Proof-Carrying Code in a Session-Typed Process Calculus

Transcription

1 Proof-Carrying Code in a Session-Typed Process Calculus Frank Pfenning with Luís Caires and Bernardo Toninho Department of Computer Science Carnegie Mellon University 1st International Conference on Certified Programs and Proofs (CPP) December 7, / 33

2 Why do we trust software? 2 / 33

3 Why do we trust software? We don t! 2 / 33

4 Why do we trust software? We don t! To the extent that we do, we rely on: 2 / 33

5 Why do we trust software? We don t! To the extent that we do, we rely on: Digital signatures (state-of-the-practice) Formal proof (state-of-the-art) 2 / 33

6 Why do we trust software? We don t! To the extent that we do, we rely on: Digital signatures (state-of-the-practice) Formal proof (state-of-the-art) Can we combine digital signatures and proofs? 2 / 33

7 Why do we trust software? We don t! To the extent that we do, we rely on: Digital signatures (state-of-the-practice) Formal proof (state-of-the-art) Can we combine digital signatures and proofs? Digital signatures are here to stay Proofs are here to stay 2 / 33

8 System Modeling and Security Properties 3 / 33

9 System Modeling and Security Properties Communicating processes 3 / 33

10 System Modeling and Security Properties Communicating processes Name-passing (mobile) Value-passing (applied) Proof-passing (proof-carrying) 3 / 33

11 System Modeling and Security Properties Communicating processes Name-passing (mobile) Value-passing (applied) Proof-passing (proof-carrying) Reason about process behavior 3 / 33

12 System Modeling and Security Properties Communicating processes Name-passing (mobile) Value-passing (applied) Proof-passing (proof-carrying) Reason about process behavior Deadlock-freedom Session fidelity Termination 3 / 33

13 System Modeling and Security Properties Communicating processes Name-passing (mobile) Value-passing (applied) Proof-passing (proof-carrying) Reason about process behavior Deadlock-freedom Session fidelity Termination Reason about values and proofs 3 / 33

14 System Modeling and Security Properties Communicating processes Name-passing (mobile) Value-passing (applied) Proof-passing (proof-carrying) Reason about process behavior Deadlock-freedom Session fidelity Termination Reason about values and proofs Types Correctness of proofs Validity of signatures 3 / 33

15 Approach 4 / 33

16 Approach Communicating processes 4 / 33

17 Approach Communicating processes Value-passing extension of π-calculus 4 / 33

18 Approach Communicating processes Value-passing extension of π-calculus Reason about process behavior [CONCUR 10] 4 / 33

19 Approach Communicating processes Value-passing extension of π-calculus Reason about process behavior [CONCUR 10] Session types Curry-Howard isomorphism between Intuitionistic linear propositions and session types Sequent proofs and π-calculus processes Proof reduction and process reduction 4 / 33

20 Approach Communicating processes Value-passing extension of π-calculus Reason about process behavior [CONCUR 10] Session types Curry-Howard isomorphism between Intuitionistic linear propositions and session types Sequent proofs and π-calculus processes Proof reduction and process reduction Reason about values and proofs 4 / 33

21 Approach Communicating processes Value-passing extension of π-calculus Reason about process behavior [CONCUR 10] Session types Curry-Howard isomorphism between Intuitionistic linear propositions and session types Sequent proofs and π-calculus processes Proof reduction and process reduction Reason about values and proofs Dependent session types [PPDP 11] Terms and proofs from dependent type theory Add proof irrelevance (to avoid sending proofs) Add affirmation (to capture digital signatures) 4 / 33

22 Outline 1 Session types for π-calculus 2 Dependent session types 3 Proof irrelevance 4 Affirmation and digital signatures 5 Conclusion 5 / 33

23 Session types: judgment forms Judgment P :: x : A Process P offers service A along channel x Linear sequent P uses x i :A i and offers x:a. Cut as composition x 1 :A 1,..., x n :A }{{} n P :: x : A A, A C, C cut Identity as forwarding A A id 6 / 33

24 Session types: judgment forms Judgment P :: x : A Process P offers service A along channel x Linear sequent P uses x i :A i and offers x:a. Cut as composition x 1 :A 1,..., x n :A }{{} n P :: x : A x : A, x:a z : C, z : C cut Identity as forwarding A A id 6 / 33

25 Session types: judgment forms Judgment P :: x : A Process P offers service A along channel x Linear sequent P uses x i :A i and offers x:a. Cut as composition x 1 :A 1,..., x n :A }{{} n P :: x : A P :: x : A, x:a Q :: z : C, (νx)(p Q) :: z : C cut Identity as forwarding A A id 6 / 33

26 Session types: judgment forms Judgment P :: x : A Process P offers service A along channel x Linear sequent P uses x i :A i and offers x:a. Cut as composition x 1 :A 1,..., x n :A }{{} n P :: x : A P :: x : A, x:a Q :: z : C, (νx)(p Q) :: z : C cut Identity as forwarding x:a z : A id 6 / 33

27 Session types: judgment forms Judgment P :: x : A Process P offers service A along channel x Linear sequent P uses x i :A i and offers x:a. Cut as composition x 1 :A 1,..., x n :A }{{} n P :: x : A P :: x : A, x:a Q :: z : C, (νx)(p Q) :: z : C cut Identity as forwarding x:a [x z] :: z : A id 6 / 33

28 Session types: input (A B) P :: x : A B P inputs an A along x and then behaves as B Right rule: offer of service, A B A B R Can reuse x, due to linearity Left rule: matching use of service A, B C,, A B C L Can reuse x, due to linearity Channel y must be new 7 / 33

29 Session types: input (A B) P :: x : A B P inputs an A along x and then behaves as B Right rule: offer of service, y:a x : B x : A B R Can reuse x, due to linearity Left rule: matching use of service A, B C,, A B C L Can reuse x, due to linearity Channel y must be new 7 / 33

30 Session types: input (A B) P :: x : A B P inputs an A along x and then behaves as B Right rule: offer of service, y:a P :: x : B x(y).p :: x : A B R Can reuse x, due to linearity Left rule: matching use of service A, B C,, A B C L Can reuse x, due to linearity Channel y must be new 7 / 33

31 Session types: input (A B) P :: x : A B P inputs an A along x and then behaves as B Right rule: offer of service, y:a P :: x : B x(y).p :: x : A B R Can reuse x, due to linearity Left rule: matching use of service y : A, x:b z : C,, x:a B z : C L Can reuse x, due to linearity Channel y must be new 7 / 33

32 Session types: input (A B) P :: x : A B P inputs an A along x and then behaves as B Right rule: offer of service, y:a P :: x : B x(y).p :: x : A B R Can reuse x, due to linearity Left rule: matching use of service P :: y : A, x:b Q :: z : C,, x:a B (νy)x y.(p Q) :: z : C L Can reuse x, due to linearity Channel y must be new 7 / 33

33 Session types: reduction Proof reduction, A B A B R 1 A 2, B C 1, 2, A B C 1 A, 1, 2 C, A B, 1 B cut, 1, 2 C Corresponding process reduction 2, B C L, 1, 2 (νx)(x(y).p 1 (νw)(x w.(p 2 Q))) :: z : C cut cut, 1, 2 (νx)((νw)(p 2 P 1 {w/y}) Q) :: z : C 8 / 33

34 Session types: other connectives Linear propositions as session types P :: x : A B P :: x : A B P :: x : 1 P :: x : A & B P :: x : A B P :: x :!A Input a y:a along x and behave as B Output a new y:a along x and behave as B Terminate session on x Offer choice between A and B along x Offer either A or B along x Offer A persistently along x Sequent proofs as process expressions Proof reduction as process reduction 9 / 33

35 Two small examples PDF indexing service, version 1 index 1 :!(file file 1) Persistently offer to input a file, then output a file and terminate session. Intent: input PDF, output indexed PDF for keyword search. Persistent file storage store 1 :!(file!(file 1)) Persistently offer to input a file, then output a persistent handle for retrieving this file. Intent: output file is the same as input file. 10 / 33

36 Outline 1 Session types for π-calculus 2 Dependent session types 3 Proof irrelevance 4 Affirmation and digital signatures 5 Conclusion 11 / 33

37 Term passing Types τ from a (dependent) type theory Hypothetical judgment x 1 :τ 1,..., x k :τ }{{} k M : τ Ψ Some example type constructors Πx:τ.σ, τ σ Σx:τ.σ, τ σ nat Functions from τ to σ Pairs of a τ and a σ Natural numbers Integrate into sequent calculus Ψ }{{} ; Γ }{{} ; }{{} term variables persistent channels linear channels P :: x : A }{{} linear 12 / 33

38 Term passing: input ( y:τ.a) P :: x : y:τa P inputs an M : τ along x and then behaves as A{M/x} Right rule: offer of service Ψ, y:τ ; Γ ; A Ψ ; Γ ; y:τ.a R Left rule: matching use of service Ψ M : τ Ψ ; Γ ;, A{M/y} C Ψ ; Γ ;, y:τ.a C L Proof reduction yields 13 / 33

39 Term passing: input ( y:τ.a) P :: x : y:τa P inputs an M : τ along x and then behaves as A{M/x} Right rule: offer of service Ψ, y:τ ; Γ ; x : A Ψ ; Γ ; x : y:τ.a R Left rule: matching use of service Ψ M : τ Ψ ; Γ ;, A{M/y} C Ψ ; Γ ;, y:τ.a C L Proof reduction yields 13 / 33

40 Term passing: input ( y:τ.a) P :: x : y:τa P inputs an M : τ along x and then behaves as A{M/x} Right rule: offer of service Ψ, y:τ ; Γ ; P :: x : A Ψ ; Γ ; x(y).p :: x : y:τ.a R Left rule: matching use of service Ψ M : τ Ψ ; Γ ;, A{M/y} C Ψ ; Γ ;, y:τ.a C L Proof reduction yields 13 / 33

41 Term passing: input ( y:τ.a) P :: x : y:τa P inputs an M : τ along x and then behaves as A{M/x} Right rule: offer of service Ψ, y:τ ; Γ ; P :: x : A Ψ ; Γ ; x(y).p :: x : y:τ.a R Left rule: matching use of service Ψ M : τ Ψ ; Γ ;, x:a{m/y} z : C Ψ ; Γ ;, x: y:τ.a z : C L Proof reduction yields 13 / 33

42 Term passing: input ( y:τ.a) P :: x : y:τa P inputs an M : τ along x and then behaves as A{M/x} Right rule: offer of service Ψ, y:τ ; Γ ; P :: x : A Ψ ; Γ ; x(y).p :: x : y:τ.a R Left rule: matching use of service Ψ M : τ Ψ ; Γ ;, x:a{m/y} Q :: z : C Ψ ; Γ ;, x: y:τ.a x M.Q :: z : C L Proof reduction yields 13 / 33

43 Term passing: input ( y:τ.a) P :: x : y:τa P inputs an M : τ along x and then behaves as A{M/x} Right rule: offer of service Ψ, y:τ ; Γ ; P :: x : A Ψ ; Γ ; x(y).p :: x : y:τ.a R Left rule: matching use of service Ψ M : τ Ψ ; Γ ;, x:a{m/y} Q :: z : C Ψ ; Γ ;, x: y:τ.a x M.Q :: z : C L Proof reduction yields (νx)(x(y).p x M.Q) 13 / 33

44 Term passing: input ( y:τ.a) P :: x : y:τa P inputs an M : τ along x and then behaves as A{M/x} Right rule: offer of service Ψ, y:τ ; Γ ; P :: x : A Ψ ; Γ ; x(y).p :: x : y:τ.a R Left rule: matching use of service Ψ M : τ Ψ ; Γ ;, x:a{m/y} Q :: z : C Ψ ; Γ ;, x: y:τ.a x M.Q :: z : C L Proof reduction yields (νx)(x(y).p x M.Q) (νx)(p{m/y} Q) 13 / 33

45 Term passing: other connectives Quantified proposition as dependent session types x : y:τ.a x : $τ A x : y:τ.a x : $τ A Input an M : A along x and behave as A{M/y} Input an M : A along x and behave as A Output an M : A along x and behave as A{M/y} Output an M : A along x and behave as A $τ A as shorthand for y:τ.a if y not free in A $τ A as shorthand for y:τ.a if y not free in A We will omit the $ for readability 14 / 33

46 Examples, carrying proofs PDF indexing service index 1 :!(file file 1) index 2 :!( f :file. pdf(f ) g:file. pdf(g) 1) Persistently offer to input a file f, a proof that f is in PDF format, then output a PDF file g, and a proof that g is in PDF format and terminate the session. Persistent file storage store 1 :!(file!(file 1)) store 2 :!( f :file.! g:file. g. = f 1) Persistently offer to input a file, then output a persistent channel for retrieving this file and a proof that the two are equal. 15 / 33

47 Outline 1 Session types for π-calculus 2 Dependent session types 3 Proof irrelevance 4 Affirmation and digital signatures 5 Conclusion 16 / 33

48 Proof irrelevance In many examples, we want to know that proofs exist, but we do not want to transmit them We can easily check pdf(g) when using the indexing service The proof of g. = f (by reflexivity) would not be informative Use proof irrelevance in type theory M : [τ] M is a term of type τ that is computationally irrelevant 17 / 33

49 Proof irrelevance: rules Introduction and elimination Ψ M : τ Ψ [M] : [τ] []I Ψ M : [τ] Ψ, x τ N : σ Ψ let [x] = M in N : σ Ψ promotes hypotheses x τ to x:τ In examples, may use pattern matching instead of let By agreement, terms [M] will be erased before transmission Typing guarantees this can be done consistently []E 18 / 33

50 Examples with proof irrelevance Mark proofs as computationally irrelevant PDF indexing service index 2 :!( f :file. pdf(f ) g:file. pdf(g) 1) index 3 :!( f :file. [pdf(f )] g:file. [pdf(g)] 1) Persistent file storage store 2 :!( f :file.! g:file. g =. f 1) store 3 :!( f :file.! g:file. [g =. f ] 1) After erasure, communication can be optimized further 19 / 33

51 Examples: affirming the existence of proofs In the PDF indexing example, we may want to have some evidence that g and f agree. index 4 :!( f :file. [pdf(f )] g:file. [pdf(g)] [agree(g, f )] 1) agree(g, f ) if g and f differ at most in the index Since no proof is transmitted, client may require indexer X s explicit affirmation (= digital signature)! Similarly, in the persistent file storage example 20 / 33

52 Outline 1 Session types for π-calculus 2 Dependent session types 3 Proof irrelevance 4 Affirmation and digital signatures 5 Conclusion 21 / 33

53 Affirmation Judgment M : K τ Principal K affirms property τ due to evidence M. Ψ M : τ Ψ M:τ K : K τ (affirms) Internalize judgment as proposition K τ Ψ M : K τ Ψ M : K τ I Ψ M : K τ Ψ, x:τ N : K σ Ψ let x:τ K = M in N : K σ E Note same principal K in premises and conclusion of E M:τ K can be realized by K s signature on M:τ Assume some public key infrastructure K is a K-indexed family of strong monads 22 / 33

54 Examples: affirmations PDF indexing service, with indexer X index 5 :!( f :file. [pdf(f )] g:file. [pdf(g)] X [agree(g, f )] 1) Persistent file storage, with file system Y store 4 :!( f :file.! g:file. Y [g. = f ] 1) Idiom K [τ] may transmit [ ]:τ K, a certificate, digitally signed by K affirming τ Some proof that [τ] follows from affirmations by K, according to the laws of K 23 / 33

55 Example: a PDF compression service A PDF compression service, with compressor C compress :!( f :file. [pdf(f )] g:file. [pdf(g)] C [approx(g, f )] 1) A consolidator service: indexing and compression ixc :!( f :file. [pdf(f )] g:file. [pdf(g)] X C [approx(g, f )] 1) Have to trust both X and C! 24 / 33

56 Example: consolidator implementation Specification ixc :!( f :file. [pdf(f )] g:file. [pdf(g)] X C [approx(g, f )] 1) Implementation consolidator =!ixc(a).a(f 1 ).a([p 1 ]). (νb)index b.b f 1.b [p 1 ].b(f 2 ).b([p 2 ]).b(q 2 ). (νc)compress c.c f 2.c [p 2 ].c(f 3 ).c([p 3 ]).c(q 3 ). a f 3.a [p 3 ].a comb q 2 q 3.0 Certificate types q 2 : X [agree(f 2, f 1 )] q 3 : C [approx(f 3, f 2 )] comb q 2 q 3 : C X [approx(f 3, f 1 )] 25 / 33

57 Certificate combination Certificate types Proof q 2 : X [agree(f 2, f 1 )] q 3 : C [approx(f 3, f 2 )] comb q 2 q 3 : C X [approx(f 3, f 1 )] ida : agree(f 2, f 1 ) approx(f 2, f 1 ) tra : approx(f 3, f 2 ) approx(f 2, f 1 ) approx(f 3, f 1 ) comb q 2 q 3 = let [q 3]:[approx(f 3, f 2 )] C = q 3 in let [q 2]:[agree(f 2, f 1 )] X = q 2 in [tra q 3 (ida q 2)]: X : C 26 / 33

58 Trust axioms Affirmations track aspects of provenance and info. flow Diamonds are forever In general, K τ τ Need declassification Trust axioms For specific types τ and principals K: trust K,τ : K τ τ Implementable, in general, by stripping signature Omitted proofs [τ] cannot be recovered, in general [τ] τ K [τ] τ not implementable, in general not implementable, in general 27 / 33

59 Example: mobile code For sensitive documents we want to run indexing locally Specification index 6 :!( X (Πf :file. [pdf(f )] Σg:file. [pdf(g)] [agree(g, f )]) 1) Service persistently offers a function for indexing Cannot leak information since only process layer can communicate 28 / 33

60 Example: electronic commerce Signed certificates may have external meaning Signed certificates may flow in both directions index u 7 :!( u [pay(u, X, 1)] ( f :file. [pdf(f )] g:file. [pdf(g)] X [agree(g, f )] 1)) Need to make principals more explicit? Some experience in proof-carrying authorization 29 / 33

61 Outline 1 Session types for π-calculus 2 Dependent session types 3 Proof irrelevance 4 Affirmation and digital signatures 5 Conclusion 30 / 33

62 Summary A Curry-Howard isomorphism Linear propositions as session types A B (input), A B (output), A & B (external choice) A B (internal choice),!a (replication) Sequent proofs as π-calculus processes with a binary guarded choice and channel forwarding Cut reduction as π-calculus reduction Term-passing extension with a type theory x:τ.a (term input), x:τ.a (term output) Additional type theory constructs [τ] for proof irrelevance (not transmitted) K τ for affirmations (evidenced by digital signatures) 31 / 33

63 Assessment Strong basis in logic and type theory Modular construction and extensibility Integrated computation and reasoning Uniform logical integration Proofs (implicit or explicit) Affirmations (implicit or explicit signatures) Enable gradual integration of formal proofs in current practice based on digital signatures? 32 / 33

64 Current and Future Work Practical language design and implementation Explicit spatial distribution, principals, and authorization (with Jamie Morgenstern) Interaction with databases (with João Seco and OutSystems) Reasoning about processes (with Jorge Pérez and Henry DeYoung) Observational equivalence via proof theory Towards concurrent type theory 33 / 33

65 Summary A Curry-Howard isomorphism Linear propositions as session types A B (input), A B (output), A & B (external choice) A B (internal choice),!a (replication) Sequent proofs as π-calculus processes with a binary guarded choice and channel forwarding Cut reduction as π-calculus reduction Term-passing extension with a type theory x:τ.a (term input), x:τ.a (term output) Additional type theory constructs [τ] for proof irrelevance (not transmitted) K τ for affirmations (evidenced by digital signatures) 34 / 33