ICFP 1999 1
Principals in Programming Languages:
A Syntactic Proof Technique
Steve Zdancewic
Dan Grossman and Greg Morrisett
Cornell University
ICFP 1999 2
Type Abstraction
• Long history of study – Strachey 1967, Reynolds 1974, 1983, Mitchell & Plotkin 1988, ...
• Reasoning about Programs
  – Type safety
  – System Design
  – Extensible Systems
ICFP 1999 3
Principals
• One way to characterize principals is by their "view" of the environment.
• Resources Available
  – Memory
  – Security Privileges
  – Type Information (this talk)
ICFP 1999 4
Types and Principals
Host:
  (* File handle *)
  abstype fh
    open : string fh
    read : fh char
  type fh = int
  fun open s = ...
Client:
  val h = open "file" ...
API
ICFP 1999 5
Safety Properties
• Client can’t create file handles:
  – Must call open to obtain file handles
• File handles are abstract:
  – No client ever performs [handle + 3]
  – Host can return any integer as handle
• The read function is applied only to host-provided values
ICFP 1999 6
Polymorphic Encoding
fh. host:{open: string fh, read: fh char}. <client>)
ICFP 1999 7
Operational Models Needed
• Parametric Polymorphism
• Recursive Types
• References & State
• Control Operators
• Threads
• Objects
• ...
ICFP 1999 8
The Goal
Track and enforce type abstractions in an operational semantics.
(Proofs in style of Wright & Felleisen 1992)
ICFP 1999 9
“Linking” Host and Client
fh. host:{open: string fh, read: fh char}. <client>)int<host>
ICFP 1999 10
Evaluation
fh. host:{open: string fh, read: fh char}. <client body>)int<host>
host:{open: string int, read: int char}. <client>{int/fh})<host>
ICFP 1999 11
Evaluation
host:{open: string int, read: int char}. <client body>[int/fh])<host>
<client>{int/fh}{<host>/host}
ICFP 1999 12
An Observation
• No mention of fh
• No distinction between client and host
<client>{int/fh}{<host>/host}
ICFP 1999 13
Our Solution
Make principals explicit in the syntax:
• Color client code blue
• Color host code red
• Typecheck with different rules:
  – Host knows fh = int
• Track colors during evaluation
ICFP 1999 14
Syntax
fh | int | | ...
C x | n | xC | (C C) | [H]
H x | n | xH | (H H) | [C]
Ø | [x:] | [x:]
ICFP 1999 15
Client Operational Semantics
[xH] xHxx
[n]int n
[n]fh
ICFP 1999 16
Host Operational Semantics
[nfh]int n
e e'[e] [e']
ICFP 1999 17-22
handleinthr(handle)fhchar [3]fh
handlefhhr(handleint)char [3]fh
hr([3]fhint)char
hr(3)char
‘A’char
‘A’
ICFP 1999 23
Static Semantics
C]int/fhC
Hint/fhH]
ICFP 1999 24
Theorems
Soundness proved by standard Subject Reduction and Progress lemmas.
Erasure property: Embeddings and colors don’t affect evaluation.
ICFP 1999 25
Independence of Evaluation
If C is host-free and hfhC is of type fh int then:
(hfhC) [n]fh m iff
(hfhC) [n']fh m
ICFP 1999 26
File Handles Come From Open
Suppose (openstring fhC) is well-typed and C is host-free. If
(openstring fhC) [sstringho(s)]string fh
steps to C' containing [n]fh as a subterm, then n was derived from a sequence of the form: ho(s) n
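The colored evaluation of slides 13-22 and the two properties of slides 25-26, worked through in a small Python interpreter. This is an added example, not code from the talk or the paper: because the extraction lost the lambdas, type subscripts and arrows, the reduction rules below are my reading of the slides, and the argument-passing rule `[f]_(t1->t2) v -> [f [v]_t1]_t2`, the `add` and `read` primitives and the constructed `FILE_CONTENTS` table are assumptions made for the demonstration.

```python
"""Toy interpreter for the two-principal calculus on the slides (added example).
Terms are tuples. Principals are 'C' (client, blue) and 'H' (host, red).
('emb', t, ty) is the embedding [t]_ty of a term owned by the *other* principal,
annotated with the type the enclosing principal sees. The host knows fh = int,
the client does not; the evaluator's `color` argument is the tracked color."""

FILE_CONTENTS = {3: 'A'}   # constructed: handle 3 names a file whose first byte is 'A'

class Stuck(Exception):
    """The current principal has no reduction rule for the term."""

def other(color):
    return 'H' if color == 'C' else 'C'

def subst(t, x, v):
    """Substitute the closed value v for variable x in t."""
    tag = t[0]
    if tag == 'var':
        return v if t[1] == x else t
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, v))
    if tag in ('app', 'add'):
        return (tag, subst(t[1], x, v), subst(t[2], x, v))
    if tag == 'emb':
        return ('emb', subst(t[1], x, v), t[2])
    return t

def step(t, color):
    """One small step of t under principal `color`; None when t is a value."""
    tag = t[0]
    if tag in ('num', 'char', 'lam', 'read', 'var'):
        return None
    if tag in ('app', 'add'):
        left = step(t[1], color)
        if left is not None:
            return (tag, left, t[2])
        right = step(t[2], color)
        if right is not None:
            return (tag, t[1], right)
        l, r = t[1], t[2]
        if tag == 'add':
            if l[0] == 'num' and r[0] == 'num':
                return ('num', l[1] + r[1])
            raise Stuck(f'{color}: cannot add {l} and {r}')   # e.g. client [3]_fh + 1
        if l[0] == 'lam':
            return subst(l[2], l[1], r)
        if l[0] == 'read' and color == 'H' and r[0] == 'num':
            return ('char', FILE_CONTENTS[r[1]])             # host-only primitive
        if l[0] == 'emb' and isinstance(l[2], tuple):
            # assumed rule: [f]_(t1 -> t2) v  ->  [f [v]_t1]_t2, the argument crosses the boundary
            return ('emb', ('app', l[1], ('emb', r, l[2][1])), l[2][2])
        raise Stuck(f'{color}: cannot apply {l}')
    if tag == 'emb':
        inner, ty = t[1], t[2]
        inner2 = step(inner, other(color))          # e -> e'  implies  [e] -> [e']
        if inner2 is not None:
            return ('emb', inner2, ty)
        if color == 'H' and ty in ('int', 'fh'):
            if inner[0] == 'num':
                return inner                        # [n]_int -> n
            if inner[0] == 'emb' and inner[2] == 'fh' and inner[1][0] == 'num':
                return inner[1]                     # host only: [[n]_fh]_int -> n
        if color == 'C' and ty == 'int' and inner[0] == 'num':
            return inner                            # client: [n]_int -> n, but [n]_fh stays opaque
        if ty == 'char' and inner[0] == 'char':
            return inner
        return None                                 # opaque handle or embedded function
    raise Stuck(f'unknown term {t}')

def run(t, color='C', limit=1000):
    """Reduce t to a value under `color`; returns (value, number of steps taken)."""
    for steps in range(limit):
        nxt = step(t, color)
        if nxt is None:
            return t, steps
        t = nxt
    raise Stuck('no value within step limit')

# Host API as on the slides: hr = \handle:int. read handle, seen by the client at fh -> char.
HR = ('lam', 'handle', ('app', ('read',), ('var', 'handle')))
HANDLE = ('emb', ('num', 3), 'fh')        # [3]_fh: an opaque handle from the client's view

def slide_example():
    """Slides 17-22: the client applies the embedded hr to [3]_fh and obtains 'A'."""
    return run(('app', ('emb', HR, ('fun', 'fh', 'char')), HANDLE))

def independence(n):
    """Slide 25: a host-free client \\h:fh. (\\y. 7) h yields the same int for every [n]_fh."""
    client = ('lam', 'h', ('app', ('lam', 'y', ('num', 7)), ('var', 'h')))
    return run(('app', client, ('emb', ('num', n), 'fh')))[0]

def client_arith_on_handle():
    """Slide 5: the client cannot compute [3]_fh + 1; the handle never reduces to an int."""
    try:
        run(('add', HANDLE, ('num', 1)))
        return False
    except Stuck:
        return True

def host_arith_on_handle():
    """The host may: [[3]_fh]_int + 1 -> 4, because the host knows fh = int."""
    return run(('add', ('emb', HANDLE, 'int'), ('num', 1)), color='H')[0]
```

`slide_example()` reproduces the six-term trace of slides 17-22 in five steps, ending in `('char', 'A')`; `independence(3)` and `independence(99)` both return `('num', 7)`, which is the content of the slide 25 theorem for this client; and the last two functions show the slide 5 safety property as stuck-ness: the same arithmetic the client cannot perform on a handle is a plain integer operation once the host has unwrapped the embedding.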
ICFP 1999 27
The General Setting
• Multiple principals
• Many abstract types
• Products, Sums, Recursive Types, and References
• Proofs follow standard techniques
ICFP 1999 28
Related Work
• Language Based Security (Smith & Volpano '97, Heintze & Riecke '98, Myers '99)
• Principals (Nielson & Nielson '92, Leroy & Rouaix '98)
• Other Parametricity Results (Abadi, Cardelli & Curien '93, Crary '99, Pierce & Sangiorgi '99)
ICFP 1999 29
Summary
Principals are a useful conceptual framework.
Operational approach to proving type abstraction properties.
ICFP 1999 30
Host Operational Semantics
[nfh]int n
[xC]
xint/fhCxx