CLF: A Concurrent Logical Framework
David Walker, Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

Dec 18, 2015
Page 1: CLF: A Concurrent Logical Framework

David Walker, Princeton
(with I. Cervesato, F. Pfenning, K. Watkins)

Page 2: Outline

- What is a logical framework?
- Logical frameworks & security
- CLF: a concurrent logical framework

Page 3: Logical Frameworks

A logical framework is a meta-language for representing deductive systems. Sample deductive systems:

- logics of all kinds: first-order logic, higher-order logic, temporal logic, ...
- programming languages: ML, lambda calculus, pi calculus
- specification languages: set theory, type theory, multi-set rewriting, ...
- compilers: translations between languages or logics

Page 4: Logical Frameworks

The slide shows a tower of representation levels, each level representing the one below it:

  level                    examples                            role
  meta-logical frameworks  Twelf, Nuprl, HOL, ...              represent properties of logics
  logical frameworks       Automath, Nuprl, HOL, LF, ...       represent logics
  logics                   FOL, linear logic, temporal logic   represent proofs
  proofs                   (A and B) => C

Page 5: Logical Frameworks

The same tower, with programming languages in place of logics:

  level                    examples                            role
  meta-logical frameworks  Twelf, Nuprl, HOL, ...              represent properties of programming langs
  logical frameworks       Automath, Nuprl, HOL, LF, ...       represent programming langs
  programming languages    C, ML, Java, lambda calculus        represent programs
  programs                 if (n > 17) {...}

Page 6: Tasks for Logical Frameworks

- Represent syntax: of a logic; of a programming language
- Represent valid rules of inference: inference rules of a logic (modus ponens, law of the excluded middle); typing rules and operational rules of a language
- Represent valid deductions: valid proofs; well-typed programs, valid executions

Page 7: Outline

- What is a logical framework?
- Logical frameworks & security
- CLF: a concurrent logical framework

Page 8: Application I: proof-carrying X

Proof-carrying code [Necula, Lee]
- Attach a proof of some safety property to mobile code
- Represent and check the proof in LF

Proof-carrying authentication [Appel, Felten]
- Attach a proof of access rights to a database query or service request
- Represent and check the proof in LF

Page 9: Application II: Mechanical Reasoning

Increase our confidence in system properties through the following process:

1. Represent the algorithm or deductive system
2. Prove adequacy of the representation
3. Prove security properties within the framework

LF is normally small, simple and trustworthy; e.g. LF has two type constructors. Appel et al.: 100k lines of LF, 0 soundness bugs.

Step 2 is the least trustworthy.

Page 10: Application II: Mechanical Reasoning

Authentication protocols
- Extremely difficult to get correct
- Highly concurrent
- Errors are costly
- Many different specification languages: informal notation, security logics, MSR, spi calculus, ...
- Represent protocols, languages & their properties/relationships in a logical framework

Page 11: Outline

- What is a logical framework?
- Logical frameworks & security
- CLF: a concurrent logical framework

Page 12: Logical framework design

Logical framework design resembles programming language design.

Simple logical frameworks are like simple programming languages:
- few features = simple, trustworthy implementation, but limited expressiveness
- expressive enough in principle, but awkward and unmanageable in practice
- adequacy may be unclear and difficult to prove

Page 13: The LF family of Logical Frameworks

Automath [De Bruijn], LF [Harper et al.]
- Dependent types, intuitionistic functions
- Represents pure PL, logics
- Higher-order abstract syntax

Linear LF [Cervesato, Pfenning]
- LF + linear functions, additive pairs
- Represents state, effectful programming paradigms
- Resource-conscious logics

Page 14: Concurrent LF (CLF)

Linear LF + a concurrency monad
- The monad encapsulates a concurrent computation
- Represents concurrent programming paradigms: MSR specifications of security protocols, pi-calculus, CML, Petri nets

Page 15: CLF types

Linear LF types + a concurrency monad. The types S under the monad represent the state of a concurrent computation.

  A,B ::= a | Πx:A.B | A -o B | T | A & B | {S}
  S   ::= A | 1 | S1 ⊗ S2 | ∃x:A.S | !A

Page 16: Pure CLF terms

Pure Linear LF terms + concurrent computations. A monad encapsulates computations within the pure language.

  pure terms M,N ::= c | λx:A.M | M N | ... | {E}

Page 17: Effectful CLF computations

- A computation E processes the ambient state
- A let expression represents a step in a computation
- Patterns p introduce new state

  computations E ::= let {p} = M in E | F
  patterns     p ::= x:A | 1 | p1 ⊗ p2 | x:A.p | !x
  states       F ::= M | 1 | F1 ⊗ F2 | [M,F] | !M

Page 18: Example

CLF signature:

  key : type.
  msg : type.
  encrypt : key -> msg -> msg.
  wire : msg -> type.
  send : ΠM:msg. {wire M}.
  rec : ΠM:msg. wire M -o {1}.

Valid computation:

  {
    let {m:wire M} = send M in
    let {m':wire M'} = send M' in
    let {1} = rec M' m' in
    let {1} = rec M m in
    ...
  }

Page 19: Concurrency equations

LF and related dependent type theories provide a notion of definitional equality: when M ≡ N, the framework cannot distinguish M and N.

We extend the LF equality so that the framework cannot distinguish the order of independent computation steps:

  let {p} = M in let {p'} = M' in E  ≡  let {p'} = M' in let {p} = M in E

  (provided M and M' do not contain variables bound in p or p')

Page 20: Example

Valid computation:

  {
    let {m:wire M} = send M in
    let {1} = rec M m in
    let {m':wire M'} = send M' in
    let {1} = rec M' m' in
    ...
  }

Equivalent computation:

  {
    let {m:wire M} = send M in
    let {m':wire M'} = send M' in
    let {1} = rec M' m' in
    let {1} = rec M m in
    ...
  }
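As an added illustration (not code from the slides or from the CLF papers), the following Python decides whether two monadic computations like the two above are equal under the concurrency equation: it parses the let-steps in a toy syntax shaped like the slides', treats two steps as dependent exactly when one term mentions a variable bound by the other's pattern, and accepts a reordering only if every dependent pair keeps its relative order. It assumes only linear patterns x:A and the unit pattern 1, and ignores the tail state F (the "...").

```python
import re
from dataclasses import dataclass

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_']*")
LET = re.compile(r"let\s*\{([^}]*)\}\s*=\s*(.+?)\s*\bin\b")


@dataclass(frozen=True)
class Step:
    """One `let {p} = M in` step: the variables bound by p and the term M."""
    binds: frozenset
    term: str

    def uses(self):
        return frozenset(IDENT.findall(self.term))


def parse_computation(src):
    """Read the let-steps of a computation written in the slides' toy syntax."""
    steps = []
    for pat, term in LET.findall(src):
        # a linear pattern x:A (possibly tensored with ⊗) binds x; the unit pattern 1 binds nothing
        binds = frozenset(v.split(":")[0].strip() for v in pat.split("⊗") if ":" in v)
        steps.append(Step(binds, term.strip()))
    return steps


def independent(s, t):
    """Side condition of the concurrency equation: neither term mentions a variable the other binds."""
    return not (s.uses() & t.binds) and not (t.uses() & s.binds)


def well_scoped(steps):
    """A step may only use a pattern variable that an earlier step has already bound."""
    pattern_vars = frozenset().union(*(s.binds for s in steps))
    bound = set()
    for s in steps:
        if (s.uses() & pattern_vars) - bound:
            return False
        bound |= s.binds
    return True


def equivalent(a, b):
    """True iff b arises from a by swapping adjacent independent steps: same steps,
    and every dependent pair keeps its relative order (trace equivalence)."""
    if len(a) != len(b) or set(a) != set(b):
        return False
    pos = {s: i for i, s in enumerate(b)}
    return all(pos[a[i]] < pos[a[j]]
               for i in range(len(a)) for j in range(i + 1, len(a))
               if not independent(a[i], a[j]))


# Constructed inputs: the two computations of the slide above, plus an ill-scoped reordering.
VALID = "{ let {m:wire M} = send M in let {1} = rec M m in let {m':wire M'} = send M' in let {1} = rec M' m' in ... }"
REORDERED = "{ let {m:wire M} = send M in let {m':wire M'} = send M' in let {1} = rec M' m' in let {1} = rec M m in ... }"
BAD = "{ let {1} = rec M m in let {m:wire M} = send M in let {m':wire M'} = send M' in let {1} = rec M' m' in ... }"
```

Because M and M' are free (never bound by a pattern), the two send steps and the two rec steps are independent of each other, so only each send must precede its own rec.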

Page 21: Results

Definition and meta-theory of CLF
- A new presentation of LF dependent type theory based on canonical forms
- Decidability of type checking

Examples and applications
- Representation of Petri nets, synchronous and asynchronous pi-calculus, with proofs of adequacy
- Novel, modular representation of CML in CLF
- Representation of MSR & examples

Page 22: Further reading

Cervesato, Pfenning, Walker, Watkins. A concurrent logical framework. January 2002 (submitted).

Forthcoming technical reports:
- Watkins et al. A concurrent logical framework I: Judgments and properties.
- Cervesato et al. A concurrent logical framework II: Examples and applications.

Page 23: Future work

Implementation and logic programming
- Operational semantics for CLF
- Represent, check and execute concurrent computations

Meta-logical reasoning about concurrent computations
- Properties of concurrent computations, bisimulation
- Automatic proof search

Page 24: Conclusions

- The study of logical frameworks is an important aspect of the development of secure and reliable systems
- CLF enables concise and adequate representations of concurrent languages