Adam Chlipala

Cambridge, MA USA adamc@hcoop.net http://adam.chlipala.net/

Cambridge, MA adamc@hcoop.net; http://adam.chlipala.net/ Not currently seeking employment Dependent type systems; interactive theorem proving; type-based programming methodologies that integrate programming with correctness proofs Program verification; language-based security; proof-carrying code; typed assembly language; model checking; formal methods for low-level software Design and implementation of declarative programming languages; type systems and logics; functional programming Automated deduction; interactive proof assistants Computer theorem proving Certified type-preserving compilers http://ltamer.sf.net/ Certified machine code safety analysis http://proofos.sf.net/ Design, implementation, and analysis of functional programming languages Statically-typed metaprogramming for web apps http://laconic.sf.net/ Static types for system configuration http://wiki.hcoop.net/DomTool American citizen January February March April May June July August September October November December Adam Chlipala http://adam.chlipala.net/ Evan Chang Bor-Yuh Evan Chang http://www.cs.berkeley.edu/~bec/ Dirk Beyer http://mtc.epfl.ch/~beyer/ Karl Crary http://www.cs.cmu.edu/~crary/ Greg Morrisett http://www.eecs.harvard.edu/~greg/ Ranjit Jhala http://www.cse.ucsd.edu/~rjhala/ Leaf Petersen http://www.cs.cmu.edu/~leaf/ Brian Lucena http://www.aucegypt.edu/faculty/lucena/ Manuel Fahndrich http://research.microsoft.com/~maf/ Michael Erdmann http://www.cs.cmu.edu/~me/ George Necula George C. Necula http://www.cs.berkeley.edu/~necula/ Rupak Majumdar http://www.cs.ucla.edu/~rupak/ Robert Harper http://www.cs.cmu.edu/~rwh/ Robert Schneck Robert R. Schneck http://math.berkeley.edu/~schneck/ Thomas Henzinger http://mtc.epfl.ch/~tah/ Jeannette Wing http://www.cs.cmu.edu/~wing/ Avaya Communication Avaya Holmdel NJ http://www.avaya.com/ Carnegie Mellon University Pittsburgh PA http://www.cmu.edu/ Computer Science Department http://www.cs.cmu.edu/ 15-212: Principles of Programming (introduction to formal reasoning about programs and functional programming with Standard ML) 15-212 http://www.cs.cmu.edu/~me/courses/212/ The TILT type-directed Standard ML compiler project TILT http://www.cs.cornell.edu/home/jgm/tilt.html IEEE Computer Society Press IEEE http://www.ieee.org/ Cambridge University Press CUP http://www.cambridge.org/ Harvard University Harvard Cambridge MA http://www.harvard.edu/ School of Engineering and Applied Sciences http://www.seas.harvard.edu/ COMPSCI 252: Certified Programming with Dependent Types CS252 http://www.cs.harvard.edu/~adamc/cpdt/ Microsoft Research MSR http://research.microsoft.com/ Software Productivity Tools group Redmond WA SPT The Singularity project Singularity http://research.microsoft.com/os/singularity/ University of Oregon http://www.uoregon.edu/ Trifecta Technologies Trifecta Allentown PA http://www.trifecta.com/ University of California, Berkeley Berkeley http://www.berkeley.edu/ Electrical Engineering and Computer Science Department EECS http://www.eecs.berkeley.edu/ Computer Science Division CS http://www.cs.berkeley.edu/ The BLAST project http://www.cs.ucla.edu/~rupak/blast/ BLAST CS172: Computability and Complexity http://inst.eecs.berkeley.edu/~cs172/sp05/ CS172 The Open Verifier project Open Verifier CS294-9: Interactive Computer Theorem Proving CS294-9 http://adam.chlipala.net/itp/ UC Berkeley EECS Department http://www.eecs.berkeley.edu/ Emmaus High School Emmaus, PA http://www.eastpenn.k12.pa.us/ehs/ ACM http://www.acm.org/ IEEE http://www.ieee.org/ Springer-Verlag http://www.springer.de/comp/lncs Jane Street Capital Jane Street Capital http://www.janestcapital.com/ 26th International Conference on Software Engineering ICSE'04 http://www.icse-conferences.org/2004/index.html 2004 Edinburgh, Scotland 11th Static Analysis Symposium SAS'04 http://profs.sci.univr.it/~sas04/ 2004 Verona, Italy 9th ACM SIGPLAN International Conference on Functional Programming ICFP'04 http://www.cs.indiana.edu/icfp04/ Snowbird, Utah, USA 2004 2nd ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'05 http://research.microsoft.com/~maf/tldi05/ 2005 Long Beach, California, USA 12th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning http://www.lpar.net/2005/ LPAR'05 Montego Bay, Jamaica 2005 7th International Conference on Verification, Model Checking, and Abstract Interpretation http://www.informatik.uni-trier.de/~ley/db/conf/vmcai/vmcai2006.html VMCAI'06 2006 Charleston, South Carolina, USA 21st Annual IEEE Symposium on Logic in Computer Science http://www.easychair.org/FLoC-06/LICS.html LICS'06 2006 Seattle, Washington, USA 11th ACM SIGPLAN International Conference on Functional Programming http://icfp06.cs.uchicago.edu/ ICFP'06 2006 Portland, Oregon, USA 4th ASIAN Symposium on Programming Languages and Systems http://www.kb.ecei.tohoku.ac.jp/aplas2006/ APLAS'06 2006 Sydney, Australia International Workshop on Proof-Carrying Code http://www.cs.stevens.edu/~abc/PCC-Workshop.html PCC'06 2006 Seattle, Washington, USA 6th International Workshop on Strategies in Automated Deduction http://www.easychair.org/FLoC-06/Strategies.html STRATEGIES'06 2006 Seattle, Washington, USA Programming Languages meets Program Verification Workshop http://www.easychair.org/FLoC-06/PLPV.html PLPV'06 2006 Seattle, Washington, USA 3nd ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'07 http://www.cs.berkeley.edu/~necula/tldi07/ 2007 Nice, France ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation PLDI'07 http://ties.ucsd.edu/PLDI/ 2007 San Diego, California, USA 2005 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.cs.berkeley.edu/~bodik/OSQ05.htm 2005 2006 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.cs.berkeley.edu/~bodik/OSQ06.htm 2006 2007 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.eecs.berkeley.edu/~sseshia/OSQ07.htm 2007 Projet Gallium seminar http://www-c.inria.fr/Internet/rendez-vous/seminaires-des-equipes-de-recherche/a-certified-type-preserving-compiler-from-lambda-calculus-to-assembly-language 2007 The 18th International Conference on Term Rewriting and Applications RTA'07 http://www.lsv.ens-cachan.fr/rdp07/rta.html 2007 Paris, France The 2nd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory WMM'07 http://www.cis.upenn.edu/~sweirich/wmm/ Freiburg, Germany 2007 The 35th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'08 http://www.cs.ucsd.edu/popl/08/ 2008 San Francisco, California, USA The 9th International Conference on Verification, Model Checking and Abstract Interpretation VMCAI'08 http://www.cs.uic.edu/vmcai08/ 2008 San Francisco, California, USA ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation PLDI'08 http://pldi2008.cs.ucr.edu/ 2008 Tucson, Arizona, USA 3rd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory WMM'08 http://www.cis.upenn.edu/~sweirich/wmm/wmm08.html 2008 Victoria, British Columbia, Canada 13th ACM SIGPLAN International Conference on Functional Programming ICFP'08 http://www.icfpconference.org/icfp2008/ 2008 Victoria, British Columbia, Canada The 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'09 http://www.cs.ucsd.edu/popl/09/ 2009 Savannah, Georgia, USA 4th ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'09 http://ttic.uchicago.edu/~amal/tldi2009/ 2009 Savannah, Georgia, USA 18th European Symposium on Programming ESOP'09 http://esop09.pps.jussieu.fr/ 2009 York, United Kingdom 21st New England Programming Languages and Systems Symposium NEPLS 21 http://www.nepls.org/Events/21/ 2008 Cambridge, MA, USA 2008 TYPES Meeting TYPES'08 http://types2008.di.unito.it/ 2008 Torino, Italy Journal of Functional Programming JFP http://journals.cambridge.org/jid_JFP I was the main administrator and general head honcho from about 1997 to 2001 for Teen Programmers Unite, the first Internet organization for young programmers. I first became interested in programming language technology at age 15, when I wrote an ANSI C compiler targeting Texas Instruments graphing calculators. Working as a programmer at a small Web development company during high school, I had the chance to write most of the custom code that drove the Web political campaign donation system used by Senator John McCain in his 2000 bid for the presidency, among others. After his announcement of the URL on national television, our system successfully collected \$6.4 million in donations without any serious technical difficulties, surprisingly enough. Throughout high school, I worked on a novel virtual machine system and its development tools, including another C compiler. The bytecode language supported an unusual method for distributed execution of programs where opcode-level annotations directed different instructions to execute on different machines. I used this system to implement a shared 3D virtual world environment, with object behavior controlled by bytecode programs. I did my undergraduate education in computer science at Carnegie Mellon University. There I learned about functional programming and became a big fan of the ML family of programming languages, which I've used in almost all of my official and side projects since then. I worked as a teaching assistant for an ML programming class and as a research assistant in a project developing a novel ML compiler. In 2002, I founded HCoop, the first democratically-run, public Internet hosting cooperative. Since we incorporated in 2004 as a U.S. non-profit, tax exempt corporation, I've served as the elected president of the co-op. I'm also responsible for developing new software infrastructure to support our unusual model of giving mutually-untrusting members ``almost free reign'' on shared servers. This has included developing a distributed system configuration system called DomTool, whose latest version is based on the use of a new statically-typed, purely functional programming language to express member configuration settings, such that the language's static type system is expressive enough to rule out most potential security policy violations. The co-op recently passed the 100 member mark after expanding almost entirely through word of mouth, and we hope to begin a wide advertising campaign in the coming months after moving our latest set of servers into new colocation space. I entered the computer science PhD program at UC Berkeley in 2003, starting out working on research projects in software model checking and proof-carrying code. These led me to discover the world of interactive computer theorem proving, which has been the focus of my research since then. In particular, I've been lucky enough to get in on the ground floor of the ``new renaissance'' in formal verification of deep correctness properties of real programs. Advances in theorem proving methods and hardware capacity have quite recently made it reasonable to move past the bad reputation that formal verification was left with in the 1980's. My recent projects have been in the design and implementation of infrastructures for building certified machine code safety analyzers and certified compilers for high-level programming languages. I worked as a research intern at Microsoft Research in summer 2005. I was part of the Singularity project, which is re-thinking operating system design with security and reliability in mind by writing almost all OS code in C#. I implemented the first bytecode verifier for Singularity applications that is able to check the key static properties that Singularity's security depends on, including adherence to message-passing channel communication protocols and proper manual memory management of a shared heap area. In Fall 2006, I taught a graduate course at Berkeley on interactive computer theorem proving, focusing on highlighting practical applications outside pure math and on the engineering issues of effective proof construction. I have a long-standing interest in programming language technology for Web development. I developed the smlweb Web programming language, which today drives HCoop's member support portal. I like to describe it as a re-envisioning of PHP based on the Standard ML programming language, supporting static type checking. More recently, I created a prototype implementation of a language called Laconic, which uses ideas from theorem proving to support the construction of sophisticated Web applications that can be checked statically for the absence of failures across entire client-server interaction sessions.

A new trick for encoding variable binders in Coq, along with an exploration of its consequences: almost trivial syntax and type-theoretic semantics for languages including such features as polymorphism and complicated binding structure (e.g., ML-style pattern matching); almost trivial type preservation proofs for compiler passes that don't need intensional analysis of variables; mostly-automated semantic correctness proofs about those passes, by way of adding an axiom to make the parametricity of CIC usable explicitly in proofs; and the ability to drop down to more traditional syntactic representations for more arduous but feasible proofs of the same properties, when intensional variable analysis is needed.

We present parametric higher-order abstract syntax (PHOAS), a new approach to formalizing the syntax of programming languages in computer proof assistants based on type theory. Like higher-order abstract syntax (HOAS), PHOAS uses the meta language's binding constructs to represent the object language's binding constructs. Unlike HOAS, PHOAS types are definable in general-purpose type theories that support traditional functional programming, like Coq's Calculus of Inductive Constructions. We walk through how Coq can be used to develop certified, executable program transformations over several statically-typed functional programming languages formalized with PHOAS; that is, each transformation has a machine-checked proof of type preservation and semantic preservation. Our examples include CPS translation and closure conversion for simply-typed lambda calculus, CPS translation for System F, and translation from a language with ML-style pattern matching to a simpler language with no variable-arity binding constructs. By avoiding the syntactic hassle associated with first-order representation techniques, we achieve a very high degree of proof automation. Software/proof source code and documentation Slides are available from my ICFP talk in OpenOffice and PDF formats.

A compiler for a tiny statically-typed functional programming language, implemented in Coq with a proof of correctness. The main interesting bits are my use of dependently-typed abstract syntax and denotational semantics, along with some engineering tricks for making the task manageable.

We present a certified compiler from the simply-typed lambda calculus to assembly language. The compiler is certified in the sense that it comes with a machine-checked proof of semantics preservation, performed with the Coq proof assistant. The compiler and the terms of its several intermediate languages are given dependent types that guarantee that only well-typed programs are representable. Thus, type preservation for each compiler pass follows without any significant "proofs" of the usual kind. Semantics preservation is proved based on denotational semantics assigned to the intermediate languages. We demonstrate how working with a type-preserving compiler enables type-directed proof search to discharge large parts of our proof obligations automatically. Software/proof source code and documentation Slides are available from my PLDI talk in OpenOffice and PDF formats. Slides are also available from a talk I gave at the Projet Gallium seminar at INRIA Rocquencourt, in OpenOffice and PDF formats.

I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.

I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product. Software/proof source code and documentation Talk slides available in OpenOffice and PDF formats.

We propose a new technique in support of the construction of efficient Foundational Proof-Carrying Code systems. Instead of suggesting that pieces of mobile code come with proofs of their safety, we instead suggest that they come with executable verifiers that can attest to their safety, as in our previous work on the Open Verifier. However, in constrast to that previous work, here we do away with any runtime proof generation by these verifiers. Instead, we require that the verifier itself is proved sound. To support this, we present a novel technique for extracting proof obligations about ML programs. Using this approach, we are able to demonstrate the first foundational verification technique for Typed Assembly Language with performance comparable to that of the traditional, uncertified TAL type checker.

A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation. We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code. Talk slides available in OpenOffice and PDF formats.

We describe how to use the BLAST model checker to generate program test suites that achieve full coverage with respect to a given set of predicates.

We have extended the software model checker Blast to automatically generate test suites that guarantee full coverage with respect to a given predicate. More precisely, given a C program and a target predicate p, Blast determines the set L of program locations which program execution can reach with p true, and automatically generates a set of test vectors that exhibit the truth of p at all locations in L. We have used Blast to generate test suites and to detect dead code in C programs with up to 30K lines of code. The analysis and test-vector generation is fully automatic (no user intervention) and exact (no false positives).

Extended version of my ICFP'06 paper

Extended version of my ICFP'06 paper I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checked proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of the development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.

Some thoughts on how Coq is actually in pretty good shape to use today for non-trivial programming with dependent types

Today the reigning opinion about computer proof assistants based on constructive logic (even from some of the developers of these tools!) is that, while they are very helpful for doing math, they are an absurdly heavy-weight solution to use for practical programming. Yet the Curry-Howard isomorphism foundation of proof assistants like Coq gives them clear interpretations as programming environments. My purpose in this position paper is to make the general claim that Coq is already quite useful today for non-trivial certified programming tasks, as well as to highlight some reasons why you might want to consider using it as a base for your next project in dependently-typed programming. Talk slides available in OpenOffice and PDF formats.

We show how to combine the interactive proof assistant Coq and the Nelson-Oppen-style automated first-order theorem prover Kettle in a synergistic way. We do this with a Kettle tactic for Coq that uses theory-specific reasoning to simplify goals based on automatically chosen case analyses, returning to the user as subgoals the cases it couldn't prove automatically. The process can then be repeated recursively, using Coq's tactical language as a very expressive extension of the matching strategies found in provers like Simplify. We also discuss how to encode specialized first-order proofs efficiently in Coq using proof by reflection.

We propose a mechanism for semi-automated proving of theorems, using a tactic for the Coq proof assistant that consults a proof-generating Nelson-Oppen-style automated prover. Instead of simply proving or failing to prove a goal, our tactic decides on relevant case splits using theory-specific axioms, proves some of the resulting cases, and returns the remainder to the Coq user as subgoals. These subgoals can then be proved using inductions and lemma instantiations that are beyond the capabilities of the automated prover. We show that the Coq tactic language provides an excellent way to script this process to an extent not supported by current Nelson-Oppen provers. Like with any Coq proof, a separately checkable proof term in a core calculus is produced at the end of any successful proving session where our method is used, and we take advantage of the ``proof by reflection'' technique to translate the specialized first-order proofs of the automated prover into compact Coq representations. Talk slides available in OpenOffice and PDF formats.

We propose a new framework for the construction of trustworthy program verifiers. The Open Verifier architecture can be viewed as an optimized Foundational Proof-Carrying Code toolkit. Instead of proposing that code producers send proofs of safety with all of their programs, we instead suggest that they send re-usable proof-generating verifiers. The proofs are generated in an online fashion via a novel interaction scheme between the untrusted verifier and the trusted core of the system.

We present the Open Verifier approach for verifying untrusted code using customized verifiers. This approach can be viewed as an instance of foundational proof-carrying code where an untrusted program can be checked using the verifier most natural for it instead of using a single generic type system. In this paper we focus on a specialized architecture designed to reduce the burden of expressing both type-based and Hoare-style verifiers. A new verifier is created by providing an untrusted executable extension module, which can incorporate directly pre-existing non-foundational verifiers based on dataflow analysis or type checking. The extensions control virtually all aspects of the verification by carrying on a dialogue with the Open Verifier using a language designed both to correspond closely to common verification actions and to carry simple adequacy proofs for those actions. We prove the soundness of the framework, and we describe our experience implementing proof-carrying code, typed assembly language, and dataflow or abstract interpretation based verifiers in this unified setting.

A new approach to checking assembly programs in a way similar to that used in the Java Bytecode Verifier. We introduce a novel mixed type/value technique that makes it tractable to deal with some of the "dependent typing" issues that come up. We also present results on using this technique to help students in an undergraduate compilers class debug their class projects.

It is a common belief that certifying compilation, which typically verifies the well-typedness of compiler output, can be an effective mechanism for compiler debugging, in addition to ensuring basic safety properties. Bytecode verification is a fairly simple example of this approach and derives its simplicity in part by compiling to carefully crafted high-level bytecodes. In this paper, we seek to push this method to native assembly code, while maintaining much of the simplicity of bytecode verification. Furthermore, we wish to provide experimental confirmation that such a tool can be accessible and effective for compiler debugging. To achieve these goals, we present a type-based data-flow analysis or abstract interpretation for assembly code compiled from a Java-like language, and evaluate its bug-finding efficacy on a large set of student compilers.

We present a type system that is useful in saving type annotation space in intermediate language terms expressed in the restricted form called "A-normal form" or "one-half CPS." Our approach imports ideas from strict logic, which is based on the idea of hypotheses that must be used at least once. The resulting system is relevant to the efficiency of type-preserving compilers.

Completely annotated lambda terms (such as are arrived at via the straightforward encodings of various types from System F) contain much redundant type information. Consequently, the completely annotated forms are almost never used in practice, since partially annotated forms can be defined which still allow syntax directed typechecking. An additional optimization that is used in some proof and type systems is to take advantage of the context of occurrence of terms to further elide type information using bi-directional typechecking rules. While this technique is generally effective, we show that there exist bi-directional terms which exhibit asymptotic increases in the size of their type decorations when sequentialized into a named-form calculus (a common first step in compilation). In this paper, we introduce a refinement of the bi-directional type system based on strict logic which allows additional type decorations to be eliminated, and show that it is well-behaved under sequentialization.

A poster about certified program verifiers in Coq

Abstract about a poster on certified program verifiers in Coq You can download the poster in OpenOffice or PDF format.

We describe a system that combines security automaton-based program specification with a facility for relational-style queries about the possible execution paths of a program.

Blast is an automatic verification tool for checking temporal safety properties of C programs. Blast is based on lazy predicate abstraction driven by interpolation-based predicate discovery. In this paper, we present the Blast specification language. The language specifies program properties at two levels of precision. At the lower level, monitor automata are used to specify temporal safety properties of program executions (traces). At the higher level, relational reachability queries over program locations are used to combine lower-level trace properties. The two-level specification language can be used to break down a verification task into several independent calls of the model-checking engine. In this way, each call to the model checker may have to analyze only part of the program, or part of the specification, and may thus succeed in a reduction of the number of predicates needed for the analysis. In addition, the two-level specification language provides a means for structuring and maintaining specifications. UCB/EECS-2007-147 2007

How to do dependently-typed generation of proofs about programming language syntax and semantics

We present a system for both the generic programming of operations that work over classes of tree-structured data types and the automatic generation of formal type-theoretical proofs about such operations. The system is implemented in the Coq proof assistant, using dependent types to validate code and proof generation statically, quantified over all possible input data types. We focus on generic programming of variable-manipulating operations, such as substitution and free variable set calculation, over abstract syntax tree types implemented as GADTs that combine syntax and typing rules. By accompanying these operations with generic lemmas about their interactions, we significantly ease the burden of formalizing programming language metatheory. Our implementation strategy, based on proof by reflection, requires users to trust none of its associated code to be able to trust in the validity of theorems derived with it. Slides are available from a talk I gave at WMM'07, in OpenOffice and PDF formats. UCB/EECS-2007-113 2007

My PhD dissertation, re-presenting the work on certified program verifiers (from ICFP'06) and certified compilers (from PLDI'07)

I present two case studies supporting the assertion that type-based methods enable effective certified programming. By certified programming, I mean the development of software with formal, machine-checked total correctness proofs. While the classical formal methods domain is most commonly concerned with after-the-fact verification of programs written in a traditional way, I explore an alternative technique, based on using dependent types to integrate correctness proving with programming. I have chosen the Coq proof assistant as the vehicle for these experiments. Throughout this dissertation, I draw attention to features of formal theorem proving tools based on dependent type theory that make such tools superior choices for certified programming, compared to their competition. In the first case study, I present techniques for constructing certified program verifiers. I present a Coq toolkit for building foundational memory safety verifiers for x86 machine code. The implementation uses rich specification types to mix behavioral requirements with the traditional types of functions, and I mix standard programming practice with tactic-based interactive theorem proving to implement programs of these types. I decompose verifier implementations into libraries of components, where each component is implemented as a functor that transforms a verifier at one level of abstraction into a verifier at a lower level. I use the toolkit to assemble a verifier for programs that use algebraic datatypes using only several hundred lines of code specific to its type system. The second case study presents work in certified compilers. I focus in particular on type-preserving compilation, where source-level type information is preserved through several statically-typed intermediate languages and used at runtime for such purposes as guiding a garbage collector. I suggest a novel approach to mechanizing the semantics of programming languages, based on dependently-typed abstract syntax and denotational semantics. I use this approach to certify a compiler from simply-typed lambda calculus to an idealized assembly language that interfaces with a garbage collector through tables listing the appropriate root registers for different program points. Significant parts of the proof effort are automated using type-driven heuristics. I also present a generic programming system for automating construction of syntactic helper functions and their correctness proofs, based on an implementation technique called proof by reflection. UCB/EECS-2006-120 2006

An overview of a work-in-progress functional programming language that puts dependent types and theorem proving to work to make it easier to write concise and maintainable web applications

I introduce a new functional programming language, called Laconic/Web, for rapid development of web applications. Its strong static type system guarantees that entire sequences of interaction with these applications ``can't go wrong.'' Moreover, a higher-order dependent type system is used to enable statically-checked metaprogramming. In contrast to most dependently-typed programming languages, Laconic/Web can be used by programmers with no knowledge of proof theory. Instead, more expert developers develop libraries that extend the Laconic/Web type checker with type rewrite rules that have proofs of soundness. I compare Laconic/Web against Ruby on Rails, the most well-known representative of a popular class of Web application frameworks based around dynamic languages and runtime reflection, and show that my approach leads both to more concise programs and to better runtime efficiency. Project web site UCB/ERL M05/32 2005

This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples.

A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation. We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code. This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples. MS Project Report UCB/ERL M04/41 2004

A summary of my experiences developing a proof-generating TAL type checker within the Open Verifier framework. In the style of Foundational PCC, the soundness of this verifier and the proofs it generates is based on no assumptions about the TAL type system. This was one of the first projects to consider the runtime performance of Foundational PCC-style verification.

I present the results of constructing a fully untrusted verifier for memory safety of Typed Assembly Language programs, using the Open Verifier architecture. The verifier is untrusted in the sense that its soundness depends only on axioms about the semantics of a concrete machine architecture, not on any axioms specific to a type system. This experiment served to evaluate both the expressiveness of the Open Verifier architecture and the quality of its support for simplifying the construction of verifiers. I discuss issues of proof generation that are generally not the focus of previous efforts for foundational checking of TAL, and I contrast with these past approaches the sort of logical formalization that is natural in the context of the Open Verifier. My approach is novel in that it uses direct reasoning about concrete machine states where past approaches have formalized typed abstract machines and proved their correspondence with concrete machines. I also describe a new approach to modeling higher-order functions that uses only first-order logic. 5 papers published at peer-reviewed scholarly conferences; 5 at workshops; 1 journal article Doctor of Philosophy (PhD) in Computer Science PhD, MS, Computer Science 8 2003 9 2007 4.0 Master of Science (MS) in Computer Science MS, Computer Science 12 2004 Bachelor of Science (BS) in Computer Science with a minor in Mathematical Sciences and University Honors BS, Computer Science 8 2000 5 2003 4.0 High school diploma 9 1996 6 2000 Harvard University 6 2008 certified programming class, Harvard School of Engineering and Applied Sciences 9 2008 1 2009 Jane Street Capital 9 2007 4 2008 UC Berkeley CS Division 9 2003 8 2007 Investigating implementation of program verification tools with proofs of correctness, using dependent types in the Coq proof assistant Implemented infrastructure for the Open Verifier and Certified Program Verifiers systems Developed untrusted plug-ins for memory safety of x86 Typed Assembly Language for those systems, including soundness proofs in the Coq proof assistant computer theorem proving class, UC Berkeley CS Division 8 2006 12 2006 Microsoft Research Redmond 6 2005 8 2005 Designed and implemented an extensible bytecode verifier based on linear logic, and used this verifier to check properties such as manual memory management and message-passing protocols for untrusted process code in the Singularity operating system 1 2005 5 2005 Ran discussion sections Graded weekly homework assignments Held office hours 6 2003 8 2003 Implemented processing for an intuitive language for specifying safety properties of C programs to be verified by the BLAST model checker Implemented context-free reachability to extend BLAST to verify recursive programs CMU CS Department 6 2002 5 2003 Implemented improvements to the mid-level intermediate language of the TILT compiler, along with assorted optimizations Studied the problem of efficient type-checking of ML-like intermediate languages in flattened forms analogous to traditional compiler intermediate languages ML programming class, CMU CS Department 1 2002 5 2002 Taught a weekly recitation section Created homework assignments and exam questions Held weekly office hours Graded assignments and exams 6 2001 8 2001 Developed a database-driven intranet web site to facilitate technology transfer between research and development Trifecta Technologies 1998 2000 Designed and coded business and presentation logic for electronic commerce web sites using IBM WebSphere Commerce Suite National Defense Science and Engineering Graduate Fellowship http://www.asee.org/ndseg/ 2004 National Science Foundation Graduate Research Fellowship http://www.nsfgradfellows.org/ 2004 California Microelectronics Fellowship http://www.ucop.edu/research/micro/fellows.html 8 2003 5 2004 Phi Kappa Phi http://www.phikappaphi.org/ Phi Beta Kappa http://www.pbk.org/ National Science Foundation Graduate Research Fellowship http://www.nsfgradfellows.org/ 2003 Andrew Carnegie Scholarship http://my.cmu.edu/site/admission/menuitem.18c40008673813c019300710d4a02008/ 8 2000 5 2003 Summer School on Software Security: Theory to Practice http://www.cs.uoregon.edu/activities/summerschool/summer04/ 6 2004 Ur/Web, a prototype domain-specific programming language design and implementation supporting metaprogramming of web applications with strong static guarantees Cooperative Internet hosting tools, including DomTool, a domain-specific language in support of shared UNIX system configuration by mutually-untrusting users Dynamic web site tools for Standard ML, including separately usable libraries for accessing SQL databases Founder and chief software developer of HCoop, Inc., a democratically-run Internet hosting cooperative Black belt in Karate (no longer training) ML, Coq, C F#, Java, SQL, x86 and Z80 assembly languages Haskell, C++, XSLT Twelf, Scheme, Common Lisp, Prolog, C#, Visual Basic, UNIX shell scripting, Perl Apache, djbdns, Courier IMAP, Exim, Mailman, SpamAssassin