Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential Privacy

Barthe, Gilles; Gaboardi, Marco; Arias, Emilio Jesús Gallego; Hsu, Justin; Roth, Aaron; Strub, Pierre-Yves

doi:10.1145/2676726.2677000

Cited by 72 publications

(91 citation statements)

References 70 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The type systems for information flow control generally trade off precision for good automation [Sabelfeld and Myers 2003]. Various specialized type systems and static analysis tools have also been proposed for checking differential privacy [Barthe et al 2015;Gaboardi et al 2013;Gavazzo 2018;Winograd-Cort et al 2017;Zhang and Kifer 2017] or doing relational cost analysis [Çiçek et al 2017].…”

Section: Related Workmentioning

confidence: 99%

The next 700 relational program logics

Maillard

Hriţcu

Rivas

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We propose the first framework for defining relational program logics for arbitrary monadic effects. The framework is embedded within a relational dependent type theory and is highly expressive. At the semantic level, we provide an algebraic characterization for relational specifications as a class of relative monads, and link computations and specifications by introducing relational effect observations, which map pairs of monadic computations to relational specifications in a way that respects the algebraic structure. For an arbitrary relational effect observation, we generically define the core of a sound relational program logic, and explain how to complete it to a full-fledged logic for the monadic effect at hand. We show that by instantiating our framework with state and unbounded iteration we can embed a variant of Benton's Relational Hoare Logic, and also sketch how to reconstruct Relational Hoare Type Theory. Finally, we identify and overcome conceptual challenges that prevented previous relational program logics from properly dealing with effects such as exceptions, and are the first to provide a proper semantic foundation and a relational program logic for exceptions.

show abstract

Section: Related Workmentioning

confidence: 99%

The next 700 relational program logics

Maillard

Hriţcu

Rivas

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…The specific incarnation of our methodology in F ⋆ exploits its efficient implementation of effects enabled by abstraction and controlled reification; a unary weakest precondition calculus as a base for relational proofs; SMT-based automation; and the convenience of writing effectful code in direct style with returns, binds, and lifts automatically inserted. (Aguirre et al 2017;Barthe et al 2009;Benton 2004;Yang 2007), while others apply general relational logics to specific domains, including access control (Nanevski et al 2013), cryptography (Barthe et al 2009(Barthe et al , 2012(Barthe et al , 2013aPetcher and Morrisett 2015), differential privacy (Barthe et al 2013b;Zhang and Kifer 2017), mechanism design (Barthe et al 2015), cost analysis (Çiçek et al 2017), program approximations (Carbin et al 2012). RF ⋆ , is worth pointing out for its connection to F ⋆ .…”

Section: Related Workmentioning

confidence: 99%

A monadic framework for relational verification: applied to information security, program equivalence, and optimizations

Grimm¹,

Maillard²,

Fournet³

et al. 2018

Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs - CPP 2018

View full text Add to dashboard Cite

Relational properties describe multiple runs of one or more programs. They characterize many useful notions of security, program refinement, and equivalence for programs with diverse computational effects, and they have received much attention in the recent literature. Rather than developing separate tools for special classes of effects and relational properties, we advocate using a general purpose proof assistant as a unifying framework for the relational verification of effectful programs. The essence of our approach is to model effectful computations using monads and to prove relational properties on their monadic representations, making the most of existing support for reasoning about pure programs.We apply this method in F ⋆ and evaluate it by encoding a variety of relational program analyses, including information flow control, semantic declassification, program equivalence and refinement at higher order, correctness of program optimizations and game-based cryptographic security. By relying on SMT-based automation, unary weakest preconditions, user-defined effects, and monadic reification, we show that, compared to unary properties, verifying relational properties requires little additional effort from the F ⋆ programmer.

show abstract

“…Like RHL, RSL lacks the ability to cope with structurally dissimilar programs. Relational program logics have recently been extended to probabilistic programs, both in an imperative setting [11,12] and in a higher-order setting [8,10], and applied to reason about cryptographic constructions, differentially private computations, and mechanism design. Regression verification is another approach proposed by Godlin and Strichman [22] for proving equivalence between two programs.…”

Section: Related Workmentioning

confidence: 99%

Product programs and relational program logics

Barthe

Crespo²,

Kunz³

2016

Journal of Logical and Algebraic Methods in Programming

Self Cite

View full text Add to dashboard Cite

A common theme in program verification is to relate two programs, for instance to show that they are equivalent, or that one refines the other. Such relationships can be formally established using relational program logics, which are tailored to reason about relations between two programs, or product constructions which allow to build from two programs a product program that emulates the behavior of both input programs. Similarly, product programs and relational program logics can be used to reason about 2-safety properties, an important class of properties that reason about two executions of the same program, and includes as instances non-interference, continuity, and determinism. In this paper, we consider several notions of product programs and explore their relationship with different relational program logics. Moreover, we present applications of product programs to program robustness, non-interference, translation validation, and differential privacy.

show abstract

Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential Privacy

Cited by 72 publications

References 70 publications

The next 700 relational program logics

The next 700 relational program logics

A monadic framework for relational verification: applied to information security, program equivalence, and optimizations

Product programs and relational program logics

Contact Info

Product

Resources

About