( m =@;/: (3;
TRANSCRIPT
�(�������M�=@;/:�(3;/<B71AMM.6=<5�(6/=MM-/:3�*<7D3@A7BGM�3>/@B;3<B�=4��=;>CB3@�(173<13�
��$)&'���*�&*��+� )�)'(�������
)=2/G�A�"31BC@3�
�
L ,6G�ABC2G�4=@;/:�A3;/<B71A��
L �=E� �B3/16�B67A�1=C@A3��
L #/B6�0/195@=C<2�/<2�>@3271/B3�:=571�
,6/B� A��=@;/:�(3;/<B71A���
4=@;/:������"�(��"�(���!!-�&��$&$)'��A3;/<B71A������'()�-�$��"��#�#�'��
�
%0D7=CA:G��
L ,6/B�7A�/�>@=5@/;;7<5�:/<5C/53���,6/B�7A�/�>@=5@/;��
L ,6/B�/@3�B63�;3/<7<5A�=4�A>317471�:/<5C/53�43/BC@3A�/<2�6=E�B63G�7<B3@/1B���
L �=E�B=�;/93�AC@3�B6/B�/�>@=5@/;�036/D3A�/11=@27<5�B=�7BA��A>317471/B7=<�����
�CB�/:A=��
L �=E�2=�E3�3F>:/7<�B63A3��;3/<7<5A���7<�E6716��:/<5C/53���
L ,6/B�7A�/�;3B/�:=571��,6/B�7A�/�;316/<7H32�;3B/�:=571���
L ,6/B�7A�/�A>317471/B7=<�:/<5C/53��,6/B�7A�7BA��A3;/<B71A����
,6G�)/93��(�������
L (=4BE/@3�@3:7/07:7BG�/<2�A31C@7BG�/@3�B63�07553AB�>@=0:3;A�4/132�0G�B63� )�7<2CAB@G�B=2/G���-=C�/@3�:793:G�B=�E=@@G�/0=CB�B63;�7<�G=C@�4CBC@3�8=0A�
L B�E7::�57D3�G=C�/<�3253�=D3@�G=C@�1=;>3B7B=@A��7<2CAB@G�/<2�;=AB�=B63@�A16==:A�2=<’B�B3/16�B67A��
L B�E7::�7;>@=D3�G=C@�>@=5@/;;7<5�A97::A�K�031/CA3�G=C�E7::�6/D3�/�03BB3@�/>>@317/B7=<�=4�E6/B�G=C@�>@=5@/;A�/1BC/::G�"��#��
L -=C�E7::�03�03BB3@�/0:3�B=�1=;>/@3�/<2�1=<B@/AB�>@=5@/;;7<5�:/<5C/53A��=@�3D3<�23A75<�G=C@�=E<�
L B�7A�/<�7;>=@B/<B�/<2�3F17B7<5�/@3/�=4�@3A3/@16��E7B6�;/<G�<3E�723/A�/<2�>3@A>31B7D3A�4@3?C3<B:G�3;3@57<5�
�@7/<<3���
%<�!C<3����������B63��@7/<<3���B==9�=44�=<�7BA�;/723<�4:756B�
���A31=<2A�7<B=�7BA�4:756B�7B�D33@32�=44�1=C@A3�/<2�3F>:=232�
B�E/A�:/B3@�4=C<2�B=�03�/<�3@@=@�7<�@3CA3�=4�/�A=4BE/@3�1=;>=<3<B�
�)67A�>71BC@3�031/;3�?C7B3�>=>C:/@�7<�B/:9A�=<�A=4BE/@3�@3:7/07:7BG�/<2�@3:/B32�B=>71A��
��3BB3@���/AB3@���63/>3@��
<�������$�(��:=AB�0=B6�B63�#/@A�&=:/@�"/<23@�/<2�B63��:7;/B3�%@07B3@�
"/B3@�7<D3AB75/B7=<A�23B3@;7<32�A=4BE/@3�3@@=@A�E3@3�B=�0:/;3�
• %@07B3@���=;>=<3<B�@3CA3�3@@=@�
• "/<23@��&@31=<27B7=<�D7=:/B7=<�
*((�-=@9B=E<�
��4B3@�/�1@3E�;3;03@�;7AB/93<:G�3<B3@32�/�H3@=�7<B=�B63�2/B/�473:2�=4�/<�/>>:71/B7=<��B63�1=;>CB3@�AGAB3;�>@=133232�B=�27D723�/<=B63@�?C/<B7BG�0G�B6/B�H3@=�����$%�&�(�$#���)'������)���&�$*�&�!$+���#�+�������(��!�� ����&$"���(�"%$&�&-�'($&����'%�����#�"�"$&-���#��(����&&$&��*�#()�!!-��&$)��(��$+#�(���'��%�'�%&$%)!'�$#�'-'(�"��)63�@3AC:B��(����$& ($+#�+�'�������#�(���+�(�&��$&�"$&��(��#�(+$��$)&'��
)63@/1� ��
�@=;������������A3D3@/:M1/<13@�>/B73<BA�E3@3M97::32�=@�A3@7=CA:G�7<8C@32M/A�/�@3AC:B�=4�037<5�=D3@�M@/27/B32�0G�)63@/1� ��M/�@/27/B7=<�B@3/B;3<BM4/17:7BG�
M)63�>@=0:3;�E/A�2C3�B=�/�AC0B:3�@/13M1=<27B7=<�03BE33<�1=<1C@@3<B�>@=13AA3A�
�=;>CB3@�+7@CA3A�
�
$332�E3�A/G�;=@3��
�=@�;=@3��A=4BE/@3�6=@@=@�AB=@73A���A33M6BB>�EEE1AB/C/17:I</16C;26=@@=@6B;:�
%0A3@D/B7=<A�
L ��/7:C@3�=4B3<�2C3�B=�A7;>:3�>@=0:3;A��7<�B63�23B/7:A��
L �(;/::�B63=@3;A�/0=CB�:/@53�>@=5@/;A�E=C:2�03�CA34C:�
L �$332�1:3/@:G�A>3174732�7<B3@4/13A�/<2�163197<5�=4�7<B3@4/13�1=;>:7/<13�
L ��3BB3@�:/<5C/53A�E=C:2�63:>��
�6/::3<53A�
)63�7;>/1B�/<2�1=AB�=4�A=4BE/@3�4/7:C@3A�E7::�7<1@3/A3��/A�E7::�B63�23;/<2�4=@�3FB3<A707:7BG�
)63�27AB7<1B7=<�03BE33<��A/43BG�1@7B71/:��/<2��1=<AC;3@�3:31B@=<71A��A=4BE/@3�E7::�4/23�/E/G�
��$�+�!!�%&$*����(���(���#$!$�-��$&��'�����'$�(+�&��'-'(�"'��
10 Emerging Technologies 2011, In: Technology Review, 2011(6), MIT Press
http://www.technologyreview.com/tr10/
%>>=@BC<7B73A�
�756�/AAC@/<13��@3:7/07:7BG�23>3<2A�4C<2/;3<B/::G�=<�=C@�/07:7BG�B=�&��'$#���$)(�%&$�&�"'��
����$%%$&()#�(��'��$&�#�+�!�#�)���'��'�+�!!��'��$&"�!�'�"�#(��'��(-%��(��$&-���$"%)(�(�$#�!�!$������#��'$�$#���&���&��(��
Certifying a computing host?
Formal proofs for resilience,
extensibility, security?
Need to reason about:
• human behaviors
• cosmic rays + natural disasters
• hardware failure
• software
VIEW #1: bug-free host impossible. Treat it as a biological system.
Certifying a computing host?
Formal proofs for resilience,
extensibility, security?
Need to reason about:
• human behaviors
• cosmic rays + natural disasters
• hardware failure
• software
VIEW #2: focus on software since it is a rigorous mathematical entity!
HW & Env Model
Certified software 01011010101010101111100011001110110111111101010101010101010101010111111111010101010101111000110001010101010101011111100011001001111001111111100111111100011110001010101011111101110011001110101010111111100011
110001110001110011
SOFTWARE
Formal specs &
proofs for resilience,
extensibility, security?
HW & Env Model
Find a mathematical proof showing that
if the HW/Env follows its model, the software will run according to its specification
0101101010101010111110001100111011011111110101010101010101010101011111111101010101010111100011000101010101010101111110001100100111100111111110011111110001111000101010101111110111001100111010
10101111111000111100
Application & other system SW
Certified OS kernel
Formal specs &
proofs for resilience,
extensibility, security?
HW & Env Model
Research tasks & key innovations:
• new OS kernel that can “crash-proof” the entire system & application SW
• new PLs for writing certified kernel plug-ins (new OCAP + DSPLs)
• new formal methods for automating proofs & specs (VeriML)
ResourceManagers
ProtectedExecutors
DeviceDrivers
Certified Kernel
CPU CPU GPU GPU Disk NIC
NativeExecutor
TypesafeExecutor
VMMExecutor
SFIExecutor
Scheduler Scheduler
Driver Driver
FS Net
DriverDriver
LegacyX86App
Java/MSILApp
NaClApp
LegacyOS + App
Certified “hypervisor” kernel
• Problems w. existing platforms • Attacks: Zero-Day Kernel Vulnerabilities
(ZDKVs) & rogue driver certificates
• leads to rogue kernels
• leads to rogue WinCC/Step7 apps
• leads to rogue PLC firmeware
�firmw
are
Rogue PC Rogue PLC WinCC
&
Step 7
rogue OS & its kernel
�
Other
Apps �
zero-day kernel vulnerabilities
& fake/stolen driver certificates
�certified firm
ware
Secure PC w. IFC labels
Secure PLC WinCC
&
Step 7
certified kernel
�
Other
Apps �
COTS OS
small mechanized proof checker
New CRASH technologies
• A small certified “hypervisor” kernel provides a reliable ZDKV-free core to fall back on, even under attacks
• Information-Flow-Control to enforce security
• Mechanized proof certificates are unforgeable
Protecting against Stuxnet attacks!
Process Management
Mgmt OS (Linux 1) Linux 2 App 1 Virtual
Device Certified
App 2 Applica'on*
Scheduler IPC
V-PIC V-PCI Hypercall
Trap Handling
(Interrupt, Exception, Syscall)
SVM*/*VMX*module*
Pass-Through Devices
Hardware*
Memory Management
Cer'KOS*
CertiKOS architecture
Device*Drivers* SVM&VMX*Driver* IOMMU&VT-d Driver
IOMMU/VT-d module +7@BC/:�#/167<3�#/</53;3<B�
Disk*Driver*
KBD*Driver* VGA*Driver* Timer*Driver* IOCAPIC*Driver* APIC*Driver* PCI*Driver*
Serial*Driver*
Compositional specification & verification�
Raw Machine / HW Spec�
kmod1.c
CompCert�
abs-layer-1 spec�
kmod1.s�
high-level kernel spec�
abs-layer-k spec�
kmodk.s�
abs-layer-2 spec�
kmod2.s�
kmod2.c
CompCert�
abs-layer-z spec�
kmodz.s�
kmodz.c
CompCert�
…………………………�
abs-layer-x spec�
kmodx.s�
kmodx.c
CompCert�kmody.c
CompCert�
kmody.s�
kmod3.c
CompCert�
kmod3.s�
kmody.c
CompCert�
kmody.s�
…………………………�
kinit.c�
Safety
(never crash)�
Correctness
Secure
(no info leak)
Liveness (resource usage)
Compositonal specification & verification current target: single-core CertiKOS
Decomposing CertiKOS�
Initialization of paging mechanism
Providing address space
�/A32�=<�B63�/0AB@/1B�;/167<3�>@=D7232�0G�0==B�
:=/23@�
Physical Memory and Virtual Memory Management�
Decomposing CertiKOS (cont’d) �
Thread and Process Management�
�$)&'���*�&*��+�
#G��=/:A�
�6/D3�BE=�5=/:A��
L )=�B3/16�B63�;=AB�1=;;=<�"�(�$�'�4=@�A>3174G7<5�4=@;/:�A3;/<B71AJ� <�>/@B71C:/@��B63���#$(�(�$#�!��$%�&�(�$#�!���,�$"�(���/<2�(-%��(��$&�(���;3B6=2AMM)67A�E7::�57D3�G=C�B63�<313AA/@G�B==:A�B=�C<23@AB/<2�A3;/<B71�A>317471/B7=<A�/<2�B=�23D3:=>�<3E�=<3A�
L )=�AC@D3G�3F7AB7<5�!�#�)�������()&�'�B=�>@=D723�/�233>�C<23@AB/<27<5�=4�E6/B�B63A3�43/BC@3A�@3/::G�"��#��E6/B�B63G�2=��/<2�6=E�B63G�1=;>/@3MM)67A�E7::�3</0:3�G=C�B=�03BB3@�3D/:C/B3�3F7AB7<5�:/<5C/53A�/<2�<3E�=<3A�/A�B63G�/@3�23D3:=>32�
&@3@3?C7A7B3A�
L �(� �����(� � ���(� ����(�� �M�=@�3?C7D/:3<BA��
L #/B63;/B71/:�0/195@=C<2��:=571��A3BA��@3:/B7=<A��4C<1B7=<A��>@=2C1BA��/<2�C<7=<A���(33��>>3<27F�7<�'3G<=:2A�B3FB0==9��
L ��23A7@3�B=�:3/@<��
�=C@A3�'3?C7@3;3<BA��:/AA�/BB3<2/<13�7A�@31=;;3<232�
• %CBA723�;/B3@7/:�E7::�03�7<B@=2C132�
&@=0:3;�A3BA�• &@=0:3;A�4@=;�B3FB0==9A�• &@=5@/;;7<5�/AA75<;3<BA��,3�E7::�%&$($(-%��A=;3�=4�=C@�
A3;/<B71A�A>317471/B7=<A�7<��=?��=@�#"�/A93::��
'3/27<5A�• (3:31B32�16/>B3@A�7<�B63�;/7<�B3FB0==9A���/@>3@�/<2�'3G<=:2A��• ��1=C>:3�=4�@3A3/@16�>/>3@A�• �=?��=@�#"�/A93::��BCB=@7/:A�74�G=C�2=<�B�9<=E�B63;��
�@/27<5�• �0=CB�����>@=0:3;�A3BA������47</:�>@=831B3F/;��<=�;72B3@;��
(G::/0CA�� <B@=2C1B7=<��&@3271/B3�"=571� <2C1B7D3��347<7B7=<A�� �0AB@/1B�(G<B/F�/<2��7<27<5�� ;>���3<=B/B7=</:�(3;/<B71A�� �/7:C@3�� <>CB�%CB>CB��/<2��=<B7<C/B7=<A�� (B/B71�/<2��G</;71�(3;/<B71A���� &@=5@/;�(>317471/B7=<A�/<2�&@==4A���� �C<1B7=<�)G>3A���� &:=B97<�A�&������������ �7<7B3��/B/�)G>3A������� <47<7B3��/B/�)G>3A������ *<BG>32�"/;02/��/:1C:CA�������� �G</;71�)G>7<5��������
(G::/0CA��1=<B�2����
�� &=:G;=@>671�)G>3A����� �F7AB3<B7/:�)G>3A����� �=<B@=:�(B/19A�/<2��F13>B7=<A�������� �=<B7<C/B7=<A���������� )G>3A�/<2�&@=>=A7B7=<A���������� (C0BG>7<5��(3;/<B71A�=4�)G>3A���� � (B=@/53��4431BA����� � #=</2A�/<2��=;=</2A����� "/HG��D/:C/B7=<����� � &/@/::3:7A;������ � &@=13AA��/:1C:CA�������� � #=</271��=<1C@@3<1G�������
�=C@A3�,30>/53�
�
��������6BB>�4:7<B1AG/:332C1A����
�&�����(���$�������
��(����� �&$)#��
Predicate Logic
Predicate logic over integer expressions:
a language of logical assertions, for example
8x. x + 0 = x
Why discuss predicate logic?
It is an example of a simple language
It has simple denotational semantics
We will use it later in program specifications
Abstract Syntax
Describes the structure of a phrase
ignoring the details of its representation.
An abstract grammar for predicate logic over integer expressions:
intexp ::= 0 | 1 | . . .
| var
| �intexp | intexp + intexp | intexp � intexp | . . .
assert ::= true | false| intexp = intexp | intexp < intexp | intexp intexp | . . .
| ¬assert | assert ^ assert | assert _ assert
| assert ) assert | assert , assert
| 8var . assert | 9var . assert
Resolving Notational Ambiguity
Using parentheses: (8x. ((((x) + (0)) + 0) = (x)))
Using precedence and parentheses: 8x. (x + 0) + 0 = x
arithmetic operators (⇤ / rem . . .) with the usual precedencerelational operators (= 6= < . . .)
¬^_),
The body of a quantified term extends to a delimiter.
Carriers and Constructors
Carriers: sets of abstract phrases (e.g. intexp, assert)Constructors: specify abstract grammar productions
intexp ::= 0 �! c0 2 {hi}! intexp
intexp ::= intexp + intexp �! c+ 2intexp ⇥ intexp ! intexp
Note: Independent of the concrete pattern of the production:
intexp ::= plus intexp intexp �! c+ 2intexp ⇥ intexp ! intexp
Constructors must be injective and have disjoint ranges
Carriers must be either predefined or their elements must be
constructible in finitely many constructor applications
Inductive Structure of Carrier Sets
With these properties of constructors and carriers,carriers can be defined inductively:
intexp
(0) = {}intexp
(j+1) = {c0hi, . . .} [ {c+(x0, x1) |x0, x1 2 intexp
(j)} [ . . .
assert
(0) = {}assert
(j+1) = {ctruehi, cfalsehi}[{c=(x0, x1) |x0, x1 2 intexp
(j)} [ . . .
[{c¬(x0) |x0 2 assert
(j)} [ . . .
intexp =1[
j=0intexp
(j)
assert =1[
j=0assert
(j)
Denotational Semantics of Predicate Logic
The meaning of a term e 2 intexp is [[e]]intexp
i.e. the function [[�]]intexp
maps intexp objects to their meanings.
What is the set of meanings?
The meaning [[5 + 37]]intexp
of the term 5 + 37| {z } could be the integer 42.(that is, c+(c5hi, c37hi))
However the term x + 5 contains the free variable x,
so the meaning of an intexp in general cannot be an integer. . .
Mathematical Background
Sets
Relations
Functions
Sequences
Products and Sums
Sets
membership the empty setnatural numbers
inclusion integersfinite subset
set comprehensionintersection and
is a bound variableunion ordifference and notpowersetinteger range and
Generalized Set Operations
def def
def def
def def
meaningless
Examples:
Relations
A relation is a set of primitive pairs .
relates and
is an identity relation
the identity on def
the domain of dom def
the range of ran def
composition of with def and
reflection of def
Relations: Properties and Examples
dom ran
dom
Functions
A relation is a function ifand
If is a function,maps to
and are functions.If and are functions, then is a function:
is not necessarily a function:consider
is an injection if both and are functions.
Notation for Functions
Typed abstraction: def
Defined only when is defined for all(consider )
dom , if ran dom .
Placeholder: with a dash standing for the bound variable
Variation of a function :ifotherwise
dom domran ran
Sequences
def
def
def
— the empty function— the empty sequence— an -tuple— a (non-primitive) pair
dom == when
Products
Let be an indexed family of sets (a function with sets in its range).The Cartesian product of is
def dom dom and dom
More Products
def
def
def “ ”
def
def
times
Sets of Sequences
Let
def (finite)
def (finite)
def (infinite)
Sums
Let ✓ be an indexed family of sets (a function with sets in its range).
The disjoint union (sum) of ✓ is
P✓
def
= {hi, xi | i 2 dom ✓ and x 2 ✓ i}
X
x2T
S
def
=X
�x 2 T. S S1 + . . . + S
n
def
=nX
i=1“S
i
”
nX
i=m
S
def
=X
i2(m to n)S T ⇥ S =
X
x2T
S
n⇥ S = (0 to (n� 1))⇥ S = S + . . . + S| {z }n times
B + B =PhB, Bi = {h0, truei, h0, falsei, h1, truei, h1, falsei}
= 2⇥B
Functions of Multiple Arguments
Use tuples instead of multiple arguments:
f (a0, . . . a
n�1) ����!f ha0, . . . a
n�1i
Syntactic sugar:
�hx0 2 S0, . . . , x
n�1 2 S
n�1i. Edef
= �x 2 S0 ⇥ . . .⇥ S
n�1. (�x0 2 S0. . . . �x
n�1 2 S
n�1. E)
(x 0) . . . (x(n�1))
Use Currying:
f (a0, . . . a
n�1) ����!f a0 . . . a
n�1
=(. . . (f a0) . . .) a
n�1
where f is a Curried function �x0 2 S0. . . . �x
n�1 2 S
n�1. E.
Relations Between Sets
⇢ is a relation from S to T
() ⇢ 2 S
�!REL
T
() dom ⇢ ✓ S and ran ⇢ ✓ T .
Relation on S
def
= relation from S to S.
I
S
2 S
�!REL
S
⇢ 2 S
�!REL
T ) ⇢
† 2 T
�!REL
S
For all S and T , {} 2 S
�!REL
T
{} 2! S
�!REL
{}
{} 2! {}�!REL
T
Total Relations
⇢ 2 S
�!REL
T is a total relation from S to T
() ⇢ 2 S
�!TREL
T
() 8x 2 S.9y 2 T. x ⇢ y
() dom ⇢ = S
() I
S
✓ ⇢
† · ⇢
S ut^
^
^
^
^
^
^
^
^
^
^
^
^
^
rs �
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pq^
^
^
^
^
^
^
^
^
^
^
^
^
^
^
^
^
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
Tut
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pqZ
Z
Z
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
,,Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
⇢ �
�
22e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e �
�
44i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i �
�
88r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
55k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
⇢ 2 (dom ⇢) �!TREL
T () T ◆ ran ⇢
Functions Between Sets
f is a partial function from S to T
() f 2 S
��!PFUN
T
() f 2 S
�!REL
T and f is a function.
“Partial”: f 2 S
�!REL
T ) dom f ✓ S
f 2 S
��!PFUN
T is a (total) function from S to T
() f 2 S ! T
() dom f = S.
S ! T = T
S =Y
x2S
T
S ! T ! U = S ! (T ! U)
Surjections, Injections, Bijections
f is a surjection from S to T () ran f = T
f is a injection from S to T () f
† 2 T
��!PFUN
S
f is a bijection from S to T () f
† 2 T ! S
() f is an isomorphism from S to T
S ut^
^
^
^
^
^
^
^
^
^
^
rs �
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pq^
^
^
^
^
^
^
^
^
^
^
^
^
^
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
Tut
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pqZ
Z
Z
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�++X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X �
�
44h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h �
�
33f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f �
�
44h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
sur
S ut^
^
^
^
^
^
^
^
^
^
rs�
�
�
�
�
�
�
�
�
�
�
�
�
pq^
^
^
^
^
^
^
^
^
^
^
^
^
wv�
�
�
�
�
�
�
�
�
�
�
�
Tut
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pqZ
Z
Z
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�++W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W �
�
44i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i �
in
�
S ut^
^
^
^
^
^
^
^
^
^
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pq^
^
^
^
^
^
^
^
^
^
^
^
^
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
Tut
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pqZ
Z
Z
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�++W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W �
�**U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U �
�
77o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o �
bi
Back to Predicate Logic
intexp ::= 0 | 1 | . . .
| var
| �intexp | intexp + intexp | intexp � intexp | . . .
assert ::= true | false
| intexp = intexp | intexp < intexp | intexp intexp | . . .
| ¬assert | assert ^ assert | assert _ assert
| assert ) assert | assert , assert
| 8var . assert | 9var . assert
Denotational Semantics of Predicate Logic
The meaning of term e 2 intexp is [[e]]intexp
i.e. the function [[�]]intexp
maps objects from intexp to their meanings.
What is the set of meanings?
The meaning [[5+37]]intexp
of the term 5+37 could be the integer 42.
But the term x + 5 contains the free variable x. . .
Environments
. . . hence we need an environment (variable assignment, state)
� 2 ⌃def
= var ! Z
to give meaning to free variables.
The meaning of a term is a function from the states to Z or B.
[[�]]intexp
2 intexp ! ⌃! Z
[[�]]assert
2 assert ! ⌃! B
if � = [x : 3, y : 4], then [[x+5]]intexp
� = 8
[[9z. x < z ^ z < y]] � = false
Direct Semantics Equations for Predicate Logic
v 2 var e 2 intexp p 2 assert
[[0]]intexp
� = 0
( really [[c0hi]]intexp
� = 0)
[[v]]intexp
� = �v
[[e0+e1]]intexp
� = [[e0]]intexp
� + [[e1]]intexp
�
[[true]]assert
� = true
[[e0=e1]]assert� = [[e0]]intexp
� = [[e1]]intexp
�
[[¬p]]assert
� = ¬([[p]]assert
�)
[[p0 ^ p1]]assert� = [[p0]]assert� ^ [[p1]]assert�
[[8v. p]]assert
� = 8n 2 Z. [[p]]assert
[�|v : n]
Example: The Meaning of a Term
[[8x. x+0=x]]assert
�
= 8n 2 Z. [[x+0=x]]assert
[�|x : n]
= 8n 2 Z. [[x+0]]intexp
[�|x : n] = [[x]]intexp
[�|x : n]
= 8n 2 Z. [[x]]intexp
[�|x : n]+[[0]]intexp
[�|x : n]=[[x]]intexp
[�|x : n]
= 8n 2 Z. [�|x : n](x) + 0 = [�|x : n](x)
= 8n 2 Z. n + 0 = n
= true
Properties of the Semantic Equations
They are syntax-directed (homomorphic):
exactly one equation for each abstract grammar production
(constructor)
result expressed using functions (meanings)
of subterms only (arguments of constructor)
) they have exactly one solution h[[�]]intexp
, [[�]]assert
i(proof by induction on the structure of terms).
They define compositional semantic functions
(depending only on the meaning of the subterms)
) “equivalent” subterms can be substituted
Validity of Assertions
p holds/is true in � () � satisfies p () [[p]]assert
� = true
p is valid () 8� 2 ⌃. p holds in �
p is unsatisfiable () 8� 2 ⌃. [[p]]assert
� = false
() ¬p is valid
p is stronger than p
0 () 8� 2 ⌃. (p0 holds if p holds )
() (p ) p
0) is valid
p and p
0are equivalent () p is stronger than p
0
and p
0is stronger than p
Inference Rules
Class Examples
` p (Axiom) ` x + 0 = x (xPlusZero)
` p(Axiom Schema) ` e1=e0 ) e0=e1
(SymmObjEq)
` p0 . . . ` pn�1` p
(Rule)` p ` p ) p0
` p0(ModusPonens)
` p
` 8v. p(Generalization)
Formal Proofs
A set of inference rules defines a logical theory `.
A formal proof (in a logical theory):
a sequence of instances of the inference rules, wherethe premisses of each rule occur as conclusions earlier in the sequence.
1. ` x + 0 = x (xPlusZero)
2. ` x + 0 = x ) x = x + 0 (SymmObjEq)[e0 : x | e1 : x + 0]
3. ` x = x + 0 (ModusPonens, 1, 2)[p : x + 0 = x | p0 : x = x + 0]
4. ` 8x. x = x + 0 (Generalization, 3)[v : x | p : x = x + 0]
Tree Representation of Formal Proofs
` x + 0 = x ` x + 0 = x ) x = x + 0
(SymmObjEq)
` x = x + 0
(MP)
` 8x. x = x + 0
(Gen)
Soundness of a Logical Theory
An inference rule is sound if in every instance of the rule
the conclusion is valid if all the premisses are.
A logical theory ` is sound if all inference rules in it are sound.
If ` is sound and there is a formal proof of ` p, then p is valid.
Object vs Meta implication:
` p ) 8v. p is not a sound rule, although` p
` 8v. pis.
Completeness of a Logical Theory
A logical theory ` is complete if
for every valid p there is a formal proof of ` p.
A logical theory ` is axiomatizable if
there exists a finite set of inference rules
from which can be constructed formal proofs of all assertions in `.
No first-order theory of arithmetic is complete and axiomatizable.
Variable Binding
8x. 9y. xrspq^^^^^^^^^^^
nn < y
utwv`````````````````
oo ^ 9x. xrspqOO > y
utwv_________________________________________________________________
oo
8
x
@@⇥⇥⇥⇥⇥⇥⇥⇥
9
__????????
y
??~~~~~~~~ ^
ggOOOOOOOOOOOOOOOO
<
77ppppppppppppppp 9
__????????
x
??~~~~~~~~y
__????????
x
??��������
>
__@@@@@@@@
x
??~~~~~~~~y
__????????
Variable Binding
8x. 9y. xrspq^^^^^^^^^^^
nn < y
utwv`````````````````
oo ^ 9x. xrspqOO > y
utwv_________________________________________________________________
oo
8
pw����
����
���
ab??
????
????
????
???
��
9
__????????
y
??~~~~~~~~ ^
ggOOOOOOOOOOOOOOOO
<
77ppppppppppppppp 9pw⇥⇥
⇥⇥
ab???
???������
__????????
y
__????????
>
__@@@@@@@@
y
__????????
Bound and Free Variables
In 8v. p, v is the binding occurrence (binder) and p is its scope.
If a non-binding occurrence of v is within the scope of a binder for v,
then it is a bound occurrence; otherwise it’s a free one.
FVintexp
(0) = {} FVassert
(true) = {}FV (v) = {v} FV (e0=e1) = FV (e0) [ FV (e1)
FV (�e) = FV (e) FV (¬p) = FV (p)
FV (e0 + e1) = FV (e0) [ FV (e1) FV (p0 ^ p1) = FV (p0) [ FV (p1)
FV (8v. p) = FV (p)� {v}
Example:
FV (9y. x < y ^ 9x. x > y) = {x}
Only Assignment of Free Variables Matters
Coincidence Theorem:
If �v = �0v for all v 2 FV✓(p), then [[p]]✓� = [[p]]✓�0
(where p is a phrase of type ✓).
Proof: By structural induction.
Inductive hypothesis:
The statement of the theorem holdsfor all phrases of depth less than that of the phrase p0.
Base cases:
p0 = 0 ) [[0]]intexp
� = 0 = [[0]]intexp
�0
p0 = v ) [[v]]intexp
� = � v = �0v = [[v]]intexp
�0, since FV (v) = {v}.
Proof of Concidence Theorem, cont’d
Coincidence Theorem:
If �v = �0v for all v 2 FV✓(p), then [[p]]✓� = [[p]]✓�0.
Inductive cases:
p0 = e0 + e1: by IH [[ei]]intexp
� = [[ei]]intexp
�0, i 2 {1,2}.[[p0]]
intexp
� = [[e0]]intexp
� + [[e1]]intexp
�= [[e0]]
intexp
�0 + [[e1]]intexp
�0 = [[p0]]intexp
�0
p0 = 8u. q: �v = �0v, 8v 2 FV (p0) = FV (q)� {u}then [�|u : n]v = [�0|u : n]v, 8v 2 FV (q), n 2 Z
Then by IH [[q]]assert
[�|u : n]= [[q]]assert
[�0|u : n] for all n 2 Z,
hence 8n 2 Z. [[q]]assert
[�|u : n]=8n 2 Z. [[q]]assert
[�0|u : n]
[[8u. q]]assert
� =[[8u. q]]assert
�0.
Substitution
�/� 2 intexp ! intexp
�/� 2 assert ! assert
9>=
>;when � 2 var ! intexp
0/� = 0 v/� = �v
(-e)/� = -(e/�) (p0 ^ p1)/� = (p0/�) ^ (p1/�)
(e0+e1)/� = (e0/�)+(e1/�) (8v. p)/� = 8v0. (p/[�|v : v0]),
. . . where v0 /2[
u2FV (p)�{v}FV (�u)
Examples:
(x < 0 ^ 9x. x y)/[x : y+1] = y+1 < 0 ^ 9x. x y
(x < 0 ^ 9x. x y)/[y : x+1] = x < 0 ^ 9z. z x+1
Preserving Binding Structure
(x < 0 ^ 9x. x y)/[ x : y+1] = y+1 < 0 ^ 9x. x y
^
<
:B}}}}}}}
}}}}}}}
9pw⇥⇥
⇥⇥⇥
⇥⇥⇥⇥
⇥
ab??
????
??;C������
������
[c???????
???????
x
;C~~~~~~~
~~~~~~~
0
[c>>>>>>>>
>>>>>>>>
<
Zb>>>>>>>>
>>>>>>>>
y
Zb========
========
�! ^
<
:B}}}}}}}
}}}}}}}
9pw⇤⇤
⇤⇤⇤⇤
⇤⇤
ab??
????
??;C������
������
[c???????
???????
+
;C�������
�������
0
\dAAAAAAAA
AAAAAAAA
<
[c@@@@@@@
@@@@@@@
y
<D�������
�������
1
[c@@@@@@@@
@@@@@@@@
y
[c@@@@@@@@
@@@@@@@@
1
Avoiding Variable Capture
(x < 0 ^ 9x. x y)/[ y : x+1] = x < 0 ^ 9z. z x+1
^
<
:B}}}}}}}
}}}}}}}
9pw⇥⇥
⇥⇥⇥
⇥⇥⇥⇥
⇥
ab??
????
??
;C������
������
[c???????
???????
x
;C��������
��������
0
\dAAAAAAAA
AAAAAAAA
<
[c@@@@@@@
@@@@@@@
y
[c???????
???????
�! ^
<
:B}}}}}}}
}}}}}}}
9pw⇤⇤
⇤⇤⇤⇤
⇤⇤
ab??
????
??;C�����
�����
[c???????
???????
x
;C��������
��������
0
\dAAAAAAAA
AAAAAAAA
<
[c@@@@@@@
@@@@@@@
+
\dAAAAAAA
AAAAAAA
x
:B}}}}}}}}
}}}}}}}}
1
[c>>>>>>>
>>>>>>>
Substitution Theorems
Substitution Theorem:
If � = [[�]]intexp
�0 · � on FV (p), then ([[�]]�)p = ([[�]]�0 · (�/�))p.
Finite Substitution Theorem:
[[p/v0 ! e0, . . . vn�1 ! en�1]]� = [[p]][�|v0 : [[e0]]�, . . .].
where
p/v0 ! e0, . . . vn�1 ! en�1def= p/[cvar|v0 : e0| . . . |vn�1 : en�1].
Renaming:
If u /2 FV (q)� {v}, then [[8u. (q/v ! u)]]boolexp
= [[8v. q]]boolexp
.