
Embracing a mechanized formalization gap [article]

Antal Spector-Zabusky, Joachim Breitner, Yao Li, Stephanie Weirich
2019 arXiv   pre-print
If a code base is so big and complicated that complete mechanical verification is intractable, can we still apply and benefit from verification methods? We show that by allowing a deliberate mechanized formalization gap we can shrink and simplify the model until it is manageable, while still retaining a meaningful, declaratively documented connection to the original, unmodified source code. Concretely, we translate core parts of the Haskell compiler GHC into Coq, using hs-to-coq, and verify invariants related to the use of term variables.
arXiv:1910.11724v1 fatcat:iancabvl3nbrxi2coyol7c4iie

Testing noninterference, quickly

Catalin Hritcu, John Hughes, Benjamin C. Pierce, Antal Spector-Zabusky, Dimitrios Vytiniotis, Arthur Azevedo de Amorim, Leonidas Lampropoulos
2013 SIGPLAN notices  
Information-flow control mechanisms are difficult to design and labor intensive to prove correct. To reduce the time wasted on proof attempts doomed to fail due to broken definitions, we advocate modern random testing techniques for finding counterexamples during the design process. We show how to use QuickCheck, a property-based random-testing tool, to guide the design of a simple information-flow abstract machine. We find that both sophisticated strategies for generating well-distributed random programs and readily falsifiable formulations of noninterference properties are critically important. We propose several approaches and evaluate their effectiveness on a collection of injected bugs of varying subtlety. We also present an effective technique for shrinking large counterexamples to minimal, easily comprehensible ones. Taken together, our best methods enable us to quickly and automatically generate simple counterexamples for all these bugs.
doi:10.1145/2544174.2500574 fatcat:7emv7ekrwrep3jrsplqe7mu7wa

choose your own derivative (extended abstract)

Jennifer Paykin, Antal Spector-Zabusky, Kenneth Foner
2016 Proceedings of the 1st International Workshop on Type-Driven Development - TyDe 2016  
We discuss a generalization of the synchronization mechanism selective choice. We argue that selective choice can be extended to synchronize arbitrary data structures of events, based on a typing paradigm introduced by McBride: the derivatives of recursive data types. We discuss our work in progress implementing generalized selective choice as a Haskell library based on generic programming.
doi:10.1145/2976022.2976024 dblp:conf/icfp/PaykinSF16 fatcat:nl7ringsrbdrplcfmhe27w6zpm

Towards a Fully Abstract Compiler Using Micro-Policies: Secure Compilation for Mutually Distrustful Components [article]

Yannis Juglaret, Catalin Hritcu, Arthur Azevedo de Amorim, Benjamin C. Pierce, Antal Spector-Zabusky, Andrew Tolmach
2015 arXiv   pre-print
Secure compilation prevents all low-level attacks on compiled code and allows for sound reasoning about security in the source language. In this work we propose a new attacker model for secure compilation that extends the well-known notion of full abstraction to ensure protection for mutually distrustful components. We devise a compiler chain (compiler, linker, and loader) and a novel security monitor that together defend against this strong attacker model. The monitor is implemented using a recently proposed, generic tag-based protection framework called micro-policies, which comes with hardware support for efficient caching and with a formal verification methodology. Our monitor protects the abstractions of a simple object-oriented language---class isolation, the method call discipline, and type safety---against arbitrary low-level attackers.
arXiv:1510.00697v1 fatcat:pdzanfz66faohjbpnl2wcv3y7e

Testing noninterference, quickly

Cătălin Hriţcu, Leonidas Lampropoulos, Antal Spector-Zabusky, Arthur Azevedo de Amorim, Maxime Dénès, John Hughes, Benjamin C. Pierce, Dimitrios Vytiniotis
2016 Journal of functional programming  
Information-flow control mechanisms are difficult both to design and to prove correct. To reduce the time wasted on doomed proof attempts due to broken definitions, we advocate modern random-testing techniques for finding counterexamples during the design process. We show how to use QuickCheck, a property-based random-testing tool, to guide the design of increasingly complex information-flow abstract machines, leading up to a sophisticated register machine with a novel and highly permissive flow-sensitive dynamic enforcement mechanism that is sound in the presence of first-class public labels. We find that both sophisticated strategies for generating well-distributed random programs and readily falsifiable formulations of noninterference properties are critically important for efficient testing. We propose several approaches and evaluate their effectiveness on a collection of injected bugs of varying subtlety. We also present an effective technique for shrinking large counterexamples to minimal, easily comprehensible ones. Taken together, our best methods enable us to quickly and automatically generate simple counterexamples for more than 45 bugs. Moreover, we show how testing guides the discovery of the sophisticated invariants needed for the noninterference proof of our most complex machine.
doi:10.1017/s0956796816000058 fatcat:qyjrtvt6grhrnj3yd4hrebdgci

Testing noninterference, quickly

Catalin Hritcu, John Hughes, Benjamin C. Pierce, Antal Spector-Zabusky, Dimitrios Vytiniotis, Arthur Azevedo de Amorim, Leonidas Lampropoulos
2013 Proceedings of the 18th ACM SIGPLAN international conference on Functional programming - ICFP '13  
Information-flow control mechanisms are difficult to design and labor intensive to prove correct. To reduce the time wasted on proof attempts doomed to fail due to broken definitions, we advocate modern random testing techniques for finding counterexamples during the design process. We show how to use QuickCheck, a property-based random-testing tool, to guide the design of a simple information-flow abstract machine. We find that both sophisticated strategies for generating well-distributed random programs and readily falsifiable formulations of noninterference properties are critically important. We propose several approaches and evaluate their effectiveness on a collection of injected bugs of varying subtlety. We also present an effective technique for shrinking large counterexamples to minimal, easily comprehensible ones. Taken together, our best methods enable us to quickly and automatically generate simple counterexamples for all these bugs.
doi:10.1145/2500365.2500574 dblp:conf/icfp/HritcuHPSVAL13 fatcat:xg5leydmkfa3tjv6snaufbm2xe

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Arthur Azevedo de Amorim, Maxime Denes, Nick Giannarakis, Catalin Hritcu, Benjamin C. Pierce, Antal Spector-Zabusky, Andrew Tolmach
2015 IEEE Symposium on Security and Privacy
Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.
[Figure: three-level refinement for a micro-policy P. The abstract machine specification for P is refined by the symbolic machine instance for P (a generic symbolic machine plus the micro-policy-specific tags, transfer function, and monitor services), which is in turn refined by the concrete machine running the policy monitor for P (generic miss handler plus the policy's monitor code).]
doi:10.1109/sp.2015.55 dblp:conf/sp/AmorimDGHPST15 fatcat:h3c43yx4ofblzhmkl7d64h2h5q

Total Haskell is reasonable Coq

Antal Spector-Zabusky, Joachim Breitner, Christine Rizkallah, Stephanie Weirich
2018 Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs - CPP 2018  
We would like to use the Coq proof assistant to mechanically verify properties of Haskell programs. To that end, we present a tool, named hs-to-coq, that translates total Haskell programs into Coq programs via a shallow embedding. We apply our tool in three case studies -- a lawful Monad instance, "Hutton's razor", and an existing data structure library -- and prove their correctness. These examples show that this approach is viable: both that hs-to-coq applies to existing Haskell code, and that the output it produces is amenable to verification.
doi:10.1145/3167092 dblp:conf/cpp/Spector-Zabusky18 fatcat:yazpv47ixvaerk63v7zepb2q7i

Ready, Set, Verify! Applying hs-to-coq to real-world Haskell code [article]

Joachim Breitner, Antal Spector-Zabusky, Yao Li, Christine Rizkallah, John Wiegley, Stephanie Weirich
2018 arXiv   pre-print
Spector-Zabusky et al. [2018] describe three case studies, two of which require less than 20 lines of Haskell.  ...  In contrast, a proof of termination is a requirement for verifying functions using hs-to-coq [Spector-Zabusky et al. 2018 ].  ... 
arXiv:1803.06960v2 fatcat:bgigt7yjivcqrffegj3tllnl3m

Ready, set, verify! applying hs-to-coq to real-world Haskell code (experience report)

Joachim Breitner, Antal Spector-Zabusky, Yao Li, Christine Rizkallah, John Wiegley, Stephanie Weirich
2018 Proceedings of the ACM on Programming Languages  
This work is licensed under a Creative Commons Attribution 4.0 International License. 89:2 Breitner, Spector-Zabusky, Li, Rizkallah, Wiegley, and Weirich functions, and type classes into equivalent Coq  ...  Furthermore, by using multiple disparate specifications, we not only increase the assurance that we captured all the important behaviors  ...  Depending on how involved the termination argument for a given function is, we use one of the following approaches. Obvious structural  ... 
doi:10.1145/3236784 dblp:journals/pacmpl/BreitnerSLRWW18 fatcat:y3m367mjffflxcrj2bru2rk554

Scalable Handling of Effects (Dagstuhl Seminar 21292)

Danel Ahman, Amal Ahmed, Sam Lindley, Andreas Rossberg
2021
Proc) → List α timeshare m := schedule [Paused (λ⟨⟩.reifyProcess m)]  ...  Antal Spector-Zabusky (Jane Street - London, GB). License: Creative Commons BY 4.0 International license © Antal Spector-Zabusky. Joint work of Antal Spector-Zabusky, Stephen Dolan, Leo White  ...  Wouter Swierstra (Utrecht University, NL) and Robert Atkey (University of Strathclyde - Glasgow, GB). License: Creative Commons BY 4.0 International  ... 
doi:10.4230/dagrep.11.6.54 fatcat:daqhu5kcyffxvjxtl3qef6tid4

Keep your laziness in check

Kenneth Foner, Hengchu Zhang, Leonidas Lampropoulos
2018 Proceedings of the ACM on Programming Languages  
ACKNOWLEDGMENTS We are grateful to José Manuel Calderón Trilla, Stephanie Weirich, Benjamin Pierce, Mayur Naik, Katrina Xiaoyue Yin, Jennifer Paykin, Robert Rand, Antal Spector-Zabusky, Matthew Weaver,  ... 
doi:10.1145/3236797 dblp:journals/pacmpl/FonerZL18 fatcat:g2hab4uqrvglxcvjdjdpxvidbm

Safe zero-cost coercions for Haskell

Joachim Breitner, Richard A. Eisenberg, Simon Peyton Jones, Stephanie Weirich
2016 Journal of functional programming  
Acknowledgments Thanks to Antal Spector-Zabusky for contributing to this version of FC; and to Edward Kmett and Dimitrios Vytiniotis for discussion and feedback.  ... 
doi:10.1017/s0956796816000150 fatcat:ee7rlcbwwzdxfn6lwv56dzcczu

Safe zero-cost coercions for Haskell

Joachim Breitner, Richard A. Eisenberg, Simon Peyton Jones, Stephanie Weirich
2014 Proceedings of the 19th ACM SIGPLAN international conference on Functional programming - ICFP '14  
Acknowledgments Thanks to Antal Spector-Zabusky for contributing to this version of FC; and to Edward Kmett and Dimitrios Vytiniotis for discussion and feedback.  ... 
doi:10.1145/2628136.2628141 dblp:conf/icfp/BreitnerEJW14 fatcat:fh445cf5zrcxdedft4ziy7mmfq

Safe zero-cost coercions for Haskell

Joachim Breitner, Richard A. Eisenberg, Simon Peyton Jones, Stephanie Weirich
2014 SIGPLAN notices  
Acknowledgments Thanks to Antal Spector-Zabusky for contributing to this version of FC; and to Edward Kmett and Dimitrios Vytiniotis for discussion and feedback.  ... 
doi:10.1145/2692915.2628141 fatcat:afiaulg7tvar5f2kmcqccbawvu