Refinement reflection: complete verification with SMT

Vazou, Niki; Tondwalkar, Anish; Choudhury, Vikraman; Scott, Ryan G.; Newton, Ryan; Wadler, Philip; Jhala, Ranjit

doi:10.1145/3158141

Cited by 51 publications

(44 citation statements)

References 62 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…[Giesl et al 2011[Giesl et al , 2006[Giesl et al , 2004) can be used instead or in complement to our approach. The use of type checking in verification appears in program verifiers such as F* [Ahman et al 2017;Swamy et al 2016Swamy et al , 2013 and Liquid Haskell [Vazou et al 2013[Vazou et al , 2014[Vazou et al , 2018. Like Dafny [Leino 2010] and Stainless, these systems rely on SMT solvers to automatically discharge verification conditions.…”

Section: Related Workmentioning

confidence: 99%

System FR: formalized foundations for the stainless verifier

Hamza

Voirol

Kunčak

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We present the design, implementation, and foundation of a verifier for higher-order functional programs with generics and recursive data types. Our system supports proving safety and termination using preconditions, postconditions and assertions. It supports writing proof hints using assertions and recursive calls. To formalize the soundness of the system we introduce System FR, a calculus supporting System F polymorphism, dependent refinement types, and recursive types (including recursion through contravariant positions of function types). Through the use of sized types, System FR supports reasoning about termination of lazy data structures such as streams. We formalize a reducibility argument using the Coq proof assistant and prove the soundness of a type-checker with respect to call-by-value semantics, ensuring type safety and normalization for typeable programs. Our program verifier is implemented as an alternative verification-condition generator for the Stainless tool, which relies on the Inox SMT-based solver backend for automation. We demonstrate the efficiency of our approach by verifying a collection of higher-order functional programs comprising around 14000 lines of polymorphic higher-order Scala code, including graph search algorithms, basic number theory, monad laws, functional data structures, and assignments from popular Functional Programming MOOCs.

show abstract

Section: Related Workmentioning

confidence: 99%

System FR: formalized foundations for the stainless verifier

Hamza

Voirol

Kunčak

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

show abstract

“…We present them the same way in this paper, rather than reformatting them as mathematical inference rules. Metatheoretic properties are expressed as refinement types, following Vazou et al [2017Vazou et al [ , 2018, and proofs are Haskell functions with these types (checked by the SMT solver). We assess our experience using Liquid Haskell for metatheory in comparison to related approaches in § 5.…”

Section: Mechanizing Noninterference Of Lio In Liquid Haskellmentioning

confidence: 99%

“…We define a Haskell (executable) function evalPredicate and use an axiom to connect it with the synonymous logical uninterpreted function [Vazou et al 2018]: Primitive queries. It is straightforward to define primitive operators that manipulate the database but do not perform IFC checks.…”

Section: Querying the Databasementioning

confidence: 99%

LWeb: information flow security for multi-tier web applications

Parker

Vazou

Hicks

2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

This paper presents LWeb, a framework for enforcing label-based, information flow policies in database-using web applications. In a nutshell, LWeb marries the LIO Haskell IFC enforcement library with the Yesod web programming framework. The implementation has two parts. First, we extract the core of LIO into a monad transformer (LMonad) and then apply it to Yesod's core monad. Second, we extend Yesod's table definition DSL and query functionality to permit defining and enforcing label-based policies on tables and enforcing them during query processing. LWeb's policy language is expressive, permitting dynamic per-table and per-row policies. We formalize the essence of LWeb in the λ LWeb calculus and mechanize the proof of noninterference in Liquid Haskell. This mechanization constitutes the first metatheoretic proof carried out in Liquid Haskell. We also used LWeb to build a substantial web site hosting the Build it, Break it, Fix it security-oriented programming contest. The site involves 40 data tables and sophisticated policies. Compared to manually checking security policies, LWeb imposes a modest runtime overhead of between 2% to 21%. It reduces the trusted code base from the whole application to just 1% of the application code, and 21% of the code overall (when counting LWeb too).A promising solution to these problems is embodied in the LIO system for Haskell. LIO is a drop-in replacement for the Haskell IO monad, extending IO with an internal current label and clearance label. Such labels are lattice ordered (as is typical [Denning 1976]), with the degenerate case being a secret (high) label and public (low) one. LIO's current label constitutes the least upper bound of the security labels of all values read during the current computation. Effectful operations such as reading/writing from stable storage, or communicating with other processes, are checked against the current label. If the operation's security label (e.g., that on a channel being written to) is lower than the current label, then the operation is rejected as potentially insecure. The clearance serves as an upper bound that the current label may never cross, even prior to performing any I/O, so as to reduce the chance of side channels. Haskell's clear, type-enforced separation of pure computation from effects makes LIO easy to implement soundly and efficiently, compared to other dynamic enforcement mechanisms. This paper presents LWeb, an extension to LIO that aims to bring its benefits to Haskell-based web applications. This paper presents the three main contributions of our work.First, we present an extension to a core LIO formalism with support for database transactions. Each table has a label that protects its length. In our implementation we use DC labels , which have both confidentiality and integrity components. The confidentiality component of the table label controls who can query it (as the result may reveal something about the table's length), and the integrity component controls who can add or delete rows (since both may change the ...

show abstract

“…In such cases, Liquid Haskell can lift arbitrary Haskell functions into the refinement type level via the notion of reflection [Vazou et al 2018]. Rather than using the straightforward translation available for measures, which completely describes the function to the SMT solver, reflection gives the SMT solver only the value of the function for the arguments on which it is actually called.…”

Section: Deep Reasoningmentioning

confidence: 99%

Theorem proving for all: equational reasoning in liquid Haskell (functional pearl)

et al. 2018

Self Cite

View full text Add to dashboard Cite

Equational reasoning is one of the key features of pure functional languages such as Haskell. To date, however, such reasoning always took place externally to Haskell, either manually on paper, or mechanised in a theorem prover. This article shows how equational reasoning can be performed directly and seamlessly within Haskell itself, and be checked using Liquid Haskell. In particular, language learners -to whom external theorem provers are out of reach -can benefit from having their proofs mechanically checked. Concretely, we show how the equational proofs and derivations from Hutton [2016]'s textbook can be recast as proofs in Haskell (spoiler: they look essentially the same).

show abstract

Refinement reflection: complete verification with SMT

Cited by 51 publications

References 62 publications

System FR: formalized foundations for the stainless verifier

System FR: formalized foundations for the stainless verifier

LWeb: information flow security for multi-tier web applications

Theorem proving for all: equational reasoning in liquid Haskell (functional pearl)

Contact Info

Product

Resources

About