
    Incrémentalité et simulation d'effets dans le lambda calcul simplement typé (Incrementality and effect simulation in the simply typed lambda calculus)

    Certified programming is a framework in which any program is correct by construction. Proof assistants and dependently typed programming languages are the representatives of this paradigm, where the proof and the implementation of a program are done at the same time. However, it has some limitations: a program in Type Theory is built only with pure and total functions. Our objective is to write efficient and certified programs. The contributions of this work are the formalization, in the Simply Typed Lambda Calculus, of two mechanisms to achieve efficiency: validating impure computations and optimizing computations by incrementality. An impure computation, that is, a program with effects, is validated in a functional and total language through a posteriori simulation. The simulation is performed afterwards on a monadic procedure and is guided by a prophecy. An efficient oracle is responsible for producing prophecies; it is actually the monadic procedure itself translated into an effectful programming language. The second contribution is an optimization to perform incremental computations. Incrementality, as a way to propagate an input change into a corresponding output change, is guided by formal change descriptions over terms and dynamic differentiation of functions. Displaceable types represent data changes, while an extension of the simply typed lambda calculus with differentials and partial derivatives offers a language to reason about incrementality.

    Certified programming offers a framework in which every program is correct by construction. Proof assistants and programming languages with dependent types are the representatives of this paradigm, where the proof and the implementation of a program are done at the same time. However, there are some limitations: a program written in type theory is built only from pure and total functions. Our objective is to write efficient and certified programs. The contributions of this thesis are the formalization, in the simply typed lambda calculus, of two mechanisms to improve efficiency: the validation of impure computations and the optimization of incremental computations. An impure computation, that is, a program with effects, is validated in a functional and total language by means of an a posteriori simulation. The simulation is carried out afterwards by a monadic procedure and is guided by a prophecy. An efficient oracle is responsible for producing the prophecies, and it is in fact the monadic procedure translated into a general-purpose programming language. The second contribution is an optimization for incremental computations. Incrementality consists in propagating changes to inputs into changes to outputs; it is guided by formal descriptions of changes over terms and a dynamic differentiation of functions. The representation of data changes is handled by displaceable types, and an extension of the simply typed lambda calculus with derivatives and partial derivatives offers a language for reasoning about incrementality.

    Formalizing Size-Optimal Sorting Networks: Extracting a Certified Proof Checker

    Since the proof of the four color theorem in 1976, computer-generated proofs have become a reality in mathematics and computer science. During the last decade, we have seen formal proofs using verified proof assistants being used to verify the validity of such proofs. In this paper, we describe a formalized theory of size-optimal sorting networks. From this formalization we extract a certified checker that successfully verifies computer-generated proofs of optimality on up to 8 inputs. The checker relies on an untrusted oracle to shortcut the search for witnesses on more than 1.6 million NP-complete subproblems.
    Comment: IMADA-preprint-c

    A certifying frontend for (sub)polyhedral abstract domains

    Convex polyhedra provide a relational abstraction of numerical properties for static analysis of programs by abstract interpretation. We describe a lightweight certification of polyhedral abstract domains using the Coq proof assistant. Our approach consists in delegating most computations to an untrusted backend and in checking its outputs with a certified frontend. The backend is free to implement relaxations of domain operators in order to trade some precision for more efficiency, but must produce hints about the soundness of its results. Experiments with a full-precision backend show that the certification overhead is small and that the certified abstract domain has performance comparable to non-certifying state-of-the-art implementations.

    Programming Languages and Systems

    This open access book constitutes the proceedings of the 28th European Symposium on Programming, ESOP 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019.

    Aura: Programming with Authorization and Audit

    Standard programming models do not provide direct ways of managing secret or untrusted data. This is a problem because programmers must use ad hoc methods to ensure that secrets are not leaked and, conversely, that tainted data is not used to make critical decisions. This dissertation advocates integrating cryptography and language-based analyses in order to build programming environments for declarative information security, in which high-level specifications of confidentiality and integrity constraints are automatically enforced in hostile execution environments. This dissertation describes Aura, a family of programming languages which integrate functional programming, access control via authorization logic, automatic audit logging, and confidentiality via encryption. Aura's programming model marries an expressive, principled way to specify security policies with a practical policy-enforcement methodology that is well suited for auditing access grants and protecting secrets. Aura security policies are expressed as propositions in an authorization logic. Such logics are suitable for discussing delegation, permission, and other security-relevant concepts. Aura's (dependent) type system cleanly integrates standard data types, like integers, with proofs of authorization-logic propositions; this lets programs manipulate authorization proofs just like ordinary values. In addition, security-relevant implementation details---like the creation of audit trails or the cryptographic representation of language constructs---can be handled automatically with little or no programmer intervention.

    Towards A Practical High-Assurance Systems Programming Language

    Writing correct and performant low-level systems code is a notoriously demanding job, even for experienced developers. To make matters worse, formally reasoning about its correctness properties introduces yet another level of complexity to the task. It requires considerable expertise in both systems programming and formal verification. The development can be extremely costly due to the sheer complexity of the systems and the nuances in them, if not assisted with appropriate tools that provide abstraction and automation. Cogent is designed to alleviate the burden on developers when writing and verifying systems code. It is a high-level functional language with a certifying compiler, which automatically proves the correctness of the compiled code and also provides a purely functional abstraction of the low-level program to the developer. Equational reasoning techniques can then be used to prove functional correctness properties of the program on top of this abstract semantics, which is notably less laborious than directly verifying the C code. To make Cogent a more approachable and effective tool for developing real-world systems, we further strengthen the framework by extending the core language and its ecosystem. Specifically, we enrich the language to allow users to control the memory representation of algebraic data types, while retaining the automatic proof with a data layout refinement calculus. We repurpose existing tools in a novel way and develop an intuitive foreign function interface, which provides users a seamless experience when using Cogent in conjunction with native C. We augment the Cogent ecosystem with a property-based testing framework, which helps developers better understand the impact formal verification has on their programs and enables a progressive approach to producing high-assurance systems. Finally, we explore refinement type systems, which we plan to incorporate into Cogent for more expressiveness and better integration of systems programmers with the verification process.

    Lightweight Proof by Reflection Using a Posteriori Simulation of Effectful Computation

    Proof-by-reflection is a well-established technique that employs decision procedures to reduce the size of proof terms. Currently, decision procedures can be written either in Type Theory (in a purely functional way that also ensures termination) or in an effectful programming language, where they are used as oracles for the certified checker. The first option offers strong correctness guarantees, while the second one permits more efficient implementations. We propose a novel technique for proof-by-reflection that marries, in Type Theory, an effectful language with (partial) proofs of correctness. The key to our approach is to use simulable monads, where a monad is simulable if, for all terminating reduction sequences in its equivalent effectful computational model, there exists a witness from which the same reduction may be simulated a posteriori by the monad. We encode several examples using simulable monads and demonstrate the advantages of the technique over previous approaches.