Linear Types, Protocols, and Processes in Classical F°

Session types and typestate both promise a type system that can reason about protocol adherence. The complexity budgets of most programming languages, however, do not allow for new forms of types aimed at specific problem domains--even domains as broad as these. Classical F◦ --read F-pop --is a typed λ-calculus based on classical (i.e., full) linear logic, wherein session types arise naturally from the interaction between the usual sums, products, and implications of linear logic and a simple process model, with the dualizing negation of classical logic naturally accounting for how a protocol is seen by each of a channel\u27s endpoints. Classical F◦ expressions evaluate to processes, reminiscent of those in the π-calculus, that communicate over channels, but source expressions, rather than including processes and channels, employ only two novel control operators that account for process creation and communication. F◦ is introduced by way of its intuitionistic fragment, which even on its own can account for typestate: the combination of linearity and polymorphism leads to natural encodings of many programmer-specified protocols. In fact, any protocol expressible as a regular language can be encoded in an intuitionistic F◦ type. F◦ distinguishes between linear and unrestricted types by using kinds together with a notion of subkinding, avoiding the pitfalls of approaches based on type qualifiers or modalities; kinds are related by a subkinding order that allows unrestricted types to be treated as though they were linear. Soundness for intuitionistic and classical F◦ is proved both in the standard operational sense of preservation and progress and for an augmented semantics that shows more directly that the expected properties of linearity are preserved. This establishes the absence of deadlocks in closed, well-typed F◦ programs; it also guarantees that such programs will not leak processes as long as their result types are unrestricted

Lolliproc: to Concurrency from Classical Linear Logic via Curry-Howard and Control

While many type systems based on the intuitionistic fragment of linear logic have been proposed, applications in programming languages of the full power of linear logic-including double-negation elimination-have remained elusive. Meanwhile, linearity has been used in many type systems for concurrent programs-e.g., session types-which suggests applicability to the problems of concurrent programming, but the ways in which linearity has interacted with concurrency primitives in lambda calculi have remained somewhat ad-hoc. In this paper we connect classical linear logic and concurrent functional programming in the language Lolliproc, which provides simple primitives for concurrency that have a direct logical interpretation and that combine to provide the functionality of session types. Lolliproc features a simple process calculus “under the hood” but hides the machinery of processes from programmers. We illustrate Lolliproc by example and prove soundness, strong normalization, and confluence results, which, among other things, guarantees freedom from deadlocks and race conditions

ABash: Finding Bugs in Bash Scripts

This paper describes the design and implementation of ABash, a tool for statically analyzing programs written in the bash scripting language. Although it makes no formal guarantees against missed errors or spurious warnings (largely due to the highly dynamic nature of bash scripts), ABash is useful for detecting certain common program errors that may lead to security vulnerabilities. In experiments with 49 bash scripts taken from popular Internet repositories, ABash was able to identify 20 of them as containing bugs of varying severity while yielding only a reasonable number of spurious warnings on both these scripts and the generally bug-free initialization scripts of the Ubuntu Linux distribution. ABash works by performing abstract interpretation of a bash script via an abstract semantics that accounts for shell variable expansion. The analysis is also parameterized by a collection of signatures that describe external program interfaces (for Unix commands, etc.), yielding an easily configurable and extensible framework for finding bugs in bash scripts

Linear types, protocols, and processes in classical F°

Session types and typestate both promise a type system that can reason about protocol adherence. The complexity budgets of most programming languages, however, do not allow for new forms of types aimed at specific problem domains—even domains as broad as these. Classical F°—read F-pop —is a typed λ-calculus based on classical (i.e., full) linear logic, wherein session types arise naturally from the interaction between the usual sums, products, and implications of linear logic and a simple process model, with the dualizing negation of classical logic naturally accounting for how a protocol is seen by each of a channel\u27s endpoints. Classical F° expressions evaluate to processes, reminiscent of those in the π-calculus, that communicate over channels, but source expressions, rather than including processes and channels, employ only two novel control operators that account for process creation and communication. F° is introduced by way of its intuitionistic fragment, which even on its own can account for typestate: the combination of linearity and polymorphism leads to natural encodings of many programmer-specified protocols. In fact, any protocol expressible as a regular language can be encoded in an intuitionistic F° type. F° distinguishes between linear and unrestricted types by using kinds together with a notion of subkinding, avoiding the pitfalls of approaches based on type qualifiers or modalities; kinds are related by a subkinding order that allows unrestricted types to be treated as though they were linear. Soundness for intuitionistic and classical F° is proved both in the standard operational sense of preservation and progress and for an augmented semantics that shows more directly that the expected properties of linearity are preserved. This establishes the absence of deadlocks in closed, well-typed F° programs; it also guarantees that such programs will not leak processes as long as their result types are unrestricted

Linear types, protocols, and processes in classical F°

Session types and typestate both promise a type system that can reason about protocol adherence. The complexity budgets of most programming languages, however, do not allow for new forms of types aimed at specific problem domains—even domains as broad as these. Classical F°—read F-pop —is a typed λ-calculus based on classical (i.e., full) linear logic, wherein session types arise naturally from the interaction between the usual sums, products, and implications of linear logic and a simple process model, with the dualizing negation of classical logic naturally accounting for how a protocol is seen by each of a channel\u27s endpoints. Classical F° expressions evaluate to processes, reminiscent of those in the π-calculus, that communicate over channels, but source expressions, rather than including processes and channels, employ only two novel control operators that account for process creation and communication. F° is introduced by way of its intuitionistic fragment, which even on its own can account for typestate: the combination of linearity and polymorphism leads to natural encodings of many programmer-specified protocols. In fact, any protocol expressible as a regular language can be encoded in an intuitionistic F° type. F° distinguishes between linear and unrestricted types by using kinds together with a notion of subkinding, avoiding the pitfalls of approaches based on type qualifiers or modalities; kinds are related by a subkinding order that allows unrestricted types to be treated as though they were linear. Soundness for intuitionistic and classical F° is proved both in the standard operational sense of preservation and progress and for an augmented semantics that shows more directly that the expected properties of linearity are preserved. This establishes the absence of deadlocks in closed, well-typed F° programs; it also guarantees that such programs will not leak processes as long as their result types are unrestricted

Lightweight linear types in system F o

We present System F ◦ , an extension of System F that uses kinds to distinguish between linear and unrestricted types, simplifying the use of linearity for general-purpose programming. We demonstrate through examples how System F ◦ can elegantly express many useful protocols, and we prove that any protocol representable as a DFA can be encoded as an F ◦ type. We supply mechanized proofs of System F ◦ ’s soundness and parametricity properties, along with a nonstandard operational semantics that formalizes common intuitions about linearity and aids in reasoning about protocols. We compare System F ◦ to other linear systems, noting that the simplicity of our kind-based approach leads to a more explicit account of what linearity is meant to capture, allowing otherwiseconflicting interpretations of linearity (in particular, restrictions on aliasing versus restrictions on resource usage) to coexist peacefully. We also discuss extensions to System F ◦ aimed at making the core language more practical, including the additive fragment of linear logic, algebraic datatypes, and recursion

Evidence-based audit

Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an access-control decision has been made in accordance with policy. Using such proofs for auditing reduces the trusted computing base and enables the ability to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because proof normalization can yield information about the relevance of policy statements. Untrusted, but well-typed, applications that access resources through an appropriate interface must obey the access control policy and create proofs useful for audit. This paper presents AURA0, an authorization logic based on a dependently-typed variant of DCC and proves the metatheoretic properties of subject-reduction and normalization. It shows the utility of proof-based auditing in a number of examples and discusses several pragmatic issues that must be addressed in this context.

Evidence-based audit, technical appendix

Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an access-control decision has been made in accordance with policy. Using such proofs for auditing reduces the trusted computing base and enables the ability to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because proof normalization can yield information about the relevance of policy statements. Untrusted, but well-typed, applications that access resources through an appropriate interface must obey the access control policy and create proofs useful for audit. This paper presents AURA0, an authorization logic based on a dependently-typed variant of DCC and proves the metatheoretic properties of subject-reduction and normalization. It shows the utility of proof-based auditing in a number of examples and discusses several pragmatic issues that must be addressed in this context.

AURA: A programming language for authorization and audit

This paper presents AURA, a programming language for access control that treats ordinary programming constructs (e.g., integers and recursive functions) and authorization logic constructs (e.g., principals and access control policies) in a uniform way. AURA is based on polymorphic DCC and uses dependent types to permit assertions that refer directly to AURA values while keeping computation out of the assertion level to ensure tractability. The main technical results of this paper include fully mechanically verified proofs of the decidability and soundness for AURA’s type system, and a prototype typechecker and interpreter