9 research outputs found
Gradual Certified Programming in Coq
Expressive static typing disciplines are a powerful way to achieve
high-quality software. However, the adoption cost of such techniques should not
be under-estimated. Just like gradual typing allows for a smooth transition
from dynamically-typed to statically-typed programs, it seems desirable to
support a gradual path to certified programming. We explore gradual certified
programming in Coq, providing the possibility to postpone the proofs of
selected properties, and to check "at runtime" whether the properties actually
hold. Casts can be integrated with the implicit coercion mechanism of Coq to
support implicit cast insertion a la gradual typing. Additionally, when
extracting Coq functions to mainstream languages, our encoding of casts
supports lifting assumed properties into runtime checks. Much to our surprise,
it is not necessary to extend Coq in any way to support gradual certified
programming. A simple mix of type classes and axioms makes it possible to bring
gradual certified programming to Coq in a straightforward manner.Comment: DLS'15 final version, Proceedings of the ACM Dynamic Languages
Symposium (DLS 2015
A Reasonably Gradual Type Theory
Gradualizing the Calculus of Inductive Constructions (CIC) involves dealing
with subtle tensions between normalization, graduality, and conservativity with
respect to CIC. Recently, GCIC has been proposed as a parametrized gradual type
theory that admits three variants, each sacrificing one of these properties.
For devising a gradual proof assistant based on CIC, normalization and
conservativity with respect to CIC are key, but the tension with graduality
needs to be addressed. Additionally, several challenges remain: (1) The
presence of two wildcard terms at any type-the error and unknown terms-enables
trivial proofs of any theorem, jeopardizing the use of a gradual type theory in
a proof assistant; (2) Supporting general indexed inductive families, most
prominently equality, is an open problem; (3) Theoretical accounts of gradual
typing and graduality so far do not support handling type mismatches detected
during reduction; (4) Precision and graduality are external notions not
amenable to reasoning within a gradual type theory. All these issues manifest
primally in CastCIC, the cast calculus used to define GCIC. In this work, we
present an extension of CastCIC called GRIP. GRIP is a reasonably gradual type
theory that addresses the issues above, featuring internal precision and
general exception handling. GRIP features an impure (gradual) sort of types
inhabited by errors and unknown terms, and a pure (non-gradual) sort of strict
propositions for consistent reasoning about gradual terms. Internal precision
supports reasoning about graduality within GRIP itself, for instance to
characterize gradual exception-handling terms, and supports gradual subset
types. We develop the metatheory of GRIP using a model formalized in Coq, and
provide a prototype implementation of GRIP in Agda.Comment: 27pages + 2pages bibliograph
Securing Verified IO Programs Against Unverified Code in F*
We introduce SCIO*, a formally secure compilation framework for statically
verified partial programs performing input-output (IO). The source language is
an F* subset in which a verified program interacts with its IO-performing
context via a higher-order interface that includes refinement types as well as
pre- and post-conditions about past IO events. The target language is a smaller
F* subset in which the compiled program is linked with an adversarial context
that has an interface without refinement types, pre-conditions, or concrete
post-conditions. To bridge this interface gap and make compilation and linking
secure we propose a formally verified combination of higher-order contracts and
reference monitoring for recording and controlling IO operations. Compilation
uses contracts to convert the logical assumptions the program makes about the
context into dynamic checks on each context-program boundary crossing. These
boundary checks can depend on information about past IO events stored in the
state of the monitor. But these checks cannot stop the adversarial target
context before it performs dangerous IO operations. Therefore linking in SCIO*
additionally forces the context to perform all IO actions via a secure IO
library, which uses reference monitoring to dynamically enforce an access
control policy before each IO operation. We prove in F* that SCIO* soundly
enforces a global trace property for the compiled verified program linked with
the untrusted context. Moreover, we prove in F* that SCIO* satisfies by
construction Robust Relational Hyperproperty Preservation, a very strong secure
compilation criterion. Finally, we illustrate SCIO* at work on a simple web
server example.Comment: POPL'24 camera-ready versio
Approximate Normalization for Gradual Dependent Types
Dependent types help programmers write highly reliable code. However, this
reliability comes at a cost: it can be challenging to write new prototypes in
(or migrate old code to) dependently-typed programming languages. Gradual
typing makes static type disciplines more flexible, so an appropriate notion of
gradual dependent types could fruitfully lower this cost. However, dependent
types raise unique challenges for gradual typing. Dependent typechecking
involves the execution of program code, but gradually-typed code can signal
runtime type errors or diverge. These runtime errors threaten the soundness
guarantees that make dependent types so attractive, while divergence spoils the
type-driven programming experience.
This paper presents GDTL, a gradual dependently-typed language that
emphasizes pragmatic dependently-typed programming. GDTL fully embeds both an
untyped and dependently-typed language, and allows for smooth transitions
between the two. In addition to gradual types we introduce gradual terms ,
which allow the user to be imprecise in type indices and to omit proof terms;
runtime checks ensure type safety . To account for nontermination and failure,
we distinguish between compile-time normalization and run-time execution:
compile-time normalization is approximate but total, while runtime execution is
exact , but may fail or diverge. We prove that GDTL has decidable typechecking
and satisfies all the expected properties of gradual languages. In particular,
GDTL satisfies the static and dynamic gradual guarantees: reducing type
precision preserves typedness, and altering type precision does not change
program behavior outside of dynamic type failures. To prove these properties,
we were led to establish a novel normalization gradual guarantee that captures
the monotonicity of approximate normalization with respect to imprecision
A Reasonably Gradual Type Theory
International audienceGradualizing the Calculus of Inductive Constructions (CIC) involves dealing with subtle tensions between normalization, graduality, and conservativity with respect to CIC. Recently, GCIC has been proposed as a parametrized gradual type theory that admits three variants, each sacrificing one of these properties. For devising a gradual proof assistant based on CIC, normalization and conservativity with respect to CIC are key, but the tension with graduality needs to be addressed. Additionally, several challenges remain: (1) The presence of two wildcard terms at any type-the error and unknown terms-enables trivial proofs of any theorem, jeopardizing the use of a gradual type theory in a proof assistant; (2) Supporting general indexed inductive families, most prominently equality, is an open problem; (3) Theoretical accounts of gradual typing and graduality so far do not support handling type mismatches detected during reduction; (4) Precision and graduality are external notions not amenable to reasoning within a gradual type theory. All these issues manifest primally in CastCIC, the cast calculus used to define GCIC. In this work, we present an alternative to CastCIC called GRIP. GRIP is a reasonably gradual type theory that addresses the issues above, featuring internal precision and general exception handling. For consistent reasoning about gradual terms, GRIP features an impure sort of types inhabited by errors and unknown terms, and a pure sort of strict propositions. By adopting a novel interpretation of the unknown term that carefully accounts for universe levels, GRIP satisfies graduality for a large and well-defined class of terms, in addition to being normalizing and a conservative extension of CIC. Internal precision supports reasoning about graduality within GRIP itself, for instance to characterize gradual exception-handling terms, and supports gradual subset types. We develop the metatheory of GRIP using a model formalized in Coq, and provide a prototype implementation of GRIP in Agda
Software Engineering with Incomplete Information
Information may be the common currency of the universe, the stuff of creation. As the physicist John Wheeler claimed, we get ``it from bit''. Measuring information, however, is a hard problem. Knowing the meaning of information is a hard problem. Directing the movement of information is a hard problem. This hardness comes when our information about information is incomplete. Yet we need to offer decision making guidance, to the computer or developer, when facing this incompleteness. This work addresses this insufficiency within the universe of software engineering.
This thesis addresses the first problem by demonstrating that obtaining the relative magnitude of information flow is computationally less expensive than an exact measurement. We propose ranked information flow, or RIF, where different flows are ordered according to their FlowForward, a new measure designed for ease of ordering. To demonstrate the utility of FlowForward, we introduce information contour maps: heatmapped callgraphs of information flow within software. These maps serve multiple engineering uses, such as security and refactoring.
By mixing a type system with RIF, we address the problem of meaning. Information security is a common concern in software engineering. We present OaST, the world's first gradual security type system that replaces dynamic monitoring with information theoretic risk assessment. OaST now contextualises FlowForward within a formally verified framework: secure program components communicate over insecure channels ranked by how much information flows through them. This context helps the developer interpret the flows and enables security policy discovery, adaptation and refactoring.
Finally, we introduce safestrings, a type-based system for controlling how the information embedded within a string moves through a program. This takes a structural approach, whereby a string subtype is a more precise, information limited, subset of string, ie a string that contains an email address, rather than anything else
Gradual Certified Programming in Coq
Expressive static typing disciplines are a powerful way to achieve high-quality software. However, the adoption cost of such techniques should not be under-estimated. Just like gradual typing allows for a smooth transition from dynamically-typed to statically-typed programs, it seems desirable to support a gradual path to certified programming. We explore gradual certified programming in Coq, providing the possibility to postpone the proofs of selected properties, and to check "at runtime" whether the properties actually hold. Casts can be integrated with the implicit coercion mechanism of Coq to support implicit cast insertion a la gradual typing. Additionally, when extracting Coq functions to mainstream languages, our encoding of casts supports lifting assumed properties into runtime checks. Much to our surprise, it is not necessary to extend Coq in any way to support gradual certified programming. A simple mix of type classes and axioms makes it possible to bring gradual certified programming to Coq in a straightforward manner