Adam Chlipala
Cambridge, MA
USA
adamc@csail.mit.edu
http://adam.chlipala.net/
Cambridge, MA
adam@chlipala.net; http://adam.chlipala.net/
http://adam.chlipala.net/cv.html
Not currently seeking employment
Design and implementation of computer systems supporting programmer productivity, correctness, security, and performance (including compilers, computer architecture, cryptography, databases, and operating systems)
Design, implementation, and applications of interactive proof assistants
Programming languages (broadly construed to include all development tools) and formal methods (for software and hardware)
Computer theorem proving
Certified type-preserving compilers
http://ltamer.sf.net/
Verifying imperative programs
http://ynot.cs.harvard.edu/
Design, implementation, and analysis of functional programming languages
Statically typed metaprogramming for web apps
http://www.impredicative.com/ur/
Static types for system configuration
http://wiki.hcoop.net/DomTool
American citizen
January
February
March
April
May
June
July
August
September
October
November
December
Andrew Wright
https://www.rle.mit.edu/isg/people_andy_wright.htm
Adam Chlipala
http://adam.chlipala.net/
Alex Konradi
https://www.linkedin.com/in/alex-konradi-89604081/
Alice Lee
https://www.linkedin.com/in/alicerlee
Anders Kaseorg
https://github.com/andersk
Andres Erbsen
https://andres.systems/
Antonis Stampoulis
http://astampoulis.github.com/
Arthur Charguéraud
https://www.chargueraud.org/
Andrew W. Appel
https://www.cs.princeton.edu/~appel/
Arvind
http://csg.csail.mit.edu/Users/arvind/
Ashley Lin
https://github.com/ashley-lin
Atalay Ileri
https://github.com/Atalay-Ileri
Benjamin C. Pierce
http://www.cis.upenn.edu/~bcpierce/
Evan Chang
Bor-Yuh Evan Chang
http://www.cs.colorado.edu/~bec/
Benjamin Delaware
https://www.cs.purdue.edu/homes/bendy/
Dirk Beyer
http://www.sosy-lab.org/~dbeyer/
Benjamin Kaiser
https://benkaiser.org/
Thomas Braibant
http://braibant.github.io/
Thomas Bourgeat
https://people.csail.mit.edu/bthom/
Chitchanok Chuengsatiansup
https://cs.adelaide.edu.au/~cchuengs/
Chuyue Sun
http://web.mit.edu/chuyues/www/
Christian J. Bell
http://people.csail.mit.edu/cj/
Clark Wood
https://www.linkedin.com/in/clark-wood/
Clément Pit-Claudel
http://pit-claudel.fr/clement/
Santiago Cuellar
http://scholar.princeton.edu/scuellar/
Karl Crary
http://www.cs.cmu.edu/~crary/
Daniel Park
https://dancwpark.com/
David Wu
https://github.com/daviduwu9
Dustin Jamner
https://jamner.net/
Di Wang
https://www.cs.cmu.edu/~diw3/
Daniel Ziegler
http://events.ccc.de/congress/2014/Fahrplan/speakers/5081.html
David Spivak
http://math.mit.edu/~dspivak/
Samuel Duchovni
https://github.com/sdukhovni
Lennart Beringer
https://www.cs.princeton.edu/~eberinge/
Edward Z. Yang
http://ezyang.com/
Daniel Genkin
https://faculty.cc.gatech.edu/~genkin/
Gilbert Bernstein
http://www.gilbertbernstein.com/
Gabriel Kammer
https://github.com/Gab601
Gregory Malecha
https://gmalecha.github.io/
Greg Morrisett
http://www.cs.cornell.edu/~jgm/
Thomas Gregoire
https://www.linkedin.com/in/thgregoire1
Samuel Gruetter
https://samuelgruetter.net/
Haogang Chen
http://pdos.csail.mit.edu/~hchen/
Ian Clester
https://ijc8.me/
Mirai Ikebuchi
https://mir-ikbch.github.io/
Jade Philipoom
https://github.com/jadephilipoom
Jason Gross
https://jasongross.github.io/
Ranjit Jhala
http://goto.ucsd.edu/~rjhala/
Joel Kuepper
https://researchers.adelaide.edu.au/profile/joel.kuepper
Joonwon Choi
http://joonwon.net/c/
Jonathan Ragan-Kelley
http://people.csail.mit.edu/jrk/
Frans Kaashoek
http://pdos.csail.mit.edu/~kaashoek/
Martine Kalke
https://www.ll.mit.edu/biographies/martine-m-kalke
Eddie Kohler
http://read.seas.harvard.edu/~kohler/
Katherine Ye
https://www.cs.cmu.edu/~kqy/
Amanda Liu
http://people.csail.mit.edu/lamanda/
Mohsen Lesani
https://mohsenlesani.github.io/
David Lazar
http://www.csail.mit.edu/user/3604
Leaf Petersen
http://www.leafpetersen.com/
Brian Lucena
https://www.linkedin.com/in/brianlucena/
Luke Sciarappa
https://github.com/lsciarappa
Manuel Fahndrich
http://fahndrich.com/
Michael Carbin
http://people.csail.mit.edu/mcarbin/
Michael Erdmann
http://www.cs.cmu.edu/~me/
Miraya Poddar-Agrawal
https://www.linkedin.com/in/rajashreeagrawal/
Nirav Dave
http://people.csail.mit.edu/ndave/
George Necula
George C. Necula
http://www.cs.berkeley.edu/~necula/
Nickolai Zeldovich
http://people.csail.mit.edu/nickolai/
Owen Conoly
https://www.csail.mit.edu/person/owen-conoly
Patrick Hulin
https://www.linkedin.com/in/patrick-hulin-027939109/
Pratap Singh
https://pratap.dev/
Robert Cunningham
https://www.research.pitt.edu/people/robert-k-cunningham
Robert Sloan
https://blog.modt.io/
Rupak Majumdar
http://www.mpi-sws.org/~rupak/
Robert Harper
http://www.cs.cmu.edu/~rwh/
Ryan Wisnesky
http://wisnesky.net/
Robert Schneck
Robert R. Schneck
http://tupelo-schneck.org/robert/
Zhong Shao
http://www.cs.yale.edu/homes/shao/
Shardul Chiplunkar
https://etaoin-shrdlu.xyz/
Benjamin Sherman
http://www.ben-sherman.net/
Avraham Shinnar
http://researcher.watson.ibm.com/researcher/view.php?person=us-shinnar
Sorawit Suriyakarn
https://github.com/sorawit
Stella Lau
https://people.csail.mit.edu/stellal/
Steve Zdancewic
http://www.cis.upenn.edu/~stevez/
Stephanie Wang
https://github.com/stephanie-wang
Stephanie Weirich
http://www.cis.upenn.edu/~sweirich/
Samuel Tian
https://github.com/samuel-tian
Thomas Henzinger
http://pub.ist.ac.at/~tah/
Timothy Braje
https://www.ll.mit.edu/biographies/timothy-m-braje
Tej Chajed
https://github.com/tchajed
Théo Zimmermann
https://www.theozimmermann.net/en/
Viktor Fukala
https://www.linkedin.com/in/viktor-fukala/
Muralidaran Vijayaraghavan
http://people.csail.mit.edu/vmurali/
Markus Wagner
http://www.acrocon.com/~wagner/
Andrew Wagner
https://github.com/a-wagner
Peng Wang
http://people.csail.mit.edu/wangpeng/
Jeannette Wing
http://www.cs.cmu.edu/~wing/
Xi Wang
http://homes.cs.washington.edu/~xi/
Li-yao Xia
https://poisson.chat/
Qianchuan Ye
https://www.cs.purdue.edu/homes/ye202/
Yuval Yarom
https://cs.adelaide.edu.au/~yval/
Ziv Scully
http://ziv.codes/
Zachary Tatlock
http://homes.cs.washington.edu/~ztatlock/
Avaya Communication
Avaya
Holmdel
NJ
http://www.avaya.com/
Carnegie Mellon University
Pittsburgh
PA
http://www.cmu.edu/
Computer Science Department
http://www.cs.cmu.edu/
15-212: Principles of Programming
(introduction to formal reasoning about programs and functional programming with Standard ML)
15-212
http://www.cs.cmu.edu/~me/courses/212/
The TILT type-directed Standard ML compiler project
TILT
http://www.cs.cornell.edu/home/jgm/tilt.html
IEEE Computer Society Press
IEEE
http://www.ieee.org/
Cambridge University Press
CUP
http://www.cambridge.org/
Harvard University
Harvard
Cambridge
MA
http://www.harvard.edu/
School of Engineering and Applied Sciences
http://www.seas.harvard.edu/
COMPSCI 252: Certified Programming with Dependent Types
CS252
http://www.cs.harvard.edu/~adamc/cpdt/
Microsoft Research
MSR
http://research.microsoft.com/
Software Productivity Tools group
Redmond
WA
SPT
The Singularity project
Singularity
http://research.microsoft.com/os/singularity/
IBM Research
IBM
http://research.ibm.com/
IBM Watson Research Center
Hawthorne
NY
IBM Watson
University of Oregon
http://www.uoregon.edu/
Trifecta Technologies
Trifecta
Allentown
PA
http://www.trifecta.com/
University of California, Berkeley
Berkeley
http://www.berkeley.edu/
Electrical Engineering and Computer Science Department
EECS
http://www.eecs.berkeley.edu/
Computer Science Division
CS
http://www.cs.berkeley.edu/
The BLAST project
http://cseweb.ucsd.edu/~rjhala/blast.html
BLAST
CS172: Computability and Complexity
http://inst.eecs.berkeley.edu/~cs172/sp05/
CS172
The Open Verifier project
Open Verifier
CS294-9: Interactive Computer Theorem Proving
CS294-9
http://adam.chlipala.net/itp/
UC Berkeley EECS Department
http://www.eecs.berkeley.edu/
Massachusetts Institute of Technology
MIT
http://www.mit.edu/
Department of Electrical Engineering and Computer Science
EECS
http://www.eecs.mit.edu/
Computer Science and Artificial Intelligence Laboratory
CSAIL
http://www.csail.mit.edu/
Emmaus High School
Emmaus, PA
http://www.eastpennsd.org/ehs/
Association for Computing Machinery
ACM
http://www.acm.org/
IEEE
http://www.ieee.org/
Royal Society
Royal Society
https://royalsociety.org/
Springer-Verlag
Springer-Verlag
http://www.springer.de/comp/lncs
Elsevier
http://www.elsevier.com/
Jane Street Capital
Jane Street Capital
http://www.janestreet.com/
26th International Conference on Software Engineering
ICSE'04
http://www.icse-conferences.org/2004/index.html
2004
Edinburgh, Scotland
11th Static Analysis Symposium
SAS'04
http://profs.sci.univr.it/~sas04/
2004
Verona, Italy
9th ACM SIGPLAN International Conference on Functional Programming
ICFP'04
http://www.cs.indiana.edu/icfp04/
Snowbird, Utah, USA
2004
2nd ACM SIGPLAN Workshop on Types in Language Design and Implementation
TLDI'05
http://research.microsoft.com/~maf/tldi05/
2005
Long Beach, California, USA
12th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning
http://www.lpar.net/2005/
LPAR'05
Montego Bay, Jamaica
2005
7th International Conference on Verification, Model Checking, and Abstract Interpretation
http://www.informatik.uni-trier.de/~ley/db/conf/vmcai/vmcai2006.html
VMCAI'06
2006
Charleston, South Carolina, USA
21st Annual IEEE Symposium on Logic in Computer Science
http://www.easychair.org/FLoC-06/LICS.html
LICS'06
2006
Seattle, Washington, USA
11th ACM SIGPLAN International Conference on Functional Programming
http://icfp06.cs.uchicago.edu/
ICFP'06
2006
Portland, Oregon, USA
4th ASIAN Symposium on Programming Languages and Systems
http://www.kb.ecei.tohoku.ac.jp/aplas2006/
APLAS'06
2006
Sydney, Australia
International Workshop on Proof-Carrying Code
http://www.cs.stevens.edu/~abc/PCC-Workshop.html
PCC'06
2006
Seattle, Washington, USA
6th International Workshop on Strategies in Automated Deduction
http://www.easychair.org/FLoC-06/Strategies.html
STRATEGIES'06
2006
Seattle, Washington, USA
Programming Languages meets Program Verification Workshop
http://www.easychair.org/FLoC-06/PLPV.html
PLPV'06
2006
Seattle, Washington, USA
3nd ACM SIGPLAN Workshop on Types in Language Design and Implementation
TLDI'07
http://www.cs.berkeley.edu/~necula/tldi07/
2007
Nice, France
ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation
PLDI'07
http://ties.ucsd.edu/PLDI/
2007
San Diego, California, USA
2005 Open Source Quality Project Retreat
Open Source Quality Project Retreat
http://www.cs.berkeley.edu/~bodik/OSQ05.htm
2005
2006 Open Source Quality Project Retreat
Open Source Quality Project Retreat
http://www.cs.berkeley.edu/~bodik/OSQ06.htm
2006
2007 Open Source Quality Project Retreat
Open Source Quality Project Retreat
http://www.eecs.berkeley.edu/~sseshia/OSQ07.htm
2007
Projet Gallium seminar
http://www-c.inria.fr/Internet/rendez-vous/seminaires-des-equipes-de-recherche/a-certified-type-preserving-compiler-from-lambda-calculus-to-assembly-language
2007
18th International Conference on Term Rewriting and Applications
RTA'07
http://www.lsv.ens-cachan.fr/rdp07/rta.html
2007
Paris, France
2nd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory
WMM'07
http://www.cis.upenn.edu/~sweirich/wmm/wmm07.html
Freiburg, Germany
2007
35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'08
http://www.cs.ucsd.edu/popl/08/
2008
San Francisco, California, USA
9th International Conference on Verification, Model Checking and Abstract Interpretation
VMCAI'08
http://www.cs.uic.edu/vmcai08/
2008
San Francisco, California, USA
ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation
PLDI'08
http://pldi2008.cs.ucr.edu/
2008
Tucson, Arizona, USA
3rd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory
WMM'08
http://www.cis.upenn.edu/~sweirich/wmm/wmm08.html
2008
Victoria, British Columbia, Canada
13th ACM SIGPLAN International Conference on Functional Programming
ICFP'08
http://www.icfpconference.org/icfp2008/
2008
Victoria, British Columbia, Canada
36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'09
http://www.cs.ucsd.edu/popl/09/
2009
Savannah, Georgia, USA
4th ACM SIGPLAN Workshop on Types in Language Design and Implementation
TLDI'09
http://ttic.uchicago.edu/~amal/tldi2009/
2009
Savannah, Georgia, USA
18th European Symposium on Programming
ESOP'09
http://esop09.pps.jussieu.fr/
2009
York, United Kingdom
21st New England Programming Languages and Systems Symposium
NEPLS 21
http://www.nepls.org/Events/21/
2008
Cambridge, MA, USA
2008 TYPES Meeting
TYPES'08
http://types2008.di.unito.it/
2008
Torino, Italy
ACM SIGPLAN 2009 Conference on Programming Language Design and Implementation
PLDI'09
http://www-plan.cs.colorado.edu/~pldi09/
2009
Dublin, Ireland
4th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice
LFMTP'09
http://workshops.inf.ed.ac.uk/lfmtp/
2009
Montreal, Canada
Boston University Programming Languages Reading Group
http://www.church-project.org/reading-group/reading-group.html
2009
Northeastern University Programming Languages Seminar
http://www.ccs.neu.edu/home/wand/pl-seminar/
2009
Microsoft Research Redmond
http://research.microsoft.com/
2009
14th ACM SIGPLAN International Conference on Functional Programming
ICFP'09
http://www.cs.nott.ac.uk/~gmh/icfp09.html
2009
Edinburgh, Scotland
4th Informal ACM SIGPLAN Workshop on Mechanizing Metatheory
WMM'09
http://www.cis.upenn.edu/~sweirich/wmm/wmm09.html
2009
Edinburgh, Scotland
ACM SIGPLAN Developer Tracks on Functional Programming
DEFUN'09
http://www.defun2009.info/
2009
Edinburgh, Scotland
New Jersey Programming Languages and Systems Seminar
NJPLS
http://www.njpls.org/oct09.html
2009
Bethlehem, PA, USA
New England F# User Group
New England F# User Group
http://www.fsug.org/
2009
Cambridge, MA, USA
37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'10
http://www.cse.psu.edu/popl/10/
2010
Madrid, Spain
Programming Languages meets Program Verification Workshop
http://slang.soe.ucsc.edu/plpv10/
PLPV'10
2010
Madrid, Spain
Boston Lisp
Boston Lisp
http://common-lisp.net/project/boston-lisp/
2010
Cambridge, MA, USA
13th International Conference on Foundations of Software Science and Computation Structures
FoSSaCS'10
http://users.comlab.ox.ac.uk/luke.ong/FoSSaCS2010/
2010
Paphos, Cyprus
Sixteenth International Conference on Tools and Algorithms for the Construction and Analysis of Systems
TACAS'10
http://tacas10.in.tum.de/
2010
Paphos, Cyprus
ACM SIGPLAN 2010 Conference on Programming Language Design and Implementation
PLDI'10
http://cs.stanford.edu/pldi10/
2010
Toronto, Canada
The Second Coq Workshop
Coq-2
http://coq.inria.fr/coq-workshop/2010
2010
Edinburgh, Scotland
Dependently Typed Programming 2010
DTP'10
http://sneezy.cs.nott.ac.uk/darcs/dtp10/
2010
Edinburgh, Scotland
2nd Workshop on Module Systems and Libraries for Proof Assistants
MLPA'10
http://kwarc.info/frabe/events/mlpa-10.html
2010
Edinburgh, Scotland
Emerging Languages Camp 2010
Emerging Languages Camp 2010
http://emerginglangs.com/
2010
Portland, OR, USA
Mathematically Structured Functional Programming 2010
MSFP'10
http://cs.ioc.ee/msfp/msfp2010/
2010
Baltimore, MD, USA
9th USENIX Symposium on Operating Systems Design and Implementation
OSDI'10
http://www.usenix.org/event/osdi10/
2010
Vancouver, BC, Canada
5th International Workshop on Systems Software Verification
SSV'10
http://usenix.org/events/ssv10/
2010
Vancouver, BC, Canada
Twenty-sixth Conference on the Mathematical Foundations of Programming Semantics
MFPS'10
http://www.math.tulane.edu/~mfps/mfps26/MFPS_XXVI.html
2010
Ottawa, Ontario, Canada
12th International Symposium on Principles and Practice of Declarative Programming
PPDP'10
http://www.risc.uni-linz.ac.at/about/conferences/ppdp2010/
2010
Hagenberg, Austria
5th International Workshop on Higher-Order Rewriting
HOR'10
http://hor.pps.jussieu.fr/10/
2010
Edinburgh, Scotland
COPLAS, ITU Copenhagen
http://www.coplas.org/
2010
15th ACM SIGPLAN International Conference on Functional Programming
ICFP'10
http://www.icfpconference.org/icfp2010/
2010
Baltimore, MD, USA
First International Workshop on Relations and Data Integrity Constraints and Languages
RADICAL'10
http://research.microsoft.com/en-us/um/people/adg/RADICAL2010/
2010
Cambridge, England
MIT PL Working Group
MIT PL Working Group
http://people.csail.mit.edu/jeanyang/pl/
2010
Cambridge, MA, USA
Third International Workshop on Graph Computation Models
GCM'10
http://gcm-events.org/gcm2010/
2010
Enschede, The Netherlands
38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'11
http://www.cse.psu.edu/popl/11/
2011
Austin, TX, USA
Twelfth International Conference on Verification, Model Checking, and Abstract Interpretation
VMCAI'11
http://vmcai11.cis.ksu.edu/
2011
Austin, TX, USA
20th European Symposium on Programming
ESOP'11
http://software.imdea.org/~gbarthe/esop11/
2011
Saarbrücken, Germany
22nd International Conference on Rewriting Techniques and Applications
RTA'11
http://www.rdp2011.uns.ac.rs/rta/
2011
ACM SIGPLAN 2011 Conference on Programming Language Design and Implementation
PLDI'11
http://pldi11.cs.utah.edu/
2011
San Jose, CA, USA
UC Berkeley
UC Berkeley
2011
Berkeley, CA, USA
Workshop on Foundations of Computer Security
FCS'11
http://www.di.ens.fr/~blanchet/fcs11/
2011
Toronto, ON, Canada
Syntax and Semantics of Low-Level Languages
LOLA'11
http://flint.cs.yale.edu/lola2011/
2011
Toronto, ON, Canada
IBM Watson Research Center
IBM Watson Research Center
2011
Hawthorne, NY, USA
CSAIL Student Workshop
CSAIL Student Workshop
http://projects.csail.mit.edu/csw/2011/
2011
Beverly, MA, USA
The Third Coq Workshop
Coq-3
http://www.cs.ru.nl/~spitters/coqw.html
2011
Nijmegen, Holland
6th International Workshop on Systems Software Verification
SSV'11
https://es.fbk.eu/events/ssv2011/
2011
Nijmegen, Holland
16th ACM SIGPLAN International Conference on Functional Programming
ICFP'11
http://www.icfpconference.org/icfp2011/
2011
Tokyo, Japan
39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'12
http://www.cse.psu.edu/popl/12/
2012
Philadelphia, PA, USA
7th ACM SIGPLAN Workshop on Types in Language Design and Implementation
TLDI'12
http://www.cis.upenn.edu/~bcpierce/tldi12/
2012
Philadelphia, PA, USA
Fourth International Conference on Verified Software: Theories, Tools, and Experiments
VSTTE'12
https://sites.google.com/site/vstte2012/
2012
Philadelphia, PA, USA
24th International Conference on Computer Aided Verification
CAV'12
http://cav12.cs.illinois.edu/
2012
Berkeley, CA, USA
The Fourth Coq Workshop
Coq-4
http://coq.inria.fr/coq-workshop/2012
2012
Princeton, NJ, USA
15th International Conference on Foundations of Software Science and Computation Structures
FoSSaCS'12
http://www.itu.dk/research/fossacs-2012/
2012
Tallinn, Estonia
Interactive Theorem Proving - Third International Conference
ITP'12
http://www.cs.princeton.edu/~eberinge/itp12/web/Home.html
2012
Princeton, NJ, USA
7th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice
LFMTP'12
http://people.csail.mit.edu/adamc/lfmtp12/
2012
Copenhagen, Denmark
IEEE Symposium on Security & Privacy 2012
S&P'12
http://www.ieee-security.org/TC/SP2012/
2012
San Francisco, CA, USA
ACM SIGPLAN Haskell Symposium 2012
Haskell'12
http://www.haskell.org/haskell-symposium/2012/
2012
Copenhagen, Denmark
26th New England Programming Languages and Systems Symposium
NEPLS 26
http://www.nepls.org/Events/26/home.html
2012
Portland, ME, USA
2nd International Conference on Certified Programs and Proofs
CPP'12
http://cpp12.kuis.kyoto-u.ac.jp/
2012
Kyoto, Japan
15th International Symposium on Practical Aspects of Declarative Languages
PADL'13
http://www.it.uu.se/conf/padl2013/
2013
Rome, Italy
Data Driven Functional Programming Workshop 2013
DDFP'13
http://research.microsoft.com/en-us/events/ddfp2013/
2013
Rome, Italy
Symposium on Logical Foundations of Computer Science 2013
LFCS'13
http://lfcs.info/lfcs13/
2013
San Diego, California, USA
16th International Conference on Foundations of Software Science and Computation Structures
FoSSaCS'13
http://www.informatik.uni-trier.de/~ley/db/conf/fossacs/
2013
?
ACM SIGPLAN 2013 Conference on Programming Language Design and Implementation
PLDI'13
http://pldi2013.ucombinator.org/
2013
Seattle, Washington, USA
40th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'13
http://popl.mpi-sws.org/2013/
2013
Rome, Italy
POPL 2013 TutorialFest
POPL'13 TutorialFest
http://wrigstad.com/popl13/tutorialfest.html
2013
Rome, Italy
43th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
DSN'13
http://2013.dsn.org/
2013
Budapest, Hungary
Interactive Theorem Proving - Fourth International Conference
ITP'13
http://itp2013.inria.fr/
2013
Rennes, France
22nd USENIX Security Symposium
USENIX Security'13
https://www.usenix.org/conference/usenixsecurity13
2013
Washington, D.C., USA
Functional Programming Concepts in Domain-Specific Languages
FPCDSL'13
http://quantum.bbn.com/FPCDSL/
2013
Boston, MA, USA
25th International Conference on Computer Aided Verification
CAV'13
http://cav2013.forsyte.at/
2013
Saint Petersburg, Russia
8th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice
LFMTP'13
http://complogic.cs.mcgill.ca/lfmtp13
2013
Boston, MA, USA
18th ACM SIGPLAN International Conference on Functional Programming
ICFP'13
http://www.icfpconference.org/icfp2013/
2013
Boston, MA, USA
The 2nd ACM SIGPLAN Workshop on Higher-Order Programming with Effects
HOPE'13
http://hope2013.mpi-sws.org/
2013
Boston, MA, USA
15th International Symposium on Principles and Practice of Declarative Programming
PPDP'13
http://users.ugent.be/~tschrijv/PPDP2013/
2013
Madrid, Spain
Programming Languages meets Program Verification Workshop
http://www.cse.chalmers.se/~nad/plpv-2014/
PLPV'14
2014
San Diego, CA, USA
41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'14
http://popl.mpi-sws.org/2014/
2014
San Diego, CA, USA
Workshop on Secure Cloud and Reactive Internet Programming Technology
SCRIPT'13
http://soft.vub.ac.be/script/
2013
Brussels, Belgium
23rd European Symposium on Programming
ESOP'14
http://flint.cs.yale.edu/esop2014/
2014
Grenoble, France
2014 USENIX Annual Technical Conference
USENIX ATC'14
https://www.usenix.org/conference/atc14
2014
Philadelphia, PA, USA
IHP Workshop on Certification of High-Level and Low-Level Programs
IHP Workshop on Certification of High-Level and Low-Level Programs
https://ihp2014.pps.univ-paris-diderot.fr/doku.php?id=workshop_5
2014
Paris, France
9th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice
LFMTP'14
http://complogic.cs.mcgill.ca/lfmtp14/
2014
Vienna, Austria
5th International Conference on Interactive Theorem Proving
ITP'14
http://www.cs.uwyo.edu/~ruben/itp-2014/
2014
Vienna, Austria
19th ACM SIGPLAN International Conference on Functional Programming
ICFP'14
http://www.icfpconference.org/icfp2014/
2014
Gothenburg, Sweden
Boston Haskell
Boston Haskell
http://www.meetup.com/Boston-Haskell/events/190579132/
2014
Cambridge, MA
Kyoto University RIMS
Kyoto University RIMS
http://www.kurims.kyoto-u.ac.jp/en/
2014
Kyoto, Japan
Theorem proving and provers for reliable theory and implementations
TPP'14
http://imi.kyushu-u.ac.jp/lasm/tpp2014/
2014
Fukuoka, Japan
Microsoft Research Cambridge, PPT Group
Microsoft Research Cambridge, PPT Group
http://research.microsoft.com/en-us/groups/ppt/
2014
Cambridge, England
11th USENIX Symposium on Operating System Design and Implementation
OSDI'14
https://www.usenix.org/conference/osdi14/
2014
Broomfield, CO, USA
2014 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications
OOPSLA'14
http://2014.splashcon.org/track/oopsla2014
2014
Portland, OR, USA
42nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'15
http://popl.mpi-sws.org/2015/
2015
Mumbai, India
POPL'15 Student Research Competition
SRC
http://popl.mpi-sws.org/2015/posters2.html
2015
Mumbai, India
ACM SIGPLAN Programming Languages Mentoring Workshop 2015
PLMW'15
http://plmw15.iisc-seal.net/
2015
Mumbai, India
The First International Workshop on Coq for PL
CoqPL'15
http://coqpl.cs.washington.edu/
2015
Mumbai, India
24th European Symposium on Programming
ESOP'15
http://conf.researchr.org/home/esop-2015
2015
London, United Kingdom
30th Annual ACM/IEEE Symposium on Logic in Computer Science
http://lics.rwth-aachen.de/lics15/
LICS'15
2015
Kyoto, Japan
2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications
OOPSLA'15
http://2015.splashcon.org/track/oopsla
2015
Pittsburgh, PA, USA
15th Workshop on Hot Topics in Operating Systems
HotOS'15
https://www.usenix.org/conference/hotos15
2015
Kartause Ittingen, Switzerland
Oregon Programming Languages Summer School
OPLSS'15
https://www.cs.uoregon.edu/research/summerschool/summer15/
2015
Eugene, OR, USA
27th International Conference on Computer Aided Verification
CAV'15
http://i-cav.org/2015/
2015
San Francisco, CA, USA
20th ACM SIGPLAN International Conference on Functional Programming
ICFP'15
http://www.icfpconference.org/icfp2015/
2015
Vancouver, BC, Canada
IMDEA Software
http://software.imdea.org/
2015
MITx online course: Cybersecurity: Technology, Application and Policy
MITx online course: Cybersecurity: Technology, Application and Policy
https://mitprofessionalx.mit.edu/courses/course-v1:MITProfessionalX+CSx+2015_T1/about
2015
Cambridge, MA, USA
25th ACM Symposium on Operating Systems Principles
SOSP'15
http://www.ssrc.ucsc.edu/sosp15/
2015
Monterey, CA, USA
28th New England Programming Languages and Systems Symposium
NEPLS 28
http://www.nepls.org/Events/28/home.html
2015
Medford, MA, USA
5th International Conference on Certified Programs and Proofs
CPP'16
http://people.csail.mit.edu/adamc/cpp16/
2016
St. Petersburg, FL, USA
ACM SIGPLAN 2016 Workshop on Partial Evaluation and Program Manipulation
PEPM'16
http://conf.researchr.org/home/pepm-2016
2016
St. Petersburg, FL, USA
43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'16
http://popl16.sigplan.org/
2016
St. Petersburg, FL, USA
The Second International Workshop on Coq for PL
CoqPL'16
http://conf.researchr.org/home/CoqPL-2016
2016
St. Petersburg, FL, USA
37th IEEE Symposium on Security and Privacy
S&P'16
http://www.ieee-security.org/TC/SP2016/
2016
San Jose, CA, USA
28th International Conference on Computer Aided Verification
CAV'16
http://i-cav.org/2016/
2016
Toronto, ON, Canada
Interactive Theorem Proving - Seventh International Conference
ITP'16
http://itp2016.inria.fr/
2016
Nancy, France
21st ACM SIGPLAN International Conference on Functional Programming
ICFP'16
https://icfp16.sigplan.org/
2016
Nara, Japan
The Eighth Coq Workshop
Coq-8
http://coq.inria.fr/coq-workshop/2016
2016
Nancy, France
Mozilla San Francisco
Mozilla San Francisco
https://www.mozilla.org/
2016
San Francisco, CA, USA
Verified Trustworthy Software Systems (public meeting)
Verified Trustworthy Software Systems (public meeting)
https://royalsociety.org/events/2016/04/software-systems/
2016
London, UK
Verified Trustworthy Software Systems (specialist meeting)
Verified Trustworthy Software Systems (specialist meeting)
https://verificationinstitute.org/event/verified-trustworthy-software-systems-specialist-meeting/
2016
London, UK
30th New England Programming Languages and Systems Symposium
NEPLS 30
http://www.nepls.org/Events/30/home.html
2016
Boston, MA, USA
SPLASH-I
SPLASH-I'16
https://2016.splashcon.org/track/splash-2016-splash-i
2016
Amsterdam, Netherlands
APLAS
APLAS'16
http://soict.hust.edu.vn/~aplas2016/
2016
Hanoi, Vietnam
New Directions In Software Technology 2016
NDIST'16
https://ndist.kestrel.edu/events/NDIST16/
2016
St. John, U.S. Virgin Islands
44th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'17
https://popl17.sigplan.org/
2017
Paris, France
Workshop on Reasoning about Declarative Programs
RDP'17
http://conf.researchr.org/track/POPL-2017/RDP-2017
2017
Paris, France
The 2nd Summit oN Advances in Programming Languages
SNAPL'17
http://snapl.org/2017/
2017
Asilomar, CA, USA
ACM SIGPLAN 2017 Conference on Programming Language Design and Implementation
PLDI'17
https://pldi17.sigplan.org/
2017
Barcelona, Spain
Deep Specifications Summer School 2017
DSSS'17
https://deepspec.org/event/dsss17/
2017
Philadelphia, PA
30th IEEE Computer Security Foundations Symposium
CSF'17
http://csf2017.tecnico.ulisboa.pt/
2017
Santa Barbara, CA, USA
22nd ACM SIGPLAN International Conference on Functional Programming
ICFP'17
https://icfp17.sigplan.org/
2017
Oxford, UK
Interactive Theorem Proving - Eighth International Conference
ITP'17
http://itp2017.cic.unb.br/
2017
Brasília, Brazil
2017 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications
OOPSLA'17
http://2017.splashcon.org/track/splash-2017-OOPSLA
2017
Vancouver, BC, Canada
ACM SIGPLAN Conference on Systems, Programming, Languages and Applications: Software for Humanity
SPLASH'17
http://2017.splashcon.org/track/splash-2017-Workshops
2017
Vancouver, BC, Canada
26th ACM Symposium on Operating Systems Principles
SOSP'17
http://sigops.org/s/conferences/sosp/2017/
2017
Shanghai, China
7th RISC-V Workshop
7th RISC-V Workshop
https://riscv.org/2017/12/7th-risc-v-workshop-proceedings/
2017
Milpitas, CA, USA
Microsoft Research Redmond, RiSE group
Microsoft Research Remond, RiSE group
https://www.microsoft.com/en-us/research/group/research-in-software-engineering-rise/
2017
Redmond, WA, USA
34th Chaos Communication Congress
34th Chaos Communication Congress
https://events.ccc.de/congress/2017/
2017
Leipzig, Germany
45th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'18
https://popl18.sigplan.org/
2018
Los Angeles, CA, USA
ETH Zurich, Programming Methodology
ETH Zurich, Programming Methodology
http://www.pm.inf.ethz.ch/
2018
Zurich, Switzerland
Inria Paris, Gallium team
Inria Paris, Gallium team
http://gallium.inria.fr/seminar.html
2018
Paris, France
ENabling TRust through Os Proofs...and beYond 2018
ENTROPY 2018
https://entropy2018.sciencesconf.org/
2018
Lille, France
Web Programming, Design, Analysis, and Implementation track of The Web Conference 2018
WPDAI'18
https://www2018.thewebconf.org/call-for-papers/web-programming-cfp/
2018
Lyon, France
ACM SIGPLAN 2018 Conference on Programming Language Design and Implementation
PLDI'18
https://pldi18.sigplan.org/
2018
Philadelphia, PA, USA
Deep Specifications Workshop 2018
DeepSpec'18
https://deepspec.org/events/dsw18/
2018
Philadelphia, PA
Interactive Theorem Proving - Ninth International Conference
ITP'18
https://itp2018.inria.fr/
2018
Oxford, UK
33rd Annual ACM/IEEE Symposium on Logic in Computer Science
LICS'18
http://lics.siglog.org/lics18/
2018
Oxford, UK
2018 European Conference on Object-Oriented Programming
ECOOP'18
https://2018.ecoop.org/
2018
Amsterdam, Netherlands
Deep Specifications Summer School 2018
DSSS'18
https://deepspec.org/event/dsss18/
2018
Princeton, NJ
Microsoft Research Faculty Summit 2018
https://www.microsoft.com/en-us/research/event/faculty-summit-2018/
Microsoft Research Faculty Summit 2018
2018
Redmond, WA
32nd New England Programming Languages and Systems Symposium
NEPLS 32
http://www.nepls.org/Events/32/
2018
Cambridge, MA, USA
The 30th Symposium on Implementation and Application of Functional Languages
IFL'18
http://2018.iflconference.org/
2018
Lowell, MA, USA
Festschrift for Robert Harper
Festschrift for Robert Harper
http://www.cs.cmu.edu/~harperfest/
2018
Pittsburgh, PA, USA
23rd ACM SIGPLAN International Conference on Functional Programming
ICFP'18
https://icfp18.sigplan.org/
2018
Saint Louis, MO, USA
13th USENIX Symposium on Operating Systems Design and Implementation
OSDI'18
https://www.usenix.org/conference/osdi18/
2018
Carlsbad, CA, USA
SPLASH-I
SPLASH-I'18
http://2018.splashcon.org/track/splash-2018-splash-i
2018
Boston, MA, USA
Inaugural RISC-V Summit
RISC-V Summit
https://tmt.knect365.com/risc-v-summit/
2018
San Jose, CA, USA
46th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'19
https://popl19.sigplan.org/
2019
Cascais, Portugal
SiFive Technical Symposium, Boston
SiFive Technical Symposium, Boston
https://sifivetechsymposium.com/
2019
Burlington, MA, USA
Annual GOMACTech Conference 2019
GOMACTech'19
https://www.gomactech.net/2019/
2019
Albuquerque, NM, USA
Real World Cryptography 2019
RWC'19
https://rwc.iacr.org/2019/
2019
San Jose, CA, USA
IEEE Symposium on Security & Privacy 2019
S&P'19
http://www.ieee-security.org/TC/SP2019/
2019
San Francisco, CA, USA
25th International Conference on Types for Proofs and Programs
TYPES'19
https://cas.oslo.no/types2019/
2019
Oslo, Norway
Deep Specifications Workshop 2019
DeepSpec'19
https://pldi19.sigplan.org/home/deepspec-2019
2019
Phoenix, AZ
SIGARCH Visioning Workshop: Agile and Open Hardware for Next-Generation Computing
SIGARCH Visioning Workshop 2019
https://sites.google.com/view/agile-and-open-hardware/
2019
Phoenix, AZ
ACM SIGPLAN 2019 Conference on Programming Language Design and Implementation
PLDI'19
https://pldi19.sigplan.org/
2019
Phoenix, AZ, USA
31st International Conference on Computer Aided Verification
CAV'19
http://i-cav.org/2019/
2019
New York, NY, USA
24th ACM SIGPLAN International Conference on Functional Programming
ICFP'19
https://icfp19.sigplan.org/
2019
Berlin, Germany
27th ACM Symposium on Operating Systems Principles
SOSP'19
https://www.sigops.org/sosp/sosp19/
2019
Huntsville, Ontario, Canada
2019 RISC-V Summit
RISC-V Summit 2019
https://riscv.org/blog/2019/12/highlights-from-the-2019-risc-v-summit-a-look-at-the-future-of-computing/
2019
San Jose, CA, USA
9th International Conference on Certified Programs and Proofs
CPP'20
https://popl20.sigplan.org/home/CPP-2020
2020
New Orleans, LA, USA
ACM SIGPLAN 2020 Conference on Programming Language Design and Implementation
PLDI'20
https://pldi20.sigplan.org/
2020
London, England
9th International Joint Conference on Automated Reasoning
IJCAR'20
https://ijcar2020.org/
2020
Paris, France
25th ACM SIGPLAN International Conference on Functional Programming
ICFP'20
https://icfp20.sigplan.org/
2020
Jersey City, NJ, USA
15th International Symposium on Functional and Logic Programming
FLOPS'20
https://www.ipl.riec.tohoku.ac.jp/FLOPS2020/
2020
Akita, Japan
48th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'21
https://popl21.sigplan.org/
2021
Copenhagen, Denmark
The Seventh International Workshop on Coq for Programming Languages
CoqPL'21
https://popl21.sigplan.org/home/CoqPL-2021
2021
virtual
2021 Lambda Days
Lambda Days'21
https://www.lambdadays.org/lambdadays2021
2021
26th International Conference on Architectural Support for Programming Languages and Operating Systems
ASPLOS'21
https://asplos-conference.org/2021/
2021
virtual
Verified software: from theory to practice (a workshop of the Isaac Newton Institute)
Verified software: from theory to practice (a workshop of the Isaac Newton Institute)
https://www.newton.ac.uk/event/vsow03
2021
42nd ACM SIGPLAN Conference on Programming Language Design and Implementation
PLDI'21
https://pldi21.sigplan.org/
2021
Quebec City, QC, Canada
Interactive Theorem Proving - Twelfth International Conference
ITP'21
http://easyconferences.eu/itp2021/
2021
Rome, Italy
15th USENIX Symposium on Operating Systems Design and Implementation
OSDI'21
https://www.usenix.org/conference/osdi21/
2021
Santa Clara, CA, USA
26th ACM SIGPLAN International Conference on Functional Programming
ICFP'21
https://icfp21.sigplan.org/
2021
Virtual
NUS Computer Science Research Week
NUS Computer Science Research Week
https://researchweek.comp.nus.edu.sg/
2022
49th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'22
https://popl22.sigplan.org/
2022
Philadelphia, PA, USA
High Confidence Software and Systems Conference 2022
HCSS'22
https://cps-vo.org/group/hcss_conference
2022
Virtual
43rd ACM SIGPLAN Conference on Programming Language Design and Implementation
PLDI'22
https://pldi22.sigplan.org/
2022
San Diego, CA, USA
Oregon Programming Languages Summer School
OPLSS'22
https://www.cs.uoregon.edu/research/summerschool/summer22/
2022
Eugene, OR, USA
Isaac Newton Institute Verified Software Workshop
VSO'22
https://www.newton.ac.uk/event/vso2/
2022
Cambridge, England
34th International Conference on Computer-Aided Verification
CAV'22
http://i-cav.org/2022/
2022
Haifa, Israel
35th IEEE Computer Security Foundations Symposium
CSF'22
https://www.ieee-security.org/TC/CSF2022/
2022
Haifa, Israel
Interactive Theorem Proving - Thirteenth International Conference
ITP'22
https://itpconference.github.io/ITP22/
2022
Haifa, Israel
33rd New England Programming Languages and Systems Symposium
NEPLS 33
http://www.nepls.org/Events/33/home.html
2022
Boston, MA, USA
2022 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications
OOPSLA'22
http://2022.splashcon.org/track/splash-2022-oopsla
2022
Auckland, New Zealand
ACM SIGPLAN 2023 Workshop on Partial Evaluation and Program Manipulation
PEPM'23
https://popl23.sigplan.org/home/PEPM-2023
2023
Boston, MA, USA
The Ninth International Workshop on Coq for Programming Languages
CoqPL'23
https://popl23.sigplan.org/home/CoqPL-2023
2023
Boston, MA, USA
Real World Cryptography 2023
RWC'23
https://rwc.iacr.org/2023/
2023
Tokyo, Japan
44th ACM SIGPLAN Conference on Programming Language Design and Implementation
PLDI'23
https://pldi23.sigplan.org/
2023
Orlando, FL, USA
28th International Conference on Architectural Support for Programming Languages and Operating Systems
ASPLOS'23
https://asplos-conference.org/
2023
TBD
28th ACM SIGPLAN International Conference on Functional Programming
ICFP'23
https://icfp23.sigplan.org/
2023
Seattle, WA, USA
The Tenth International Workshop on Coq for Programming Languages
CoqPL'24
https://popl24.sigplan.org/home/CoqPL-2024
2024
London, England
Dafny 2024
Dafny'24
https://popl24.sigplan.org/home/dafny-2024
2024
London, England
51st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'24
https://popl24.sigplan.org/
2024
London, England
National Academies Workshop: AI to Assist Mathematical Reasoning
AIMR'24
https://www.nationalacademies.org/our-work/ai-to-assist-mathematical-reasoning-a-workshop
2024
45th ACM SIGPLAN Conference on Programming Language Design and Implementation
PLDI'24
https://pldi24.sigplan.org/
2024
Copenhagen, Denmark
First NIST Workshop on Formal Methods within Certification Programs
FMCP'24
https://www.nist.gov/news-events/events/nist-workshop-formal-methods-within-certification-programs-fmcp-2024
2024
Rockville, MD, USA
37th IEEE Computer Security Foundations Symposium
CSF'24
https://csf2024.ieee-security.org/
2024
Enschede, The Netherlands
Interactive Theorem Proving - Fifteenth International Conference
ITP'24
https://www.viam.science.tsu.ge/itp2024/
2024
Tbilisi, Georgia
2024 ACM SIGSAC Conference on Computer and Communications Security
CCS'24
https://www.sigsac.org/ccs/CCS2024/
2024
Salt Lake City, UT, USA
52nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
POPL'25
https://popl25.sigplan.org/
2021
Denver, CO, USA
IFIP Working Group on Functional Programming
http://www.cs.ox.ac.uk/ralf.hinze/WG2.8/
WG 2.8
IFIP Working Group on Language Design
https://languagedesign.org/
WG 2.16
DARPA Information Science and Technology study group
https://www.darpa.mil/about-us/offices/i2o
ISAT
International Conference on Certified Programs and Proofs
https://popl21.sigplan.org/home/CPP-2021#The-CPP-Series
CPP
International Conference on Functional Programming
https://www.icfpconference.org/structure.html
ICFP
National Science Foundation panelist
NSF
https://nsf.gov/dir/index.jsp?org=cise
Communications of the ACM
CACM
http://cacm.acm.org/
Journal of the ACM
JACM
http://jacm.acm.org/
Journal of Functional Programming
JFP
http://journals.cambridge.org/jid_JFP
Journal of Formalized Reasoning
JFR
http://jfr.unibo.it/
ACM Transactions on Programming Languages and Systems
TOPLAS
http://www.cs.utexas.edu/toplas/
IEEE Embedded Systems Letters
ESL
http://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=4563995
Journal of Automated Reasoning
JAR
http://www.springerlink.com/content/100280/
Information Processing Letters
IPL
http://www.elsevier.com/locate/ipl
Higher-Order and Symbolic Computation
HOSC
http://www.springer.com/computer/theoretical+computer+science/journal/10990
Philosophical Transactions of the Royal Society A
PTA
http://rsta.royalsocietypublishing.org/
Science of Computer Programming
SCP
http://www.journals.elsevier.com/science-of-computer-programming/
Fundamenta Informaticae
FI
http://fi.mimuw.edu.pl/
Certified Programming with Dependent Types
http://adam.chlipala.net/cpdt/
MIT Press, 2013. Available online under a Creative Commons license.
Omnisemantics: Smoother Handling of Nondeterminism
Extended treatment of a new style of operational semantics that was applied in the work from our PLDI'21 paper
This paper gives an in-depth presentation of the omni-big-step and omni-small-step styles of semantic judgments. These styles describe operational semantics by relating starting states to sets of outcomes rather than to individual outcomes. A single derivation of these continuation-passing-style semantics for a particular starting state and program describes all possible nondeterministic executions (hence the name *omni*), whereas in traditional small-step and big-step semantics, each derivation only talks about one single execution. This restructuring allows for straightforward modeling of both nondeterminism and undefined behavior as commonly encountered in sequential functional and imperative programs. Specifically, omnisemantics inherently assert *safety*, i.e. they guarantee that none of the execution branches gets stuck, while traditional semantics need either a separate judgment or additional error markers to specify safety in the presence of nondeterminism.
Omnisemantics can be understood as an inductively defined weakest-precondition semantics (or more generally, predicate-transformer semantics) that does not involve invariants for loops and recursion but instead uses unrolling rules like in traditional small-step and big-step semantics. Omnisemantics were previously described in association with several projects, but we believe the technique has been underappreciated and deserves a well-motivated, extensive, and pedagogical presentation of its benefits. We also explore several novel aspects associated with these semantics, in particular their use in type-safety proofs for lambda calculi, partial-correctness reasoning, and forward proofs of compiler correctness for terminating but potentially nondeterministic programs being compiled to nondeterministic target languages. All results in this paper are formalized in Coq.
Mostly Automated Formal Verification of Loop Dependencies with Applications to Distributed Stencil Algorithms
Extended version of our ITP'16 paper
The class of *stencil* programs involves repeatedly updating elements of arrays according to fixed patterns, referred to as stencils. Stencil problems are ubiquitous in scientific computing and are used as an ingredient to solve more involved problems. Their high regularity allows massive parallelization. Two important challenges in designing such algorithms are cache efficiency and minimizing the number of communication steps between nodes. In this paper, we introduce a mathematical framework for a crucial aspect of formal verification of both sequential and distributed stencil algorithms, and we describe its Coq implementation. We present a domain-specific embedded programming language with support for automating the most tedious steps of proofs that nested loops respect dependencies, applicable to sequential and distributed examples. Finally, we evaluate the robustness of our library by proving the dependency-correctness of some real-world stencil algorithms, including a state-of-the-art cache-oblivious sequential algorithm, as well as two optimized distributed kernels.
Source code
http://www.springer.com/-/3/AWGg8n_juCj1iLTSijwC
The Science of Deep Specification
Overview of and case for the DeepSpec project
We introduce our efforts within the project "The Science of Deep Specification" to work out the key formal underpinnings of industrial-scale formal specifications of software and hardware components, anticipating a world where large verified systems are routinely built out of smaller verified components that are also used by many other projects. We identify an important class of specification that has already been used in a few experiments that connect strong component-correctness theorems across the work of different teams. To help popularize the unique advantages of that style, we dub it *deep specification*, and we say that it encompasses specifications that are *rich*, *two-sided*, *formal*, and *live* (terms that we define in the article). Our core team is developing a proof-of-concept system (based on the Coq proof assistant) whose specification and verification work is divided across largely decoupled subteams at our four institutions, encompassing hardware microarchitecture, compilers, operating systems, and applications, along with cross-cutting principles and tools for effective specification. We also aim to catalyze interest in the approach, not just by basic researchers but also by users in industry.
Project web site
http://rsta.royalsocietypublishing.org/cgi/content/abstract/rsta.2016.0331
Research Highlight: Certifying a File System using Crash Hoare Logic: Correctness in the Presence of Crashes
A file system implemented and verified in Coq, using separation logic, connected to Linux and providing respectable performance
FSCQ is the first file system with a machine-checkable proof that its implementation meets a specification, even in the presence of fail-stop crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover its state correctly without losing data.
To state FSCQ's theorems, this paper introduces the Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels. CHL also reduces the proof effort for developers through proof automation. Using CHL, we developed, specified, and proved the correctness of the FSCQ file system. Although FSCQ's design is relatively simple, experiments with FSCQ as a user-level file system show that it is sufficient to run Unix applications with usable performance. FSCQ's specifications and proofs required significantly more work than the implementation, but the work was manageable even for a small team of a few researchers.
http://cacm.acm.org/magazines/2017/4/215044-certifying-a-file-system-using-crash-hoare-logic/abstract
Research Highlight: Ur/Web: A Simple Model for Programming the Web
Introducing the Ur/Web programming language
The World Wide Web has evolved gradually from a document delivery platform to an architecture for distributed programming. This largely unplanned evolution is apparent in the set of interconnected languages and protocols that any Web application must manage. This paper presents Ur/Web, a domain-specific, statically typed functional programming language with a much simpler model for programming modern Web applications. Ur/Web's model is *unified*, where programs in a single programming language are compiled to other "Web standards" languages as needed; supports novel kinds of *encapsulation* of Web-specific state; and exposes *simple concurrency*, where programmers can reason about distributed, multithreaded applications via a mix of transactions and cooperative preemption. We give a tutorial introduction to the main features of Ur/Web.
Project web site
[Condensed version of POPL'15 paper, also including some tweaks to be accessible to a broader audience]
http://cacm.acm.org/magazines/2016/8/205041-ur-web/abstract
An Introduction to Programming and Proving with Dependent Types in Coq
Excerpts from CPDT
Excerpts from CPDT
Computer proof assistants vary along many dimensions. Among the mature implementations, the Coq system is distinguished by two key features. First, we have support for programming with dependent types in the tradition of type theory, based on dependent function types and inductive type families. Second, we have a domain-specific language for coding correct-by-construction proof automation. Though the Coq user community has grown quite large, neither of the aspects I highlight is widely used. In this tutorial, I aim to provide a pragmatic introduction to both, showing how they can bring significant improvements in productivity.
Modular Development of Certified Program Verifiers with a Proof Assistant
Extended version of my ICFP'06 paper
Extended version of my ICFP'06 paper
I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checked proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of the development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.
Specification and Verification of Strong Timing Isolation of Hardware Enclaves
How to verify formally that an enclave-style hardware architecture fully isolates running threads from each other, e.g. considering timing side channels
The process isolation enforceable by commodity hardware and operating systems is too weak to protect secrets from malicious code running on the same machine: Spectre-era attacks exploit timing side channels derived from contention on shared microarchitectural resources to extract secrets. With appropriate hardware support, however, we can construct *isolated enclaves* and safeguard independent processes from interference through timing side channels, a necessary step towards integrity and confidentiality guarantees.
In this paper, we describe our work on formally specifying and verifying that a synthesizable hardware architecture implements *strong timing isolation* for enclaves. We reason about the cycle-accurate semantics of circuits with respect to a trustworthy formulation of strong isolation based on "air-gapped machines" and develop a modular proof strategy that sidesteps the need to prove functionalf correctness of processors. We apply our method on a synthesizable, multicore, pipelined RISC-V design formalized in Coq.
Verifying Software Emulation of an Unsupported Hardware Instruction
Proving the right correctness relationship between two RISC-V implementation techniques: multiplication via a hardware instruction or via trapping to a software routine
Some processors, especially embedded ones, do not implement all instructions in hardware. Instead, if the processor encounters an unimplemented instruction, an unsupported-instruction exception is raised, and an exception handler is run which implements the missing instruction in software. Getting such a system to work correctly is tricky: The exception handler code must not destroy any state of the user program and must use the control and status registers (CSRs) of the processor correctly. Moreover, parts of the handler are typically implemented in assembly, while other parts are implemented in a language like C, and one must make sure that when jumping from the user program into the handler assembly, from the handler assembly into C, back to assembly and finally back to the user program, all the assumptions made by the different pieces of code, hardware, and the compiler are satisfied.
Despite all these tricky details, there is a concise and intuitive way of stating the correctness of such a system: User programs running on a system where some instructions are implemented in software behave the same as if they were running on a system where all instructions are implemented in hardware.
We formalize and prove such a statement in the Coq proof assistant, for the case of a simple exception handler implementing the multiplication instruction on a RISC-V processor.
GitHub repository
Probability from Possibility: Probabilistic Confidentiality for Storage Systems Under Nondeterminism
Security verification of file systems that takes probabilistic failures into account
Nondeterminism, such as system crashes, poses an important challenge to the security of storage systems by making leakages possible through secret-dependent result probabilities. This paper proposes a new possibilistic confidentiality specification prohibiting such probabilistic leakages. Our specification is preserved under simulation to enable modularity and is sequentially compositional. We implemented our specification in a framework that contains structures to implement storage systems and prove their confidentiality in a modular fashion. On top of our framework, we implemented the first crash-safe file system with a termination-insensitive version of our specification and machine-checkable confidentiality proofs. Our evaluation shows that proving confidentiality incurs 9.2x proof overhead per line of implementation code. Both our framework and file system are implemented in Coq and extracted to Haskell to obtain an executable artifact.
Foundational Integration Verification of a Cryptographic Server
An integrated Coq proof of a cryptographic server, as one machine-code image that runs on bare metal, built up from quite different programming languages and verification approaches
Some important dimensions of a formal verification might be called its *stack height*, or how many layers of a system are proved as a whole; *tool diversity*, or heterogeneity of tools used to verify different parts of a system; and *foundationalness*, or minimality of the tool-implementation code that must be trusted to believe verification results. This paper presents our verification case study that is, to our knowledge, the first to reach our level of tool diversity while covering all software installed in a demonstration computer system and roughly maxing out foundationalness within a proof assistant. That is, our unified proof is checked by Coq, and its statement depends on neither syntax nor semantics for any programming language but machine language, nor do we leave any compiler or verification tool as trusted, beyond Coq's kernel proof checker. Our case study is a simple cryptographic server for flipping of a bit of state through authenticated network messages, adopting code conventions of embedded systems, like static bounds on memory usage. We believe it is the first formal verification covering a full software stack that models both network input and output. Perhaps most distinctive is that we have chosen quite different programming languages and verification tools for different parts of the software stack (e.g., some libraries are proved as functional programs with equational reasoning, and others are proved as C-like programs or even machine code with separation logic), yet all of the correctness theorems for libraries and layers are integrated into one foundational result. We developed a unified specification style that is able to support that diversity well, and we experienced widely varying productivity with the different verification styles we employed, some of which we recommend for future work and some of which we do not.
GitHub repositories: fiat-crypto and bedrock2
A Verified Compiler for a Functional Tensor Language
Pushing the Coq-verified compilation guarantees even lower (to a C subset), within our ATL tensor-programming project
Producing efficient array code is crucial in high-performance domains like image processing and machine learning. This goal depends on an ability to control factors like compute intensity and locality by reordering computations into different stages and granularities with respect to where they are stored. However, traditional pure, functional tensor languages struggle to do so. In a previous publication, the ATL language was introduced as a pure, functional tensor language capable of systematically decoupling compute and storage order via a set of high-level combinators known as reshape operators. Reshape operators are a unique functional-programming construct since they manipulate storage location in the generated code by modifying the indices that appear on the left-hand sides of storage expressions. We present a formal correctness proof for an implementation of the compilation algorithm, marking the first verification of a lowering algorithm from a functional language that enables separate control of compute and storage ordering. One of the core difficulties of this proof required properly formulating the complex invariants to ensure that these storage-index remappings were well-formed. Notably, this revealed a *soundness bug* in the original published compilation algorithm regarding the truncation reshape operator. Our fix is a new type system that captures safety conditions that were previously implicit and enables us to prove compiler correctness for well-typed source programs. We evaluate this type system and compiler implementation on a range of common programs and optimizations, including but not limited to those previously studied, which demonstrated performance comparable to established compilers like Halide.
GitHub repository
Live Verification in an Interactive Proof Assistant
Could Coq be an even more pleasant C-programming IDE than the big names, if we work the right magic with notations and tactics?
We present a prototype for a tool that enables programmers to verify their code as they write it in real-time. After each line of code that the programmer writes, the tool tells the programmer what it can prove about the program so far and indicates potential oversights or potentially violated assumptions. Once the programmer has finished writing the program, it is already verified with a mathematical correctness proof. Other tools providing real-time feedback already exist, but ours is the first one that only relies on a small trusted proof checker and that provides a concise summary of all the facts that are provable at the point in the program currently being edited, as opposed to only indicating whether user-stated assertions or postconditions hold.
Program verification requires loop invariants, which are hard to find and tedious to spell out. We explore a middle ground in the design space between the two extremes of requiring users to spell out loop invariants manually and attempting to infer loop invariants automatically: Based on the observation that a loop invariant often looks quite similar to the symbolic state right before the loop, our tool asks users to express the desired loop invariant as a diff from the symbolic state before the loop, which has the potential to lead to less verbose and more maintainable proofs.
We prototyped our technique in the interactive proof assistant Coq, so our framework creates machine-checked proofs that the developed functions satisfy their specifications when executed according to the formal semantics of the source language. Using a verified compiler proven against the same source-language semantics, we can ensure that the behavior of the compiled program matches the program's behavior as represented by the framework during the proof. Additionally, since our polyglot source files can be viewed as Coq or C files at the same time, users willing to accept a bigger trusted code base can compile them with GCC.
GitHub repository
Flexible Instruction-Set Semantics via Abstract Monads (Experience Report)
Our lightweight but flexible approach to mechanized semantics of hardware instruction sets
Instruction sets, from families like x86 and ARM, are at the center of many ambitious formal-methods projects. Many verification, synthesis, programming, and debugging tools rely on formal semantics of instruction sets, but different tools can use semantics in rather different ways. The best-known work applying single semantics across diverse tools relies on domain-specific languages like Sail, where the language and its translation tools are specialized to the realm of instruction sets. In the context of the open RISC-V instruction-set family, we decided to explore a different approach, with semantics written in a carefully chosen subset of Haskell. This style does not depend on any new language translators, relying instead on parameterization of semantics over type-class instances. Our case study is for the open RISC-V instruction-set family, and we have used a single core semantics to support testing, interactive proof, and model checking of both software and hardware, demonstrating that this functional-programming feature can support pleasant prototyping of ISA semantics.
GitHub repositories: Haskell baseline and related Coq code
CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives
Distinguished Paper Award
Genetic program search meets translation validation for Fiat Cryptography, improving performance and shrinking the trusted base even while bringing in more avant-garde compiler techniques
Most software domains rely on compilers to translate high-level code to multiple different machine languages, with performance not too much worse than what developers would have the patience to write directly in assembly language. However, cryptography has been an exception, where many performance-critical routines have been written directly in assembly (sometimes through metaprogramming layers). Some past work has shown how to do formal verification of that assembly, and other work has shown how to generate C code automatically along with formal proof, but with consequent performance penalties vs. the best-known assembly. We present Cryptopt, the first compilation pipeline that specializes high-level cryptographic functional programs into assembly code significantly faster than what GCC or Clang produce, with mechanized proof (in Coq) whose final theorem statement mentions little beyond the input functional program and the operational semantics of x86-64 assembly. On the optimization side, we apply randomized search through the space of assembly programs, with repeated automatic benchmarking on target CPUs. On the formal-verification side, we connect to the Fiat Cryptography framework (which translates functional programs into C-like IR code) and extend it with a new formally verified program-equivalence checker, incorporating a modest subset of known features of SMT solvers and symbolic-execution engines. The overall prototype is quite practical, e.g. producing new fastest-known implementations for the relatively new Intel i9 12G, of finite-field arithmetic for both Curve25519 (part of the TLS standard) and the Bitcoin elliptic curve secp256k1.
Code: CryptOpt, fiat-crypto
C4: Verified Transactional Objects
Modular proofs of concurrent libraries, mixing classic lock-free data structures and transactional memory, in the style of interaction trees
Transactional objects combine the performance of classical concurrent objects with the high-level programmability of transactional memory. But verifying the correctness of transactional objects is tricky, requiring reasoning simultaneously about classical concurrent objects, which guarantee the atomicity of individual methods -- the property known as linearizability -- and about software-transactional-memory libraries, which guarantee the atomicity of user-defined sequences of method calls -- or serializability.
We present a formal verification framework, built up from the familiar notion of linearizability and its compositional properties, that allows proof of both kinds of libraries, along with composition of theorems from both styles to prove correctness of applications or further libraries. We apply the framework in a significant case study, verifying a transactional set object built out of both classical and transactional components following the technique of transactional predication; the proof is modular, reasoning separately about the transactional and non-transactional parts of the implementation. Central to our approach is the use of syntactic transformers on interaction trees -- e.g., transactional libraries that transform client code to enforce a particular synchronization discipline. Our framework and case studies are mechanized in Coq.
Hemiola: A DSL and Verification Tools to Guide Design and Proof of Hierarchical Cache-Coherence Protocols
Taking all the fine-grained concurrency reasoning out of design and proof of cache-coherence protocols, via a DSL proved sound with commutativity analysis
Cache-coherence protocols have been one of the greatest challenges in formal verification of hardware, due to their central complication of executing multiple memory-access transactions concurrently within a distributed message-passing system. In this paper, we introduce Hemiola, a framework embedded in Coq that guides the user to design protocols that never experience inconsistent interleavings while handling transactions concurrently. The framework provides a DSL, where any protocol designed in the DSL always satisfies the serializability property, allowing a user to verify the protocol assuming that transactions are executed one-at-a-time. Hemiola also provides a novel invariant proof method, for protocols designed in Hemiola, that only requires considering execution histories without interleaved memory accesses. We used Hemiola to design and prove hierarchical MSI and MESI protocols as case studies. We also demonstrated that the case-study protocols are hardware-synthesizable, by using a compilation/synthesis toolchain targeting FPGAs.
GitHub repository
Adversary Safety by Construction in a Language of Cryptographic Protocols
Lincoln Laboratory Best Paper Award
Mechanized cryptographic protocols that are guaranteed to resist adversary interference, in much the same way that traditional type systems resist memory errors
Compared to ordinary concurrent and distributed systems, cryptographic protocols are distinguished by the need to reason about interference by adversaries. We suggest a new layered approach to tame that complexity, via an executable protocol language whose semantics does not reveal an adversary directly, instead enforcing a set of intuitive hygiene rules. By virtue of those rules, protocols written in this language provably behave identically with or without interference by active Dolev-Yao-style adversaries. As a result, formal reasoning about protocols can be simplified enough that even naive model checking can establish correctness of a multiparty protocol, through analysis of a state space with no adversary.
We present the design and implementation of SPICY, short for Secure Protocols Implemented CorrectlY, including the semantics of its input languages; the essential safety proofs, formalized in the Coq theorem prover; and the automation techniques. We provide a preliminary evaluation of the tool's performance and capabilities via a handful of case studies.
GitHub repository
Accelerating Verified-Compiler Development with a Verified Rewriting Engine
Generating formally verified compilers modularly via Coq-proved rewrite rules, applied to make Fiat Cryptography a lot faster
Compilers are a prime target for formal verification, since compiler bugs invalidate higher-level correctness guarantees, but compiler changes may become more labor-intensive to implement, if they must come with proof patches. One appealing approach is to present compilers as sets of algebraic rewrite rules, which a generic engine can apply efficiently. Now each rewrite rule can be proved separately, with no need to revisit past proofs for other parts of the compiler. We present the first realization of this idea, in the form of a framework for the Coq proof assistant. Our new Coq command takes normal proved theorems and combines them automatically into fast compilers with proofs. We applied our framework to improve the Fiat Cryptography toolchain for generating cryptographic arithmetic, producing an extracted command-line compiler that is about 1000X faster while actually featuring simpler compiler-specific proofs.
GitHub repository
Automatic Test-Case Reduction in Proof Assistants: A Case Study in Coq
Understanding regressions in Coq itself with automatic reduction of test cases
As the adoption of proof assistants increases, there is a need for efficiency in identifying, documenting, and fixing compatibility issues that arise from proof assistant evolution. We present the Coq Bug Minimizer, a tool for *reproducing buggy behavior* with *minimal* and *standalone* files, integrated with coqbot to trigger *automatically* on Coq reverse CI failures. Our tool eliminates the overhead of having to download, set up, compile, and then explore and understand large developments: enabling Coq developers to easily obtain modular test-case files for fast experimentation. In this paper, we describe insights about how test-case reduction is different in Coq than in traditional compilers.We expect that our insights will generalize to other proof assistants. We evaluate the Coq Bug Minimizer on over 150 CI failures. Our tool succeeds in reducing failures to smaller test cases in roughly 75% of the time. The minimizer produces a fully standalone test case 89% of the time, and it is on average about one-third the size of the original test. The average reduced test case compiles in 1.25 seconds, with 75% taking under half a second.
GitHub repository
Relational Compilation for Performance-Critical Applications
Round two of using Coq to compile functional programs to imperative programs with proof, using proof-generating extensions for flexibility
There are typically two ways to compile and run a purely functional program verified using an interactive theorem prover (ITP): automatically extracting it to a similar language (typically an unverified process, like Coq to OCaml) or manually proving it equivalent to a lower-level reimplementation (like a C program). Traditionally, only the latter produced both excellent performance and end-to-end proofs.
This paper shows how to recast program extraction as a proof-search problem to automatically derive correct-by-construction, high-performance code from purely functional programs.
We call this idea *relational compilation* -- it extends recent developments with novel solutions to loop-invariant inference and genericity in kinds of side effects.
Crucially, relational compilers are incomplete, and unlike traditional compilers, they generate good code not because of a fixed set of clever built-in optimizations but because they allow experts to plug in domain-specific extensions that give them complete control over the compiler's output.
We demonstrate the benefits of this approach with Rupicola, a new compiler-construction toolkit designed to extract fast, verified, idiomatic low-level code from annotated functional models. Using case studies and performance benchmarks, we show that it is extensible with minimal effort and that it achieves performance on par with that of handwritten C programs.
GitHub repository
Verified Tensor-Program Optimization Via High-level Scheduling Rewrites
Deriving correct imperative loop programs from functional programs with Coq proof, in a style inspired by Halide
We present a lightweight Coq framework for optimizing tensor kernels written in a pure, functional array language. Optimizations rely on user scheduling using series of verified, semantics-preserving rewrites. Unusually for compilation targeting imperative code with arrays and nested loops, all rewrites are source-to-source within a purely functional language. Our language comprises a set of core constructs for expressing high-level computation detail and a set of what we call reshape operators, which can be derived from core constructs but trigger low-level decisions about storage patterns and ordering. We demonstrate that not only is this system capable of deriving the optimizations of existing state-of-the-art languages like Halide and generating comparably performant code, it is also able to schedule a family of useful program transformations beyond what is reachable in Halide.
GitHub repository
Certifying Derivation of State Machines from Coroutines
Using Coq to derive correct first-order implementations of network protocols from higher-order descriptions, applied to TLS 1.3
One of the biggest implementation challenges in security-critical network protocols is nested state machines. In practice today, state machines are either implemented manually at a low level, risking bugs easily missed in audits; or are written using higher-level abstractions like threads, depending on runtime systems that may sacrifice performance or compatibility with the ABIs of important platforms (e.g., resource-constrained IoT systems). We present a compiler-based technique allowing the best of both worlds, coding protocols in a natural high-level form, using freer monads to represent nested coroutines, then compiled automatically to lower-level code with explicit state. In fact, our compiler is implemented as a tactic in the Coq proof assistant, structuring compilation as search for an equivalence proof for source and target programs. As such, it is straightforwardly (and soundly) extensible with new hints, for instance regarding new data structures that may be used to index coroutines. As a case study, we implemented a core of TLS sufficient for use with popular Web browsers, and our experiments show that the extracted Haskell code achieves reasonable performance.
GitHub repository
Skipping the Binder Bureaucracy with Mixed Embeddings in a Semantics Course (Functional Pearl)
Overview of a key design principle in FRAP courses: *mixed embeddings* for concise but flexible syntax definitions for embedded languages
Rigorous reasoning about programs calls for some amount of bureaucracy in managing details like variable binding, but, in guiding students through big ideas in semantics, we might hope to minimize the overhead. We describe our experiment introducing a range of such ideas, using the Coq proof assistant, without any explicit representation of variables, instead using a higher-order syntax encoding that we dub "mixed embedding": it is neither the fully explicit syntax of deep embeddings nor the syntax-free programming of shallow embeddings. Marquee examples include different takes on concurrency reasoning, including in the traditions of model checking (partial-order reduction), program logics (concurrent separation logic), and type checking (session types) -- all presented without any side conditions on variables.
Book home page
Integration Verification Across Software and Hardware for a Simple Embedded System
An end-to-end, software+hardware Coq proof for an Internet-connected lightbulb
The interfaces between layers of a system are susceptible to bugs if developers of adjacent layers proceed under subtly different assumptions. Formal verification of two layers against the same formal model of the interface between them can be used to shake out these bugs. Doing so for every interface in the system can, in principle, yield unparalleled assurance of the correctness and security of the system as a whole. However, there have been remarkably few efforts that carry out this exercise, and all of them have simplified the task by restricting interactivity of the application, inventing new simplified instruction sets, and using unrealistic input and output mechanisms. We report on the first verification of a realistic embedded system, with its application software, device drivers, compiler, and RISC-V processor represented inside the Coq proof assistant as one mathematical object, with a machine-checked proof of functional correctness. A key challenge is structuring the proof modularly, so that further refinement of the components or expansion of the system can proceed without revisiting the rest of the system.
GitHub repository
Effective Simulation and Debugging for a High-Level Hardware Language Using Software Compilers
Bootstrapping on software-development tools to create a good experience simulating, debugging, and profiling hardware designs in Bluespec-like languages, taking advantage of high-level properties of source files
Rule-based hardware design languages (RHDLs) promise to enhance developer productivity by offering convenient abstractions. Advanced compiler technology keeps the cost of these abstractions low, generating circuits with excellent area and timing properties.
Unfortunately, comparatively little effort has been spent on building simulators and debuggers for these languages, so users often simulate and debug their designs at the RTL level. This is problematic because generated circuits typically suffer from poor readability, as compiler optimizations can break high-level abstractions. Worse, optimizations that operate under the assumption that concurrency is essentially free yield faster circuits but often actively hurt simulation performance on platforms with limited concurrency, like desktop computers or servers.
This paper demonstrates the benefits of completely separating the simulation and synthesis pipelines. We propose a new approach, yielding the first compiler designed for effective simulation and debugging of a language in the Bluespec family. We generate cycle-accurate C++ models that are readable, compatible with a wide range of traditional software-debugging tools, and fast (often 2 to 3x faster than circuit-level simulation). We achieve these results by optimizing for sequential performance and using static analysis to minimize redundant work. The result is a vastly-improved hardware-design experience, which we demonstrate on embedded processor designs and DSP building blocks using performance benchmarks and debugging case studies.
GitHub repository
Extensible Extraction of Efficient Imperative Programs with Foreign Functions, Manually Managed Memory, and Proofs
The last link in a pipeline for automatic compilation, with proofs, from relational specifications to Bedrock assembly programs
We present an original approach to sound program extraction in a proof assistant, using syntax-driven automation to derive correct-by-construction imperative programs from nondeterministic functional source code. Our approach does not require committing to a single inflexible compilation strategy and instead makes it straightforward to create domain-specific code translators. In addition to a small set of core definitions, our framework is a large, user-extensible collection of compilation rules each phrased to handle specific language constructs, code patterns, or data manipulations. By mixing and matching these pieces of logic, users can easily tailor extraction to their own domains and programs, getting maximum performance and ensuring correctness of the resulting assembly code.
Using this approach, we complete the first proof-generating pipeline that goes automatically from high-level specifications to assembly code. In our main case study, the original specifications are phrased to resemble SQL-style queries, while the final assembly code does manual memory management, calls out to foreign data structures and functions, and is suitable to deploy on resource-constrained platforms. The pipeline runs entirely within the Coq proof assistant, leading to final, linked assembly code with overall full-functional-correctness proofs in separation logic.
GitHub repository
The Essence of Bluespec: A Core Language for Rule-Based Hardware Design
A new hardware-description language that combines Bluespec's modular-decomposition style with fine-grained control of timing; includes Coq embedding with a verified compiler to circuits
The Bluespec hardware-description language presents a significantly higher-level view than hardware engineers are used to, exposing a simpler concurrency model that promotes formal proof, without compromising on performance of compiled circuits. Unfortunately, the cost model of Bluespec has been unclear, with performance details depending on a mix of user hints and opaque static analysis of potential concurrency conflicts within a design. In this paper we present Kôika, a derivative of Bluespec that preserves its desirable properties and yet gives direct control over the *scheduling* decisions that determine performance. Kôika has a novel and deterministic operational semantics that uses dynamic analysis to avoid concurrency anomalies. Our implementation includes Coq definitions of syntax, semantics, key metatheorems, and a verified compiler to circuits. We argue that most of the extra circuitry required for dynamic analysis can be eliminated by compile-time BSV-style static analysis.
GitHub repository
Narcissus: Correct-By-Construction Derivation of Decoders and Encoders from Binary Formats
Using Coq to derive efficient binary-format parsers from declarative specifications, automatically
It is a neat result from functional programming that libraries of *parser combinators* can support rapid construction of decoders for quite a range of formats. With a little more work, the same combinator program can denote both a decoder and an encoder. Unfortunately, the real world is full of gnarly formats, as with the packet formats that make up the standard Internet protocol stack. Most past parser-combinator approaches cannot handle these formats, and the few exceptions require redundancy -- one part of the natural grammar needs to be hand-translated into hints in multiple parts of a parser program. We show how to recover very natural and nonredundant format specifications, covering all popular network packet formats and generating both decoders and encoders automatically. The catch is that we use the Coq proof assistant to derive both kinds of artifacts using tactics, automatically, in a way that guarantees that they form inverses of each other. We used our approach to reimplement packet processing for a full Internet protocol stack, inserting our replacement into the OCaml-based MirageOS unikernel, resulting in minimal performance degradation.
GitHub repository
Simple High-Level Code For Cryptographic Arithmetic -- With Proofs, Without Compromises
Correct-by-construction generation of low-level crypto-primitive code using Coq
We introduce a new approach for implementing cryptographic arithmetic in short high-level code with machine-checked proofs of functional correctness. We further demonstrate that simple partial evaluation is sufficient to transform into the fastest-known C code, breaking the decades-old pattern that the only fast implementations are those whose instruction-level steps were written out by hand.
These techniques were used to build an elliptic-curve library that achieves competitive performance for 80 prime fields and multiple CPU architectures, showing that implementation and proof effort scales with the number and complexity of conceptually different algorithms, not their use cases. As one outcome, we present the first verified high-performance implementation of P-256, the most widely used elliptic curve. Implementations from our library were included in BoringSSL to replace existing specialized code, for inclusion in several large deployments for Chrome, Android, and CloudFlare.
*Note on errata:* a prepublication version was posted here for several months, containing some errors that have been fixed in the final version posted now.
Source code
Algorithmic Checking of Security Arguments for Microprocessors
Summarizing our team's work with formal methods in the DARPA SSITH program
Anticipating all possible attacks on a system is hard work. Malicious actors seem to have an inherent advantage, since they can win by finding single vulnerabilities. In our MIT team within the DARPA SSITH program, we are exploring principled ways to rule out human error as a source of security issues in computer processors. A typical security audit involves prose arguments about attack models and why they are thwarted. We instead write down formal mathematical theorems about real digital hardware designs, and we build their formal proofs that can be checked algorithmically. That is, a program, rather than a potentially distracted human, confirms that the security argument is convincing.
After giving some background on the general technology, I would like to focus on two concrete uses in the SSITH program. First, we are exploring flexible tagging support, to flow additional security-relevant information through the microarchitectural state of a Linux-capable processor. Unusually, however, we propose to compile custom processor descriptions automatically from descriptions of security policies to be enforced. We aim to do this compilation in a way that gives formal theorems that the generated processors truly enforce the security policies. Second, we are tackling the issues with timing side channels exposed by the Spectre and Meltdown vulnerabilities. Through a synergistic connection with work funded by the National Science Foundation, we are able to prove security theorems for whole hardware-software system stacks. For instance, we can show that a compiled C program with a cryptographic function will run on a specific RISC-V processor, in a way where a secret input flowing into the function provably has no effect on timing of output events flowing out of the processor.
Proving confidentiality in a file system using DiskSec
FSCQ extended to track information-flow policies that distinguish between different users
SFSCQ is the first file system with a machine-checked proof of security. To develop, specify, and prove SFSCQ, this paper introduces DiskSec, a novel approach for reasoning about confidentiality of storage systems, such as a file system. DiskSec addresses the challenge of specifying confidentiality using the notion of *data noninterference* to find a middle ground between strong and precise information-flow-control guarantees and the weaker but more practical discretionary access control. DiskSec factors out reasoning about confidentiality from other properties (such as functional correctness) using a notion of *sealed blocks*. Sealed blocks enforce that the file system treats confidential file blocks as opaque in the bulk of the code, greatly reducing the effort of proving data noninterference. An evaluation of SFSCQ shows that its theorems preclude security bugs that have been found in real file systems, that DiskSec imposes little performance overhead, and that SFSCQ's incremental development effort, on top of DiskSec and DFSCQ, on which it is based, was moderate.
Prototyping a Functional Language using Higher-Order Logic Programming: A Functional Pearl on Learning the Ways of Lambda-Prolog/Makam
An introduction to a slick way of implementing programming languages concisely and modularly, focusing on type checking, told in the style of a play, including songs
We demonstrate how the framework of *higher-order logic programming*, as exemplified in the Lambda-Prolog language design, is a prime vehicle for rapid prototyping of implementations for programming languages with sophisticated type systems. We present the literate development of a type checker for a language with a number of complicated features, culminating in a standard ML-style core with algebraic datatypes and type generalization, extended with staging constructs that are generic over a separately defined language of terms. We add each new feature in sequence, with little to no changes to existing code. Scaling the higher-order logic programming approach to this setting required us to develop approaches to challenges like complex variable binding patterns in object languages and performing generic structural traversals of code, making use of novel constructions in the setting of Lambda-Prolog, such as GADTs and generic programming. For our development, we make use of Makam, a new implementation of Lambda-Prolog, which we introduce in tutorial style as part of our (quasi-)literate development.
Project site
Computable decision-making on the reals and other spaces via partiality and nondeterminism
A theorem in real analysis shows that, in a world where all computations are continuous, we can't implement interesting conditional tests over, say, the real numbers. Here we show how to get around the problem with a functional-programming-friendly topological treatment of nondeterminism. (We can make discrete decisions about values from continuous spaces so long as we leave some wiggle room about what will actually happen at runtime.)
Though many safety-critical software systems use floating point to represent real-world input and output, the mathematical specifications of these systems' behaviors use real numbers. Significant deviations from those specifications can cause errors and jeopardize safety. To ensure system safety, some programming systems offer exact real arithmetic, which often enables a program's computation to match its mathematical specification exactly. However, exact real arithmetic complicates decision-making: in these systems, it is impossible to compute (total and deterministic) discrete decisions based on connected spaces such as R. We present programming-language semantics based on constructive topology with variants allowing nondeterminism and/or partiality. Either nondeterminism or partiality suffices to allow computable decision making on connected spaces such as R. We then introduce *pattern matching* on spaces, a language construct for creating programs on spaces, generalizing pattern matching in functional programming, where patterns need not represent decidable predicates and also may overlap or be inexhaustive, giving rise to nondeterminism or partiality, respectively. Nondeterminism and/or partiality also yield formal *logics for constructing approximate decision procedures*. We extended the Marshall language for exact real arithmetic with these constructs and implemented some programs with it.
Source code
Reification by Parametricity: Fast Setup for Proof by Reflection, in Two Lines of Ltac
A surprisingly simple way to convert terms in higher-order logic into first-class syntax trees, using standard features: would you believe that reification can mostly be done by term normalization in the metalanguage?
We present a new strategy for performing reification in Coq. That is, we show how to generate first-class abstract syntax trees from "native" terms of Coq's logic, suitable as inputs to verified compilers or procedures in the *proof-by-reflection* style. Our new strategy, based on simple generalization of subterms as variables, is straightforward, short, and fast. In its pure form, it is only complete for constants and function applications, but "let" binders, eliminators, lambdas, and quantifiers can be accommodated through lightweight coding conventions or preprocessing.
We survey the existing methods of reification across multiple Coq metaprogramming facilities, describing various design choices and tricks that can be used to speed them up, as well as various limitations. We report benchmarking results for 18 variants, in addition to our own, finding that our own reification outperforms 16 of these methods in all cases, and one additional method in some cases; writing an OCaml plugin is the only method tested to be faster. Our method is the most concise of the strategies we considered, reifying terms using only two to four lines of Ltac---beyond lists of the identifiers to reify and their reified variants. Additionally, our strategy automatically provides error messages that are no less helpful than Coq's own error messages.
Source code
Verifying a High-Performance Crash-Safe File System Using a Tree Specification
FSCQ extended to support "flush" operations and delayed syncing of data to disk, as a performance optimization
VDFS is the first file system that (1) provides a precise specification for `fsync` and `fdatasync`, which allow applications to achieve high performance and crash safety, and that (2) provides a machine-checked proof that its implementation meets this precise specification. VDFS's proof rules out some of the most common bugs in file-system implementations, as system calls are proved to expose the expected atomic behavior. VDFS's specification also allows applications to prove their own crash safety, avoiding application-level bugs such as forgetting to invoke `fsync` on both the file and the containing directory.
The key challenge in building VDFS is to write concise specifications for the file system and its internal implementation. VDFS introduces a *metadata-prefix* specification that captures the properties of `fsync` and `fdatasync`, which roughly follows the behavior of Linux ext4. This specification uses a notion of *tree sequences* -- a logical sequence of file system tree states -- to succinctly describe the possible states after a crash, and to describe how data writes can be re-ordered with respect to metadata updates.
An evaluation shows that VDFS achieves 103 MB/s on large file writes to an SSD and durably creates small files at a rate of 1,618 files per second. In comparison, Linux ext4 achieves 295 MB/s for large file writes and 4,977 files/s for small file creation. VDFS is much faster than any previous verified file system (none can even implement large file writes, and the fastest can create 350 files/s).
GitHub repository
TiML: A Functional Language for Practical Complexity Analysis with Invariants
Using refinement types to upper-bound program asymptotic running time, taking advantage of invariants specific to data structures
We present TiML (Timed ML), an ML-like functional language with time-complexity annotations in types. It uses indexed types to express sizes of data structures and upper bounds on running time of functions; and refinement kinds to constrain these indices, expressing data-structure invariants and pre/post-conditions. Indexed types are flexible enough that TiML avoids a built-in notion of "size", and the programmer can choose to index user-defined datatypes in any way that helps her analysis. TiML's distinguishing characteristic is supporting highly automated time-bound verification applicable to data structures with nontrivial invariants. The programmer provides type annotations, and the typechecker generates verification conditions that are discharged by an SMT solver. Type and index inference are supported to lower annotation burden, and, furthermore, big-O complexity can be inferred from recurrences generated during typechecking by a recurrence solver based on heuristic pattern matching (e.g. using the Master Theorem to handle divide-and-conquer-like recurrences). We have evaluated TiML's usability by implementing a broad suite of case-study modules, demonstrating that TiML, though lacking full automation and theoretical completeness, is versatile enough to verify worst-case and/or amortized complexities for algorithms and data structures like classic list operations, merge sort, Dijkstra's shortest-path algorithm, red-black trees, Braun trees, functional queues and dynamic tables with bounds like mn log n. The learning curve and annotation burden are reasonable, as we argue with statistics on our case studies. We formalized TiML's type-soundness proof in Coq.
Kami: A Platform for High-Level Parametric Hardware Specification and its Modular Verification
A Coq framework for modular correctness proofs of computer-architecture designs, supporting automatic extraction to circuits that run on FPGAs, etc.
It has become fairly standard in the programming-languages research world to verify functional programs in proof assistants using induction, algebraic simplification, and rewriting. In this paper, we introduce Kami, a Coq library that uses labeled transition systems to enable similar expressive and modular reasoning for hardware designs expressed in the style of the Bluespec language. We can specify, implement, and verify realistic designs entirely within Coq, ending with automatic extraction into a pipeline that bottoms out in FPGAs. Our methodology has been evaluated in a case study verifying an infinite family of multicore systems, with cache-coherent shared memory and pipelined cores implementing (the base integer subset of) the RISC-V instruction set.
Project web site
The End of History? Using a Proof Assistant to Replace Language Design with Library Design
The sales pitch for our Fiat system as embodying a new programming style, with novel and effective kinds of abstraction and modularity
Functionality of software systems has exploded in part because of advances in programming-language support for packaging reusable functionality as libraries. Developers benefit from the uniformity that comes of exposing many interfaces in the same language, as opposed to stringing together hodgepodges of command-line tools. Domain-specific languages may be viewed as an evolution of the power of reusable interfaces, when those interfaces become so flexible as to deserve to be called programming languages. However, common approaches to domain-specific languages give up many of the hard-won advantages of library-building in a rich common language, and even the traditional approach poses significant challenges in learning new APIs. We suggest that instead of continuing to develop new domain-specific languages, our community should embrace library-based ecosystems within very expressive languages that mix programming and theorem proving. Our prototype framework Fiat, a library for the Coq proof assistant, turns languages into easily comprehensible libraries via the key idea of modularizing *functionality* and *performance* away from each other, the former via *macros that desugar into higher-order logic* and the latter via *optimization scripts* that derive efficient code from logical programs.
Project web site
Slides are available from my talk [LibreOffice, PDF].
A Program Optimization for Automatic Database Result Caching
A compiler optimization for Ur/Web that adds caching for SQL-query results and derived computations, inferring sound invalidation strategies that often avoid bottlenecks for parallel execution
Most popular Web applications rely on persistent databases based on languages like SQL for declarative specification of data models and the operations that read and modify them. As applications scale up in user base, they often face challenges responding quickly enough to the high volume of requests. A common aid is *caching* of database results in the application's memory space, taking advantage of program-specific knowledge of which caching schemes are sound and useful, embodied in handwritten modifications that make the program less maintainable. These modifications also require nontrivial reasoning about the read-write dependencies across operations. In this paper, we present a compiler optimization that automatically adds sound SQL caching to Web applications coded in the Ur/Web domain-specific functional language, with no modifications required to source code. We use a custom cache implementation that supports concurrent operations without compromising the transactional semantics of the database abstraction. Through experiments with microbenchmarks and production Ur/Web applications, we show that our optimization in many cases enables an easy doubling or more of an application's throughput, requiring nothing more than passing an extra command-line flag to the compiler.
Project web site
Mostly Automated Formal Verification of Loop Dependencies with Applications to Distributed Stencil Algorithms
A Coq framework for verifying that nested loops obey dependency constraints, in message-passing distributed programs that collaboratively fill in the cells of large multidimensional grids
The class of *stencil* programs involves repeatedly updating elements of arrays according to fixed patterns, referred to as stencils. Stencil problems are ubiquitous in scientific computing and are used as an ingredient to solve more involved problems. Their high regularity allows massive parallelization. Two important challenges in designing such algorithms are cache efficiency and minimizing the number of communication steps between nodes. In this paper, we introduce a mathematical framework for a crucial aspect of formal verification of both sequential and distributed stencil algorithms, and we describe its Coq implementation. We present a domain-specific embedded programming language with support for automating the most tedious steps of proofs that nested loops respect dependencies, applicable to sequential and distributed examples. Finally, we evaluate the robustness of our library by proving the dependency-correctness of some real-world stencil algorithms, including a state-of-the-art cache-oblivious sequential algorithm, as well as two optimized distributed kernels.
Source code
Chapar: Certified Causally Consistent Distributed Key-Value Stores
Coq proofs of several distributed key-value store algorithms, including principles for modular reasoning about client programs that use them
Today's Internet services are often expected to stay available and render high responsiveness even in the face of site crashes and network partitions. Theoretical results state that causal consistency is one of the strongest consistency guarantees that is possible under these requirements, and many practical systems provide causally consistent key-value stores. In this paper, we present a framework called Chapar for modular verification of causal consistency for replicated key-value store implementations and their client programs. Specifically, we formulate separate correctness conditions for key-value store implementations and for their clients. The interface between the two is a novel operational semantics for causal consistency. We have verified the causal consistency of two key-value store implementations from the literature using a novel proof technique. We have also implemented a simple automatic model checker for the correctness of client programs. The two independently verified results for the implementations and clients can be composed to conclude the correctness of any of the programs when executed with any of the implementations. We have developed and checked our framework in Coq, extracted it to OCaml, and built executable stores.
Using Crash Hoare Logic for Certifying the FSCQ File System
Best Paper Award
A file system implemented and verified in Coq, using separation logic, connected to Linux and providing respectable performance
FSCQ is the first file system with a machine-checkable proof (using the Coq proof assistant) that its implementation meets its specification and whose specification includes crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover the file system correctly without losing data.
To state FSCQ's theorems, this paper introduces the Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels. CHL also reduces the proof effort for developers through proof automation. Using CHL, we developed, specified, and proved the correctness of the FSCQ file system. Although FSCQ's design is relatively simple, experiments with FSCQ running as a user-level file system show that it is sufficient to run Unix applications with usable performance. FSCQ's specifications and proofs required significantly more work than the implementation, but the work was manageable even for a small team of a few researchers.
GitHub repository
An Optimizing Compiler for a Purely Functional Web-Application Language
The whole-program optimizing compiler for Ur/Web
High-level scripting languages have become tremendously popular for development of dynamic Web applications. Many programmers appreciate the productivity benefits of automatic storage management, freedom from verbose type annotations, and so on. While it is often possible to improve performance substantially by rewriting an application in C or a similar language, very few programmers bother to do so, because of the consequences for human development effort. This paper describes a compiler that makes it possible to have most of the best of both worlds, coding Web applications in a high-level language but compiling to native code with performance comparable to handwritten C code. The source language is Ur/Web, a domain-specific, purely functional, statically typed language for the Web. Through a coordinated suite of relatively straightforward program analyses and algebraic optimizations, we transform Ur/Web programs into almost-idiomatic C code, with no garbage collection, little unnecessary memory allocation for intermediate values, etc. Our compiler is in production use for commercial Web sites supporting thousands of users, and microbenchmarks demonstrate very competitive performance versus mainstream tools.
Project web site
Slides are available from my talk at ICFP'15 [LibreOffice, PDF]. There's also an online video of the talk.
Modular Deductive Verification of Multiprocessor Hardware Designs
Modular Coq proofs of Bluespec-style hardware descriptions, where processors and memory systems can be verified separately against generic specs (in the style of labeled transition systems) that are compatible with many different optimizations
We present a new framework for modular verification of hardware designs in the style of the Bluespec language. That is, we formalize the idea of components in a hardware design, with well-defined input and output channels; and we show how to specify and verify components individually, with machine-checked proofs in the Coq proof assistant. As a demonstration, we verify a fairly realistic implementation of a multicore shared-memory system with two types of components: memory system and processor. Both components include nontrivial optimizations, with the memory system employing an arbitrary hierarchy of cache nodes that communicate with each other concurrently, and with the processor doing speculative execution of many concurrent read operations. Nonetheless, we prove that the combined system implements sequential consistency. To our knowledge, our memory-system proof is the first machine verification of a cache-coherence protocol parameterized over an arbitrary cache hierarchy, and our full-system proof is the first machine verification of sequential consistency for a multicore hardware design that includes caches and speculative processors.
Fiat: Deductive Synthesis of Abstract Data Types in a Proof Assistant
Deriving efficient OCaml implementations of abstract data types, from declarative specifications, in Coq, mostly automatically. The main case study works with SQL-style relational queries and update operations.
We present Fiat, a library for the Coq proof assistant supporting refinement of declarative specifications into efficient functional programs with a high degree of automation. Each refinement process leaves a proof trail, checkable by the normal Coq kernel, justifying its soundness. We focus on the synthesis of abstract data types that package methods with private data. We demonstrate the utility of our framework by applying it to the synthesis of *query structures* -- abstract data types with SQL-like query and insert operations. Fiat includes a library for writing specifications of query structures in SQL-inspired notation, expressing operations over relations (tables) in terms of mathematical sets. This library includes a set of tactics for automating the refinement of these specifications into efficient, correct-by-construction OCaml code. Using these tactics, a programmer can generate such an implementation completely automatically by only specifying the equivalent of SQL indexes, data structures capturing useful views of the abstract data. We conclude by speculating on the new programming modularity possibilities enabled by an automated refinement system with proved-correct rules.
Software/proof source code
Ur/Web: A Simple Model for Programming the Web
At long last, a paper on the design of Ur/Web, a DSL for Web applications, supporting novel encapsulation techniques and a simple concurrency model for distributed applications
The World Wide Web has evolved gradually from a document delivery platform to an architecture for distributed programming. This largely unplanned evolution is apparent in the set of interconnected languages and protocols that any Web application must manage. This paper presents Ur/Web, a domain-specific, statically typed functional programming language with a much simpler model for programming modern Web applications. Ur/Web's model is **unified**, where programs in a single programming language are compiled to other "Web standards" languages as needed; **modular**, supporting novel kinds of encapsulation of Web-specific state; and exposes **simple concurrency**, where programmers can reason about distributed, multithreaded applications via a mix of transactions and cooperative preemption. We give a tutorial introduction to the main features of Ur/Web, formalize the basic programming model with operational semantics, and discuss the language implementation and the production Web applications that use it.
Project web site
Slides are available from my talk at POPL'15 [LibreOffice, PDF].
From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification
A case study in building a whole-program Coq proof that covers both an application (a database-backed dynamic Web application) and systems infrastructure (a cooperative thread library). The components are verified modularly with Bedrock, and there is a verified compiler for a domain-specific language that can be used to derive similar theorems for similar Web applications, with minimal new proving work.
Many verifications of realistic software systems are *monolithic*, in the sense that they define single *global invariants* over complete system state. More *modular* proof techniques promise to support reuse of component proofs and even reduce the effort required to verify one concrete system, just as modularity simplifies standard software development. This paper reports on one case study applying modular proof techniques in the Coq proof assistant. To our knowledge, it is the first modular verification certifying a system that combines infrastructure with an application of interest to end users. We assume a nonblocking API for managing TCP networking streams, and on top of that we work our way up to certifying multithreaded, database-backed Web applications. Key verified components include a cooperative threading library and an implementation of a domain-specific language for XML processing. We have deployed our case-study system on mobile robots, where it interfaces with off-the-shelf components for sensing, actuation, and control.
Software/proof source code
Slides are available from my talk at POPL'15 [LibreOffice, PDF].
Compiler Verification Meets Cross-Language Linking via Data Abstraction
An approach to verifying multilanguage programs in the Bedrock framework, mixing operational semantics for intralanguage reasoning and axiomatic semantics for interlanguage reasoning
Many real programs are written in multiple different programming languages, and supporting this pattern creates challenges for formal compiler verification. We describe our Coq verification of a compiler for a high-level language, such that the compiler correctness theorem allows us to derive partial-correctness Hoare-logic theorems for programs built by linking the assembly code output by our compiler and assembly code produced by other means. Our compiler supports such tricky features as storable cross-language function pointers, without giving up the usual benefits of being able to verify different compiler phases (including, in our case, two classic optimizations) independently. The key technical innovation is a mixed operational and axiomatic semantics for the source language, with a built-in notion of *abstract data types*, such that compiled code interfaces with other languages only through axiomatically specified methods that mutate encapsulated private data, represented in whatever formats are most natural for those languages.
Software/proof source code
Jitk: A Trustworthy In-Kernel Interpreter Infrastructure
Coq-verified just-in-time compilation for packet filters, etc., in Linux
Modern operating systems run multiple interpreters in the kernel, which enable user-space applications to add new functionality or specialize system policies. The correctness of such interpreters is critical to the overall system security: bugs in interpreters could allow adversaries to compromise user-space applications and even the kernel.
Jitk is a new infrastructure for building in-kernel interpreters that guarantee *functional correctness* as they compile user-space policies down to native instructions for execution in the kernel. To demonstrate Jitk, we implement two interpreters in the Linux kernel, BPF and INET-DIAG, which are used for network and system call filtering and socket monitoring, respectively. To help application developers write correct filters, we introduce a high-level rule language, along with a proof that Jitk correctly translates high-level rules all the way to native machine code, and demonstrate that this language can be integrated into OpenSSH with tens of lines of code. We built a prototype of Jitk on top of the CompCert verified compiler and integrated it into the Linux kernel. Experimental results show that Jitk is practical, fast, and trustworthy.
Compositional Computational Reflection
A framework for combining reflective Coq tactics, applied in the Bedrock system to verify imperative programs
Current work on computational reflection is single-minded; each reflective procedure is written with a specific application or scope in mind. Composition of these reflective procedures is done by a proof-generating tactic language such as Ltac. This composition, however, comes at the cost of both larger proof terms and redundant preprocessing. In this work, we propose a methodology for writing composable reflective procedures that solve many small tasks in a single invocation. The key technical insights are techniques for reasoning semantically about extensible syntax in intensional type theory. We also consider sound methods for user extension of such procedures using lemmas and full reflective procedures, which mimicks Coq's support for hint databases with only slightly more user effort.
Source code is available for the framework and the instantiation for Bedrock
Experience Implementing a Performant Category-Theory Library in Coq
A Coq category-theory library, designed to support computationally efficient proofs of large goals, taking advantage of recent improvements to the homotopy-type-theory Coq version and giving some other wishlist items for Coq
We describe our experience implementing a broad category-theory library in Coq. Category theory and computational performance are not usually mentioned in the same breath, but we have needed substantial engineering effort to teach Coq to cope with large categorical constructions without slowing proof script processing unacceptably. In this paper, we share the lessons we have learned about how to represent very abstract mathematical objects and arguments in Coq and how future proof assistants might be designed to better support such reasoning. One particular encoding trick to which we draw attention allows category-theoretic arguments involving *duality* to be internalized in Coq's logic with definitional equality. Ours may be the largest Coq development to date that uses the relatively new Coq version developed by homotopy type theorists, and we reflect on which new features were especially helpful.
Library source code
The Bedrock Structured Programming System: Combining Generative Metaprogramming and Hoare Logic in an Extensible Program Verifier
Bedrock takes literally the idea of C as a "macro assembly language." All the programming features are built up as macros on top of assembly language, and macros have verified Hoare logic-style proof rules attached to them, so that one gets a "free" environment for mostly automated deductive program verification for any mix of macros used in a particular program.
We report on the design and implementation of an extensible programming language and its intrinsic support for formal verification. Our language is targeted at low-level programming of infrastructure like operating systems and runtime systems. It is based on a cross-platform core combining characteristics of assembly languages and compiler intermediate languages. From this foundation, we take literally the saying that C is a "macro assembly language": we introduce an expressive notion of *certified low-level macros*, sufficient to build up the usual features of C and beyond as macros with no special support in the core. Furthermore, our macros have integrated support for strongest postcondition calculation and verification condition generation, so that we can provide a high-productivity formal verification environment within Coq for programs composed from any combination of macros. Our macro interface is expressive enough to support features that low-level programs usually only access through external tools with no formal guarantees, such as declarative parsing or SQL-inspired querying. The abstraction level of these macros only imposes a *compile-time* cost, via the execution of functional Coq programs that compute programs in our intermediate language; but the *run-time* cost is not substantially greater than for more conventional C code. We describe our experiences constructing a full C-like language stack using macros, with some experiments on the verifiability and performance of individual programs running on that stack.
Software/proof source code
Slides are available from my talk at ICFP'13 [OpenOffice, PDF].
Formal Verification of Hardware Synthesis
A verified compiler for an idealization of the Bluespec hardware description language
We report on the implementation of a certified compiler for a high-level hardware description language (HDL) called Fe-Si (FEath-erweight SynthesIs). Fe-Si is a simplified version of Bluespec, an HDL based on a notion of guarded atomic actions. Fe-Si is defined as a dependently typed deep embedding in Coq. The target language of the compiler corresponds to a synthesisable subset of Verilog or VHDL. A key aspect of our approach is that input programs to the compiler can be defined and proved correct inside Coq. Then, we use extraction and a Verilog back-end (written in OCaml) to get a certified version of a hardware design.
Public source-code repository
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic
A constructive proof that automating separation logic proofs for systems code is easy, despite claims to the contrary coming from SMT solver-centric perspectives. `;-)` Specifically, this paper introduced Bedrock, a Coq library for foundational verification of code at the assembly level of abstraction. A mostly-automated separation logic prover uses a modest amount of programmer annotation to drive verification of examples like imperative data structures and a cooperative threading library.
Several recent projects have shown the feasibility of verifying low-level systems software. Verifications based on automated theorem-proving have omitted reasoning about *first-class code pointers*, which is critical for tasks like certifying implementations of threads and processes. Conversely, verifications that deal with first-class code pointers have featured long, complex, manual proofs. In this paper, we introduce the Bedrock framework, which supports mostly-automated proofs about programs with the full range of features needed to implement, e.g., language runtime systems.
The heart of our approach is in mostly-automated discharge of verification conditions inspired by separation logic. Our take on separation logic is *computational*, in the sense that function specifications are usually written in terms of *reference implementations in a purely functional language*. Logical quantifiers are the most challenging feature for most automated verifiers; by relying on functional programs (written in the expressive language of the Coq proof assistant), we are able to avoid quantifiers almost entirely. This leads to some dramatic improvements compared to both the state of the art in classical verification, which we compare against with implementations of data structures like binary search trees and hash tables; and the state of the art in verified programming with code pointers, which we compare against with examples like function memoization and a cooperative threading library.
Software/proof source code
Slides are available from my talk at PLDI'11 [OpenOffice, PDF].
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications
Static analysis for security policies for Ur/Web applications, based on the key new idea of representing policies as SQL queries. The analysis follows the well-trod path of symbolic evaluation and automated first-order-logic theorem-proving.
We present a system for sound static checking of security policies for database-backed Web applications. Our tool checks a combination of access control and information flow policies, where the policies vary based on database contents. For instance, one or more database tables may represent an access control matrix, controlling who may read or write which cells of these and other tables. Using symbolic evaluation and automated theorem-proving, our tool checks these policies statically, requiring no program annotations (beyond the policies themselves) and adding no run-time overhead. Specifications come in the form of *SQL queries as policies*: for instance, an application's confidentiality policy is a fixed set of queries, whose results provide an upper bound on what information may be released to the user. To provide user-dependent policies, we allow queries to depend on *what secrets the user knows*. We have used our prototype implementation to check several programs representative of the data-centric Web applications that are common today.
From the OSDI'10 talk: slides in OpenOffice and PDF formats; video
Project web site
Ur: Statically-Typed Metaprogramming with Type-Level Record Computation
A first paper about Ur, focusing on the metaprogramming aspect: we can write generic programs that write programs, based on inputs like database schemas, summaries of HTML form configurations, etc., and we can type-check our generators statically without needing to write any proof terms.
*Dependent types* provide a strong foundation for specifying and verifying rich properties of programs through type-checking. The earliest implementations combined dependency, which allows types to mention program variables; with type-level computation, which facilitates expressive specifications that compute with recursive functions over types. While many recent applications of dependent types omit the latter facility, we argue in this paper that it deserves more attention, even when implemented without dependency.
In particular, the ability to use functional programs as specifications enables *statically-typed metaprogramming*: programs write programs, and static type-checking guarantees that the generating process never produces invalid code. Since our focus is on generic validity properties rather than full correctness verification, it is possible to engineer type inference systems that are very effective in narrow domains. As a demonstration, we present Ur, a programming language designed to facilitate metaprogramming with first-class records and names. On top of Ur, we implement Ur/Web, a special standard library that enables the development of modern web applications. Ad-hoc code generation is already in wide use in the popular web application frameworks, and we show how that generation may be tamed using types, without forcing metaprogram authors to write proofs or forcing metaprogram users to write any fancy types.
Project web site
Slides are available from my talk at PLDI'10 [OpenOffice, PDF].
A Verified Compiler for an Impure Functional Language
A case study in verifying a compiler to an idealized assembly language from an untyped source language with most of the key dynamic features of ML: functions, products, sums, mutable references, and value-carrying exceptions. Syntax is encoded with parametric higher-order abstract syntax (PHOAS), which makes it possible to avoid almost all bookkeeping having to do with binders and fresh name generation. The semantics of the object languages are encoded in a new substitution-free style. All of the proofs are automated with tactic programs that can keep working even after changing the definitions of the languages.
We present a verified compiler to an idealized assembly language from a small, untyped functional language with mutable references and exceptions. The compiler is programmed in the Coq proof assistant and has a proof of total correctness with respect to big-step operational semantics for the source and target languages. Compilation is staged and includes standard phases like translation to continuation-passing style and closure conversion, as well as a common subexpression elimination optimization. In this work, our focus has been on discovering and using techniques that make our proofs easy to engineer and maintain. While most programming language work with proof assistants uses very manual proof styles, all of our proofs are implemented as adaptive programs in Coq's tactic language, making it possible to reuse proofs unchanged as new language features are added.
In this paper, we focus especially on phases of compilation that rearrange the structure of syntax with nested variable binders. That aspect has been a key challenge area in past compiler verification projects, with much more effort expended in the statement and proof of binder-related lemmas than is found in standard pencil-and-paper proofs. We show how to exploit the representation technique of *parametric higher-order abstract syntax* to avoid the need to prove any of the usual lemmas about binder manipulation, often leading to proofs that are actually shorter than their pencil-and-paper analogues. Our strategy is based on a new approach to encoding operational semantics which delegates all concerns about substitution to the meta language, without using features incompatible with general-purpose type theories like Coq's logic.
Software/proof source code and documentation
Slides are available from my talks at POPL'10 [OpenOffice, PDF] and WMM'09 [OpenOffice, PDF].
Effective Interactive Proofs for Higher-Order Imperative Programs
An approach to automating correctness proofs about higher-order, imperative programs in Coq, based on an extensible simplifier for separation logic formulas
We present a new approach for constructing and verifying higher-order, imperative programs using the Coq proof assistant. We build on the past work on the Ynot system, which is based on Hoare Type Theory. That original system was a proof of concept, where every program verification was accomplished via laborious manual proofs, with much code devoted to uninteresting low-level details. In this paper, we present a re-implementation of Ynot where verified imperative programming need not be much harder than programming in Haskell. At the same time, our new system is implemented entirely in Coq source files, showcasing the versatility of that proof assistant as a platform for research on language design and verification.
Both versions of the system have been evaluated with case studies in the verification of imperative data structures, such as hash tables with higher-order iterators. The verification burden in our new system is reduced by at least an order of magnitude compared to the old system, by replacing manual proof with automation. The core of the automation is a simplification procedure for implications in higher-order separation logic, with hooks that allow programmers to add domain-specific simplification rules.
We argue for the effectiveness of our infrastructure by verifying a number of data structures and a packrat parser, and we compare to similar efforts within other projects. Compared to competing approaches to data structure verification, our system includes much less code that must be trusted; namely, about a hundred lines of Coq code defining a program logic. All of our theorems and decision procedures have or build machine-checkable correctness proofs from first principles, removing opportunities for tool bugs to create faulty verifications.
From the ICFP'09 talk: slides in OpenOffice and PDF formats; skeleton and final solution for the demo; video
Project web site
Parametric Higher-Order Abstract Syntax for Mechanized Semantics
Awarded Most Influential Paper ten years later
A new trick for encoding variable binders in Coq, along with an exploration of its consequences: almost trivial syntax and type-theoretic semantics for languages including such features as polymorphism and complicated binding structure (e.g., ML-style pattern matching); almost trivial type preservation proofs for compiler passes that don't need intensional analysis of variables; mostly-automated semantic correctness proofs about those passes, by way of adding an axiom to make the parametricity of CIC usable explicitly in proofs; and the ability to drop down to more traditional syntactic representations for more arduous but feasible proofs of the same properties, when intensional variable analysis is needed.
We present *parametric higher-order abstract syntax (PHOAS)*, a new approach to formalizing the syntax of programming languages in computer proof assistants based on type theory. Like higher-order abstract syntax (HOAS), PHOAS uses the meta language's binding constructs to represent the object language's binding constructs. Unlike HOAS, PHOAS types are definable in general-purpose type theories that support traditional functional programming, like Coq's Calculus of Inductive Constructions. We walk through how Coq can be used to develop certified, executable program transformations over several statically-typed functional programming languages formalized with PHOAS; that is, each transformation has a machine-checked proof of type preservation and semantic preservation. Our examples include CPS translation and closure conversion for simply-typed lambda calculus, CPS translation for System F, and translation from a language with ML-style pattern matching to a simpler language with no variable-arity binding constructs. By avoiding the syntactic hassle associated with first-order representation techniques, we achieve a very high degree of proof automation.
Software/proof source code and documentation
Slides are available from my ICFP talk in OpenOffice and PDF formats.
A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language
A compiler for a tiny statically-typed functional programming language, implemented in Coq with a proof of correctness. The main interesting bits are my use of dependently-typed abstract syntax and denotational semantics, along with some engineering tricks for making the task manageable.
We present a certified compiler from the simply-typed lambda calculus to assembly language. The compiler is certified in the sense that it comes with a machine-checked proof of semantics preservation, performed with the Coq proof assistant. The compiler and the terms of its several intermediate languages are given dependent types that guarantee that only well-typed programs are representable. Thus, type preservation for each compiler pass follows without any significant "proofs" of the usual kind. Semantics preservation is proved based on denotational semantics assigned to the intermediate languages. We demonstrate how working with a type-preserving compiler enables type-directed proof search to discharge large parts of our proof obligations automatically.
Software/proof source code and documentation
Slides are available from my PLDI talk in OpenOffice and PDF formats.
Slides are also available from a talk I gave at the Projet Gallium seminar at INRIA Rocquencourt, in OpenOffice and PDF formats.
Modular Development of Certified Program Verifiers with a Proof Assistant
I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.
I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.
Software/proof source code and documentation
Talk slides available in OpenOffice and PDF formats.
A Framework for Certified Program Analysis and Its Applications to Mobile-Code Safety
We propose a new technique in support of the construction of efficient Foundational Proof-Carrying Code systems. Instead of suggesting that pieces of mobile code come with proofs of their safety, we instead suggest that they come with executable verifiers that can attest to their safety, as in our previous work on the Open Verifier. However, in contrast to that previous work, here we do away with any runtime proof generation by these verifiers. Instead, we require that the verifier itself is proved sound. To support this, we present a novel technique for extracting proof obligations about ML programs. Using this approach, we are able to demonstrate the first foundational verification technique for Typed Assembly Language with performance comparable to that of the traditional, uncertified TAL type checker.
A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation.
We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code.
Talk slides available in OpenOffice and PDF formats.
Generating Tests from Counterexamples
We describe how to use the BLAST model checker to generate program test suites that achieve full coverage with respect to a given set of predicates.
We have extended the software model checker Blast to automatically generate test suites that guarantee full coverage with respect to a given predicate. More precisely, given a C program and a target predicate p, Blast determines the set L of program locations which program execution can reach with p true, and automatically generates a set of test vectors that exhibit the truth of p at all locations in L. We have used Blast to generate test suites and to detect dead code in C programs with up to 30K lines of code. The analysis and test-vector generation is fully automatic (no user intervention) and exact (no false positives).
Towards Certified Storage Systems
On verifying functional properties of filesystems in the presence of failures, using proof assistants
On verifying functional properties of filesystems in the presence of failures, using proof assistants
Position Paper: Thoughts on Programming with Proof Assistants
Some thoughts on how Coq is actually in pretty good shape to use today for non-trivial programming with dependent types
Today the reigning opinion about computer proof assistants based on constructive logic (even from some of the developers of these tools!) is that, while they are very helpful for doing math, they are an absurdly heavy-weight solution to use for practical programming. Yet the Curry-Howard isomorphism foundation of proof assistants like Coq gives them clear interpretations as programming environments.
My purpose in this position paper is to make the general claim that Coq is already quite useful today for non-trivial certified programming tasks, as well as to highlight some reasons why you might want to consider using it as a base for your next project in dependently-typed programming.
Talk slides available in OpenOffice and PDF formats.
Cooperative Integration of an Interactive Proof Assistant and an Automated Prover
We show how to combine the interactive proof assistant Coq and the Nelson-Oppen-style automated first-order theorem prover Kettle in a synergistic way. We do this with a Kettle tactic for Coq that uses theory-specific reasoning to simplify goals based on automatically chosen case analyses, returning to the user as subgoals the cases it couldn't prove automatically. The process can then be repeated recursively, using Coq's tactical language as a very expressive extension of the matching strategies found in provers like Simplify. We also discuss how to encode specialized first-order proofs efficiently in Coq using proof by reflection.
We propose a mechanism for semi-automated proving of theorems, using a tactic for the Coq proof assistant that consults a proof-generating Nelson-Oppen-style automated prover. Instead of simply proving or failing to prove a goal, our tactic decides on relevant case splits using theory-specific axioms, proves some of the resulting cases, and returns the remainder to the Coq user as subgoals. These subgoals can then be proved using inductions and lemma instantiations that are beyond the capabilities of the automated prover. We show that the Coq tactic language provides an excellent way to script this process to an extent not supported by current Nelson-Oppen provers. Like with any Coq proof, a separately checkable proof term in a core calculus is produced at the end of any successful proving session where our method is used, and we take advantage of the "proof by reflection" technique to translate the specialized first-order proofs of the automated prover into compact Coq representations.
Talk slides available in OpenOffice and PDF formats.
The <literal>Open Verifier</literal> Framework for Foundational Verifiers
We propose a new framework for the construction of trustworthy program verifiers. The Open Verifier architecture can be viewed as an optimized Foundational Proof-Carrying Code toolkit. Instead of proposing that code producers send proofs of safety with all of their programs, we instead suggest that they send re-usable proof-generating verifiers. The proofs are generated in an online fashion via a novel interaction scheme between the untrusted verifier and the trusted core of the system.
We present the Open Verifier approach for verifying untrusted code using customized verifiers. This approach can be viewed as an instance of foundational proof-carrying code where an untrusted program can be checked using the verifier most natural for it instead of using a single generic type system. In this paper we focus on a specialized architecture designed to reduce the burden of expressing both type-based and Hoare-style verifiers.
A new verifier is created by providing an untrusted executable extension module, which can incorporate directly pre-existing non-foundational verifiers based on dataflow analysis or type checking. The extensions control virtually all aspects of the verification by carrying on a dialogue with the Open Verifier using a language designed both to correspond closely to common verification actions and to carry simple adequacy proofs for those actions.
We prove the soundness of the framework, and we describe our experience implementing proof-carrying code, typed assembly language, and dataflow or abstract interpretation based verifiers in this unified setting.
Type-Based Verification of Assembly Language for Compiler Debugging
A new approach to checking assembly programs in a way similar to that used in the Java Bytecode Verifier. We introduce a novel mixed type/value technique that makes it tractable to deal with some of the "dependent typing" issues that come up. We also present results on using this technique to help students in an undergraduate compilers class debug their class projects.
It is a common belief that certifying compilation, which typically verifies the well-typedness of compiler output, can be an effective mechanism for compiler debugging, in addition to ensuring basic safety properties. Bytecode verification is a fairly simple example of this approach and derives its simplicity in part by compiling to carefully crafted high-level bytecodes. In this paper, we seek to push this method to native assembly code, while maintaining much of the simplicity of bytecode verification. Furthermore, we wish to provide experimental confirmation that such a tool can be accessible and effective for compiler debugging. To achieve these goals, we present a type-based data-flow analysis or abstract interpretation for assembly code compiled from a Java-like language, and evaluate its bug-finding efficacy on a large set of student compilers.
Strict Bidirectional Type Checking
We present a type system that is useful in saving type annotation space in intermediate language terms expressed in the restricted form called "A-normal form" or "one-half CPS." Our approach imports ideas from strict logic, which is based on the idea of hypotheses that must be used at least once. The resulting system is relevant to the efficiency of type-preserving compilers.
Completely annotated lambda terms (such as are arrived at via the straightforward encodings of various types from System F) contain much redundant type information. Consequently, the completely annotated forms are almost never used in practice, since partially annotated forms can be defined which still allow syntax directed typechecking. An additional optimization that is used in some proof and type systems is to take advantage of the context of occurrence of terms to further elide type information using bi-directional typechecking rules. While this technique is generally effective, we show that there exist bi-directional terms which exhibit asymptotic increases in the size of their type decorations when sequentialized into a named-form calculus (a common first step in compilation). In this paper, we introduce a refinement of the bi-directional type system based on strict logic which allows additional type decorations to be eliminated, and show that it is well-behaved under sequentialization.
Developing Certified Program Verifiers with a Proof Assistant
A poster about certified program verifiers in Coq
Abstract about a poster on certified program verifiers in Coq
You can download the poster in OpenOffice or PDF format.
The <literal>Blast</literal> Query Language for Software Verification
We describe a system that combines security automaton-based program specification with a facility for relational-style queries about the possible execution paths of a program.
Blast is an automatic verification tool for checking temporal safety properties of C programs. Blast is based on lazy predicate abstraction driven by interpolation-based predicate discovery. In this paper, we present the Blast specification language. The language specifies program properties at two levels of precision. At the lower level, monitor automata are used to specify temporal safety properties of program executions (traces). At the higher level, relational reachability queries over program locations are used to combine lower-level trace properties. The two-level specification language can be used to break down a verification task into several independent calls of the model-checking engine. In this way, each call to the model checker may have to analyze only part of the program, or part of the specification, and may thus succeed in a reduction of the number of predicates needed for the analysis. In addition, the two-level specification language provides a means for structuring and maintaining specifications.
Generic Programming and Proving for Programming Language Metatheory
UCB/EECS-2007-147
2007
How to do dependently-typed generation of proofs about programming language syntax and semantics
We present a system for both the generic programming of operations that work over classes of tree-structured data types and the automatic generation of formal type-theoretical proofs about such operations. The system is implemented in the Coq proof assistant, using dependent types to validate code and proof generation statically, quantified over all possible input data types. We focus on generic programming of variable-manipulating operations, such as substitution and free variable set calculation, over abstract syntax tree types implemented as GADTs that combine syntax and typing rules. By accompanying these operations with generic lemmas about their interactions, we significantly ease the burden of formalizing programming language metatheory. Our implementation strategy, based on *proof by reflection*, requires users to trust none of its associated code to be able to trust in the validity of theorems derived with it.
Slides are available from a talk I gave at WMM'07, in OpenOffice and PDF formats.
Implementing Certified Programming Language Tools in Dependent Type Theory
UCB/EECS-2007-113
2007
My PhD dissertation, re-presenting the work on certified program verifiers (from ICFP'06) and certified compilers (from PLDI'07)
I present two case studies supporting the assertion that type-based methods enable effective *certified programming*. By certified programming, I mean the development of software with formal, machine-checked total correctness proofs. While the classical formal methods domain is most commonly concerned with after-the-fact verification of programs written in a traditional way, I explore an alternative technique, based on using *dependent types* to integrate correctness proving with programming. I have chosen the Coq proof assistant as the vehicle for these experiments. Throughout this dissertation, I draw attention to features of formal theorem proving tools based on *dependent type theory* that make such tools superior choices for certified programming, compared to their competition.
In the first case study, I present techniques for constructing *certified program verifiers*. I present a Coq toolkit for building foundational memory safety verifiers for x86 machine code. The implementation uses rich *specification types* to mix behavioral requirements with the traditional types of functions, and I mix standard programming practice with tactic-based interactive theorem proving to implement programs of these types. I decompose verifier implementations into libraries of components, where each component is implemented as *a functor that transforms a verifier at one level of abstraction into a verifier at a lower level*. I use the toolkit to assemble a verifier for programs that use algebraic datatypes using only several hundred lines of code specific to its type system.
The second case study presents work in *certified compilers*. I focus in particular on *type-preserving compilation*, where source-level type information is preserved through several statically-typed intermediate languages and used at runtime for such purposes as guiding a garbage collector. I suggest a novel approach to mechanizing the semantics of programming languages, based on *dependently-typed abstract syntax* and *denotational semantics*. I use this approach to certify a compiler from simply-typed lambda calculus to an idealized assembly language that interfaces with a garbage collector through tables listing the appropriate root registers for different program points. Significant parts of the proof effort are automated using type-driven heuristics. I also present a generic programming system for automating construction of syntactic helper functions and their correctness proofs, based on an implementation technique called *proof by reflection*.
Scrap Your Web Application Boilerplate, or Metaprogramming with Row Types
UCB/EECS-2006-120
2006
An overview of a work-in-progress functional programming language that puts dependent types and theorem proving to work to make it easier to write concise and maintainable web applications
I introduce a new functional programming language, called Laconic/Web, for rapid development of web applications. Its strong static type system guarantees that entire sequences of interaction with these applications "can't go wrong." Moreover, a higher-order dependent type system is used to enable statically-checked metaprogramming. In contrast to most dependently-typed programming languages, Laconic/Web can be used by programmers with no knowledge of proof theory. Instead, more expert developers develop libraries that extend the Laconic/Web type checker with type rewrite rules that have proofs of soundness. I compare Laconic/Web against Ruby on Rails, the most well-known representative of a popular class of Web application frameworks based around dynamic languages and runtime reflection, and show that my approach leads both to more concise programs and to better runtime efficiency.
Project web site
A Framework for Certified Program Analysis and Its Applications to Mobile-Code Safety
UCB/ERL M05/32
2005
This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples.
A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation.
We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code.
This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples.
An Untrusted Verifier for Typed Assembly Language
MS Project Report
UCB/ERL M04/41
2004
A summary of my experiences developing a proof-generating TAL type checker within the Open Verifier framework. In the style of Foundational PCC, the soundness of this verifier and the proofs it generates is based on no assumptions about the TAL type system. This was one of the first projects to consider the runtime performance of Foundational PCC-style verification.
I present the results of constructing a fully untrusted verifier for memory safety of Typed Assembly Language programs, using the Open Verifier architecture. The verifier is untrusted in the sense that its soundness depends only on axioms about the semantics of a concrete machine architecture, not on any axioms specific to a type system. This experiment served to evaluate both the expressiveness of the Open Verifier architecture and the quality of its support for simplifying the construction of verifiers. I discuss issues of proof generation that are generally not the focus of previous efforts for foundational checking of TAL, and I contrast with these past approaches the sort of logical formalization that is natural in the context of the Open Verifier. My approach is novel in that it uses direct reasoning about concrete machine states where past approaches have formalized typed abstract machines and proved their correspondence with concrete machines. I also describe a new approach to modeling higher-order functions that uses only first-order logic.
10 papers published at peer-reviewed scholarly conferences; 5 at workshops; 2 journal articles
Programming with Proof Assistants
invited webinar talk
Fast Cryptographic Code via Partial Evaluation
invited talk
Fiat Cryptography: A Formally Verified Compiler for Finite-Field Arithmetic
Lectures: From Type Theory to End-to-End Proof of Realistic Systems
Fiat Cryptography: A Formally Verified Compiler for Finite-Field Arithmetic
Correct-by-Construction Cryptography Without Performance Compromises
invited talk
Fiat Cryptography: A Code-Generation Approach to Correct-by-Construction Cryptography
invited talk
Correct-by-Construction Cryptographic Arithmetic in Coq
invited talk
Performance-Scaling Challenges in Formal Verification with Proof Assistants
invited talk
Proof Assistants at the Hardware-Software Interface
invited talk
https://youtu.be/GXXOyXeyKeY
Strong Formal Verification Across a Hardware-Software Stack with RISC-V
invited talk
Fast, Verified Partial Evaluation
Challenges Scaling Type-Theory-Based Verification to Cryptographic Code in Production
invited talk
Algorithmic Checking of Security Arguments for Microprocessors
Research with RISC-V at MIT CSAIL: Modular Design for Performance, Security, and Formal Verification
Never Again: Spectre-Proofing Chip Designs with End-to-End Formal Methods
https://www.youtube.com/watch?v=uIbPt1v6QKE
Mechanized Proofs of System Correctness in Production: Cryptography and Beyond
invited talk
Parametric Higher-Order Abstract Syntax in Fiat Cryptography
Interactive Proof and the Fall and Rise of the Standard Model of Functional-Program Execution
invited talk
Opportunities to Simplify Computer Systems via Formal Methods
How Formal-Methods Adoption Should Drive Changes to System Designs
Lectures: Implementing, specifying, verifying, and compiling hardware components with Kami
Verification Around the Hardware-Software Interface: Instruction Set, Processors, and Side Channels
Raising the Level of Abstraction in Systems Programming with Fiat and Extensible, Correct-by-Construction Compilers
invited talk
Kami: Modular Verification of Digital Hardware in Coq
Fiat Cryptography: Automatic Correct-by-Construction Generation of Low-Level Cryptographic Code
Coming Soon: Machine-Checked Mathematical Proofs in Everyday Software and Hardware Development
https://media.ccc.de/v/34c3-9105-coming_soon_machine-checked_mathematical_proofs_in_everyday_software_and_hardware_development
Fiat Cryptography: Automatic Correct-by-Construction Generation of Low-Level Cryptographic Code
Strong Formal Verification for RISC-V: From Instruction-Set Manual to RTL
https://www.youtube.com/watch?v=4DYVJdHMV5k
Lectures: Program-specific proof automation
The End of History? Using a Proof Assistant to Replace Language Design with Library Design
Fiat: A New Take on Domain-Specific Languages by Programming with Specifications
invited talk
Fiat: A New Perspective on Compiling Domain-Specific Languages in a Proof Assistant
invited talk
Rapid Development of Web Applications with Typed Metaprogramming in Ur/Web
invited talk
Bedrock & Fiat: Specifications and Proofs at the Center of a Programming Ecosystem
https://www.youtube.com/watch?v=jE0DY5pS-xY#t=127m4s
The Science of Deep Specification
http://deepspec.org/
panel
Fiat: Extensible Code Generation with Proofs
invited talk
Ur/Web: A Simple Model for Programming the Web
Lectures: Formal Proof for C-Like Programs
An Optimizing Compiler for a Purely Functional Web-Application Language
Phantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs
Lectures: The Coq Proof Assistant and Its Applications to Programming-Language Semantics
Bedrock: A Clean-Slate Platform for Developing Verified Software Inside a Proof Assistant
invited talk
From Network Interface to Multithreaded Web Applications: A Case Study in Modular Program Verification
Ur/Web: A Simple Model for Programming the Web
Proof Engineering: Implementation Challenges in Rigorously Verified Software
invited talk
Bedrock: A Software Development Ecosystem Inside a Proof Assistant
http://talks.cam.ac.uk/talk/index/56590
Correct-by-Construction Program Synthesis in Coq
invited talk
Ur/Web: A Simple Model for Programming the Web
Ur/Web: A Simple Model for Programming the Web
Bedrock: A Foundational Proof-Carrying Code Platform with Functional Correctness Proofs
invited talk
Ur/Web: Streamlined Web Apps via Fancy Types
invited talk
Ur/Web: Taking Syntax Seriously
invited talk
Adventures in Knot-Tying while Verifying a Thread Library in Coq
The Bedrock Structured Programming System: Combining Generative Metaprogramming and Hoare Logic in an Extensible Program Verifier
A Taste of Effective Coq Proof Automation
invited tutorial
http://adam.chlipala.net/popltut13/
Web Security via Types and Theorem-Proving in the Ur/Web Programming Language
Web Security via Types and Theorem-Proving in the Ur/Web Programming Language
Bedrock: Higher-Order and Automated Proofs about Low-Level Programs
invited talk
Ur/Web, a Domain-Specific Functional Programming Language for Modern Web Applications
Mostly-Automated Verification of Low-Level Programs in Computational Separation Logic
Ur/Web, a Domain-Specific Functional Programming Language for Modern Web Applications
Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications
Foundational Program Verification in Coq with Automated Proofs
invited tutorial
http://adam.chlipala.net/msfp10/
Ur/Web, a Domain-Specific Functional Programming Language for Modern Web Applications
Ur/Web: A Statically-Typed Language for Building Web Applications from Components
invited talk
A Bottom-Up Approach to Safe Low-Level Programming
invited talk
Generating Pieces of Web Applications with Type-Level Programming
Ur: Statically-Typed Metaprogramming with Type-Level Record Computation
Safe Database Abstractions with Type-Level Record Computation
invited talk
A Sane Approach to Modern Web Application Development
A Verified Compiler for an Impure Functional Language
Towards the Ultimate Web Application Framework, via Fancy Types
Syntactic Proofs of Compositional Compiler Correctness
Metaprogramming AJAX Apps with Static Types
http://www.impredicative.com/ur/defun09/
Engineering a Verified Functional Language Compiler
invited talk
Effective Interactive Proofs for Higher-Order Imperative Programs
Metaprogramming AJAX Apps with Static Types
Liberating Semi-Automated PL Proofs from Binder Bookkeeping
Liberating Semi-Automated PL Proofs from Binder Bookkeeping
Statically-Checked Metaprogramming for Web Applications
Parametric Higher-Order Abstract Syntax for Mechanized Semantics
Generic Programming and Proving for Programming Language Metatheory
A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language
A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language
A Certified Type-Preserving Compiler from Lambda Calculus to Assembly Language
Modular Development of Certified Program Verifiers with a Proof Assistant
Position Paper: Thoughts on Programming with Proof Assistants
Cooperative Integration of an Interactive Proof Assistant and an Automated Prover
Developing Sound Program Analysis Tools by Programming with Proofs
A Framework for Certified Program Analysis and Its Applications to Mobile-Code Safety
Proof-Carrying Verifiers
The <literal>Open Verifier</literal> Framework for Foundational Verifiers
CryptOpt: Verified Compilation with Random Program Search for Cryptographic Primitives
Pyrosome: A Framework for Modular, Extensible, Equivalence-Preserving Compilation
Omnisemantics: Smooth Handling of Nondeterminism
Omnisemantics: Smooth Handling of Nondeterminism
Automated Synthesis of Verified Firewalls
Formal methods for hardware-software integration on RISC-V embedded systems
Efficient and Verified Finite-Field Operations
Programming with Continuous Spaces
Phantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs
Composable Modular Atomicity
A Framework for Verifying Low-level Programs
8th High-Assurance Crypto Software Workshop
https://www.hacs-workshop.org/
March 2024
7th High-Assurance Crypto Software Workshop
https://www.hacs-workshop.org/
March 2023
6th High-Assurance Crypto Software Workshop
https://www.hacs-workshop.org/
April 2022
5th High-Assurance Crypto Software Workshop
https://www.hacs-workshop.org/
April 2021
4th High-Assurance Crypto Software Workshop
https://www.hacs-workshop.org/
January 2020
1st High Assurance Systems Engineering Workshop
https://hase-workshop.github.io/
January 2019
Microsoft Research Faculty Summit 2018
https://www.microsoft.com/en-us/research/event/faculty-summit-2018/
August 2018
3rd High-Assurance Crypto Software Workshop
https://www.hacs-workshop.org/
January 2018
SAP HANA TechDays
https://www.sap.com/products/hana.html
August 2017
Google Academic Security and Privacy Research Summit
https://sites.google.com/view/securitysummit2017/
June 2017
NII Shonan Seminar #98: Language integrated queries: towards standard logics for big data analytics
http://shonan.nii.ac.jp/seminar/seminardetails098/
May 2017
ISAT Workshop: Augmented Developers: Tools for Hybrid Man-Machine Software Engineering
February 2017
2nd High-Assurance Crypto Software Workshop
https://www.hacs-workshop.org/
January 2017
1st High-Assurance Crypto Software Workshop
https://www.hacs-workshop.org/
January 2016
2nd Core Infrastructure Workshop (Linux Foundation)
https://www.coreinfrastructure.org/
July 2015
Dagstuhl Seminar #15191: Compositional Verification Methods for Next-Generation Concurrency
http://www.dagstuhl.de/15191/
May 2015
1st Core Infrastructure Workshop (Linux Foundation)
https://www.coreinfrastructure.org/
January 2015
Dagstuhl Seminar #10351: Modelling, Controlling and Reasoning About State
http://www.dagstuhl.de/10351/
August 2010
Doctor of Philosophy (PhD) in Computer Science
PhD, MS, Computer Science
8
2003
9
2007
4.0
Master of Science (MS) in Computer Science
MS, Computer Science
12
2004
Bachelor of Science (BS) in Computer Science with a minor in Mathematical Sciences and University Honors
BS, Computer Science
8
2000
5
2003
4.0
High school diploma
9
1996
6
2000
Arthur J. Conner (1888) Professor of Computer Science
7
2024
Professor of Computer Science
7
2022
Associate Professor of Computer Science
7
2018
6
2022
Associate Professor without Tenure of Computer Science
7
2015
6
2018
Assistant Professor of Computer Science
7
2011
6
2015
Douglas T. Ross (1954) Career Development Professor of Software Technology
7
2012
6
2015
MIT
Postdoctoral Fellow
Harvard University
6
2008
6
2011
Led a reimplementation of the Ynot system, with a focus on proof automation
Research on cost-effective program verification
certified programming class, Harvard University
Instructor
9
2008
1
2009
OCaml Hacker
Jane Street Capital
9
2007
4
2008
Graduate Student Researcher
UC Berkeley CS Division
9
2003
8
2007
Investigated implementation of program verification tools with proofs of correctness, using dependent types in the Coq proof assistant
Implemented infrastructure for the Open Verifier and Certified Program Verifiers systems
Developed untrusted plug-ins for memory safety of x86 Typed Assembly Language for those systems, including soundness proofs in the Coq proof assistant
computer theorem proving class, UC Berkeley CS Division
Instructor
8
2006
12
2006
Microsoft Research Redmond
Research Intern
6
2005
8
2005
Designed and implemented an extensible bytecode verifier based on linear logic, and used this verifier to check properties such as manual memory management and message-passing protocols for untrusted process code in the Singularity operating system
Graduate Student Instructor
1
2005
5
2005
Ran discussion sections
Graded weekly homework assignments
Held office hours
Graduate Student Researcher
6
2003
8
2003
Implemented processing for an intuitive language for specifying safety properties of C programs to be verified by the BLAST model checker
Implemented context-free reachability to extend BLAST to verify recursive programs
CMU CS Department
Research Assistant
6
2002
5
2003
Implemented improvements to the mid-level intermediate language of the TILT compiler, along with assorted optimizations
Studied the problem of efficient type-checking of ML-like intermediate languages in flattened forms analogous to traditional compiler intermediate languages
ML programming class, CMU CS Department
Teaching Assistant
1
2002
5
2002
Taught a weekly recitation section
Created homework assignments and exam questions
Held weekly office hours
Graded assignments and exams
Intern/Software Developer
6
2001
8
2001
Developed a database-driven intranet web site to facilitate technology transfer between research and development
Trifecta Technologies
Software Developer
1998
2000
Designed and coded business and presentation logic for electronic commerce web sites using IBM WebSphere Commerce Suite
Annual "Humies" Awards For Human-Competitive Results Produced By Genetic And Evolutionary Computation (Gold Award)
https://www.human-competitive.org/
2023
PLDI Distinguished Reviewer Award
https://pldi23.sigplan.org/
2023
Burgess (1952) & Elizabeth Jamieson Prize for Excellence in Teaching
2023
ACM Distinguished Member
https://awards.acm.org/distinguished-members
2019
Ruth and Joel Spira Award for Excellence in Teaching
https://engineering.mit.edu/faculty-research/faculty-awards/teaching-awards/
2019
Most Influential ICFP Paper Award
http://www.sigplan.org/Awards/ICFP/
2018
ACM Senior Member
https://awards.acm.org/senior-members
2016
National Science Foundation CAREER Award
http://www.nsf.gov/awardsearch/showAward?AWD_ID=1253229
2012
National Defense Science and Engineering Graduate Fellowship
https://www.ndsegfellowships.org/
2004
National Science Foundation Graduate Research Fellowship
http://www.nsfgrfp.org/
2004
California Microelectronics Fellowship
8
2003
5
2004
Phi Kappa Phi
http://www.phikappaphi.org/
Phi Beta Kappa
http://www.pbk.org/
National Science Foundation Graduate Research Fellowship
http://www.nsfgrfp.org/
2003
Andrew Carnegie Scholarship
http://my.cmu.edu/site/admission/menuitem.18c40008673813c019300710d4a02008/
8
2000
5
2003
Summer School on Software Security: Theory to Practice
http://www.cs.uoregon.edu/Activities/summerschool/summer04/
6
2004
Ur/Web, a domain-specific programming language design and implementation supporting metaprogramming of web applications with strong static guarantees
Cooperative Internet hosting tools, including DomTool, a domain-specific language in support of shared UNIX system configuration by mutually-untrusting users
Dynamic web site tools for Standard ML, including separately usable libraries for accessing SQL databases
Founder of HCoop, Inc., a democratically run Internet hosting cooperative
Main administrator and organizer, Teen Programmers Unite, 1997-2001
ML, Coq, C
F#, Java, SQL, x86 and Z80 assembly languages
Haskell, C++, XSLT
Twelf, Scheme, Common Lisp, Prolog, C#, Visual Basic, UNIX shell scripting, Perl
Apache, djbdns, Courier IMAP, Exim, Mailman, SpamAssassin
FMitF: Track I: Formally Verified Programmable Network Switches
NSF FMitF
PI
Collaborative Research: SHF: Medium: High-Performance, Verified Accelerator Programming
NSF CCF
PI
PPoSS: LARGE: Intel: Combining Learning and Formal Verification for Scalable Machine Programming (ScaMP)
NSF PPoSS (with Intel)
co-PI
SaTC: CORE: Small: Scaling Correct-by-Construction Code Generation for Cryptography
NSF SaTC
PI
SaTC: CORE: Medium: Provably Secure, Usable, and Performant Enclaves in Multicore Processors
NSF SaTC
co-PI
Tools for Correct-by-Construction Hardware and Software in Critical Systems
Sandia National Laboratories
ACHILLES: Assured CryptograpHic Integration of muLtiple Languages for Encrypted Systems
IARPA HECTOR program
co-PI for sub
The Hardware Security Compiler: A Rapid-Development Workflow with End-to-End Formal Verification
DARPA SSITH program
PI for prime
FMitF: Verifying Concurrent System Software with Cspec
NSF CCF
co-PI
SaTC: CORE: Small: verifying security for data non-interference
NSF CNS
co-PI
Correct-by-Construction and Automatic Generation of Elliptic Curve Cryptography Primitives
Google Research Award
CSR: Medium: A High-Performance Certified File System and Applications
NSF CNS
co-PI
RINGS: Regenerative, INtent-Guided Systems
DARPA BRASS program
PI for sub
Collaborative Research: Expeditions in Computing: The Science of Deep Specification
NSF Expeditions in Computing
PI for MIT
SHF: Medium: Fiat: Correct-by-Construction and Mostly Automated Derivation of Programs with an Interactive Theorem Prover
NSF CCF
PI
A Trust Anchor Secure Language via the Bedrock Platform
Google ATAP Trust Anchor program
PI
Cybersecurity project
QCRI-CSAIL joint program
CAREER: A Formal Verification Platform Focused on Programmer Productivity
NSF CCF
PI
SHF: Small: Capitalizing on First-Class SQL Support in the Ur/Web Programming Language
NSF CCF
PI
CAP^{3}: A Computer Aided Performance Programming Platform
DoE X-Stack program
co-PI
CARS: A Platform for Scaling Formal Verification to Component-Based Vehicular Software Stacks
DARPA HACMS program
PI for sub
Safe but Unsandboxed Native Code in the Browser
Google Research Award