Abstract

Proof-carrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of low-level typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, low-level type systems by providing machine-checkable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the oper-ational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higher-order logic. I also show how to construct an indexed possible-worlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a full-fledged low-level typed assembly language. Finally, I present a semantic model for a region calculus that supports type-invariant references as well as memory reuse. iii

Citations

1734	The Anatomy of the Grid: Enabling Scalable Virtual Organizations - FOSTER, KESSELMAN, et al. - 2001
1023	The Java Virtual Machine Specification - Lindholm, Yellin - 1996
1016	Proof-carrying code - Necula - 1997
634	A framework for defining logics - Harper, Honsell, et al. - 1999
580	Types and Programming Languages - Pierce - 2002
557	From system F to typed assembly language - Morrisett, Walker, et al. - 1999
379	Jflow: practical mostly-static information flow control - Myers - 1999
332	Types, abstraction and parametric polymorphism - Reynolds - 1983
295	Concepts in Programming Languages - Mitchell - 2003
281	System description: Twelf - a meta-logical framework for deductive systems - Pfenning, Schürmann - 1999
274	Proving the Correctness of Multiprocess Programs - Lamport - 1977
267	G.D.: Abstract types have existential types - Mitchell, Plotkin - 1988
245	The Design and Implementation of a Certifying Compiler - Necula, Lee - 2004
214	The slam calculus: Programming with secrecy and integrity - Heintze, Riecke - 1998
213	Foundational proof-carrying code - Appel - 2001
188	Type systems - Cardelli - 1997
187	Logic in Computer Science. Modelling and reasoning about systems - Huth, Ryan - 2000
186	Typed memory management in a calculus of capabilities - Crary, Walker, et al. - 1999
179	1999], SASI enforcement of security policies: a retrospective - Erlingsson, Schneider
155	1963: ‘Semantical considerations on modal logic - Kripke
155	The essence of Algol - Reynolds - 1981
146	Typed closure conversion - Minamide, Morrisett, et al. - 1996
143	TALx86: A realistic typed assembly language - MORRISETT, CRARY, et al. - 1999
143	Inductive definitions in the system Coq: Rules and properties - Paulin-Mohring - 1993
138	Semantics of Programming Languages - Gunter - 1993
132	Flexible policy-directed code safety - Evans, Twyman - 1999
122	A semantic model of types and machine instructions for proof-carrying code - Appel, Felty - 2000
120	A Certifying Compiler for Java - Colby, Lee, et al. - 2000
119	IRM enforcement of Java stack inspection - Erlingsson, Schneider - 2000
115	The Glasgow Haskell compiler: a technical overview - Jones, Hall, et al. - 1993
114	An indexed model of recursive types for foundational proof-carrying code - Appel, McAllester - 2001
109	Comparing object encodings - Bruce, Cardelli, et al. - 1999
108	Equivalence in functional languages with effects - Mason, Talcott - 1991
106	Observable properties of higher order functions that dynamically create local names, or what’s new - Pitts, Stark - 1993
105	G.: A fully abstract game semantics for general references - Abramsky, Honda, et al. - 1998
104	Fully Abstract Models of Typed Lambda Calculi, Th - Milner - 1977
102	Proving congruence of bisimulation in functional programming languages - Howe - 1996
92	Equality in lazy computation systems - Howe - 1989
92	Relational properties of domains - Pitts - 1996
84	A syntactic approach to foundational proof carrying code - Hamid, Shao, et al. - 2002
75	Toward a foundational typed assembly language - Crary - 2003
75	Report on the programming language Haskell, version 1.2 - Hudak, Jones, et al. - 1992
75	The revised 4 report on the algorithmic language scheme - Clinger, Rees - 1991
74	Co-induction in relational semantics - Milner, Tofte - 1991
72	Parametric polymorphism and operational equivalence - Pitts - 2000
70	Impossible possible worlds vindicated - Hintikka - 1975
57	Vicious circles. On the mathematics of non-wellfounded phenomena - Barwise, Moss - 1996
56	A simplified account of polymorphic references - Harper - 1994
53	P.: Efficient representation and validation of proofs - Necula, Lee - 1998
53	S.P.: Oracle-based checking of untrusted software - Necula, Rahul