type system or program logic to certify the whole system. As a result, significant amount of kernel code of today’s operating systems has to be implemented in unsafe languages, despite recent progress on typesafe languages. In this thesis, I develop a new methodology to solve this problem, which applies different verification systems to certify different program modules, and then links the certified modules in an open framework to compose the whole certified software package. Specifically, this thesis makes contributions in the following two aspects. First, I develop new Hoarestyle program logics to certify lowlevel programs with
A Tutorial Example of the Semantic Approach to Foundational ProofCarrying Code
 PROC. SIXTEENTH INTERNATIONAL CONFERENCE ON REWRITING TECHNIQUES AND APPLICATIONS, LECTURE NOTES IN COMPUTER SCIENCE 3465
, 2005
"... Proofcarrying code provides a mechanism for insuring that a host, or code consumer, can safely run code delivered by a code producer. The host specifies a safety policy as a set of axioms and inference rules. In addition to a compiled program, the code producer delivers a formal proof of safety ex ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
Proofcarrying code provides a mechanism for insuring that a host, or code consumer, can safely run code delivered by a code producer. The host specifies a safety policy as a set of axioms and inference rules. In addition to a compiled program, the code producer delivers a formal proof of safety expressed in terms of those rules that can be easily checked. Foundational proofcarrying code (FPCC) provides increased security and greater flexibility in the construction of proofs of safety. Proofs of safety are constructed from the smallest possible set of axioms and inference rules. For example, typing rules are not included. In our semantic approach to FPCC, we encode a semantics of types from first principles and the typing rules are proved as lemmas. In addition, we start from a semantic definition of machine instructions and safety is defined directly from this semantics. Since FPCC starts from basic axioms and lowlevel definitions, it is necessary to build up a library of lemmas and definitions so that reasoning about particular programs can be carried out at a higher level, and ideally, also be automated. We describe a highlevel organization that involves Hoarestyle reasoning about machine code programs. This organization is presented using a detailed example. The example, as well as illustrating the above mentioned approach to organizing proofs, is designed to provide a tutorial introduction to a variety of facets of our FPCC approach. For example, it illustrates how to prove safety of programs that traverse input data structures as well as allocate new ones.
An untrusted verifier for typed assembly language
, 2004
"... I present the results of constructing a fully untrusted verifier for memory safety of Typed Assembly Language programs, using the Open Verifier architecture. The verifier is untrusted in the sense that its soundness depends only on axioms about the semantics of a concrete machine architecture, not o ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
I present the results of constructing a fully untrusted verifier for memory safety of Typed Assembly Language programs, using the Open Verifier architecture. The verifier is untrusted in the sense that its soundness depends only on axioms about the semantics of a concrete machine architecture, not on any axioms specific to a type system. This experiment served to evaluate both the expressiveness of the Open Verifier architecture and the quality of its support for simplifying the construction of verifiers. I discuss issues of proof generation that are generally not the focus of previous efforts for foundational checking of TAL, and I contrast with these past approaches the sort of logical formalization that is natural in the context of the Open Verifier. My approach is novel in that it uses direct reasoning about concrete machine states where past approaches have formalized typed abstract machines and proved their correspondence with concrete machines. I also describe a new approach to modeling higherorder functions that uses only firstorder logic. 1
Syntactic proofs of compositional compiler correctness
, 2009
"... Abstract. Semantic preservation by compilers for higherorder languages can be verified using simple syntactic methods. At the heart of classic techniques are relations between sourcelevel and targetlevel values. Unfortunately, these relations are specific to particular compilers, leading to corre ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. Semantic preservation by compilers for higherorder languages can be verified using simple syntactic methods. At the heart of classic techniques are relations between sourcelevel and targetlevel values. Unfortunately, these relations are specific to particular compilers, leading to correctness theorems that have nothing to say about linking programs with functions compiled by other compilers or written by hand in the target language. Theorems based on logical relations manage to avoid this problem, but at a cost: standard logical relations do not apply directly to programs with nontermination or impurity, and extensions to handle those features are relatively complicated, compared to the classical compiler verification literature. In this paper, we present a new approach to “open ” compiler correctness theorems that is “syntactic ” in the sense that the core relations do not refer to semantics. Though the technique is much more elementary than previous proposals, it scales up nicely to realistic languages. In particular, untyped and impure programs may be handled simply, while previous work has addressed neither in this context. Our approach is based on the observation that it is an unnecessary handicap to consider proofs as black boxes. We identify some theoremspecific proof skeletons, such that we can define an algebra of nondeterministic compilations and their proofs, and we can compose any two compilations to produce a correctbyconstruction result. We have prototyped these ideas with a Coq implementation of multiple CPS translations for an untyped MiniML source language with recursive functions, sums, products, mutable references, and exceptions. 1
Provably Secure Systems using Operating System Primitives
, 2004
"... 1 Introduction Security is fundamental in computing systems. Individuals, companies, and governments rely heavily on the reliability and confidentiality of information stored within these systems. However, the increase in the availability of highbandwidth connections has meant that a program can be ..."
Abstract
 Add to MetaCart
1 Introduction Security is fundamental in computing systems. Individuals, companies, and governments rely heavily on the reliability and confidentiality of information stored within these systems. However, the increase in the availability of highbandwidth connections has meant that a program can be downloaded from anywhere in the world. Coupled with lax security, this has meant an increase in the number of viruses and more subtle malicious programs. Proofcarrying code[9, 10] allows clients to safely execute code from untrusted sources. Such systems rely on the untrusted code carrying some certificate of security, showing that the program conforms to criteria set by the client; these certificates usually take the form of a formal proof of the desired security properties.