Results 1  10
of
19
Secure distributed programming with valuedependent types
 In: Proceedings of the 13th ACM SIGPLAN International Conference on Functional Programming (ICFP
, 2011
"... Distributed applications are difficult to program reliably and securely. Dependently typed functional languages promise to prevent broad classes of errors and vulnerabilities, and to enable program verification to proceed sidebyside with development. However, as recursion, effects, and rich librar ..."
Abstract

Cited by 44 (13 self)
 Add to MetaCart
Distributed applications are difficult to program reliably and securely. Dependently typed functional languages promise to prevent broad classes of errors and vulnerabilities, and to enable program verification to proceed sidebyside with development. However, as recursion, effects, and rich libraries are added, using types to reason about programs, specifications, and proofs becomes challenging. We present F ⋆ , a fullfledged design and implementation of a new dependently typed language for secure distributed programming. Unlike prior languages, F ⋆ provides arbitrary recursion while maintaining a logically consistent core; it enables modular reasoning about state and other effects using affine types; and it supports proofs of refinement properties using a mixture of cryptographic evidence and logical proof terms. The key mechanism is a new kind system that tracks several sublanguages within F ⋆ and controls their interaction. F ⋆ subsumes two previous languages, F7 and Fine. We prove type soundness (with proofs mechanized in Coq) and logical consistency for F ⋆. We have implemented a compiler that translates F ⋆ to.NET bytecode, based on a prototype for Fine. F ⋆ provides access to libraries for concurrency, networking, cryptography, and interoperability with C#, F#, and the other.NET languages. The compiler produces verifiable binaries with 60 % code size overhead for proofs and types, as much as a 45x improvement over the Fine compiler, while still enabling efficient bytecode verification. To date, we have programmed and verified more than 20,000 lines of F ⋆ including (1) new schemes for multiparty sessions; (2) a zeroknowledge privacypreserving payment protocol; (3) a provenanceaware curated database; (4) a suite of 17 webbrowser extensions verified for authorization properties; and (5) a cloudhosted multitier web application with a verified reference monitor.
A proofcarrying file system
, 2009
"... This paper presents the design and implementation of PCFS, a file system that uses formal proofs and capabilities to efficiently enforce access policies expressed in a rich logic. Salient features include backwards compatibility with existing programs and automatic enforcement of access rules that d ..."
Abstract

Cited by 19 (10 self)
 Add to MetaCart
This paper presents the design and implementation of PCFS, a file system that uses formal proofs and capabilities to efficiently enforce access policies expressed in a rich logic. Salient features include backwards compatibility with existing programs and automatic enforcement of access rules that depend on both time and system state. We rigorously prove that enforcement using capabilities is correct, and evaluate the file system’s performance.
Typepreserving Compilation for Endtoend Verification of Security Enforcement
"... A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessar ..."
Abstract

Cited by 15 (7 self)
 Add to MetaCart
A number of programming languages use rich type systems to verify security properties of code. Some of these languages are meant for source programming, but programs written in these languages are compiled without explicit security proofs, limiting their utility in settings where proofs are necessary, e.g., proofcarrying authorization. Others languages do include explicit proofs, but these are generally lambda calculi not intended for source programming, that must be further compiled to an executable form. A language suitable for source programming backed by a compiler that enables endtoend verification is missing. In this paper, we present a typepreserving compiler that translates programs written in FINE, a sourcelevel functional language with dependent refinements and affine types, to DCIL, a new extension of the.NET Common Intermediate Language. FINE is type checked using an external SMT solver to reduce the proof burden on source programmers. We extract explicit LCFstyle proof terms from the solver and carry these proof terms in the compilation to DCIL, thereby removing the solver from the trusted computing base. Explicit proofs enable DCIL to be used in a number of important scenarios, including the verification of mobile code, proofcarrying authorization, and evidencebased auditing. We report on our experience using FINE to build reference monitors for several applications, ranging from a pluginbased email client to a conference management server.
SecurityTyped Programming within DependentlyTyped Programming
"... Abstract. Several recent securitytyped programming languages allow programmers to express and enforce authorization policies governing access to controlled resources. Policies are expressed as propositions in an authorization logic, and enforced by a type system that requires each access to a sensi ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
Abstract. Several recent securitytyped programming languages allow programmers to express and enforce authorization policies governing access to controlled resources. Policies are expressed as propositions in an authorization logic, and enforced by a type system that requires each access to a sensitive resource to be accompanied by a proof. The securitytyped languages described in the literature, such as Aura and PCML5, have been presented as new, standalone language designs. In this paper, we instead show how to embed a securitytyped programming language within an existing dependently typed programming language, Agda. This languagedesign strategy allows us to inherit both the metatheoretic results, such as type safety, and the implementation of the host language. Our embedding consists of the following ingredients: First, we represent the syntax and proofs of an authorization logic, Garg and Pfenning’s BL0, using dependent types. Second, we implement a proof search procedure, based on a focused sequent calculus, to ease the burden of constructing proofs. Third, we define an indexed monad of computations on behalf of a principal, with proofcarrying primitive operations. Our work shows that a dependently typed language can be used to prototype a securitytyped language, and contributes to the growing body of literature on using dependently typed languages to construct domainspecific type systems. 1
Verification of information flow and access control policies with dependent types
, 2011
"... We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can a ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard typetheoretic types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and statedependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.
B.: Proofcarrying code in a sessiontyped process calculus
 In: Proc. of CPP ’11. LNCS
, 2011
"... Abstract. Dependent session types allow us to describe not only properties of the I/O behavior of processes but also of the exchanged data. In this paper we show how to exploit dependent session types to express proofcarrying communication. We further introduce two modal operators into the type the ..."
Abstract

Cited by 6 (5 self)
 Add to MetaCart
Abstract. Dependent session types allow us to describe not only properties of the I/O behavior of processes but also of the exchanged data. In this paper we show how to exploit dependent session types to express proofcarrying communication. We further introduce two modal operators into the type theory to provide detailed control about how much information is communicated: one based on traditional proof irrelevance and one integrating digital signatures.
A monadic formalization of ML5
 In Prepreceedings of Workshop on Logical Frameworks and Metalanguages: Theory and Practice
, 2010
"... ML5 is a programming language for spatially distributed computing, based on a CurryHoward correspondence with the modal logic S5. However, the ML5 programming language differs from the logic in several ways. In this paper, we give a semantic embedding of ML5 into the dependently typed programming l ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
ML5 is a programming language for spatially distributed computing, based on a CurryHoward correspondence with the modal logic S5. However, the ML5 programming language differs from the logic in several ways. In this paper, we give a semantic embedding of ML5 into the dependently typed programming language Agda, which both explains these discrepancies between ML5 and S5 and suggests some simplifications and generalizations of the language. Our embedding translates ML5 into a slightly different logic: intuitionistic S5 extended with a lax modality that encapsulates effectful computations in a monad. Rather than formalizing lax S5 as a proof theory, we embed it as a universe within the the dependently typed host language, with the universe elimination given by implementing the modal logic’s Kripke semantics. 1
Selfcertification: Bootstrapping certified typecheckers in F* with Coq
 In POPL
, 2012
"... Wellestablished dependentlytyped languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependentlytyped languages such as Aura, ATS, Cayenne, Epigram, F ⋆ , F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All the ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Wellestablished dependentlytyped languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependentlytyped languages such as Aura, ATS, Cayenne, Epigram, F ⋆ , F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All these languages shine in their own regard, but their implementations do not themselves enjoy the degree of safety provided by machinechecked verification. We propose a general technique called selfcertification that allows a typechecker for a suitably expressive language to be certified for correctness. We have implemented this technique for F ⋆ , a dependently typed language on the.NET platform. Selfcertification involves implementing a typechecker for F ⋆ in F ⋆ , while using all the conveniences F ⋆ provides for the compilerwriter (e.g., partiality, effects, implicit conversions, proof automation, libraries). This typechecker is given a specification (in F ⋆ ) strong enough to ensure that it computes valid typing derivations. We obtain a typing derivation for the core typechecker by running it on itself, and we export it to Coq as a typederivation certificate. By typechecking this derivation (in Coq) and applying the F ⋆ metatheory (also mechanized in Coq), we conclude that our type checker is correct. Once certified in this manner, the F ⋆ typechecker is emancipated from Coq. Selfcertification leads to an efficient certification scheme—we no longer depend on verifying certificates in Coq—as well as a more broadly applicable one. For instance, the selfcertified F ⋆ checker is suitable for use in adversarial settings where Coq is not intended for use, such as runtime certification of mobile code.
Labeled Sequent Calculi for Access Control Logics: Countermodels, Saturation and Abduction
, 2012
"... We show that Kripke semantics of modal logic, manifest in the syntactic proof formalism of labeled sequent calculi, can be used to solve three central problems in access control: Generating evidence for denial of access (countermodel generation), finding all consequences of a policy (saturation) and ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
We show that Kripke semantics of modal logic, manifest in the syntactic proof formalism of labeled sequent calculi, can be used to solve three central problems in access control: Generating evidence for denial of access (countermodel generation), finding all consequences of a policy (saturation) and determining which additional credentials will allow an access (abduction). At the core of our work is a single, nontrivial, countermodel producing decision procedure for a specific access control logic. The procedure is based on backwards search in a labeled sequent calculus for the logic. Modifications of the calculus yield a procedure for abduction and, surprisingly, for saturation. 1
Typed Language Support for ProofCarrying Authorization (Lecture Notes)
, 2009
"... Previous lectures in this class covered logicbased representation of access policies as well as their enforcement with proofcarrying authorization (PCA). The idea behind PCA is twofold. First, access policies and credentials of principals are expressed as logical formulas, which are published in ..."
Abstract
 Add to MetaCart
Previous lectures in this class covered logicbased representation of access policies as well as their enforcement with proofcarrying authorization (PCA). The idea behind PCA is twofold. First, access policies and credentials of principals are expressed as logical formulas, which are published in digitally signed certificates. Second, the reference monitor