Bidirectional Type Checking for Relational Properties
Relational type systems have been designed for several applications including
information flow, differential privacy, and cost analysis. In order to achieve
the best results, these systems often use relational refinements and relational
effects to maximally exploit the similarity in the structure of the two
programs being compared. Relational type systems are appealing for relational
properties because they deliver simpler and more precise verification than what
could be derived from typing the two programs separately. However, relational
type systems do not yet achieve the practical appeal of their non-relational
counterparts, in part because general foundations for implementing them have
been lacking.
In this paper, we take a step in this direction by developing bidirectional
relational type checking for systems with relational refinements and effects.
Our approach achieves the benefits of bidirectional type checking, in a
relational setting. In particular, it significantly reduces the need for typing
annotations through the combination of type checking and type inference. In
order to highlight the foundational nature of our approach, we develop
bidirectional versions of several relational type systems which incrementally
combine many different components needed for expressive relational analysis.
Comment: 14 page
Bounded Expectations: Resource Analysis for Probabilistic Programs
This paper presents a new static analysis for deriving upper bounds on the
expected resource consumption of probabilistic programs. The analysis is fully
automatic and derives symbolic bounds that are multivariate polynomials of the
inputs. The new technique combines manual state-of-the-art reasoning techniques
for probabilistic programs with an effective method for automatic
resource-bound analysis of deterministic programs. It can be seen both as an
extension of automatic amortized resource analysis (AARA) to probabilistic
programs and an automation of manual reasoning for probabilistic programs that
is based on weakest preconditions. As a result, bound inference can be reduced
to off-the-shelf LP solving in many cases and automatically-derived bounds can
be interactively extended with standard program logics if the automation fails.
Building on existing work, the soundness of the analysis is proved with respect
to an operational semantics that is based on Markov decision processes. The
effectiveness of the technique is demonstrated with a prototype implementation
that is used to automatically analyze 39 challenging probabilistic programs and
randomized algorithms. Experimental results indicate that the derived constant
factors in the bounds are very precise and even optimal for many programs.
Do you have space for dessert? a verified space cost semantics for CakeML programs
Garbage collectors relieve the programmer from manual memory management, but lead to compiler-generated machine code that can behave differently (e.g. out-of-memory errors) from the source code. To ensure that the generated code behaves exactly like the source code, programmers need a way to answer questions of the form: what is a sufficient amount of memory for my program to never reach an out-of-memory error? This paper develops a cost semantics that can answer such questions for CakeML programs. The work described in this paper is the first to be able to answer such questions with proofs in the context of a language that depends on garbage collection. We demonstrate that positive answers can be used to transfer liveness results proved for the source code to liveness guarantees about the generated machine code. Without guarantees about space usage, only safety results can be transferred from source to machine code. Our cost semantics is phrased in terms of an abstract intermediate language of the CakeML compiler, but results proved at that level map directly to the space cost of the compiler-generated machine code. All of the work described in this paper has been developed in the HOL4 theorem prover.
Verifying and Synthesizing Constant-Resource Implementations with Types
We propose a novel type system for verifying that programs correctly
implement constant-resource behavior. Our type system extends recent work on
automatic amortized resource analysis (AARA), a set of techniques that
automatically derive provable upper bounds on the resource consumption of
programs. We devise new techniques that build on the potential method to
achieve compositionality, precision, and automation.
A strict global requirement that a program always maintains constant resource
usage is too restrictive for most practical applications. It is sufficient to
require that the program's resource behavior remain constant with respect to an
attacker who is only allowed to observe part of the program's state and
behavior. To account for this, our type system incorporates information flow
tracking into its resource analysis. This allows our system to certify programs
that need to violate the constant-time requirement in certain cases, as long as
doing so does not leak confidential information to attackers. We formalize this
guarantee by defining a new notion of resource-aware noninterference, and prove
that our system enforces it.
Finally, we show how our type inference algorithm can be used to synthesize a
constant-time implementation from one that cannot be verified as secure,
effectively repairing insecure programs automatically. We also show how a
second novel AARA system that computes lower bounds on resource usage can be
used to derive quantitative bounds on the amount of information that a program
leaks through its resource use. We implemented each of these systems in
Resource Aware ML, and show that it can be applied to verify constant-time
behavior in a number of applications including encryption and decryption
routines, database queries, and other resource-aware functionality.
Comment: 30, IEEE S&P 201
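The following Python is an added illustration of the property the abstract calls resource-aware noninterference; it is not code from the paper or from Resource Aware ML. The "resource" is an abstract step counter, the attacker is modelled as seeing the public argument and the cost but not the secret, and the relational check asks whether two runs that agree on the public input also agree on cost. The names `CostMeter`, `leaky_compare`, `ct_compare` and `pad_to_bound`, the choice to treat lengths as public, and the padding-based repair are assumptions made for this example, not the paper's type system or its synthesis algorithm.

```python
import math
from typing import Callable, Iterable


class CostMeter:
    """Counts abstract resource units consumed by one run (assumed cost model)."""

    def __init__(self) -> None:
        self.ticks = 0

    def tick(self, n: int = 1) -> None:
        self.ticks += n


# Both functions compare a secret value (e.g. an expected MAC) with a public,
# attacker-supplied tag. Lengths are treated as public (fixed-size tags), so a
# branch on length is permitted by this policy; a branch on byte values is not.

def leaky_compare(secret: bytes, public: bytes, m: CostMeter) -> bool:
    """Early-exit comparison: the loop stops at the first mismatch, so the tick
    count reveals how many leading bytes of the secret were guessed correctly."""
    if len(secret) != len(public):
        m.tick()
        return False
    for x, y in zip(secret, public):
        m.tick()
        if x != y:
            return False
    return True


def ct_compare(secret: bytes, public: bytes, m: CostMeter) -> bool:
    """Constant-resource comparison: the loop always visits every byte."""
    if len(secret) != len(public):
        m.tick()
        return False
    diff = 0
    for x, y in zip(secret, public):
        m.tick()
        diff |= x ^ y
    return diff == 0


Compare = Callable[[bytes, bytes, CostMeter], bool]


def cost_of(fn: Compare, secret: bytes, public: bytes) -> int:
    m = CostMeter()
    fn(secret, public, m)
    return m.ticks


def resource_noninterference(fn: Compare, secrets: Iterable[bytes], public: bytes) -> bool:
    """Relational check: for a fixed public input, every choice of secret must
    yield the same cost. This is the two-run property from the abstract, checked
    here by enumeration rather than by typing."""
    return len({cost_of(fn, s, public) for s in secrets}) == 1


def leaked_bits(fn: Compare, secrets: Iterable[bytes], public: bytes) -> float:
    """log2 of the number of distinguishable cost classes: how much the cost
    channel can tell an observer about which secret was used."""
    return math.log2(len({cost_of(fn, s, public) for s in secrets}))


def pad_to_bound(fn: Compare, bound: int) -> Compare:
    """Illustrative repair (an assumption for this example, not the paper's
    synthesis): run the original function, then consume ticks up to a fixed
    upper bound so the total no longer depends on the secret."""

    def padded(secret: bytes, public: bytes, m: CostMeter) -> bool:
        start = m.ticks
        result = fn(secret, public, m)
        used = m.ticks - start
        if used > bound:
            raise ValueError("bound is not an upper bound on the actual cost")
        m.tick(bound - used)
        return result

    return padded


# Constructed sample: four 4-byte secrets that first differ from the all-zero
# public tag at positions 0, 1, 2 and 3 respectively.
SECRETS = [bytes([1, 0, 0, 0]), bytes([0, 1, 0, 0]),
           bytes([0, 0, 1, 0]), bytes([0, 0, 0, 1])]
PUBLIC = bytes(4)

if __name__ == "__main__":
    print("leaky_compare noninterfering:",
          resource_noninterference(leaky_compare, SECRETS, PUBLIC),
          "leaks", leaked_bits(leaky_compare, SECRETS, PUBLIC), "bits")
    print("ct_compare noninterfering:",
          resource_noninterference(ct_compare, SECRETS, PUBLIC))
    repaired = pad_to_bound(leaky_compare, bound=len(PUBLIC))
    print("padded leaky_compare noninterfering:",
          resource_noninterference(repaired, SECRETS, PUBLIC))
```

The early-exit version produces four distinct costs for the four secrets (two bits of information about the secret per query), the constant-time version produces one, and padding the leaky version to the bound `len(PUBLIC)` makes it pass the same check. The length branch is left in both versions on purpose: under a policy that declares the length public, it violates strict constant cost without leaking anything the attacker does not already know, which is the relaxation the abstract describes.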
Relational cost analysis
Programming languages research has made great progress towards statically estimating the execution cost of a program. However, when one is interested in how the execution costs of two programs compare to each other (i.e., relational cost analysis), unary techniques do not work well in many cases. To support a relational cost analysis, we must ultimately reason not only about the executions of a single program, but about the executions of two programs, taking their similarities into account. This dissertation makes several contributions to the understanding and development of such a relational cost analysis. It shows how:
• Refinement types and effect systems can express functional and relational quantitative properties of pairs of programs, including the difference in execution costs.
• Relational cost analysis can be adapted to reason about dynamic stability, a measure of the update times of incremental programs as their inputs change.
• A sound and complete bidirectional type system can be developed (and implemented) for relational cost analysis.
Refinement Types for Incremental Computational Complexity
With recent advances, programs can be compiled to efficiently respond to incremental input changes. However, there is no language-level support for reasoning about the time complexity of incremental updates. Motivated by this gap, we present CostIt, a higher-order functional language with a lightweight refinement type system for proving asymptotic bounds on incremental computation time. Type refinements specify which parts of inputs and outputs may change, as well as dynamic stability, a measure of the time required to propagate changes to a program's execution trace given modified inputs. We prove our type system sound using a new step-indexed cost semantics for change propagation and demonstrate the precision and generality of our technique through examples.