Hanne Riis Nielson

Automatic binding time analysis for a typed l-calculus

Abstract A binding time analysis imposes a distinction between the computations to be performed early (e.g. at compile-time) and those to be performed late (e.g. at run-time). For the λ-calculus this distinction is formalized by a two-level λ-calculus. We present an algorithm for static analysis of the binding times of a typed λ-calculus with products, sums, lists and general recursive types. Given partial information about the binding times of some of the subexpressions it will complete that information such that (i) early bindings may be turned into late bindings but not vice versa, (ii) the resulting two-level λ-expression reflects our intuition about binding times, e.g. that early bindings are performed before late bindings, and (iii) as few changes as possible have been made compared with the initial binding information. The results can be applied in the implementation of functional languages and in semantics directed compiling.

Two-level semantics and code generation

Abstract We present a two-level denotational metalanguage that is suitable for defining the semantic of PASCAL-like languages. The two levels allow for an explicit distinction between computations taking place at compile-time and computations taking place at run-time. While this distinction is perhaps not absolutely necessary for describing the input-output semantics of programming languages, it is necessary when issues like data flow analysis and code generation are considered. For an example stack-machine we show how to generate code for the run-time computations and still perform the compile-time computations. Based on an example it is argued that compiler-tricks like the use of activation records suggest how to cope with certain syntactic restrictions in the metalanguage. The correctness of the code generation is proved using Kripke-like relations and using a modified machine that can be made to loop when a certain level of recursion is encountered.

Automated Generation of Attack Trees

Attack trees are widely used to represent threat scenarios in a succinct and intuitive manner, suitable for conveying security information to non-experts. The manual construction of such objects relies on the creativity and experience of specialists, and therefore it is error-prone and impracticable for large systems. Nonetheless, the automated generation of attack trees has only been explored in connection to computer networks and levering rich models, whose analysis typically leads to an exponential blow-up of the state space. We propose a static analysis approach where attack trees are automatically inferred from a process algebraic specification in a syntax-directed fashion, encompassing a great many application domains and avoiding incurring systematically an exponential explosion. Moreover, we show how the standard propositional denotation of an attack tree can be used to phrase interesting quantitative problems, that can be solved through an encoding into Satisfiability Modulo Theories. The flexibility and effectiveness of the approach is demonstrated on the study of a national-scale authentication system, whose attack tree is computed thanks to a Java implementation of the framework.

Semantics directed compiling for functional languages

The use of a two-level meta-language in denotational definitions imposes a formal distinction between compile-time entities and run-time entities. The automatic generation of compilers benefits from such an explicit distinction, in partlcular because it gives a general framework for the automatic application of data flow analyses and program transformations. Central to the approach is the concept of an interpretation of the meta-language and in this paper we show how code generation can be specified as an interpretation. This gives a great deal of flexibillty with respect to the choice of target language.

A flow-sensitive analysis of privacy properties

In this paper we consider service oriented architectures where many components interact with one another using a wireless network. We are interested in questions like: ldr Can I be sure that I do not get unsolicited information from some service? - unless I give my permission? ldr Can I be sure that information I send to some service never is leaked to another service? - unless I give my permission? We shall develop a static program analysis for the pi- calculus and show how it can be used to give privacy guarantees like the ones requested above. The analysis records the explicit information flow of the system and keeps track of, not only the potential configurations of the system, but also the order in which they may be encountered.

Finiteness conditions for fixed point iteration

This paper provides a link between the formulation of static program analyses using the framework of abstract interpretation (popular for functional languages and using the more classical framework of data flow anlysis (popular for imperative languages). In particular we show how the classical notions of fastness, rapidity and k-boundedness carry over to the abstract interpretation framework and how this may be used to bound the number of times a functional should be unfolded in order to yield the fixed point. This is supplemented with a number of results on how to calculate the bounds for iterative forms (as for tail recursion), for linear forms (as for one nested recursive call), and for primitive recursive forms. In some cases this improves the “worst case” results of, but more importantly it gives much better“average case” results.

Pragmatic Aspects of Two-Level Denotational Meta-Languages

This work is part of a research project on automatic generation of optimazing compilers from denotational language definitions. The novel aspect of our approach is that we are based on a two-level meta-language allowing us to distinguish between compile-time and run-time, and thereby to formalize e.g. the distinction between static expression procedures and expression procedures of Tennent (1981). In this paper we discuss some of the problems encountered when writing denotational definitions using a two-level meta-language. We consider the meta-language TMLS introduced in Nielson (1986a) as well as its restricted version TMLSC developed in Nielson and Nielson (1986) for automatic code generation. Based on an example we argue that rewriting a language definition using TMLS in TMLSC really means introducing some notion of activation record. This observation may pave the way for a formalization of the transformations on semantic definitions considered by Milne and Strachey (1976) as being imposed by different meta-languages.

Kleene's logic with equality

Plotkins Powerdomain facilitates a rational reconstruction of Kleenes Logic from Predicate Logic and we use this to apply the techniques developed in previous studies of powerdomains in semantics and static analysis of programs for suggesting natural formulae for interpreting new logical operators. It follows that the so-called summary predicate, considered in previous applications of Kleenes Logic for static analysis of programs, can be derived from equality; this leads to a substantial simplification in the notion of approximation between structures.

A hoare-like proof system for analysing the computation time of programs

Abstract Versions of Hoare logic have been introduced to prove partial and total correctness properties of programs. In this paper it is shown how a Hoare-like proof system for while programs may be extended to prove properties of the computation time as well. It should be stressed that the system does not require the programs to be modified by inserting explicit operations upon a clock variable. We generalize the notions of arithmetically sound and complete and show that the proof system satisfies these. Also we derive formal rules corresponding to the informal rules for determining the computation time of while programs. The applicability of the proof system is illustrated by an example, the bubble sorting algorithm.

Model Checking Multivariate State Rewards

We consider continuous stochastic logics with state rewards that are interpreted over continuous time Markov chains. We show how results from multivariate phase type distributions can be used to obtain higher-order moments for multivariate state rewards (including covariance). We also generalise the treatment of eventuality to unbounded path formulae. For all extensions we show how to obtain closed form definitions that are straightforward to implement and we illustrate our development on a small example.