16 research outputs found
Computer-aided verification in mechanism design
In mechanism design, the gold standard solution concepts are dominant
strategy incentive compatibility and Bayesian incentive compatibility. These
solution concepts relieve the (possibly unsophisticated) bidders from the need
to engage in complicated strategizing. While incentive properties are simple to
state, their proofs are specific to the mechanism and can be quite complex.
This raises two concerns. From a practical perspective, checking a complex
proof can be a tedious process, often requiring experts knowledgeable in
mechanism design. Furthermore, from a modeling perspective, if unsophisticated
agents are unconvinced of incentive properties, they may strategize in
unpredictable ways.
To address both concerns, we explore techniques from computer-aided
verification to construct formal proofs of incentive properties. Because formal
proofs can be automatically checked, agents do not need to manually check the
properties, or even understand the proof. To demonstrate, we present the
verification of a sophisticated mechanism: the generic reduction from Bayesian
incentive compatible mechanism design to algorithm design given by Hartline,
Kleinberg, and Malekian. This mechanism presents new challenges for formal
verification, including essential use of randomness from both the execution of
the mechanism and from the prior type distributions. As an immediate
consequence, our work also formalizes Bayesian incentive compatibility for the
entire family of mechanisms derived via this reduction. Finally, as an
intermediate step in our formalization, we provide the first formal
verification of incentive compatibility for the celebrated
Vickrey-Clarke-Groves mechanism
Relational Symbolic Execution
Symbolic execution is a classical program analysis technique used to show
that programs satisfy or violate given specifications. In this work we
generalize symbolic execution to support program analysis for relational
specifications in the form of relational properties - these are properties
about two runs of two programs on related inputs, or about two executions of a
single program on related inputs. Relational properties are useful to formalize
notions in security and privacy, and to reason about program optimizations. We
design a relational symbolic execution engine, named RelSym which supports
interactive refutation, as well as proving of relational properties for
programs written in a language with arrays and for-like loops
Proving Differential Privacy with Shadow Execution
Recent work on formal verification of differential privacy shows a trend
toward usability and expressiveness -- generating a correctness proof of
sophisticated algorithm while minimizing the annotation burden on programmers.
Sometimes, combining those two requires substantial changes to program logics:
one recent paper is able to verify Report Noisy Max automatically, but it
involves a complex verification system using customized program logics and
verifiers.
In this paper, we propose a new proof technique, called shadow execution, and
embed it into a language called ShadowDP. ShadowDP uses shadow execution to
generate proofs of differential privacy with very few programmer annotations
and without relying on customized logics and verifiers. In addition to
verifying Report Noisy Max, we show that it can verify a new variant of Sparse
Vector that reports the gap between some noisy query answers and the noisy
threshold. Moreover, ShadowDP reduces the complexity of verification: for all
of the algorithms we have evaluated, type checking and verification in total
takes at most 3 seconds, while prior work takes minutes on the same algorithms.Comment: 23 pages, 12 figures, PLDI'1
Bidirectional Type Checking for Relational Properties
Relational type systems have been designed for several applications including
information flow, differential privacy, and cost analysis. In order to achieve
the best results, these systems often use relational refinements and relational
effects to maximally exploit the similarity in the structure of the two
programs being compared. Relational type systems are appealing for relational
properties because they deliver simpler and more precise verification than what
could be derived from typing the two programs separately. However, relational
type systems do not yet achieve the practical appeal of their non-relational
counterpart, in part because of the lack of a general foundations for
implementing them.
In this paper, we take a step in this direction by developing bidirectional
relational type checking for systems with relational refinements and effects.
Our approach achieves the benefits of bidirectional type checking, in a
relational setting. In particular, it significantly reduces the need for typing
annotations through the combination of type checking and type inference. In
order to highlight the foundational nature of our approach, we develop
bidirectional versions of several relational type systems which incrementally
combine many different components needed for expressive relational analysis.Comment: 14 page
Higher-order approximate relational refinement types for mechanism design and differential privacy
Mechanism design is the study of algorithm design in which the inputs to the
algorithm are controlled by strategic agents, who must be incentivized to
faithfully report them. Unlike typical programmatic properties, it is not
sufficient for algorithms to merely satisfy the property---incentive properties
are only useful if the strategic agents also believe this fact.
Verification is an attractive way to convince agents that the incentive
properties actually hold, but mechanism design poses several unique challenges:
interesting properties can be sophisticated relational properties of
probabilistic computations involving expected values, and mechanisms may rely
on other probabilistic properties, like differential privacy, to achieve their
goals.
We introduce a relational refinement type system, called ,
for verifying mechanism design and differential privacy. We show that
is sound w.r.t. a denotational semantics, and correctly
models -differential privacy; moreover, we show that it
subsumes DFuzz, an existing linear dependent type system for differential
privacy. Finally, we develop an SMT-based implementation of
and use it to verify challenging examples of mechanism design, including
auctions and aggregative games, and new proposed examples from differential
privacy
Relational Cost Analysis for Functional-Imperative Programs
Relational cost analysis aims at formally establishing bounds on the
difference in the evaluation costs of two programs. As a particular case, one
can also use relational cost analysis to establish bounds on the difference in
the evaluation cost of the same program on two different inputs. One way to
perform relational cost analysis is to use a relational type-and-effect system
that supports reasoning about relations between two executions of two programs.
Building on this basic idea, we present a type-and-effect system, called
ARel, for reasoning about the relative cost of array-manipulating, higher-order
functional-imperative programs. The key ingredient of our approach is a new
lightweight type refinement discipline that we use to track relations
(differences) between two arrays. This discipline combined with Hoare-style
triples built into the types allows us to express and establish precise
relative costs of several interesting programs which imperatively update their
data.Comment: 14 page