318 research outputs found
Securing Verified IO Programs Against Unverified Code in F*
We introduce SCIO*, a formally secure compilation framework for statically
verified partial programs performing input-output (IO). The source language is
an F* subset in which a verified program interacts with its IO-performing
context via a higher-order interface that includes refinement types as well as
pre- and post-conditions about past IO events. The target language is a smaller
F* subset in which the compiled program is linked with an adversarial context
that has an interface without refinement types, pre-conditions, or concrete
post-conditions. To bridge this interface gap and make compilation and linking
secure we propose a formally verified combination of higher-order contracts and
reference monitoring for recording and controlling IO operations. Compilation
uses contracts to convert the logical assumptions the program makes about the
context into dynamic checks on each context-program boundary crossing. These
boundary checks can depend on information about past IO events stored in the
state of the monitor. But these checks cannot stop the adversarial target
context before it performs dangerous IO operations. Therefore linking in SCIO*
additionally forces the context to perform all IO actions via a secure IO
library, which uses reference monitoring to dynamically enforce an access
control policy before each IO operation. We prove in F* that SCIO* soundly
enforces a global trace property for the compiled verified program linked with
the untrusted context. Moreover, we prove in F* that SCIO* satisfies by
construction Robust Relational Hyperproperty Preservation, a very strong secure
compilation criterion. Finally, we illustrate SCIO* at work on a simple web
server example.Comment: POPL'24 camera-ready versio
LIPIcs, Volume 261, ICALP 2023, Complete Volume
LIPIcs, Volume 261, ICALP 2023, Complete Volum
Semantics for Noninterference with Interaction Trees
Noninterference is the strong information-security property that a program does not leak secrets through publicly-visible behavior. In the presence of effects such as nontermination, state, and exceptions, reasoning about noninterference quickly becomes subtle. We advocate using interaction trees (ITrees) to provide compositional mechanized proofs of noninterference for multi-language, effectful, nonterminating programs, while retaining executability of the semantics. We develop important foundations for security analysis with ITrees: two indistinguishability relations, leading to two standard notions of noninterference with adversaries of different strength, along with metatheory libraries for reasoning about each. We demonstrate the utility of our results using a simple imperative language with embedded assembly, along with a compiler into that assembly language
Exploring Regional Dynamics: States, International Civil Society, and Regional Interstate Cooperation
Regional cooperation is widely acknowledged as a crucial element in fostering peace and prosperity among nations, yet few systematic studies have investigated the forces that promote and sustain it. This dissertation examines regional cooperation through the lens of states, state-led institutions, and non-state actors. In order to achieve this, the study first aims to undertake a systematic analysis of the correlates associated with regional cooperation, using country pairings to analyze where cooperation takes place. Second, I explore the role of international civil society in promoting regional cooperation. To gauge international civil society, a new dataset on International Non-Governmental Organizations (INGOs) is constructed and introduced. The first part of my dissertation constructs two datasets on International Non-Governmental Organizations (INGOs). There is no ready-to-use, publicly available data source in the literature for researchers wishing to analyze INGOs systematically. There are a variety of online data sources, but none are based on identified inclusion criteria. I identify as INGOs all United Nations- accredited NGOs and construct two datasets: one of the INGOs and the other of INGOs at the state-year level of analysis. Both datasets can be integrated with other datasets, facilitating engagement with a broad range of research questions. While the INGO-level dataset provides information for 6,595 INGOs from 1816 to 2022, the state-level dataset includes 15,024 state-year observations from 1946 to 2022. The second part of the dissertation investigates the conditions under which regional countries engage in cooperation. Analyses of memberships in 76 regional organizations from 1945 to 2012 yield several factors as significant forces of regional cooperation. In order of importance, these are joint democracy, joint language, equal material capability, and trade interdependence. I found that weaker countries are more hesitant to cooperate with stronger ones within regions. At the theoretical level, this research supports a liberal explanation for regional interstate organization, emphasizing factors such as trade and democracy, over a hegemonic realist explanation that centers on power asymmetry. The third part of the dissertation examines the role of international civil society in regional cooperation. Drawing on the new INGO dataset, I found that the more international non-governmental organizations shared by two countries in a dyad in a year, the more likely the two countries share common memberships in Regional Organizations (ROs), Multilateral Environmental Agreements (MEAs), and Regional Trade Agreements (RTAs). Even after accounting for such factors as democracy, economic status, and alliances, the results yield a robust correlation between the engagement of INGOs and the advancement of regional interstate cooperation
Recommended from our members
Automating the Formal Verification of Software
Formally verified correctness is one of the most desirable properties of software systems. Despite great progress made toward verification via interactive proof assistants, such as Coq and Isabelle/HOL, such verification remains one of the most effort-intensive (and often prohibitively difficult) software development activities. Recent work has created tools that automatically synthesize proofs either through reasoning using precomputed facts or using machine learning to model proofs and then perform biased search through the proof space. However, models in existing tools fail to capture the richness present in proofs, such as the information the programmer has access to when writing proofs and the natural language contained within variable names. Furthermore, these prior models do not make use of variations in the learning process and advances in large language models.
In this dissertation, I develop tools to improve proof synthesis and to enable fully automating more verification. I first present TacTok, a proof-synthesis tool that models proofs using both the partial proof written thus far and the semantics of the proof state. I then present Diva, a proof-synthesis tool that controls the learning process to produce a diverse set of models and, due to the unique nature of proof synthesis (the existence of the theorem prover, an oracle that infallibly judges a proof’s correctness), efficiently combines these models to improve the overall proving power. I then present Passport, a proof-synthesis tool that systematically explores different ways of encoding identifiers in proofs to improve synthesis. Finally, I present Baldur, a proof-synthesis tool that uses transformer-based pretrained large language models fine-tuned on proofs to generate and repair whole proofs at once, rather than one step at a time.
This dissertation contributes new ideas for improving automated proof synthesis and empirically demonstrates that the improvement is significant on large benchmarks consisting of open-source software projects
Programming languages and tools with multiparty session
Distributed software systems are used in a wide variety of applications, including health care, telecommunications, finance, and entertainment. These systems typically consist of multiple software components, each with its own local memory, that are deployed across networks of hosts and communicate by passing messages in order to achieve a common goal. Distributed systems offer several benefits, including scalability — since computation happens independently on each component, it is easy and generally inexpensive to add additional components and functionality as necessary; reliability—since systems can be made up of hundreds of components working together, there is little disruption if a single component fails; performance—since work loads can be broken up and sent to multiple components, distributed systems tend to be very efficient. However, they can also be difficult to implement and analyze due to the need for heterogeneous software components to communicate and synchronize correctly and the potential for hardware or software failures.
Distributed and concurrent programming is challenging due to the complexity of coordinating the communication and interactions between the various components of a system that may be running on different machines or different threads. Behavioural types can help to address some of these difficulties by providing a way to formally specify the communication between components of a distributed system. This specification can then be used to verify the correctness of the communication between these components using static typechecking, dynamic monitoring, or a combination of the two. Perhaps the most well-known form of behavioural types are session types. They define the sequences of messages that are exchanged between two or more parties in a communication protocol, as well as the order in which these messages are exchanged. More generally, behavioural types include typestate systems, which specify the state-dependent availability of operations, choreographies, which specify collective communication behaviour, and behavioural contracts that specify the expected behaviour of a system. By using behavioural types, it is possible to ensure that the communication between components of a distributed system is well-defined and follows a set of predefined rules, which can help to prevent errors and ensure that the system behaves correctly.
The focus of this thesis is on using session type systems to provide static guarantees about the runtime behaviour of concurrent programs. We investigate two strands of work in this context. The first strand focuses on the relationship between session types and linearity. Linearity is a property of certain resources, in this case communication channels, that can only be used once. For instance a linear variable can only be assigned once, after which it cannot be changed. This property is useful for session types because it helps to prevent race conditions and guarantees that no messages are lost or duplicated. We look at relaxing the standard access control in multiparty session types systems. This is typically based on linear or affine types, that offer strong guarantees of communication safety and session. However, these exclude many naturally occurring scenarios that make use of shared channels or need to store channels in shared data structures. We introduce a new and more flexible session type system, which allows channel references to be shared and stored in persistent data structures. We prove that the resulting language satisfies type safety, and we illustrate our type system through examples.
The second strand of research in this thesis looks at the expressive power of session types, and their connection to typestate for safe distributed programming in the Java language. Typestates are a way of annotating objects with a set of operations that are valid to perform on them at a given state. We expand the expressive power of two existing tools, use them to represent real-world case studies, and end by considering language usability and human factors
Reference Capabilities for Flexible Memory Management: Extended Version
Verona is a concurrent object-oriented programming language that organises
all the objects in a program into a forest of isolated regions. Memory is
managed locally for each region, so programmers can control a program's memory
use by adjusting objects' partition into regions, and by setting each region's
memory management strategy. A thread can only mutate (allocate, deallocate)
objects within one active region -- its "window of mutability". Memory
management costs are localised to the active region, ensuring overheads can be
predicted and controlled. Moving the mutability window between regions is
explicit, so code can be executed wherever it is required, yet programs remain
in control of memory use. An ownership type system based on reference
capabilities enforces region isolation, controlling aliasing within and between
regions, yet supporting objects moving between regions and threads. Data
accesses never need expensive atomic operations, and are always thread-safe.Comment: 87 pages, 10 figures, 5 listings, 4 tables. Extended version of paper
to be published at OOPSLA 202
- …