Adam Chlipala
Cambridge, MA
USA
adamc@csail.mit.edu
http://adam.chlipala.net/
Cambridge, MA
adam@chlipala.net; http://adam.chlipala.net/
http://adam.chlipala.net/cv.html
Not currently seeking employment
Applied logic in development tools for software and hardware (including verification and synthesis for applications, compilers, databases, operating systems, and hardware designs, using separation logic and other modular proof techniques)
Design and implementation of programming languages (especially functional languages with rich type systems)
Design, implementation, and applications of interactive proof assistants
Computer theorem proving
Certified type-preserving compilers
http://ltamer.sf.net/
Verifying imperative programs
http://ynot.cs.harvard.edu/
Design, implementation, and analysis of functional programming languages
Statically typed metaprogramming for web apps
http://www.impredicative.com/ur/
Static types for system configuration
http://wiki.hcoop.net/DomTool
American citizen
January
February
March
April
May
June
July
August
September
October
November
December
Adam Chlipala
http://adam.chlipala.net/
Alex Konradi
https://www.linkedin.com/in/alexander-konradi-89604081/
Andrew W. Appel
https://www.cs.princeton.edu/~appel/
Arvind
http://csg.csail.mit.edu/Users/arvind/
Atalay Ileri
https://github.com/Atalay-Ileri
Benjamin C. Pierce
http://www.cis.upenn.edu/~bcpierce/
Evan Chang
Bor-Yuh Evan Chang
http://www.cs.colorado.edu/~bec/
Benjamin Delaware
https://www.cs.purdue.edu/homes/bendy/
Dirk Beyer
http://www.sosy-lab.org/~dbeyer/
Thomas Braibant
http://braibant.github.io/
Christian J. Bell
http://people.csail.mit.edu/cj/
Clément Pit--Claudel
http://pit-claudel.fr/clement/
Santiago Cuellar
http://scholar.princeton.edu/scuellar/
Karl Crary
http://www.cs.cmu.edu/~crary/
Di Wang
https://github.com/stonebuddha
Daniel Ziegler
http://events.ccc.de/congress/2014/Fahrplan/speakers/5081.html
David Spivak
http://math.mit.edu/~dspivak/
Samuel Duchovni
https://github.com/sdukhovni
Lennart Beringer
https://www.cs.princeton.edu/~eberinge/
Gregory Malecha
https://gmalecha.github.io/
Greg Morrisett
http://www.cs.cornell.edu/~jgm/
Thomas Gregoire
http://tgregoire.info/
Haogang Chen
http://pdos.csail.mit.edu/~hchen/
Jason Gross
http://people.csail.mit.edu/jgross/
Ranjit Jhala
http://goto.ucsd.edu/~rjhala/
Joonwon Choi
http://people.csail.mit.edu/joonwonc/
Frans Kaashoek
http://pdos.csail.mit.edu/~kaashoek/
Eddie Kohler
http://read.seas.harvard.edu/~kohler/
Katherine Ye
https://www.cs.cmu.edu/~kqy/
Mohsen Lesani
http://www.cs.ucr.edu/~lesani/
David Lazar
http://www.csail.mit.edu/user/3604
Leaf Petersen
http://www.leafpetersen.com/
Brian Lucena
http://www1.aucegypt.edu/faculty/lucena/
Manuel Fahndrich
http://fahndrich.com/
Michael Erdmann
http://www.cs.cmu.edu/~me/
Nirav Dave
http://people.csail.mit.edu/ndave/
George Necula
George C. Necula
http://www.cs.berkeley.edu/~necula/
Nickolai Zeldovich
http://people.csail.mit.edu/nickolai/
Rupak Majumdar
http://www.mpi-sws.org/~rupak/
Robert Harper
http://www.cs.cmu.edu/~rwh/
Ryan Wisnesky
http://wisnesky.net/
Robert Schneck
Robert R. Schneck
http://tupelo-schneck.org/robert/
Zhong Shao
http://www.cs.yale.edu/homes/shao/
Benjamin Sherman
http://www.ben-sherman.net/
Avraham Shinnar
http://researcher.watson.ibm.com/researcher/view.php?person=us-shinnar
Sorawit Suriyakarn
https://github.com/sorawit
Steve Zdancewic
http://www.cis.upenn.edu/~stevez/
Stephanie Wang
https://github.com/stephanie-wang
Stephanie Weirich
http://www.cis.upenn.edu/~sweirich/
Thomas Henzinger
http://pub.ist.ac.at/~tah/
Tej Chajed
https://github.com/tchajed
Muralidaran Vijayaraghavan
http://people.csail.mit.edu/vmurali/
Peng Wang
http://people.csail.mit.edu/wangpeng/
Xi Wang
http://homes.cs.washington.edu/~xi/
Jeannette Wing
http://www.cs.cmu.edu/~wing/
Ziv Scully
http://www.djnziv.com/
Zachary Tatlock
http://homes.cs.washington.edu/~ztatlock/
Avaya Communication
Avaya
Holmdel
NJ
http://www.avaya.com/
Carnegie Mellon University
Pittsburgh
PA
http://www.cmu.edu/
Computer Science Department
http://www.cs.cmu.edu/
15-212: Principles of Programming
(introduction to formal reasoning about programs and functional programming with Standard ML)
15-212
http://www.cs.cmu.edu/~me/courses/212/
The TILT type-directed Standard ML compiler project
TILT
http://www.cs.cornell.edu/home/jgm/tilt.html
IEEE Computer Society Press
IEEE
http://www.ieee.org/
Cambridge University Press
CUP
http://www.cambridge.org/
Harvard University
Harvard
Cambridge
MA
http://www.harvard.edu/
School of Engineering and Applied Sciences
http://www.seas.harvard.edu/
COMPSCI 252: Certified Programming with Dependent Types
CS252
http://www.cs.harvard.edu/~adamc/cpdt/
Microsoft Research
MSR
http://research.microsoft.com/
Software Productivity Tools group
Redmond
WA
SPT
The Singularity project
Singularity
http://research.microsoft.com/os/singularity/
IBM Research
IBM
http://research.ibm.com/
IBM Watson Research Center
Hawthorne
NY
IBM Watson
University of Oregon
http://www.uoregon.edu/
Trifecta Technologies
Trifecta
Allentown
PA
http://www.trifecta.com/
University of California, Berkeley
Berkeley
http://www.berkeley.edu/
Electrical Engineering and Computer Science Department
EECS
http://www.eecs.berkeley.edu/
Computer Science Division
CS
http://www.cs.berkeley.edu/
The BLAST project
http://cseweb.ucsd.edu/~rjhala/blast.html
BLAST
CS172: Computability and Complexity
http://inst.eecs.berkeley.edu/~cs172/sp05/
CS172
The Open Verifier project
Open Verifier
CS294-9: Interactive Computer Theorem Proving
CS294-9
http://adam.chlipala.net/itp/
UC Berkeley EECS Department
http://www.eecs.berkeley.edu/
Massachusetts Institute of Technology
MIT
http://www.mit.edu/
Department of Electrical Engineering and Computer Science
EECS
http://www.eecs.mit.edu/
Computer Science and Artificial Intelligence Laboratory
CSAIL
http://www.csail.mit.edu/
Emmaus High School
Emmaus, PA
http://www.eastpenn.k12.pa.us/ehs/
Association for Computing Machinery
ACM
http://www.acm.org/
IEEE
http://www.ieee.org/
Royal Society
Royal Society
https://royalsociety.org/
Springer-Verlag
http://www.springer.de/comp/lncs
Elsevier
http://www.elsevier.com/
Jane Street Capital
Jane Street Capital
http://www.janestreet.com/
26th International Conference on Software Engineering
ICSE'04
http://www.icse-conferences.org/2004/index.html
2004
Edinburgh, Scotland
11th Static Analysis Symposium
SAS'04
http://profs.sci.univr.it/~sas04/
2004
Verona, Italy
9th ACM SIGPLAN International Conference on Functional Programming
ICFP'04
http://www.cs.indiana.edu/icfp04/
Snowbird, Utah, USA
2004
2nd ACM SIGPLAN Workshop on Types in Language Design and Implementation
TLDI'05
http://research.microsoft.com/~maf/tldi05/
2005
Long Beach, California, USA
12th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning
http://www.lpar.net/2005/
LPAR'05
Montego Bay, Jamaica
2005
7th International Conference on Verification, Model Checking, and Abstract Interpretation
http://www.informatik.uni-trier.de/~ley/db/conf/vmcai/vmcai2006.html
VMCAI'06
2006
Charleston, South Carolina, USA
21st Annual IEEE Symposium on Logic in Computer Science
http://www.easychair.org/FLoC-06/LICS.html
LICS'06
2006
Seattle, Washington, USA
11th ACM SIGPLAN International Conference on Functional Programming
http://icfp06.cs.uchicago.edu/
ICFP'06
2006
Portland, Oregon, USA
4th ASIAN Symposium on Programming Languages and Systems
http://www.kb.ecei.tohoku.ac.jp/aplas2006/
APLAS'06
2006
Sydney, Australia
International Workshop on Proof-Carrying Code
http://www.cs.stevens.edu/~abc/PCC-Workshop.html
PCC'06
2006
Seattle, Washington, USA
6th International Workshop on Strategies in Automated Deduction
http://www.easychair.org/FLoC-06/Strategies.html
STRATEGIES'06
2006
Seattle, Washington, USA
Programming Languages meets Program Verification Workshop
http://www.easychair.org/FLoC-06/PLPV.html
PLPV'06
2006
Seattle, Washington, USA
3nd ACM SIGPLAN Workshop on Types in Language Design and Implementation
TLDI'07
http://www.cs.berkeley.edu/~necula/tldi07/
2007
Nice, France
ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation
PLDI'07
http://ties.ucsd.edu/PLDI/
2007
San Diego, California, USA
2005 Open Source Quality Project Retreat
Open Source Quality Project Retreat
http://www.cs.berkeley.edu/~bodik/OSQ05.htm
2005
2006 Open Source Quality Project Retreat
Open Source Quality Project Retreat
http://www.cs.berkeley.edu/~bodik/OSQ06.htm
2006
2007 Open Source Quality Project Retreat
Open Source Quality Project Retreat
http://www.eecs.berkeley.edu/~sseshia/OSQ07.htm
2007
Projet Gallium seminar
http://www-c.inria.fr/Internet/rendez-vous/seminaires-des-equipes-de-recherche/a-certified-type-preserving-compiler-from-lambda-calculus-to-assembly-language
2007
18th International Conference on Term Rewriting and Applications
RTA'07
http://www.lsv.ens-cachan.fr/rdp07/rta.html
2007
Paris, France
2nd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory
WMM'07
http://www.cis.upenn.edu/~sweirich/wmm/wmm07.html
Freiburg, Germany
2007
35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'08
http://www.cs.ucsd.edu/popl/08/
2008
San Francisco, California, USA
9th International Conference on Verification, Model Checking and Abstract Interpretation
VMCAI'08
http://www.cs.uic.edu/vmcai08/
2008
San Francisco, California, USA
ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation
PLDI'08
http://pldi2008.cs.ucr.edu/
2008
Tucson, Arizona, USA
3rd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory
WMM'08
http://www.cis.upenn.edu/~sweirich/wmm/wmm08.html
2008
Victoria, British Columbia, Canada
13th ACM SIGPLAN International Conference on Functional Programming
ICFP'08
http://www.icfpconference.org/icfp2008/
2008
Victoria, British Columbia, Canada
36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'09
http://www.cs.ucsd.edu/popl/09/
2009
Savannah, Georgia, USA
4th ACM SIGPLAN Workshop on Types in Language Design and Implementation
TLDI'09
http://ttic.uchicago.edu/~amal/tldi2009/
2009
Savannah, Georgia, USA
18th European Symposium on Programming
ESOP'09
http://esop09.pps.jussieu.fr/
2009
York, United Kingdom
21st New England Programming Languages and Systems Symposium
NEPLS 21
http://www.nepls.org/Events/21/
2008
Cambridge, MA, USA
2008 TYPES Meeting
TYPES'08
http://types2008.di.unito.it/
2008
Torino, Italy
ACM SIGPLAN 2009 Conference on Programming Language Design and Implementation
PLDI'09
http://www-plan.cs.colorado.edu/~pldi09/
2009
Dublin, Ireland
4th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice
LFMTP'09
http://workshops.inf.ed.ac.uk/lfmtp/
2009
Montreal, Canada
Boston University Programming Languages Reading Group
http://www.church-project.org/reading-group/reading-group.html
2009
Northeastern University Programming Languages Seminar
http://www.ccs.neu.edu/home/wand/pl-seminar/
2009
Microsoft Research Redmond
http://research.microsoft.com/
2009
14th ACM SIGPLAN International Conference on Functional Programming
ICFP'09
http://www.cs.nott.ac.uk/~gmh/icfp09.html
2009
Edinburgh, Scotland
4th Informal ACM SIGPLAN Workshop on Mechanizing Metatheory
WMM'09
http://www.cis.upenn.edu/~sweirich/wmm/wmm09.html
2009
Edinburgh, Scotland
ACM SIGPLAN Developer Tracks on Functional Programming
DEFUN'09
http://www.defun2009.info/
2009
Edinburgh, Scotland
New Jersey Programming Languages and Systems Seminar
NJPLS
http://www.njpls.org/oct09.html
2009
Bethlehem, PA, USA
New England F# User Group
New England F# User Group
http://www.fsug.org/
2009
Cambridge, MA, USA
37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'10
http://www.cse.psu.edu/popl/10/
2010
Madrid, Spain
Programming Languages meets Program Verification Workshop
http://slang.soe.ucsc.edu/plpv10/
PLPV'10
2010
Madrid, Spain
Boston Lisp
Boston Lisp
http://common-lisp.net/project/boston-lisp/
2010
Cambridge, MA, USA
13th International Conference on Foundations of Software Science and Computation Structures
FoSSaCS'10
http://users.comlab.ox.ac.uk/luke.ong/FoSSaCS2010/
2010
Paphos, Cyprus
Sixteenth International Conference on Tools and Algorithms for the Construction and Analysis of Systems
TACAS'10
http://tacas10.in.tum.de/
2010
Paphos, Cyprus
ACM SIGPLAN 2010 Conference on Programming Language Design and Implementation
PLDI'10
http://cs.stanford.edu/pldi10/
2010
Toronto, Canada
The Second Coq Workshop
Coq-2
http://coq.inria.fr/coq-workshop/2010
2010
Edinburgh, Scotland
Dependently Typed Programming 2010
DTP'10
http://sneezy.cs.nott.ac.uk/darcs/dtp10/
2010
Edinburgh, Scotland
2nd Workshop on Module Systems and Libraries for Proof Assistants
MLPA'10
http://kwarc.info/frabe/events/mlpa-10.html
2010
Edinburgh, Scotland
Emerging Languages Camp 2010
Emerging Languages Camp 2010
http://emerginglangs.com/
2010
Portland, OR, USA
Mathematically Structured Functional Programming 2010
MSFP'10
http://cs.ioc.ee/msfp/msfp2010/
2010
Baltimore, MD, USA
9th USENIX Symposium on Operating Systems Design and Implementation
OSDI'10
http://www.usenix.org/event/osdi10/
2010
Vancouver, BC, Canada
5th International Workshop on Systems Software Verification
SSV'10
http://usenix.org/events/ssv10/
2010
Vancouver, BC, Canada
Twenty-sixth Conference on the Mathematical Foundations of Programming Semantics
MFPS'10
http://www.math.tulane.edu/~mfps/mfps26/MFPS_XXVI.html
2010
Ottawa, Ontario, Canada
12th International Symposium on Principles and Practice of Declarative Programming
PPDP'10
http://www.risc.uni-linz.ac.at/about/conferences/ppdp2010/
2010
Hagenberg, Austria
5th International Workshop on Higher-Order Rewriting
HOR'10
http://hor.pps.jussieu.fr/10/
2010
Edinburgh, Scotland
COPLAS, ITU Copenhagen
http://www.coplas.org/
2010
15th ACM SIGPLAN International Conference on Functional Programming
ICFP'10
http://www.icfpconference.org/icfp2010/
2010
Baltimore, MD, USA
First International Workshop on Relations and Data Integrity Constraints and Languages
RADICAL'10
http://research.microsoft.com/en-us/um/people/adg/RADICAL2010/
2010
Cambridge, England
MIT PL Working Group
MIT PL Working Group
http://people.csail.mit.edu/jeanyang/pl/
2010
Cambridge, MA, USA
Third International Workshop on Graph Computation Models
GCM'10
http://gcm-events.org/gcm2010/
2010
Enschede, The Netherlands
38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'11
http://www.cse.psu.edu/popl/11/
2011
Austin, TX, USA
Twelfth International Conference on Verification, Model Checking, and Abstract Interpretation
VMCAI'11
http://vmcai11.cis.ksu.edu/
2011
Austin, TX, USA
20th European Symposium on Programming
ESOP'11
http://software.imdea.org/~gbarthe/esop11/
2011
Saarbrücken, Germany
22nd International Conference on Rewriting Techniques and Applications
RTA'11
http://www.rdp2011.uns.ac.rs/rta/
2011
ACM SIGPLAN 2011 Conference on Programming Language Design and Implementation
PLDI'11
http://pldi11.cs.utah.edu/
2011
San Jose, CA, USA
UC Berkeley
UC Berkeley
2011
Berkeley, CA, USA
Workshop on Foundations of Computer Security
FCS'11
http://www.di.ens.fr/~blanchet/fcs11/
2011
Toronto, ON, Canada
Syntax and Semantics of Low-Level Languages
LOLA'11
http://flint.cs.yale.edu/lola2011/
2011
Toronto, ON, Canada
IBM Watson Research Center
IBM Watson Research Center
2011
Hawthorne, NY, USA
CSAIL Student Workshop
CSAIL Student Workshop
http://projects.csail.mit.edu/csw/2011/
2011
Beverly, MA, USA
The Third Coq Workshop
Coq-3
http://www.cs.ru.nl/~spitters/coqw.html
2011
Nijmegen, Holland
6th International Workshop on Systems Software Verification
SSV'11
https://es.fbk.eu/events/ssv2011/
2011
Nijmegen, Holland
16th ACM SIGPLAN International Conference on Functional Programming
ICFP'11
http://www.icfpconference.org/icfp2011/
2011
Tokyo, Japan
39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'12
http://www.cse.psu.edu/popl/12/
2012
Philadelphia, PA, USA
7th ACM SIGPLAN Workshop on Types in Language Design and Implementation
TLDI'12
http://www.cis.upenn.edu/~bcpierce/tldi12/
2012
Philadelphia, PA, USA
Fourth International Conference on Verified Software: Theories, Tools, and Experiments
VSTTE'12
https://sites.google.com/site/vstte2012/
2012
Philadelphia, PA, USA
24th International Conference on Computer Aided Verification
CAV'12
http://cav12.cs.illinois.edu/
2012
Berkeley, CA, USA
The Fourth Coq Workshop
Coq-4
http://coq.inria.fr/coq-workshop/2012
2012
Princeton, NJ, USA
15th International Conference on Foundations of Software Science and Computation Structures
FoSSaCS'12
http://www.itu.dk/research/fossacs-2012/
2012
Tallinn, Estonia
Interactive Theorem Proving - Third International Conference
ITP'12
http://www.cs.princeton.edu/~eberinge/itp12/web/Home.html
2012
Princeton, NJ, USA
7th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice
LFMTP'12
http://people.csail.mit.edu/adamc/lfmtp12/
2012
Copenhagen, Denmark
IEEE Symposium on Security & Privacy 2012
S&P'12
http://www.ieee-security.org/TC/SP2012/
2012
San Francisco, CA, USA
ACM SIGPLAN Haskell Symposium 2012
Haskell'12
http://www.haskell.org/haskell-symposium/2012/
2012
Copenhagen, Denmark
2nd International Conference on Certified Programs and Proofs
CPP'12
http://cpp12.kuis.kyoto-u.ac.jp/
2012
Kyoto, Japan
15th International Symposium on Practical Aspects of Declarative Languages
PADL'13
http://www.it.uu.se/conf/padl2013/
2013
Rome, Italy
Data Driven Functional Programming Workshop 2013
DDFP'13
http://research.microsoft.com/en-us/events/ddfp2013/
2013
Rome, Italy
Symposium on Logical Foundations of Computer Science 2013
LFCS'13
http://lfcs.info/lfcs13/
2013
San Diego, California, USA
16th International Conference on Foundations of Software Science and Computation Structures
FoSSaCS'13
http://www.informatik.uni-trier.de/~ley/db/conf/fossacs/
2013
?
ACM SIGPLAN 2013 Conference on Programming Language Design and Implementation
PLDI'13
http://pldi2013.ucombinator.org/
2013
Seattle, Washington, USA
40th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'13
http://popl.mpi-sws.org/2013/
2013
Rome, Italy
POPL 2013 TutorialFest
POPL'13 TutorialFest
http://wrigstad.com/popl13/tutorialfest.html
2013
Rome, Italy
43th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
DSN'13
http://2013.dsn.org/
2013
Budapest, Hungary
Interactive Theorem Proving - Fourth International Conference
ITP'13
http://itp2013.inria.fr/
2013
Rennes, France
22nd USENIX Security Symposium
USENIX Security'13
https://www.usenix.org/conference/usenixsecurity13
2013
Washington, D.C., USA
Functional Programming Concepts in Domain-Specific Languages
FPCDSL'13
http://quantum.bbn.com/FPCDSL/
2013
Boston, MA, USA
25th International Conference on Computer Aided Verification
CAV'13
http://cav2013.forsyte.at/
2013
Saint Petersburg, Russia
8th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice
LFMTP'13
http://complogic.cs.mcgill.ca/lfmtp13
2013
Boston, MA, USA
18th ACM SIGPLAN International Conference on Functional Programming
ICFP'13
http://www.icfpconference.org/icfp2013/
2013
Boston, MA, USA
The 2nd ACM SIGPLAN Workshop on Higher-Order Programming with Effects
HOPE'13
http://hope2013.mpi-sws.org/
2013
Boston, MA, USA
15th International Symposium on Principles and Practice of Declarative Programming
PPDP'13
http://users.ugent.be/~tschrijv/PPDP2013/
2013
Madrid, Spain
Programming Languages meets Program Verification Workshop
http://www.cse.chalmers.se/~nad/plpv-2014/
PLPV'14
2014
San Diego, CA, USA
41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'14
http://popl.mpi-sws.org/2014/
2014
San Diego, CA, USA
Workshop on Secure Cloud and Reactive Internet Programming Technology
SCRIPT'13
http://soft.vub.ac.be/script/
2013
Brussels, Belgium
23rd European Symposium on Programming
ESOP'14
http://flint.cs.yale.edu/esop2014/
2014
Grenoble, France
2014 USENIX Annual Technical Conference
USENIX ATC'14
https://www.usenix.org/conference/atc14
2014
Philadelphia, PA, USA
IHP Workshop on Certification of High-Level and Low-Level Programs
IHP Workshop on Certification of High-Level and Low-Level Programs
https://ihp2014.pps.univ-paris-diderot.fr/doku.php?id=workshop_5
2014
Paris, France
9th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice
LFMTP'14
http://complogic.cs.mcgill.ca/lfmtp14/
2014
Vienna, Austria
5th International Conference on Interactive Theorem Proving
ITP'14
http://www.cs.uwyo.edu/~ruben/itp-2014/
2014
Vienna, Austria
19th ACM SIGPLAN International Conference on Functional Programming
ICFP'14
http://www.icfpconference.org/icfp2014/
2014
Gothenburg, Sweden
Boston Haskell
Boston Haskell
http://www.meetup.com/Boston-Haskell/events/190579132/
2014
Cambridge, MA
Kyoto University RIMS
Kyoto University RIMS
http://www.kurims.kyoto-u.ac.jp/en/
2014
Kyoto, Japan
Theorem proving and provers for reliable theory and implementations
TPP'14
http://imi.kyushu-u.ac.jp/lasm/tpp2014/
2014
Fukuoka, Japan
Microsoft Research Cambridge, PPT Group
Microsoft Research Cambridge, PPT Group
http://research.microsoft.com/en-us/groups/ppt/
2014
Cambridge, England
11th USENIX Symposium on Operating System Design and Implementation
OSDI'14
https://www.usenix.org/conference/osdi14/
2014
Broomfield, CO, USA
2014 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications
OOPSLA'14
http://2014.splashcon.org/track/oopsla2014
2014
Portland, OR, USA
42nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'15
http://popl.mpi-sws.org/2015/
2015
Mumbai, India
POPL'15 Student Research Competition
SRC
http://popl.mpi-sws.org/2015/posters2.html
2015
Mumbai, India
ACM SIGPLAN Programming Languages Mentoring Workshop 2015
PLMW'15
http://plmw15.iisc-seal.net/
2015
Mumbai, India
The First International Workshop on Coq for PL
CoqPL'15
http://coqpl.cs.washington.edu/
2015
Mumbai, India
24th European Symposium on Programming
ESOP'15
http://conf.researchr.org/home/esop-2015
2015
London, United Kingdom
30th Annual ACM/IEEE Symposium on Logic in Computer Science
http://lics.rwth-aachen.de/lics15/
LICS'15
2015
Kyoto, Japan
2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications
OOPSLA'15
http://2015.splashcon.org/track/oopsla
2015
Pittsburgh, PA, USA
15th Workshop on Hot Topics in Operating Systems
HotOS'15
https://www.usenix.org/conference/hotos15
2015
Kartause Ittingen, Switzerland
Oregon Programming Languages Summer School
OPLSS'15
https://www.cs.uoregon.edu/research/summerschool/summer15/
2015
Eugene, OR, USA
27th International Conference on Computer Aided Verification
CAV'15
http://i-cav.org/2015/
2015
San Francisco, CA, USA
20th ACM SIGPLAN International Conference on Functional Programming
ICFP'15
http://www.icfpconference.org/icfp2015/
2015
Vancouver, BC, Canada
IMDEA Software
http://software.imdea.org/
2015
MITx online course: Cybersecurity: Technology, Application and Policy
MITx online course: Cybersecurity: Technology, Application and Policy
https://mitprofessionalx.mit.edu/courses/course-v1:MITProfessionalX+CSx+2015_T1/about
2015
Cambridge, MA, USA
25th ACM Symposium on Operating Systems Principles
SOSP'15
http://www.ssrc.ucsc.edu/sosp15/
2015
Monterey, CA, USA
5th International Conference on Certified Programs and Proofs
CPP'16
http://people.csail.mit.edu/adamc/cpp16/
2016
St. Petersburg, FL, USA
ACM SIGPLAN 2016 Workshop on Partial Evaluation and Program Manipulation
PEPM'16
http://conf.researchr.org/home/pepm-2016
2016
St. Petersburg, FL, USA
43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'16
http://popl16.sigplan.org/
2016
St. Petersburg, FL, USA
The Second International Workshop on Coq for PL
CoqPL'16
http://conf.researchr.org/home/CoqPL-2016
2016
St. Petersburg, FL, USA
37th IEEE Symposium on Security and Privacy
S&P'16
http://www.ieee-security.org/TC/SP2016/
2016
San Jose, CA, USA
28th International Conference on Computer Aided Verification
CAV'16
http://i-cav.org/2016/
2016
Toronto, ON, Canada
Interactive Theorem Proving - Seventh International Conference
ITP'16
http://itp2016.inria.fr/
2016
Nancy, France
21st ACM SIGPLAN International Conference on Functional Programming
ICFP'16
http://icfp16.sigplan.org/
2016
Nara, Japan
The Eighth Coq Workshop
Coq-8
http://coq.inria.fr/coq-workshop/2016
2016
Nancy, France
Mozilla San Francisco
Mozilla San Francisco
https://www.mozilla.org/
2016
San Francisco, CA, USA
Verified Trustworthy Software Systems (public meeting)
Verified Trustworthy Software Systems (public meeting)
https://royalsociety.org/events/2016/04/software-systems/
2016
London, UK
Verified Trustworthy Software Systems (specialist meeting)
Verified Trustworthy Software Systems (specialist meeting)
https://verificationinstitute.org/event/verified-trustworthy-software-systems-specialist-meeting/
2016
London, UK
SPLASH-I
SPLASH-I'16
http://2016.splashcon.org/track/splash-2016-splash-i
2016
Amsterdam, Netherlands
APLAS
APLAS'16
http://soict.hust.edu.vn/~aplas2016/
2016
Hanoi, Vietnam
New Directions In Software Technology 2016
NDIST'16
http://www.kestrel.edu/NDIST/NDIST16/
2016
St. John, U.S. Virgin Islands
44th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'17
http://popl17.sigplan.org/
2017
Paris, France
Workshop on Reasoning about Declarative Programs
RDP'17
http://conf.researchr.org/track/POPL-2017/RDP-2017
2017
Paris, France
The 2nd Summit oN Advances in Programming Languages
SNAPL'17
http://snapl.org/2017/
2017
Asilomar, CA, USA
ACM SIGPLAN 2017 Conference on Programming Language Design and Implementation
PLDI'17
http://pldi17.sigplan.org/
2017
Barcelona, Spain
30th IEEE Computer Security Foundations Symposium
CSF'17
http://csf2017.tecnico.ulisboa.pt/
2017
Santa Barbara, CA, USA
22nd ACM SIGPLAN International Conference on Functional Programming
ICFP'17
http://icfp17.sigplan.org/
2017
Oxford, UK
Interactive Theorem Proving - Eighth International Conference
ITP'17
http://itp2017.cic.unb.br/
2017
Brasília, Brazil
2017 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications
OOPSLA'17
http://2017.splashcon.org/track/splash-2017-OOPSLA
2017
Vancouver, BC, Canada
ACM SIGPLAN Conference on Systems, Programming, Languages and Applications: Software for Humanity
SPLASH'17
http://2017.splashcon.org/track/splash-2017-Workshops
2017
Vancouver, BC, Canada
26th ACM Symposium on Operating Systems Principles
SOSP'17
https://www.sigops.org/sosp/sosp17/
2017
Shanghai, China
45th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'18
http://popl18.sigplan.org/
2018
Los Angeles, CA, USA
Web Programming, Design, Analysis, and Implementation track of The Web Conference 2018
WPDAI'18
https://www2018.thewebconf.org/call-for-papers/web-programming-cfp/
2018
Lyon, France
ACM SIGPLAN 2018 Conference on Programming Language Design and Implementation
PLDI'18
http://pldi18.sigplan.org/
2017
Philadelphia, PA, USA
IFIP Working Group on Functional Programming
http://www.cs.ox.ac.uk/ralf.hinze/WG2.8/
WG 2.8
IFIP Working Group on Language Design
http://program-transformation.org/WGLD/
WG 2.16
National Science Foundation panelist
NSF
https://nsf.gov/dir/index.jsp?org=cise
Communications of the ACM
CACM
http://cacm.acm.org/
Journal of the ACM
JACM
http://jacm.acm.org/
Journal of Functional Programming
JFP
http://journals.cambridge.org/jid_JFP
Journal of Formalized Reasoning
JFR
http://jfr.unibo.it/
ACM Transactions on Programming Languages and Systems
TOPLAS
http://www.cs.utexas.edu/toplas/
IEEE Embedded Systems Letters
ESL
http://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=4563995
Journal of Automated Reasoning
JAR
http://www.springerlink.com/content/100280/
Information Processing Letters
IPL
http://www.elsevier.com/locate/ipl
Higher-Order and Symbolic Computation
HOSC
http://www.springer.com/computer/theoretical+computer+science/journal/10990
Philsophical Transactions of the Royal Society A
PTA
http://rsta.royalsocietypublishing.org/
Science of Computer Programming
SCP
http://www.journals.elsevier.com/science-of-computer-programming/
Fundamenta Informaticae
FI
http://fi.mimuw.edu.pl/
Certified Programming with Dependent Types
http://adam.chlipala.net/cpdt/
MIT Press, 2013. Available online under a Creative Commons license.
The Science of Deep Specification
Overview of and case for the DeepSpec project
We introduce our efforts within the project "The Science of Deep Specification" to work out the key formal underpinnings of industrial-scale formal specifications of software and hardware components, anticipating a world where large verified systems are routinely built out of smaller verified components that are also used by many other projects. We identify an important class of specification that has already been used in a few experiments that connect strong component-correctness theorems across the work of different teams. To help popularize the unique advantages of that style, we dub it *deep specification*, and we say that it encompasses specifications that are *rich*, *two-sided*, *formal*, and *live* (terms that we define in the article). Our core team is developing a proof-of-concept system (based on the Coq proof assistant) whose specification and verification work is divided across largely decoupled subteams at our four institutions, encompassing hardware microarchitecture, compilers, operating systems, and applications, along with cross-cutting principles and tools for effective specification. We also aim to catalyze interest in the approach, not just by basic researchers but also by users in industry.
Project web site
http://rsta.royalsocietypublishing.org/cgi/content/abstract/rsta.2016.0331
Research Highlight: Certifying a File System using Crash Hoare Logic: Correctness in the Presence of Crashes
A file system implemented and verified in Coq, using separation logic, connected to Linux and providing respectable performance
FSCQ is the first file system with a machine-checkable proof that its implementation meets a specification, even in the presence of fail-stop crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover its state correctly without losing data.
To state FSCQ's theorems, this paper introduces the Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels. CHL also reduces the proof effort for developers through proof automation. Using CHL, we developed, specified, and proved the correctness of the FSCQ file system. Although FSCQ's design is relatively simple, experiments with FSCQ as a user-level file system show that it is sufficient to run Unix applications with usable performance. FSCQ's specifications and proofs required significantly more work than the implementation, but the work was manageable even for a small team of a few researchers.
http://cacm.acm.org/magazines/2017/4/215044-certifying-a-file-system-using-crash-hoare-logic/abstract
Research Highlight: Ur/Web: A Simple Model for Programming the Web
Introducing the Ur/Web programming language
The World Wide Web has evolved gradually from a document delivery platform to an architecture for distributed programming. This largely unplanned evolution is apparent in the set of interconnected languages and protocols that any Web application must manage. This paper presents Ur/Web, a domain-specific, statically typed functional programming language with a much simpler model for programming modern Web applications. Ur/Web's model is *unified*, where programs in a single programming language are compiled to other "Web standards" languages as needed; supports novel kinds of *encapsulation* of Web-specific state; and exposes *simple concurrency*, where programmers can reason about distributed, multithreaded applications via a mix of transactions and cooperative preemption. We give a tutorial introduction to the main features of Ur/Web.
Project web site
[Condensed version of POPL'15 paper, also including some tweaks to be accessible to a broader audience]
http://cacm.acm.org/magazines/2016/8/205041-ur-web/abstract
An Introduction to Programming and Proving with Dependent Types in Coq
Excerpts from CPDT
Excerpts from CPDT
Computer proof assistants vary along many dimensions. Among the mature implementations, the Coq system is distinguished by two key features. First, we have support for programming with dependent types in the tradition of type theory, based on dependent function types and inductive type families. Second, we have a domain-specific language for coding correct-by-construction proof automation. Though the Coq user community has grown quite large, neither of the aspects I highlight is widely used. In this tutorial, I aim to provide a pragmatic introduction to both, showing how they can bring significant improvements in productivity.
Modular Development of Certified Program Verifiers with a Proof Assistant
Extended version of my ICFP'06 paper
Extended version of my ICFP'06 paper
I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checked proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of the development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.
Using the metadata-prefix specification to verify a high-performance crash-safe file system
FSCQ extended to support "flush" operations and delayed syncing of data to disk, as a performance optimization
VDFS is the first file system that (1) provides a precise specification for `fsync` and `fdatasync`, which allow applications to achieve high performance and crash safety, and that (2) provides a machine-checked proof that its implementation meets this precise specification. VDFS's proof rules out some of the most common bugs in file-system implementations, as system calls are proved to expose the expected atomic behavior. VDFS's specification also allows applications to prove their own crash safety, avoiding application-level bugs such as forgetting to invoke `fsync` on both the file and the containing directory.
The key challenge in building VDFS is to write concise specifications for the file system and its internal implementation. VDFS introduces a *metadata-prefix* specification that captures the properties of `fsync` and `fdatasync`, which roughly follows the behavior of Linux ext4. This specification uses a notion of *tree sequences* -- a logical sequence of file system tree states -- to succinctly describe the possible states after a crash, and to describe how data writes can be re-ordered with respect to metadata updates.
An evaluation shows that VDFS achieves 103 MB/s on large file writes to an SSD and durably creates small files at a rate of 1,618 files per second. In comparison, Linux ext4 achieves 295 MB/s for large file writes and 4,977 files/s for small file creation. VDFS is much faster than any previous verified file system (none can even implement large file writes, and the fastest can create 350 files/s).
TiML: A Functional Language for Practical Complexity Analysis with Invariants
Using refinement types to upper-bound program asymptotic running time, taking advantage of invariants specific to data structures
We present TiML (Timed ML), an ML-like functional language with time-complexity annotations in types. It uses indexed types to express sizes of data structures and upper bounds on running time of functions; and refinement kinds to constrain these indices, expressing data-structure invariants and pre/post-conditions. Indexed types are flexible enough that TiML avoids a built-in notion of "size", and the programmer can choose to index user-defined datatypes in any way that helps her analysis. TiML's distinguishing characteristic is supporting highly automated time-bound verification applicable to data structures with nontrivial invariants. The programmer provides type annotations, and the typechecker generates verification conditions that are discharged by an SMT solver. Type and index inference are supported to lower annotation burden, and, furthermore, big-O complexity can be inferred from recurrences generated during typechecking by a recurrence solver based on heuristic pattern matching (e.g. using the Master Theorem to handle divide-and-conquer-like recurrences). We have evaluated TiML's usability by implementing a broad suite of case-study modules, demonstrating that TiML, though lacking full automation and theoretical completeness, is versatile enough to verify worst-case and/or amortized complexities for algorithms and data structures like classic list operations, merge sort, Dijkstra's shortest-path algorithm, red-black trees, Braun trees, functional queues and dynamic tables with bounds like mn log n. The learning curve and annotation burden are reasonable, as we argue with statistics on our case studies. We formalized TiML's type-soundness proof in Coq.
Kami: A Platform for High-Level Parametric Hardware Specification and its Modular Verification
A Coq framework for modular correctness proofs of computer-architecture designs, supporting automatic extraction to circuits that run on FPGAs, etc.
It has become fairly standard in the programming-languages research world to verify functional programs in proof assistants using induction, algebraic simplification, and rewriting. In this paper, we introduce Kami, a Coq library that uses labeled transition systems to enable similar expressive and modular reasoning for hardware designs expressed in the style of the Bluespec language. We can specify, implement, and verify realistic designs entirely within Coq, ending with automatic extraction into a pipeline that bottoms out in FPGAs. Our methodology has been evaluated in a case study verifying an infinite family of multicore systems, with cache-coherent shared memory and pipelined cores implementing (the base integer subset of) the RISC-V instruction set.
Project web site
The End of History? Using a Proof Assistant to Replace Language Design with Library Design
The sales pitch for our Fiat system as embodying a new programming style, with novel and effective kinds of abstraction and modularity
Functionality of software systems has exploded in part because of advances in programming-language support for packaging reusable functionality as libraries. Developers benefit from the uniformity that comes of exposing many interfaces in the same language, as opposed to stringing together hodgepodges of command-line tools. Domain-specific languages may be viewed as an evolution of the power of reusable interfaces, when those interfaces become so flexible as to deserve to be called programming languages. However, common approaches to domain-specific languages give up many of the hard-won advantages of library-building in a rich common language, and even the traditional approach poses significant challenges in learning new APIs. We suggest that instead of continuing to develop new domain-specific languages, our community should embrace library-based ecosystems within very expressive languages that mix programming and theorem proving. Our prototype framework Fiat, a library for the Coq proof assistant, turns languages into easily comprehensible libraries via the key idea of modularizing *functionality* and *performance* away from each other, the former via *macros that desugar into higher-order logic* and the latter via *optimization scripts* that derive efficient code from logical programs.
Project web site
Slides are available from my talk [LibreOffice, PDF].
A Program Optimization for Automatic Database Result Caching
A compiler optimization for Ur/Web that adds caching for SQL-query results and derived computations, inferring sound invalidation strategies that often avoid bottlenecks for parallel execution
Most popular Web applications rely on persistent databases based on languages like SQL for declarative specification of data models and the operations that read and modify them. As applications scale up in user base, they often face challenges responding quickly enough to the high volume of requests. A common aid is *caching* of database results in the application's memory space, taking advantage of program-specific knowledge of which caching schemes are sound and useful, embodied in handwritten modifications that make the program less maintainable. These modifications also require nontrivial reasoning about the read-write dependencies across operations. In this paper, we present a compiler optimization that automatically adds sound SQL caching to Web applications coded in the Ur/Web domain-specific functional language, with no modifications required to source code. We use a custom cache implementation that supports concurrent operations without compromising the transactional semantics of the database abstraction. Through experiments with microbenchmarks and production Ur/Web applications, we show that our optimization in many cases enables an easy doubling or more of an application's throughput, requiring nothing more than passing an extra command-line flag to the compiler.
Project web site
Mostly Automated Formal Verification of Loop Dependencies with Applications to Distributed Stencil Algorithms
A Coq framework for verifying that nested loops obey dependency constraints, in message-passing distributed programs that collaboratively fill in the cells of large multidimensional grids
The class of *stencil* programs involves repeatedly updating elements of arrays according to fixed patterns, referred to as stencils. Stencil problems are ubiquitous in scientific computing and are used as an ingredient to solve more involved problems. Their high regularity allows massive parallelization. Two important challenges in designing such algorithms are cache efficiency and minimizing the number of communication steps between nodes. In this paper, we introduce a mathematical framework for a crucial aspect of formal verification of both sequential and distributed stencil algorithms, and we describe its Coq implementation. We present a domain-specific embedded programming language with support for automating the most tedious steps of proofs that nested loops respect dependencies, applicable to sequential and distributed examples. Finally, we evaluate the robustness of our library by proving the dependency-correctness of some real-world stencil algorithms, including a state-of-the-art cache-oblivious sequential algorithm, as well as two optimized distributed kernels.
Source code
Chapar: Certified Causally Consistent Distributed Key-Value Stores
Coq proofs of several distributed key-value store algorithms, including principles for modular reasoning about client programs that use them
Today's Internet services are often expected to stay available and render high responsiveness even in the face of site crashes and network partitions. Theoretical results state that causal consistency is one of the strongest consistency guarantees that is possible under these requirements, and many practical systems provide causally consistent key-value stores. In this paper, we present a framework called Chapar for modular verification of causal consistency for replicated key-value store implementations and their client programs. Specifically, we formulate separate correctness conditions for key-value store implementations and for their clients. The interface between the two is a novel operational semantics for causal consistency. We have verified the causal consistency of two key-value store implementations from the literature using a novel proof technique. We have also implemented a simple automatic model checker for the correctness of client programs. The two independently verified results for the implementations and clients can be composed to conclude the correctness of any of the programs when executed with any of the implementations. We have developed and checked our framework in Coq, extracted it to OCaml, and built executable stores.
Using Crash Hoare Logic for Certifying the FSCQ File System
Best Paper Award
A file system implemented and verified in Coq, using separation logic, connected to Linux and providing respectable performance
FSCQ is the first file system with a machine-checkable proof (using the Coq proof assistant) that its implementation meets its specification and whose specification includes crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover the file system correctly without losing data.
To state FSCQ's theorems, this paper introduces the Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels. CHL also reduces the proof effort for developers through proof automation. Using CHL, we developed, specified, and proved the correctness of the FSCQ file system. Although FSCQ's design is relatively simple, experiments with FSCQ running as a user-level file system show that it is sufficient to run Unix applications with usable performance. FSCQ's specifications and proofs required significantly more work than the implementation, but the work was manageable even for a small team of a few researchers.
An Optimizing Compiler for a Purely Functional Web-Application Language
The whole-program optimizing compiler for Ur/Web
High-level scripting languages have become tremendously popular for development of dynamic Web applications. Many programmers appreciate the productivity benefits of automatic storage management, freedom from verbose type annotations, and so on. While it is often possible to improve performance substantially by rewriting an application in C or a similar language, very few programmers bother to do so, because of the consequences for human development effort. This paper describes a compiler that makes it possible to have most of the best of both worlds, coding Web applications in a high-level language but compiling to native code with performance comparable to handwritten C code. The source language is Ur/Web, a domain-specific, purely functional, statically typed language for the Web. Through a coordinated suite of relatively straightforward program analyses and algebraic optimizations, we transform Ur/Web programs into almost-idiomatic C code, with no garbage collection, little unnecessary memory allocation for intermediate values, etc. Our compiler is in production use for commercial Web sites supporting thousands of users, and microbenchmarks demonstrate very competitive performance versus mainstream tools.
Project web site
Slides are available from my talk at ICFP'15 [LibreOffice, PDF]. There's also an online video of the talk.
Modular Deductive Verification of Multiprocessor Hardware Designs
Modular Coq proofs of Bluespec-style hardware descriptions, where processors and memory systems can be verified separately against generic specs (in the style of labeled transition systems) that are compatible with many different optimizations
We present a new framework for modular verification of hardware designs in the style of the Bluespec language. That is, we formalize the idea of components in a hardware design, with well-defined input and output channels; and we show how to specify and verify components individually, with machine-checked proofs in the Coq proof assistant. As a demonstration, we verify a fairly realistic implementation of a multicore shared-memory system with two types of components: memory system and processor. Both components include nontrivial optimizations, with the memory system employing an arbitrary hierarchy of cache nodes that communicate with each other concurrently, and with the processor doing speculative execution of many concurrent read operations. Nonetheless, we prove that the combined system implements sequential consistency. To our knowledge, our memory-system proof is the first machine verification of a cache-coherence protocol parameterized over an arbitrary cache hierarchy, and our full-system proof is the first machine verification of sequential consistency for a multicore hardware design that includes caches and speculative processors.
Fiat: Deductive Synthesis of Abstract Data Types in a Proof Assistant
Deriving efficient OCaml implementations of abstract data types, from declarative specifications, in Coq, mostly automatically. The main case study works with SQL-style relational queries and update operations.
We present Fiat, a library for the Coq proof assistant supporting refinement of declarative specifications into efficient functional programs with a high degree of automation. Each refinement process leaves a proof trail, checkable by the normal Coq kernel, justifying its soundness. We focus on the synthesis of abstract data types that package methods with private data. We demonstrate the utility of our framework by applying it to the synthesis of *query structures* -- abstract data types with SQL-like query and insert operations. Fiat includes a library for writing specifications of query structures in SQL-inspired notation, expressing operations over relations (tables) in terms of mathematical sets. This library includes a set of tactics for automating the refinement of these specifications into efficient, correct-by-construction OCaml code. Using these tactics, a programmer can generate such an implementation completely automatically by only specifying the equivalent of SQL indexes, data structures capturing useful views of the abstract data. We conclude by speculating on the new programming modularity possibilities enabled by an automated refinement system with proved-correct rules.
Software/proof source code
Ur/Web: A Simple Model for Programming the Web
At long last, a paper on the design of Ur/Web, a DSL for Web applications, supporting novel encapsulation techniques and a simple concurrency model for distributed applications
The World Wide Web has evolved gradually from a document delivery platform to an architecture for distributed programming. This largely unplanned evolution is apparent in the set of interconnected languages and protocols that any Web application must manage. This paper presents Ur/Web, a domain-specific, statically typed functional programming language with a much simpler model for programming modern Web applications. Ur/Web's model is **unified**, where programs in a single programming language are compiled to other "Web standards" languages as needed; **modular**, supporting novel kinds of encapsulation of Web-specific state; and exposes **simple concurrency**, where programmers can reason about distributed, multithreaded applications via a mix of transactions and cooperative preemption. We give a tutorial introduction to the main features of Ur/Web, formalize the basic programming model with operational semantics, and discuss the language implementation and the production Web applications that use it.
Project web site
Slides are available from my talk at POPL'15 [LibreOffice, PDF].
From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification
A case study in building a whole-program Coq proof that covers both an application (a database-backed dynamic Web application) and systems infrastructure (a cooperative thread library). The components are verified modularly with Bedrock, and there is a verified compiler for a domain-specific language that can be used to derive similar theorems for similar Web applications, with minimal new proving work.
Many verifications of realistic software systems are *monolithic*, in the sense that they define single *global invariants* over complete system state. More *modular* proof techniques promise to support reuse of component proofs and even reduce the effort required to verify one concrete system, just as modularity simplifies standard software development. This paper reports on one case study applying modular proof techniques in the Coq proof assistant. To our knowledge, it is the first modular verification certifying a system that combines infrastructure with an application of interest to end users. We assume a nonblocking API for managing TCP networking streams, and on top of that we work our way up to certifying multithreaded, database-backed Web applications. Key verified components include a cooperative threading library and an implementation of a domain-specific language for XML processing. We have deployed our case-study system on mobile robots, where it interfaces with off-the-shelf components for sensing, actuation, and control.
Software/proof source code
Slides are available from my talk at POPL'15 [LibreOffice, PDF].
Compiler Verification Meets Cross-Language Linking via Data Abstraction
An approach to verifying multilanguage programs in the Bedrock framework, mixing operational semantics for intralanguage reasoning and axiomatic semantics for interlanguage reasoning
Many real programs are written in multiple different programming languages, and supporting this pattern creates challenges for formal compiler verification. We describe our Coq verification of a compiler for a high-level language, such that the compiler correctness theorem allows us to derive partial-correctness Hoare-logic theorems for programs built by linking the assembly code output by our compiler and assembly code produced by other means. Our compiler supports such tricky features as storable cross-language function pointers, without giving up the usual benefits of being able to verify different compiler phases (including, in our case, two classic optimizations) independently. The key technical innovation is a mixed operational and axiomatic semantics for the source language, with a built-in notion of *abstract data types*, such that compiled code interfaces with other languages only through axiomatically specified methods that mutate encapsulated private data, represented in whatever formats are most natural for those languages.
Software/proof source code
Jitk: A Trustworthy In-Kernel Interpreter Infrastructure
Coq-verified just-in-time compilation for packet filters, etc., in Linux
Modern operating systems run multiple interpreters in the kernel, which enable user-space applications to add new functionality or specialize system policies. The correctness of such interpreters is critical to the overall system security: bugs in interpreters could allow adversaries to compromise user-space applications and even the kernel.
Jitk is a new infrastructure for building in-kernel interpreters that guarantee *functional correctness* as they compile user-space policies down to native instructions for execution in the kernel. To demonstrate Jitk, we implement two interpreters in the Linux kernel, BPF and INET-DIAG, which are used for network and system call filtering and socket monitoring, respectively. To help application developers write correct filters, we introduce a high-level rule language, along with a proof that Jitk correctly translates high-level rules all the way to native machine code, and demonstrate that this language can be integrated into OpenSSH with tens of lines of code. We built a prototype of Jitk on top of the CompCert verified compiler and integrated it into the Linux kernel. Experimental results show that Jitk is practical, fast, and trustworthy.
Compositional Computational Reflection
A framework for combining reflective Coq tactics, applied in the Bedrock system to verify imperative programs
Current work on computational reflection is single-minded; each reflective procedure is written with a specific application or scope in mind. Composition of these reflective procedures is done by a proof-generating tactic language such as Ltac. This composition, however, comes at the cost of both larger proof terms and redundant preprocessing. In this work, we propose a methodology for writing composable reflective procedures that solve many small tasks in a single invocation. The key technical insights are techniques for reasoning semantically about extensible syntax in intensional type theory. We also consider sound methods for user extension of such procedures using lemmas and full reflective procedures, which mimicks Coq's support for hint databases with only slightly more user effort.
Source code is available for the framework and the instantiation for Bedrock
Experience Implementing a Performant Category-Theory Library in Coq
A Coq category-theory library, designed to support computationally efficient proofs of large goals, taking advantage of recent improvements to the homotopy-type-theory Coq version and giving some other wishlist items for Coq
We describe our experience implementing a broad category-theory library in Coq. Category theory and computational performance are not usually mentioned in the same breath, but we have needed substantial engineering effort to teach Coq to cope with large categorical constructions without slowing proof script processing unacceptably. In this paper, we share the lessons we have learned about how to represent very abstract mathematical objects and arguments in Coq and how future proof assistants might be designed to better support such reasoning. One particular encoding trick to which we draw attention allows category-theoretic arguments involving *duality* to be internalized in Coq's logic with definitional equality. Ours may be the largest Coq development to date that uses the relatively new Coq version developed by homotopy type theorists, and we reflect on which new features were especially helpful.
Library source code
The Bedrock Structured Programming System: Combining Generative Metaprogramming and Hoare Logic in an Extensible Program Verifier
Bedrock takes literally the idea of C as a "macro assembly language." All the programming features are built up as macros on top of assembly language, and macros have verified Hoare logic-style proof rules attached to them, so that one gets a "free" environment for mostly automated deductive program verification for any mix of macros used in a particular program.
We report on the design and implementation of an extensible programming language and its intrinsic support for formal verification. Our language is targeted at low-level programming of infrastructure like operating systems and runtime systems. It is based on a cross-platform core combining characteristics of assembly languages and compiler intermediate languages. From this foundation, we take literally the saying that C is a "macro assembly language": we introduce an expressive notion of *certified low-level macros*, sufficient to build up the usual features of C and beyond as macros with no special support in the core. Furthermore, our macros have integrated support for strongest postcondition calculation and verification condition generation, so that we can provide a high-productivity formal verification environment within Coq for programs composed from any combination of macros. Our macro interface is expressive enough to support features that low-level programs usually only access through external tools with no formal guarantees, such as declarative parsing or SQL-inspired querying. The abstraction level of these macros only imposes a *compile-time* cost, via the execution of functional Coq programs that compute programs in our intermediate language; but the *run-time* cost is not substantially greater than for more conventional C code. We describe our experiences constructing a full C-like language stack using macros, with some experiments on the verifiability and performance of individual programs running on that stack.
Software/proof source code
Slides are available from my talk at ICFP'13 [OpenOffice, PDF].
Formal Verification of Hardware Synthesis
A verified compiler for an idealization of the Bluespec hardware description language
We report on the implementation of a certified compiler for a high-level hardware description language (HDL) called Fe-Si (FEath-erweight SynthesIs). Fe-Si is a simplified version of Bluespec, an HDL based on a notion of guarded atomic actions. Fe-Si is defined as a dependently typed deep embedding in Coq. The target language of the compiler corresponds to a synthesisable subset of Verilog or VHDL. A key aspect of our approach is that input programs to the compiler can be defined and proved correct inside Coq. Then, we use extraction and a Verilog back-end (written in OCaml) to get a certified version of a hardware design.
Public source-code repository
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic
A constructive proof that automating separation logic proofs for systems code is easy, despite claims to the contrary coming from SMT solver-centric perspectives. `;-)` Specifically, this paper introduced Bedrock, a Coq library for foundational verification of code at the assembly level of abstraction. A mostly-automated separation logic prover uses a modest amount of programmer annotation to drive verification of examples like imperative data structures and a cooperative threading library.
Several recent projects have shown the feasibility of verifying low-level systems software. Verifications based on automated theorem-proving have omitted reasoning about *first-class code pointers*, which is critical for tasks like certifying implementations of threads and processes. Conversely, verifications that deal with first-class code pointers have featured long, complex, manual proofs. In this paper, we introduce the Bedrock framework, which supports mostly-automated proofs about programs with the full range of features needed to implement, e.g., language runtime systems.
The heart of our approach is in mostly-automated discharge of verification conditions inspired by separation logic. Our take on separation logic is *computational*, in the sense that function specifications are usually written in terms of *reference implementations in a purely functional language*. Logical quantifiers are the most challenging feature for most automated verifiers; by relying on functional programs (written in the expressive language of the Coq proof assistant), we are able to avoid quantifiers almost entirely. This leads to some dramatic improvements compared to both the state of the art in classical verification, which we compare against with implementations of data structures like binary search trees and hash tables; and the state of the art in verified programming with code pointers, which we compare against with examples like function memoization and a cooperative threading library.
Software/proof source code
Slides are available from my talk at PLDI'11 [OpenOffice, PDF].
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications
Static analysis for security policies for Ur/Web applications, based on the key new idea of representing policies as SQL queries. The analysis follows the well-trod path of symbolic evaluation and automated first-order-logic theorem-proving.
We present a system for sound static checking of security policies for database-backed Web applications. Our tool checks a combination of access control and information flow policies, where the policies vary based on database contents. For instance, one or more database tables may represent an access control matrix, controlling who may read or write which cells of these and other tables. Using symbolic evaluation and automated theorem-proving, our tool checks these policies statically, requiring no program annotations (beyond the policies themselves) and adding no run-time overhead. Specifications come in the form of *SQL queries as policies*: for instance, an application's confidentiality policy is a fixed set of queries, whose results provide an upper bound on what information may be released to the user. To provide user-dependent policies, we allow queries to depend on *what secrets the user knows*. We have used our prototype implementation to check several programs representative of the data-centric Web applications that are common today.
From the OSDI'10 talk: slides in OpenOffice and PDF formats; video
Project web site
Ur: Statically-Typed Metaprogramming with Type-Level Record Computation
A first paper about Ur, focusing on the metaprogramming aspect: we can write generic programs that write programs, based on inputs like database schemas, summaries of HTML form configurations, etc., and we can type-check our generators statically without needing to write any proof terms.
*Dependent types* provide a strong foundation for specifying and verifying rich properties of programs through type-checking. The earliest implementations combined dependency, which allows types to mention program variables; with type-level computation, which facilitates expressive specifications that compute with recursive functions over types. While many recent applications of dependent types omit the latter facility, we argue in this paper that it deserves more attention, even when implemented without dependency.
In particular, the ability to use functional programs as specifications enables *statically-typed metaprogramming*: programs write programs, and static type-checking guarantees that the generating process never produces invalid code. Since our focus is on generic validity properties rather than full correctness verification, it is possible to engineer type inference systems that are very effective in narrow domains. As a demonstration, we present Ur, a programming language designed to facilitate metaprogramming with first-class records and names. On top of Ur, we implement Ur/Web, a special standard library that enables the development of modern web applications. Ad-hoc code generation is already in wide use in the popular web application frameworks, and we show how that generation may be tamed using types, without forcing metaprogram authors to write proofs or forcing metaprogram users to write any fancy types.
Project web site
Slides are available from my talk at PLDI'10 [OpenOffice, PDF].
A Verified Compiler for an Impure Functional Language
A case study in verifying a compiler to an idealized assembly language from an untyped source language with most of the key dynamic features of ML: functions, products, sums, mutable references, and value-carrying exceptions. Syntax is encoded with parametric higher-order abstract syntax (PHOAS), which makes it possible to avoid almost all bookkeeping having to do with binders and fresh name generation. The semantics of the object languages are encoded in a new substitution-free style. All of the proofs are automated with tactic programs that can keep working even after changing the definitions of the languages.
We present a verified compiler to an idealized assembly language from a small, untyped functional language with mutable references and exceptions. The compiler is programmed in the Coq proof assistant and has a proof of total correctness with respect to big-step operational semantics for the source and target languages. Compilation is staged and includes standard phases like translation to continuation-passing style and closure conversion, as well as a common subexpression elimination optimization. In this work, our focus has been on discovering and using techniques that make our proofs easy to engineer and maintain. While most programming language work with proof assistants uses very manual proof styles, all of our proofs are implemented as adaptive programs in Coq's tactic language, making it possible to reuse proofs unchanged as new language features are added.
In this paper, we focus especially on phases of compilation that rearrange the structure of syntax with nested variable binders. That aspect has been a key challenge area in past compiler verification projects, with much more effort expended in the statement and proof of binder-related lemmas than is found in standard pencil-and-paper proofs. We show how to exploit the representation technique of *parametric higher-order abstract syntax* to avoid the need to prove any of the usual lemmas about binder manipulation, often leading to proofs that are actually shorter than their pencil-and-paper analogues. Our strategy is based on a new approach to encoding operational semantics which delegates all concerns about substitution to the meta language, without using features incompatible with general-purpose type theories like Coq's logic.
Software/proof source code and documentation
Slides are available from my talks at POPL'10 [OpenOffice, PDF] and WMM'09 [OpenOffice, PDF].
Effective Interactive Proofs for Higher-Order Imperative Programs
An approach to automating correctness proofs about higher-order, imperative programs in Coq, based on an extensible simplifier for separation logic formulas
We present a new approach for constructing and verifying higher-order, imperative programs using the Coq proof assistant. We build on the past work on the Ynot system, which is based on Hoare Type Theory. That original system was a proof of concept, where every program verification was accomplished via laborious manual proofs, with much code devoted to uninteresting low-level details. In this paper, we present a re-implementation of Ynot where verified imperative programming need not be much harder than programming in Haskell. At the same time, our new system is implemented entirely in Coq source files, showcasing the versatility of that proof assistant as a platform for research on language design and verification.
Both versions of the system have been evaluated with case studies in the verification of imperative data structures, such as hash tables with higher-order iterators. The verification burden in our new system is reduced by at least an order of magnitude compared to the old system, by replacing manual proof with automation. The core of the automation is a simplification procedure for implications in higher-order separation logic, with hooks that allow programmers to add domain-specific simplification rules.
We argue for the effectiveness of our infrastructure by verifying a number of data structures and a packrat parser, and we compare to similar efforts within other projects. Compared to competing approaches to data structure verification, our system includes much less code that must be trusted; namely, about a hundred lines of Coq code defining a program logic. All of our theorems and decision procedures have or build machine-checkable correctness proofs from first principles, removing opportunities for tool bugs to create faulty verifications.
From the ICFP'09 talk: slides in OpenOffice and PDF formats; skeleton and final solution for the demo; video
Project web site
Parametric Higher-Order Abstract Syntax for Mechanized Semantics
A new trick for encoding variable binders in Coq, along with an exploration of its consequences: almost trivial syntax and type-theoretic semantics for languages including such features as polymorphism and complicated binding structure (e.g., ML-style pattern matching); almost trivial type preservation proofs for compiler passes that don't need intensional analysis of variables; mostly-automated semantic correctness proofs about those passes, by way of adding an axiom to make the parametricity of CIC usable explicitly in proofs; and the ability to drop down to more traditional syntactic representations for more arduous but feasible proofs of the same properties, when intensional variable analysis is needed.
We present *parametric higher-order abstract syntax (PHOAS)*, a new approach to formalizing the syntax of programming languages in computer proof assistants based on type theory. Like higher-order abstract syntax (HOAS), PHOAS uses the meta language's binding constructs to represent the object language's binding constructs. Unlike HOAS, PHOAS types are definable in general-purpose type theories that support traditional functional programming, like Coq's Calculus of Inductive Constructions. We walk through how Coq can be used to develop certified, executable program transformations over several statically-typed functional programming languages formalized with PHOAS; that is, each transformation has a machine-checked proof of type preservation and semantic preservation. Our examples include CPS translation and closure conversion for simply-typed lambda calculus, CPS translation for System F, and translation from a language with ML-style pattern matching to a simpler language with no variable-arity binding constructs. By avoiding the syntactic hassle associated with first-order representation techniques, we achieve a very high degree of proof automation.
Software/proof source code and documentation
Slides are available from my ICFP talk in OpenOffice and PDF formats.
A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language
A compiler for a tiny statically-typed functional programming language, implemented in Coq with a proof of correctness. The main interesting bits are my use of dependently-typed abstract syntax and denotational semantics, along with some engineering tricks for making the task manageable.
We present a certified compiler from the simply-typed lambda calculus to assembly language. The compiler is certified in the sense that it comes with a machine-checked proof of semantics preservation, performed with the Coq proof assistant. The compiler and the terms of its several intermediate languages are given dependent types that guarantee that only well-typed programs are representable. Thus, type preservation for each compiler pass follows without any significant "proofs" of the usual kind. Semantics preservation is proved based on denotational semantics assigned to the intermediate languages. We demonstrate how working with a type-preserving compiler enables type-directed proof search to discharge large parts of our proof obligations automatically.
Software/proof source code and documentation
Slides are available from my PLDI talk in OpenOffice and PDF formats.
Slides are also available from a talk I gave at the Projet Gallium seminar at INRIA Rocquencourt, in OpenOffice and PDF formats.
Modular Development of Certified Program Verifiers with a Proof Assistant
I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.
I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.
Software/proof source code and documentation
Talk slides available in OpenOffice and PDF formats.
A Framework for Certified Program Analysis and Its Applications to Mobile-Code Safety
We propose a new technique in support of the construction of efficient Foundational Proof-Carrying Code systems. Instead of suggesting that pieces of mobile code come with proofs of their safety, we instead suggest that they come with executable verifiers that can attest to their safety, as in our previous work on the Open Verifier. However, in contrast to that previous work, here we do away with any runtime proof generation by these verifiers. Instead, we require that the verifier itself is proved sound. To support this, we present a novel technique for extracting proof obligations about ML programs. Using this approach, we are able to demonstrate the first foundational verification technique for Typed Assembly Language with performance comparable to that of the traditional, uncertified TAL type checker.
A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation.
We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code.
Talk slides available in OpenOffice and PDF formats.
Generating Tests from Counterexamples
We describe how to use the BLAST model checker to generate program test suites that achieve full coverage with respect to a given set of predicates.
We have extended the software model checker Blast to automatically generate test suites that guarantee full coverage with respect to a given predicate. More precisely, given a C program and a target predicate p, Blast determines the set L of program locations which program execution can reach with p true, and automatically generates a set of test vectors that exhibit the truth of p at all locations in L. We have used Blast to generate test suites and to detect dead code in C programs with up to 30K lines of code. The analysis and test-vector generation is fully automatic (no user intervention) and exact (no false positives).
Towards Certified Storage Systems
On verifying functional properties of filesystems in the presence of failures, using proof assistants
On verifying functional properties of filesystems in the presence of failures, using proof assistants
Position Paper: Thoughts on Programming with Proof Assistants
Some thoughts on how Coq is actually in pretty good shape to use today for non-trivial programming with dependent types
Today the reigning opinion about computer proof assistants based on constructive logic (even from some of the developers of these tools!) is that, while they are very helpful for doing math, they are an absurdly heavy-weight solution to use for practical programming. Yet the Curry-Howard isomorphism foundation of proof assistants like Coq gives them clear interpretations as programming environments.
My purpose in this position paper is to make the general claim that Coq is already quite useful today for non-trivial certified programming tasks, as well as to highlight some reasons why you might want to consider using it as a base for your next project in dependently-typed programming.
Talk slides available in OpenOffice and PDF formats.
Cooperative Integration of an Interactive Proof Assistant and an Automated Prover
We show how to combine the interactive proof assistant Coq and the Nelson-Oppen-style automated first-order theorem prover Kettle in a synergistic way. We do this with a Kettle tactic for Coq that uses theory-specific reasoning to simplify goals based on automatically chosen case analyses, returning to the user as subgoals the cases it couldn't prove automatically. The process can then be repeated recursively, using Coq's tactical language as a very expressive extension of the matching strategies found in provers like Simplify. We also discuss how to encode specialized first-order proofs efficiently in Coq using proof by reflection.
We propose a mechanism for semi-automated proving of theorems, using a tactic for the Coq proof assistant that consults a proof-generating Nelson-Oppen-style automated prover. Instead of simply proving or failing to prove a goal, our tactic decides on relevant case splits using theory-specific axioms, proves some of the resulting cases, and returns the remainder to the Coq user as subgoals. These subgoals can then be proved using inductions and lemma instantiations that are beyond the capabilities of the automated prover. We show that the Coq tactic language provides an excellent way to script this process to an extent not supported by current Nelson-Oppen provers. Like with any Coq proof, a separately checkable proof term in a core calculus is produced at the end of any successful proving session where our method is used, and we take advantage of the "proof by reflection" technique to translate the specialized first-order proofs of the automated prover into compact Coq representations.
Talk slides available in OpenOffice and PDF formats.
The <literal>Open Verifier</literal> Framework for Foundational Verifiers
We propose a new framework for the construction of trustworthy program verifiers. The Open Verifier architecture can be viewed as an optimized Foundational Proof-Carrying Code toolkit. Instead of proposing that code producers send proofs of safety with all of their programs, we instead suggest that they send re-usable proof-generating verifiers. The proofs are generated in an online fashion via a novel interaction scheme between the untrusted verifier and the trusted core of the system.
We present the Open Verifier approach for verifying untrusted code using customized verifiers. This approach can be viewed as an instance of foundational proof-carrying code where an untrusted program can be checked using the verifier most natural for it instead of using a single generic type system. In this paper we focus on a specialized architecture designed to reduce the burden of expressing both type-based and Hoare-style verifiers.
A new verifier is created by providing an untrusted executable extension module, which can incorporate directly pre-existing non-foundational verifiers based on dataflow analysis or type checking. The extensions control virtually all aspects of the verification by carrying on a dialogue with the Open Verifier using a language designed both to correspond closely to common verification actions and to carry simple adequacy proofs for those actions.
We prove the soundness of the framework, and we describe our experience implementing proof-carrying code, typed assembly language, and dataflow or abstract interpretation based verifiers in this unified setting.
Type-Based Verification of Assembly Language for Compiler Debugging
A new approach to checking assembly programs in a way similar to that used in the Java Bytecode Verifier. We introduce a novel mixed type/value technique that makes it tractable to deal with some of the "dependent typing" issues that come up. We also present results on using this technique to help students in an undergraduate compilers class debug their class projects.
It is a common belief that certifying compilation, which typically verifies the well-typedness of compiler output, can be an effective mechanism for compiler debugging, in addition to ensuring basic safety properties. Bytecode verification is a fairly simple example of this approach and derives its simplicity in part by compiling to carefully crafted high-level bytecodes. In this paper, we seek to push this method to native assembly code, while maintaining much of the simplicity of bytecode verification. Furthermore, we wish to provide experimental confirmation that such a tool can be accessible and effective for compiler debugging. To achieve these goals, we present a type-based data-flow analysis or abstract interpretation for assembly code compiled from a Java-like language, and evaluate its bug-finding efficacy on a large set of student compilers.
Strict Bidirectional Type Checking
We present a type system that is useful in saving type annotation space in intermediate language terms expressed in the restricted form called "A-normal form" or "one-half CPS." Our approach imports ideas from strict logic, which is based on the idea of hypotheses that must be used at least once. The resulting system is relevant to the efficiency of type-preserving compilers.
Completely annotated lambda terms (such as are arrived at via the straightforward encodings of various types from System F) contain much redundant type information. Consequently, the completely annotated forms are almost never used in practice, since partially annotated forms can be defined which still allow syntax directed typechecking. An additional optimization that is used in some proof and type systems is to take advantage of the context of occurrence of terms to further elide type information using bi-directional typechecking rules. While this technique is generally effective, we show that there exist bi-directional terms which exhibit asymptotic increases in the size of their type decorations when sequentialized into a named-form calculus (a common first step in compilation). In this paper, we introduce a refinement of the bi-directional type system based on strict logic which allows additional type decorations to be eliminated, and show that it is well-behaved under sequentialization.
Developing Certified Program Verifiers with a Proof Assistant
A poster about certified program verifiers in Coq
Abstract about a poster on certified program verifiers in Coq
You can download the poster in OpenOffice or PDF format.
The <literal>Blast</literal> Query Language for Software Verification
We describe a system that combines security automaton-based program specification with a facility for relational-style queries about the possible execution paths of a program.
Blast is an automatic verification tool for checking temporal safety properties of C programs. Blast is based on lazy predicate abstraction driven by interpolation-based predicate discovery. In this paper, we present the Blast specification language. The language specifies program properties at two levels of precision. At the lower level, monitor automata are used to specify temporal safety properties of program executions (traces). At the higher level, relational reachability queries over program locations are used to combine lower-level trace properties. The two-level specification language can be used to break down a verification task into several independent calls of the model-checking engine. In this way, each call to the model checker may have to analyze only part of the program, or part of the specification, and may thus succeed in a reduction of the number of predicates needed for the analysis. In addition, the two-level specification language provides a means for structuring and maintaining specifications.
Generic Programming and Proving for Programming Language Metatheory
UCB/EECS-2007-147
2007
How to do dependently-typed generation of proofs about programming language syntax and semantics
We present a system for both the generic programming of operations that work over classes of tree-structured data types and the automatic generation of formal type-theoretical proofs about such operations. The system is implemented in the Coq proof assistant, using dependent types to validate code and proof generation statically, quantified over all possible input data types. We focus on generic programming of variable-manipulating operations, such as substitution and free variable set calculation, over abstract syntax tree types implemented as GADTs that combine syntax and typing rules. By accompanying these operations with generic lemmas about their interactions, we significantly ease the burden of formalizing programming language metatheory. Our implementation strategy, based on *proof by reflection*, requires users to trust none of its associated code to be able to trust in the validity of theorems derived with it.
Slides are available from a talk I gave at WMM'07, in OpenOffice and PDF formats.
Implementing Certified Programming Language Tools in Dependent Type Theory
UCB/EECS-2007-113
2007
My PhD dissertation, re-presenting the work on certified program verifiers (from ICFP'06) and certified compilers (from PLDI'07)
I present two case studies supporting the assertion that type-based methods enable effective *certified programming*. By certified programming, I mean the development of software with formal, machine-checked total correctness proofs. While the classical formal methods domain is most commonly concerned with after-the-fact verification of programs written in a traditional way, I explore an alternative technique, based on using *dependent types* to integrate correctness proving with programming. I have chosen the Coq proof assistant as the vehicle for these experiments. Throughout this dissertation, I draw attention to features of formal theorem proving tools based on *dependent type theory* that make such tools superior choices for certified programming, compared to their competition.
In the first case study, I present techniques for constructing *certified program verifiers*. I present a Coq toolkit for building foundational memory safety verifiers for x86 machine code. The implementation uses rich *specification types* to mix behavioral requirements with the traditional types of functions, and I mix standard programming practice with tactic-based interactive theorem proving to implement programs of these types. I decompose verifier implementations into libraries of components, where each component is implemented as *a functor that transforms a verifier at one level of abstraction into a verifier at a lower level*. I use the toolkit to assemble a verifier for programs that use algebraic datatypes using only several hundred lines of code specific to its type system.
The second case study presents work in *certified compilers*. I focus in particular on *type-preserving compilation*, where source-level type information is preserved through several statically-typed intermediate languages and used at runtime for such purposes as guiding a garbage collector. I suggest a novel approach to mechanizing the semantics of programming languages, based on *dependently-typed abstract syntax* and *denotational semantics*. I use this approach to certify a compiler from simply-typed lambda calculus to an idealized assembly language that interfaces with a garbage collector through tables listing the appropriate root registers for different program points. Significant parts of the proof effort are automated using type-driven heuristics. I also present a generic programming system for automating construction of syntactic helper functions and their correctness proofs, based on an implementation technique called *proof by reflection*.
Scrap Your Web Application Boilerplate, or Metaprogramming with Row Types
UCB/EECS-2006-120
2006
An overview of a work-in-progress functional programming language that puts dependent types and theorem proving to work to make it easier to write concise and maintainable web applications
I introduce a new functional programming language, called Laconic/Web, for rapid development of web applications. Its strong static type system guarantees that entire sequences of interaction with these applications "can't go wrong." Moreover, a higher-order dependent type system is used to enable statically-checked metaprogramming. In contrast to most dependently-typed programming languages, Laconic/Web can be used by programmers with no knowledge of proof theory. Instead, more expert developers develop libraries that extend the Laconic/Web type checker with type rewrite rules that have proofs of soundness. I compare Laconic/Web against Ruby on Rails, the most well-known representative of a popular class of Web application frameworks based around dynamic languages and runtime reflection, and show that my approach leads both to more concise programs and to better runtime efficiency.
Project web site
A Framework for Certified Program Analysis and Its Applications to Mobile-Code Safety
UCB/ERL M05/32
2005
This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples.
A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation.
We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code.
This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples.
An Untrusted Verifier for Typed Assembly Language
MS Project Report
UCB/ERL M04/41
2004
A summary of my experiences developing a proof-generating TAL type checker within the Open Verifier framework. In the style of Foundational PCC, the soundness of this verifier and the proofs it generates is based on no assumptions about the TAL type system. This was one of the first projects to consider the runtime performance of Foundational PCC-style verification.
I present the results of constructing a fully untrusted verifier for memory safety of Typed Assembly Language programs, using the Open Verifier architecture. The verifier is untrusted in the sense that its soundness depends only on axioms about the semantics of a concrete machine architecture, not on any axioms specific to a type system. This experiment served to evaluate both the expressiveness of the Open Verifier architecture and the quality of its support for simplifying the construction of verifiers. I discuss issues of proof generation that are generally not the focus of previous efforts for foundational checking of TAL, and I contrast with these past approaches the sort of logical formalization that is natural in the context of the Open Verifier. My approach is novel in that it uses direct reasoning about concrete machine states where past approaches have formalized typed abstract machines and proved their correspondence with concrete machines. I also describe a new approach to modeling higher-order functions that uses only first-order logic.
10 papers published at peer-reviewed scholarly conferences; 5 at workshops; 2 journal articles
The End of History? Using a Proof Assistant to Replace Language Design with Library Design
Fiat: A New Take on Domain-Specific Languages by Programming with Specifications
invited talk
Fiat: A New Perspective on Compiling Domain-Specific Languages in a Proof Assistant
invited talk
Rapid Development of Web Applications with Typed Metaprogramming in Ur/Web
invited talk
Bedrock & Fiat: Specifications and Proofs at the Center of a Programming Ecosystem
https://www.youtube.com/watch?v=jE0DY5pS-xY#t=127m4s
The Science of Deep Specification
http://deepspec.org/
panel
Fiat: Extensible Code Generation with Proofs
invited talk
Ur/Web: A Simple Model for Programming the Web
Lectures: Formal Proof for C-Like Programs
An Optimizing Compiler for a Purely Functional Web-Application Language
Phantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs
Lectures: The Coq Proof Assistant and Its Applications to Programming-Language Semantics
Bedrock: A Clean-Slate Platform for Developing Verified Software Inside a Proof Assistant
invited talk
From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification
Ur/Web: A Simple Model for Programming the Web
Proof Engineering: Implementation Challenges in Rigorously Verified Software
invited talk
Bedrock: A Software Development Ecosystem Inside a Proof Assistant
http://talks.cam.ac.uk/talk/index/56590
Correct-by-Construction Program Synthesis in Coq
invited talk
Ur/Web: A Simple Model for Programming the Web
Ur/Web: A Simple Model for Programming the Web
Bedrock: A Foundational Proof-Carrying Code Platform with Functional Correctness Proofs
invited talk
Ur/Web: Streamlined Web Apps via Fancy Types
invited talk
Ur/Web: Taking Syntax Seriously
invited talk
Adventures in Knot-Tying while Verifying a Thread Library in Coq
The Bedrock Structured Programming System: Combining Generative Metaprogramming and Hoare Logic in an Extensible Program Verifier
A Taste of Effective Coq Proof Automation
invited tutorial
http://adam.chlipala.net/popltut13/
Web Security via Types and Theorem-Proving in the Ur/Web Programming Language
Web Security via Types and Theorem-Proving in the Ur/Web Programming Language
Bedrock: Higher-Order and Automated Proofs about Low-Level Programs
invited talk
Ur/Web, a Domain-Specific Functional Programming Language for Modern Web Applications
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic
Ur/Web, a Domain-Specific Functional Programming Language for Modern Web Applications
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications
Foundational Program Verification in Coq with Automated Proofs
invited tutorial
http://adam.chlipala.net/msfp10/
Ur/Web, a Domain-Specific Functional Programming Language for Modern Web Applications
Ur/Web: A Statically-Typed Language for Building Web Applications from Components
invited talk
A Bottom-Up Approach to Safe Low-Level Programming
invited talk
Generating Pieces of Web Applications with Type-Level Programming
Ur: Statically-Typed Metaprogramming with Type-Level Record Computation
Safe Database Abstractions with Type-Level Record Computation
invited talk
A Sane Approach to Modern Web Application Development
A Verified Compiler for an Impure Functional Language
Towards the Ultimate Web Application Framework, via Fancy Types
Syntactic Proofs of Compositional Compiler Correctness
Metaprogramming AJAX Apps with Static Types
http://www.impredicative.com/ur/defun09/
Engineering a Verified Functional Language Compiler
invited talk
Effective Interactive Proofs for Higher-Order Imperative Programs
Metaprogramming AJAX Apps with Static Types
Liberating Semi-Automated PL Proofs from Binder Bookkeeping
Liberating Semi-Automated PL Proofs from Binder Bookkeeping
Statically-Checked Metaprogramming for Web Applications
Parametric Higher-Order Abstract Syntax for Mechanized Semantics
Generic Programming and Proving for Programming Language Metatheory
A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language
A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language
A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language
Modular Development of Certified Program Verifiers with a Proof Assistant
Position Paper: Thoughts on Programming with Proof Assistants
Cooperative Integration of an Interactive Proof Assistant and an Automated Prover
Developing Sound Program Analysis Tools by Programming with Proofs
A Framework for Certified Program Analysis and Its Applications to Mobile-Code Safety
Proof-Carrying Verifiers
The <literal>Open Verifier</literal> Framework for Foundational Verifiers
SAP HANA TechDays
https://www.sap.com/products/hana.html
August 2017
Google Academic Security and Privacy Research Summit
https://sites.google.com/view/securitysummit2017/
June 2017
NII Shonan Seminar #98: Language integrated queries: towards standard logics for big data analytics
http://shonan.nii.ac.jp/seminar/seminardetails098/
May 2017
ISAT Workshop: Augmented Developers: Tools for Hybrid Man-Machine Software Engineering
February 2017
Dagstuhl Seminar #15191: Compositional Verification Methods for Next-Generation Concurrency
http://www.dagstuhl.de/15191/
May 2015
Dagstuhl Seminar #10351: Modelling, Controlling and Reasoning About State
http://www.dagstuhl.de/10351/
August 2010
Doctor of Philosophy (PhD) in Computer Science
PhD, MS, Computer Science
8
2003
9
2007
4.0
Master of Science (MS) in Computer Science
MS, Computer Science
12
2004
Bachelor of Science (BS) in Computer Science with a minor in Mathematical Sciences and University Honors
BS, Computer Science
8
2000
5
2003
4.0
High school diploma
9
1996
6
2000
Associate Professor without Tenure of Computer Science
7
2015
Assistant Professor of Computer Science
7
2011
6
2015
Douglas T. Ross (1954) Career Development Professor of Software Technology
7
2012
6
2015
MIT
Postdoctoral Fellow
Harvard University
6
2008
6
2011
Led a reimplementation of the Ynot system, with a focus on proof automation
Research on cost-effective program verification
certified programming class, Harvard University
Instructor
9
2008
1
2009
OCaml Hacker
Jane Street Capital
9
2007
4
2008
Graduate Student Researcher
UC Berkeley CS Division
9
2003
8
2007
Investigated implementation of program verification tools with proofs of correctness, using dependent types in the Coq proof assistant
Implemented infrastructure for the Open Verifier and Certified Program Verifiers systems
Developed untrusted plug-ins for memory safety of x86 Typed Assembly Language for those systems, including soundness proofs in the Coq proof assistant
computer theorem proving class, UC Berkeley CS Division
Instructor
8
2006
12
2006
Microsoft Research Redmond
Research Intern
6
2005
8
2005
Designed and implemented an extensible bytecode verifier based on linear logic, and used this verifier to check properties such as manual memory management and message-passing protocols for untrusted process code in the Singularity operating system
Graduate Student Instructor
1
2005
5
2005
Ran discussion sections
Graded weekly homework assignments
Held office hours
Graduate Student Researcher
6
2003
8
2003
Implemented processing for an intuitive language for specifying safety properties of C programs to be verified by the BLAST model checker
Implemented context-free reachability to extend BLAST to verify recursive programs
CMU CS Department
Research Assistant
6
2002
5
2003
Implemented improvements to the mid-level intermediate language of the TILT compiler, along with assorted optimizations
Studied the problem of efficient type-checking of ML-like intermediate languages in flattened forms analogous to traditional compiler intermediate languages
ML programming class, CMU CS Department
Teaching Assistant
1
2002
5
2002
Taught a weekly recitation section
Created homework assignments and exam questions
Held weekly office hours
Graded assignments and exams
Intern/Software Developer
6
2001
8
2001
Developed a database-driven intranet web site to facilitate technology transfer between research and development
Trifecta Technologies
Software Developer
1998
2000
Designed and coded business and presentation logic for electronic commerce web sites using IBM WebSphere Commerce Suite
ACM Senior Member
http://awards.acm.org/senior/
2016
National Science Foundation CAREER Award
http://www.nsf.gov/awardsearch/showAward?AWD_ID=1253229
2012
National Defense Science and Engineering Graduate Fellowship
http://ndseg.asee.org/
2004
National Science Foundation Graduate Research Fellowship
http://www.nsfgrfp.org/
2004
California Microelectronics Fellowship
8
2003
5
2004
Phi Kappa Phi
http://www.phikappaphi.org/
Phi Beta Kappa
http://www.pbk.org/
National Science Foundation Graduate Research Fellowship
http://www.nsfgrfp.org/
2003
Andrew Carnegie Scholarship
http://my.cmu.edu/site/admission/menuitem.18c40008673813c019300710d4a02008/
8
2000
5
2003
Summer School on Software Security: Theory to Practice
http://www.cs.uoregon.edu/Activities/summerschool/summer04/
6
2004
Ur/Web, a domain-specific programming language design and implementation supporting metaprogramming of web applications with strong static guarantees
Cooperative Internet hosting tools, including DomTool, a domain-specific language in support of shared UNIX system configuration by mutually-untrusting users
Dynamic web site tools for Standard ML, including separately usable libraries for accessing SQL databases
Founder of HCoop, Inc., a democratically run Internet hosting cooperative
Main administrator and organizer, Teen Programmers Unite, 1997-2001
ML, Coq, C
F#, Java, SQL, x86 and Z80 assembly languages
Haskell, C++, XSLT
Twelf, Scheme, Common Lisp, Prolog, C#, Visual Basic, UNIX shell scripting, Perl
Apache, djbdns, Courier IMAP, Exim, Mailman, SpamAssassin
Correct-by-Construction and Automatic Generation of Elliptic Curve Cryptography Primitives
Google Research Award
CSR: Medium: A High-Performance Certified File System and Applications
NSF CNS
RINGS: Regenerative, INtent-Guided Systems
DARPA BRASS program
Collaborative Research: Expeditions in Computing: The Science of Deep Specification
NSF Expeditions in Computing
SHF: Medium: Fiat: Correct-by-Construction and Mostly Automated Derivation of Programs with an Interactive Theorem Prover
NSF CCF
A Trust Anchor Secure Language via the Bedrock Platform
Google ATAP Trust Anchor program
Cybersecurity project
QCRI-CSAIL joint program
CAREER: A Formal Verification Platform Focused on Programmer Productivity
NSF CCF
SHF: Small: Capitalizing on First-Class SQL Support in the Ur/Web Programming Language
NSF CCF
CAP^{3}: A Computer Aided Performance Programming Platform
DoE X-Stack program
CARS: A Platform for Scaling Formal Verification to Component-Based Vehicular Software Stacks
DARPA HACMS program
Safe but Unsandboxed Native Code in the Browser
Google Research Award