Slot Games for Detecting Timing Leaks of Programs

In this paper we describe a method for verifying secure information flow of programs, where apart from direct and indirect flows a secret information can be leaked through covert timing channels. That is, no two computations of a program that differ only on high-security inputs can be distinguished by low-security outputs and timing differences. We attack this problem by using slot-game semantics for a quantitative analysis of programs. We show how slot-games model can be used for performing a precise security analysis of programs, that takes into account both extensional and intensional properties of programs. The practicality of this approach for automated verification is also shown.Comment: In Proceedings GandALF 2013, arXiv:1307.416

Fifty years of Hoare's Logic

We present a history of Hoare's logic.Comment: 79 pages. To appear in Formal Aspects of Computin

A Graph Model for Imperative Computation

Scott's graph model is a lambda-algebra based on the observation that continuous endofunctions on the lattice of sets of natural numbers can be represented via their graphs. A graph is a relation mapping finite sets of input values to output values. We consider a similar model based on relations whose input values are finite sequences rather than sets. This alteration means that we are taking into account the order in which observations are made. This new notion of graph gives rise to a model of affine lambda-calculus that admits an interpretation of imperative constructs including variable assignment, dereferencing and allocation. Extending this untyped model, we construct a category that provides a model of typed higher-order imperative computation with an affine type system. An appropriate language of this kind is Reynolds's Syntactic Control of Interference. Our model turns out to be fully abstract for this language. At a concrete level, it is the same as Reddy's object spaces model, which was the first "state-free" model of a higher-order imperative programming language and an important precursor of games models. The graph model can therefore be seen as a universal domain for Reddy's model

Note on Algol and Conservatively Extending Functional Programming

A simple Idealized Algol is considered, based on Reynolds\u27s essence of Algol. It is shown that observational equivalence in this language conservatively extends observational equivalence in its assignment-free functional sublanguage

Syntactic Control of Interference Revisited

In Syntactic Control of Interference (POPL, 1978), J. C. Reynolds proposes three design principles intended to constrain the scope of imperative state effects in Algol-like languages. The resulting linguistic framework seems to be a very satisfactory way of combining functional and imperative concepts, having the desirable attributes of both purely functional languages (such as pcf) and simple imperative languages (such as the language of while programs). However, Reynolds points out that the obvious syntax for interference control has the unfortunate property that fi-reductions do not always preserve typings. Reynolds has subsequently presented a solution to this problem (ICALP, 1989), but it is fairly complicated and requires intersection types in the type system. Here, we present a much simpler solution which does not require intersection types. We first describe a new type system inspired in part by linear logic and verify that reductions preserve typings. We then define a class of bireflective models, which provide a categorical analysis of structure underlying the new typing rules; a companion paper Bireflectivity, in this volume, exposes wider ramifications of this structure. Finally, we describe a concrete model for an illustrative programming language based on the new type system; this improves on earlier such efforts in that states are not assumed to be structured using locations

Decidability and syntactic control of interference

AbstractWe investigate the decidability of observational equivalence and approximation in Reynolds’ “Syntactic Control of Interference” (SCI), a prototypical functional-imperative language in which covert interference between functions and their arguments is prevented by the use of an affine typing discipline.By associating denotations of terms in a fully abstract “relational” model of finitary basic SCI (due to Reddy) with multitape finite state automata, we show that observational approximation is not decidable (even at first order), but that observational equivalence is decidable for all terms.We then consider the same problems for basic SCI extended with non-local control in the form of backwards jumps. We show that both observational approximation and observational equivalence are decidable in this “observably sequential” version of the language by describing a fully abstract games model in which strategies are regular languages

Elementary data structures in ALGOL-like languages

AbstractJ.C. Reynolds has pointed out that ALGOL 60 has a set of properties not shared by most of the languages usually regarded as being its successors. We propose to use this ALGOL-like framework to design a language that could adequately support both applicative and imperative programming while also retaining the advantages of each of the “pure” frameworks. This paper discusses elementary data-structuring facilities (products, arrays, sums) for such a language, taking advantage of recent developments, such as this author's “quantification” notation, and the notion of “conjunctive type” proposed by Coppo and Dezani, and adapted to explicitly-typed languages by Reynolds