Separation Logic for Small-step Cminor

Cminor is a mid-level imperative programming language; there are proved-correct optimizing compilers from C to Cminor and from Cminor to machine language. We have redesigned Cminor so that it is suitable for Hoare Logic reasoning and we have designed a Separation Logic for Cminor. In this paper, we give a small-step semantics (instead of the big-step of the proved-correct compiler) that is motivated by the need to support future concurrent extensions. We detail a machine-checked proof of soundness of our Separation Logic. This is the first large-scale machine-checked proof of a Separation Logic w.r.t. a small-step semantics. The work presented in this paper has been carried out in the Coq proof assistant. It is a first step towards an environment in which concurrent Cminor programs can be verified using Separation Logic and also compiled by a proved-correct compiler with formal end-to-end correctness guarantees.Comment: Version courte du rapport de recherche RR-613

Is Internet Voting Trustworthy? The Science and the Policy Battles

According to clear scientific consensus, no known technology can make internet voting secure. In some applications—such as e-pollbooks (voter sign-in), voter registration, and absentee ballot request—it is appropriate to use the internet, as the inherent insecurity can be mitigated by other means. But the insecurity of paperless transmission of a voted ballot through the internet cannot be mitigated. The law recognizes this in several ways. Courts have enjoined the use of certain paperless or internet-connected voting systems. Federal law requires states to allow voters to use the internet to request absentee ballots but carefully stops short of internet ballot return (i.e., voting). But many U.S. states and a few countries go beyond what is safe: they have adopted internet voting for citizens living abroad and (in some cases) for voters with disabilities. Most internet voting systems have an essentially common architecture, and they are insecure at least at the same key point: after the voter has reviewed the ballot but before it is transmitted. I review six internet voting systems deployed between 2006 and 2021 that were insecure in practice, just as predicted by theory—of which some were also insecure in surprising new ways, “unforced errors”. We cannot get along without the assistance of computers. U.S. ballots are too long to count entirely by hand unless the special circumstances of a recount require it. So computer-counted paper ballots play a critical role in the security and auditability of our elections. But audits cannot be used to secure internet voting systems, which have no paper ballots that form an auditable paper trail. There are policy controversies: trustworthiness versus convenience, and security versus accessibility. From 2019 to 2022 there were lawsuits in Virginia, New Jersey, New York, New Hampshire, and North Carolina; legislation enacted in Rhode Island and withdrawn in California. There is a common pattern to these disputes, which have mostly resolved in a way that provides remote accessible vote by mail (RAVBM) but stops short of permitting electronic ballot return (internet voting). What would it take to thoroughly review a proposed internet voting system to be assured whether it delivers the security it promises? Switzerland provides a case study. In Switzerland, after a few years of internet voting pilot projects, the Federal Chancellery commissioned several extremely thorough expert studies of their deployed system. These reports teach us not only about their internet voting system itself but about how to study those systems before making policy decisions. Accessibility of election systems to voters with disabilities is a genuine problem. Disability-rights groups have been among those lobbying for internet voting (which is not securable) and other forms of remote accessible vote by mail (which can be adequately securable). I review statistics showing that internet voting is probably not the most effective way to serve voters with disabilities

Proof-Carrying Code with Correct Compilers

In the late 1990s, proof-carrying code was able to produce machine-checkable safety proofs for machine-language programs even though (1) it was impractical to prove correctness properties of source programs and (2) it was impractical to prove correctness of compilers. But now it is practical to prove some correctness properties of source programs, and it is practical to prove correctness of optimizing compilers. We can produce more expressive proof-carrying code, that can guarantee correctness properties for machine code and not just safety. We will construct program logics for source languages, prove them sound w.r.t. the operational semantics of the input language for a proved-correct compiler, and then use these logics as a basis for proving the soundness of static analyses

A list-machine benchmark for mechanized metatheory

Projet GALLIUMWe propose a benchmark to compare theorem-proving systems on their ability to express proofs of compiler correctness. In contrast to the first POPLmark, we emphasize the connection of proofs to compiler implementations, and we point out that much can be done without binders or alpha-conversion. We propose specific criteria for evaluating the utility of mechanized metatheory systems; we have constructed solutions in both Coq and Twelf metatheory, and we draw conclusions about those two systems in particular

Separation Logic for Small-step Cminor (extended version)

Cminor is a mid-level imperative programming language (just below C), and there exist proved-correct optimizing compilers from C to Cminor and from Cminor to machine language. We have redesigned Cminor so that it is suitable for Hoare Logic reasoning, we have designed a Separation Logic for Cminor, we have given a small-step operational semantics so that extensions to concurrent Cminor will be possible, and we have a machine-checked proof of soundness of our Separation Logic. This is the first large-scale machine-checked proof of a Separation Logic w.r.t. a small-step semantics, or for a language with nontrivial reducible control-flow constructs. Our sequential soundness proof of the sequential Separation Logic for the sequential language features will be reusable change within a soundness proof of Concurrent Separation Logic w.r.t. Concurrent Cminor. In addition, we have a machine-checked proof of the relation between our small-step semantics and Leroy's original big-step semantics; thus sequential programs can be compiled by Leroy's compiler with formal end-to-end correctness guarantees

Foundational Verification of Stateful P4 Packet Processing

P4 is a standardized programming language for the network data plane. But P4 is not just for routing anymore. As programmable switches support stateful objects, P4 programs move beyond just stateless forwarders into new stateful applications: network telemetry (heavy hitters, DDoS detection, performance monitoring), middleboxes (firewalls, NAT, load balancers, intrusion detection), and distributed services (in-network caching, lock management, conflict detection). The complexity of stateful programs and their richer specifications are beyond what existing P4 program verifiers can handle. Verifiable P4 is a new interactive verification framework for P4 that (1) allows reasoning about multi-packet properties by specifying the per-packet relation between initial and final states; (2) performs modular verification, especially providing a modular description for stateful objects; (3) is foundational, i.e., with a machine-checked soundness proof with respect to a formal operational semantics of P4_{16} (the current specification of P4) in Coq. In addition, our framework includes a proved-correct reference interpreter. We demonstrate the framework with the specification and verification of a stateful firewall that uses a sliding-window Bloom filter on a Tofino switch to block (most) unsolicited traffic

Logical Step-Indexed Logical Relations

Appel and McAllester's "step-indexed" logical relations have proven to be a simple and effective technique for reasoning about programs in languages with semantically interesting types, such as general recursive types and general reference types. However, proofs using step-indexed models typically involve tedious, error-prone, and proof-obscuring step-index arithmetic, so it is important to develop clean, high-level, equational proof principles that avoid mention of step indices. In this paper, we show how to reason about binary step-indexed logical relations in an abstract and elegant way. Specifically, we define a logic LSLR, which is inspired by Plotkin and Abadi's logic for parametricity, but also supports recursively defined relations by means of the modal "later" operator from Appel, Melli\`es, Richards, and Vouillon's "very modal model" paper. We encode in LSLR a logical relation for reasoning relationally about programs in call-by-value System F extended with general recursive types. Using this logical relation, we derive a set of useful rules with which we can prove contextual equivalence and approximation results without counting steps

Micro-fading spectrometry: investigating the wavelength specificity of fading

A modified microfading spectrometer incorporating a linear variable filter is used to investigate the wavelength dependence of fading of traditional watercolour pigments, dosimeters and fading standards at a higher spectral resolution and/or sampling than had previously been attempted. While the wavelength dependence of photochemical damage was largely found to correlate well with the absorption spectra of each material, exceptions were found in the case of Prussian blue and Prussian green pigments (the latter includes Prussian blue), for which an anti-correlation between the spectral colour change and the absorption spectrum was found