Proof-Carrying Code, 1997
Cited by 1240 (27 self)
This paper describes proof-carrying code (PCC), a mechanism by which a host system can determine with certainty that it is safe to execute a program supplied (possibly in binary form) by an untrusted source. For this to be possible, the untrusted code producer must supply with the code a safety proof that attests to the code's adherence to a previously defined safety policy. The host can then easily and quickly validate the proof without using cryptography and without consulting any external agents. In order to gain preliminary experience with PCC, we have performed several case studies. We show in this paper how proof-carrying code might be used to develop safe assembly-language extensions of ML programs. In the context of this case study, we present and prove the adequacy of concrete representations for the safety policy, the safety proofs, and the proof validation. Finally, we briefly discuss how we use proof-carrying code to develop network packet filters that are faster than similar filters developed using other techniques and are formally guaranteed to be safe with respect to a given operating system safety policy.
Logic Programming in the LF Logical Framework, 1991
Cited by 188 (53 self)
this paper we describe Elf, a metalanguage intended for environments dealing with deductive systems represented in LF. While this paper is intended to include a full description of the Elf core language, we only state, but do not prove here, the most important theorems regarding the basic building blocks of Elf. These proofs are left to a future paper. A preliminary account of Elf can be found in [26]. The range of applications of Elf includes theorem proving and proof transformation in various logics, definition and execution of structured operational and natural semantics for programming languages, type checking and type inference, etc. The basic idea behind Elf is to unify logic definition (in the style of LF) with logic programming (in the style of Prolog, see [22, 24]). It achieves this unification by giving types an operational interpretation, much the same way that Prolog gives certain formulas (Horn clauses) an operational interpretation. An alternative approach to logic programming in LF has been developed independently by Pym [28]. Here are some of the salient characteristics of our unified approach to logic definition and metaprogramming. First of all, the Elf search process automatically constructs terms that can represent object-logic proofs, and thus a program need not construct them explicitly. This is in contrast to logic programming languages where executing a logic program corresponds to theorem proving in a metalogic, but a metaproof is never constructed or used and it is solely the programmer's responsibility to construct object-logic proofs where they are needed. Secondly, the partial correctness of many metaprograms with respect to a given logic can be expressed and proved by Elf itself (see the example in Section 5). This creates the possibilit...
A New Approach to Abstract Syntax Involving Binders
In 14th Annual Symposium on Logic in Computer Science, 1999
Cited by 177 (20 self)
Murdoch Gabbay (Cambridge University DPMMS, Cambridge CB2 1SB, UK, M.J.Gabbay@cantab.com) and Andrew Pitts (Cambridge University Computer Laboratory, Cambridge CB2 3QG, UK, ap@cl.cam.ac.uk)
The Fraenkel-Mostowski permutation model of set theory with atoms (FM-sets) can serve as the semantic basis of metalogics for specifying and reasoning about formal systems involving name binding, α-conversion, capture-avoiding substitution, and so on. We show that in FM-set theory one can express statements quantifying over `fresh' names and we use this to give a novel set-theoretic interpretation of name abstraction. Inductively defined FM-sets involving this name-abstraction set former (together with cartesian product and disjoint union) can correctly encode object-level syntax modulo α-conversion. In this way, the standard theory of algebraic data types can be extended to encompass signatures involving binding operators. In particular, there is an associated n...
Rewriting Logic as a Logical and Semantic Framework, 1993
Cited by 169 (56 self)
Rewriting logic [72] is proposed as a logical framework in which other logics can be represented, and as a semantic framework for the specification of languages and systems. Using concepts from the theory of general logics [70], representations of an object logic L in a framework logic F are understood as mappings L → F that translate one logic into the other in a conservative way. The ease with which such maps can be defined for a number of quite different logics of interest, including equational logic, Horn logic with equality, linear logic, logics with quantifiers, and any sequent calculus presentation of a logic for a very general notion of "sequent," is discussed in detail. Using the fact that rewriting logic is reflective, it is often possible to reify inside rewriting logic itself a representation map L → RWLogic for the finitely presentable theories of L. Such a reification takes the form of a map between the abstract data types representing the finitary theories of...
Forum: A multiple-conclusion specification logic
Theoretical Computer Science, 1996
Cited by 96 (12 self)
The theory of cut-free sequent proofs has been used to motivate and justify the design of a number of logic programming languages. Two such languages, λProlog and its linear logic refinement, Lolli [15], provide for various forms of abstraction (modules, abstract data types, and higher-order programming) but lack primitives for concurrency. The logic programming language LO (Linear Objects) [2] provides some primitives for concurrency but lacks abstraction mechanisms. In this paper we present Forum, a logic programming presentation of all of linear logic that modularly extends λProlog, Lolli, and LO. Forum, therefore, allows specifications to incorporate both abstractions and concurrency. To illustrate the new expressive strengths of Forum, we specify in it a sequent calculus proof system and the operational semantics of a programming language that incorporates references and concurrency. We also show that the metatheory of linear logic can be used to prove properties of the object-languages specified in Forum.
The Semantics of Reflected Proof
In Proc. of Fifth Symp. on Logic in Comp. Sci., 1990
Cited by 95 (11 self)
We begin to lay the foundations for reasoning about proofs whose steps include both invocations of programs to build subproofs (tactics) and references to representations of proofs themselves (reflected proofs). The main result is the definition of a single type of proof which can mention itself, using a new technique which finds a fixed point of a mapping between metalanguage and object language. This single type contrasts with hierarchies of types used in other approaches to accomplish the same classification. We show that these proofs are valid, and that every proof can be reduced to a proof involving only primitive inference rules. We also show how to extend the results to proofs from which programs (such as tactics) can be derived, and to proofs that can refer to a library of definitions and previously proven theorems. We believe that the mechanism of reflection is fundamental in building proof development systems, and we illustrate its power with applications to automating reasoning and describing modes of computation.
Using Typed Lambda Calculus to Implement Formal Systems on a Machine
Journal of Automated Reasoning, 1992
Cited by 93 (16 self)
this paper and the LF. In particular the idea of having an operator T : Prop → Type appears already in De Bruijn's earlier work, as does the idea of having several judgements. The paper [24] describes the basic features of the LF. In this paper we are going to provide a broader illustration of its applicability and discuss to what extent it is successful. The analysis (of the formal presentation) of a system carried out through encoding often illuminates the system itself. This paper will also deal with this phenomenon.
A Multiple-Conclusion Meta-Logic
In Proceedings of 9th Annual IEEE Symposium on Logic in Computer Science, 1994
Cited by 87 (7 self)
The theory of cut-free sequent proofs has been used to motivate and justify the design of a number of logic programming languages. Two such languages, λProlog and its linear logic refinement, Lolli [12], provide data types, higher-order programming) but lack primitives for concurrency. The logic programming language LO (Linear Objects) [2] provides for concurrency but lacks abstraction mechanisms. In this paper we present Forum, a logic programming presentation of all of linear logic that modularly extends the languages λProlog, Lolli, and LO. Forum, therefore, allows specifications to incorporate both abstractions and concurrency. As a metalanguage, Forum greatly extends the expressiveness of these other logic programming languages. To illustrate its expressive strength, we specify in Forum a sequent calculus proof system and the operational semantics of a functional programming language that incorporates such non-functional features as counters and references.
The Theory of LEGO: A Proof Checker for the Extended Calculus of Constructions, 1994
Cited by 73 (10 self)
LEGO is a computer program for interactive type-checking in the Extended Calculus of Constructions and two of its subsystems. LEGO also supports the extension of these three systems with inductive types. These type systems can be viewed as logics, and as metalanguages for expressing logics, and LEGO is intended to be used for interactively constructing proofs in mathematical theories presented in these logics. I have developed LEGO over six years, starting from an implementation of the Calculus of Constructions by Gérard Huet. LEGO has been used for problems at the limits of our abilities to do formal mathematics. In this thesis I explain some aspects of the metatheory of LEGO's type systems leading to a machine-checked proof that type-checking is decidable for all three type theories supported by LEGO, and to a verified algorithm for deciding their typing judgements, assuming only that they are normalizing. In order to do this, the theory of Pure Type Systems (PTS) is extended and f...
Unification and Anti-Unification in the Calculus of Constructions
In Sixth Annual IEEE Symposium on Logic in Computer Science, 1991
Cited by 71 (16 self)
We present algorithms for unification and anti-unification in the Calculus of Constructions, where occurrences of free variables (the variables subject to instantiation) are restricted to higher-order patterns, a notion investigated for the simply-typed λ-calculus by Miller. Most general unifiers and least common anti-instances are shown to exist and are unique up to a simple equivalence. The unification algorithm is used for logic program execution and type and term reconstruction in the current implementation of Elf and has shown itself to be practical. The main application of the anti-unification algorithm we have in mind is that of proof generalization.
1 Introduction
Higher-order logic with an embedded simply-typed λ-calculus has been used as the basis for a number of theorem provers (for example [1, 19]) and the programming language λProlog [16]. Central to these systems is an implementation of Huet's pre-unification algorithm for the simply-typed λ-calculus [12] which has shown it...