Preliminary Design of the SAFE Platform
SAFE is a clean-slate design for a secure host architecture. It integrates advances in programming languages, operating systems, and hardware and incorporates formal methods at every step. Though the project is still at an early stage, we have assembled a set of basic architectural choices that we believe will yield a high-assurance system. We sketch the current state of the design and discuss several of these choices.
The Design and Implementation of an Abstract Interpreter for OCaml Programs: A Preliminary Report on the Salto Analyser
We report on a work in progress that aims at defining an effective static analyser for OCaml programs, by leveraging abstract interpretation techniques. The goal of the Salto static analyser is to detect precisely which exceptions an OCaml program might raise, and to report problematic cases, where a program execution might rely on elements of the OCaml semantics that are deemed under-specified or undefined. The Salto analyser exploits a novel abstract domain to represent inductively defined sets of trees, that draws inspiration from the theory of recursive types, from tree automata, and from the abstract domain of Type Graphs. The analyser itself is defined using a dynamic fixpoint solver, i.e., a generic library that implements an iteration strategy that finds a post-fixpoint. The solver automatically inserts widening points to ensure the convergence of the iteration process, and aims at limiting the unnecessary computations that may be asked by the iteration strategy.
Programming with first-class modules in a core language with subtyping, singleton kinds and open existential types
(160 pages) This thesis explains how the addition of three features to System Fω allows writing programs in a modular way in an explicit system à la Church, while keeping a style that is similar to ML modules. The first chapter focuses on open existential types, which provide a way to use existential types without scope restrictions: they allow programs to be organized in a more flexible manner. The second chapter is devoted to the study of singleton kinds, which model type definitions: in this framework, we give a simple characterization of type equivalence, based on a confluent and strongly normalizing reduction relation. The last chapter integrates the two previous notions into a core language equipped with a subtyping relation: this raises the modularity of Fω to a level comparable with the flexibility of ML modules. A translation from modules to this core language is defined, and is used to compare the two languages precisely.
Trace-Based Control-Flow Analysis
We define a small-step semantics for the untyped λ-calculus, that traces the β-reductions that occur during evaluation. By abstracting the computation traces, we reconstruct k-CFA using abstract interpretation, and justify constraint-based k-CFA in a semantic way. The abstract interpretation of the trace semantics also paves the way for introducing widening operators in CFA that go beyond existing analyses, which are all based on exploring a finite state space. We define ∇CFA, a widening-based analysis that limits the cycles in call stacks, and can achieve better precision than k-CFA at a similar cost.
Detecting uncaught exceptions in functional programs by abstract interpretation (extended version)
Exception handling is a key feature in modern programming languages. Exceptions can be used to deal with errors, or as a means to control the flow of execution of a program. Since they might unexpectedly terminate a program, unhandled exceptions are a serious safety concern. We propose a static analysis to detect uncaught exceptions in functional programs, that is defined as an abstract interpreter. It computes a description of the values potentially returned by a program using a novel abstract domain, that can express inductively defined sets of values. Simultaneously, the analysis infers the possibly raised exceptions, by computing in the abstract exception monad. This abstract interpreter has been implemented as an effective static analyser for a large subset of OCaml programs, that supports mutable data types, the OCaml module system, and dynamically extensible data types such as the exception type. The analyser has been evaluated on several hundred OCaml programs.
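As an added illustration of the technique described in this abstract and in the Salto abstract above (an abstract interpreter that computes in an abstract exception monad and obtains per-function results by fixpoint iteration), the following toy analyser is example code written for this page; it is not Salto's or the thesis's implementation. It assumes a tiny first-order language of its own (constructors Const, Var, Raise, Try, If, Let, Call; every function takes a single argument `x`) and a constructed sample program, and it collapses the value component of the monad to "may return normally" so that only the exception component is tracked precisely.

```python
"""Toy abstract interpreter inferring the exceptions a program may let escape.
Constructed illustration, not Salto's code. Analysed language: a tiny first-order
functional language (not OCaml) where every function takes one argument `x`, and
the value domain is collapsed to "may return normally" / "cannot return"."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union

@dataclass(frozen=True)
class Const: value: int
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Raise: exn: str
@dataclass(frozen=True)
class Try: body: "Expr"; handled: FrozenSet[str]; handler: "Expr"   # handled = caught constructors
@dataclass(frozen=True)
class If: cond: "Expr"; then: "Expr"; orelse: "Expr"
@dataclass(frozen=True)
class Let: name: str; bound: "Expr"; body: "Expr"
@dataclass(frozen=True)
class Call: fn: str; arg: "Expr"
Expr = Union[Const, Var, Raise, Try, If, Let, Call]

# Abstract exception monad: (may return normally, exceptions that may escape).
AbsResult = Tuple[bool, FrozenSet[str]]
BOTTOM: AbsResult = (False, frozenset())

def join(a: AbsResult, b: AbsResult) -> AbsResult:
    return (a[0] or b[0], a[1] | b[1])

def eval_abs(e: Expr, summaries: Dict[str, AbsResult]) -> AbsResult:
    """Abstract evaluation of `e` under the current per-function summaries."""
    if isinstance(e, (Const, Var)):        # assumed well-scoped: variables are always bound
        return (True, frozenset())
    if isinstance(e, Raise):
        return (False, frozenset({e.exn}))
    if isinstance(e, Let):                 # monadic bind: body is dead if `bound` never returns
        ret, exns = eval_abs(e.bound, summaries)
        if not ret:
            return (False, exns)
        ret2, exns2 = eval_abs(e.body, summaries)
        return (ret2, exns | exns2)
    if isinstance(e, If):
        retc, exnc = eval_abs(e.cond, summaries)
        if not retc:
            return (False, exnc)
        ret, exns = join(eval_abs(e.then, summaries), eval_abs(e.orelse, summaries))
        return (ret, exnc | exns)
    if isinstance(e, Try):                 # handler removes what it catches, adds what it raises
        retb, exnb = eval_abs(e.body, summaries)
        escaping = exnb - e.handled
        if not (exnb & e.handled):         # handler provably unreachable: skip it
            return (retb, escaping)
        reth, exnh = eval_abs(e.handler, summaries)
        return (retb or reth, escaping | exnh)
    if isinstance(e, Call):                # argument first, then the callee's current summary
        reta, exna = eval_abs(e.arg, summaries)
        if not reta:
            return (False, exna)
        retf, exnf = summaries.get(e.fn, BOTTOM)
        return (retf, exna | exnf)
    raise TypeError(f"unknown expression {e!r}")

def analyse(program: Dict[str, Expr]) -> Dict[str, AbsResult]:
    """Kleene iteration from bottom until all summaries are stable (a post-fixpoint).
    The lattice here is finite (the program's exception names), so iteration converges
    on its own; an infinite domain like Salto's tree domain would need widening at the
    recursive call sites to guarantee termination."""
    summaries = {name: BOTTOM for name in program}
    while True:
        new = {name: eval_abs(body, summaries) for name, body in program.items()}
        if new == summaries:
            return summaries
        summaries = new

def uncaught(program: Dict[str, Expr], entry: str) -> list:
    """Exceptions that may escape from `entry`, sorted for stable reporting."""
    return sorted(analyse(program)[entry][1])

# Constructed sample program, in pseudo-OCaml (`x` is each function's argument):
#   let find x   = if x then raise Not_found else 0
#   let safe x   = try find x with Not_found -> 0
#   let lookup x = try find x with Failure -> 0         (* Not_found still escapes *)
#   let rec retry x = try find x with Not_found -> retry x
#   let main x   = let y = safe x in let z = retry x in lookup z
X = Var("x")
SAMPLE: Dict[str, Expr] = {
    "find":   If(X, Raise("Not_found"), Const(0)),
    "safe":   Try(Call("find", X), frozenset({"Not_found"}), Const(0)),
    "lookup": Try(Call("find", X), frozenset({"Failure"}), Const(0)),
    "retry":  Try(Call("find", X), frozenset({"Not_found"}), Call("retry", X)),
    "main":   Let("y", Call("safe", X), Let("z", Call("retry", X), Call("lookup", Var("z")))),
}

if __name__ == "__main__":
    for name, (ret, exns) in analyse(SAMPLE).items():
        print(f"{name:7s} returns={ret} may_raise={sorted(exns)}")
    print("uncaught in main:", uncaught(SAMPLE, "main"))   # ['Not_found']
```

The point the abstracts make shows up in `retry` and `lookup`: the recursive handler in `retry` is analysed by starting every summary at bottom and iterating until nothing changes, and the handler in `lookup` catches the wrong constructor, so `Not_found` is reported as escaping from `main`. Because the exception sets are drawn from the finite set of constructors in the program, the iteration terminates without widening; the widening points that Salto's solver inserts become necessary only with an infinite-height domain such as its tree domain for values.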