Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes
Size: px
Start display at page:

Download "Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes"

Transcription

1 Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

2 Data Privacy from a programming point of view From a programming point of view the question of privacy becomes: how can we prove/certify that a program does not reveal secret information to the public space? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

3 Data Privacy from a programming point of view From a programming point of view the question of privacy becomes: how can we prove/certify that a program does not reveal secret information to the public space? It is an instance of the more general problem of non-interference: x, y do not interfere in P if any modification on the value of x can not be observed on y. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

4 Data Privacy from a programming point of view From a programming point of view the question of privacy becomes: how can we prove/certify that a program does not reveal secret information to the public space? It is an instance of the more general problem of non-interference: x, y do not interfere in P if any modification on the value of x can not be observed on y. Non-Interference is a very general problem: Proof-theory: useless hypotheses. Non-computational content of proofs: extraction of programs throught the Curry-Howard correspondance. Parallelism. Strictness analyzis. etc. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

5 Non-interferenceS analyzes NI analyzis depends very much on the semantics and programming paradigm in use. F. Prost (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

6 Non-interferenceS analyzes NI analyzis depends very much on the semantics and programming paradigm in use. = How do we model the fact that two programs are equivalent? = What is the exact nature or quality of observations? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

7 Non-interferenceS analyzes NI analyzis depends very much on the semantics and programming paradigm in use. = How do we model the fact that two programs are equivalent? = What is the exact nature or quality of observations? It is a very strict approach to privacy: for instance a password check is an intereference. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

8 Non-interferenceS analyzes NI analyzis depends very much on the semantics and programming paradigm in use. = How do we model the fact that two programs are equivalent? = What is the exact nature or quality of observations? It is a very strict approach to privacy: for instance a password check is an intereference. = Can we define policies allowing such interferences? Non-Interference is a yes/no approach. = Can we quantify the amount of information released? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

9 NI in a Purely Functional Setting Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

10 NI in a Purely Functional Setting Pure Terms and Simple Types Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

11 NI in a Purely Functional Setting Pure Terms and Simple Types Dependencies in pure λ-calculus [Abadi et al., 1996] What parts of a term contributes to the final result? Suppose a v, what can be removed from a while still having a term reducing to v? Pure λ-terms: Prefixes: t ::= x λx.t (t 1 t 2 ) p ::= x λx.p (p 1 p 2 ) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

12 NI in a Purely Functional Setting Pure Terms and Simple Types Prefix order Let a, b be prefixes: a b if a can be produced by b replacing some subterms with. Example: (λx.(t ) ) (λx.(t u) v) The question is: how behaves wrt β-reduction? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

13 NI in a Purely Functional Setting Pure Terms and Simple Types Two results about Théorème (Monotonicity) t u t u F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

14 NI in a Purely Functional Setting Pure Terms and Simple Types Two results about Théorème (Monotonicity) t u t u Théorème (Stability) If a v, and v is in normal form, there is a minimal prefix a 0 a such that a 0 v. The minimal prefix is the mathematical solution of the non-interference computattion: how can it be effectively computed? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

15 NI in a Purely Functional Setting Pure Terms and Simple Types Labeled terms Extension of the pure λ-calculus: l ::= x λx.l (l 1 l 2 ) e : l We add the reduction rule: (e : l 1 l 2 ) e : (l1 l2) which makes possible the usual β-reduction : (e 0 : [λx.(x x)] e 1 : y) e 0 : (λx.(x x) e 1 : y) e 0 : (e 1 : y e 1 : y) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non InterferenceJuly Analyzes / 73

16 NI in a Purely Functional Setting Pure Terms and Simple Types Minimal prefix computation 1 Attribute a unique label to each subterm of a. 2 If a has nf v, we write L(a), the set of all labels occuring in v. 3 Define G(a) as the one obtained by replacing each subterm of a whom the label is not in L(a) by. (e f : (λx.e 5 : 5) e t : t) e f : (λx.e 5 : 5 e t : t) e f : e 5 : 5 Hence t does not interfere with the rest of the program. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

17 NI in a Purely Functional Setting Pure Terms and Simple Types NI in a typed setting [Berardi, 1996] How to statically compute the minimum prefix? The problem in its whole generality undecidable F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

18 NI in a Purely Functional Setting Pure Terms and Simple Types NI in a typed setting [Berardi, 1996] How to statically compute the minimum prefix? The problem in its whole generality undecidable Easy reduction to the halting problem. Is it possible to statically approximate the result? = yes with a surprising use of types in the simply typed λ-calculus.. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

19 NI in a Purely Functional Setting Pure Terms and Simple Types Dependancies in simply-typed λ-calculus Simply typed λ-calculus with base type N and constants S : N N and 0 : N. Introduction of a constant, only term of type U. Definition of an order relation w.r.t.. two terms t 1, t 2 : A are observationnelly equivalents iff: C[. A ] : N, C[t 1 ] = β C[t 2 ] F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

20 NI in a Purely Functional Setting Pure Terms and Simple Types Dead code in simply typed λ-calculus Théorème ([Berardi, 1996]) If t, t : A and t t then t and t are obervationnaly equivalent.. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

21 NI in a Purely Functional Setting Pure Terms and Simple Types Dead code in simply typed λ-calculus Théorème ([Berardi, 1996]) If t, t : A and t t then t and t are obervationnaly equivalent. Proof. If A = N then by subject reduction, strong normalization and monotonicity we have t v and t v with v v, but closed nf of type N are either 0 or (S... (S 0)...), hence v v. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

22 NI in a Purely Functional Setting Pure Terms and Simple Types Dead code in simply typed λ-calculus Théorème ([Berardi, 1996]) If t, t : A and t t then t and t are obervationnaly equivalent. Proof. If A = N then by subject reduction, strong normalization and monotonicity we have t v and t v with v v, but closed nf of type N are either 0 or (S... (S 0)...), hence v v. For any other type A take any closing context C[. A ] : N. Then C[t] C[t ], and C[t], C[t ] : N, hence we can apply the previous reasonning. An example: (λx : U.5 ) (λx : N.5 t) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

23 NI in a Purely Functional Setting Pure Terms and Simple Types Problems linked with the unicity of typing Type unicity + Conservative approximation = less accurate analyzis t = (λf : N N.(g f (f 5)) λx : N.4) We would like to type tye first occurrence of f with N N and the second one with U N. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

24 NI in a Purely Functional Setting Higher-order Types Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

25 NI in a Purely Functional Setting Higher-order Types Variable sorts A is a type is a judgment: Γ A : We introduce judgments of the form: Γ A : α where α is a sort variable ranging over,. The two different s are used to denote separated universes. We add axiom i : for i {, } F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

26 NI in a Purely Functional Setting Higher-order Types Sort abstraction Abstracting sorts w.r.t. terms: sort application: Γ, α :, Γ t : B Γ, Γ ok Γ, Γ (λα :.t) : (Πα:.B) Γ t : (Πα:.A) Γ k : Γ (t k) : A[α := k] F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

27 NI in a Purely Functional Setting Higher-order Types Examples N α def = ΠX :α.x (X X ) X n α def = λx : α.λx : X.λf : X X. n {}}{ ( f... (f x)...) α :, β :, y : N α 5 β : N β α :, β : λy : N α.5 β : (N α N β ) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

28 NI in a Purely Functional Setting Higher-order Types k-types, k-constants k-type: Type where the only occuring sort is k. Example of -type: ΠX :.ΠY :.X Y (ΠZ :.Z X ) For all k-type A, we define a constant d A of type A. We define an order k w.r.t. k-constants: (λx : N.5 d N ) (λx : N.5 t) if t is of type N, for instance. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

29 NI in a Purely Functional Setting Higher-order Types Non-interference and types A first result: Theorem (Non-interference) Let x : A t : B, A a -type, B a -type then for all <> t 1, t 2 : A one has: t[x := t 1 ] = obs t[x := t 2 ] A corollary: Theorem (Dead-code) If <> t 1, t 2 : A, and A a -type, and t 1 t 2, then t 1 = obs t 2 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

30 NI in a Purely Functional Setting Higher-order Types Example 1 Let t be such that <> t : N, then terms t 1 = (λy : N.5 t), t 2 = (λy : N.5 d N ) are both of type N. t 2 t 1. Then from theorem 2, we conclude t 1 = obs t 2. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

31 NI in a Purely Functional Setting Higher-order Types Example 2 The ability to abstract over sorts introduces flexibility : t = ( λf : Πα, β :.N α N β (g (f ) ((f ) t ) λα, β :.λx : N α.5 β ) with g of type (N N ) N N, and t of type N. t is of type N, and t analyzed as dead-code. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

32 NI in a Purely Functional Setting Higher-order Types The λ-cube [Barendregt, 1991] Terms: T ::= V C (T T ) λv : T.T ΠV :T.T Parameters: S: sorts, A, axioms of the form c : s, R, rules of the form (s 1, s 2, s 3 ). We write (s 1, s 2 ) when s 3 = s 2. Rules define valid product: Γ A : s 1 Γ, x : A B : s 2 Γ Πx :A.B : s 3 Computation rule: (λx : A.B C) β B[x := C] F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

33 NI in a Purely Functional Setting Higher-order Types The λ-cube Take sorts: {, }, and axiom ( : ). We consider only rules of the form (s 1, s 2 ). We have four possible rules: {(, ), (, ), (, ), (, )} F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

34 NI in a Purely Functional Setting Higher-order Types Intuitions behind rules (, ): simply typed λ-calculus. (, ): polymorphism. (, ): possiblity to build connective. (, ): dependent types. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

35 NI in a Purely Functional Setting Higher-order Types λω λ2 λω λ (, ) (, ) λc λp2 λpω λp System λ Historical name Simply typed λ-calculus [Church, 1940] λ2 System F [Girard, 1972] λp AUT-QE; LF [Bruijn, 1970] λp2 [Longo and Moggi, 1988] λω POLYREC [de Lavalette, 1992] λω F ω [Girard, 1972] λc Calculus of Constructions [Coquand and Huet, 1988] (, ) λ-cube [Barendregt, 1991] F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

36 NI in a Purely Functional Setting Higher-order Types Sort abstraction in cube style Addition of sort: ; Addition of axiom: : ; Addition of rule: (, ); Γ : Γ, α : A : Γ (Πα:.A) : F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

37 NI in a Purely Functional Setting Higher-order Types (, ) (, ) (, ) (, ) λω λ2 λc λp2 Hyper λ-cube λωe λ2e λce λp2e λω λ λpω λp λωe λ E λpωe λpe F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

38 NI in a Purely Functional Setting Higher-order Types Results It is possible to prove theorems 1 and 2 in the E-cube: a non-interference result for the Calculus of Constructions. The rule (, ) expresses the logical content of type-based analyses. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

39 NI in a Purely Functional Setting Higher-order Types Technical considerations Original formalism has been extended in order to have judgments like x : X : α : where x, X, α are variables. In λα :.A, α is a weak variable, i.e. it stands either for or. The work done is of theoretical nature. Hint for an algorithm: ML unification modified (not complete). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

40 NI in an Imperative Setting Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

41 NI in an Imperative Setting Interferences in imperative programs [Volpano and Smith, 1997] Programs input and output are classified at different security levels. We would like to allow the information to go up but never down w.r.t. security levels. The security can be expressed by comparing the memory of the computer regarding the different levels of security (different from the functional approach in which there are no variables). Simple imperative programming language with procedures. Type soundness result: if a program is well typed, then non-interference is enforced. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

42 NI in an Imperative Setting Some Information Leaking Programs and Non-Termination for i = 0 to secret output i on public_channel F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

43 NI in an Imperative Setting Some Information Leaking Programs and Non-Termination for i = 0 to secret output i on public_channel for i = 0 to secret output i on public_channel while true do skip F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

44 NI in an Imperative Setting Some Information Leaking Programs and Non-Termination for i = 0 to secret output i on public_channel for i = 0 to secret output i on public_channel while true do skip for i = 0 to maxnat { output i on public_channel if (i = secret) then (while true do skip) } F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

45 NI in an Imperative Setting Types in the Smith-Volpano System Three kinds of types τ-types: security levels. π-types: expressions and commands. ρ-types: types of phrases. For instance τ {h, l} with l h. command types have form τ cmd. A command of type h cmd says it does not contain assignment to low variables. Phrase types are of the form τ var or τ acc The subtype relation is contravariant in command and acceptor types. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

46 NI in an Imperative Setting Information flow Direct information flow: l:=h F. Prost (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

47 NI in an Imperative Setting Information flow Direct information flow: l:=h Indirect information flow While h>0 do l:=l+1; h:=h-1; od. Prost (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

48 NI in an Imperative Setting Information flow Direct information flow: l:=h Indirect information flow While h>0 do l:=l+1; h:=h-1; od We must have typing rules forbidding such programs: γ e : τ γ c : τ cmd γ while e do c : τcmd. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

49 NI in an Imperative Setting Type Soundnes and Non-Interference One needs to define the operational semantics of the programming language: µ c = µ One needs to define a notion of equivalent memories µ l ν if µ and ν agree on the value of low-level variables. The non-interference property can be stated as: suppose that λ c : π suppose that µ c = µ suppose that ν c = ν suppose that µ τ ν τ λ then ν (l) = µ (l) for all l such that λ(l) τ. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

50 NI and concurrency Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

51 NI and concurrency Process interlock and information leakage α [c α = 0 SPY := 0 ; c β := 0]; θ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

52 NI and concurrency Process interlock and information leakage α β [c α = 0 SPY := 0 ; c β := 0]; θ [c β = 0 SPY := 1 ; c α := 0]; θ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

53 NI and concurrency Process interlock and information leakage α β [c α = 0 SPY := 0 ; c β := 0]; θ [c β = 0 SPY := 1 ; c α := 0]; θ γ ( [PIN = 1 c α := 0]; θ ) + ( [PIN = 0 cβ := 0]; θ ) α β γ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

54 NI and concurrency λ ar [Prost, 2005]: λ-calculus with adressed resources Variation of the blue-calculus of G. Boudol (variant of Milner s polyadic π-calculus). Terms: t ::= x, a (t t) λx.t t t νa(t) (t s) (s t) Adressed ressources : s ::= a t a = t (s s) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

55 NI and concurrency Operational Semantics Definition (Reduction rules) (λx.t u) β t{x := u} t a u ρ t{a := u} Communication example: a λx.t (a v) ρ (λx.t v) β t{x := v} F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

56 NI and concurrency λ ar Typing It is possible to have a fine-grained typing of λ ar : [PPAR] Γ t : τ Γ u : σ (τ, σ ) Γ t u : Pa(τ, σ) Sort abstraction à la [Prost00] leads to similar result than in λ-calculus. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

57 Relaxing Non-Interference Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

58 Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

59 Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

60 Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

61 Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

62 Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy? In our framework we propose: 1 A security profile for each operator: rewrite rules over privacy lattice. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

63 Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy? In our framework we propose: 1 A security profile for each operator: rewrite rules over privacy lattice. 2 Rewrite rules may have actions modifying the policy. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

64 Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy? In our framework we propose: 1 A security profile for each operator: rewrite rules over privacy lattice. 2 Rewrite rules may have actions modifying the policy. 3 Definition of high/low bisimulation with dynamic policies. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

65 Relaxing Non-Interference Non-Interference Dynamic policies [Prost, 2011] A lot of every-day life scenarios involve dynamic evolution of data privacy levels. Pay-per-view; Sealed auctions; etc. Challenge: to adapt non-interference to fit with dynamic evolution of privacy? In our framework we propose: 1 A security profile for each operator: rewrite rules over privacy lattice. 2 Rewrite rules may have actions modifying the policy. 3 Definition of high/low bisimulation with dynamic policies. 4 Program safety verification by abstract execution on privacy levels. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

66 Relaxing Non-Interference Programming framework Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

67 Relaxing Non-Interference Programming framework WHILE programming language Minimalistic programming language: v ::= x t, b ::= v f (x 1,..., x n ) P ::= x := t P; P if b then P else P while b do P skip It can be seen as an intermediate language: x := f (345, g(x 1, x 2 )) (x 0 := 345; x 3 := g(x 2, x 3 ); x := f (x 3 ) Natural semantics µ, P os µ, P F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

68 Relaxing Non-Interference Dynamic interference policy Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

69 Relaxing Non-Interference Dynamic interference policy Interference policy Program variables are attributed privacy levels. Privacy levels are elements of a lattice L. Interference policies are based on authorised behavior of operators. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

70 Relaxing Non-Interference Dynamic interference policy Interference policy Program variables are attributed privacy levels. Privacy levels are elements of a lattice L. Interference policies are based on authorised behavior of operators. Usually it is done through types but it is too rigid. = We use term rewriting system on privacy levels in order to deal with concrete privacy levels used at evaluation time. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

71 Relaxing Non-Interference Dynamic interference policy Static interference policy For each operator f we consider f DIP. Σ DIP = (V DIP, V Ω DIP L) Encryption policy, SP: encrypt DIP (π 128, x) π 1 encrypt DIP (π 256, x) SPY DIP PIN DIP... In the program: SPY := encrypt(k, PIN) The security level of encrypt(k, PIN) is computed using rules of SP. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

72 Relaxing Non-Interference Dynamic interference policy Dynamicity Privacy levels may change during computation. Rewriting rules with actions : l r; a a ::= x π x π x y x y a; a The interference policy changes through the evaluation of operator security level computation: t[σ(l)], SP t[σ(r)], SP F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

73 Relaxing Non-Interference Dynamic interference policy Three strikes, out Aim: account suspended after 3 unsuccessful login attempts. In the program: ckpwd(g, pwd) For each operator f of arity n we consider f DIP of arity 2n. = distinction between the name of a program variable and its privacy level. Privacy level of ckpwd(g, pwd) is computed by the evaluation of: ckpwd DIP (π g, g, π pwd, pwd) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

74 Relaxing Non-Interference Dynamic interference policy Three strikes, out t 0 t 1 t 2 t 3 ckpwd(, g, t 0, p) ; p t 1 ckpwd(, g, t 1, p) ; p t 2 ckpwd(, g, t 2, p) ; p t 3 ckpwd(, (g, t 3, p) ckok(x, y) ; y t 0 g PIN 1 t 0 PIN 2 t 0... F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

75 Relaxing Non-Interference Dynamic interference policy Three strikes, out t 0 t 1 t 2 t 3 ckpwd(, g, t 0, p) ; p t 1 ckpwd(, g, t 1, p) ; p t 2 ckpwd(, g, t 2, p) ; p t 3 ckpwd(, (g, t 3, p) ckok(x, y) ; y t 0 g PIN 1 t 0 PIN 2 t 0... In the program: if ckpwd(g, PIN 1 ) then blah else next try F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

76 Relaxing Non-Interference Dynamic interference policy Dynamic interference policy Definition A DIP, SP, is a confluent terminating rewrite system with actions with: 1 For every x V there is a rule x π in SP. 2 For each rule l r such that l is in V then r is in L. 3 SP introduces no junk into L. I.e., for all ground terms, t, over Σ L, the normal form of t, is in L. 4 SP introduces no confusion into L. I.e., τ 1, τ 2 L, τ 1 τ 2 = τ 1 τ 2. 5 functions in Σ are monotonic w.r.t. privacy levels: π i, π i L, π i = nf SP (f (π 1,..., π n )) nf SP (f (π 1,..., π n)). π i t, SP π SP (t), SP t F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

77 Relaxing Non-Interference Dynamic interference policy Privacy level of a term wrt SP to compute the privacy level of f (x, y) we consider t = f DIP (nf SP (x), x, nf SP (y), y) The evaluation of this term in SP gives the privacy level and a new interference policy: t, SP π SP (t), SP t F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

78 Relaxing Non-Interference Program safety w.r.t. DIP Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

79 Relaxing Non-Interference Program safety w.r.t. DIP Program safety Traditionally: a program is safe if every modification of a value above π cannot be observed below π: µ 1, P os µ 1 µ 2, P os µ 2 µ 1 π µ 2 What to do with the policy: making possible program as: encrypt(π 1024, ) SPY := encrypt(key 1024, PIN) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

80 Relaxing Non-Interference Program safety w.r.t. DIP Program safety Traditionally: a program is safe if every modification of a value above π cannot be observed below π: µ 1, P os µ 1 µ 2, P os µ 2 µ 1 π µ 2 What to do with the policy: making possible program as: encrypt(π 1024, ) SPY := encrypt(key 1024, PIN) = Use an alternate op. sem. declared leaks are treated specifically. Notion of declassified operational semantics. µ 1, P µ d = µ 1, P F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

81 Relaxing Non-Interference Program safety w.r.t. DIP declassifying terms A term is declassifying if its privacy level is lower than one of its arguments. Such terms will be subjected to specific rules in the declassified operational semantics. Definition (Declassifying terms and assignments) t = f (x 1,..., x n ) is declassifying wrt SP, written SP f (x 1,..., x n ) if: π SP (t) ( n i=1 πsp (t i )) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

82 Relaxing Non-Interference Program safety w.r.t. DIP Declassified evaluation P, µ µ d = P, µ, SP Declassifying assignment: SP f DIP ((π SP (x), x) [[f (x)]]µ d = v f (π SP (x), x), SP π, SP f (πsp (x),x) y := f (x), µ, SP µ AS d = skip, µ[y := v], SP f (πsp (x),x) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

83 Relaxing Non-Interference Program safety w.r.t. DIP High/low bisimulation and DIPs Definition (Bisimulation) A π-bisimulation is a symetric relation R such that: If P 1, SP 1 R P 2, SP 2 and µ 1, P 1, SP 1 µ 1 = µ 1, P 1, SP 1 and µ 1 SP 1 SP 2 π µ 2. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

84 Relaxing Non-Interference Program safety w.r.t. DIP High/low bisimulation and DIPs Definition (Bisimulation) A π-bisimulation is a symetric relation R such that: If P 1, SP 1 R P 2, SP 2 and µ 1, P 1, SP 1 µ 1 = µ 1, P 1, SP 1 = and µ 1 SP 1 SP 2 π µ 2 P 2, SP 2 and µ 2 s.t. µ 2, P 2, SP 2 µ 1 = µ 2, P 2, SP 2 and µ 1 SP 1 SP 2 π µ 2 and P 1, SP 1 R P 2, SP 2. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

85 Relaxing Non-Interference Program safety w.r.t. DIP Program safety w.r.t. a DIP The union of two π-bisimulation is a π-bisimulation. The biggest π-bisimulation is written and is the union of all π-bisimulation. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

86 Relaxing Non-Interference Program safety w.r.t. DIP Program safety w.r.t. a DIP The union of two π-bisimulation is a π-bisimulation. The biggest π-bisimulation is written and is the union of all π-bisimulation. Definition (Safe program) A program P is safe with relation DIP SP, written SP = P, if for all privacy level π P, SP π P, SP. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

87 Relaxing Non-Interference Program Verification Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

88 Relaxing Non-Interference Program Verification Abstract execution principle (1) F. Prost (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

89 Relaxing Non-Interference Program Verification Abstract execution principle (1) Idea: to execute the program on L. An abstract memory record associates variables with their privacy levels. F. Prost (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

90 Relaxing Non-Interference Program Verification Abstract execution principle (1) Idea: to execute the program on L. An abstract memory record associates variables with their privacy levels. Record of the highest privacy level encountered in if-then-else and while guards to avoid indirect leaks, e.g.: if PIN = 0 then while 0 do skip else skip; SPY := 0 Check assignments wrt SP and : x := f (...) implies π SP (x) (π SP (f (...)) π g ) raises a failure if the inequality is not satisfied.. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

91 Relaxing Non-Interference Program Verification Abstract execution principle (2) Moreover evaluation of terms modify the DIP. Problem: it is not possible to merge DIPs resulting from the branches of an if-then-else construct. F. Prost (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

92 Relaxing Non-Interference Program Verification Abstract execution principle (2) Moreover evaluation of terms modify the DIP. Problem: it is not possible to merge DIPs resulting from the branches of an if-then-else construct. = Creation of a DIP list recording DIP s for each execution paths. Fixpoint problem for the while construct.. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

93 Relaxing Non-Interference Program Verification Abstract execution principle (2) Moreover evaluation of terms modify the DIP. Problem: it is not possible to merge DIPs resulting from the branches of an if-then-else construct. = Creation of a DIP list recording DIP s for each execution paths. Fixpoint problem for the while construct. = Finite number of DIP lists.. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

94 Relaxing Non-Interference Program Verification Abstract execution result Theorem L.( { SP, }, P L) = SP = P F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

95 Relaxing Non-Interference Program Verification Abstract execution result Theorem L.( { SP, }, P L) = SP = P Converse implication does not hold: if PIN = 0 then SPY := 1 else SPY := 1 this safe program raises a failure in the abstract operational semantics. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

96 Conclusion Plan 1 NI in a Purely Functional Setting Pure Terms and Simple Types Higher-order Types 2 NI in an Imperative Setting 3 NI and concurrency 4 Relaxing Non-Interference Programming framework Dynamic interference policy Program safety w.r.t. DIP Program Verification 5 Conclusion F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

97 Conclusion Conclusion Non-Interference is a very abstract and powerful, but strict, approach to privacy in programming languages. It is very different from the traditional cryptographic approach and relies on completely different techniques: programming semantics. There has been a lot of work in order to cope with different paradigms and subtle variations around the notion of strict non-interference. Differential privacy is a relatively new way to approach non-interference. In a nutshell : the idea is to manipulate data of a data-base in such a way that statistical properties of interest are unchanged while having indistinguishability properties (kind of non-interference) insuring the privacy (e.g. [Dwork, 2008]). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

98 Conclusion Bibliography I Abadi, M., Lampson, B. W., and Lévy, J. (1996). Analysis and caching of dependencies. In Proceedings of the 1996 ACM SIGPLAN International Conference on Functional Programming (ICFP 96), Philadelphia, Pennsylvania, May 24-26, 1996., pages Askarov, A., Hunt, S., Sabelfeld, A., and Sands, D. (2008). Termination-insensitive noninterference leaks more than just a bit. In Computer Security - ESORICS 2008, 13th European Symposium on Research in Computer Security, Málaga, Spain, October 6-8, Proceedings, pages Barendregt, H. (1991). Introduction to generalized type systems. J. Funct. Program., 1(2): F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

99 Conclusion Bibliography II Berardi, S. (1996). Pruning simply typed lambda-terms. J. Log. Comput., 6(5): Bruijn, N. G. D. (1970). The mathematical language AUTOMATH, its usage and some of its extensions (iria, versailles 1968). In Symposium on automatic demonstration, volume 125 of Lecture Notes in Mathematics, pages Springer-Verlag. Church, A. (1940). A formulation of the simple theory of types. Journal of Symbolic Logic, 5(1). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

100 Conclusion Bibliography III Coquand, T. and Huet, G. (1988). The calculus of constructions. Information and Computation, 76: de Lavalette, G. R. (1992). Strictness analysis via abstract interpretation for recursively defined types. Information and Computation, 99(2): Dwork, C. (2008). Differential privacy: A survey of results. In Theory and Applications of Models of Computation, 5th International Conference, TAMC 2008, Xi an, China, April 25-29, Proceedings, pages F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

101 Conclusion Bibliography IV Girard, J.-Y. (1972). Interprétation fonctionnelle et élimination des coupures de l arithmétique d ordre supérieur. PhD thesis, Université Paris 7. Longo, G. and Moggi, E. (1988). Constructive natural deduction and its modest interpretation. Technical Report CMU-CS , Carneghie Mellon University. Prost, F. (2000). A static calculus of dependencies for the lambda-cube. In 15th Annual IEEE Symposium on Logic in Computer Science, Santa Barbara, California, USA, June 26-29, 2000, pages F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

102 Conclusion Bibliography V Prost, F. (2005). Sort abstraction for static analyzes of mobile processes. In Sixth Symposium on Trends in Functional Programming (TFP 2005), Tallinn, Estonia. Prost, F. (2011). Enforcing dynamic interference policy. In PASSAT/SocialCom 2011, Privacy, Security, Risk and Trust (PASSAT), 2011 IEEE Third International Conference on and 2011 IEEE Third International Conference on Social Computing (SocialCom), Boston, MA, USA, 9-11 Oct., 2011, pages Sabelfeld, A. and Sands, D. (2009). Declassification: Dimensions and principles. Journal of Computer Security, 17(5): F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

103 Conclusion Bibliography VI Volpano, D. M. and Smith, G. (1997). A type-based approach to program security. In TAPSOFT 97: Theory and Practice of Software Development, 7th International Joint Conference CAAP/FASE, Lille, France, April 14-18, 1997, Proceedings, pages F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy Normale and Supérieure Computer Science de Lyon) (ECI 2015) Day 3 - Non Interference July Analyzes / 73

Similar documents

Fast Probabilistic Simulation, Nontermination, and Secure Information Flow

Fast Probabilistic Simulation, Nontermination, and Secure Information Flow Fast Probabilistic Simulation, Nontermination, and Secure Information Flow Geoffrey Smith Rafael Alpízar Florida International University {smithg,ralpi00}@cis.fiu.edu Abstract In secure information flow

More information

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007 Dynamic Noninterference Analysis Using Context Sensitive Static Analyses Gurvan Le Guernic July 14, 2007 1 Abstract This report proposes a dynamic noninterference analysis for sequential programs. This

More information

A Cryptographic Decentralized Label Model

A Cryptographic Decentralized Label Model A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007 Information

More information

Static Program Analysis using Abstract Interpretation

Static Program Analysis using Abstract Interpretation Static Program Analysis using Abstract Interpretation Introduction Static Program Analysis Static program analysis consists of automatically discovering properties of a program that hold for all possible

More information

CS 4110 Programming Languages & Logics. Lecture 16 Programming in the λ-calculus

CS 4110 Programming Languages & Logics. Lecture 16 Programming in the λ-calculus CS 4110 Programming Languages & Logics Lecture 16 Programming in the λ-calculus 30 September 2016 Review: Church Booleans 2 We can encode TRUE, FALSE, and IF, as: TRUE λx. λy. x FALSE λx. λy. y IF λb.

More information

Review of The π-calculus: A Theory of Mobile Processes

Review of The π-calculus: A Theory of Mobile Processes Review of The π-calculus: A Theory of Mobile Processes Riccardo Pucella Department of Computer Science Cornell University July 8, 2001 Introduction With the rise of computer networks in the past decades,

More information

Subtyping and Intersection Types Revisited

Subtyping and Intersection Types Revisited Subtyping and Intersection Types Revisited Frank Pfenning Carnegie Mellon University International Conference on Functional Programming (ICFP 07) Freiburg, Germany, October 1-3, 2007 Joint work with Rowan

More information

Typing Noninterference for Reactive Programs

Typing Noninterference for Reactive Programs Typing Noninterference for Reactive Programs Ana Almeida Matos, Gérard Boudol and Ilaria Castellani June 7, 2004 Abstract We propose a type system to enforce the security property of noninterference in

More information

The Calculus of Inductive Constructions

The Calculus of Inductive Constructions The Calculus of Inductive Constructions Hugo Herbelin 10th Oregon Programming Languages Summer School Eugene, Oregon, June 16-July 1, 2011 1 Outline - A bit of history, leading to the Calculus of Inductive

More information

Safety Analysis versus Type Inference for Partial Types

Safety Analysis versus Type Inference for Partial Types Safety Analysis versus Type Inference for Partial Types Jens Palsberg palsberg@daimi.aau.dk Michael I. Schwartzbach mis@daimi.aau.dk Computer Science Department, Aarhus University Ny Munkegade, DK-8000

More information

Typage et déduction dans le calcul de

Typage et déduction dans le calcul de Typage et déduction dans le calcul de réécriture Benjamin Wack Encadrants : C. Kirchner, L. Liquori Deduction and computation λ-calculus [Church 40] is a simple and powerful computational model Explicit

More information

Information Flow Inference for ML

Information Flow Inference for ML POPL 02 INRIA Rocquencourt Projet Cristal Francois.Pottier@inria.fr http://cristal.inria.fr/~fpottier/ Vincent.Simonet@inria.fr http://cristal.inria.fr/~simonet/ Information flow analysis account number

More information

Denotational semantics

Denotational semantics Denotational semantics Semantics and Application to Program Verification Antoine Miné École normale supérieure, Paris year 2015 2016 Course 4 4 March 2016 Course 4 Denotational semantics Antoine Miné p.

More information

Static Program Analysis

Static Program Analysis Static Program Analysis Xiangyu Zhang The slides are compiled from Alex Aiken s Michael D. Ernst s Sorin Lerner s A Scary Outline Type-based analysis Data-flow analysis Abstract interpretation Theorem

More information

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security Carlos Olarte and Frank D. Valencia INRIA /CNRS and LIX, Ecole Polytechnique Motivation Concurrent

More information

Linearity and Passivity

Linearity and Passivity Linearity and Passivity David A. 1 School of Computing University of Tasmania GPO Box 252-100 Hobart 7001 Australia Abstract A simple symmetric logic is proposed which captures both the notions of Linearity

More information

Type Theory and Constructive Mathematics. Type Theory and Constructive Mathematics Thierry Coquand. University of Gothenburg

Type Theory and Constructive Mathematics. Type Theory and Constructive Mathematics Thierry Coquand. University of Gothenburg Type Theory and Constructive Mathematics Type Theory and Constructive Mathematics Thierry Coquand University of Gothenburg Content An introduction to Voevodsky s Univalent Foundations of Mathematics The

More information

Lecture Notes on Combinatory Modal Logic

Lecture Notes on Combinatory Modal Logic Lecture Notes on Combinatory Modal Logic 15-816: Modal Logic Frank Pfenning Lecture 9 February 16, 2010 1 Introduction The connection between proofs and program so far has been through a proof term assignment

More information

Introduction to Type Theory February 2008 Alpha Lernet Summer School Piriapolis, Uruguay. Herman Geuvers Nijmegen & Eindhoven, NL

Introduction to Type Theory February 2008 Alpha Lernet Summer School Piriapolis, Uruguay. Herman Geuvers Nijmegen & Eindhoven, NL Introduction to Type Theory February 2008 Alpha Lernet Summer School Piriapolis, Uruguay Herman Geuvers Nijmegen & Eindhoven, NL Lecture 5: Higher Order Logic and the Calculus of Constructions 1 Church

More information

Safety Analysis versus Type Inference

Safety Analysis versus Type Inference Information and Computation, 118(1):128 141, 1995. Safety Analysis versus Type Inference Jens Palsberg palsberg@daimi.aau.dk Michael I. Schwartzbach mis@daimi.aau.dk Computer Science Department, Aarhus

More information

Decidable Subsets of CCS

Decidable Subsets of CCS Decidable Subsets of CCS based on the paper with the same title by Christensen, Hirshfeld and Moller from 1994 Sven Dziadek Abstract Process algebra is a very interesting framework for describing and analyzing

More information

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications NICTA Advanced Course Theorem Proving Principles, Techniques, Applications λ 1 CONTENT Intro & motivation, getting started with Isabelle Foundations & Principles Lambda Calculus Higher Order Logic, natural

More information

A Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs

A Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs A Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs Torben Amtoft and Anindya Banerjee a,1,2 a Department of Computing and Information Sciences Kansas

More information

COMP6463: λ-calculus

COMP6463: λ-calculus COMP6463: λ-calculus 1. Basics Michael Norrish Michael.Norrish@nicta.com.au Canberra Research Lab., NICTA Semester 2, 2015 Outline Introduction Lambda Calculus Terms Alpha Equivalence Substitution Dynamics

More information

Non-Idempotent Typing Operators, beyond the λ-calculus

Non-Idempotent Typing Operators, beyond the λ-calculus Non-Idempotent Typing Operators, beyond the λ-calculus Soutenance de thèse Pierre VIAL IRIF (Univ. Paris Diderot and CNRS) December 7, 2017 Non-idempotent typing operators P. Vial 0 1 /46 Certification

More information

Non deterministic classical logic: the λµ ++ -calculus

Non deterministic classical logic: the λµ ++ -calculus Paru dans : Mathematical Logic Quarterly, 48, pp. 357-366, 2002 Non deterministic classical logic: the λµ ++ -calculus Karim NOUR LAMA - Equipe de Logique, Université de Savoie 73376 Le Bourget du Lac

More information

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 17 Tuesday, April 2, 2013 1 There is a strong connection between types in programming languages and propositions

More information

Advanced Lambda Calculus. Henk Barendregt & Giulio Manzonetto ICIS Faculty of Science Radboud University Nijmegen, The Netherlands

Advanced Lambda Calculus. Henk Barendregt & Giulio Manzonetto ICIS Faculty of Science Radboud University Nijmegen, The Netherlands Advanced Lambda Calculus Henk Barendregt & Giulio Manzonetto ICIS Faculty of Science Radboud University Nijmegen, The Netherlands Form of the course Ordinary lecture Seminar form Exam: working out an exercise

More information

An Independence Relation for Sets of Secrets

An Independence Relation for Sets of Secrets Sara Miner More Pavel Naumov An Independence Relation for Sets of Secrets Abstract. A relation between two secrets, known in the literature as nondeducibility, was originally introduced by Sutherland.

More information

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions Chapter 1 Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions 1.1 The IMP Language IMP is a programming language with an extensible syntax that was developed in the late 1960s. We will

More information

Lecture Notes on Intuitionistic Kripke Semantics

Lecture Notes on Intuitionistic Kripke Semantics Lecture Notes on Intuitionistic Kripke Semantics 15-816: Modal Logic Frank Pfenning Lecture 15 March 18, 2010 1 Introduction In this lecture we present an intuitionistic approach to describing a multipleworld

More information

Beyond First-Order Logic

Beyond First-Order Logic Beyond First-Order Logic Software Formal Verification Maria João Frade Departmento de Informática Universidade do Minho 2008/2009 Maria João Frade (DI-UM) Beyond First-Order Logic MFES 2008/09 1 / 37 FOL

More information

Command = Value Context. Hans-Dieter Hiep. 15th of June, /17

Command = Value Context. Hans-Dieter Hiep. 15th of June, /17 1/17 Command = Value Context Hans-Dieter Hiep 15th of June, 2018 2/17 Example Consider a total functional programming language. swap :: A B B A swap (a, b) = (b, a) paws :: A B B A paws a = a paws b =

More information

Intersection Synchronous Logic

Intersection Synchronous Logic UnB 2007 p. 1/2 Intersection Synchronous Logic Elaine Gouvêa Pimentel Simona Ronchi della Rocca Luca Roversi UFMG/UNITO, 2007 UnB 2007 p. 2/2 Outline Motivation UnB 2007 p. 2/2 Outline Motivation Intuitionistic

More information

Relating Nominal and Higher-Order Pattern Unification

Relating Nominal and Higher-Order Pattern Unification Relating Nominal and Higher-Order Pattern Unification James Cheney University of Edinburgh UNIF 2005 April 22, 2005 1 Motivation Higher-order unification: studied since ca. 1970 Undecidable, infinitary,

More information

The State Explosion Problem

The State Explosion Problem The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis

More information

Space-aware data flow analysis

Space-aware data flow analysis Space-aware data flow analysis C. Bernardeschi, G. Lettieri, L. Martini, P. Masci Dip. di Ingegneria dell Informazione, Università di Pisa, Via Diotisalvi 2, 56126 Pisa, Italy {cinzia,g.lettieri,luca.martini,paolo.masci}@iet.unipi.it

More information

A Behavioral Congruence for Concurrent Constraint Programming with Nondeterministic Choice

A Behavioral Congruence for Concurrent Constraint Programming with Nondeterministic Choice A Behavioral Congruence for Concurrent Constraint Programming with Nondeterministic Choice Luis Pino*, Filippo Bonchi** and Frank Valencia* (Presented by: Jorge A. Pe rez) *E quipe Come te, LIX, Laboratoire

More information

Hoare Logic: Reasoning About Imperative Programs

Hoare Logic: Reasoning About Imperative Programs Hoare Logic: Reasoning About Imperative Programs COMP1600 / COMP6260 Dirk Pattinson Australian National University Semester 2, 2018 Programming Paradigms Functional. (Haskell, SML, OCaml,... ) main paradigm:

More information

Simply Typed Lambda Calculus

Simply Typed Lambda Calculus Simply Typed Lambda Calculus Language (ver1) Lambda calculus with boolean values t ::= x variable x : T.t abstraction tt application true false boolean values if ttt conditional expression Values v ::=

More information

CS 6110 Lecture 28 Subtype Polymorphism 3 April 2013 Lecturer: Andrew Myers

CS 6110 Lecture 28 Subtype Polymorphism 3 April 2013 Lecturer: Andrew Myers CS 6110 Lecture 28 Subtype Polymorphism 3 April 2013 Lecturer: Andrew Myers 1 Introduction In this lecture, we make an attempt to extend the typed λ-calculus for it to support more advanced data structures

More information

Communicating Parallel Processes. Stephen Brookes

Communicating Parallel Processes. Stephen Brookes Communicating Parallel Processes Stephen Brookes Carnegie Mellon University Deconstructing CSP 1 CSP sequential processes input and output as primitives named parallel composition synchronized communication

More information

Partial model checking via abstract interpretation

Partial model checking via abstract interpretation Partial model checking via abstract interpretation N. De Francesco, G. Lettieri, L. Martini, G. Vaglini Università di Pisa, Dipartimento di Ingegneria dell Informazione, sez. Informatica, Via Diotisalvi

More information

arxiv: v3 [cs.pl] 15 May 2011

arxiv: v3 [cs.pl] 15 May 2011 A Step-indexed Semantic Model of Types for the Call-by-Name Lambda Calculus arxiv:1105.1985v3 [cs.pl] 15 May 2011 Abstract Step-indexed semantic models of types were proposed as an alternative to purely

More information

COMPUTER SCIENCE TEMPORAL LOGICS NEED THEIR CLOCKS

COMPUTER SCIENCE TEMPORAL LOGICS NEED THEIR CLOCKS Bulletin of the Section of Logic Volume 18/4 (1989), pp. 153 160 reedition 2006 [original edition, pp. 153 160] Ildikó Sain COMPUTER SCIENCE TEMPORAL LOGICS NEED THEIR CLOCKS In this paper we solve some

More information

A call-by-name lambda-calculus machine

A call-by-name lambda-calculus machine A call-by-name lambda-calculus machine Jean-Louis Krivine University Paris VII, C.N.R.S. 2 place Jussieu 75251 Paris cedex 05 (krivine@pps.jussieu.fr) Introduction We present, in this paper, a particularly

More information

Program Analysis Probably Counts

Program Analysis Probably Counts Probably Counts 1 c.hankin@imperial.ac.uk joint work with Alessandra Di Pierro 2 and Herbert Wiklicky 1 1 Department of Computing, 2 Dipartimento di Informatica, Università di Verona Computer Journal Lecture,

More information

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole

More information

An extension of HM(X) with bounded existential and universal data-types

An extension of HM(X) with bounded existential and universal data-types Groupe de travail Cristal July, 2003 An extension of HM(X) with bounded existential and universal data-types (To appear at ICFP 03) Vincent Simonet INRIA Rocquencourt Cristal project Vincent.Simonet@inria.fr

More information

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of

More information

Dynamic Dependency Monitoring to Secure Information Flow

Dynamic Dependency Monitoring to Secure Information Flow Dynamic Dependency Monitoring to Secure Information Flow Paritosh Shroff Scott F. Smith Mark Thober Department of Computer Science Johns Hopkins University {pari,scott,mthober}@cs.jhu.edu Abstract Although

More information

The Curry-Howard Isomorphism

The Curry-Howard Isomorphism The Curry-Howard Isomorphism Software Formal Verification Maria João Frade Departmento de Informática Universidade do Minho 2008/2009 Maria João Frade (DI-UM) The Curry-Howard Isomorphism MFES 2008/09

More information

Theories of Programming Languages Assignment 5

Theories of Programming Languages Assignment 5 Theories of Programming Languages Assignment 5 December 17, 2012 1. Lambda-Calculus (see Fig. 1 for initions of = β, normal order evaluation and eager evaluation). (a) Let Ω = ((λx. x x) (λx. x x)), and

More information

Language-based Information Security. CS252r Spring 2012

Language-based Information Security. CS252r Spring 2012 Language-based Information Security CS252r Spring 2012 This course Survey of key concepts and hot topics in language-based information security The use of programming language abstractions and techniques

More information

Model Checking & Program Analysis

Model Checking & Program Analysis Model Checking & Program Analysis Markus Müller-Olm Dortmund University Overview Introduction Model Checking Flow Analysis Some Links between MC and FA Conclusion Apology for not giving proper credit to

More information

Categories, Proofs and Programs

Categories, Proofs and Programs Categories, Proofs and Programs Samson Abramsky and Nikos Tzevelekos Lecture 4: Curry-Howard Correspondence and Cartesian Closed Categories In A Nutshell Logic Computation 555555555555555555 5 Categories

More information

Strong normalization of a symmetric lambda calculus for second order classical logic

Strong normalization of a symmetric lambda calculus for second order classical logic Archive for Mathematical Logic manuscript No. (will be inserted by the editor) Strong normalization of a symmetric lambda calculus for second order classical logic YAMAGATA, yoriyuki e-mail: yoriyuki@ms.u-tokyo.ac.jp

More information

Type-based complexity analysis for fork processes

Type-based complexity analysis for fork processes Type-based complexity analysis for fork processes Emmanuel Hainry, Jean-Yves Marion, and Romain Péchoux Université de Lorraine and LORIA {emmanuel.hainry,jean-yves.marion,romain.pechoux}@loria.fr Abstract.

More information

Limitations of OCAML records

Limitations of OCAML records Limitations of OCAML records The record types must be declared before they are used; a label e can belong to only one record type (otherwise fun x x.e) would have several incompatible types; we cannot

More information

Realizability and Parametricity in Pure Type Systems

Realizability and Parametricity in Pure Type Systems Realizability and Parametricity in Pure Type Systems Jean-Philippe Bernardy 1 and Marc Lasson 2 1 Chalmers University of Technology and University of Gothenburg 2 ENS Lyon, Université de Lyon, LIP (UMR

More information

A Monadic Analysis of Information Flow Security with Mutable State

A Monadic Analysis of Information Flow Security with Mutable State A Monadic Analysis of Information Flow Security with Mutable State Karl Crary Aleksey Kliger Frank Pfenning July 2003 CMU-CS-03-164 School of Computer Science Carnegie Mellon University Pittsburgh, PA

More information

Towards information flow control. Chaire Informatique et sciences numériques Collège de France, cours du 30 mars 2011

Towards information flow control. Chaire Informatique et sciences numériques Collège de France, cours du 30 mars 2011 Towards information flow control Chaire Informatique et sciences numériques Collège de France, cours du 30 mars 2011 Mandatory access controls and security levels DAC vs. MAC Discretionary access control

More information

07 Equational Logic and Algebraic Reasoning

07 Equational Logic and Algebraic Reasoning CAS 701 Fall 2004 07 Equational Logic and Algebraic Reasoning Instructor: W. M. Farmer Revised: 17 November 2004 1 What is Equational Logic? Equational logic is first-order logic restricted to languages

More information

On the Correctness and Efficiency of the Krivine Machine

On the Correctness and Efficiency of the Krivine Machine On the Correctness and Efficiency of the Krivine Machine Mitchell Wand Northeastern University Daniel P. Friedman Indiana University February 12, 2003 Abstract We provide a short derivation of the Krivine

More information

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties Bernd Finkbeiner, Christopher Hahn, and Marvin Stenger Saarland Informatics Campus, Saarland University, Saarbrücken, Germany

More information

A General Technique for Analyzing Termination in Symmetric Proof Calculi

A General Technique for Analyzing Termination in Symmetric Proof Calculi A General Technique for Analyzing Termination in Symmetric Proof Calculi Daniel J. Dougherty 1, Silvia Ghilezan 2 and Pierre Lescanne 3 1 Worcester Polytechnic Institute, USA, dd@cs.wpi.edu 2 Faculty of

More information

Algorithmic Reasoning about Böhm Trees

Algorithmic Reasoning about Böhm Trees Algorithmic Reasoning about Böhm Trees Luke Ong University of Oxford (Joint with Bahareh Afshari, Matthew Hague, Graham Leigh, Steven Ramsay, and Takeshi Tsukada) IMS Workshop on Higher-Order Model Checking

More information

On Modal Logics of Partial Recursive Functions

On Modal Logics of Partial Recursive Functions arxiv:cs/0407031v1 [cs.lo] 12 Jul 2004 On Modal Logics of Partial Recursive Functions Pavel Naumov Computer Science Pennsylvania State University Middletown, PA 17057 naumov@psu.edu June 14, 2018 Abstract

More information

Models of computation

Models of computation Lambda-Calculus (I) jean-jacques.levy@inria.fr 2nd Asian-Pacific Summer School on Formal ethods Tsinghua University, August 23, 2010 Plan computation models lambda-notation bound variables odels of computation

More information

Rapporto di Ricerca CS

Rapporto di Ricerca CS UNIVERSITÀ CA FOSCARI DI VENEZIA Dipartimento di Informatica Technical Report Series in Computer Science Rapporto di Ricerca CS-2009-6 Giugno 2009 M. Centenaro, R. Focardi, F.L. Luccio, G. Steel Type-based

More information

Implicit Computational Complexity

Implicit Computational Complexity Implicit Computational Complexity Simone Martini Dipartimento di Scienze dell Informazione Università di Bologna Italy Bertinoro International Spring School for Graduate Studies in Computer Science, 6

More information

Realizability and Parametricty in Pure Type Systems

Realizability and Parametricty in Pure Type Systems Realizability and Parametricty in Pure Type Systems Jean-Philippe Bernardy 1 and Marc Lasson 2 1 Chalmers University of Technology and University of Gothenburg 2 ENS Lyon, Université de Lyon, LIP (UMR

More information

Automatic Generation of Polynomial Invariants for System Verification

Automatic Generation of Polynomial Invariants for System Verification Automatic Generation of Polynomial Invariants for System Verification Enric Rodríguez-Carbonell Technical University of Catalonia Talk at EPFL Nov. 2006 p.1/60 Plan of the Talk Introduction Need for program

More information

Static Program Analysis

Static Program Analysis Static Program Analysis Lecture 16: Abstract Interpretation VI (Counterexample-Guided Abstraction Refinement) Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de

More information

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples Hoare Logic I Introduction to Deductive Program Verification Işıl Dillig Program Spec Deductive verifier FOL formula Theorem prover valid contingent Example specs: safety (no crashes), absence of arithmetic

More information

Uniform Schemata for Proof Rules

Uniform Schemata for Proof Rules Uniform Schemata for Proof Rules Ulrich Berger and Tie Hou Department of omputer Science, Swansea University, UK {u.berger,cshou}@swansea.ac.uk Abstract. Motivated by the desire to facilitate the implementation

More information

The non-logical symbols determine a specific F OL language and consists of the following sets. Σ = {Σ n } n<ω

The non-logical symbols determine a specific F OL language and consists of the following sets. Σ = {Σ n } n<ω 1 Preliminaries In this chapter we first give a summary of the basic notations, terminology and results which will be used in this thesis. The treatment here is reduced to a list of definitions. For the

More information

Realizing the axiom of dependent choice

Realizing the axiom of dependent choice Realizing the axiom of dependent choice Jean-Louis Krivine PPS Group, University Paris 7, CNRS krivine@pps.jussieu.fr Edinburgh, March 26, 2003 1 The extended Curry-Howard correspondence We want to get

More information

The LCF Approach to Theorem Proving

The LCF Approach to Theorem Proving The LCF Approach to Theorem Proving 1 The LCF Approach to Theorem Proving John Harrison Intel Corporation Ideas and historical context Key ideas of LCF Equational logic example More about HOL Light Programming

More information

Modal Logic as a Basis for Distributed Computation

Modal Logic as a Basis for Distributed Computation Modal Logic as a Basis for Distributed Computation Jonathan Moody 1 jwmoody@cs.cmu.edu October 2003 CMU-CS-03-194 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 1 This material

More information

Gerwin Klein, June Andronick, Ramana Kumar S2/2016

Gerwin Klein, June Andronick, Ramana Kumar S2/2016 COMP4161: Advanced Topics in Software Verification {} Gerwin Klein, June Andronick, Ramana Kumar S2/2016 data61.csiro.au Content Intro & motivation, getting started [1] Foundations & Principles Lambda

More information

Propositions and Proofs

Propositions and Proofs Chapter 2 Propositions and Proofs The goal of this chapter is to develop the two principal notions of logic, namely propositions and proofs There is no universal agreement about the proper foundations

More information

3.2 Reduction 29. Truth. The constructor just forms the unit element,. Since there is no destructor, there is no reduction rule.

3.2 Reduction 29. Truth. The constructor just forms the unit element,. Since there is no destructor, there is no reduction rule. 32 Reduction 29 32 Reduction In the preceding section, we have introduced the assignment of proof terms to natural deductions If proofs are programs then we need to explain how proofs are to be executed,

More information

On the computational soundness of cryptographically masked flows

On the computational soundness of cryptographically masked flows On the computational soundness of cryptographically masked flows Peeter Laud peeter.laud@ut.ee http://www.ut.ee/ peeter l Tartu University & Cybernetica AS & Institute of Cybernetics Mobius annual meeting,

More information

A Graph Rewriting Semantics for the Polyadic π-calculus

A Graph Rewriting Semantics for the Polyadic π-calculus A Graph Rewriting Semantics for the Polyadic π-calculus BARBARA KÖNIG Fakultät für Informatik, Technische Universität München Abstract We give a hypergraph rewriting semantics for the polyadic π-calculus,

More information

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either Introduction to Temporal Logic The purpose of temporal logics is to specify properties of dynamic systems. These can be either Desired properites. Often liveness properties like In every infinite run action

More information

Type Soundness for Path Polymorphism

Type Soundness for Path Polymorphism Type Soundness for Path Polymorphism Andrés Ezequiel Viso 1,2 joint work with Eduardo Bonelli 1,3 and Mauricio Ayala-Rincón 4 1 CONICET, Argentina 2 Departamento de Computación, FCEyN, UBA, Argentina 3

More information

Higher-Order Abstract Non-Interference

Higher-Order Abstract Non-Interference Higher-Order Abstract Non-Interference Damiano Zanardini Dipartimento di Informatica, Università di Verona Strada Le Grazie 15, I-37134 Verona, Italy zanardini@sci.univr.it Abstract. This work proposes

More information

Formal Methods Lecture 6. (B. Pierce's slides for the book Types and Programming Languages )

Formal Methods Lecture 6. (B. Pierce's slides for the book Types and Programming Languages ) Formal Methods Lecture 6 (B. Pierce's slides for the book Types and Programming Languages ) This Saturday, 10 November 2018, room 335 (FSEGA), we will recover the following activities: 1 Formal Methods

More information

Forcing-based cut-elimination for Gentzen-style intuitionistic sequent calculus

Forcing-based cut-elimination for Gentzen-style intuitionistic sequent calculus Forcing-based cut-elimination for Gentzen-style intuitionistic sequent calculus Hugo Herbelin 1 and Gyesik Lee 2 1 INRIA & PPS, Paris Université 7 Paris, France Hugo.Herbelin@inria.fr 2 ROSAEC center,

More information

Computational Logic and the Quest for Greater Automation

Computational Logic and the Quest for Greater Automation Computational Logic and the Quest for Greater Automation Lawrence C Paulson, Distinguished Affiliated Professor for Logic in Informatics Technische Universität München (and Computer Laboratory, University

More information

Rules and derivations in an elementary logic course arxiv: v1 [cs.lo] 7 Jan 2016

Rules and derivations in an elementary logic course arxiv: v1 [cs.lo] 7 Jan 2016 Rules and derivations in an elementary logic course arxiv:160101483v1 [cslo] 7 Jan 2016 Gilles Dowek Inria, 23 avenue d Italie, CS 81321, 75214 Paris Cedex 13, France gillesdowek@inriafr When teaching

More information

HORSes: format, termination and confluence

HORSes: format, termination and confluence HORSes: format, termination and confluence Jean-Pierre Jouannaud INRIA-LIAMA and singhua Software Chair Joint on-going work with Jianqi Li School of Software, singhua University Project CoqLF NList Cross-discipline

More information

On the Correctness of the Krivine Machine

On the Correctness of the Krivine Machine On the Correctness of the Krivine Machine Mitchell Wand Northeastern University 2003-10-03 15:55:00 wand October 3, 2003 Abstract We provide a short proof of the correctness of the Krivine machine by showing

More information

Introduction to lambda calculus Part 6

Introduction to lambda calculus Part 6 Introduction to lambda calculus Part 6 Antti-Juhani Kaijanaho 2017-02-16 1 Untyped lambda calculus 2 Typed lambda calculi 2.1 Dynamically typed lambda calculus with integers 2.2 A model of Lisp 2.3 Simply

More information

Introduction to dependent type theory. CIRM, May 30

Introduction to dependent type theory. CIRM, May 30 CIRM, May 30 Goals of this presentation Some history and motivations Notations used in type theory Main goal: the statement of main properties of equality type and the univalence axiom First talk P ropositions

More information

CMSC 336: Type Systems for Programming Languages Lecture 10: Polymorphism Acar & Ahmed 19 February 2008

CMSC 336: Type Systems for Programming Languages Lecture 10: Polymorphism Acar & Ahmed 19 February 2008 CMSC 336: Type Systems for Programming Languages Lecture 10: Polymorphism Acar & Ahmed 19 February 2008 Contents 1 Polymorphism 1 2 Polymorphic λ-calculus: Syntax 1 3 Static Semantics 2 4 Dynamic Semantics

More information

Operational Semantics

Operational Semantics Operational Semantics Semantics and applications to verification Xavier Rival École Normale Supérieure Xavier Rival Operational Semantics 1 / 50 Program of this first lecture Operational semantics Mathematical

More information

Lambda-Calculus (I) 2nd Asian-Pacific Summer School on Formal Methods Tsinghua University, August 23, 2010

Lambda-Calculus (I) 2nd Asian-Pacific Summer School on Formal Methods Tsinghua University, August 23, 2010 Lambda-Calculus (I) jean-jacques.levy@inria.fr 2nd Asian-Pacific Summer School on Formal Methods Tsinghua University, August 23, 2010 Plan computation models lambda-notation bound variables conversion

More information

A simple proof that super-consistency implies cut elimination

A simple proof that super-consistency implies cut elimination A simple proof that super-consistency implies cut elimination Gilles Dowek 1 and Olivier Hermant 2 1 École polytechnique and INRIA, LIX, École polytechnique, 91128 Palaiseau Cedex, France gilles.dowek@polytechnique.edu

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback