Formalisation of Smart Contract Languages

Smart contracts automatically verify and enforce contractual agreements without the need of a trusted intermediary, as potential conflicts are resolved by the network’s consensus protocol. Since "code is law", contracts should be correct, but bugs and vulnerabilities, often exploited by attackers, allow erroneous or even fraudulent behaviour. These days smart contracts are still mostly being written in general purpose programming languages, without proper specifications, let alone correctness proofs. Immutability is one of its selling points, but it is also one of its major problems, as once a contract is deployed to the blockchain it cannot be amended. Additionally, many vulnerabilities come from the misimplementation of contracts’ intended behaviour, as developers struggle to grasp the behavioural impact that the contract has in the blockchain. It is thus crucial to achieve correct implementations of smart contracts. In order to aid developers to promote the design of safer contracts that follow the protocols they are supposed to implement, we propose the use of behavioural types in smart languages. We believe that the use of typestates, for dynamic checking, and session types, for static checking, can ensure the intended behaviour of the contract before and during its execution. To better understand a contract’s behaviour throughout its execution, we took advantage of Racket (and PLT Redex), to have a visualisation of a step-by-step execution graph. By formally defining the syntax and reduction rules of a "core" smart contract language, and how each rule affects the statements and the programs configuration, this visualisation tool allows programmers to check and adjust the language’s formal semantics. This is a successful proof-of-concept exercise, confirming the suitability of Racket to develop program semantics which can be analysed throughout its execution. In the context of smart contract languages, these are important features (to be combined with formal verification with proof assistants). Furthermore, we also implemented a typechecker in OCaml that provides a type derivation tree of the program, in addition to preventing the occurrence of execution errors. To illustrate the usefulness of this approach, we took two different smart contract languages, one completely formalised with syntax, operational semantics and type system (Featherweight solidity, FS), and another only with its natural language semantics (Flint). We formalised FS in Racket and OCaml, where we were able to detect an inaccuracy; and we repeated this process with Flint, formalising its operation semantics and type system. The latter was much more challenging as it incorporated the use of typestates. Throughout this thesis, we present many examples on how the use of visual tools can help in the developing states of contracts and better understand the correct execution of programs, as well as how the use of behavioural types can prevent many execution errors even before running. The framework we define herein not only finds defects in the contracts, but also, crucially, detects vulnerabilities in a language construction, as we demonstrate with our use-cases. Therefore, this approach is very valuable not only for the programmer as visual debugging, but also for the language designer to test the effects of definitions

Mixin Composition Synthesis based on Intersection Types

We present a method for synthesizing compositions of mixins using type inhabitation in intersection types. First, recursively defined classes and mixins, which are functions over classes, are expressed as terms in a lambda calculus with records. Intersection types with records and record-merge are used to assign meaningful types to these terms without resorting to recursive types. Second, typed terms are translated to a repository of typed combinators. We show a relation between record types with record-merge and intersection types with constructors. This relation is used to prove soundness and partial completeness of the translation with respect to mixin composition synthesis. Furthermore, we demonstrate how a translated repository and goal type can be used as input to an existing framework for composition synthesis in bounded combinatory logic via type inhabitation. The computed result is a class typed by the goal type and generated by a mixin composition applied to an existing class

Estimating resource bounds for software transactions

We present an effect based static analysis to calculate upper and lower bounds on the memory resource consumption in a transactional calculus. The calculus is a concurrent variant of Featherweight Java extended by transactional constructs. The model supports nested and concurrent transactions. The analysis is compositional and takes into account implicit join synchronizations that arise when more than one thread perfom a join-synchronization when jointly committing a transaction. Central for a compositional and precise analysis is to capture as part of the effects a tree-representation of the future resource consumption and synchronization points (which we call joining commit trees). We show the soundness of the analysis

A Type-Safe Model of Adaptive Object Groups

Services are autonomous, self-describing, technology-neutral software units that can be described, published, discovered, and composed into software applications at runtime. Designing software services and composing services in order to form applications or composite services requires abstractions beyond those found in typical object-oriented programming languages. This paper explores service-oriented abstractions such as service adaptation, discovery, and querying in an object-oriented setting. We develop a formal model of adaptive object-oriented groups which offer services to their environment. These groups fit directly into the object-oriented paradigm in the sense that they can be dynamically created, they have an identity, and they can receive method calls. In contrast to objects, groups are not used for structuring code. A group exports its services through interfaces and relies on objects to implement these services. Objects may join or leave different groups. Groups may dynamically export new interfaces, they support service discovery, and they can be queried at runtime for the interfaces they support. We define an operational semantics and a static type system for this model of adaptive object groups, and show that well-typed programs do not cause method-not-understood errors at runtime.Comment: In Proceedings FOCLASA 2012, arXiv:1208.432

Featherweight Generic Confinement

Existing approaches to object encapsulation either rely on ad hoc syntactic restrictions or require the use of specialised type systems. Syntactic restrictions are difficult to scale and to prove correct, while specialised type systems require extensive changes to programming languages. We demonstrate that confinement can be enforced cheaply in Featherweight Generic Java, with no essential change to the underlying language or type system. This result demonstrates that polymorphic type parameters can simultaneously act as ownership parameters and should facilitate the adoption of confinement and ownership type systems in general-purpose programming languages