Results 1  10
of
313
Foundational ProofCarrying Code
, 2001
"... Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axio ..."
Abstract

Cited by 228 (9 self)
 Add to MetaCart
Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axioms, using the simplest possible verifier and the smallest possible runtime system. I will describe many of the mathematical and engineering problems to be solved in the construction of a foundational proofcarrying code system.
ProofCarrying Authentication
 In Proceedings of the 6th ACM Conference on Computer and Communications Security
, 1999
"... We have designed and implemented a general and powerful distributed authentication framework based on higherorder logic. Authentication frameworks  including Taos, SPKI, SDSI, and X.509  have been explained using logic. We show that by starting with the logic, we can implement these framework ..."
Abstract

Cited by 173 (6 self)
 Add to MetaCart
We have designed and implemented a general and powerful distributed authentication framework based on higherorder logic. Authentication frameworks  including Taos, SPKI, SDSI, and X.509  have been explained using logic. We show that by starting with the logic, we can implement these frameworks, all in the same concise and efficient system. Because our logic has no decision procedure  although proof checking is simple  users of the framework must submit proofs with their requests.
An Indexed Model of Recursive Types for Foundational ProofCarrying Code
 ACM Transactions on Programming Languages and Systems
, 2000
"... The proofs of "traditional" proof carrying code (PCC) are typespecialized in the sense that they require axioms about a specific type system. In contrast, the proofs of foundational PCC explicitly define all required types and explicitly prove all the required properties of those types as ..."
Abstract

Cited by 134 (13 self)
 Add to MetaCart
The proofs of "traditional" proof carrying code (PCC) are typespecialized in the sense that they require axioms about a specific type system. In contrast, the proofs of foundational PCC explicitly define all required types and explicitly prove all the required properties of those types assuming only a fixed foundation of mathematics such as higherorder logic. Foundational PCC is both more flexible and more secure than typespecialized PCC.
A semantic model of types and machine instructions for proofcarrying code
 In Principles of Programming Languages
"... Proofcarrying code is a framework for proving the safety of machinelanguage programs with a machinecheckable proof. Such proofs have previously defined typechecking rules as part of the logic. We show a universal type framework for proofcarrying code that will allow a code producer to choose a p ..."
Abstract

Cited by 127 (17 self)
 Add to MetaCart
Proofcarrying code is a framework for proving the safety of machinelanguage programs with a machinecheckable proof. Such proofs have previously defined typechecking rules as part of the logic. We show a universal type framework for proofcarrying code that will allow a code producer to choose a programming language, prove the type rules for that language as lemmas in higherorder logic, then use those lemmas to prove the safety of a particular program. We show how to handle traversal, allocation, and initialization of values in a wide variety of types, including functions, records, unions, existentials, and covariant recursive types. 1
Engineering formal metatheory
 In ACM SIGPLANSIGACT Symposium on Principles of Programming Languages
, 2008
"... Machinechecked proofs of properties of programming languages have become a critical need, both for increased confidence in large and complex designs and as a foundation for technologies such as proofcarrying code. However, constructing these proofs remains a black art, involving many choices in th ..."
Abstract

Cited by 84 (9 self)
 Add to MetaCart
Machinechecked proofs of properties of programming languages have become a critical need, both for increased confidence in large and complex designs and as a foundation for technologies such as proofcarrying code. However, constructing these proofs remains a black art, involving many choices in the formulation of definitions and theorems that make a huge cumulative difference in the difficulty of carrying out large formal developments. The representation and manipulation of terms with variable binding is a key issue. We propose a novel style for formalizing metatheory, combining locally nameless representation of terms and cofinite quantification of free variable names in inductive definitions of relations on terms (typing, reduction,...). The key technical insight is that our use of cofinite quantification obviates the need for reasoning about equivariance (the fact that free names can be renamed in derivations); in particular, the structural induction principles of relations
On Equivalence and Canonical Forms in the LF Type Theory
 ACM Transactions on Computational Logic
, 2001
"... Decidability of definitional equality and conversion of terms into canonical form play a central role in the metatheory of a typetheoretic logical framework. Most studies of definitional equality are based on a confluent, stronglynormalizing notion of reduction. Coquand has considered a different ..."
Abstract

Cited by 82 (16 self)
 Add to MetaCart
Decidability of definitional equality and conversion of terms into canonical form play a central role in the metatheory of a typetheoretic logical framework. Most studies of definitional equality are based on a confluent, stronglynormalizing notion of reduction. Coquand has considered a different approach, directly proving the correctness of a practical equivalence algorithm based on the shape of terms. Neither approach appears to scale well to richer languages with unit types or subtyping, and neither directly addresses the problem of conversion to canonical form.
Languages of the Future
 In OOPSLA ’04: Companion to the 19th annual ACM SIGPLAN conference on Objectoriented programming systems, languages, and applications
, 2004
"... This paper explores a new point in the design space of formal reasoning systems  part programming language, part logical framework. The system is built on a programming language where the user expresses equality constraints between types and the type checker then enforces these constraints. This si ..."
Abstract

Cited by 69 (3 self)
 Add to MetaCart
This paper explores a new point in the design space of formal reasoning systems  part programming language, part logical framework. The system is built on a programming language where the user expresses equality constraints between types and the type checker then enforces these constraints. This simple extension to the type system allows the programmer to describe properties of his program in the types of witness objects which can be thought of as concrete evidence that the program has the property desired. These techniques and two other rich typing mechanisms, rankN polymorphism and extensible kinds, create a powerful new programming idiom for writing programs whose types enforce semantic properties. A language with these features is both a practical programming language and a logic. This marriage between two previously separate entities increases the probability that users will apply formal methods to their programming designs. This kind of synthesis creates the foundations for the languages of the future.
An Effective Theory of Type Refinements
, 2002
"... We develop an explicit two level system that allows programmers to reason about the behavior of effectful programs. The first level is an ordinary MLstyle type system, which confers standard properties on program behavior. The second level is a conservative extension of the first that uses a logic ..."
Abstract

Cited by 62 (5 self)
 Add to MetaCart
We develop an explicit two level system that allows programmers to reason about the behavior of effectful programs. The first level is an ordinary MLstyle type system, which confers standard properties on program behavior. The second level is a conservative extension of the first that uses a logic of type refinements to check more precise properties of program behavior. Our logic is a fragment of intuitionistic linear logic, which gives programmers the ability to reason locally about changes of program state. We provide a generic resource semantics for our logic as well as a sound, decidable, syntactic refinementchecking system. We also prove that refinements give rise to an optimization principle for programs. Finally, we illustrate the power of our system through a number of examples.
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 55 (5 self)
 Add to MetaCart
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
A symmetric modal lambda calculus for distributed computing
 IN PROCEEDINGS OF THE 19TH IEEE SYMPOSIUM ON LOGIC IN COMPUTER SCIENCE (LICS
, 2004
"... We present a foundational language for distributed programming, called Lambda 5, that addresses both mobilityof code and locality of resources. In order to construct our system, we appeal to the powerful propositionsastypes interpretation of logic. Specifically, we take the possible worlds of the ..."
Abstract

Cited by 51 (12 self)
 Add to MetaCart
We present a foundational language for distributed programming, called Lambda 5, that addresses both mobilityof code and locality of resources. In order to construct our system, we appeal to the powerful propositionsastypes interpretation of logic. Specifically, we take the possible worlds of the intuitionistic modal logic IS5 to be nodes ona network, and the connectives 2 and 3 to reflect mobility and locality, respectively. We formulate a novel systemof natural deduction for IS5, decomposing the introduction and elimination rules for 2 and 3, thereby allowing thecorresponding programs to be more direct. We then give an operational semantics to our calculus that is typesafe, logically faithful, and computationally realistic.