241 research outputs found

    Mechanising and verifying the WebAssembly specification

    WebAssembly is a new low-level language currently being implemented in all major web browsers. It is designed to become the universal compilation target for the web, obsoleting existing solutions in this area, such as asm.js and Native Client. The WebAssembly working group has incorporated formal techniques into the development of the language, but their efforts so far have focussed on pen and paper formal specification. We present a mechanised Isabelle specification for the WebAssembly language, together with a verified executable interpreter and type checker. Moreover, we present a fully mechanised proof of the soundness of the WebAssembly type system, and detail how our work on this proof has exposed several issues with the official WebAssembly specification, influencing its development. Finally, we give a brief account of our efforts in performing differential fuzzing of our interpreter against industry implementations

    CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem

    A significant amount of both client and server-side cryptography is implemented in JavaScript. Despite widespread concerns about its security, no other language has been able to match the convenience that comes from its ubiquitous support on the "web ecosystem" - the wide variety of technologies that collectively underpins the modern World Wide Web. With the introduction of the new WebAssembly bytecode language (Wasm) into the web ecosystem, we have a unique opportunity to advance a principled alternative to existing JavaScript cryptography use cases which does not compromise this convenience. We present Constant-Time WebAssembly (CT-Wasm), a type-driven, strict extension to WebAssembly which facilitates the verifiably secure implementation of cryptographic algorithms. CT-Wasm's type system ensures that code written in CT-Wasm is both information flow secure and resistant to timing side channel attacks; like base Wasm, these guarantees are verifiable in linear time. Building on an existing Wasm mechanization, we mechanize the full CT-Wasm specification, prove soundness of the extended type system, implement a verified type checker, and give several proofs of the language's security properties. We provide two implementations of CT-Wasm: an OCaml reference interpreter and a native implementation for Node.js and Chromium that extends Google's V8 engine. We also implement a CT-Wasm to Wasm rewrite tool that allows developers to reap the benefits of CT-Wasm's type system today, while developing cryptographic algorithms for base Wasm environments. We evaluate the language, our implementations, and supporting tools by porting several cryptographic primitives - Salsa20, SHA-256, and TEA - and the full TweetNaCl library. We find that CT-Wasm is fast, expressive, and generates code that we experimentally measure to be constant-time

    Wasm SpecTec: Engineering a Formal Language Standard

    WebAssembly (Wasm) is a low-level bytecode language and virtual machine, intended as a compilation target for a wide range of programming languages, which is seeing increasing adoption across diverse ecosystems. As a young technology, Wasm continues to evolve -- it reached version 2.0 last year and another major update is expected soon. For a new feature to be standardised in Wasm, four key artefacts must be presented: a formal (mathematical) specification of the feature, an accompanying prose pseudocode description, an implementation in the official reference interpreter, and a suite of unit tests. This rigorous process helps to avoid errors in the design and implementation of new Wasm features, and Wasm's distinctive formal specification in particular has facilitated machine-checked proofs of various correctness properties for the language. However, manually crafting all of these artefacts requires expert knowledge combined with repetitive and tedious labor, which is a burden on the language's standardization process and authoring of the specification. This paper presents Wasm SpecTec, a technology to express the formal specification of Wasm through a domain-specific language. This DSL allows all of Wasm's currently handwritten specification artefacts to be error-checked and generated automatically from a single source of truth, and is designed to be easy to write, read, compare, and review. We believe that Wasm SpecTec's automation and meta-level error checking will significantly ease the current burden of the language's specification authors. We demonstrate the current capabilities of Wasm SpecTec by showcasing its proficiency in generating various artefacts, and describe our work towards replacing the manually written official Wasm specification document with specifications generated by Wasm SpecTec. Comment: 5 pages, 7 figure

    In search of the authentic nation: landscape and national identity in Canada and Switzerland

    While the study of nationalism and national identity has flourished in the last decade, little attention has been devoted to the conditions under which natural environments acquire significance in definitions of nationhood. This article examines the identity-forming role of landscape depictions in two polyethnic nation-states: Canada and Switzerland. Two types of geographical national identity are identified. The first – what we call the ‘nationalisation of nature’ – portrays particular landscapes as expressions of national authenticity. The second pattern – what we refer to as the ‘naturalisation of the nation’ – rests upon a notion of geographical determinism that depicts specific landscapes as forces capable of determining national identity. The authors offer two reasons why the second pattern came to prevail in the cases under consideration: (1) the affinity between wild landscape and the Romantic ideal of pure, rugged nature, and (2) a divergence between the nationalist ideal of ethnic homogeneity and the polyethnic composition of the two societies under consideration

    Precision determination of electroweak parameters and the strange content of the proton from neutrino deep-inelastic scattering

    We use recent neutrino dimuon production data combined with a global deep-inelastic parton fit to construct a new parton set, NNPDF1.2, which includes a determination of the strange and antistrange distributions of the nucleon. The result is characterized by a faithful estimation of uncertainties thanks to the use of the NNPDF methodology, and is free of model or theoretical assumptions other than the use of NLO perturbative QCD and exact sum rules. Better control of the uncertainties of the strange and antistrange parton distributions allows us to reassess the determination of electroweak parameters from the NuTeV dimuon data. We perform a direct determination of the |V_cd| and |V_cs| CKM matrix elements, obtaining central values in agreement with the current global CKM fit: specifically we find |V_cd|=0.244\pm 0.019 and |V_cs|=0.96\pm 0.07. Our result for |V_cs| is more precise than any previous direct determination. We also reassess the uncertainty on the NuTeV determination of \sin^2\theta_W through the Paschos-Wolfenstein relation: we find that the very large uncertainties in the strange valence momentum fraction are sufficient to bring the NuTeV result into complete agreement with the results from precision electroweak data. Comment: 46 pages, 20 figures; fig.12 and discussion on positivity added, several typos corrected. Final version, to be published in Nucl. Phys.

    Very Small Embryonic-Like Stem Cells Purified from Umbilical Cord Blood Lack Stem Cell Characteristics

    Very small embryonic-like (VSEL) cells have been described as putatively pluripotent stem cells present in murine bone marrow and human umbilical cord blood (hUCB) and as such are of high potential interest for regenerative medicine. However, there remain some questions concerning the precise identity and properties of VSEL cells, particularly those derived from hUCB. For this reason, we have carried out an extensive characterisation of purified populations of VSEL cells from a large number of UCB samples. Consistent with a previous report, we find that VSEL cells are CXCR4+, have a high density, are indeed significantly smaller than HSC and have an extremely high nuclear/cytoplasmic ratio. Their nucleoplasm is unstructured and stains strongly with Hoechst 33342. A comprehensive FACS screen for surface markers characteristic of embryonic, mesenchymal, neuronal or hematopoietic stem cells revealed negligible expression on VSEL cells. These cells failed to expand in vitro under a wide range of culture conditions known to support embryonic or adult stem cell types and a microarray analysis revealed the transcriptional profile of VSEL cells to be clearly distinct both from well-defined populations of pluripotent and adult stem cells and from the mature hematopoietic lineages. Finally, we detected an aneuploid karyotype in the majority of purified VSEL cells by fluorescence in situ hybridisation. These data support neither an embryonic nor an adult stem cell like phenotype, suggesting rather that hUCB VSEL cells are an aberrant and inactive population that is not comparable to murine VSEL cells