Principals in Programming Languages: A Syntactic Proof Technique

1
Principals in Programming LanguagesA Syntactic
Proof Technique

• Steve Zdancewic
• Dan Grossman and Greg Morrisett
• Cornell University

2
Type Abstraction

• Long history of study
• Strachey 1967, Reynolds 1974, 1983, Mitchell
  Plotkin 1988, ...
• Reasoning about Programs
• Type safety
• System Design
• Extensible Systems

3
Principals

• One way to characterize principals is by their
  "view" of the environment.
• Resources Available
• Memory
• Security Privileges
• Type Information (this talk)

4
Types and Principals
val h open"file" ...
Client
( File handle ) abstype fh open string ?
fh read fh ? char
API
Host
type fh int fun open s ...
5
Safety Properties

• Client cant create file handles
• Must call open to obtain file handles
• File handles are abstract
• No client ever performs
• handle 3
• Host can return any integer as handle
• The read function is applied only to
  host-provided values

6
Polymorphic Encoding
(L fh. l hostopen string ? fh,
read fh ? char.
ltclientgt)
7
Operational Models Needed

• Parametric Polymorphism
• Recursive Types
• References State
• Control Operators
• Threads
• Objects
• ...

8
The Goal
Track and enforce type abstractions in an
operational semantics.
(Proofs in style of Wright Felleisen 1992)
9
Linking Host and Client
(L fh. l hostopen string ? fh,
read fh ? char.
ltclientgt) int lthostgt
10
Evaluation
(L fh. l hostopen string ? fh,
read fh ? char. ltclient
bodygt) int lthostgt
(l hostopen string ? int,
read int ? char. ltclientgtint/fh) lt
hostgt
11
Evaluation
(l hostopen string ? int,
read int ? char. ltclient
bodygtint/fh) lthostgt
ltclientgtint/fhlthostgt/host
12
An Observation

• No mention of fh
• No distinction between client and
• host

ltclientgtint/fhlthostgt/host
13
Our Solution

• Make principals explicit in the syntax
• Color client code blue
• Color host code red
• Typecheck with different rules
• Host knows fh int
• Track colors during evaluation

14
Syntax
t fh int t ? t ...
C x n lxt.C (C C) Ht
H x n lxt.H (H H) Ct
G Ø Gxt Gxt
15
Client Operational Semantics
nint ? n
lxt.H s? s? ? lxs.Hxt/xs?
16
Host Operational Semantics
nfhint ? n
17
lhandle int. hr(handle)fh?char 3fh
18
lhandle int. hr(handle)fh?char 3fh
lhandle fh. hr(handleint)char 3fh
19
lhandle int. hr(handle)fh?char 3fh
lhandle fh. hr(handleint)char 3fh
hr(3fhint)char
20
lhandle int. hr(handle)fh?char 3fh
lhandle fh. hr(handleint)char 3fh
hr(3fhint)char
hr(3)char
21
lhandle int. hr(handle)fh?char 3fh
lhandle fh. hr(handleint)char 3fh
hr(3fhint)char
hr(3)char
Achar
22
lhandle int. hr(handle)fh?char 3fh
lhandle fh. hr(handleint)char 3fh
hr(3fhint)char
hr(3)char
Achar
A
23
Static Semantics
24
Theorems
Soundness proved by standard Subject Reduction
and Progress lemmas.
Erasure property Embeddings and colors dont
affect evaluation.
25
Independence of Evaluation
If C is host-free and lhfh.C is of type fh ? int
then
(lhfh.C) nfh ? m iff (lhfh.C) n'fh ? m
26
File Handles Come From Open
Suppose (lopenstring ?fh.C) is well-typed and C
is host-free. If (lopenstring ?fh.C)
lsstring.ho(s)string ?fh steps to C'
containing nfh as a subterm, then n was
derived from a sequence of the form ho(s)
? n
27
The General Setting

• Multiple principals
• Many abstract types
• Products, Sums, Recursive Types, and
• References
• Proofs follow standard techniques

28
Related Work

• Language Based Security
• (Smith Volpano '97, Heintze Riecke '98,
  Myers '99)
• Principals
• (Nielson Nielson '92, Leroy Rouaix '98)
• Other Parametricity Results
• (Abadi, Cardelli Curien '93, Crary '99,
  Pierce Sangiorgi '99)

29
Summary
Operational approach to proving type abstraction
properties
Principals are a useful conceptual framework.
30
Host Operational Semantics
lxt.C s? s? ? lxsint/fh.Cxt/xs?
nfhint ? n