11,921 research outputs found
Modular, Fully-abstract Compilation by Approximate Back-translation
A compiler is fully-abstract if the compilation from source language programs
to target language programs reflects and preserves behavioural equivalence.
Such compilers have important security benefits, as they limit the power of an
attacker interacting with the program in the target language to that of an
attacker interacting with the program in the source language. Proving compiler
full-abstraction is, however, rather complicated. A common proof technique is
based on the back-translation of target-level program contexts to
behaviourally-equivalent source-level contexts. However, constructing such a
back- translation is problematic when the source language is not strong enough
to embed an encoding of the target language. For instance, when compiling from
STLC to ULC, the lack of recursive types in the former prevents such a
back-translation.
We propose a general and elegant solution for this problem. The key insight
is that it suffices to construct an approximate back-translation. The
approximation is only accurate up to a certain number of steps and conservative
beyond that, in the sense that the context generated by the back-translation
may diverge when the original would not, but not vice versa. Based on this
insight, we describe a general technique for proving compiler full-abstraction
and demonstrate it on a compiler from STLC to ULC. The proof uses asymmetric
cross-language logical relations and makes innovative use of step-indexing to
express the relation between a context and its approximate back-translation.
The proof extends easily to common compiler patterns such as modular
compilation and it, to the best of our knowledge, it is the first compiler full
abstraction proof to have been fully mechanised in Coq. We believe this proof
technique can scale to challenging settings and enable simpler, more scalable
proofs of compiler full-abstraction
Verification of Java Bytecode using Analysis and Transformation of Logic Programs
State of the art analyzers in the Logic Programming (LP) paradigm are
nowadays mature and sophisticated. They allow inferring a wide variety of
global properties including termination, bounds on resource consumption, etc.
The aim of this work is to automatically transfer the power of such analysis
tools for LP to the analysis and verification of Java bytecode (JVML). In order
to achieve our goal, we rely on well-known techniques for meta-programming and
program specialization. More precisely, we propose to partially evaluate a JVML
interpreter implemented in LP together with (an LP representation of) a JVML
program and then analyze the residual program. Interestingly, at least for the
examples we have studied, our approach produces very simple LP representations
of the original JVML programs. This can be seen as a decompilation from JVML to
high-level LP source. By reasoning about such residual programs, we can
automatically prove in the CiaoPP system some non-trivial properties of JVML
programs such as termination, run-time error freeness and infer bounds on its
resource consumption. We are not aware of any other system which is able to
verify such advanced properties of Java bytecode
Dynamically typed languages
Dynamically typed languages such as Python and Ruby have experienced a rapid grown in popularity in recent times. However, there is much confusion as to what makes these languages interesting relative to statically typed languages, and little knowledge of their rich history. In this chapter I explore the general topic of dynamically typed languages, how they differ from statically typed languages, their history, and their defining features
Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation
Compartmentalization is good security-engineering practice. By breaking a
large software system into mutually distrustful components that run with
minimal privileges, restricting their interactions to conform to well-defined
interfaces, we can limit the damage caused by low-level attacks such as
control-flow hijacking. When used to defend against such attacks,
compartmentalization is often implemented cooperatively by a compiler and a
low-level compartmentalization mechanism. However, the formal guarantees
provided by such compartmentalizing compilation have seen surprisingly little
investigation.
We propose a new security property, secure compartmentalizing compilation
(SCC), that formally characterizes the guarantees provided by
compartmentalizing compilation and clarifies its attacker model. We reconstruct
our property by starting from the well-established notion of fully abstract
compilation, then identifying and lifting three important limitations that make
standard full abstraction unsuitable for compartmentalization. The connection
to full abstraction allows us to prove SCC by adapting established proof
techniques; we illustrate this with a compiler from a simple unsafe imperative
language with procedures to a compartmentalized abstract machine.Comment: Nit
In the Age of Web: Typed Functional-First Programming Revisited
Most programming languages were designed before the age of web. This matters
because the web changes many assumptions that typed functional language
designers take for granted. For example, programs do not run in a closed world,
but must instead interact with (changing and likely unreliable) services and
data sources, communication is often asynchronous or event-driven, and programs
need to interoperate with untyped environments.
In this paper, we present how the F# language and libraries face the
challenges posed by the web. Technically, this comprises using type providers
for integration with external information sources and for integration with
untyped programming environments, using lightweight meta-programming for
targeting JavaScript and computation expressions for writing asynchronous code.
In this inquiry, the holistic perspective is more important than each of the
features in isolation. We use a practical case study as a starting point and
look at how F# language and libraries approach the challenges posed by the web.
The specific lessons learned are perhaps less interesting than our attempt to
uncover hidden assumptions that no longer hold in the age of web.Comment: In Proceedings ML/OCaml 2014, arXiv:1512.0143
A flexible model for dynamic linking in Java and C#
Dynamic linking supports flexible code deployment, allowing partially linked code to link further code on the fly, as needed.
Thus, end-users enjoy the advantage of automatically receiving any updates, without any need for any explicit actions on their side,
such as re-compilation, or re-linking. On the down side, two executions of a program may link in different versions of code, which
in some cases causes subtle errors, and may mystify end-users.
Dynamic linking in Java and C# are similar: the same linking phases are involved, soundness is based on similar ideas, and
executions which do not throw linking errors give the same result. They are, however, not identical: the linking phases are combined
differently, and take place in different order. Consequently, linking errors may be detected at different times by Java and C# runtime
systems.
We develop a non-deterministic model, which describes the behaviour of both Java and C# program executions. The nondeterminism
allows us to describe the design space, to distill the similarities between the two languages, and to use one proof of
soundness for both. We also prove that all execution strategies are equivalent with respect to terminating executions that do not
throw link errors: they give the same results
- …