ICFP 1999 1
Principals in Programming Languages:
A Syntactic Proof Technique
Steve Zdancewic
Dan Grossman and Greg Morrisett
Cornell University
Type Abstraction
• Long history of study: Strachey 1967, Reynolds 1974, 1983, Mitchell & Plotkin 1988, ...
• Reasoning about programs
  – Type safety
  – System design
  – Extensible systems
Principals
• One way to characterize principals is by their "view" of the environment.
• Resources available
  – Memory
  – Security privileges
  – Type information (this talk)
Types and Principals
API (shared by host and client):
  (* File handle *)
  abstype fh
  open : string → fh
  read : fh → char
Host:
  type fh = int
  fun open s = ...
Client:
  val h = open "file"
  ...
Safety Properties
• Client can't create file handles:
  – Must call open to obtain file handles
• File handles are abstract:
  – No client ever performs [handle + 3]
  – Host can return any integer as handle
• The read function is applied only to host-provided values
Polymorphic Encoding
(Λfh. λhost:{open: string → fh, read: fh → char}. <client>)
Operational Models Needed
• Parametric polymorphism
• Recursive types
• References & state
• Control operators
• Threads
• Objects
• ...
The Goal
Track and enforce type abstractions in an operational semantics.
(Proofs in style of Wright & Felleisen 1992)
“Linking” Host and Client
(Λfh. λhost:{open: string → fh, read: fh → char}. <client>) [int] <host>
Evaluation
(Λfh. λhost:{open: string → fh, read: fh → char}. <client body>) [int] <host>
→ (λhost:{open: string → int, read: int → char}. <client>{int/fh}) <host>
Evaluation
(λhost:{open: string → int, read: int → char}. <client body>{int/fh}) <host>
→ <client>{int/fh}{<host>/host}
An Observation
• No mention of fh
• No distinction between client and host
<client>{int/fh}{<host>/host}
Our Solution
Make principals explicit in the syntax:
• Color client code blue
• Color host code red
• Typecheck with different rules:
  – Host knows fh = int
• Track colors during evaluation
Syntax
τ ::= fh | int | τ → τ | ...
C ::= x | n | λx:τ.C | (C C) | [H]_τ
H ::= x | n | λx:τ.H | (H H) | [C]_τ
Δ ::= Ø | Δ[x:τ]_C | Δ[x:τ]_H
Client Operational Semantics
[λx:τ.H]_{τ→τ'} → λx:τ.[H{[x]_τ/x}]_{τ'}
[n]_int → n
[n]_fh is a value (an opaque handle; the client cannot reduce it further)
Host Operational Semantics
[[n]_fh]_int → n
e → e'  ⟹  [e] → [e']
Example evaluation: the client applies the host's read function hr, seen at type fh → char, to its handle [3]_fh.
   [λhandle:int. hr(handle)]_{fh→char} [3]_fh
→  (λhandle:fh. [hr([handle]_int)]_char) [3]_fh
→  [hr([[3]_fh]_int)]_char
→  [hr(3)]_char
→  ['A']_char
→  'A'
Static Semantics
Typing rules for embeddings (client judgments ⊢_C, host judgments ⊢_H):
Δ ⊢_C C : τ  ⟹  Δ ⊢_H [C]_τ : τ{int/fh}
Δ ⊢_H H : τ{int/fh}  ⟹  Δ ⊢_C [H]_τ : τ
Theorems
Soundness proved by standard Subject Reduction and Progress lemmas.
Erasure property: Embeddings and colors don’t affect evaluation.
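The evaluation example above and the Erasure property, as an added Python model that is not part of the talk: a small-step evaluator for the colored syntax, where `Embed` stands for [e]_τ carrying the color of the principal viewing e, with the slides' reduction rules. Variables are plain strings, the host's read function hr is a Python callable assumed to map handle 3 to 'A' as in the example, and `erase` drops embeddings to check that the result is unchanged.

```python
from dataclasses import dataclass
CLIENT, HOST = "client", "host"  # the two principals (blue and red in the talk)
@dataclass(frozen=True)
class Lit: val: object                              # an integer n or a char
@dataclass(frozen=True)
class Lam: x: str; ty: object; body: object; color: str
@dataclass(frozen=True)
class App: f: object; a: object
@dataclass(frozen=True)
class Embed: inner: object; ty: object; color: str  # [inner]_ty as seen by principal `color`
def subst(t, x, v):  # t{v/x}; binder names in the example are distinct, so no capture handling
    if isinstance(t, str): return v if t == x else t
    if isinstance(t, Lam): return t if t.x == x else Lam(t.x, t.ty, subst(t.body, x, v), t.color)
    if isinstance(t, App): return App(subst(t.f, x, v), subst(t.a, x, v))
    if isinstance(t, Embed): return Embed(subst(t.inner, x, v), t.ty, t.color)
    return t
def is_handle(t):  # [n]_fh: an opaque file handle, a value for the client, which cannot look inside
    return isinstance(t, Embed) and t.color == CLIENT and t.ty == "fh" and isinstance(t.inner, Lit)
def is_value(t): return isinstance(t, (Lit, Lam)) or callable(t) or is_handle(t)

def step(t):  # one small step; None if t is a value or stuck (e.g. a client applying a bare handle)
    if is_value(t): return None
    if isinstance(t, App):
        if not is_value(t.f): s = step(t.f); return None if s is None else App(s, t.a)
        if not is_value(t.a): s = step(t.a); return None if s is None else App(t.f, s)
        if isinstance(t.f, Lam): return subst(t.f.body, t.f.x, t.a)             # beta reduction
        if callable(t.f) and isinstance(t.a, Lit): return Lit(t.f(t.a.val))   # host primitive
    if isinstance(t, Embed):
        i, ty, c = t.inner, t.ty, t.color
        if c == HOST and ty == "int" and is_handle(i): return i.inner  # [[n]_fh]_int -> n, host only
        if isinstance(i, Lit) and ty in ("int", "char"): return i      # [n]_int -> n
        if isinstance(i, Lam) and isinstance(ty, tuple):                # [λx:τ.e]_{τ1→τ2} -> λx:τ1.[e{[x]_τ/x}]_{τ2}
            other = HOST if c == CLIENT else CLIENT
            return Lam(i.x, ty[0], Embed(subst(i.body, i.x, Embed(i.x, i.ty, other)), ty[1], c), c)
        s = step(i)
        return None if s is None else Embed(s, ty, c)                   # congruence: e -> e' ⇒ [e] -> [e']
def evaluate(t):  # run to a value or stuck term; returns (final term, number of steps taken)
    n = 0
    while (s := step(t)) is not None: t, n = s, n + 1
    return t, n
def erase(t):  # drop all embeddings (and with them the colors); Erasure says the result is unchanged
    if isinstance(t, Embed): return erase(t.inner)
    if isinstance(t, Lam): return Lam(t.x, t.ty, erase(t.body), t.color)
    if isinstance(t, App): return App(erase(t.f), erase(t.a))
    return t

# Constructed example from the slides: host read function hr (assumed to map handle 3 to 'A'),
# viewed by the client at type fh -> char and applied to the client's opaque handle [3]_fh.
HR = lambda n: {3: "A"}[n]
EXAMPLE = App(Embed(Lam("handle", "int", App(HR, "handle"), HOST), ("fh", "char"), CLIENT),
              Embed(Lit(3), "fh", CLIENT))
```

`evaluate(EXAMPLE)` takes exactly the five steps shown on the slides and ends at 'A'; a client term that tries to apply [3]_fh directly is stuck rather than misinterpreting the integer.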
Independence of Evaluation
If C is host-free and λh:fh.C has type fh → int, then
  (λh:fh.C) [n]_fh →* m   iff   (λh:fh.C) [n']_fh →* m
File Handles Come From Open
Suppose (λopen:string → fh. C) is well-typed and C is host-free. If
  (λopen:string → fh. C) [λs:string. ho(s)]_{string→fh}
steps to C' containing [n]_fh as a subterm, then n was derived from a sequence of the form ho(s) →* n.
The General Setting
• Multiple principals
• Many abstract types
• Products, sums, recursive types, and references
• Proofs follow standard techniques
Related Work
• Language Based Security (Smith & Volpano '97, Heintze & Riecke '98, Myers '99)
• Principals (Nielson & Nielson '92, Leroy & Rouaix '98)
• Other Parametricity Results
(Abadi, Cardelli & Curien '93, Crary '99, Pierce & Sangiorgi '99)
Summary
Principals are a useful conceptual framework.
Operational approach to proving type abstraction properties
Host Operational Semantics
[[n]_fh]_int → n
[λx:τ.C]_{τ→τ'} → λx:τ{int/fh}.[C{[x]_τ/x}]_{τ'}