CLF: A Concurrent Logical Framework
David Walker, Princeton
(with I. Cervesato, F. Pfenning, K. Watkins)
2
Outline
What is a logical framework?
Logical frameworks & security
CLF: a concurrent logical framework
3
Logical Frameworks
A logical framework is a meta-language for representing deductive systems.
Sample deductive systems:
  logics of all kinds: first-order logic, higher-order logic, temporal logic, ...
  programming languages: ML, lambda calculus, pi calculus
  specification languages: set theory, type theory, multi-set rewriting, ...
  compilers: translations between languages or logics
4
Logical Frameworks
meta-logical frameworks (Twelf, Nuprl, HOL, ...): represent properties of logics
logical frameworks (Automath, Nuprl, HOL, LF, ...): represent logics
logics (FOL, linear logic, temporal logic): represent proofs
proofs: (A and B) => C
5
Logical Frameworks
meta-logical frameworks (Twelf, Nuprl, HOL, ...): represent properties of programming languages
logical frameworks (Automath, Nuprl, HOL, LF, ...): represent programming languages
programming languages (C, ML, Java, lambda calculus): represent programs
programs: if (n > 17) {...}
6
Tasks for Logical Frameworks
Represent syntax
  of a logic
  of a programming language
Represent valid rules of inference
  inference rules of a logic (modus ponens, law of the excluded middle)
  typing rules, operational rules of a language
Represent valid deductions
  valid proofs
  well-typed programs, valid executions
7
Outline
What is a logical framework?
Logical frameworks & security
CLF: a concurrent logical framework
8
Application I: proof-carrying X
Proof-carrying code [Necula, Lee]
  Attach a proof of some safety property to mobile code
  Represent and check the proof in LF
Proof-carrying authentication [Appel, Felten]
  Attach a proof of access rights to a database query or service request
  Represent and check the proof in LF
9
Application II: Mechanical Reasoning
Increase our confidence in system properties through the following process:
1. Represent the algorithm or deductive system
2. Prove adequacy of the representation
3. Prove security properties within the framework
LF is normally small, simple and trustworthy (eg: LF has two type constructors; Appel et al.: 100k lines of LF, 0 soundness bugs)
Step 2 is the least trustworthy
10
Application II: Mechanical Reasoning
Authentication protocols
  Extremely difficult to get correct
  Highly concurrent
  Errors are costly
Many different specification languages: informal notation, security logics, MSR, spi calculus, ...
Represent protocols, languages & their properties/relationships in a logical framework
11
Outline
What is a logical framework?
Logical frameworks & security
CLF: a concurrent logical framework
12
Logical framework design
Logical framework design resembles programming language design.
Simple logical frameworks are like simple programming languages:
  few features = simple, trustworthy implementation, but limited expressiveness
  expressive enough in principle, but awkward and unmanageable in practice
  adequacy may be unclear and difficult to prove
13
The LF family of Logical Frameworks
Automath [De Bruijn], LF [Harper et al.]
  Dependent types, intuitionistic functions
  Represents pure PL, logics
  Higher-order abstract syntax
Linear LF [Cervesato, Pfenning]
  LF + linear functions, additive pairs
  Represents state, effectful programming paradigms
  Resource-conscious logics
14
Concurrent LF (CLF)
Linear LF + a concurrency monad
  The monad encapsulates a concurrent computation
  Represents concurrent programming paradigms: MSR specifications of security protocols, pi-calculus, CML, Petri nets
15
CLF types
Linear LF types + the concurrency monad {S}
The monadic types S represent the state of a concurrent computation
A,B ::= a | Πx:A.B | A -o B | T | A & B | {S}
S ::= A | 1 | S1 ⊗ S2 | ∃x:A.S | !A
16
Pure CLF terms
Pure Linear LF terms + concurrent computations {E}
The monad encapsulates computations within the pure language
pure terms M,N ::= c | λx:A.M | M N | ... | {E}
17
Effectful CLF computations
A computation E processes the ambient state
A let expression represents one step in a computation
Patterns p introduce new state
computations E ::= let {p} = M in E | F
patterns p ::= x:A | 1 | p1 ⊗ p2 | ∃x:A.p | !x
states F ::= M | 1 | F1 ⊗ F2 | [M,F] | !M
18
Example
CLF signature:
key : type.
msg : type.
encrypt : key -> msg -> msg.
wire : msg -> type.
send : ΠM:msg. {wire M}.
rec : ΠM:msg. wire M -o {1}.
Valid computation:
{
  let {m:wire M} = send M in
  let {m':wire M'} = send M' in
  let {1} = rec M' m' in
  let {1} = rec M m in
  ...
}
19
Concurrency equations
LF and related dependent type theories provide a notion of definitional equality: when M ≡ N, the framework cannot distinguish M and N.
We extend the LF equality so that the framework cannot distinguish the order of independent computation steps:
let {p} = M in let {p'} = M' in E  ≡  let {p'} = M' in let {p} = M in E
(provided M and M' do not contain the variables bound in p and p')
20
Example
Valid computation:
{
  let {m:wire M} = send M in
  let {1} = rec M m in
  let {m':wire M'} = send M' in
  let {1} = rec M' m' in
  ...
}
Equivalent computation:
{
  let {m:wire M} = send M in
  let {m':wire M'} = send M' in
  let {1} = rec M' m' in
  let {1} = rec M m in
  ...
}
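The two computations above, replayed by a small checker. This is an added example, not code from the slides or from the CLF implementation: it models a computation as a list of let-steps, each recording the linear variables its pattern binds (a message put on the wire) and the ones its right-hand side consumes (a message received). Linear typing is approximated by requiring every resource to be consumed exactly once, and the concurrency equation by allowing adjacent steps to swap when neither mentions a variable bound by the other. The step labels and variable names (m, m') are taken from the slides; the function names are illustrative.

```python
"""Toy checker for CLF-style concurrent computations (added example).

A computation `let {p1} = M1 in let {p2} = M2 in ...` is a list of Steps.
Names here are illustrative; this is not the CLF implementation.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    label: str            # right-hand side term, used only in messages
    binds: tuple = ()     # linear variables the pattern introduces, e.g. m : wire M
    consumes: tuple = ()  # linear variables the right-hand side uses up, e.g. m in `rec M m`


def run(steps):
    """Replay the computation against a linear state.

    Returns the resources left over at the end.  Raises ValueError when a
    step consumes a resource that is absent (never sent, or already received)
    or rebinds a name that is still live: both are rejected by CLF's linear
    typing, which is what stops a message on the wire being received twice.
    """
    state = set()
    for s in steps:
        for v in s.consumes:
            if v not in state:
                raise ValueError(f"{s.label}: resource {v!r} is not available")
            state.remove(v)
        for v in s.binds:
            if v in state:
                raise ValueError(f"{s.label}: resource {v!r} is already live")
            state.add(v)
    return frozenset(state)


def independent(s, t):
    """The concurrency equation lets two adjacent steps swap exactly when
    neither uses a variable bound by the other's pattern (and they do not
    compete for the same resource or bind the same name)."""
    return (
        not set(s.binds) & set(t.consumes)
        and not set(t.binds) & set(s.consumes)
        and not set(s.consumes) & set(t.consumes)
        and not set(s.binds) & set(t.binds)
    )


def equivalent(e1, e2):
    """Two valid computations are equal modulo the concurrency equation iff
    they contain the same steps and every pair of dependent steps appears in
    the same order; independent steps may be permuted freely."""
    if Counter(e1) != Counter(e2) or len(set(e1)) != len(e1):
        return False
    run(e1)  # both must be well-formed linear computations
    run(e2)
    pos = {s: i for i, s in enumerate(e2)}
    for i, s in enumerate(e1):
        for t in e1[i + 1:]:
            if not independent(s, t) and pos[s] > pos[t]:
                return False
    return True


def canonical(steps):
    """A normal form: repeatedly emit the alphabetically-first step whose
    dependencies are all done.  Equivalent computations share a normal form,
    so a framework can compare them without caring about the interleaving."""
    run(steps)
    remaining = list(steps)  # keeps the original relative order
    out = []
    while remaining:
        ready = [s for i, s in enumerate(remaining)
                 if all(independent(t, s) for t in remaining[:i])]
        s = min(ready, key=lambda x: x.label)
        out.append(s)
        remaining.remove(s)
    return out


# Constructed data: the steps of the two computations on the slides.
SEND_M = Step("send M", binds=("m",))
SEND_M2 = Step("send M'", binds=("m'",))
REC_M = Step("rec M m", consumes=("m",))
REC_M2 = Step("rec M' m'", consumes=("m'",))

VALID = [SEND_M, REC_M, SEND_M2, REC_M2]
EQUIVALENT = [SEND_M, SEND_M2, REC_M2, REC_M]
REPLAY = [SEND_M, REC_M, REC_M]  # receives the same message twice: rejected

if __name__ == "__main__":
    print("leftover state:", set(run(VALID)))
    print("equivalent:", equivalent(VALID, EQUIVALENT))
    print("normal form:", [s.label for s in canonical(EQUIVALENT)])
    try:
        run(REPLAY)
    except ValueError as err:
        print("rejected:", err)
```

Because the dependency relation is fixed by the variables each step binds and consumes, any two valid orderings of the same steps are equivalent; what the checker can reject is a trace that consumes a wire resource twice or before it exists, which is the linear-typing property a protocol representation in CLF relies on.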
21
Results
Definition and meta-theory of CLF
  A new presentation of LF dependent type theory based on canonical forms
  Decidability of type checking
Examples and applications
  Representation of Petri nets, synchronous and asynchronous pi-calculus, with proofs of adequacy
  Novel, modular representation of CML in CLF
  Representation of MSR & examples
22
Further reading
Cervesato, Pfenning, Walker, Watkins. A concurrent logical framework. January 2002 (submitted).
Forthcoming technical reports:
  Watkins et al. A concurrent logical framework I: Judgments and properties.
  Cervesato et al. A concurrent logical framework II: Examples and applications.
23
Future work
Implementation and a logic programming operational semantics for CLF
  Represent, check and execute concurrent computations
Meta-logical reasoning about concurrent computations
  Properties of concurrent computations, bisimulation
  Automatic proof search