CLF: A Concurrent Logical Framework - PowerPoint PPT Presentation

Slides: 25
Provided by: david2786
1
CLF: A Concurrent Logical Framework
  • David Walker
  • Princeton
  • (with I. Cervesato, F. Pfenning, K. Watkins)

2
Outline
  • What is a logical framework?
  • Logical frameworks & security
  • CLF: a concurrent logical framework

3
Logical Frameworks
  • a logical framework is a meta-language for
    representing deductive systems
  • sample deductive systems
    • logics of all kinds
      • first-order logic, higher-order logic, temporal
        logic, ...
    • programming languages
      • ML, lambda calculus, pi calculus
    • specification languages
      • set theory, type theory, multi-set rewriting, ...
    • compilers
      • translations between languages or logics

4
Logical Frameworks
  • meta-logical frameworks (Twelf, Nuprl, HOL, ...)
    represent properties of logics
  • logical frameworks (Automath, Nuprl, HOL, LF, ...)
    represent logics
  • logics (FOL, linear logic, temporal logic)
    represent proofs
  • proofs, e.g. (A and B) > C

5
Logical Frameworks
  • meta-logical frameworks (Twelf, Nuprl, HOL, ...)
    represent properties of programming languages
  • logical frameworks (Automath, Nuprl, HOL, LF, ...)
    represent programming languages
  • programming languages (C, ML, Java, lambda calculus)
    represent programs
  • programs, e.g. if (n > 17) ...

6
Tasks for Logical Frameworks
  • Represent syntax
    • of a logic
    • of a programming language
  • Represent valid rules of inference
    • inference rules (modus ponens, law of the
      excluded middle) of a logic
    • typing rules, operational rules of a language
  • Represent valid deductions
    • valid proofs
    • well-typed programs, valid executions

7
Outline
  • What is a logical framework?
  • Logical frameworks & security
  • CLF: a concurrent logical framework

8
Application I: proof-carrying X
  • Proof-carrying code [Necula, Lee]
    • Attach a proof of some safety property to mobile
      code
    • Represent and check the proof in LF
  • Proof-carrying authentication [Appel, Felten]
    • Attach a proof of access rights to a database
      query or service request
    • Represent and check the proof in LF

9
Application II: Mechanical Reasoning
  • Increase our confidence in system properties
    through the following process:
    • Step 1: Represent algorithm, deductive system
    • Step 2: Prove adequacy of representation
    • Step 3: Prove security properties within the framework
  • LF normally small, simple and trustworthy
    • e.g. LF has two type constructors
    • Appel et al. (100k lines LF, 0 soundness bugs)
  • Step 2 is least trustworthy

10
Application II: Mechanical Reasoning
  • Authentication protocols
    • Extremely difficult to get correct
    • Highly concurrent
    • Errors are costly
  • Many different specification languages
    • informal notation, security logics, MSR, spi
      calculus, ...
  • Represent protocols, languages & their
    properties/relationships in a logical framework

11
Outline
  • What is a logical framework?
  • Logical frameworks & security
  • CLF: a concurrent logical framework

12
Logical framework design
  • Logical framework design resembles programming
    language design
  • Simple logical frameworks are like simple
    programming languages
    • few features: simple, trustworthy implementation,
      but limited expressiveness
    • expressive enough in principle, but awkward and
      unmanageable in practice
    • adequacy may be unclear and difficult to prove

13
The LF family of Logical Frameworks
  • Automath [De Bruijn], LF [Harper et al.]
    • Dependent types, intuitionistic functions
    • Represents pure PL, logics
    • Higher-order abstract syntax
  • Linear LF [Cervesato, Pfenning]
    • LF + linear functions, additive pairs
    • Represents state, effectful programming paradigms
    • Resource-conscious logics

14
Concurrent LF (CLF)
  • Linear LF + a concurrency monad
    • The monad encapsulates a concurrent computation
  • Represents concurrent programming paradigms
    • MSR specifications of security protocols,
      pi-calculus, CML, Petri nets

15
CLF types
  • Linear LF types + concurrency monad
  • Represent the state of a concurrent computation

  A, B ::= a | Πx:A.B | A ⊸ B | ⊤ | A & B | {S}
  S    ::= A | 1 | S1 ⊗ S2 | ∃x:A.S | !A
16
Pure CLF terms
  • Pure Linear LF terms + concurrent computations
  • A monad encapsulates computations within the pure
    language

  pure terms  M, N ::= c | λx:A.M | M N | ... | {E}
17
Effectful CLF computations
  • Computation E processes the ambient state
  • A let expression represents a step in a
    computation
  • Patterns p introduce new state

  computations  E ::= let {p} = M in E | F
  patterns      p ::= x:A | 1 | p1 ⊗ p2 | ∃x:A.p | !x
  states        F ::= M | 1 | F1 ⊗ F2 | [M, F] | !M
18
Example
CLF signature:
  key : type.
  msg : type.
  encrypt : key → msg → msg.
  wire : msg → type.
  send : ΠM:msg. {wire M}.
  rec : ΠM:msg. wire M ⊸ {1}.

Valid computation:
  let {m : wire M} = send M in
  let {m' : wire M'} = send M' in
  let {1} = rec M m in
  let {1} = rec M' m' in ...
19
Concurrency equations
  • LF and related dependent type theories provide a
    notion of definitional equality
  • When M ≡ N, the framework cannot distinguish M and
    N
  • We extend the LF equality
  • The framework cannot distinguish the order of
    independent computation steps

  let {p} = M in let {p'} = M' in E  ≡  let {p'} = M' in let {p} = M in E
  (M, M' do not contain variables in p, p')
20
Example
Valid computation:
  let {m : wire M} = send M in
  let {1} = rec M m in
  let {m' : wire M'} = send M' in
  let {1} = rec M' m' in ...

Equivalent computation:
  let {m : wire M} = send M in
  let {m' : wire M'} = send M' in
  let {1} = rec M m in
  let {1} = rec M' m' in ...
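As an added illustration (not part of the slides), the following Python encodes a computation as a sequence of let-steps, each recording which variables its pattern binds and which its term mentions, and checks the concurrency equation of slide 19 on the two computations of slide 20: whether a computation is well scoped, one application of the equation as an adjacent swap of independent steps, and equivalence modulo the equation. The step labels, the `Step` representation and treating M, M' as free message terms are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Step:
    # One `let {p} = M in ...` step: what p binds, what M mentions. Labels must be unique.
    label: str
    binds: frozenset
    uses: frozenset

def step(label, binds=(), uses=()):
    return Step(label, frozenset(binds), frozenset(uses))

def independent(s, t):
    """Side condition of the equation: neither term mentions a variable the other pattern binds."""
    return not (s.binds & t.uses) and not (t.binds & s.uses)

def well_scoped(comp, free=frozenset()):
    """Valid computation: each step only uses variables bound by earlier steps or free ones (M, M')."""
    bound = set(free)
    for s in comp:
        if not s.uses <= bound:
            return False
        bound |= s.binds
    return True

def swap_adjacent(comp, i):
    """One application of the equation: exchange steps i and i+1, or None if they are dependent."""
    s, t = comp[i], comp[i + 1]
    return comp[:i] + [t, s] + comp[i + 2:] if independent(s, t) else None

def equivalent(c1, c2):
    """Equal modulo the equation: same steps, and every dependent pair keeps its relative order
    (trace equivalence; adjacent independent swaps generate exactly this relation)."""
    if sorted(s.label for s in c1) != sorted(s.label for s in c2):
        return False
    pos1 = {s.label: i for i, s in enumerate(c1)}
    pos2 = {s.label: i for i, s in enumerate(c2)}
    return all(independent(s, t) or
               (pos1[s.label] < pos1[t.label]) == (pos2[s.label] < pos2[t.label])
               for s, t in combinations(c1, 2))

# The two computations of slide 20 (constructed encoding); M and M' are free message terms.
FREE = frozenset({"M", "M'"})
SEND_M  = step("let {m : wire M} = send M", binds={"m"}, uses={"M"})
REC_M   = step("let {1} = rec M m", uses={"M", "m"})
SEND_M2 = step("let {m' : wire M'} = send M'", binds={"m'"}, uses={"M'"})
REC_M2  = step("let {1} = rec M' m'", uses={"M'", "m'"})
VALID = [SEND_M, REC_M, SEND_M2, REC_M2]
EQUIV = [SEND_M, SEND_M2, REC_M, REC_M2]
BAD   = [REC_M, SEND_M, SEND_M2, REC_M2]   # consumes m before send M has bound it
```

`swap_adjacent(VALID, 1)` yields `EQUIV`, while `swap_adjacent(VALID, 0)` is refused because `rec M m` depends on the `m` that `send M` binds.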
21
Results
  • Definition and meta-theory of CLF
    • A new presentation of LF dependent type theory
      based on canonical forms
    • Decidability of type checking
  • Examples and applications
    • Representation of Petri nets, synchronous and
      asynchronous pi-calculus with proofs of adequacy
    • Novel, modular representation of CML in CLF
    • Representation of MSR examples

22
Further reading
  • Cervesato, Pfenning, Walker, Watkins. A
    concurrent logical framework. January 2002
    (submitted).
  • Forthcoming technical reports:
    • Watkins et al. A concurrent logical framework I:
      Judgments and properties.
    • Cervesato et al. A concurrent logical framework
      II: Examples and applications.

23
Future work
  • Implementation and logic programming operational
    semantics for CLF
    • Represent, check and execute concurrent
      computations
  • Meta-logical reasoning about concurrent
    computations
    • Properties of concurrent computations,
      bisimulation
    • Automatic proof search

24
Conclusions
  • Study of logical frameworks is an important
    aspect of the development of secure and reliable
    systems
  • CLF enables concise and adequate representations
    of concurrent languages