Pilsner: a compositionally verified compiler for a higher-order imperative language

Neis, Georg; Hur, Chung-Kil; Kaiser, Jan-Oliver; McLaughlin, Craig; Dreyer, Derek; Vafeiadis, Viktor

doi:10.1145/2784731.2784764

Cited by 63 publications

(32 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The initial version of CakeML [Kumar et al 2014] treated them naively, with applications feeding one argument in at a time, and always jumping to the code pointer loaded from the heap-allocated closure record. Pilsner [Neis et al 2015] does the same, although it does support inlining, contiication, and hoisting optimisations that we do not address here. The most recent work on CakeML mentions ClosLang and the treatment of multi-argument functions, but it does not explain the semantics, or give any information on how the veriication works.…”

Section: Introductionmentioning

confidence: 87%

“…18:25 9 RELATED WORK As mentioned in ğ1, neither previous versions of CakeML [Kumar et al 2014], nor Pilsner [Neis et al 2015] support special semantics for curried functions, nor do they optimise calls to known (but not inlined) functions. This is true for Lambda Tamer [Chlipala 2010] as well, although it uses higher-order abstract syntax instead of de Bruijn indices and shifting.…”

Section: Verifying Eficient Function Calls In Cakemlmentioning

confidence: 99%

See 1 more Smart Citation

Verifying efficient function calls in CakeML

Owens

Norrish

Kumar

et al. 2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We have designed an intermediate language (IL) for the CakeML compiler that supports the veriied, eicient compilation of functions and calls. Veriied compilation steps include batching of multiple curried arguments, detecting calls to statically known functions, and specialising calls to known functions with no free variables. Finally, we verify the translation to a lower-level IL that only supports closed, irst-order functions.These compilation steps resemble those found in other compilers (especially OCaml). Our contribution here is the design of the semantics of the IL, and the demonstration that our veriication techniques over this semantics work well in practice at this scale. The entire development was carried out in the HOL4 theorem prover.

show abstract

Section: Introductionmentioning

confidence: 87%

Section: Verifying Eficient Function Calls In Cakemlmentioning

confidence: 99%

Verifying efficient function calls in CakeML

Owens

Norrish

Kumar

et al. 2017

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…More compositional criteria for compiler correctness have also been proposed [56,70,79,92]. At a minimum such criteria allow linking with contexts that are the compilation of source contexts [56], which can be formalized as follows:…”

Section: Robust Trace Property Preservation (Rtp)mentioning

confidence: 99%

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Abate

Blanco

Garg

et al. 2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Good programming languages provide helpful abstractions for writing secure code, but the security properties of the source language are generally not preserved when compiling a program and linking it with adversarial code in a low-level target language (e.g., a library or a legacy application). Linked target code that is compromised or malicious may, for instance, read and write the compiled program's data and code, jump to arbitrary memory locations, or smash the stack, blatantly violating any source-level abstraction. By contrast, a fully abstract compilation chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about the compiled program than what some linked source code could about the source program. However, while research in this area has so far focused on preserving observational equivalence, as needed for achieving full abstraction, there is a much larger space of security properties one can choose to preserve against linked adversarial code. And the precise class of security properties one chooses crucially impacts not only the supported security goals and the strength of the attacker model, but also the kind of protections a secure compilation chain has to introduce.We are the first to thoroughly explore a large space of formal secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary adversarial contexts. We study robustly preserving various classes of trace properties such as safety, of hyperproperties such as noninterference, and of relational hyperproperties such as trace equivalence. This leads to many new secure compilation criteria, some of which are easier to practically achieve and prove than full abstraction, and some of which provide strictly stronger security guarantees. For each of the studied criteria we propose an equivalent "property-free" characterization that clarifies which proof techniques apply. For relational properties and hyperproperties, which relate the behaviors of multiple programs, our formal definitions of the property classes themselves are novel. We order our criteria by their relative strength and show several collapses and separation results. Finally, we adapt existing proof techniques to show that even the strongest of our secure compilation criteria, the robust preservation of all relational hyperproperties, is achievable for a simple translation from a statically typed to a dynamically typed language.(∀C T . ∀t 1 , .., t k , ..(∀i.C T [P i ] t i ) ⇒ (t 1 , .., t k , ..) ∈ R)

show abstract

“…We could support a compositional compiler correctness result by developing a relation independent of the compiler between source and target components to classify which components are safe to link with. There are well known techniques for developing such relations which we think will extend to CC [13,36,37,41,43].…”

Section: Separate and Compositional Compilationmentioning

confidence: 99%

Typed closure conversion for the calculus of constructions

Bowman

Ahmed

2018

Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

Dependently typed languages such as Coq are used to specify and verify the full functional correctness of source programs. Type-preserving compilation can be used to preserve these specifications and proofs of correctness through compilation into the generated target-language programs. Unfortunately, type-preserving compilation of dependent types is hard. In essence, the problem is that dependent type systems are designed around high-level compositional abstractions to decide type checking, but compilation interferes with the type-system rules for reasoning about run-time terms.We develop a type-preserving closure-conversion translation from the Calculus of Constructions (CC) with strong dependent pairs (Σ types)-a subset of the core language of Coq-to a type-safe, dependently typed compiler intermediate language named CC-CC. The central challenge in this work is how to translate the source type-system rules for reasoning about functions into target type-system rules for reasoning about closures. To justify these rules, we prove soundness of CC-CC by giving a model in CC. In addition to type preservation, we prove correctness of separate compilation.

show abstract

Pilsner: a compositionally verified compiler for a higher-order imperative language

Cited by 63 publications

References 29 publications

Verifying efficient function calls in CakeML

Verifying efficient function calls in CakeML

Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation

Typed closure conversion for the calculus of constructions

Contact Info

Product

Resources

About