Achieving information flow security through monadic control of effects. Invited submission to Journal of Computer Security
Cited by 4 (4 self)
This paper advocates a novel approach to the construction of secure software: controlling information flow and maintaining integrity via monadic encapsulation of effects. This approach is constructive, relying on properties of monads and monad transformers to build, verify, and extend secure software systems. We illustrate this approach by construction of abstract operating systems called separation kernels. Starting from a mathematical model of shared-state concurrency based on monads of resumptions and state, we outline the development by stepwise refinements of separation kernels supporting Unix-like system calls, interdomain communication, and a formally verified security policy (domain separation). Because monads may be easily and safely represented within any pure, higher-order, typed functional language, the resulting system models may be directly realized within a language such as Haskell.
Beating the Productivity Checker Using Embedded Languages
Cited by 4 (1 self)
Some total languages, like Agda and Coq, allow the use of guarded corecursion to construct infinite values and proofs. Guarded corecursion is a form of recursion in which arbitrary recursive calls are allowed, as long as they are guarded by a coinductive constructor. Guardedness ensures that programs are productive, i.e. that every finite prefix of an infinite value can be computed in finite time. However, many productive programs are not guarded, and it can be nontrivial to put them in guarded form. This paper gives a method for turning a productive program into a guarded program. The method amounts to defining a problem-specific language as a data type, writing the program in the problem-specific language, and writing a guarded interpreter for this language.
Streaming Representation-Changers. LNCS, 2004
Cited by 3 (0 self)
Unfolds generate data structures, and folds consume them.
An operational domain-theoretic treatment of recursive types. In: Twenty-Second Mathematical Foundations of Programming Semantics, 2006
Cited by 2 (2 self)
We develop a domain theory for treating recursive types with respect to contextual equivalence. The principal approach taken here deviates from classical domain theory in that we do not produce the recursive types via the usual inverse limits constructions; we have it for free by working directly with the operational semantics. By extending type expressions to endofunctors on a ‘syntactic’ category, we establish algebraic compactness. To do this, we rely on an operational version of the minimal invariance property. In addition, we apply techniques developed herein to reason about FPC programs. Key words: Operational domain theory, recursive types, FPC, realisable functor, algebraic compactness, generic approximation lemma, denotational semantics
Unfolding abstract datatypes. In MPC ’08: Proceedings of the 9th International Conference on Mathematics of Program Construction, 2008
Cited by 2 (0 self)
We argue that abstract datatypes — with public interfaces hiding private implementations — represent a form of codata rather than ordinary data, and hence that proof methods for corecursive programs are the appropriate techniques to use for reasoning with them. In particular, we show that the universal properties of unfold operators are perfectly suited for the task. We illustrate with the solution to a problem in the recent literature.
Subtyping, Declaratively: An Exercise in Mixed Induction and Coinduction
Cited by 1 (0 self)
It is natural to present subtyping for recursive types coinductively. However, Gapeyev, Levin and Pierce have noted that there is a problem with coinductive definitions of non-trivial transitive inference systems: they cannot be “declarative”, as opposed to “algorithmic” or syntax-directed, because coinductive inference systems with an explicit rule of transitivity are trivial. We propose a solution to this problem. By using mixed induction and coinduction we define an inference system for subtyping which combines the advantages of coinduction with the convenience of an explicit rule of transitivity. The definition uses coinduction for the structural rules, and induction for the rule of transitivity. We also discuss under what conditions this technique can be used when defining other inference systems. The developments presented in the paper have been mechanised using Agda, a dependently typed programming language and proof assistant.
about Programs General Terms
This pearl develops a statement about parallel prefix computation in the spirit of Knuth’s 0-1-Principle for oblivious sorting algorithms. It turns out that 0-1 is not quite enough here. The perfect hammer for the nails we are going to drive in is relational parametricity. Categories and Subject Descriptors D.1.1 [Programming Techniques]:
The Worker/Wrapper Transformation (Extended Version)
The worker/wrapper transformation is a technique for changing the type of a computation, usually with the aim of improving its performance. It has been used by compiler writers for many years, but the technique is little-known in the wider functional programming community, and has never been described precisely. In this article we explain, formalise, and explore the generality of the worker/wrapper transformation. We also provide a systematic recipe for its use as an equational reasoning technique for improving the performance of programs, and illustrate the power of this recipe using a range of examples.
External Examiner, 2006
The results reported in Part III consist of joint work with Martín Escardó [14]. All the other results reported in this thesis are due to the author, except for background results, which are clearly stated as such. Some of the results in Part IV have already appeared as [28]. Note: this version of the thesis, produced on October 31, 2006, is the result of completing all the minor modifications suggested by both examiners in the viva report (Ref: CLM/AC/497773). We develop an operational domain theory to reason about programs in sequential functional languages. The central idea is to export domain-theoretic techniques of the Scott denotational semantics directly to the study of contextual pre-order and equivalence. We investigate to what extent this can be done for two deterministic functional programming languages: PCF (Programming-language for Computable Functionals) and FPC (Fixed Point Calculus).
Categories and Subject Descriptors: F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs
The worker/wrapper transformation is a general-purpose technique for refactoring recursive programs to improve their performance, without compromising their correctness. The two previous approaches to formalising the technique were based upon different recursion operators, and different correctness conditions. In this article we show how these two approaches can be generalised in a uniform manner by combining and extending their correctness conditions, and explore the benefits that result.

