Principals in Programming Languages A Syntactic Proof Technique
![Evaluation (l host: {open: string int, read: int char}. <client body>[int/fh]) <client>{int/fh}{<host>/host} <host> ICFP](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-11.jpg "Evaluation (l host: {open: string int, read: int char}. <client body>[int/fh]) <client>{int/fh}{<host>/host} <host> ICFP")
![Client Operational Semantics [n]int n [n]fh [lx: t. H] s s ICFP 1999 lx:](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-15.jpg "Client Operational Semantics [n]int n [n]fh [lx: t. H] s s ICFP 1999 lx:")
![Host Operational Semantics e e' [e]t [e']t [[n]fh]int ICFP 1999 n 16](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-16.jpg "Host Operational Semantics e e' [e]t [e']t [[n]fh]int ICFP 1999 n 16")
![[lhandle : int. hr(handle)]fh char [3]fh ICFP 1999 17](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-17.jpg "[lhandle : int. hr(handle)]fh char [3]fh ICFP 1999 17")
![[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char ICFP 1999 [3]fh](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-18.jpg "[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char ICFP 1999 [3]fh")
![[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-19.jpg "[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char")
![[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-20.jpg "[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char")
![[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-21.jpg "[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char")
![[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-22.jpg "[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char")
![Static Semantics G H : {int/fh}t G [H]t : t G C: t G](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-23.jpg "Static Semantics G H : {int/fh}t G [H]t : t G C: t G")
![Host Operational Semantics [lx: t. C] s s lx: s{int/fh}. [C{[x]t/x}]s [[n]fh]int ICFP 1999](https://slidetodoc.com/presentation_image_h2/063719a3b79edee88c26a5dac0767786/image-30.jpg "Host Operational Semantics [lx: t. C] s s lx: s{int/fh}. [C{[x]t/x}]s [[n]fh]int ICFP 1999")
- Slides: 30
Principals in Programming Languages: A Syntactic Proof Technique Steve Zdancewic Dan Grossman and Greg Morrisett Cornell University ICFP 1999 1
Type Abstraction • Long history of study – Strachey 1967, Reynolds 1974, 1983, Mitchell & Plotkin 1988, . . . • Reasoning about Programs – Type safety – System Design – Extensible Systems ICFP 1999 2
Principals • One way to characterize principals is by their "view" of the environment. • Resources Available – Memory – Security Privileges – Type Information ICFP 1999 (this talk) 3
Types and Principals val h = open"file". . . Client API Host (* File handle *) abstype fh open : string fh read : fh char type fh = int fun open s =. . . ICFP 1999 4
Safety Properties • Client can’t create file handles: – Must call open to obtain file handles • File handles are abstract: – No client ever performs [handle + 3] – Host can return any integer as handle • The read function is applied only to hostprovided values ICFP 1999 5
Polymorphic Encoding (L fh. l host: {open: string fh, read: fh char}. <client>) ICFP 1999 6
Operational Models Needed • Parametric Polymorphism • Recursive Types • References & State • Control Operators • Threads • Objects • . . . ICFP 1999 7
The Goal Track and enforce type abstractions in an operational semantics. (Proofs in style of Wright & Felleisen 1992) ICFP 1999 8
“Linking” Host and Client (L fh. l host: {open: string fh, read: fh char}. <client>) int <host> ICFP 1999 9
Evaluation (L fh. l host: {open: string fh, (l host: {open: string int, read: fh char}. read: int char}. <client body>) <client>{int/fh}) int <host> ICFP 1999 10
Evaluation (l host: {open: string int, read: int char}. <client body>[int/fh]) <client>{int/fh}{<host>/host} <host> ICFP 1999 11
An Observation • No mention of fh • No distinction between client and host <client>{int/fh}{<host>/host} ICFP 1999 12
Our Solution Make principals explicit in the syntax: • Color client code blue • Color host code red • Typecheck with different rules: – Host knows fh = int • Track colors during evaluation ICFP 1999 13
Syntax t : : = fh | int | t t |. . . C : : = x | n | lx: t. C | (C C) | [H]t H : : = x | n | lx: t. H | (H H) | [C]t G : : = Ø | G[x: t] ICFP 1999 14
Client Operational Semantics [n]int n [n]fh [lx: t. H] s s ICFP 1999 lx: s. [H{[x]t/x}]s 15
Host Operational Semantics e e' [e]t [e']t [[n]fh]int ICFP 1999 n 16
[lhandle : int. hr(handle)]fh char [3]fh ICFP 1999 17
[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char ICFP 1999 [3]fh 18
[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char ICFP 1999 19
[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char [ hr(3)]char ICFP 1999 20
[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char [ hr(3)]char [‘A’]char ICFP 1999 21
[lhandle : int. hr(handle)]fh char [3]fh lhandle : fh. [ hr([handle]int)]char [3]fh [ hr([[3]fh]int)]char [ hr(3)]char [‘A’]char ‘A’ ICFP 1999 22
Static Semantics G H : {int/fh}t G [H]t : t G C: t G [C]t : {int/fh}t ICFP 1999 23
Theorems Soundness proved by standard Subject Reduction and Progress lemmas. Erasure property: Embeddings and colors don’t affect evaluation. ICFP 1999 24
Independence of Evaluation If C is host-free and lh: fh. C is of type fh int then: (lh: fh. C) [n]fh * m iff (lh: fh. C) [n']fh * m ICFP 1999 25
File Handles Come From Open Suppose (lopen: string fh. C) is well-typed and C is host-free. If (lopen: string fh. C) [ls: string. ho(s)]string fh steps to C' containing [n]fh as a subterm, then n was derived from a sequence of the form: ho(s) * n ICFP 1999 26
The General Setting • Multiple principals • Many abstract types • Products, Sums, Recursive Types, and References • Proofs follow standard techniques ICFP 1999 27
Related Work • Language Based Security (Smith & Volpano '97, Heintze & Riecke '98, Myers '99) • Principals (Nielson & Nielson '92, Leroy & Rouaix '98) • Other Parametricity Results (Abadi, Cardelli & Curien '93, Crary '99, Pierce & Sangiorgi '99) ICFP 1999 28
Summary Operational approach to proving type abstraction properties Principals are a useful conceptual framework. ICFP 1999 29
Host Operational Semantics [lx: t. C] s s lx: s{int/fh}. [C{[x]t/x}]s [[n]fh]int ICFP 1999 n 30