A type-theory for higher-order amortized analysis
Verification of worst-case bounds (on the resource usage of programs) is an important problem in computer science. The usefulness of such verification depends on the precision of the underlying analysis. For precision, it is sometimes useful to consider the average cost over a sequence of operations instead of separately considering the cost of each individual operation. This kind of analysis is often referred to as amortized resource analysis. Typically, programs that optimize their internal state to reduce the cost of future executions benefit from such approaches. Analyzing the resource usage of a standard functional (FIFO) queue implemented using two functional (LIFO) lists is a classic example of amortized analysis. In this thesis we present λamor, a type theory for amortized resource analysis of higher-order functional programs. A typical amortized analysis works by storing a ghost state called the potential with data structures.
The key idea underlying amortized analysis is to show that the potential available to the program is sufficient to account for the resource usage of that program. Verification in λamor is based on internalizing this idea into a type theory. We achieve this by providing a general type-theoretic construct to represent potential at the level of types and then building an affine type theory around it. With λamor we show that type-theoretic amortized analysis can be performed using well-understood concepts from substructural and modal type theories. Yet it yields an extremely expressive framework which can be used for resource analysis of higher-order programs, both in a strict and in a lazy setting. We show embeddings of two very different styles (one based on effects and the other on coeffects) of type-theoretic resource analysis frameworks into λamor. We show that λamor is sound (using a logical relations model) and complete for cost analysis of PCF programs (using one of the embeddings). Next, we apply ideas from λamor to develop another type theory (called λcg) for a very different domain, Information Flow Control (IFC). λcg uses a type-theoretic construct similar to the one λamor uses for the potential to represent confidentiality labels (the ghost state for IFC). Finally, we abstract away from the specific ghost states (potential and confidentiality labels) and describe how to develop a type theory for a general ghost state with a monoidal structure.
Information Flow Control in WebKit's JavaScript Bytecode
Websites today routinely combine JavaScript from multiple sources, both
trusted and untrusted. Hence, JavaScript security is of paramount importance. A
specific interesting problem is information flow control (IFC) for JavaScript.
In this paper, we develop, formalize and implement a dynamic IFC mechanism for
the JavaScript engine of a production Web browser (specifically, Safari's
WebKit engine). Our IFC mechanism works at the level of JavaScript bytecode and
hence leverages years of industrial effort on optimizing both the source to
bytecode compiler and the bytecode interpreter. We track both explicit and
implicit flows and observe only moderate overhead. Working with bytecode
results in new challenges including the extensive use of unstructured control
flow in bytecode (which complicates lowering of program context taints),
unstructured exceptions (which complicate the matter further) and the need to
make IFC analysis permissive. We explain how we address these challenges,
formally model the JavaScript bytecode semantics and our instrumentation, prove
the standard property of termination-insensitive non-interference, and present
experimental results on an optimized prototype.
Generalizing Permissive-Upgrade in Dynamic Information Flow Analysis
Preventing implicit information flows by dynamic program analysis requires
coarse approximations that result in false positives, because a dynamic monitor
sees only the executed trace of the program. One widely deployed method is the
no-sensitive-upgrade check, which terminates a program whenever a variable's
taint is upgraded (made more sensitive) due to a control dependence on tainted
data. Although sound, this method is restrictive, e.g., it terminates the
program even if the upgraded variable is never used subsequently. To counter
this, Austin and Flanagan introduced the permissive-upgrade check, which allows
a variable upgrade due to control dependence, but marks the variable
"partially-leaked". The program is stopped later if it tries to use the
partially-leaked variable. Permissive-upgrade handles the dead-variable
assignment problem and remains sound. However, Austin and Flanagan develop
permissive-upgrade only for a two-point (low-high) security lattice and
indicate a generalization to pointwise products of such lattices. In this
paper, we develop a non-trivial and non-obvious generalization of
permissive-upgrade to arbitrary lattices. The key difficulty lies in finding a
suitable notion of partial leaks that is both sound and permissive and in
developing a suitable definition of memory equivalence that allows an inductive
proof of soundness.
Types for Information Flow Control: Labeling Granularity and Semantic Models
Language-based information flow control (IFC) tracks dependencies within a
program using sensitivity labels and prohibits public outputs from depending on
secret inputs. In particular, literature has proposed several type systems for
tracking these dependencies. On one extreme, there are fine-grained type
systems (like Flow Caml) that label all values individually and track
dependence at the level of individual values. On the other extreme are
coarse-grained type systems (like HLIO) that track dependence coarsely, by
associating a single label with an entire computation context and not labeling
all values individually.
In this paper, we show that, despite their glaring differences, both these
styles are, in fact, equally expressive. To do this, we show a semantics- and
type-preserving translation from a coarse-grained type system to a fine-grained
one and vice-versa. The forward translation isn't surprising, but the backward
translation is: It requires a construct to arbitrarily limit the scope of a
context label in the coarse-grained type system (e.g., HLIO's "toLabeled"
construct). As a separate contribution, we show how to extend work on logical
relation models of IFC types to higher-order state. We build such logical
relations for both the fine-grained type system and the coarse-grained type
system. We use these relations to prove the two type systems and our
translations between them sound.
Comment: 31st IEEE Symposium on Computer Security Foundations (CSF 2018).
Radiological examination of impact of edentulism on the articular eminence inclination using orthopantomogram
Background: Occlusion is an important component of the temporomandibular joint (TMJ). Little is known about the association between missing teeth and TMJ changes. The objective of this study was to compare the inclination of the articular eminence (AE) between dentulous and edentulous arches. Method: A total of 500 patients were divided into group A (dentulous) and group B (edentulous). Group B was further divided into subgroups based on years of edentulism: group 1, group 2 and group 3. On each patient's panoramic radiograph, the sagittal outlines of the AE and glenoid fossa were traced, and a sagittal condylar path inclination was constructed by joining the crest of the glenoid fossa and the crest of the AE. This was then related to the constructed Frankfurt horizontal plane to determine the inclination of the AE. Results: The mean measured AE inclination varied across the groups. The mean and standard deviation (combining right and left) was 42.8 ± 6.83 degrees for Group A, 30.45 ± 6.55 degrees for Group B, 30.2 ± 7.23 degrees for Group 1, 31.2 ± 4.75 degrees for Group 2, and 27.5 ± 9.3 degrees for Group 3. Significant differences were found in AE inclination between the dentulous and edentulous groups (P < 0.05). Conclusion: A significant difference in AE inclination was found between the dentulous and edentulous groups, as well as with increasing duration of edentulism.
Discussing environmental education in everyday school life: project development in the school and initial and continuing teacher training
This study sought to discuss how Environmental Education (EE) has been addressed in primary education (Ensino Fundamental) at a state school in the municipality of Tangará da Serra/MT, Brazil, and how the teachers of this school understand EE and incorporate it into everyday school life. To this end, interviews were conducted with the teachers who take part in an interdisciplinary EE project at the school studied. It was found that the school's project has not been achieving its proposed objectives because of: teachers' unfamiliarity with the project; deficient teacher training; a failure to understand EE as a teaching-learning process; a lack of teaching resources; and inadequate planning of activities. Based on this finding, the study sought to debate the impossibility of addressing the topic outside interdisciplinary work, as well as, and above all, the importance of a more in-depth study of EE that links theory and practice, both in teacher training and in school projects, in order to move beyond the traditional association of "EE with ecology, garbage and the vegetable garden".