## An expressive, scalable type theory for certified code (2002)

### Other Repositories/Bibliography

- Venue: ACM International Conference on Functional Programming (ICFP 2002)
- Citations: 35 (4 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Crary02anexpressive,
  author    = {Karl Crary and Joseph C. Vanderwaart},
  title     = {An expressive, scalable type theory for certified code},
  booktitle = {In ACM International Conference on Functional Programming},
  year      = {2002},
  pages     = {191--205},
  publisher = {ACM Press}
}
```

### Abstract

We present the type theory LTT, intended to form a basis for typed target languages, providing an internal notion of logical proposition and proof. The inclusion of explicit proofs allows the type system to guarantee properties that would otherwise be incompatible with decidable type checking. LTT also provides linear facilities for tracking ephemeral properties that hold only for certain program states. Our type theory allows for re-use of typechecking software by casting a variety of type systems within a single language. We provide additional re-use with a framework for modular development of operational semantics. This framework allows independent type systems and their operational semantics to be joined together, automatically inheriting the type safety properties of those individual systems.

### Citations

1075 | The Java Virtual Machine Specification
- Lindholm
- 1996
Citation Context: ...distribute to lists, requires prior specific permission and/or a fee. ICFP'02, October 4-6, 2002, Pittsburgh, Pennsylvania, USA. Copyright 2002 ACM 1-58113-487-8/02/0010 ...$5.00 Machine architecture [13] certifies intermediate-level, bytecode programs. Recently, there has been considerable interest in certified code architectures that operate at the level of executables, thereby eliminating the need ...

696 | A Framework for Defining Logics
- Harper, Honsell, et al.
- 1993
Citation Context: ...oriented approach tends to be rather type-theoretic in practice. PCC safety proofs are usually structured using types, and existing implementations of PCC all use the Edinburgh Logical Framework (LF) [8] as their formal logic, in which proof checking boils down to type checking. Nevertheless, there is an important difference between the extrinsic safety evidence of the proof-oriented approach, and th...

605 | The Definition of Standard ML (Revised)
- Milner, Tofte, et al.
- 1997
Citation Context: ...ere is never a need for proofs to go away. This is satisfactory for purely functional programming, and it also suffices for some stateful type systems as well. For example, the references of Standard ML [12], once created, never disappear. However, we can provide considerably more expressive power for stateful programming by going beyond just intuitionistic proofs and adding linear proof constructs from ...

588 | From System F to Typed Assembly Language
- Morrisett, Walker, et al.
- 1999
Citation Context: ...n explored for executable-level certified code: the proof-oriented approach exemplified by Proof-Carrying Code (PCC) [15, 1], and the type-theoretic approach exemplified by Typed Assembly Language (TAL) [14]. In the proof-oriented approach, executable programs are accompanied by explicit proofs of safety expressed in a formal logic. Safety is then verified by checking the correctness of the proof. In the ...

441 | The formulae-as-types notion of construction
- Howard
- 1980
Citation Context: ...We then present the framework for modular development of operational semantics in Section 6. This paper assumes familiarity with linear logic [6, 18] and with the propositions-as-types correspondence [9]. Additional familiarity with LF and logical frameworks in general will be helpful, but is not required. 2 Intuitionistic LTT The LTT type theory consists of two parts: a proof sub-language, and a com...

404 | Extensibility, safety and performance in the SPIN operating system
- Bershad, Savage, et al.
- 1995
Citation Context: ...ablishing the code's safety. A variety of certified code architectures exist, differing in the kind of code that is certified and in the form that the safety evidence takes. For example, the SPIN system [2] certifies source-level Modula-3 programs, and the Java Virtual Machine architecture [11] certifies intermediate-level, bytecode programs. Recently, there has been considerable interest in certified code...

398 | Safe Kernel Extensions without Run-Time Checking
- Necula, Lee
- 2004
Citation Context: ...ler, or to incur the performance cost of an interpreter. Two main directions have been explored for executable-level certified code: the proof-oriented approach exemplified by Proof-Carrying Code (PCC) [15, 1], and the type-theoretic approach exemplified by Typed Assembly Language (TAL) [14]. In the proof-oriented approach, executable programs are accompanied by explicit proofs of safety expressed in a form...

259 | Compiling Polymorphism Using Intensional Type Analysis
- Harper, Morrisett
- 1995
Citation Context: ...ecursion, which LF does not (as such a construct would destroy LF's notion of canonical forms). Consequently, SSTP can use primitive recursion on encoded types to support intensional type analysis [9, 5], which LTT cannot. Various proposals have been made for extending LF with primitive recursion [6, 20, 19] and we are exploring integrating one of these into LTT. LTT provides the power for very expre...

215 | Logical frameworks
- Pfenning
- 2001
Citation Context: ...ated, never disappear. However, we can provide considerably more expressive power for stateful programming by going beyond just intuitionistic proofs and adding linear proof constructs from Linear LF [3] as well. This allows the proof of facts that hold for the current state, but may later cease to hold; any operation that may falsify such a fact will arrange to consume that fact's proof. As an examp...

194 | Typed memory management in a calculus of capabilities
- Walker, Crary, et al.
- 2000
Citation Context: ...plex, because they are backed up by explicit proofs that the code consumer need not be able to reproduce. Second, although both approaches have been shown to be scalable to more powerful type systems [13, 5, 16, 1, 4], the proof-oriented approach enjoys much greater internal scalability in the following sense: Each new extension to TAL requires a new type system, and therefore requires a new typechecker and a new ...

169 | Alias types
- Smith, Walker, et al.
- 2000
Citation Context: ...plex, because they are backed up by explicit proofs that the code consumer need not be able to reproduce. Second, although both approaches have been shown to be scalable to more powerful type systems [13, 5, 16, 1, 4], the proof-oriented approach enjoys much greater internal scalability in the following sense: Each new extension to TAL requires a new type system, and therefore requires a new typechecker and a new ...

169 | Eliminating array bound checking through dependent types
- Xi, Pfenning
- 1998
Citation Context: ...e theory. As an example, we show how LTT can, by appropriate choice of a signature, express a type system for arrays without automatic bounds checking, following the ideas of Xi, Pfenning, and Harper [21, 20]. In this example, a well-typed array subscript operation must be supplied with a proof that the subscript is within the appropriate bounds. This example is typical of mostly functional extensions. In...

163 | Inductive definitions in the system Coq: Rules and properties
- Paulin-Mohring
- 1993
Citation Context: ...ed code very similar in spirit to ours, which we refer to here as SSTP. While LTT is constructed by attaching LF to a typed programming language, SSTP attaches the Calculus of Inductive Constructions [18] instead. LF and Inductive Constructions are similar in that both have been widely used to formalize mathematics and both enjoy mature, robust implementations. However, there are significant differenc...

146 | A Linearly Typed Assembly Language
- Cheney, Morrisett
- 2003
Citation Context: ...plex, because they are backed up by explicit proofs that the code consumer need not be able to reproduce. Second, although both approaches have been shown to be scalable to more powerful type systems [13, 5, 16, 1, 4], the proof-oriented approach enjoys much greater internal scalability in the following sense: Each new extension to TAL requires a new type system, and therefore requires a new typechecker and a new ...

129 | A certifying compiler for Java
- Colby, Lee, et al.
- 2000

127 | A semantic model of types and machine instructions for proof-carrying code
- Appel, Felty
Citation Context: ...ler, or to incur the performance cost of an interpreter. Two main directions have been explored for executable-level certified code: the proof-oriented approach exemplified by Proof-Carrying Code (PCC) [15, 1], and the type-theoretic approach exemplified by Typed Assembly Language (TAL) [14]. In the proof-oriented approach, executable programs are accompanied by explicit proofs of safety expressed in a form...

123 | Primitive recursion for higher-order abstract syntax
- Despeyroux, Pfenning, et al.
- 1997
Citation Context: ...nsequently, SSTP can use primitive recursion on encoded types to support intensional type analysis [9, 5], which LTT cannot. Various proposals have been made for extending LF with primitive recursion [6, 20, 19] and we are exploring integrating one of these into LTT. LTT provides the power for very expressive type systems by allowing operations to demand proofs of arbitrary propositions (thereby escaping the...

88 | A Type System for Expressive Security Policies
- Walker
- 2000
Citation Context: ...sily be encoded in LTT by an appropriate choice of propositions (represented equivalences and constraints) and proof terms. Beyond this, we conjecture that the security automata type system of Walker [19] and the alias-tracking type system of Smith et al. [16] can easily be encoded in LTT as well. The casting of all these type systems into one uniform framework by itself promotes one sort of reuse, th...

83 | On equivalence and canonical forms in the LF type theory
- Harper, Pfenning
Citation Context: ... ⊢_S A_1 = A_2 : K is derivable, and whether or not ; ⊢_{S;R} M_1 = M_2 : A is derivable. The proof [17] is based on a logical relations argument modeled after the analogous proof of Harper and Pfenning [8] for intuitionistic LF. From this it is easy to show decidability of LTT typechecking: Corollary 4.3 Suppose S and R are well-formed, ⊢_S S context, and ⊢_S context. Then it is decidable whether or ...

79 | Automating the Meta-Theory of Deductive Systems
- Schürmann
- 2000
Citation Context: ...nsequently, SSTP can use primitive recursion on encoded types to support intensional type analysis [9, 5], which LTT cannot. Various proposals have been made for extending LF with primitive recursion [6, 20, 19] and we are exploring integrating one of these into LTT. LTT provides the power for very expressive type systems by allowing operations to demand proofs of arbitrary propositions (thereby escaping the...

76 | Flexible Type Analysis
- Crary, Weirich
- 1999
Citation Context: ...ecursion, which LF does not (as such a construct would destroy LF's notion of canonical forms). Consequently, SSTP can use primitive recursion on encoded types to support intensional type analysis [9, 5], which LTT cannot. Various proposals have been made for extending LF with primitive recursion [6, 20, 19] and we are exploring integrating one of these into LTT. LTT provides the power for very expre...

72 | A taste of linear logic
- Wadler
- 1993
Citation Context: ... LTT and treat its operational semantics only informally. We then present the framework for modular development of operational semantics in Section 6. This paper assumes familiarity with linear logic [6, 18] and with the propositions-as-types correspondence [9]. Additional familiarity with LF and logical frameworks in general will be helpful, but is not required. 2 Intuitionistic LTT The LTT type theory ...

69 | Dependently Typed Assembly Language
- Xi, Harper
- 1999
Citation Context: ...e theory. As an example, we show how LTT can, by appropriate choice of a signature, express a type system for arrays without automatic bounds checking, following the ideas of Xi, Pfenning, and Harper [21, 20]. In this example, a well-typed array subscript operation must be supplied with a proof that the subscript is within the appropriate bounds. This example is typical of mostly functional extensions. In...

57 | A framework for defining logics
- Harper, Honsell, et al.
- 1993
Citation Context: ...oriented approach tends to be rather type-theoretic in practice. PCC safety proofs are usually structured using types, and existing implementations of PCC all use the Edinburgh Logical Framework (LF) [7] as their formal logic, in which proof checking boils down to type checking. Nevertheless, there is an important difference between the extrinsic safety evidence of the proof-oriented approach, and the...

49 | The Java Virtual Machine Specification
- Lindholm, Yellin
- 1999
Citation Context: ...n the kind of code that is certified and in the form that the safety evidence takes. For example, the SPIN system [2] certifies source-level Modula-3 programs, and the Java Virtual Machine architecture [11] certifies intermediate-level, bytecode programs. Recently, there has been considerable interest in certified code architectures that operate at the level of executables, thereby eliminating the need fo...

35 | Automated Theorem Proving in a Simple Meta-Logic for LF
- Schürmann, Pfenning
- 1998
Citation Context: ...nsequently, SSTP can use primitive recursion on encoded types to support intensional type analysis [9, 5], which LTT cannot. Various proposals have been made for extending LF with primitive recursion [6, 20, 19] and we are exploring integrating one of these into LTT. LTT provides the power for very expressive type systems by allowing operations to demand proofs of arbitrary propositions (thereby escaping the...

20 | TinkerType: A Language for Playing with Formal Systems
- Levin, Pierce
- 2000
Citation Context: ...the safety proofs thereof. To our knowledge, this is the only such account. A similar effort to LTT, as far as its re-usability goals are concerned, is the TinkerType meta-language of Levin and Pierce [10]. Unlike LTT, which casts everything in a common language, TinkerType emphasizes modular development of comparatively dissimilar type systems (such as F , F , F! , etc.). TinkerType provides for modu...

16 | Linear logic. Theoretical Computer Science
- 1987
Citation Context: ... LTT and treat its operational semantics only informally. We then present the framework for modular development of operational semantics in Section 6. This paper assumes familiarity with linear logic [6, 18] and with the propositions-as-types correspondence [9]. Additional familiarity with LF and logical frameworks in general will be helpful, but is not required. 2 Intuitionistic LTT The LTT type theory ...

15 | A simplified account of the metatheory of linear LF
- Vanderwaart, Crary
- 2001
Citation Context: ...en in practical use. However, they do substantially complicate the presentation of the type system, so we have removed them here. Accordingly, decidability of LTT typechecking is based on a new proof [17] of decidable typechecking for Linear LF. As is often the case, typechecking in LTT boils down to the problem of deciding equivalence of types. In LTT this proves to be easy, provided it is possible to d...