A bisimulation for type abstraction and recursion
- SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES, 2005
Cited by 37 (3 self)
We present a bisimulation method for proving the contextual equivalence of packages in λ-calculus with full existential and recursive types. Unlike traditional logical relations (either semantic or syntactic), our development is “elementary,” using only sets and relations and avoiding advanced machinery such as domain theory, admissibility, and ⊤⊤-closure. Unlike other bisimulations, ours is complete even for existential types. The key idea is to consider sets of relations—instead of just relations—as bisimulations.
The impact of higher-order state and control effects on local relational reasoning (Technical appendix), 2010
Cited by 22 (9 self)
Reasoning about program equivalence is one of the oldest problems in semantics. In recent years, useful techniques have been developed, based on bisimulations and logical relations, for reasoning about equivalence in the setting of increasingly realistic languages—languages nearly as complex as ML or Haskell. Much of the recent work in this direction has considered the interesting representation independence principles enabled by the use of local state, but it is also important to understand the principles that powerful features like higher-order state and control effects disable. This latter topic has been broached extensively within the framework of game semantics, resulting in what Abramsky dubbed the “semantic cube”: fully abstract game-semantic characterizations of various axes in the design space of ML-like languages. But when it comes to reasoning about many actual examples, game semantics does not yet supply a useful technique for proving equivalences. In this paper, we marry the aspirations of the semantic cube to the powerful proof method of step-indexed Kripke logical relations. Building on recent work of Ahmed, Dreyer, and Rossberg, we define the first fully abstract logical relation for an ML-like language with recursive types, abstract types, general references and call/cc. We then show how, under orthogonal restrictions to the expressive power of our language—namely, the restriction to first-order state and/or the removal of call/cc—we can enhance the proving power of our possible-worlds model in correspondingly orthogonal ways, and we demonstrate this proving power on a range of interesting examples. Central to our story is the use of state transition systems to model the way in which properties of local state evolve over time.
A Complete Characterization of Observational Equivalence in Polymorphic λ-Calculus with General References, 2009
Cited by 14 (2 self)
We give a (sound and complete) characterization of observational equivalence in full polymorphic λ-calculus with existential types and first-class, higher-order references. Our method is syntactic and elementary in the sense that it only employs simple structures such as relations on terms. It is nevertheless powerful enough to prove many interesting equivalences that can and cannot be proved by previous approaches, including the latest work by Ahmed, Dreyer and Rossberg (to appear in POPL 2009).
A Relational Modal Logic for Higher-Order Stateful ADTs
Cited by 14 (9 self)
The method of logical relations is a classic technique for proving the equivalence of higher-order programs that implement the same observable behavior but employ different internal data representations. Although it was originally studied for pure, strongly normalizing languages like System F, it has been extended over the past two decades to reason about increasingly realistic languages. In particular, Appel and McAllester’s idea of step-indexing has been used recently to develop syntactic Kripke logical relations for ML-like languages that mix functional and imperative forms of data abstraction. However, while step-indexed models are powerful tools, reasoning with them directly is quite painful, as one is forced to engage in tedious step-index arithmetic to derive even simple results. In this paper, we propose a logic LADR for equational reasoning about higher-order programs in the presence of existential type abstraction, general recursive types, and higher-order mutable state. LADR exhibits a novel synthesis of features from Plotkin-Abadi logic, Gödel-Löb logic, S4 modal logic, and relational separation logic. Our model of LADR is based on Ahmed, Dreyer, and Rossberg’s state-of-the-art step-indexed Kripke logical relation, which was designed to facilitate proofs of representation independence for “state-dependent” ADTs. LADR enables one to express such proofs at a much higher level, without counting steps or reasoning about the subtle, step-stratified construction of possible worlds.
A Type System for Data-Flow Integrity on Windows Vista, 2007
Cited by 7 (7 self)
The Microsoft Windows Vista operating system implements mandatory access control (MAC) for multi-level integrity. Vista’s MAC implementation is designed to balance security with functionality—trusted processes may read untrusted values, and integrity labels may be changed dynamically. While such flexibility makes the system more usable, it also opens the door for information flow vulnerabilities. We propose data-flow integrity (DFI) as a practical security property in this context, and present a type system to enforce DFI in Vista. As long as all trusted code is certified by the type system, we guarantee that locations whose contents are trusted never contain untrusted values, regardless of what untrusted code runs in the environment. Our type system relies on Vista’s dynamic MAC checks for soundness, and illustrates the genuine interplay between static analysis and runtime checks that is needed to ensure such protection. Our study may be viewed as a formalization of the security design of Vista; in particular, our type system formalizes conjectured best practices for secure programming on Vista. Further, we show that while Vista’s write access checks are necessary to enforce DFI, the access control on execution of binaries can in fact be eliminated as a runtime optimization if trusted code is typed using our type system.
On the Expressiveness and Decidability of Higher-Order Process Calculi, 2008
Cited by 4 (3 self)
In higher-order process calculi the values exchanged in communications may contain processes. A core calculus of higher-order concurrency is studied; it has only the operators necessary to express higher-order communications: input prefix, process output, and parallel composition. By exhibiting a nearly deterministic encoding of Minsky Machines, the calculus is shown to be Turing Complete and therefore its termination problem is undecidable. Strong bisimilarity, however, is proved to be decidable. Further, the main forms of strong bisimilarity for higher-order processes (higher-order bisimilarity, context bisimilarity, normal bisimilarity, barbed congruence) coincide. They also coincide with their asynchronous versions. A sound and complete axiomatization of bisimilarity is given. Finally, bisimilarity is shown to become undecidable if at least four static (i.e., top-level) restrictions are added to the calculus.
A Generic Operational Metatheory for Algebraic Effects
Cited by 4 (0 self)
We provide a syntactic analysis of contextual preorder and equivalence for a polymorphic programming language with effects. Our approach applies uniformly to arbitrary algebraic effects, and thus incorporates, as instances: errors, input/output, global state, nondeterminism, probabilistic choice, and combinations thereof. Our approach is to extend Plotkin and Power’s structural operational semantics for algebraic effects (FoSSaCS 2001) with a primitive “basic preorder” on ground type computation trees. The basic preorder is used to derive notions of contextual preorder and equivalence on program terms. Under mild assumptions on this relation, we prove fundamental properties of contextual preorder (hence equivalence) including extensionality properties, a characterisation via applicative contexts, and machinery for reasoning about polymorphism using relational parametricity.
On the Semantics of Markov Automata
Cited by 2 (2 self)
Markov automata describe systems in terms of events which may be nondeterministic, may occur probabilistically, or may be subject to time delays. We define a novel notion of weak bisimulation for such systems and prove that this provides both a sound and complete proof methodology for a natural extensional behavioural equivalence between such systems, a generalisation of reduction barbed congruence, the well-known touchstone equivalence for a large variety of process description languages.
On the Bisimulation Theory and Axiomatization of Higher-order Process Calculi
Cited by 1 (0 self)
Higher-order process calculi, for their abstraction capability and theoretical significance, have constantly been receiving much attention in the field of process calculi, and stand as a mathematical tool for describing and analyzing mobile systems with dynamically changing inter-connection structures. In this thesis we contribute to the higher-order paradigm in several aspects.
• Higher-order π-calculus with mismatch: the bisimulation theory.
• Linear fragment of higher-order π-calculus with mismatch: the axiomatization.
The problem of the axiomatization of higher-order process calculi, such as higher-order π-calculus, is always a non-trivial one. However, it is important, both in theory and practice, to be able to decide whether two higher-order processes are equivalent with respect to some bisimulation, which needs an algorithm that can effectively analyze and give an answer efficiently. We further the available work by considering the higher-order π-calculus with mismatch, which is a useful operator in bisimulation theory and especially the axiomatization, from an algorithmic point of view. We first formulate the bisimulation theory, where the bisimulation we define is called open weak higher-order bisimulation, which is a non-delayed
First-order reasoning for higher-order concurrency (manuscript), 2010
Cited by 1 (1 self)
By combining and simplifying two of the most prominent theories for HOπ of Sangiorgi et al. and Jeffrey and Rathke [15, 4], we present an effective first-order theory for a higher-order pi-calculus. There are two significant aspects to our theory. The first is that higher-order inputs are treated in a first-order manner, hence eliminating the need to reason about arbitrarily complicated higher-order contexts, or to use up-to context techniques, when establishing equivalences between processes. The second is that we use augmented processes to record directly the knowledge of the observer. This has the benefit of making ordinary first-order weak bisimulation fully abstract w.r.t. contextual equivalence. It also simplifies the handling of names, giving rise to a truly propositional Hennessy-Milner characterisation of higher-order contextual equivalence. Furthermore, we illustrate the simplicity of our approach in proving several interesting equivalences by exhibiting first-order witness weak bisimulations, and inequivalences by using the propositional Hennessy-Milner Logic. Finally we show that contextual equivalence