
ICFP 1999. Principals in Programming Languages: A Syntactic Proof Technique. Steve Zdancewic, Dan Grossman and Greg Morrisett, Cornell University.


Slide 2: Type Abstraction
Long history of study:
– Strachey 1967; Reynolds 1974, 1983; Mitchell & Plotkin 1988; ...
Reasoning about programs:
– Type safety
– System design
– Extensible systems

Slide 3: Principals
One way to characterize principals is by their "view" of the environment.
Resources available:
– Memory
– Security privileges
– Type information (this talk)

Slide 4: Types and Principals
API:
(* File handle *)
abstype fh
open : string fh
read : fh char
Host: type fh = int; fun open s = ...
Client: val h = open "file" ...

Slide 5: Safety Properties
Client can't create file handles:
– Must call open to obtain file handles
File handles are abstract:
– No client ever performs [ handle + 3 ]
– Host can return any integer as a handle
The read function is applied only to host-provided values.

Slide 6: Polymorphic Encoding
fh. host: { open: string fh, read: fh char }. )

Slide 7: Operational Models Needed
– Parametric polymorphism
– Recursive types
– References & state
– Control operators
– Threads
– Objects
– ...

Slide 8: The Goal
Track and enforce type abstractions in an operational semantics. (Proofs in the style of Wright & Felleisen 1992.)

Slide 9: Linking Host and Client
fh. host: { open: string fh, read: fh char }. ) int

Slide 10: Evaluation
fh. host: { open: string fh, read: fh char }. ) int
host: { open: string int, read: int char }. { int / fh })

Slide 11: Evaluation
host: { open: string int, read: int char }. [ int / fh ])
{ int / fh }{ / host }

Slide 12: An Observation
– No mention of fh
– No distinction between client and host
{ int / fh }{ / host }

Slide 13: Our Solution
Make principals explicit in the syntax:
– Color client code blue
– Color host code red
Typecheck with different rules:
– Host knows fh = int
Track colors during evaluation.

Slide 14: Syntax
fh | int | | ...
C  x | n | x C | (C C) | [H]
H  x | n | x H | (H H) | [C]
Ø | [x: ] | [x: ]

Slide 15: Client Operational Semantics
[ x H] x H x x
[n] int n
[n] fh

Slide 16: Host Operational Semantics
[ n fh ] int n
e e' [e] [e']
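As an added example (not code from the paper or the talk), the coloring discipline of slides 13 to 16 as a small Python checker and evaluator: terms are tagged tuples, [e]_tau is written ('emb', e, tau), the client's typing rules treat fh as abstract, the host's rules identify fh with int, and evaluation unwraps [n]_int and [[n]_fh]_int as on slides 15 and 16. The term shapes, function names and sample terms are this example's own assumptions.

```python
# Added example, not the paper's code: a toy evaluator that keeps the
# client/host "color" of every subterm explicit.  [e]_tau switches color;
# the client sees fh as abstract while the host knows fh = int.  Terms
# (constructed shapes): ('num', n), ('add', e1, e2), ('emb', e, tau) = [e]_tau
CLIENT, HOST = 'client', 'host'

def other(color):
    return HOST if color == CLIENT else CLIENT

def host_view(tau):
    """The host knows the representation of file handles: fh is int."""
    return 'int' if tau == 'fh' else tau

def typeof(e, color):
    """Type of e under the typing rules of `color`; TypeError if ill-typed."""
    if e[0] == 'num':
        return 'int'
    if e[0] == 'add':
        if typeof(e[1], color) != 'int' or typeof(e[2], color) != 'int':
            raise TypeError(color + ' code adds a non-int (fh is abstract)')
        return 'int'
    inner_ty = typeof(e[1], other(color))   # [inner]_tau: inner uses other rules
    if host_view(inner_ty) != host_view(e[2]):
        raise TypeError('embedding annotation does not match')
    return e[2] if color == CLIENT else host_view(e[2])

def evaluate(e, color):
    """Evaluate a well-typed term, tracking colors; returns a value term."""
    if e[0] == 'num':
        return e
    if e[0] == 'add':
        return ('num', evaluate(e[1], color)[1] + evaluate(e[2], color)[1])
    v = evaluate(e[1], other(color))
    if color == CLIENT:   # [n]_int -> n, while [n]_fh stays an opaque value
        return v if e[2] == 'int' else ('emb', v, 'fh')
    return v[1] if v[0] == 'emb' else v   # host: [[n]_fh]_int -> n, [n]_int -> n

def check_and_run(e, color):
    """('ok', n) for a well-typed term, ('ill-typed', reason) otherwise."""
    try:
        typeof(e, color)
    except TypeError as err:
        return ('ill-typed', str(err))
    return ('ok', evaluate(e, color)[1])

# Constructed terms: the host hands the client the handle [3]_fh
HANDLE = ('emb', ('num', 3), 'fh')
CLIENT_ARITH = ('add', HANDLE, ('num', 3))                # client: handle + 3
HOST_ARITH = ('add', ('emb', HANDLE, 'int'), ('num', 3))  # host: [[3]_fh]_int + 3
```

check_and_run(CLIENT_ARITH, CLIENT) rejects the client's handle + 3 as ill-typed, while check_and_run(HOST_ARITH, HOST) accepts the host's [[3]_fh]_int + 3 and evaluates it to 6.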

Slides 17 to 22: Example evaluation (built up one step per slide)
handle int hr(handle) fh char [3] fh
handle fh hr( handle int ) char [3] fh
hr( [3] fh int ) char
hr( 3 ) char
A char
A

Slide 23: Static Semantics
C] int / fh C
H int / fh H]

Slide 24: Theorems
Soundness is proved by the standard Subject Reduction and Progress lemmas.
Erasure property: embeddings and colors don't affect evaluation.

Slide 25: Independence of Evaluation
If C is host-free and h fh C is of type fh int then:
( h fh C) [n] fh m iff ( h fh C) [n'] fh m

Slide 26: File Handles Come From Open
Suppose ( open string fh C) is well-typed and C is host-free.
If ( open string fh C) [ s string ho(s) ] string fh steps to C' containing [n] fh as a subterm, then n was derived from a sequence of the form:
ho ( s ) n

Slide 27: The General Setting
– Multiple principals
– Many abstract types
– Products, sums, recursive types, and references
– Proofs follow standard techniques

Slide 28: Related Work
– Language-based security (Smith & Volpano '97, Heintze & Riecke '98, Myers '99)
– Principals (Nielson & Nielson '92, Leroy & Rouaix '98)
– Other parametricity results (Abadi, Cardelli & Curien '93, Crary '99, Pierce & Sangiorgi '99)

Slide 29: Summary
– Principals are a useful conceptual framework.
– Operational approach to proving type abstraction properties.

Slide 30: Host Operational Semantics
[ n fh ] int n
[ x C] x int / fh C x x

