Randy Pollack

Engineering formal metatheory

Machine-checked proofs of properties of programming languages have become acritical need, both for increased confidence in large and complex designsand as a foundation for technologies such as proof-carrying code. However, constructing these proofs remains a black art, involving many choices in the formulation of definitions and theorems that make a huge cumulative difference in the difficulty of carrying out large formal developments. There presentation and manipulation of terms with variable binding is a key issue. We propose a novel style for formalizing metatheory, combining locally nameless representation of terms and cofinite quantification of free variable names in inductivedefinitions of relations on terms (typing, reduction, ...). The key technical insight is that our use of cofinite quantification obviates the need for reasoning about equivariance (the fact that free names can be renamed in derivations); in particular, the structural induction principles of relations defined using cofinite quantification are strong enough for metatheoretic reasoning, and need not be explicitly strengthened. Strong inversion principles follow (automatically, in Coq) from the induction principles. Although many of the underlying ingredients of our technique have been used before, their combination here yields a significant improvement over other methodologies using first-order representations, leading to developments that are faithful to informal practice, yet require noexternal tool support and little infrastructure within the proof assistant. We have carried out several large developments in this style using the Coq proof assistant and have made them publicly available. Our developments include type soundness for System F sub; and core ML (with references, exceptions, datatypes, recursion, and patterns) and subject reduction for the Calculus of Constructions. Not only do these developments demonstrate the comprehensiveness of our approach; they have also been optimized for clarity and robustness, making them good templates for future extension.

A Logical Framework with Dependently Typed Records

Our long term goal is a system to formally represent complex structured mathematical objects, and proofs and computation on such objects; e.g. a foundational computer algebra system. Our approach is informed by the long development of module systems for functional programming based on dependent record types as signatures [22]. For our logical purposes, however, we want a dependently typed base language. In this paper we propose an extension of Martin-Lof’s logical framework [25, 21] with dependently typed records, and present the semantic foundation and the typechecking algorithm of our system. Some of the work is formally checked in Coq [8].1 We have also implemented and experimented with several related systems. Our proposal combines a semantic foundation, provably sound typechecking, good expressiveness (e.g. subtyping, sharing) and first-class higher-order modules. The development of functional programming modules has addressed many aspects of the problem, such as use of manifest or transparent fields to control the information available in a signature, signature strengthening, type abstraction, sharing and subtyping [19, 15, 20]. The problem of modularity is not, however, closed, with much current research into first-class higher-order modules, recursive modules and mixins. There has also been work on dependently typed records over dependent base languages. A first practical implementation is described in [3], however without semantic foundation. An original extension of Martin-Lof’s logical framework is given in [6], however it lacks manifest fields to express sharing, and lacks metamathematical analysis. A general approach to adding modules on top of a Pure Type System

A constructive algebraic hierarchy in Coq

We describe a framework of algebraic structures in the proof assistant Coq. We have developed this framework as part of the FTA project in Nijmegen, in which a constructive proof of the fundamental theorem of algebra has been formalized in Coq.The algebraic hierarchy that is described here is both abstract and structured. Structures like groups and rings are part of it in an abstract way, defining e.g. a ring as a tuple consisting of a group, a binary operation and a constant that together satisfy the properties of a ring. In this way, a ring automatically inherits the group properties of the additive subgroup. The algebraic hierarchy is formalized in Coq by applying a combination of labelled record types and coercions. In the labelled record types of Coq, one can use dependent types: the type of one label may depend on another label. This allows us to give a type to a dependent-typed tuple like 〈A, f, a〉, where A is a set, f an operation on A and a an element of A. Coercions are functions that are used implicitly (they are inferred by the type checker) and allow, for example, to use the structure A := 〈A, f, a〉 as a synonym for the carrier set A, as is often done in mathematical practice. Apart from the inheritance and reuse of properties, the algebraic hierarchy has proven very useful for reusing notations.

External and internal syntax of the λ-calculus

It is well known that formally defining and reasoning about languages with binding (such as logics and @l-calculii) is problematic. There are many approaches to deal with the problem, with much work over recent years stimulated by the desire to formally reason about programming languages and program logics. The various approaches have their own strengths and drawbacks, but no fully satisfactory approach has appeared. We present an approach based on two levels of syntax: an internal syntax which is convenient for machine manipulation, and an external syntax which is the usual informal syntax used in many articles and textbooks. Throughout the paper we use pure @l-calculus as an example, but the technique extends to many languages with binding. Our internal syntax is canonical: one representative of every @a-equivalence class. It is formalized in Isabelle/HOL, and its properties are mechanically proved. It is also proved to be isomorphic with a nominal representation of @l-calculus in Isabelle/HOL. Our conventional, human friendly external syntax is naturally related to the internal syntax by a semantic function. We do not define notions directly on the external syntax, since that would require the usual care about @a-renaming, but introduce them indirectly from the canonical internal syntax via the semantic function.

Preliminary design of the SAFE platform

Safe is a clean-slate design for a secure host architecture. It integrates advances in programming languages, operating systems, and hardware and incorporates formal methods at every step. Though the project is still at an early stage, we have assembled a set of basic architectural choices that we believe will yield a high-assurance system. We sketch the current state of the design and discuss several of these choices.

A Theory of Information-Flow Labels

The security literature offers a multitude of calculi, languages, and systems for information-flow control, each with some set of labels encoding security policies that can be attached to data and computations. The exact form of these labels varies widely, with different systems offering many different combinations of features addressing issues such as confidentiality, integrity, and policy ownership. This variation makes it difficult to compare the expressive power of different information-flow frameworks. To enable such comparisons, we introduce label algebras, an abstract interface for information-flow labels equipped with a notion of authority, and study several notions of embedding between them. The simplest is a straightforward notion of injection between label algebras, but this lacks a clear computational motivation and rejects some reasonable encodings between label models. We obtain a more refined account by defining a space of encodings parameterized by an interpretation of labels and authorities, thus giving a semantic flavor to the definition of encoding. We study the theory of semantic encodings and consider two specific instances, one based on the possible observations of boolean values and one based on the behavior of programs in a small lambda-calculus parameterized over an arbitrary label algebra. We use this framework to define and compare a number of concrete label algebras, including realizations of the familiar taint, endorsement, readers, and distrust models, as well as label algebras based on several existing programming languages and operating systems.

A verified information-flow architecture

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model. We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.

Certified Complexity (CerCo)

We provide an overview of the FET-Open Project CerCo (‘Certified Complexity’). Our main achievement is the development of a technique for analysing non-functional properties of programs (time, space) at the source level with little or no loss of accuracy and a small trusted code base. The core component is a C compiler, verified in Matita, that produces an instrumented copy of the source code in addition to generating object code. This instrumentation exposes, and tracks precisely, the actual (non-asymptotic) computational cost of the input program at the source level. Untrusted invariant generators and trusted theorem provers may then be used to compute and certify the parametric execution time of the code.

Reasoning About CBV Functional Programs in Isabelle/HOL

We consider the old problem of proving that a computer program meets some specification. By proving, we mean machine checked proof in some formal logic. The programming language we choose to work with is a call by value functional language, essentially the functional core of Standard ML (SML). In future work we hope to add exceptions, then references and I/O to the language.