Moez A. AbdelGawad

DOI: https://doi.org/10.48550/arXiv.1805.10931

2018-05-18

Programming Languages

Abstract:Of the complex features of generic nominally-typed OO type systems, wildcard types and variance annotations are probably the hardest to fully grasp. As demonstrated when adding closures (a.k.a., lambdas) and when extending type inference in Java, wildcard types and variance annotations make the development and progress of OO programming languages, and of their type systems in particular, a challenging and delicate task. In this work we build on our concurrent work, in which we model Java subtyping using a partial graph product, to suggest how wildcard types in Java can be generalized, and simplified, to interval types. In particular, interval types correspond to endpoints of paths in the Java subtyping graph. In addition to being a simple and more familiar notion, that is easier to grasp than wildcard types, interval types are strictly more expressive than wildcard types. As such, we believe interval types, when developed and analyzed in full, will be a welcome addition to Java and other similar generic nominally-typed OO programming languages.

Elad Kinsbruner,Hila Peleg,Shachar Itzhaky

2024-08-20

Abstract:Soundness of a type system is a fundemental property that guarantees that no operation that is not supported by a value will be performed on that value at run time. A type checker for a sound type system is expected to issue a warning on every type error. While soundness is a desirable property for many practical applications, in 2016, Amin and Tate presented the first unsoundness proof for two major industry languages: Java and Scala. This proof relied on use-site variance and implicit null values. We present an unsoundness proof for Kotlin, another emerging industry language, which relies on a previously unknown unsound combination of language features. Kotlin does not have implicit null values, meaning that the proof by Amin and Tate would not work for Kotlin. Our new proof, which is an infringing code snippet, utilizes Kotlin's \emph{declaration-site} variance specification and does not require implicit null values. We present this counterexample to soundness in full along with detailed explanations of every step. Finally, we present a thorough discussion on precisely which language features cause this issue, as well as how Kotlin's compiler can be patched to fix it.

Programming Languages,Software Engineering

Julian Erhard,Manuel Bentele,Matthias Heizmann,Dominik Klumpp,Simmo Saan,Frank Schüssele,Michael Schwarz,Helmut Seidl,Sarah Tilscher,Vesal Vojdani

2024-11-26

Abstract:Static analyzers are typically complex tools and thus prone to contain bugs themselves. To increase the trust in the verdict of such tools, witnesses encode key reasoning steps underlying the verdict in an exchangeable format, enabling independent validation of the reasoning by other tools. For the correctness of concurrent programs, no agreed-upon witness format exists -- in no small part due to the divide between the semantics considered by analyzers, ranging from interleaving to thread-modular approaches, making it challenging to exchange information. We propose a format that leverages the well-known notion of ghosts to embed the claims a tool makes about a program into a modified program with ghosts, such that the validity of a witness can be decided by analyzing this program. Thus, the validity of witnesses with respect to the interleaving and the thread-modular semantics coincides. Further, thread-modular invariants computed by an abstract interpreter can naturally be expressed in the new format using ghost statements. We evaluate the approach by generating such ghost witnesses for a subset of concurrent programs from the SV-COMP benchmark suite, and pass them to a model checker. It can confirm 75% of these witnesses -- indicating that ghost witnesses can bridge the semantic divide between interleaving and thread-modular approaches.

Programming Languages

Ashwani Anand,Sylvain Schmitz,Lia Schütze,Georg Zetzsche

2024-06-20

Abstract:Well-structured transition systems (WSTS) are an abstract family of systems that encompasses a vast landscape of infinite-state systems. By requiring a well-quasi-ordering (wqo) on the set of states, a WSTS enables generic algorithms for classic verification tasks such as coverability and termination. However, even for systems that are WSTS like vector addition systems (VAS), the framework is notoriously ill-equipped to analyse reachability (as opposed to coverability). Moreover, some important types of infinite-state systems fall out of WSTS' scope entirely, such as pushdown systems (PDS). Inspired by recent algorithmic techniques on VAS, we propose an abstract notion of systems where the set of runs is equipped with a wqo and supports amalgamation of runs. We show that it subsumes a large class of infinite-state systems, including (reachability languages of) VAS and PDS, and even all systems from the abstract framework of valence systems, except for those already known to be Turing-complete. Moreover, this abstract setting enables simple and general algorithmic solutions to unboundedness problems, which have received much attention in recent years. We present algorithms for the (i) simultaneous unboundedness problem (which implies computability of downward closures and decidability of separability by piecewise testable languages), (ii) computing priority downward closures, (iii) deciding whether a language is bounded, meaning included in $w_1^*\cdots w_k^*$ for some words $w_1,\ldots,w_k$, and (iv) effective regularity of unary languages. This leads to either drastically simpler proofs or new decidability results for a rich variety of systems.

Formal Languages and Automata Theory

Jaouhar Fattahi,Mohamed Mejri

DOI: https://doi.org/10.1109/ECAI.2015.7301205

2018-01-05

Abstract:In this paper, we use the witness-functions to analyze cryptographic protocols for secrecy under nonempty equational theories. The witness-functions are safe metrics used to compute security. An analysis with a witness-function consists in making sure that the security of every atomic message does not decrease during its lifecycle in the protocol. The analysis gets more difficult under nonempty equational theories. Indeed, the intruder can take advantage of the algebraic properties of the cryptographic primitives to derive secrets. These properties arise from the use of mathematical functions, such as multiplication, addition, exclusive-or or modular exponentiation in the cryptosystems and the protocols. Here, we show how to use the witness-functions under nonempty equational theories and we run an analysis on the Needham-Schroeder-Lowe protocol under the cipher homomorphism. This analysis reveals that although this protocol is proved secure under the perfect encryption assumption, its security collapses under the homomorphic primitives. We show how the witness-functions help to illustrate an attack scenario on it and we propose an amended version to fix it.

Cryptography and Security

Noah Constant

DOI: https://doi.org/10.3765/SALT.V22I0.2652

2012-09-03

Abstract:This paper presents three novel ways of testing which plural quantificational phrases can denote individuals (type e). Specifically, it is argued that only type-e expressions can (i) be marked as a contrastive topic in a discourse contrasting individuals, (ii) be equated with another type-e expression in an equative frame, and (iii) anchor supplementing material. The main empirical finding is that the class of quantifiers allowing type-e nominal denotations is larger than assumed on classic accounts like Reinhart 1997. Furthermore, this class is characterizable in semantic terms. The quantifiers that give rise to type-e meanings are "witnessable" in the sense of entailing the existence of an individual satisfying both their restrictor and their nuclear scope.

Mathematics,Linguistics

Ofek Kirzner,Adam Morrison

DOI: https://doi.org/10.48550/arXiv.2106.15601

2021-07-02

Abstract:Spectre v1 attacks, which exploit conditional branch misprediction, are often identified with attacks that bypass array bounds checking to leak data from a victim's memory. Generally, however, Spectre v1 attacks can exploit any conditional branch misprediction that makes the victim execute code incorrectly. In this paper, we investigate speculative type confusion, a Spectre v1 attack vector in which branch mispredictions make the victim execute with variables holding values of the wrong type and thereby leak memory content. We observe that speculative type confusion can be inadvertently introduced by a compiler, making it extremely hard for programmers to reason about security and manually apply Spectre mitigations. We thus set out to determine the extent to which speculative type confusion affects the Linux kernel. Our analysis finds exploitable and potentially-exploitable arbitrary memory disclosure vulnerabilities. We also find many latent vulnerabilities, which could become exploitable due to innocuous system changes, such as coding style changes. Our results suggest that Spectre mitigations which rely on statically/manually identifying "bad" code patterns need to be rethought, and more comprehensive mitigations are needed.

Cryptography and Security

Krishnendu Chatterjee,Amir Kafshdar Goharshady,Ehsan Kafshdar Goharshady,Mehrdad Karrabi,Đorđe Žikelić

2024-07-01

Abstract:We study the classical problem of verifying programs with respect to formal specifications given in the linear temporal logic (LTL). We first present novel sound and complete witnesses for LTL verification over imperative programs. Our witnesses are applicable to both verification (proving) and refutation (finding bugs) settings. We then consider LTL formulas in which atomic propositions can be polynomial constraints and turn our focus to polynomial arithmetic programs, i.e. programs in which every assignment and guard consists only of polynomial expressions. For this setting, we provide an efficient algorithm to automatically synthesize such LTL witnesses. Our synthesis procedure is both sound and semi-complete. Finally, we present experimental results demonstrating the effectiveness of our approach and that it can handle programs which were beyond the reach of previous state-of-the-art tools.

Programming Languages,Logic in Computer Science

Guillermo Badia,Andrew Tedder

DOI: https://doi.org/10.48550/arXiv.1809.08299

2018-09-22

Abstract:Elimination of quantifiers is shown to fail dramatically for a group of well-known mathematical theories (classically enjoying the property) against a wide range of relevant logical backgrounds. Furthermore, it is suggested that only by moving to more extensional underlying logics can we get the property back.

Logic

Ernie Cohen

DOI: https://doi.org/10.48550/arXiv.0910.1028

2009-10-06

Abstract:We show that the axioms of Weak Kleene Algebra (WKA) are sound and complete for the theory of regular expressions modulo simulation equivalence, assuming their completeness for monodic trees (as conjectured by Takai and Furusawa).

Logic in Computer Science,Programming Languages

Xi Wang,Nickolai Zeldovich,M. Frans Kaashoek,Armando Solar-Lezama

DOI: https://doi.org/10.1145/2699678

2015-03-11

ACM Transactions on Computer Systems

Abstract:This article studies undefined behavior arising in systems programming languages such as C/C++. Undefined behavior bugs lead to unpredictable and subtle systems behavior, and their effects can be further amplified by compiler optimizations. Undefined behavior bugs are present in many systems, including the Linux kernel and the Postgres database. The consequences range from incorrect functionality to missing security checks. This article proposes a formal and practical approach that finds undefined behavior bugs by finding “unstable code” in terms of optimizations that leverage undefined behavior. Using this approach, we introduce a new static checker called S tack that precisely identifies undefined behavior bugs. Applying S tack to widely used systems has uncovered 161 new bugs that have been confirmed and fixed by developers.

computer science, theory & methods

Matteo Cimini,Dale Miller,Jeremy G. Siek

DOI: https://doi.org/10.48550/arXiv.1611.05105

2016-11-16

Programming Languages

Abstract:Type soundness is an important property of modern programming languages. In this paper we explore the idea that "well-typed languages are sound": the idea that the appropriate typing discipline over language specifications guarantees that the language is type sound. We instantiate this idea for a certain class of languages defined using small step operational semantics by ensuring the progress and preservation theorems. Our first contribution is a syntactic discipline for organizing and restricting language specifications so that they automatically satisfy the progress theorem. This discipline is not novel but makes explicit the way expert language designers have been organizing a certain class of languages for long time. We give a formal account of this discipline by representing language specifications as (higher-order) logic programs and by giving a meta type system over that collection of formulas. Our second contribution is a methodology and meta type system for guaranteeing that languages satisfy the preservation theorem. Ultimately, we proved that language specifications that conform to our meta type systems are guaranteed to be type sound. We have implemented these ideas in the TypeSoundnessCertifier, a tool that takes language specifications in the form of logic programs and type checks them according to our meta type systems. For those languages that pass our type checker, our tool automatically produces a proof of type soundness that can be machine-checked by the Abella proof assistant. For those languages that fail our type checker, the tool pinpoints the design mistakes that hinder type soundness. We have applied the TypeSoundnessCertifier to a large number of programming languages, including those with recursive types, polymorphism, letrec, exceptions, lists and other common types and operators.

Amin Timany,Robbert Krebbers,Derek Dreyer,Lars Birkedal

DOI: https://doi.org/10.1145/3676954

IF: 2.269

2024-07-10

Journal of the ACM

Abstract:Type soundness, which asserts that “well-typed programs cannot go wrong”, is widely viewed as the canonical theorem one must prove to establish that a type system is doing its job. It is commonly proved using the so-called syntactic approach (aka progress and preservation ), which has had a huge impact on the study and teaching of programming language foundations. Unfortunately, syntactic type soundness is a rather weak theorem. It only applies to programs that are well-typed in their entirety, and thus tells us nothing about the many programs written in “safe” languages that make use of “unsafe” language features. Even worse, it tells us nothing about whether type systems achieve one of their main goals: enforcement of data abstraction. One can easily define a language that enjoys syntactic type soundness and yet fails to support even the most basic modular reasoning principles for abstraction mechanisms like closures, objects, and abstract data types. Given these concerns, we argue that programming languages researchers should no longer be satisfied with proving syntactic type soundness, and should instead start proving semantic type soundness , a more useful theorem which captures more accurately what type systems are actually good for. Semantic type soundness is an old idea—Milner’s original account of type soundness from 1978 was semantic—but it fell out of favor in the 1990s due to limitations and complexities of denotational models. In the succeeding decades, thanks to a series of technical advances—notably, step-indexed Kripke logical relations constructed over operational semantics, and higher-order concurrent separation logic as consolidated in the Iris framework in Coq—we can now build (machine-checked) semantic soundness proofs at a much higher level of abstraction than was previously possible. The resulting “logical” approach to semantic type soundness has already been employed to great effect in a number of recent papers, but those papers typically (a) concern advanced problem scenarios that complicate the presentation, (b) assume significant prior knowledge of the reader, and (c) suppress many details of the proofs. Here, we aim to provide a gentler, more pedagogically motivated introduction to logical type soundness, targeted at a broader audience that may or may not be familiar with logical relations and Iris. As a bonus, we also show how logical type soundness proofs can easily be generalized to establish an even stronger relational property— representation independence —for realistic type systems.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Alexander S. Yessenin-Volpin,Christer Hennix

DOI: https://doi.org/10.48550/arXiv.math/0110094

2001-10-09

Logic

Abstract:This paper gives a counterexample to the impossibility, by G\"odel's second incompleteness theorem, of proving a formula expressing the consistency of arithmetic in a fragment of arithmetic on the assumption that the latter is consistent. This counterexample gives rise to a new type of metamathematical paradox, to be called the G\"odel-Wette paradox, which E. Wette claims to have established since some time ago (see [Wette, 1971], [Wette, 1974]). Nevertheless, our work is independent of Wette's since we have failed to understand the details of his work although we recognize the possibility of the correctness of the latter. Furthermore, the G\"odel-Wette paradox is not the only foundational anomaly which the framework of our approach has uncovered but new questions concerning the decision problem, completeness problem, truth definitions and the status of Richard's paradox in arithmetic and set theory (including type theory) have arisen as well. This work will, eventually be unified into a single monograph.

R Ramanujam,Vaishnavi Sundararajan,S P Suresh

2024-01-26

Abstract:In the symbolic verification of cryptographic protocols, a central problem is deciding whether a protocol admits an execution which leaks a designated secret to the malicious intruder. Rusinowitch & Turuani (2003) show that, when considering finitely many sessions, this ``insecurity problem'' is NP-complete. Central to their proof strategy is the observation that any execution of a protocol can be simulated by one where the intruder only communicates terms of bounded size. However, when we consider models where, in addition to terms, one can also communicate logical statements about terms, the analysis of the insecurity problem becomes tricky when both these inference systems are considered together. In this paper we consider the insecurity problem for protocols with logical statements that include {\em equality on terms} and {\em existential quantification}. Witnesses for existential quantifiers may be unbounded, and obtaining small witness terms while maintaining equality proofs complicates the analysis considerably. We extend techniques from Rusinowitch & Turuani (2003) to show that this problem is also in NP.

Logic in Computer Science,Cryptography and Security

Dieter Spreen

DOI: https://doi.org/10.48550/arXiv.1702.05079

2021-10-14

Abstract:Information systems with witnesses have been introduced in [D. Spreen. Generalised information systems capture L-domains. <a class="link-https" data-arxiv-id="1610.02260v2" href="https://arxiv.org/abs/1610.02260v2">arXiv:1610.02260v2</a>] as a logic-style representation of L-domains: The category of such information systems with approximable mappings as morphisms is equivalent to the category of L-domains with Scott continuous functions, which is known to be Cartesian closed. In the present paper a direct proof of the Cartesian closure of the category of information systems with witnesses and approximable mapppings is given. As is shown, the collection of approximable mappings between two information systems with witnesses comes with a natural information system structure.

Logic in Computer Science

Johnathan Djella Legnongo,Tony Ezome,Florian Luca

2023-05-13

Abstract:We describe the average sizes of the set of bad witnesses for a pseudo-primality test which is the product of a multiple-rounds Miller-Rabin test by the Galois test.

Number Theory

Ohad Kammar,Matija Pretnar

DOI: https://doi.org/10.1017/S0956796816000320

2016-05-23

Abstract:We present a straightforward, sound Hindley-Milner polymorphic type system for algebraic effects and handlers in a call-by-value calculus, which allows type variable generalisation of arbitrary computations, not just values. This result is surprising. On the one hand, the soundness of unrestricted call-by-value Hindley-Milner polymorphism is known to fail in the presence of computational effects such as reference cells and continuations. On the other hand, many programming examples can be recast to use effect handlers instead of these effects. Analysing the expressive power of effect handlers with respect to state effects, we claim handlers cannot express reference cells, and show they can simulate dynamically scoped state.

Programming Languages,Logic in Computer Science

Lara Bargmann,Heike Wehrheim

DOI: https://doi.org/10.48550/arXiv.2309.01433

2023-09-04

Abstract:Weak memory models specify the semantics of concurrent programs on multi-core architectures. Reasoning techniques for weak memory models are often specialized to one fixed model and verification results are hence not transferable to other memory models. A recent proposal of a generic verification technique based on axioms on program behaviour expressed via weakest preconditions aims at overcoming this specialization to dedicated models. Due to the usage of weakest preconditions, reasoning however takes place on a very low level requiring the application of numerous axioms for deriving program properties, even for a single statement. In this paper, we lift reasoning in this generic verification approach to a more abstract level. Based on a view-based assertion language, we provide a number of novel proof rules for directly reasoning on the level of program constructs. We prove soundness of our proof rules and exemplify them on the write-to-read causality (WRC) litmus test. A comparison to the axiom-based low-level proof reveals a significant reduction in the number of required proof steps.

Logic in Computer Science,Programming Languages

Thomas Wies,Viktor Kuncak,Karen Zee,Andreas Podelski,Martin Rinard

DOI: https://doi.org/10.48550/arXiv.cs/0609104

2006-09-18

Programming Languages

Abstract:One of the main challenges in the verification of software systems is the analysis of unbounded data structures with dynamic memory allocation, such as linked data structures and arrays. We describe Bohne, a new analysis for verifying data structures. Bohne verifies data structure operations and shows that 1) the operations preserve data structure invariants and 2) the operations satisfy their specifications expressed in terms of changes to the set of objects stored in the data structure. During the analysis, Bohne infers loop invariants in the form of disjunctions of universally quantified Boolean combinations of formulas. To synthesize loop invariants of this form, Bohne uses a combination of decision procedures for Monadic Second-Order Logic over trees, SMT-LIB decision procedures (currently CVC Lite), and an automated reasoner within the Isabelle interactive theorem prover. This architecture shows that synthesized loop invariants can serve as a useful communication mechanism between different decision procedures. Using Bohne, we have verified operations on data structures such as linked lists with iterators and back pointers, trees with and without parent pointers, two-level skip lists, array data structures, and sorted lists. We have deployed Bohne in the Hob and Jahob data structure analysis systems, enabling us to combine Bohne with analyses of data structure clients and apply it in the context of larger programs. This report describes the Bohne algorithm as well as techniques that Bohne uses to reduce the ammount of annotations and the running time of the analysis.