Linear capabilities for fully abstract compilation of separation-logic-verified code

IF 1.1 3区计算机科学 Q4 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Functional Programming Pub Date : 2021-03-30 DOI:10.1017/s0956796821000022

THOMAS VAN STRYDONCK, FRANK PIESSENS, DOMINIQUE DEVRIESE

{"title":"Linear capabilities for fully abstract compilation of separation-logic-verified code","authors":"THOMAS VAN STRYDONCK, FRANK PIESSENS, DOMINIQUE DEVRIESE","doi":"10.1017/s0956796821000022","DOIUrl":null,"url":null,"abstract":"Separation logic is a powerful program logic for the static modular verification of imperative programs. However, dynamic checking of separation logic contracts on the boundaries between verified and untrusted modules is hard because it requires one to enforce (among other things) that outcalls from a verified to an untrusted module do not access memory resources currently owned by the verified module. This paper proposes an approach to dynamic contract checking by relying on support for capabilities, a well-studied form of unforgeable memory pointers that enables fine-grained, efficient memory access control. More specifically, we rely on a form of capabilities called linear capabilities for which the hardware enforces that they cannot be copied. We formalize our approach as a fully abstract compiler from a statically verified source language to an unverified target language with support for linear capabilities. The key insight behind our compiler is that memory resources described by spatial separation logic predicates can be represented at run time by linear capabilities. The compiler is separation-logic-proof-directed: it uses the separation logic proof of the source program to determine how memory accesses in the source program should be compiled to linear capability accesses in the target program. The full abstraction property of the compiler essentially guarantees that compiled verified modules can interact with untrusted target language modules as if they were compiled from verified code as well. This article is an extended version of one that was presented at ICFP 2019 (Van Strydonck et al., 2019).","PeriodicalId":15874,"journal":{"name":"Journal of Functional Programming","volume":"46 1","pages":""},"PeriodicalIF":1.1000,"publicationDate":"2021-03-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Functional Programming","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1017/s0956796821000022","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Separation logic is a powerful program logic for the static modular verification of imperative programs. However, dynamic checking of separation logic contracts on the boundaries between verified and untrusted modules is hard because it requires one to enforce (among other things) that outcalls from a verified to an untrusted module do not access memory resources currently owned by the verified module. This paper proposes an approach to dynamic contract checking by relying on support for capabilities, a well-studied form of unforgeable memory pointers that enables fine-grained, efficient memory access control. More specifically, we rely on a form of capabilities called linear capabilities for which the hardware enforces that they cannot be copied. We formalize our approach as a fully abstract compiler from a statically verified source language to an unverified target language with support for linear capabilities. The key insight behind our compiler is that memory resources described by spatial separation logic predicates can be represented at run time by linear capabilities. The compiler is separation-logic-proof-directed: it uses the separation logic proof of the source program to determine how memory accesses in the source program should be compiled to linear capability accesses in the target program. The full abstraction property of the compiler essentially guarantees that compiled verified modules can interact with untrusted target language modules as if they were compiled from verified code as well. This article is an extended version of one that was presented at ICFP 2019 (Van Strydonck et al., 2019).

查看原文本刊更多论文

对分离逻辑验证代码进行完全抽象编译的线性能力

分离逻辑是一种功能强大的程序逻辑，用于命令式程序的静态模块化验证。然而，对已验证模块和不受信任模块之间边界上的分离逻辑契约进行动态检查是困难的，因为它需要强制执行(除其他事项外)从已验证模块到不受信任模块的输出调用不访问当前由已验证模块拥有的内存资源。本文提出了一种动态契约检查的方法，它依赖于对功能的支持，这是一种经过充分研究的不可伪造内存指针形式，可以实现细粒度、高效的内存访问控制。更具体地说，我们依赖于一种称为线性能力的能力形式，硬件强制它们不能被复制。我们将我们的方法形式化为一个完全抽象的编译器，从静态验证的源语言到支持线性功能的未经验证的目标语言。我们编译器背后的关键见解是，由空间分离逻辑谓词描述的内存资源可以在运行时通过线性能力表示。编译器是面向分离逻辑证明的:它使用源程序的分离逻辑证明来确定源程序中的内存访问应该如何编译为目标程序中的线性能力访问。编译器的完整抽象属性本质上保证编译后的经过验证的模块可以与不受信任的目标语言模块交互，就好像它们是从经过验证的代码中编译出来的一样。本文是在ICFP 2019上发表的一篇文章的扩展版本(Van Strydonck et al.， 2019)。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Functional Programming 工程技术-计算机：软件工程

CiteScore

1.70

自引率

0.00%

发文量

审稿时长

>12 weeks

期刊介绍： Journal of Functional Programming is the only journal devoted solely to the design, implementation, and application of functional programming languages, spanning the range from mathematical theory to industrial practice. Topics covered include functional languages and extensions, implementation techniques, reasoning and proof, program transformation and synthesis, type systems, type theory, language-based security, memory management, parallelism and applications. The journal is of interest to computer scientists, software engineers, programming language researchers and mathematicians interested in the logical foundations of programming.