## Typed closure conversion preserves observational equivalence (2008)

### Download Links

- [ttic.uchicago.edu]
- [people.cs.uchicago.edu]
- [www.cs.indiana.edu]
- [www.ccs.neu.edu]
- [www.cs.uchicago.edu]
- DBLP

Citations: 17 (4 self)

### BibTeX

```bibtex
@TECHREPORT{Ahmed08typedclosure,
  author      = {Amal Ahmed and Matthias Blume},
  title       = {Typed closure conversion preserves observational equivalence},
  institution = {},
  year        = {2008}
}
```

### Abstract

Language-based security relies on the assumption that all potential attacks are bound by the rules of the language in question. When programs are compiled into a different language, this is true only if the translation process preserves observational equivalence. We investigate the problem of fully abstract compilation, i.e., compilation that both preserves and reflects observational equivalence. In particular, we prove that typed closure conversion for the polymorphic λ-calculus with existential and recursive types is fully abstract. Our proof uses operational techniques in the form of a step-indexed logical relation and construction of certain wrapper terms that “back-translate” from target values to source values. Although typed closure conversion has been assumed to be fully abstract, we are not aware of any previous result that actually proves this.

### Citations

From System F to typed assembly language
- Morrisett, Walker, et al.
- 1999
- 589 citations
Citation context: ...ons. Of course, this requires at least some abstraction facilities to be present in the target language. JVM bytecode and the CLR have been explicitly designed for this. Typed Assembly Language (TAL) [21] is one approach of bringing abstraction mechanisms even to low-level machine code. Assuming that the translation can be engineered in this way, the remaining problem is to show that the result ...

Types, abstraction and parametric polymorphism
- Reynolds
- 1983
- 364 citations
Citation context: ...on detail might enable an attack, then this detail is made inaccessible by hiding it behind an abstract interface, for example using an existential type. Results such as Reynolds’ abstraction theorem [26] provide the theoretical justification for this. Let L be a language and P = C[A] be a program written in L where A is the implementation of an abstraction and C is its context, i.e., the “rest of the...

The revised report on the syntactic theories of sequential control and
- Felleisen, Hieb
- 1992
- 257 citations
Citation context: ...es. Operational semantics. In Figure 3 we give a conventional, call-by-value, small-step operational semantics for our language as a context-sensitive rewrite system in the style of Felleisen and Hieb [10]. Syntactic Sugar. Figure 2 also shows some syntactic sugar that we will use throughout the paper. Most of it can be seen as straightforward “macros.” The definition of letrec is more involved, but ul...

Formal certification of a compiler back-end or: programming a compiler with a proof assistant
- Leroy
- 222 citations
Citation context: ...≈S s2 implies t1 ≈T t2, and equivalence-reflecting—meaning that t1 ≈T t2 implies s1 ≈S s2. Equivalence reflection captures the usual notion of correctness (i.e., preservation of semantics as in Leroy [15]): a translation is clearly not correct if it maps nonequivalent source terms to equivalent target terms. However, correct translations are often not equivalence-preserving. A translation is said to b...

Intensional interpretations of functionals of finite type I
- Tait
- 1967
- 211 citations
Citation context: ...difficult to work with contextual equivalence directly. Therefore, the first step is to find a characterization of equivalence that is easier to work with. In this paper we will use logical relations [29, 25, 24], specifically, a step-indexed logical relation that is sound and complete with respect to contextual equivalence [4]. To show preservation of equivalence we need a way of making use of s1 ≈S s2 when ...

Full abstraction for PCF
- Abramsky, Jagadeesan, et al.
- 193 citations
Citation context: ...ach of the languages includes the parallel conditional. This is needed to make the models fully abstract. There has been a great deal of work on fully abstract denotational models of languages (e.g., [22, 19, 8, 13, 2]). Our emphasis is somewhat different in that we focus on type-directed and type-preserving compilation. Given a sufficiently “clever” type translation, the types of compiled terms can impose well-beha...

Unboxed objects and polymorphic typing
- Leroy
- 1992
- 170 citations
Citation context: ... target). The terms W±⟦τ⟧ are called wrappers. Similar wrappers have been used in many other settings, including contracts [11, 7], multi-language interoperability² [18], or representation analysis [16, 28]. Our central result is that a translation s ❀ t can be “faked” using wrappers; that is, we show that if s ❀ t then the result ... (Footnote 1: Of course, this form of reasoning cannot establish equivalence reflecti...)

Typed closure conversion
- Minamide, Morrisett, et al.
- 1996
- 154 citations
Citation context: ...ironment and to pass this data structure as an additional argument to the λ-expression, thus turning it into a closed term. Typed closure conversion, which goes back to Minamide, Morrisett and Harper [20], holds the type of the closure environment abstract by existentially quantifying over it. In general, such existential quantification is necessary to make the translation term type-check at all. For ...

Contracts for Higher-Order Functions
- Findler, Felleisen
- 2002
- 115 citations
Citation context: ... W⁻⟦τ⟧ (mapping from target to source) and W⁺⟦τ⟧ (mapping from source to target). The terms W±⟦τ⟧ are called wrappers. Similar wrappers have been used in many other settings, including contracts [11, 7], multi-language interoperability² [18], or representation analysis [16, 28]. Our central result is that a translation s ❀ t can be “faked” using wrappers; that is, we show that if s ❀ t then the res...

Equivalence in functional languages with effects
- Mason, Talcott
- 1991
- 111 citations
Citation context: ...ets that can serve as valid interpretations of types (see below)—for the logical relation, we make use of the notion of ciu-equivalence (uses of closed instantiations) introduced by Mason and Talcott [17], which can be shown to be equivalent to contextual equivalence but is easier to work with since it cuts down the number of contexts under consideration. Here we only need to define ciu-equivalence fo...

Towards fully abstract semantics for local variables: Preliminary report
- Meyer, Sieber
- 1988
- 98 citations
Citation context: ...ach of the languages includes the parallel conditional. This is needed to make the models fully abstract. There has been a great deal of work on fully abstract denotational models of languages (e.g., [22, 19, 8, 13, 2]). Our emphasis is somewhat different in that we focus on type-directed and type-preserving compilation. Given a sufficiently “clever” type translation, the types of compiled terms can impose well-beha...

Protection in Programming-Language Translations
- Abadi
- 1999
- 78 citations
Citation context: ...y describes a number of ways in which abstractions were broken in the process of compiling C♯ to the CLR intermediate language [14]. Similar problems with Java have previously been examined by Abadi [1]. As Kennedy points out, there are at least three approaches to repairing failures of full abstraction. First, we could enrich the source language itself so that every target-level observation has a s...

Step-indexed syntactic logical relations for recursive and quantified types
- Ahmed
- 2006
- 69 citations
Citation context: ... step. The interpretation of existential types that we use here is different from an earlier account [4] which, we discovered, did not satisfy the equivalence-respecting property mentioned above (see [3] for details). As a result, that logical relation was incomplete with respect to contextual equivalence at existential types. (The proof that the interpretation of ∃α.τ in Figure 5 is equivalence-resp...

Flexible representation analysis
- Shao
- 1997
- 65 citations
Citation context: ... target). The terms W±⟦τ⟧ are called wrappers. Similar wrappers have been used in many other settings, including contracts [11, 7], multi-language interoperability² [18], or representation analysis [16, 28]. Our central result is that a translation s ❀ t can be “faked” using wrappers; that is, we show that if s ❀ t then the result ... (Footnote 1: Of course, this form of reasoning cannot establish equivalence reflecti...)

Abstract Predicates and Mutable ADTs in Hoare Type Theory
- Nanevski, Ahmed, et al.
- 2007
- 43 citations

Observable sequentiality and full abstraction
- Cartwright, Curien, et al.
- 1992
- 39 citations
Citation context: ...ach of the languages includes the parallel conditional. This is needed to make the models fully abstract. There has been a great deal of work on fully abstract denotational models of languages (e.g., [22, 19, 8, 13, 2]). Our emphasis is somewhat different in that we focus on type-directed and type-preserving compilation. Given a sufficiently “clever” type translation, the types of compiled terms can impose well-beha...

Lambda-definability and logical relations. Memorandum SAI–RM–4
- Plotkin
- 1973
- 34 citations
Citation context: ...difficult to work with contextual equivalence directly. Therefore, the first step is to find a characterization of equivalence that is easier to work with. In this paper we will use logical relations [29, 25, 24], specifically, a step-indexed logical relation that is sound and complete with respect to contextual equivalence [4]. To show preservation of equivalence we need a way of making use of s1 ≈S s2 when ...

Operational semantics for multilanguage programs
- Matthews, Findler
- 2007
- 33 citations
Citation context: ...d W⁺⟦τ⟧ (mapping from source to target). The terms W±⟦τ⟧ are called wrappers. Similar wrappers have been used in many other settings, including contracts [11, 7], multi-language interoperability² [18], or representation analysis [16, 28]. Our central result is that a translation s ❀ t can be “faked” using wrappers; that is, we show that if s ❀ t then the result ... (Footnote 1: Of course, this form of reasoning ...)

Existential Types: Logical Relations and Operational Equivalence
- Pitts
- 1998
- 31 citations
Citation context: ...difficult to work with contextual equivalence directly. Therefore, the first step is to find a characterization of equivalence that is easier to work with. In this paper we will use logical relations [29, 25, 24], specifically, a step-indexed logical relation that is sound and complete with respect to contextual equivalence [4]. To show preservation of equivalence we need a way of making use of s1 ≈S s2 when ...

Full Abstraction and Semantic Equivalence
- Mulmuley
- 1987
- 27 citations

Sound and complete models of contracts
- Blume, McAllester
- 2006
- 26 citations
Citation context: ... W⁻⟦τ⟧ (mapping from target to source) and W⁺⟦τ⟧ (mapping from source to target). The terms W±⟦τ⟧ are called wrappers. Similar wrappers have been used in many other settings, including contracts [11, 7], multi-language interoperability² [18], or representation analysis [16, 28]. Our central result is that a translation s ❀ t can be “faked” using wrappers; that is, we show that if s ❀ t then the res...

ECMA-335: Common Language Infrastructure (CLI). ECMA (European Association for Standardizing Information and Communication Systems)
- ECMA
- 2002
- 22 citations
Citation context: ...and such code can be generated by means other than compiling Java source code; Microsoft’s Common Language Runtime (CLR) was specifically designed to be the target of compilers for multiple languages [9]; most traditional compilers generate machine code, which can then be linked with other machine code. In all these situations it is easily possible that target contexts are too powerful in the sense t...

Fully abstract translations between functional languages (preliminary report)
- Riecke
- 1991
- 22 citations
Citation context: ...cts, (2) object closure conversion, and (3) an object encoding. Hence, for full abstraction of functional closure conversion, one would also need to prove encodings (1) and (3) fully abstract. Riecke [27] investigates fully abstract translations between call-by-name, call-by-value, and lazy PCF. The proofs rely on fully abstract denotational models of the languages. Each of the languages includes the p...

A fully abstract semantics for a concurrent functional language with monadic types
- Jeffrey
- 1995
- 21 citations

Securing the .NET programming model
- Kennedy
- 17 citations
Citation context: ...t they can make observations that source contexts cannot. Indeed, Kennedy describes a number of ways in which abstractions were broken in the process of compiling C♯ to the CLR intermediate language [14]. Similar problems with Java have previously been examined by Abadi [1]. As Kennedy points out, there are at least three approaches to repairing failures of full abstraction. First, we could enrich th...

Object closure conversion
- Glew
- 1999
- 12 citations
Citation context: ...lts consider recursive types. Our proofs are based on operational techniques, in particular, a step-indexed logical relation. They do not involve game semantics or other denotational approaches. Glew [12] showed a form of closure conversion for an object calculus and proved it fully abstract. But object closure conversion is simpler than functional closure conversion. Specifically, Glew notes that the...

The Java Programming Language. 4th edition
- Arnold, Gosling, et al.
- 2005
- 9 citations
Citation context: ...the answer to the above question would be “yes,” and the programmer’s reasoning based on source language rules would be correct. Unfortunately, this is often not the case. For instance, Java programs [6] are often distributed in the form of bytecode for the Java Virtual Machine, and such code can be generated by means other than compiling Java source code; Microsoft’s Common Language Runtime (CLR) wa...