28 research outputs found
Bidirectional Type Checking for Relational Properties
Relational type systems have been designed for several applications including
information flow, differential privacy, and cost analysis. In order to achieve
the best results, these systems often use relational refinements and relational
effects to maximally exploit the similarity in the structure of the two
programs being compared. Relational type systems are appealing for relational
properties because they deliver simpler and more precise verification than what
could be derived from typing the two programs separately. However, relational
type systems do not yet achieve the practical appeal of their non-relational
counterpart, in part because of the lack of a general foundations for
implementing them.
In this paper, we take a step in this direction by developing bidirectional
relational type checking for systems with relational refinements and effects.
Our approach achieves the benefits of bidirectional type checking, in a
relational setting. In particular, it significantly reduces the need for typing
annotations through the combination of type checking and type inference. In
order to highlight the foundational nature of our approach, we develop
bidirectional versions of several relational type systems which incrementally
combine many different components needed for expressive relational analysis.Comment: 14 page
A Relational Logic for Higher-Order Programs
Relational program verification is a variant of program verification where
one can reason about two programs and as a special case about two executions of
a single program on different inputs. Relational program verification can be
used for reasoning about a broad range of properties, including equivalence and
refinement, and specialized notions such as continuity, information flow
security or relative cost. In a higher-order setting, relational program
verification can be achieved using relational refinement type systems, a form
of refinement types where assertions have a relational interpretation.
Relational refinement type systems excel at relating structurally equivalent
terms but provide limited support for relating terms with very different
structures.
We present a logic, called Relational Higher Order Logic (RHOL), for proving
relational properties of a simply typed -calculus with inductive types
and recursive definitions. RHOL retains the type-directed flavour of relational
refinement type systems but achieves greater expressivity through rules which
simultaneously reason about the two terms as well as rules which only
contemplate one of the two terms. We show that RHOL has strong foundations, by
proving an equivalence with higher-order logic (HOL), and leverage this
equivalence to derive key meta-theoretical properties: subject reduction,
admissibility of a transitivity rule and set-theoretical soundness. Moreover,
we define sound embeddings for several existing relational type systems such as
relational refinement types and type systems for dependency analysis and
relative cost, and we verify examples that were out of reach of prior work.Comment: Submitted to ICFP 201
Reasoning about the garden of forking paths
Lazy evaluation is a powerful tool for functional programmers. It enables the
concise expression of on-demand computation and a form of compositionality not
available under other evaluation strategies. However, the stateful nature of
lazy evaluation makes it hard to analyze a program's computational cost, either
informally or formally. In this work, we present a novel and simple framework
for formally reasoning about lazy computation costs based on a recent model of
lazy evaluation: clairvoyant call-by-value. The key feature of our framework is
its simplicity, as expressed by our definition of the clairvoyance monad. This
monad is both simple to define (around 20 lines of Coq) and simple to reason
about. We show that this monad can be effectively used to mechanically reason
about the computational cost of lazy functional programs written in Coq.Comment: 28 pages, accepted by ICFP'2
Dependent Merges and First-Class Environments
In most programming languages a (runtime) environment stores all the definitions that are available to programmers. Typically, environments are a meta-level notion, used only conceptually or internally in the implementation of programming languages. Only a few programming languages allow environments to be first-class values, which can be manipulated directly in programs. Although there is some research on calculi with first-class environments for statically typed programming languages, these calculi typically have significant restrictions.
In this paper we propose a statically typed calculus, called ?_i, with first-class environments. The main novelty of the ?_i calculus is its support for first-class environments, together with an expressive set of operators that manipulate them. Such operators include: reification of the current environment, environment concatenation, environment restriction, and reflection mechanisms for running computations under a given environment. In ?_i any type can act as a context (i.e. an environment type) and contexts are simply types. Furthermore, because ?_i supports subtyping, there is a natural notion of context subtyping. There are two important ideas in ?_i that generalize and are inspired by existing notions in the literature. The ?_i calculus borrows disjoint intersection types and a merge operator, used in ?_i to model contexts and environments, from the ?_i calculus. However, unlike the merges in ?_i, the merges in ?_i can depend on previous components of a merge. From implicit calculi, the ?_i calculus borrows the notion of a query, which allows type-based lookups on environments. In particular, queries are key to the ability of ?_i to reify the current environment, or some parts of it. We prove the determinism and type soundness of ?_i, and show that ?_i can encode all well-typed ?_i programs
Particpants' Proceedings on the Workshop: Types for Program Analysis
As a satellite meeting of the TAPSOFT'95 conference we organized a small workshop on program analysis. The title of the workshop, ``Types for Program Analysis´´, was motivated by the recent trend of letting the presentation and development of program analyses be influenced by annotated type systems, effect systems, and more general logical systems. The contents of the workshop was intended to be somewhat broader; consequently the call for participation listed the following areas of interest:- specification of specific analyses for programming languages,- the role of effects, polymorphism, conjunction/disjunction types, dependent types etc.in specification of analyses,- algorithmic tools and methods for solving general classes of type-based analyses,- the role of unification, semi-unification etc. in implementations of analyses,- proof techniques for establishing the safety of analyses,- relationship to other approaches to program analysis, including abstract interpretation and constraint-based methods,- exploitation of analysis results in program optimization and implementation.The submissions were not formally refereed; however each submission was read by several members of the program committee and received detailed comments and suggestions for improvement. We expect that several of the papers, in slightly revised forms, will show up at future conferences. The workshop took place at Aarhus University on May 26 and May 27 and lasted two half days
Mechanized Reasoning About how Using Functional Programs And Embeddings
Embedding describes the process of encoding a program\u27s syntax and/or semantics in another language---typically a theorem prover in the context of mechanized reasoning. Among different embedding styles, deep embeddings are generally preferred as they enable the most faithful modeling of the original language. However, deep embeddings are also the most complex, and working with them requires additional effort. In light of that, this dissertation aims to draw more attention to alternative styles, namely shallow and mixed embeddings, by studying their use in mechanized reasoning about programs\u27 properties that are related to how . More specifically, I present a simple shallow embedding for reasoning about computation costs of lazy programs, and a class of mixed embeddings that are useful for reasoning about properties of general computation patterns in effectful programs. I show the usefulness of these embedding styles with examples based on real-world applications
Foundations of Information-Flow Control and Effects
In programming language research, information-flow control (IFC) is a technique for enforcing a variety of security aspects, such as confidentiality of data,on programs. This Licenciate thesis makes novel contributions to the theory and foundations of IFC in the following ways: Chapter A presents a new proof method for showing the usual desired property of noninterference; Chapter B shows how to securely extend the concurrent IFC language MAC with asynchronous exceptions; and, Chapter C presents a new and simpler language for IFC with effects based on an explicit separation of pure and effectful computations
Cautiously Optimistic Program Analyses for Secure and Reliable Software
Modern computer systems still have various security and reliability vulnerabilities. Well-known dynamic analyses solutions can mitigate them using runtime monitors that serve as lifeguards. But the additional work in enforcing these security and safety properties incurs exorbitant performance costs, and such tools are rarely used in practice. Our work addresses this problem by constructing a novel technique- Cautiously Optimistic Program Analysis (COPA).
COPA is optimistic- it infers likely program invariants from dynamic observations, and assumes them in its static reasoning to precisely identify and elide wasteful runtime monitors. The resulting system is fast, but also ensures soundness by recovering to a conservatively optimized analysis when a likely invariant rarely fails at runtime. COPA is also cautious- by carefully restricting optimizations to only safe elisions, the recovery is greatly simplified. It avoids unbounded rollbacks upon recovery, thereby enabling analysis for live production software.
We demonstrate the effectiveness of Cautiously Optimistic Program Analyses in three areas:
Information-Flow Tracking (IFT) can help prevent security breaches and information leaks. But they are rarely used in practice due to their high performance overhead (>500% for web/email servers). COPA dramatically reduces this cost by eliding wasteful IFT monitors to make it practical (9% overhead, 4x speedup).
Automatic Garbage Collection (GC) in managed languages (e.g. Java) simplifies programming tasks while ensuring memory safety. However, there is no correct GC for weakly-typed languages (e.g. C/C++), and manual memory management is prone to errors that have been exploited in high profile attacks. We develop the first sound GC for C/C++, and use COPA to optimize its performance (16% overhead).
Sequential Consistency (SC) provides intuitive semantics to concurrent programs that simplifies reasoning for their correctness. However, ensuring SC behavior on commodity hardware remains expensive. We use COPA to ensure SC for Java at the language-level efficiently, and significantly reduce its cost (from 24% down to 5% on x86).
COPA provides a way to realize strong software security, reliability and semantic guarantees at practical costs.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/170027/1/subarno_1.pd