Adam Chlipala

Cambridge, MA USA adamc@csail.mit.edu http://adam.chlipala.net/

Cambridge, MA adam@chlipala.net; http://adam.chlipala.net/ http://adam.chlipala.net/cv.html Not currently seeking employment Design and implementation of computer systems supporting programmer productivity, correctness, security, and performance (including compilers, computer architecture, cryptography, databases, and operating systems) Design, implementation, and applications of interactive proof assistants Programming languages (broadly construed to include all development tools) and formal methods (for software and hardware) Computer theorem proving Certified type-preserving compilers http://ltamer.sf.net/ Verifying imperative programs http://ynot.cs.harvard.edu/ Design, implementation, and analysis of functional programming languages Statically typed metaprogramming for web apps http://www.impredicative.com/ur/ Static types for system configuration http://wiki.hcoop.net/DomTool American citizen January February March April May June July August September October November December Andrew Wright https://www.rle.mit.edu/isg/people_andy_wright.htm Adam Chlipala http://adam.chlipala.net/ Alex Konradi https://www.linkedin.com/in/alex-konradi-89604081/ Alice Lee https://www.linkedin.com/in/alicerlee Anders Kaseorg https://github.com/andersk Andres Erbsen https://andres.systems/ Antonis Stampoulis http://astampoulis.github.com/ Arthur Charguéraud https://www.chargueraud.org/ Andrew W. Appel https://www.cs.princeton.edu/~appel/ Arvind http://csg.csail.mit.edu/Users/arvind/ Ashley Lin https://github.com/ashley-lin Atalay Ileri https://github.com/Atalay-Ileri Anna Zhang https://www.linkedin.com/in/annazhang03/ Benjamin C. Pierce http://www.cis.upenn.edu/~bcpierce/ Evan Chang Bor-Yuh Evan Chang http://www.cs.colorado.edu/~bec/ Benjamin Delaware https://www.cs.purdue.edu/homes/bendy/ Dirk Beyer http://www.sosy-lab.org/~dbeyer/ Benjamin Kaiser https://benkaiser.org/ Thomas Braibant http://braibant.github.io/ Thomas Bourgeat https://people.csail.mit.edu/bthom/ Thomas Carotti https://github.com/Carotti Chitchanok Chuengsatiansup https://cs.adelaide.edu.au/~cchuengs/ Chuyue Sun http://web.mit.edu/chuyues/www/ Christian J. Bell http://people.csail.mit.edu/cj/ Clark Wood https://www.linkedin.com/in/clark-wood/ Clément Pit-Claudel http://pit-claudel.fr/clement/ Santiago Cuellar http://scholar.princeton.edu/scuellar/ Karl Crary http://www.cs.cmu.edu/~crary/ Daniel Park https://dancwpark.com/ David Wu https://github.com/daviduwu9 Dustin Jamner https://jamner.net/ Di Wang https://www.cs.cmu.edu/~diw3/ Daniel Ziegler http://events.ccc.de/congress/2014/Fahrplan/speakers/5081.html David Spivak http://math.mit.edu/~dspivak/ Samuel Duchovni https://github.com/sdukhovni Lennart Beringer https://www.cs.princeton.edu/~eberinge/ Eunice Jun https://emjun.github.io/ Edward Z. Yang http://ezyang.com/ Daniel Genkin https://faculty.cc.gatech.edu/~genkin/ Gilbert Bernstein http://www.gilbertbernstein.com/ Gabriel Kammer https://kammer.xyz/ Gregory Malecha https://gmalecha.github.io/ Greg Morrisett http://www.cs.cornell.edu/~jgm/ Thomas Gregoire https://www.linkedin.com/in/thgregoire1 Samuel Gruetter https://samuelgruetter.net/ Haogang Chen http://pdos.csail.mit.edu/~hchen/ Ian Clester https://ijc8.me/ Mirai Ikebuchi https://mir-ikbch.github.io/ Jade Philipoom https://semiprecious.net/ Jason Gross https://jasongross.github.io/ Ranjit Jhala http://goto.ucsd.edu/~rjhala/ Joel Kuepper https://researchers.adelaide.edu.au/profile/joel.kuepper Joonwon Choi http://joonwon.net/c/ Jonathan Ragan-Kelley http://people.csail.mit.edu/jrk/ Julian Zanders https://www.researchgate.net/profile/Julian-Zanders Frans Kaashoek http://pdos.csail.mit.edu/~kaashoek/ Martine Kalke https://www.ll.mit.edu/biographies/martine-m-kalke Shoaib Kamil https://research.adobe.com/person/shoaib-kamil/ Eddie Kohler http://read.seas.harvard.edu/~kohler/ Kosi Nwabueze https://www.linkedin.com/in/kosinw/ Katherine Ye https://www.cs.cmu.edu/~kqy/ Amanda Liu http://people.csail.mit.edu/lamanda/ Jiazheng Liu https://www.linkedin.com/in/jiazheng-liu-95a552197/ Mohsen Lesani https://mohsenlesani.github.io/ David Lazar http://www.csail.mit.edu/user/3604 Leaf Petersen http://www.leafpetersen.com/ London Bielicke https://londonmae.github.io/ Brian Lucena https://www.linkedin.com/in/brianlucena/ Luke Sciarappa https://github.com/lsciarappa Manuel Fahndrich http://fahndrich.com/ Michael Carbin http://people.csail.mit.edu/mcarbin/ Michael Erdmann http://www.cs.cmu.edu/~me/ Mengjia Yan https://people.csail.mit.edu/mengjia/ Miraya Poddar-Agrawal https://www.linkedin.com/in/rajashreeagrawal/ Nirav Dave http://people.csail.mit.edu/ndave/ George Necula George C. Necula http://www.cs.berkeley.edu/~necula/ Nickolai Zeldovich http://people.csail.mit.edu/nickolai/ Owen Conoly https://www.csail.mit.edu/person/owen-conoly Patrick Hulin https://www.linkedin.com/in/patrick-hulin-027939109/ Pratap Singh https://pratap.dev/ Qinglan Luo https://www.linkedin.com/in/blanca-luo-434097279/ Ritam Nag https://www.linkedin.com/in/ritam-nag-a019381b2/ Robert Cunningham https://www.research.pitt.edu/people/robert-k-cunningham Tingzhen Dong https://github.com/RogerDTZ Robert Sloan https://blog.modt.io/ Rupak Majumdar http://www.mpi-sws.org/~rupak/ Robert Harper http://www.cs.cmu.edu/~rwh/ Ryan Wisnesky http://wisnesky.net/ Robert Schneck Robert R. Schneck http://tupelo-schneck.org/robert/ Zhong Shao http://www.cs.yale.edu/homes/shao/ Shardul Chiplunkar https://etaoin-shrdlu.xyz/ Benjamin Sherman http://www.ben-sherman.net/ Avraham Shinnar http://researcher.watson.ibm.com/researcher/view.php?person=us-shinnar Shixin Song https://zhizhuoxin.github.io/ Sorawit Suriyakarn https://github.com/sorawit Stella Lau https://people.csail.mit.edu/stellal/ Steve Zdancewic http://www.cis.upenn.edu/~stevez/ Stephanie Wang https://github.com/stephanie-wang Stephanie Weirich http://www.cis.upenn.edu/~sweirich/ Samuel Tian https://github.com/samuel-tian Thomas Henzinger http://pub.ist.ac.at/~tah/ Timothy Braje https://www.ll.mit.edu/biographies/timothy-m-braje Tej Chajed https://github.com/tchajed Théo Zimmermann https://www.theozimmermann.net/en/ Andy Tockman https://tck.mn/ Viktor Fukala https://www.linkedin.com/in/viktor-fukala/ Muralidaran Vijayaraghavan http://people.csail.mit.edu/vmurali/ Markus Wagner http://www.acrocon.com/~wagner/ Andrew Wagner https://github.com/a-wagner Peng Wang http://people.csail.mit.edu/wangpeng/ Jeannette Wing http://www.cs.cmu.edu/~wing/ Xi Wang http://homes.cs.washington.edu/~xi/ Li-yao Xia https://poisson.chat/ Qianchuan Ye https://www.cs.purdue.edu/homes/ye202/ Yuval Yarom https://cs.adelaide.edu.au/~yval/ Ziv Scully http://ziv.codes/ Zachary Tatlock http://homes.cs.washington.edu/~ztatlock/ Avaya Communication Avaya Holmdel NJ http://www.avaya.com/ Carnegie Mellon University Pittsburgh PA http://www.cmu.edu/ Computer Science Department http://www.cs.cmu.edu/ 15-212: Principles of Programming (introduction to formal reasoning about programs and functional programming with Standard ML) 15-212 http://www.cs.cmu.edu/~me/courses/212/ The TILT type-directed Standard ML compiler project TILT http://www.cs.cornell.edu/home/jgm/tilt.html IEEE Computer Society Press IEEE http://www.ieee.org/ Cambridge University Press CUP http://www.cambridge.org/ Harvard University Harvard Cambridge MA http://www.harvard.edu/ School of Engineering and Applied Sciences http://www.seas.harvard.edu/ COMPSCI 252: Certified Programming with Dependent Types CS252 http://www.cs.harvard.edu/~adamc/cpdt/ Microsoft Research MSR http://research.microsoft.com/ Software Productivity Tools group Redmond WA SPT The Singularity project Singularity http://research.microsoft.com/os/singularity/ IBM Research IBM http://research.ibm.com/ IBM Watson Research Center Hawthorne NY IBM Watson University of Oregon http://www.uoregon.edu/ Trifecta Technologies Trifecta Allentown PA http://www.trifecta.com/ University of California, Berkeley Berkeley http://www.berkeley.edu/ Electrical Engineering and Computer Science Department EECS http://www.eecs.berkeley.edu/ Computer Science Division CS http://www.cs.berkeley.edu/ The BLAST project http://cseweb.ucsd.edu/~rjhala/blast.html BLAST CS172: Computability and Complexity http://inst.eecs.berkeley.edu/~cs172/sp05/ CS172 The Open Verifier project Open Verifier CS294-9: Interactive Computer Theorem Proving CS294-9 http://adam.chlipala.net/itp/ UC Berkeley EECS Department http://www.eecs.berkeley.edu/ Massachusetts Institute of Technology MIT http://www.mit.edu/ Department of Electrical Engineering and Computer Science EECS http://www.eecs.mit.edu/ Computer Science and Artificial Intelligence Laboratory CSAIL http://www.csail.mit.edu/ Emmaus High School Emmaus, PA http://www.eastpennsd.org/ehs/ Association for Computing Machinery ACM http://www.acm.org/ IEEE http://www.ieee.org/ Royal Society Royal Society https://royalsociety.org/ Springer-Verlag Springer-Verlag http://www.springer.de/comp/lncs Elsevier http://www.elsevier.com/ Jane Street Capital Jane Street Capital http://www.janestreet.com/ 26th International Conference on Software Engineering ICSE'04 http://www.icse-conferences.org/2004/index.html 2004 Edinburgh, Scotland 11th Static Analysis Symposium SAS'04 http://profs.sci.univr.it/~sas04/ 2004 Verona, Italy 9th ACM SIGPLAN International Conference on Functional Programming ICFP'04 http://www.cs.indiana.edu/icfp04/ Snowbird, Utah, USA 2004 2nd ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'05 http://research.microsoft.com/~maf/tldi05/ 2005 Long Beach, California, USA 12th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning http://www.lpar.net/2005/ LPAR'05 Montego Bay, Jamaica 2005 7th International Conference on Verification, Model Checking, and Abstract Interpretation http://www.informatik.uni-trier.de/~ley/db/conf/vmcai/vmcai2006.html VMCAI'06 2006 Charleston, South Carolina, USA 21st Annual IEEE Symposium on Logic in Computer Science http://www.easychair.org/FLoC-06/LICS.html LICS'06 2006 Seattle, Washington, USA 11th ACM SIGPLAN International Conference on Functional Programming http://icfp06.cs.uchicago.edu/ ICFP'06 2006 Portland, Oregon, USA 4th ASIAN Symposium on Programming Languages and Systems http://www.kb.ecei.tohoku.ac.jp/aplas2006/ APLAS'06 2006 Sydney, Australia International Workshop on Proof-Carrying Code http://www.cs.stevens.edu/~abc/PCC-Workshop.html PCC'06 2006 Seattle, Washington, USA 6th International Workshop on Strategies in Automated Deduction http://www.easychair.org/FLoC-06/Strategies.html STRATEGIES'06 2006 Seattle, Washington, USA Programming Languages meets Program Verification Workshop http://www.easychair.org/FLoC-06/PLPV.html PLPV'06 2006 Seattle, Washington, USA 3nd ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'07 http://www.cs.berkeley.edu/~necula/tldi07/ 2007 Nice, France ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation PLDI'07 http://ties.ucsd.edu/PLDI/ 2007 San Diego, California, USA 2005 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.cs.berkeley.edu/~bodik/OSQ05.htm 2005 2006 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.cs.berkeley.edu/~bodik/OSQ06.htm 2006 2007 Open Source Quality Project Retreat Open Source Quality Project Retreat http://www.eecs.berkeley.edu/~sseshia/OSQ07.htm 2007 Projet Gallium seminar http://www-c.inria.fr/Internet/rendez-vous/seminaires-des-equipes-de-recherche/a-certified-type-preserving-compiler-from-lambda-calculus-to-assembly-language 2007 18th International Conference on Term Rewriting and Applications RTA'07 http://www.lsv.ens-cachan.fr/rdp07/rta.html 2007 Paris, France 2nd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory WMM'07 http://www.cis.upenn.edu/~sweirich/wmm/wmm07.html Freiburg, Germany 2007 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'08 http://www.cs.ucsd.edu/popl/08/ 2008 San Francisco, California, USA 9th International Conference on Verification, Model Checking and Abstract Interpretation VMCAI'08 http://www.cs.uic.edu/vmcai08/ 2008 San Francisco, California, USA ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation PLDI'08 http://pldi2008.cs.ucr.edu/ 2008 Tucson, Arizona, USA 3rd Informal ACM SIGPLAN Workshop on Mechanizing Metatheory WMM'08 http://www.cis.upenn.edu/~sweirich/wmm/wmm08.html 2008 Victoria, British Columbia, Canada 13th ACM SIGPLAN International Conference on Functional Programming ICFP'08 http://www.icfpconference.org/icfp2008/ 2008 Victoria, British Columbia, Canada 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'09 http://www.cs.ucsd.edu/popl/09/ 2009 Savannah, Georgia, USA 4th ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'09 http://ttic.uchicago.edu/~amal/tldi2009/ 2009 Savannah, Georgia, USA 18th European Symposium on Programming ESOP'09 http://esop09.pps.jussieu.fr/ 2009 York, United Kingdom 21st New England Programming Languages and Systems Symposium NEPLS 21 http://www.nepls.org/Events/21/ 2008 Cambridge, MA, USA 2008 TYPES Meeting TYPES'08 http://types2008.di.unito.it/ 2008 Torino, Italy ACM SIGPLAN 2009 Conference on Programming Language Design and Implementation PLDI'09 http://www-plan.cs.colorado.edu/~pldi09/ 2009 Dublin, Ireland 4th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice LFMTP'09 http://workshops.inf.ed.ac.uk/lfmtp/ 2009 Montreal, Canada Boston University Programming Languages Reading Group http://www.church-project.org/reading-group/reading-group.html 2009 Northeastern University Programming Languages Seminar http://www.ccs.neu.edu/home/wand/pl-seminar/ 2009 Microsoft Research Redmond http://research.microsoft.com/ 2009 14th ACM SIGPLAN International Conference on Functional Programming ICFP'09 http://www.cs.nott.ac.uk/~gmh/icfp09.html 2009 Edinburgh, Scotland 4th Informal ACM SIGPLAN Workshop on Mechanizing Metatheory WMM'09 http://www.cis.upenn.edu/~sweirich/wmm/wmm09.html 2009 Edinburgh, Scotland ACM SIGPLAN Developer Tracks on Functional Programming DEFUN'09 http://www.defun2009.info/ 2009 Edinburgh, Scotland New Jersey Programming Languages and Systems Seminar NJPLS http://www.njpls.org/oct09.html 2009 Bethlehem, PA, USA New England F# User Group New England F# User Group http://www.fsug.org/ 2009 Cambridge, MA, USA 37th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'10 http://www.cse.psu.edu/popl/10/ 2010 Madrid, Spain Programming Languages meets Program Verification Workshop http://slang.soe.ucsc.edu/plpv10/ PLPV'10 2010 Madrid, Spain Boston Lisp Boston Lisp http://common-lisp.net/project/boston-lisp/ 2010 Cambridge, MA, USA 13th International Conference on Foundations of Software Science and Computation Structures FoSSaCS'10 http://users.comlab.ox.ac.uk/luke.ong/FoSSaCS2010/ 2010 Paphos, Cyprus Sixteenth International Conference on Tools and Algorithms for the Construction and Analysis of Systems TACAS'10 http://tacas10.in.tum.de/ 2010 Paphos, Cyprus ACM SIGPLAN 2010 Conference on Programming Language Design and Implementation PLDI'10 http://cs.stanford.edu/pldi10/ 2010 Toronto, Canada The Second Coq Workshop Coq-2 http://coq.inria.fr/coq-workshop/2010 2010 Edinburgh, Scotland Dependently Typed Programming 2010 DTP'10 http://sneezy.cs.nott.ac.uk/darcs/dtp10/ 2010 Edinburgh, Scotland 2nd Workshop on Module Systems and Libraries for Proof Assistants MLPA'10 http://kwarc.info/frabe/events/mlpa-10.html 2010 Edinburgh, Scotland Emerging Languages Camp 2010 Emerging Languages Camp 2010 http://emerginglangs.com/ 2010 Portland, OR, USA Mathematically Structured Functional Programming 2010 MSFP'10 http://cs.ioc.ee/msfp/msfp2010/ 2010 Baltimore, MD, USA 9th USENIX Symposium on Operating Systems Design and Implementation OSDI'10 http://www.usenix.org/event/osdi10/ 2010 Vancouver, BC, Canada 5th International Workshop on Systems Software Verification SSV'10 http://usenix.org/events/ssv10/ 2010 Vancouver, BC, Canada Twenty-sixth Conference on the Mathematical Foundations of Programming Semantics MFPS'10 http://www.math.tulane.edu/~mfps/mfps26/MFPS_XXVI.html 2010 Ottawa, Ontario, Canada 12th International Symposium on Principles and Practice of Declarative Programming PPDP'10 http://www.risc.uni-linz.ac.at/about/conferences/ppdp2010/ 2010 Hagenberg, Austria 5th International Workshop on Higher-Order Rewriting HOR'10 http://hor.pps.jussieu.fr/10/ 2010 Edinburgh, Scotland COPLAS, ITU Copenhagen http://www.coplas.org/ 2010 15th ACM SIGPLAN International Conference on Functional Programming ICFP'10 http://www.icfpconference.org/icfp2010/ 2010 Baltimore, MD, USA First International Workshop on Relations and Data Integrity Constraints and Languages RADICAL'10 http://research.microsoft.com/en-us/um/people/adg/RADICAL2010/ 2010 Cambridge, England MIT PL Working Group MIT PL Working Group http://people.csail.mit.edu/jeanyang/pl/ 2010 Cambridge, MA, USA Third International Workshop on Graph Computation Models GCM'10 http://gcm-events.org/gcm2010/ 2010 Enschede, The Netherlands 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'11 http://www.cse.psu.edu/popl/11/ 2011 Austin, TX, USA Twelfth International Conference on Verification, Model Checking, and Abstract Interpretation VMCAI'11 http://vmcai11.cis.ksu.edu/ 2011 Austin, TX, USA 20th European Symposium on Programming ESOP'11 http://software.imdea.org/~gbarthe/esop11/ 2011 Saarbrücken, Germany 22nd International Conference on Rewriting Techniques and Applications RTA'11 http://www.rdp2011.uns.ac.rs/rta/ 2011 ACM SIGPLAN 2011 Conference on Programming Language Design and Implementation PLDI'11 http://pldi11.cs.utah.edu/ 2011 San Jose, CA, USA UC Berkeley UC Berkeley 2011 Berkeley, CA, USA Workshop on Foundations of Computer Security FCS'11 http://www.di.ens.fr/~blanchet/fcs11/ 2011 Toronto, ON, Canada Syntax and Semantics of Low-Level Languages LOLA'11 http://flint.cs.yale.edu/lola2011/ 2011 Toronto, ON, Canada IBM Watson Research Center IBM Watson Research Center 2011 Hawthorne, NY, USA CSAIL Student Workshop CSAIL Student Workshop http://projects.csail.mit.edu/csw/2011/ 2011 Beverly, MA, USA The Third Coq Workshop Coq-3 http://www.cs.ru.nl/~spitters/coqw.html 2011 Nijmegen, Holland 6th International Workshop on Systems Software Verification SSV'11 https://es.fbk.eu/events/ssv2011/ 2011 Nijmegen, Holland 16th ACM SIGPLAN International Conference on Functional Programming ICFP'11 http://www.icfpconference.org/icfp2011/ 2011 Tokyo, Japan 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'12 http://www.cse.psu.edu/popl/12/ 2012 Philadelphia, PA, USA 7th ACM SIGPLAN Workshop on Types in Language Design and Implementation TLDI'12 http://www.cis.upenn.edu/~bcpierce/tldi12/ 2012 Philadelphia, PA, USA Fourth International Conference on Verified Software: Theories, Tools, and Experiments VSTTE'12 https://sites.google.com/site/vstte2012/ 2012 Philadelphia, PA, USA 24th International Conference on Computer Aided Verification CAV'12 http://cav12.cs.illinois.edu/ 2012 Berkeley, CA, USA The Fourth Coq Workshop Coq-4 http://coq.inria.fr/coq-workshop/2012 2012 Princeton, NJ, USA 15th International Conference on Foundations of Software Science and Computation Structures FoSSaCS'12 http://www.itu.dk/research/fossacs-2012/ 2012 Tallinn, Estonia Interactive Theorem Proving - Third International Conference ITP'12 http://www.cs.princeton.edu/~eberinge/itp12/web/Home.html 2012 Princeton, NJ, USA 7th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice LFMTP'12 http://people.csail.mit.edu/adamc/lfmtp12/ 2012 Copenhagen, Denmark IEEE Symposium on Security & Privacy 2012 S&P'12 http://www.ieee-security.org/TC/SP2012/ 2012 San Francisco, CA, USA ACM SIGPLAN Haskell Symposium 2012 Haskell'12 http://www.haskell.org/haskell-symposium/2012/ 2012 Copenhagen, Denmark 26th New England Programming Languages and Systems Symposium NEPLS 26 http://www.nepls.org/Events/26/home.html 2012 Portland, ME, USA 2nd International Conference on Certified Programs and Proofs CPP'12 http://cpp12.kuis.kyoto-u.ac.jp/ 2012 Kyoto, Japan 15th International Symposium on Practical Aspects of Declarative Languages PADL'13 http://www.it.uu.se/conf/padl2013/ 2013 Rome, Italy Data Driven Functional Programming Workshop 2013 DDFP'13 http://research.microsoft.com/en-us/events/ddfp2013/ 2013 Rome, Italy Symposium on Logical Foundations of Computer Science 2013 LFCS'13 http://lfcs.info/lfcs13/ 2013 San Diego, California, USA 16th International Conference on Foundations of Software Science and Computation Structures FoSSaCS'13 http://www.informatik.uni-trier.de/~ley/db/conf/fossacs/ 2013 ? ACM SIGPLAN 2013 Conference on Programming Language Design and Implementation PLDI'13 http://pldi2013.ucombinator.org/ 2013 Seattle, Washington, USA 40th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'13 http://popl.mpi-sws.org/2013/ 2013 Rome, Italy POPL 2013 TutorialFest POPL'13 TutorialFest http://wrigstad.com/popl13/tutorialfest.html 2013 Rome, Italy 43th Annual IEEE/IFIP International Conference on Dependable Systems and Networks DSN'13 http://2013.dsn.org/ 2013 Budapest, Hungary Interactive Theorem Proving - Fourth International Conference ITP'13 http://itp2013.inria.fr/ 2013 Rennes, France 22nd USENIX Security Symposium USENIX Security'13 https://www.usenix.org/conference/usenixsecurity13 2013 Washington, D.C., USA Functional Programming Concepts in Domain-Specific Languages FPCDSL'13 http://quantum.bbn.com/FPCDSL/ 2013 Boston, MA, USA 25th International Conference on Computer Aided Verification CAV'13 http://cav2013.forsyte.at/ 2013 Saint Petersburg, Russia 8th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice LFMTP'13 http://complogic.cs.mcgill.ca/lfmtp13 2013 Boston, MA, USA 18th ACM SIGPLAN International Conference on Functional Programming ICFP'13 http://www.icfpconference.org/icfp2013/ 2013 Boston, MA, USA The 2nd ACM SIGPLAN Workshop on Higher-Order Programming with Effects HOPE'13 http://hope2013.mpi-sws.org/ 2013 Boston, MA, USA 15th International Symposium on Principles and Practice of Declarative Programming PPDP'13 http://users.ugent.be/~tschrijv/PPDP2013/ 2013 Madrid, Spain Programming Languages meets Program Verification Workshop http://www.cse.chalmers.se/~nad/plpv-2014/ PLPV'14 2014 San Diego, CA, USA 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'14 http://popl.mpi-sws.org/2014/ 2014 San Diego, CA, USA Workshop on Secure Cloud and Reactive Internet Programming Technology SCRIPT'13 http://soft.vub.ac.be/script/ 2013 Brussels, Belgium Twitter, Inc. Twitter, Inc., San Francisco 2014 San Francisco, CA 23rd European Symposium on Programming ESOP'14 http://flint.cs.yale.edu/esop2014/ 2014 Grenoble, France 2014 USENIX Annual Technical Conference USENIX ATC'14 https://www.usenix.org/conference/atc14 2014 Philadelphia, PA, USA IHP Workshop on Certification of High-Level and Low-Level Programs IHP Workshop on Certification of High-Level and Low-Level Programs https://ihp2014.pps.univ-paris-diderot.fr/doku.php?id=workshop_5 2014 Paris, France 9th International Workshop on Logical Frameworks and Meta-languages: Theory and Practice LFMTP'14 http://complogic.cs.mcgill.ca/lfmtp14/ 2014 Vienna, Austria 5th International Conference on Interactive Theorem Proving ITP'14 http://www.cs.uwyo.edu/~ruben/itp-2014/ 2014 Vienna, Austria 19th ACM SIGPLAN International Conference on Functional Programming ICFP'14 http://www.icfpconference.org/icfp2014/ 2014 Gothenburg, Sweden Boston Haskell Boston Haskell http://www.meetup.com/Boston-Haskell/events/190579132/ 2014 Cambridge, MA Kyoto University RIMS Kyoto University RIMS http://www.kurims.kyoto-u.ac.jp/en/ 2014 Kyoto, Japan Theorem proving and provers for reliable theory and implementations TPP'14 http://imi.kyushu-u.ac.jp/lasm/tpp2014/ 2014 Fukuoka, Japan Microsoft Research Cambridge, PPT Group Microsoft Research Cambridge, PPT Group http://research.microsoft.com/en-us/groups/ppt/ 2014 Cambridge, England 11th USENIX Symposium on Operating System Design and Implementation OSDI'14 https://www.usenix.org/conference/osdi14/ 2014 Broomfield, CO, USA 2014 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications OOPSLA'14 http://2014.splashcon.org/track/oopsla2014 2014 Portland, OR, USA 42nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'15 http://popl.mpi-sws.org/2015/ 2015 Mumbai, India POPL'15 Student Research Competition SRC http://popl.mpi-sws.org/2015/posters2.html 2015 Mumbai, India ACM SIGPLAN Programming Languages Mentoring Workshop 2015 PLMW'15 http://plmw15.iisc-seal.net/ 2015 Mumbai, India The First International Workshop on Coq for PL CoqPL'15 http://coqpl.cs.washington.edu/ 2015 Mumbai, India 24th European Symposium on Programming ESOP'15 http://conf.researchr.org/home/esop-2015 2015 London, United Kingdom 30th Annual ACM/IEEE Symposium on Logic in Computer Science http://lics.rwth-aachen.de/lics15/ LICS'15 2015 Kyoto, Japan 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications OOPSLA'15 http://2015.splashcon.org/track/oopsla 2015 Pittsburgh, PA, USA 15th Workshop on Hot Topics in Operating Systems HotOS'15 https://www.usenix.org/conference/hotos15 2015 Kartause Ittingen, Switzerland Oregon Programming Languages Summer School OPLSS'15 https://www.cs.uoregon.edu/research/summerschool/summer15/ 2015 Eugene, OR, USA 27th International Conference on Computer Aided Verification CAV'15 http://i-cav.org/2015/ 2015 San Francisco, CA, USA 20th ACM SIGPLAN International Conference on Functional Programming ICFP'15 http://www.icfpconference.org/icfp2015/ 2015 Vancouver, BC, Canada IMDEA Software http://software.imdea.org/ 2015 MITx online course: Cybersecurity: Technology, Application and Policy MITx online course: Cybersecurity: Technology, Application and Policy https://mitprofessionalx.mit.edu/courses/course-v1:MITProfessionalX+CSx+2015_T1/about 2015 Cambridge, MA, USA 25th ACM Symposium on Operating Systems Principles SOSP'15 http://www.ssrc.ucsc.edu/sosp15/ 2015 Monterey, CA, USA 28th New England Programming Languages and Systems Symposium NEPLS 28 http://www.nepls.org/Events/28/home.html 2015 Medford, MA, USA 5th International Conference on Certified Programs and Proofs CPP'16 http://people.csail.mit.edu/adamc/cpp16/ 2016 St. Petersburg, FL, USA ACM SIGPLAN 2016 Workshop on Partial Evaluation and Program Manipulation PEPM'16 http://conf.researchr.org/home/pepm-2016 2016 St. Petersburg, FL, USA 43rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'16 http://popl16.sigplan.org/ 2016 St. Petersburg, FL, USA The Second International Workshop on Coq for PL CoqPL'16 http://conf.researchr.org/home/CoqPL-2016 2016 St. Petersburg, FL, USA 37th IEEE Symposium on Security and Privacy S&P'16 http://www.ieee-security.org/TC/SP2016/ 2016 San Jose, CA, USA 28th International Conference on Computer Aided Verification CAV'16 http://i-cav.org/2016/ 2016 Toronto, ON, Canada Interactive Theorem Proving - Seventh International Conference ITP'16 http://itp2016.inria.fr/ 2016 Nancy, France 21st ACM SIGPLAN International Conference on Functional Programming ICFP'16 https://icfp16.sigplan.org/ 2016 Nara, Japan The Eighth Coq Workshop Coq-8 http://coq.inria.fr/coq-workshop/2016 2016 Nancy, France Mozilla San Francisco Mozilla San Francisco https://www.mozilla.org/ 2016 San Francisco, CA, USA Verified Trustworthy Software Systems (public meeting) Verified Trustworthy Software Systems (public meeting) https://royalsociety.org/events/2016/04/software-systems/ 2016 London, UK Verified Trustworthy Software Systems (specialist meeting) Verified Trustworthy Software Systems (specialist meeting) https://verificationinstitute.org/event/verified-trustworthy-software-systems-specialist-meeting/ 2016 London, UK 30th New England Programming Languages and Systems Symposium NEPLS 30 http://www.nepls.org/Events/30/home.html 2016 Boston, MA, USA SPLASH-I SPLASH-I'16 https://2016.splashcon.org/track/splash-2016-splash-i 2016 Amsterdam, Netherlands APLAS APLAS'16 http://soict.hust.edu.vn/~aplas2016/ 2016 Hanoi, Vietnam New Directions In Software Technology 2016 NDIST'16 https://ndist.kestrel.edu/events/NDIST16/ 2016 St. John, U.S. Virgin Islands 44th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'17 https://popl17.sigplan.org/ 2017 Paris, France Workshop on Reasoning about Declarative Programs RDP'17 http://conf.researchr.org/track/POPL-2017/RDP-2017 2017 Paris, France The 2nd Summit oN Advances in Programming Languages SNAPL'17 http://snapl.org/2017/ 2017 Asilomar, CA, USA ACM SIGPLAN 2017 Conference on Programming Language Design and Implementation PLDI'17 https://pldi17.sigplan.org/ 2017 Barcelona, Spain Deep Specifications Summer School 2017 DSSS'17 https://deepspec.org/event/dsss17/ 2017 Philadelphia, PA 30th IEEE Computer Security Foundations Symposium CSF'17 http://csf2017.tecnico.ulisboa.pt/ 2017 Santa Barbara, CA, USA 22nd ACM SIGPLAN International Conference on Functional Programming ICFP'17 https://icfp17.sigplan.org/ 2017 Oxford, UK Interactive Theorem Proving - Eighth International Conference ITP'17 http://itp2017.cic.unb.br/ 2017 Brasília, Brazil 2017 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications OOPSLA'17 http://2017.splashcon.org/track/splash-2017-OOPSLA 2017 Vancouver, BC, Canada ACM SIGPLAN Conference on Systems, Programming, Languages and Applications: Software for Humanity SPLASH'17 http://2017.splashcon.org/track/splash-2017-Workshops 2017 Vancouver, BC, Canada 26th ACM Symposium on Operating Systems Principles SOSP'17 http://sigops.org/s/conferences/sosp/2017/ 2017 Shanghai, China 7th RISC-V Workshop 7th RISC-V Workshop https://riscv.org/2017/12/7th-risc-v-workshop-proceedings/ 2017 Milpitas, CA, USA Microsoft Research Redmond, RiSE group Microsoft Research Remond, RiSE group https://www.microsoft.com/en-us/research/group/research-in-software-engineering-rise/ 2017 Redmond, WA, USA 34th Chaos Communication Congress 34th Chaos Communication Congress https://events.ccc.de/congress/2017/ 2017 Leipzig, Germany 45th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'18 https://popl18.sigplan.org/ 2018 Los Angeles, CA, USA ETH Zurich, Programming Methodology ETH Zurich, Programming Methodology http://www.pm.inf.ethz.ch/ 2018 Zurich, Switzerland Inria Paris, Gallium team Inria Paris, Gallium team http://gallium.inria.fr/seminar.html 2018 Paris, France ENabling TRust through Os Proofs...and beYond 2018 ENTROPY 2018 https://entropy2018.sciencesconf.org/ 2018 Lille, France Web Programming, Design, Analysis, and Implementation track of The Web Conference 2018 WPDAI'18 https://www2018.thewebconf.org/call-for-papers/web-programming-cfp/ 2018 Lyon, France ACM SIGPLAN 2018 Conference on Programming Language Design and Implementation PLDI'18 https://pldi18.sigplan.org/ 2018 Philadelphia, PA, USA Deep Specifications Workshop 2018 DeepSpec'18 https://deepspec.org/events/dsw18/ 2018 Philadelphia, PA Interactive Theorem Proving - Ninth International Conference ITP'18 https://itp2018.inria.fr/ 2018 Oxford, UK 33rd Annual ACM/IEEE Symposium on Logic in Computer Science LICS'18 http://lics.siglog.org/lics18/ 2018 Oxford, UK 2018 European Conference on Object-Oriented Programming ECOOP'18 https://2018.ecoop.org/ 2018 Amsterdam, Netherlands Deep Specifications Summer School 2018 DSSS'18 https://deepspec.org/event/dsss18/ 2018 Princeton, NJ Microsoft Research Faculty Summit 2018 https://www.microsoft.com/en-us/research/event/faculty-summit-2018/ Microsoft Research Faculty Summit 2018 2018 Redmond, WA 32nd New England Programming Languages and Systems Symposium NEPLS 32 http://www.nepls.org/Events/32/ 2018 Cambridge, MA, USA The 30th Symposium on Implementation and Application of Functional Languages IFL'18 http://2018.iflconference.org/ 2018 Lowell, MA, USA Festschrift for Robert Harper Festschrift for Robert Harper http://www.cs.cmu.edu/~harperfest/ 2018 Pittsburgh, PA, USA 23rd ACM SIGPLAN International Conference on Functional Programming ICFP'18 https://icfp18.sigplan.org/ 2018 Saint Louis, MO, USA 13th USENIX Symposium on Operating Systems Design and Implementation OSDI'18 https://www.usenix.org/conference/osdi18/ 2018 Carlsbad, CA, USA SPLASH-I SPLASH-I'18 http://2018.splashcon.org/track/splash-2018-splash-i 2018 Boston, MA, USA Inaugural RISC-V Summit RISC-V Summit https://tmt.knect365.com/risc-v-summit/ 2018 San Jose, CA, USA 46th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'19 https://popl19.sigplan.org/ 2019 Cascais, Portugal SiFive Technical Symposium, Boston SiFive Technical Symposium, Boston https://sifivetechsymposium.com/ 2019 Burlington, MA, USA Annual GOMACTech Conference 2019 GOMACTech'19 https://www.gomactech.net/2019/ 2019 Albuquerque, NM, USA Real World Cryptography 2019 RWC'19 https://rwc.iacr.org/2019/ 2019 San Jose, CA, USA IEEE Symposium on Security & Privacy 2019 S&P'19 http://www.ieee-security.org/TC/SP2019/ 2019 San Francisco, CA, USA 25th International Conference on Types for Proofs and Programs TYPES'19 https://cas.oslo.no/types2019/ 2019 Oslo, Norway Deep Specifications Workshop 2019 DeepSpec'19 https://pldi19.sigplan.org/home/deepspec-2019 2019 Phoenix, AZ SIGARCH Visioning Workshop: Agile and Open Hardware for Next-Generation Computing SIGARCH Visioning Workshop 2019 https://sites.google.com/view/agile-and-open-hardware/ 2019 Phoenix, AZ ACM SIGPLAN 2019 Conference on Programming Language Design and Implementation PLDI'19 https://pldi19.sigplan.org/ 2019 Phoenix, AZ, USA 31st International Conference on Computer Aided Verification CAV'19 http://i-cav.org/2019/ 2019 New York, NY, USA 24th ACM SIGPLAN International Conference on Functional Programming ICFP'19 https://icfp19.sigplan.org/ 2019 Berlin, Germany 27th ACM Symposium on Operating Systems Principles SOSP'19 https://www.sigops.org/sosp/sosp19/ 2019 Huntsville, Ontario, Canada 2019 RISC-V Summit RISC-V Summit 2019 https://riscv.org/blog/2019/12/highlights-from-the-2019-risc-v-summit-a-look-at-the-future-of-computing/ 2019 San Jose, CA, USA 9th International Conference on Certified Programs and Proofs CPP'20 https://popl20.sigplan.org/home/CPP-2020 2020 New Orleans, LA, USA ACM SIGPLAN 2020 Conference on Programming Language Design and Implementation PLDI'20 https://pldi20.sigplan.org/ 2020 London, England 9th International Joint Conference on Automated Reasoning IJCAR'20 https://ijcar2020.org/ 2020 Paris, France 25th ACM SIGPLAN International Conference on Functional Programming ICFP'20 https://icfp20.sigplan.org/ 2020 Jersey City, NJ, USA 15th International Symposium on Functional and Logic Programming FLOPS'20 https://www.ipl.riec.tohoku.ac.jp/FLOPS2020/ 2020 Akita, Japan 48th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'21 https://popl21.sigplan.org/ 2021 Copenhagen, Denmark The Seventh International Workshop on Coq for Programming Languages CoqPL'21 https://popl21.sigplan.org/home/CoqPL-2021 2021 virtual 2021 Lambda Days Lambda Days'21 https://www.lambdadays.org/lambdadays2021 2021 26th International Conference on Architectural Support for Programming Languages and Operating Systems ASPLOS'21 https://asplos-conference.org/2021/ 2021 virtual Verified software: from theory to practice (a workshop of the Isaac Newton Institute) Verified software: from theory to practice (a workshop of the Isaac Newton Institute) https://www.newton.ac.uk/event/vsow03 2021 42nd ACM SIGPLAN Conference on Programming Language Design and Implementation PLDI'21 https://pldi21.sigplan.org/ 2021 Quebec City, QC, Canada Interactive Theorem Proving - Twelfth International Conference ITP'21 http://easyconferences.eu/itp2021/ 2021 Rome, Italy 15th USENIX Symposium on Operating Systems Design and Implementation OSDI'21 https://www.usenix.org/conference/osdi21/ 2021 Santa Clara, CA, USA 26th ACM SIGPLAN International Conference on Functional Programming ICFP'21 https://icfp21.sigplan.org/ 2021 Virtual NUS Computer Science Research Week NUS Computer Science Research Week https://researchweek.comp.nus.edu.sg/ 2022 49th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'22 https://popl22.sigplan.org/ 2022 Philadelphia, PA, USA High Confidence Software and Systems Conference 2022 HCSS'22 https://cps-vo.org/group/hcss_conference 2022 Virtual 43rd ACM SIGPLAN Conference on Programming Language Design and Implementation PLDI'22 https://pldi22.sigplan.org/ 2022 San Diego, CA, USA Oregon Programming Languages Summer School OPLSS'22 https://www.cs.uoregon.edu/research/summerschool/summer22/ 2022 Eugene, OR, USA Isaac Newton Institute Verified Software Workshop VSO'22 https://www.newton.ac.uk/event/vso2/ 2022 Cambridge, England 34th International Conference on Computer-Aided Verification CAV'22 http://i-cav.org/2022/ 2022 Haifa, Israel 35th IEEE Computer Security Foundations Symposium CSF'22 https://www.ieee-security.org/TC/CSF2022/ 2022 Haifa, Israel Interactive Theorem Proving - Thirteenth International Conference ITP'22 https://itpconference.github.io/ITP22/ 2022 Haifa, Israel 33rd New England Programming Languages and Systems Symposium NEPLS 33 http://www.nepls.org/Events/33/home.html 2022 Boston, MA, USA 2022 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications OOPSLA'22 http://2022.splashcon.org/track/splash-2022-oopsla 2022 Auckland, New Zealand ACM SIGPLAN 2023 Workshop on Partial Evaluation and Program Manipulation PEPM'23 https://popl23.sigplan.org/home/PEPM-2023 2023 Boston, MA, USA The Ninth International Workshop on Coq for Programming Languages CoqPL'23 https://popl23.sigplan.org/home/CoqPL-2023 2023 Boston, MA, USA Real World Cryptography 2023 RWC'23 https://rwc.iacr.org/2023/ 2023 Tokyo, Japan 44th ACM SIGPLAN Conference on Programming Language Design and Implementation PLDI'23 https://pldi23.sigplan.org/ 2023 Orlando, FL, USA 28th International Conference on Architectural Support for Programming Languages and Operating Systems ASPLOS'23 https://asplos-conference.org/ 2023 TBD 28th ACM SIGPLAN International Conference on Functional Programming ICFP'23 https://icfp23.sigplan.org/ 2023 Seattle, WA, USA The Tenth International Workshop on Coq for Programming Languages CoqPL'24 https://popl24.sigplan.org/home/CoqPL-2024 2024 London, England Dafny 2024 Dafny'24 https://popl24.sigplan.org/home/dafny-2024 2024 London, England 51st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'24 https://popl24.sigplan.org/ 2024 London, England National Academies Workshop: AI to Assist Mathematical Reasoning AIMR'24 https://www.nationalacademies.org/our-work/ai-to-assist-mathematical-reasoning-a-workshop 2024 45th ACM SIGPLAN Conference on Programming Language Design and Implementation PLDI'24 https://pldi24.sigplan.org/ 2024 Copenhagen, Denmark First NIST Workshop on Formal Methods within Certification Programs FMCP'24 https://www.nist.gov/news-events/events/nist-workshop-formal-methods-within-certification-programs-fmcp-2024 2024 Rockville, MD, USA 37th IEEE Computer Security Foundations Symposium CSF'24 https://csf2024.ieee-security.org/ 2024 Enschede, The Netherlands Interactive Theorem Proving - Fifteenth International Conference ITP'24 https://www.viam.science.tsu.ge/itp2024/ 2024 Tbilisi, Georgia 2024 ACM SIGSAC Conference on Computer and Communications Security CCS'24 https://www.sigsac.org/ccs/CCS2024/ 2024 Salt Lake City, UT, USA 52nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'25 https://popl25.sigplan.org/ 2025 Denver, CO, USA ACM SIGPLAN Programming Languages Mentoring Workshop 2025 PLMW@PLDI'25 https://pldi25.sigplan.org/home/PLMW-pldi-2025 2025 Seoul, South Korea 46th ACM SIGPLAN Conference on Programming Language Design and Implementation PLDI'25 https://pldi25.sigplan.org/ 2025 Seoul, South Korea University at Buffalo CSE Distinguished Speaker Series University at Buffalo CSE Distinguished Speaker Series https://engineering.buffalo.edu/computer-science-engineering.html 2025 2025 ACM SIGSAC Conference on Computer and Communications Security CCS'25 https://www.sigsac.org/ccs/CCS2025/ 2025 Taipei, Taiwan 2025 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, & Applications OOPSLA'25 https://2025.splashcon.org/track/OOPSLA 2025 Singapore 15th International Conference on Certified Programs and Proofs CPP'26 https://popl26.sigplan.org/home/CPP-2026 2026 Rennes, France 53rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages POPL'26 https://popl26.sigplan.org/ 2026 Rennes, France Texas A&M International University School of Engineering Distinguished Lecture Series (virtual) Texas A&M International University School of Engineering Distinguished Lecture Series (virtual) 2026 46th ACM SIGPLAN Conference on Programming Language Design and Implementation PLDI'26 https://pldi26.sigplan.org/ 2026 Boulder, CO, USA IFIP Working Group on Functional Programming http://www.cs.ox.ac.uk/ralf.hinze/WG2.8/ WG 2.8 IFIP Working Group on Language Design https://languagedesign.org/ WG 2.16 DARPA Information Science and Technology study group https://www.darpa.mil/about-us/offices/i2o ISAT International Conference on Certified Programs and Proofs https://popl21.sigplan.org/home/CPP-2021#The-CPP-Series CPP International Conference on Functional Programming https://www.icfpconference.org/structure.html ICFP National Science Foundation panelist NSF https://nsf.gov/dir/index.jsp?org=cise Communications of the ACM CACM http://cacm.acm.org/ Journal of the ACM JACM http://jacm.acm.org/ Journal of Functional Programming JFP http://journals.cambridge.org/jid_JFP Journal of Formalized Reasoning JFR http://jfr.unibo.it/ ACM Transactions on Programming Languages and Systems TOPLAS http://www.cs.utexas.edu/toplas/ IEEE Embedded Systems Letters ESL http://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=4563995 Journal of Automated Reasoning JAR http://www.springerlink.com/content/100280/ Information Processing Letters IPL http://www.elsevier.com/locate/ipl Higher-Order and Symbolic Computation HOSC http://www.springer.com/computer/theoretical+computer+science/journal/10990 Philosophical Transactions of the Royal Society A PTA http://rsta.royalsocietypublishing.org/ Science of Computer Programming SCP http://www.journals.elsevier.com/science-of-computer-programming/ Fundamenta Informaticae FI http://fi.mimuw.edu.pl/ http://adam.chlipala.net/cpdt/ MIT Press, 2013. Available online under a Creative Commons license.

Extended treatment of a new style of operational semantics that was applied in the work from our PLDI'21 paper

This paper gives an in-depth presentation of the omni-big-step and omni-small-step styles of semantic judgments. These styles describe operational semantics by relating starting states to sets of outcomes rather than to individual outcomes. A single derivation of these continuation-passing-style semantics for a particular starting state and program describes all possible nondeterministic executions (hence the name omni), whereas in traditional small-step and big-step semantics, each derivation only talks about one single execution. This restructuring allows for straightforward modeling of both nondeterminism and undefined behavior as commonly encountered in sequential functional and imperative programs. Specifically, omnisemantics inherently assert safety, i.e. they guarantee that none of the execution branches gets stuck, while traditional semantics need either a separate judgment or additional error markers to specify safety in the presence of nondeterminism. Omnisemantics can be understood as an inductively defined weakest-precondition semantics (or more generally, predicate-transformer semantics) that does not involve invariants for loops and recursion but instead uses unrolling rules like in traditional small-step and big-step semantics. Omnisemantics were previously described in association with several projects, but we believe the technique has been underappreciated and deserves a well-motivated, extensive, and pedagogical presentation of its benefits. We also explore several novel aspects associated with these semantics, in particular their use in type-safety proofs for lambda calculi, partial-correctness reasoning, and forward proofs of compiler correctness for terminating but potentially nondeterministic programs being compiled to nondeterministic target languages. All results in this paper are formalized in Coq.

Extended version of our ITP'16 paper

The class of stencil programs involves repeatedly updating elements of arrays according to fixed patterns, referred to as stencils. Stencil problems are ubiquitous in scientific computing and are used as an ingredient to solve more involved problems. Their high regularity allows massive parallelization. Two important challenges in designing such algorithms are cache efficiency and minimizing the number of communication steps between nodes. In this paper, we introduce a mathematical framework for a crucial aspect of formal verification of both sequential and distributed stencil algorithms, and we describe its Coq implementation. We present a domain-specific embedded programming language with support for automating the most tedious steps of proofs that nested loops respect dependencies, applicable to sequential and distributed examples. Finally, we evaluate the robustness of our library by proving the dependency-correctness of some real-world stencil algorithms, including a state-of-the-art cache-oblivious sequential algorithm, as well as two optimized distributed kernels. Source code http://www.springer.com/-/3/AWGg8n_juCj1iLTSijwC

Overview of and case for the DeepSpec project

We introduce our efforts within the project "The Science of Deep Specification" to work out the key formal underpinnings of industrial-scale formal specifications of software and hardware components, anticipating a world where large verified systems are routinely built out of smaller verified components that are also used by many other projects. We identify an important class of specification that has already been used in a few experiments that connect strong component-correctness theorems across the work of different teams. To help popularize the unique advantages of that style, we dub it deep specification, and we say that it encompasses specifications that are rich, two-sided, formal, and live (terms that we define in the article). Our core team is developing a proof-of-concept system (based on the Coq proof assistant) whose specification and verification work is divided across largely decoupled subteams at our four institutions, encompassing hardware microarchitecture, compilers, operating systems, and applications, along with cross-cutting principles and tools for effective specification. We also aim to catalyze interest in the approach, not just by basic researchers but also by users in industry. Project web site http://rsta.royalsocietypublishing.org/cgi/content/abstract/rsta.2016.0331

A file system implemented and verified in Coq, using separation logic, connected to Linux and providing respectable performance

FSCQ is the first file system with a machine-checkable proof that its implementation meets a specification, even in the presence of fail-stop crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover its state correctly without losing data. To state FSCQ's theorems, this paper introduces the Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels. CHL also reduces the proof effort for developers through proof automation. Using CHL, we developed, specified, and proved the correctness of the FSCQ file system. Although FSCQ's design is relatively simple, experiments with FSCQ as a user-level file system show that it is sufficient to run Unix applications with usable performance. FSCQ's specifications and proofs required significantly more work than the implementation, but the work was manageable even for a small team of a few researchers. http://cacm.acm.org/magazines/2017/4/215044-certifying-a-file-system-using-crash-hoare-logic/abstract

Introducing the Ur/Web programming language

The World Wide Web has evolved gradually from a document delivery platform to an architecture for distributed programming. This largely unplanned evolution is apparent in the set of interconnected languages and protocols that any Web application must manage. This paper presents Ur/Web, a domain-specific, statically typed functional programming language with a much simpler model for programming modern Web applications. Ur/Web's model is unified, where programs in a single programming language are compiled to other "Web standards" languages as needed; supports novel kinds of encapsulation of Web-specific state; and exposes simple concurrency, where programmers can reason about distributed, multithreaded applications via a mix of transactions and cooperative preemption. We give a tutorial introduction to the main features of Ur/Web. Project web site [Condensed version of POPL'15 paper, also including some tweaks to be accessible to a broader audience] http://cacm.acm.org/magazines/2016/8/205041-ur-web/abstract

Excerpts from CPDT

Excerpts from CPDT Computer proof assistants vary along many dimensions. Among the mature implementations, the Coq system is distinguished by two key features. First, we have support for programming with dependent types in the tradition of type theory, based on dependent function types and inductive type families. Second, we have a domain-specific language for coding correct-by-construction proof automation. Though the Coq user community has grown quite large, neither of the aspects I highlight is widely used. In this tutorial, I aim to provide a pragmatic introduction to both, showing how they can bring significant improvements in productivity.

Extended version of my ICFP'06 paper

Extended version of my ICFP'06 paper I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checked proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of the development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.

PL-style soundness and completeness theorems for d-separation, a standard "program analysis" for causal diagrams

The design of scientific experiments deserves its own variation of formal verification to catch cases where scientists made important mistakes, such as forgetting to take confounding variables into account. One of the most fundamental underpinnings of science is causality, or what it means for interventions in the world to cause other outcomes, as formalized by computer scientists like Judea Pearl. However, these ideas had not previously been made rigorous to the standards of the programming-languages community, where one expects a (syntactic) program analysis to be proved sound with respect to a natural semantics. In the domain of causality, as the relevant "program analysis," we focused on d-separation, a classic (and arguably unintuitive) condition on graphs that can be used to decide when the design of an experiment controls for sufficiently many confounding variables. Our central result (mechanized in Rocq) is that d-separation exactly coincides with a novel (and arguably intuitive) semantic definition inspired by noninterference from the theory of security. For each given automated test on the quality of an experiment design, our theorem justifies an associated method for falsifying the world-modeling hypothesis behind the experiment.

Extending ATL to compile sparse tensors efficiently

In this paper, we introduce a verified framework for defining and composing sparse tensor formats. We extend the ATL tensor language and scheduling framework, which formerly could only express dense tensor kernels. We define a levelized abstraction to describe per-dimension tensor formats via their encoding routines, access and iteration functions, and formal properties enforcing soundness of the sparse structures as representations of the original dense tensors. Using this abstraction, we compositionally define format-agnostic, multidimensional compression and decompression functions that are used to express the top-level soundness theorem for these abstract sparse tensor formats. We then use this soundness theorem as an adjoint-pair rewrite theorem to introduce sparse data structures and iteration into a dense tensor kernel via the existing scheduling-rewrite framework of ATL. Overall, we are able to start with a program computing over dense operands and derive a proven semantically equivalent, optimized program computing over sparse structures. We further prove a minimal set of instances of the level-format abstraction, which can be composed and passed as parameters to compression to capture a broad range of canonical, multidimensional tensor-compression formats.

Extending the Bedrock2 program-verification approach with omnisemantics to handling proof of timing upper bounds

Some important domains of software demand concrete bounds on how long functions may run, for instance for real-time cyberphysical systems where missed deadlines may damage industrial machinery. Such programs may interact with external devices throughout execution, where time deadlines ought to depend on, for instance, sensor readings (e.g. we only scramble to close a valve immediately when a sensor reports that a tank is about to overflow). We present the first software-development toolchain that delivers first-principles proofs of meaningful time bounds for interactive machine code, while allowing all per-application programming and verification to happen at the source-code level. We allow C-like programs to be proved against separation-logic specifications that constrain their running time, and such proofs are composed with verification of a compiler to RISC-V machine code. All components are implemented and proved inside the Rocq proof assistant, producing final theorems whose statements depend only on machine-language formal semantics and some elementary specification constructions for describing running time. As a capstone case study, we extended a past verification (of a real microcontroller-based cyberphysical system) to bound time between arrival of network packets and actuation of an attached device. GitHub repository

Modularizing compiler proofs in units of language features and their associated compilation code

We present Pyrosome, a generic framework for modular language metatheory that embodies a novel approach to extensible semantics and compilation, implemented in Coq. Common techniques for semantic reasoning are often tied to the specific structures of the languages and compilers that they support. In Pyrosome, verified compilers are fully extensible, meaning that to extend a language (even with a new kind of effect) simply requires defining and verifying the compilation of the new feature, reusing the old correctness theorem for all other cases. The novel enabling idea is an inductive formulation of equivalence preservation that supports the addition of new rules to the source language, target language, and compiler. Pyrosome defines a formal, deeply embedded notion of programming languages with semantics given by dependently sorted equational theories, so all compiler-correctness proofs boil down to type-checking and equational reasoning. We support vertical composition of any compilers expressed in our framework in addition to feature extension. As a case study, we present a multipass compiler from System F with simple references, through CPS translation and closure conversion. Specifically, we demonstrate how we can build such a compiler incrementally by starting with a compiler for simply typed lambda-calculus and adding natural numbers, the unit type, recursive functions, and a global heap, then extending judgments with a type environment and adding type abstraction, all while reusing the original theorems. We also present a linear version of the simply typed CPS pass and compile a small imperative language to the simply typed target to show how Pyrosome handles substructural typing and imperative features.

Retrofitting cryptographic software to use a new hardware defense, by inferring types and rewriting at the assembly level

Authors of cryptographic software are well aware that their code should not leak secrets through its timing behavior, and, until 2018, they believed that following industry-standard constant-time coding guidelines was sufficient. However, the revelation of the Spectre family of speculative execution attacks injected new complexities. To block speculative attacks, prior work has proposed annotating the program's source code to mark secret data, with hardware using this information to decide when to speculate (i.e., when only public values are involved) or not (when secrets are in play). While these solutions are able to track secret information stored on the heap, they suffer from limitations that prevent them from correctly tracking secrets on the stack, at a cost in performance. This paper introduces SecSep, a transformation framework that rewrites assembly programs so that they partition secret and public data on the stack. By moving from the source-code level to assembly rewriting, SecSep is able to address limitations of prior work. The key challenge in performing this assembly rewriting stems from the loss of semantic information through the lengthy compilation process. The key innovation of our methodology is a new variant of typed assembly language (TAL), Octal, which allows us to address this challenge. Assembly rewriting is driven by compile-time inference within Octal. We apply our technique to cryptographic programs and demonstrate that it enables secure speculation efficiently, incurring a low average overhead of 1.2%. GitHub repository

Another variation on use of omnisemantics: compilers preserve security against timing side channels, even on programs with I/O and other sources of nondeterminism

Formal verification of software and compilers has been used to rule out large classes of security-critical issues, but risk of unintentional information leakage has received much less consideration. It is a key requirement for formal specifications to leave some details of a system's behavior unspecified so that future implementation changes can be accommodated, and yet it is nonetheless expected that these choices would not be made based on confidential information the system handles. This paper formalizes that notion using omnisemantics and plain single-copy assertions, giving for the first time a specification of what it means for a nondeterministic program to be constant-time or more generally to avoid leaking (a part of) its inputs. We use this theory to prove data-leak-free execution of core cryptographic routines compiled from Bedrock2 C to RISC-V machine code, showing that the smooth specification and proof experience omnisemantics provides for nondeterminism extends to constant-time properties in the same setting. We also study variants of the key program-compiler contract, highlighting pitfalls of tempting simplifications and subtle consequences of how inputs to nondeterministic choices are constrained. Our results are backed by modular program-logic and compiler-correctness theorems, and they integrate into a neat end-to-end theorem in the Coq proof assistant. GitHub repository

Simplifying modular proofs of hardware blocks by taking advantage of hierarchy

Compared to familiar hardware-description languages like Verilog, rule-based languages like Bluespec offer opportunities to import modularity features from software programming. While Verilog modules are about connecting wires between submodules, Bluespec modules resemble objects in object-oriented programming, where interactions with a module occur only through calls to its methods. However, while software objects can typically be characterized one method at a time, the concurrent nature of hardware makes it essential to consider the repercussions of invoking multiple methods simultaneously. Prior formalizations of rule-based languages conceptualized modules by describing their semantics considering arbitrary sets of simultaneous method calls. This internalized concurrency significantly complicates correctness proofs. Rather than analyzing methods one-at-a-time, as is done when verifying software object methods, validating the correctness of rule-based modules necessitated simultaneous consideration of arbitrary subsets of method calls. The result was a number of proof cases that grew exponentially in the size of the module's API. In this work, we side-step the exponential blowup through a set of judicious language restrictions. We introduce a new Bluespec-inspired formal language, Fjfj, that supports sequential characterization of modules, while preserving the concurrent hardware nature of the language. We evaluated Fjfj by implementing it in Coq, proving the key framework principle: the refinement theorem. We demonstrated Fjfj expressivity via implementations and verification of three examples: a pipelined processor, a parameterized crossbar, and a network switch. Distinguished Artifact Award

How to verify formally that an enclave-style hardware architecture fully isolates running threads from each other, e.g. considering timing side channels

The process isolation enforceable by commodity hardware and operating systems is too weak to protect secrets from malicious code running on the same machine: Spectre-era attacks exploit timing side channels derived from contention on shared microarchitectural resources to extract secrets. With appropriate hardware support, however, we can construct isolated enclaves and safeguard independent processes from interference through timing side channels, a necessary step towards integrity and confidentiality guarantees. In this paper, we describe our work on formally specifying and verifying that a synthesizable hardware architecture implements strong timing isolation for enclaves. We reason about the cycle-accurate semantics of circuits with respect to a trustworthy formulation of strong isolation based on "air-gapped machines" and develop a modular proof strategy that sidesteps the need to prove functionalf correctness of processors. We apply our method on a synthesizable, multicore, pipelined RISC-V design formalized in Coq. GitHub repository

Proving the right correctness relationship between two RISC-V implementation techniques: multiplication via a hardware instruction or via trapping to a software routine

Some processors, especially embedded ones, do not implement all instructions in hardware. Instead, if the processor encounters an unimplemented instruction, an unsupported-instruction exception is raised, and an exception handler is run which implements the missing instruction in software. Getting such a system to work correctly is tricky: The exception handler code must not destroy any state of the user program and must use the control and status registers (CSRs) of the processor correctly. Moreover, parts of the handler are typically implemented in assembly, while other parts are implemented in a language like C, and one must make sure that when jumping from the user program into the handler assembly, from the handler assembly into C, back to assembly and finally back to the user program, all the assumptions made by the different pieces of code, hardware, and the compiler are satisfied. Despite all these tricky details, there is a concise and intuitive way of stating the correctness of such a system: User programs running on a system where some instructions are implemented in software behave the same as if they were running on a system where all instructions are implemented in hardware. We formalize and prove such a statement in the Coq proof assistant, for the case of a simple exception handler implementing the multiplication instruction on a RISC-V processor. GitHub repository

Security verification of file systems that takes probabilistic failures into account

Nondeterminism, such as system crashes, poses an important challenge to the security of storage systems by making leakages possible through secret-dependent result probabilities. This paper proposes a new possibilistic confidentiality specification prohibiting such probabilistic leakages. Our specification is preserved under simulation to enable modularity and is sequentially compositional. We implemented our specification in a framework that contains structures to implement storage systems and prove their confidentiality in a modular fashion. On top of our framework, we implemented the first crash-safe file system with a termination-insensitive version of our specification and machine-checkable confidentiality proofs. Our evaluation shows that proving confidentiality incurs 9.2x proof overhead per line of implementation code. Both our framework and file system are implemented in Coq and extracted to Haskell to obtain an executable artifact.

An integrated Coq proof of a cryptographic server, as one machine-code image that runs on bare metal, built up from quite different programming languages and verification approaches

Some important dimensions of a formal verification might be called its stack height, or how many layers of a system are proved as a whole; tool diversity, or heterogeneity of tools used to verify different parts of a system; and foundationalness, or minimality of the tool-implementation code that must be trusted to believe verification results. This paper presents our verification case study that is, to our knowledge, the first to reach our level of tool diversity while covering all software installed in a demonstration computer system and roughly maxing out foundationalness within a proof assistant. That is, our unified proof is checked by Coq, and its statement depends on neither syntax nor semantics for any programming language but machine language, nor do we leave any compiler or verification tool as trusted, beyond Coq's kernel proof checker. Our case study is a simple cryptographic server for flipping of a bit of state through authenticated network messages, adopting code conventions of embedded systems, like static bounds on memory usage. We believe it is the first formal verification covering a full software stack that models both network input and output. Perhaps most distinctive is that we have chosen quite different programming languages and verification tools for different parts of the software stack (e.g., some libraries are proved as functional programs with equational reasoning, and others are proved as C-like programs or even machine code with separation logic), yet all of the correctness theorems for libraries and layers are integrated into one foundational result. We developed a unified specification style that is able to support that diversity well, and we experienced widely varying productivity with the different verification styles we employed, some of which we recommend for future work and some of which we do not. GitHub repositories: fiat-crypto and bedrock2

Pushing the Coq-verified compilation guarantees even lower (to a C subset), within our ATL tensor-programming project

Producing efficient array code is crucial in high-performance domains like image processing and machine learning. This goal depends on an ability to control factors like compute intensity and locality by reordering computations into different stages and granularities with respect to where they are stored. However, traditional pure, functional tensor languages struggle to do so. In a previous publication, the ATL language was introduced as a pure, functional tensor language capable of systematically decoupling compute and storage order via a set of high-level combinators known as reshape operators. Reshape operators are a unique functional-programming construct since they manipulate storage location in the generated code by modifying the indices that appear on the left-hand sides of storage expressions. We present a formal correctness proof for an implementation of the compilation algorithm, marking the first verification of a lowering algorithm from a functional language that enables separate control of compute and storage ordering. One of the core difficulties of this proof required properly formulating the complex invariants to ensure that these storage-index remappings were well-formed. Notably, this revealed a soundness bug in the original published compilation algorithm regarding the truncation reshape operator. Our fix is a new type system that captures safety conditions that were previously implicit and enables us to prove compiler correctness for well-typed source programs. We evaluate this type system and compiler implementation on a range of common programs and optimizations, including but not limited to those previously studied, which demonstrated performance comparable to established compilers like Halide. GitHub repository

Could Coq be an even more pleasant C-programming IDE than the big names, if we work the right magic with notations and tactics?

We present a prototype for a tool that enables programmers to verify their code as they write it in real-time. After each line of code that the programmer writes, the tool tells the programmer what it can prove about the program so far and indicates potential oversights or potentially violated assumptions. Once the programmer has finished writing the program, it is already verified with a mathematical correctness proof. Other tools providing real-time feedback already exist, but ours is the first one that only relies on a small trusted proof checker and that provides a concise summary of all the facts that are provable at the point in the program currently being edited, as opposed to only indicating whether user-stated assertions or postconditions hold. Program verification requires loop invariants, which are hard to find and tedious to spell out. We explore a middle ground in the design space between the two extremes of requiring users to spell out loop invariants manually and attempting to infer loop invariants automatically: Based on the observation that a loop invariant often looks quite similar to the symbolic state right before the loop, our tool asks users to express the desired loop invariant as a diff from the symbolic state before the loop, which has the potential to lead to less verbose and more maintainable proofs. We prototyped our technique in the interactive proof assistant Coq, so our framework creates machine-checked proofs that the developed functions satisfy their specifications when executed according to the formal semantics of the source language. Using a verified compiler proven against the same source-language semantics, we can ensure that the behavior of the compiled program matches the program's behavior as represented by the framework during the proof. Additionally, since our polyglot source files can be viewed as Coq or C files at the same time, users willing to accept a bigger trusted code base can compile them with GCC. GitHub repository

Our lightweight but flexible approach to mechanized semantics of hardware instruction sets

Instruction sets, from families like x86 and ARM, are at the center of many ambitious formal-methods projects. Many verification, synthesis, programming, and debugging tools rely on formal semantics of instruction sets, but different tools can use semantics in rather different ways. The best-known work applying single semantics across diverse tools relies on domain-specific languages like Sail, where the language and its translation tools are specialized to the realm of instruction sets. In the context of the open RISC-V instruction-set family, we decided to explore a different approach, with semantics written in a carefully chosen subset of Haskell. This style does not depend on any new language translators, relying instead on parameterization of semantics over type-class instances. Our case study is for the open RISC-V instruction-set family, and we have used a single core semantics to support testing, interactive proof, and model checking of both software and hardware, demonstrating that this functional-programming feature can support pleasant prototyping of ISA semantics. GitHub repositories: Haskell baseline and related Coq code Distinguished Paper Award

Genetic program search meets translation validation for Fiat Cryptography, improving performance and shrinking the trusted base even while bringing in more avant-garde compiler techniques

Most software domains rely on compilers to translate high-level code to multiple different machine languages, with performance not too much worse than what developers would have the patience to write directly in assembly language. However, cryptography has been an exception, where many performance-critical routines have been written directly in assembly (sometimes through metaprogramming layers). Some past work has shown how to do formal verification of that assembly, and other work has shown how to generate C code automatically along with formal proof, but with consequent performance penalties vs. the best-known assembly. We present Cryptopt, the first compilation pipeline that specializes high-level cryptographic functional programs into assembly code significantly faster than what GCC or Clang produce, with mechanized proof (in Coq) whose final theorem statement mentions little beyond the input functional program and the operational semantics of x86-64 assembly. On the optimization side, we apply randomized search through the space of assembly programs, with repeated automatic benchmarking on target CPUs. On the formal-verification side, we connect to the Fiat Cryptography framework (which translates functional programs into C-like IR code) and extend it with a new formally verified program-equivalence checker, incorporating a modest subset of known features of SMT solvers and symbolic-execution engines. The overall prototype is quite practical, e.g. producing new fastest-known implementations for the relatively new Intel i9 12G, of finite-field arithmetic for both Curve25519 (part of the TLS standard) and the Bitcoin elliptic curve secp256k1. Code: CryptOpt, fiat-crypto

Modular proofs of concurrent libraries, mixing classic lock-free data structures and transactional memory, in the style of interaction trees

Transactional objects combine the performance of classical concurrent objects with the high-level programmability of transactional memory. But verifying the correctness of transactional objects is tricky, requiring reasoning simultaneously about classical concurrent objects, which guarantee the atomicity of individual methods -- the property known as linearizability -- and about software-transactional-memory libraries, which guarantee the atomicity of user-defined sequences of method calls -- or serializability. We present a formal verification framework, built up from the familiar notion of linearizability and its compositional properties, that allows proof of both kinds of libraries, along with composition of theorems from both styles to prove correctness of applications or further libraries. We apply the framework in a significant case study, verifying a transactional set object built out of both classical and transactional components following the technique of transactional predication; the proof is modular, reasoning separately about the transactional and non-transactional parts of the implementation. Central to our approach is the use of syntactic transformers on interaction trees -- e.g., transactional libraries that transform client code to enforce a particular synchronization discipline. Our framework and case studies are mechanized in Coq.

Taking all the fine-grained concurrency reasoning out of design and proof of cache-coherence protocols, via a DSL proved sound with commutativity analysis

Cache-coherence protocols have been one of the greatest challenges in formal verification of hardware, due to their central complication of executing multiple memory-access transactions concurrently within a distributed message-passing system. In this paper, we introduce Hemiola, a framework embedded in Coq that guides the user to design protocols that never experience inconsistent interleavings while handling transactions concurrently. The framework provides a DSL, where any protocol designed in the DSL always satisfies the serializability property, allowing a user to verify the protocol assuming that transactions are executed one-at-a-time. Hemiola also provides a novel invariant proof method, for protocols designed in Hemiola, that only requires considering execution histories without interleaved memory accesses. We used Hemiola to design and prove hierarchical MSI and MESI protocols as case studies. We also demonstrated that the case-study protocols are hardware-synthesizable, by using a compilation/synthesis toolchain targeting FPGAs. GitHub repository Lincoln Laboratory Best Paper Award

Mechanized cryptographic protocols that are guaranteed to resist adversary interference, in much the same way that traditional type systems resist memory errors

Compared to ordinary concurrent and distributed systems, cryptographic protocols are distinguished by the need to reason about interference by adversaries. We suggest a new layered approach to tame that complexity, via an executable protocol language whose semantics does not reveal an adversary directly, instead enforcing a set of intuitive hygiene rules. By virtue of those rules, protocols written in this language provably behave identically with or without interference by active Dolev-Yao-style adversaries. As a result, formal reasoning about protocols can be simplified enough that even naive model checking can establish correctness of a multiparty protocol, through analysis of a state space with no adversary. We present the design and implementation of SPICY, short for Secure Protocols Implemented CorrectlY, including the semantics of its input languages; the essential safety proofs, formalized in the Coq theorem prover; and the automation techniques. We provide a preliminary evaluation of the tool's performance and capabilities via a handful of case studies. GitHub repository

Generating formally verified compilers modularly via Coq-proved rewrite rules, applied to make Fiat Cryptography a lot faster

Compilers are a prime target for formal verification, since compiler bugs invalidate higher-level correctness guarantees, but compiler changes may become more labor-intensive to implement, if they must come with proof patches. One appealing approach is to present compilers as sets of algebraic rewrite rules, which a generic engine can apply efficiently. Now each rewrite rule can be proved separately, with no need to revisit past proofs for other parts of the compiler. We present the first realization of this idea, in the form of a framework for the Coq proof assistant. Our new Coq command takes normal proved theorems and combines them automatically into fast compilers with proofs. We applied our framework to improve the Fiat Cryptography toolchain for generating cryptographic arithmetic, producing an extracted command-line compiler that is about 1000X faster while actually featuring simpler compiler-specific proofs. GitHub repository

Understanding regressions in Coq itself with automatic reduction of test cases

As the adoption of proof assistants increases, there is a need for efficiency in identifying, documenting, and fixing compatibility issues that arise from proof assistant evolution. We present the Coq Bug Minimizer, a tool for reproducing buggy behavior with minimal and standalone files, integrated with coqbot to trigger automatically on Coq reverse CI failures. Our tool eliminates the overhead of having to download, set up, compile, and then explore and understand large developments: enabling Coq developers to easily obtain modular test-case files for fast experimentation. In this paper, we describe insights about how test-case reduction is different in Coq than in traditional compilers.We expect that our insights will generalize to other proof assistants. We evaluate the Coq Bug Minimizer on over 150 CI failures. Our tool succeeds in reducing failures to smaller test cases in roughly 75% of the time. The minimizer produces a fully standalone test case 89% of the time, and it is on average about one-third the size of the original test. The average reduced test case compiles in 1.25 seconds, with 75% taking under half a second. GitHub repository

Round two of using Coq to compile functional programs to imperative programs with proof, using proof-generating extensions for flexibility

There are typically two ways to compile and run a purely functional program verified using an interactive theorem prover (ITP): automatically extracting it to a similar language (typically an unverified process, like Coq to OCaml) or manually proving it equivalent to a lower-level reimplementation (like a C program). Traditionally, only the latter produced both excellent performance and end-to-end proofs. This paper shows how to recast program extraction as a proof-search problem to automatically derive correct-by-construction, high-performance code from purely functional programs. We call this idea relational compilation -- it extends recent developments with novel solutions to loop-invariant inference and genericity in kinds of side effects. Crucially, relational compilers are incomplete, and unlike traditional compilers, they generate good code not because of a fixed set of clever built-in optimizations but because they allow experts to plug in domain-specific extensions that give them complete control over the compiler's output. We demonstrate the benefits of this approach with Rupicola, a new compiler-construction toolkit designed to extract fast, verified, idiomatic low-level code from annotated functional models. Using case studies and performance benchmarks, we show that it is extensible with minimal effort and that it achieves performance on par with that of handwritten C programs. GitHub repository

Deriving correct imperative loop programs from functional programs with Coq proof, in a style inspired by Halide

We present a lightweight Coq framework for optimizing tensor kernels written in a pure, functional array language. Optimizations rely on user scheduling using series of verified, semantics-preserving rewrites. Unusually for compilation targeting imperative code with arrays and nested loops, all rewrites are source-to-source within a purely functional language. Our language comprises a set of core constructs for expressing high-level computation detail and a set of what we call reshape operators, which can be derived from core constructs but trigger low-level decisions about storage patterns and ordering. We demonstrate that not only is this system capable of deriving the optimizations of existing state-of-the-art languages like Halide and generating comparably performant code, it is also able to schedule a family of useful program transformations beyond what is reachable in Halide. GitHub repository

Using Coq to derive correct first-order implementations of network protocols from higher-order descriptions, applied to TLS 1.3

One of the biggest implementation challenges in security-critical network protocols is nested state machines. In practice today, state machines are either implemented manually at a low level, risking bugs easily missed in audits; or are written using higher-level abstractions like threads, depending on runtime systems that may sacrifice performance or compatibility with the ABIs of important platforms (e.g., resource-constrained IoT systems). We present a compiler-based technique allowing the best of both worlds, coding protocols in a natural high-level form, using freer monads to represent nested coroutines, then compiled automatically to lower-level code with explicit state. In fact, our compiler is implemented as a tactic in the Coq proof assistant, structuring compilation as search for an equivalence proof for source and target programs. As such, it is straightforwardly (and soundly) extensible with new hints, for instance regarding new data structures that may be used to index coroutines. As a case study, we implemented a core of TLS sufficient for use with popular Web browsers, and our experiments show that the extracted Haskell code achieves reasonable performance. GitHub repository

Overview of a key design principle in FRAP courses: mixed embeddings for concise but flexible syntax definitions for embedded languages

Rigorous reasoning about programs calls for some amount of bureaucracy in managing details like variable binding, but, in guiding students through big ideas in semantics, we might hope to minimize the overhead. We describe our experiment introducing a range of such ideas, using the Coq proof assistant, without any explicit representation of variables, instead using a higher-order syntax encoding that we dub "mixed embedding": it is neither the fully explicit syntax of deep embeddings nor the syntax-free programming of shallow embeddings. Marquee examples include different takes on concurrency reasoning, including in the traditions of model checking (partial-order reduction), program logics (concurrent separation logic), and type checking (session types) -- all presented without any side conditions on variables. Book home page

An end-to-end, software+hardware Coq proof for an Internet-connected lightbulb

The interfaces between layers of a system are susceptible to bugs if developers of adjacent layers proceed under subtly different assumptions. Formal verification of two layers against the same formal model of the interface between them can be used to shake out these bugs. Doing so for every interface in the system can, in principle, yield unparalleled assurance of the correctness and security of the system as a whole. However, there have been remarkably few efforts that carry out this exercise, and all of them have simplified the task by restricting interactivity of the application, inventing new simplified instruction sets, and using unrealistic input and output mechanisms. We report on the first verification of a realistic embedded system, with its application software, device drivers, compiler, and RISC-V processor represented inside the Coq proof assistant as one mathematical object, with a machine-checked proof of functional correctness. A key challenge is structuring the proof modularly, so that further refinement of the components or expansion of the system can proceed without revisiting the rest of the system. GitHub repository

Bootstrapping on software-development tools to create a good experience simulating, debugging, and profiling hardware designs in Bluespec-like languages, taking advantage of high-level properties of source files

Rule-based hardware design languages (RHDLs) promise to enhance developer productivity by offering convenient abstractions. Advanced compiler technology keeps the cost of these abstractions low, generating circuits with excellent area and timing properties. Unfortunately, comparatively little effort has been spent on building simulators and debuggers for these languages, so users often simulate and debug their designs at the RTL level. This is problematic because generated circuits typically suffer from poor readability, as compiler optimizations can break high-level abstractions. Worse, optimizations that operate under the assumption that concurrency is essentially free yield faster circuits but often actively hurt simulation performance on platforms with limited concurrency, like desktop computers or servers. This paper demonstrates the benefits of completely separating the simulation and synthesis pipelines. We propose a new approach, yielding the first compiler designed for effective simulation and debugging of a language in the Bluespec family. We generate cycle-accurate C++ models that are readable, compatible with a wide range of traditional software-debugging tools, and fast (often 2 to 3x faster than circuit-level simulation). We achieve these results by optimizing for sequential performance and using static analysis to minimize redundant work. The result is a vastly-improved hardware-design experience, which we demonstrate on embedded processor designs and DSP building blocks using performance benchmarks and debugging case studies. GitHub repository

The last link in a pipeline for automatic compilation, with proofs, from relational specifications to Bedrock assembly programs

We present an original approach to sound program extraction in a proof assistant, using syntax-driven automation to derive correct-by-construction imperative programs from nondeterministic functional source code. Our approach does not require committing to a single inflexible compilation strategy and instead makes it straightforward to create domain-specific code translators. In addition to a small set of core definitions, our framework is a large, user-extensible collection of compilation rules each phrased to handle specific language constructs, code patterns, or data manipulations. By mixing and matching these pieces of logic, users can easily tailor extraction to their own domains and programs, getting maximum performance and ensuring correctness of the resulting assembly code. Using this approach, we complete the first proof-generating pipeline that goes automatically from high-level specifications to assembly code. In our main case study, the original specifications are phrased to resemble SQL-style queries, while the final assembly code does manual memory management, calls out to foreign data structures and functions, and is suitable to deploy on resource-constrained platforms. The pipeline runs entirely within the Coq proof assistant, leading to final, linked assembly code with overall full-functional-correctness proofs in separation logic. GitHub repository

A new hardware-description language that combines Bluespec's modular-decomposition style with fine-grained control of timing; includes Coq embedding with a verified compiler to circuits

The Bluespec hardware-description language presents a significantly higher-level view than hardware engineers are used to, exposing a simpler concurrency model that promotes formal proof, without compromising on performance of compiled circuits. Unfortunately, the cost model of Bluespec has been unclear, with performance details depending on a mix of user hints and opaque static analysis of potential concurrency conflicts within a design. In this paper we present Kôika, a derivative of Bluespec that preserves its desirable properties and yet gives direct control over the scheduling decisions that determine performance. Kôika has a novel and deterministic operational semantics that uses dynamic analysis to avoid concurrency anomalies. Our implementation includes Coq definitions of syntax, semantics, key metatheorems, and a verified compiler to circuits. We argue that most of the extra circuitry required for dynamic analysis can be eliminated by compile-time BSV-style static analysis. GitHub repository

Using Coq to derive efficient binary-format parsers from declarative specifications, automatically

It is a neat result from functional programming that libraries of parser combinators can support rapid construction of decoders for quite a range of formats. With a little more work, the same combinator program can denote both a decoder and an encoder. Unfortunately, the real world is full of gnarly formats, as with the packet formats that make up the standard Internet protocol stack. Most past parser-combinator approaches cannot handle these formats, and the few exceptions require redundancy -- one part of the natural grammar needs to be hand-translated into hints in multiple parts of a parser program. We show how to recover very natural and nonredundant format specifications, covering all popular network packet formats and generating both decoders and encoders automatically. The catch is that we use the Coq proof assistant to derive both kinds of artifacts using tactics, automatically, in a way that guarantees that they form inverses of each other. We used our approach to reimplement packet processing for a full Internet protocol stack, inserting our replacement into the OCaml-based MirageOS unikernel, resulting in minimal performance degradation. GitHub repository

Correct-by-construction generation of low-level crypto-primitive code using Coq

We introduce a new approach for implementing cryptographic arithmetic in short high-level code with machine-checked proofs of functional correctness. We further demonstrate that simple partial evaluation is sufficient to transform into the fastest-known C code, breaking the decades-old pattern that the only fast implementations are those whose instruction-level steps were written out by hand. These techniques were used to build an elliptic-curve library that achieves competitive performance for 80 prime fields and multiple CPU architectures, showing that implementation and proof effort scales with the number and complexity of conceptually different algorithms, not their use cases. As one outcome, we present the first verified high-performance implementation of P-256, the most widely used elliptic curve. Implementations from our library were included in BoringSSL to replace existing specialized code, for inclusion in several large deployments for Chrome, Android, and CloudFlare. Note on errata: a prepublication version was posted here for several months, containing some errors that have been fixed in the final version posted now. Source code

Summarizing our team's work with formal methods in the DARPA SSITH program

Anticipating all possible attacks on a system is hard work. Malicious actors seem to have an inherent advantage, since they can win by finding single vulnerabilities. In our MIT team within the DARPA SSITH program, we are exploring principled ways to rule out human error as a source of security issues in computer processors. A typical security audit involves prose arguments about attack models and why they are thwarted. We instead write down formal mathematical theorems about real digital hardware designs, and we build their formal proofs that can be checked algorithmically. That is, a program, rather than a potentially distracted human, confirms that the security argument is convincing. After giving some background on the general technology, I would like to focus on two concrete uses in the SSITH program. First, we are exploring flexible tagging support, to flow additional security-relevant information through the microarchitectural state of a Linux-capable processor. Unusually, however, we propose to compile custom processor descriptions automatically from descriptions of security policies to be enforced. We aim to do this compilation in a way that gives formal theorems that the generated processors truly enforce the security policies. Second, we are tackling the issues with timing side channels exposed by the Spectre and Meltdown vulnerabilities. Through a synergistic connection with work funded by the National Science Foundation, we are able to prove security theorems for whole hardware-software system stacks. For instance, we can show that a compiled C program with a cryptographic function will run on a specific RISC-V processor, in a way where a secret input flowing into the function provably has no effect on timing of output events flowing out of the processor.

FSCQ extended to track information-flow policies that distinguish between different users

SFSCQ is the first file system with a machine-checked proof of security. To develop, specify, and prove SFSCQ, this paper introduces DiskSec, a novel approach for reasoning about confidentiality of storage systems, such as a file system. DiskSec addresses the challenge of specifying confidentiality using the notion of data noninterference to find a middle ground between strong and precise information-flow-control guarantees and the weaker but more practical discretionary access control. DiskSec factors out reasoning about confidentiality from other properties (such as functional correctness) using a notion of sealed blocks. Sealed blocks enforce that the file system treats confidential file blocks as opaque in the bulk of the code, greatly reducing the effort of proving data noninterference. An evaluation of SFSCQ shows that its theorems preclude security bugs that have been found in real file systems, that DiskSec imposes little performance overhead, and that SFSCQ's incremental development effort, on top of DiskSec and DFSCQ, on which it is based, was moderate.

An introduction to a slick way of implementing programming languages concisely and modularly, focusing on type checking, told in the style of a play, including songs

We demonstrate how the framework of higher-order logic programming, as exemplified in the Lambda-Prolog language design, is a prime vehicle for rapid prototyping of implementations for programming languages with sophisticated type systems. We present the literate development of a type checker for a language with a number of complicated features, culminating in a standard ML-style core with algebraic datatypes and type generalization, extended with staging constructs that are generic over a separately defined language of terms. We add each new feature in sequence, with little to no changes to existing code. Scaling the higher-order logic programming approach to this setting required us to develop approaches to challenges like complex variable binding patterns in object languages and performing generic structural traversals of code, making use of novel constructions in the setting of Lambda-Prolog, such as GADTs and generic programming. For our development, we make use of Makam, a new implementation of Lambda-Prolog, which we introduce in tutorial style as part of our (quasi-)literate development. Project site

A theorem in real analysis shows that, in a world where all computations are continuous, we can't implement interesting conditional tests over, say, the real numbers. Here we show how to get around the problem with a functional-programming-friendly topological treatment of nondeterminism. (We can make discrete decisions about values from continuous spaces so long as we leave some wiggle room about what will actually happen at runtime.)

Though many safety-critical software systems use floating point to represent real-world input and output, the mathematical specifications of these systems' behaviors use real numbers. Significant deviations from those specifications can cause errors and jeopardize safety. To ensure system safety, some programming systems offer exact real arithmetic, which often enables a program's computation to match its mathematical specification exactly. However, exact real arithmetic complicates decision-making: in these systems, it is impossible to compute (total and deterministic) discrete decisions based on connected spaces such as R. We present programming-language semantics based on constructive topology with variants allowing nondeterminism and/or partiality. Either nondeterminism or partiality suffices to allow computable decision making on connected spaces such as R. We then introduce pattern matching on spaces, a language construct for creating programs on spaces, generalizing pattern matching in functional programming, where patterns need not represent decidable predicates and also may overlap or be inexhaustive, giving rise to nondeterminism or partiality, respectively. Nondeterminism and/or partiality also yield formal logics for constructing approximate decision procedures. We extended the Marshall language for exact real arithmetic with these constructs and implemented some programs with it. Source code

A surprisingly simple way to convert terms in higher-order logic into first-class syntax trees, using standard features: would you believe that reification can mostly be done by term normalization in the metalanguage?

We present a new strategy for performing reification in Coq. That is, we show how to generate first-class abstract syntax trees from "native" terms of Coq's logic, suitable as inputs to verified compilers or procedures in the proof-by-reflection style. Our new strategy, based on simple generalization of subterms as variables, is straightforward, short, and fast. In its pure form, it is only complete for constants and function applications, but "let" binders, eliminators, lambdas, and quantifiers can be accommodated through lightweight coding conventions or preprocessing. We survey the existing methods of reification across multiple Coq metaprogramming facilities, describing various design choices and tricks that can be used to speed them up, as well as various limitations. We report benchmarking results for 18 variants, in addition to our own, finding that our own reification outperforms 16 of these methods in all cases, and one additional method in some cases; writing an OCaml plugin is the only method tested to be faster. Our method is the most concise of the strategies we considered, reifying terms using only two to four lines of Ltac---beyond lists of the identifiers to reify and their reified variants. Additionally, our strategy automatically provides error messages that are no less helpful than Coq's own error messages. Source code

FSCQ extended to support "flush" operations and delayed syncing of data to disk, as a performance optimization

VDFS is the first file system that (1) provides a precise specification for fsync and fdatasync, which allow applications to achieve high performance and crash safety, and that (2) provides a machine-checked proof that its implementation meets this precise specification. VDFS's proof rules out some of the most common bugs in file-system implementations, as system calls are proved to expose the expected atomic behavior. VDFS's specification also allows applications to prove their own crash safety, avoiding application-level bugs such as forgetting to invoke fsync on both the file and the containing directory. The key challenge in building VDFS is to write concise specifications for the file system and its internal implementation. VDFS introduces a metadata-prefix specification that captures the properties of fsync and fdatasync, which roughly follows the behavior of Linux ext4. This specification uses a notion of tree sequences -- a logical sequence of file system tree states -- to succinctly describe the possible states after a crash, and to describe how data writes can be re-ordered with respect to metadata updates. An evaluation shows that VDFS achieves 103 MB/s on large file writes to an SSD and durably creates small files at a rate of 1,618 files per second. In comparison, Linux ext4 achieves 295 MB/s for large file writes and 4,977 files/s for small file creation. VDFS is much faster than any previous verified file system (none can even implement large file writes, and the fastest can create 350 files/s). GitHub repository

Using refinement types to upper-bound program asymptotic running time, taking advantage of invariants specific to data structures

We present TiML (Timed ML), an ML-like functional language with time-complexity annotations in types. It uses indexed types to express sizes of data structures and upper bounds on running time of functions; and refinement kinds to constrain these indices, expressing data-structure invariants and pre/post-conditions. Indexed types are flexible enough that TiML avoids a built-in notion of "size", and the programmer can choose to index user-defined datatypes in any way that helps her analysis. TiML's distinguishing characteristic is supporting highly automated time-bound verification applicable to data structures with nontrivial invariants. The programmer provides type annotations, and the typechecker generates verification conditions that are discharged by an SMT solver. Type and index inference are supported to lower annotation burden, and, furthermore, big-O complexity can be inferred from recurrences generated during typechecking by a recurrence solver based on heuristic pattern matching (e.g. using the Master Theorem to handle divide-and-conquer-like recurrences). We have evaluated TiML's usability by implementing a broad suite of case-study modules, demonstrating that TiML, though lacking full automation and theoretical completeness, is versatile enough to verify worst-case and/or amortized complexities for algorithms and data structures like classic list operations, merge sort, Dijkstra's shortest-path algorithm, red-black trees, Braun trees, functional queues and dynamic tables with bounds like mn log n. The learning curve and annotation burden are reasonable, as we argue with statistics on our case studies. We formalized TiML's type-soundness proof in Coq.

A Coq framework for modular correctness proofs of computer-architecture designs, supporting automatic extraction to circuits that run on FPGAs, etc.

It has become fairly standard in the programming-languages research world to verify functional programs in proof assistants using induction, algebraic simplification, and rewriting. In this paper, we introduce Kami, a Coq library that uses labeled transition systems to enable similar expressive and modular reasoning for hardware designs expressed in the style of the Bluespec language. We can specify, implement, and verify realistic designs entirely within Coq, ending with automatic extraction into a pipeline that bottoms out in FPGAs. Our methodology has been evaluated in a case study verifying an infinite family of multicore systems, with cache-coherent shared memory and pipelined cores implementing (the base integer subset of) the RISC-V instruction set. Project web site

The sales pitch for our Fiat system as embodying a new programming style, with novel and effective kinds of abstraction and modularity

Functionality of software systems has exploded in part because of advances in programming-language support for packaging reusable functionality as libraries. Developers benefit from the uniformity that comes of exposing many interfaces in the same language, as opposed to stringing together hodgepodges of command-line tools. Domain-specific languages may be viewed as an evolution of the power of reusable interfaces, when those interfaces become so flexible as to deserve to be called programming languages. However, common approaches to domain-specific languages give up many of the hard-won advantages of library-building in a rich common language, and even the traditional approach poses significant challenges in learning new APIs. We suggest that instead of continuing to develop new domain-specific languages, our community should embrace library-based ecosystems within very expressive languages that mix programming and theorem proving. Our prototype framework Fiat, a library for the Coq proof assistant, turns languages into easily comprehensible libraries via the key idea of modularizing functionality and performance away from each other, the former via macros that desugar into higher-order logic and the latter via optimization scripts that derive efficient code from logical programs. Project web site Slides are available from my talk [LibreOffice, PDF].

A compiler optimization for Ur/Web that adds caching for SQL-query results and derived computations, inferring sound invalidation strategies that often avoid bottlenecks for parallel execution

Most popular Web applications rely on persistent databases based on languages like SQL for declarative specification of data models and the operations that read and modify them. As applications scale up in user base, they often face challenges responding quickly enough to the high volume of requests. A common aid is caching of database results in the application's memory space, taking advantage of program-specific knowledge of which caching schemes are sound and useful, embodied in handwritten modifications that make the program less maintainable. These modifications also require nontrivial reasoning about the read-write dependencies across operations. In this paper, we present a compiler optimization that automatically adds sound SQL caching to Web applications coded in the Ur/Web domain-specific functional language, with no modifications required to source code. We use a custom cache implementation that supports concurrent operations without compromising the transactional semantics of the database abstraction. Through experiments with microbenchmarks and production Ur/Web applications, we show that our optimization in many cases enables an easy doubling or more of an application's throughput, requiring nothing more than passing an extra command-line flag to the compiler. Project web site

A Coq framework for verifying that nested loops obey dependency constraints, in message-passing distributed programs that collaboratively fill in the cells of large multidimensional grids

The class of stencil programs involves repeatedly updating elements of arrays according to fixed patterns, referred to as stencils. Stencil problems are ubiquitous in scientific computing and are used as an ingredient to solve more involved problems. Their high regularity allows massive parallelization. Two important challenges in designing such algorithms are cache efficiency and minimizing the number of communication steps between nodes. In this paper, we introduce a mathematical framework for a crucial aspect of formal verification of both sequential and distributed stencil algorithms, and we describe its Coq implementation. We present a domain-specific embedded programming language with support for automating the most tedious steps of proofs that nested loops respect dependencies, applicable to sequential and distributed examples. Finally, we evaluate the robustness of our library by proving the dependency-correctness of some real-world stencil algorithms, including a state-of-the-art cache-oblivious sequential algorithm, as well as two optimized distributed kernels. Source code

Coq proofs of several distributed key-value store algorithms, including principles for modular reasoning about client programs that use them

Today's Internet services are often expected to stay available and render high responsiveness even in the face of site crashes and network partitions. Theoretical results state that causal consistency is one of the strongest consistency guarantees that is possible under these requirements, and many practical systems provide causally consistent key-value stores. In this paper, we present a framework called Chapar for modular verification of causal consistency for replicated key-value store implementations and their client programs. Specifically, we formulate separate correctness conditions for key-value store implementations and for their clients. The interface between the two is a novel operational semantics for causal consistency. We have verified the causal consistency of two key-value store implementations from the literature using a novel proof technique. We have also implemented a simple automatic model checker for the correctness of client programs. The two independently verified results for the implementations and clients can be composed to conclude the correctness of any of the programs when executed with any of the implementations. We have developed and checked our framework in Coq, extracted it to OCaml, and built executable stores. Best Paper Award and (ten years later) Test of Time Award

A file system implemented and verified in Coq, using separation logic, connected to Linux and providing respectable performance

FSCQ is the first file system with a machine-checkable proof (using the Coq proof assistant) that its implementation meets its specification and whose specification includes crashes. FSCQ provably avoids bugs that have plagued previous file systems, such as performing disk writes without sufficient barriers or forgetting to zero out directory blocks. If a crash happens at an inopportune time, these bugs can lead to data loss. FSCQ's theorems prove that, under any sequence of crashes followed by reboots, FSCQ will recover the file system correctly without losing data. To state FSCQ's theorems, this paper introduces the Crash Hoare logic (CHL), which extends traditional Hoare logic with a crash condition, a recovery procedure, and logical address spaces for specifying disk states at different abstraction levels. CHL also reduces the proof effort for developers through proof automation. Using CHL, we developed, specified, and proved the correctness of the FSCQ file system. Although FSCQ's design is relatively simple, experiments with FSCQ running as a user-level file system show that it is sufficient to run Unix applications with usable performance. FSCQ's specifications and proofs required significantly more work than the implementation, but the work was manageable even for a small team of a few researchers. GitHub repository

The whole-program optimizing compiler for Ur/Web

High-level scripting languages have become tremendously popular for development of dynamic Web applications. Many programmers appreciate the productivity benefits of automatic storage management, freedom from verbose type annotations, and so on. While it is often possible to improve performance substantially by rewriting an application in C or a similar language, very few programmers bother to do so, because of the consequences for human development effort. This paper describes a compiler that makes it possible to have most of the best of both worlds, coding Web applications in a high-level language but compiling to native code with performance comparable to handwritten C code. The source language is Ur/Web, a domain-specific, purely functional, statically typed language for the Web. Through a coordinated suite of relatively straightforward program analyses and algebraic optimizations, we transform Ur/Web programs into almost-idiomatic C code, with no garbage collection, little unnecessary memory allocation for intermediate values, etc. Our compiler is in production use for commercial Web sites supporting thousands of users, and microbenchmarks demonstrate very competitive performance versus mainstream tools. Project web site Slides are available from my talk at ICFP'15 [LibreOffice, PDF]. There's also an online video of the talk.

Modular Coq proofs of Bluespec-style hardware descriptions, where processors and memory systems can be verified separately against generic specs (in the style of labeled transition systems) that are compatible with many different optimizations

We present a new framework for modular verification of hardware designs in the style of the Bluespec language. That is, we formalize the idea of components in a hardware design, with well-defined input and output channels; and we show how to specify and verify components individually, with machine-checked proofs in the Coq proof assistant. As a demonstration, we verify a fairly realistic implementation of a multicore shared-memory system with two types of components: memory system and processor. Both components include nontrivial optimizations, with the memory system employing an arbitrary hierarchy of cache nodes that communicate with each other concurrently, and with the processor doing speculative execution of many concurrent read operations. Nonetheless, we prove that the combined system implements sequential consistency. To our knowledge, our memory-system proof is the first machine verification of a cache-coherence protocol parameterized over an arbitrary cache hierarchy, and our full-system proof is the first machine verification of sequential consistency for a multicore hardware design that includes caches and speculative processors.

Deriving efficient OCaml implementations of abstract data types, from declarative specifications, in Coq, mostly automatically. The main case study works with SQL-style relational queries and update operations.

We present Fiat, a library for the Coq proof assistant supporting refinement of declarative specifications into efficient functional programs with a high degree of automation. Each refinement process leaves a proof trail, checkable by the normal Coq kernel, justifying its soundness. We focus on the synthesis of abstract data types that package methods with private data. We demonstrate the utility of our framework by applying it to the synthesis of query structures -- abstract data types with SQL-like query and insert operations. Fiat includes a library for writing specifications of query structures in SQL-inspired notation, expressing operations over relations (tables) in terms of mathematical sets. This library includes a set of tactics for automating the refinement of these specifications into efficient, correct-by-construction OCaml code. Using these tactics, a programmer can generate such an implementation completely automatically by only specifying the equivalent of SQL indexes, data structures capturing useful views of the abstract data. We conclude by speculating on the new programming modularity possibilities enabled by an automated refinement system with proved-correct rules. Software/proof source code

At long last, a paper on the design of Ur/Web, a DSL for Web applications, supporting novel encapsulation techniques and a simple concurrency model for distributed applications

The World Wide Web has evolved gradually from a document delivery platform to an architecture for distributed programming. This largely unplanned evolution is apparent in the set of interconnected languages and protocols that any Web application must manage. This paper presents Ur/Web, a domain-specific, statically typed functional programming language with a much simpler model for programming modern Web applications. Ur/Web's model is unified, where programs in a single programming language are compiled to other "Web standards" languages as needed; modular, supporting novel kinds of encapsulation of Web-specific state; and exposes simple concurrency, where programmers can reason about distributed, multithreaded applications via a mix of transactions and cooperative preemption. We give a tutorial introduction to the main features of Ur/Web, formalize the basic programming model with operational semantics, and discuss the language implementation and the production Web applications that use it. Project web site Slides are available from my talk at POPL'15 [LibreOffice, PDF].

A case study in building a whole-program Coq proof that covers both an application (a database-backed dynamic Web application) and systems infrastructure (a cooperative thread library). The components are verified modularly with Bedrock, and there is a verified compiler for a domain-specific language that can be used to derive similar theorems for similar Web applications, with minimal new proving work.

Many verifications of realistic software systems are monolithic, in the sense that they define single global invariants over complete system state. More modular proof techniques promise to support reuse of component proofs and even reduce the effort required to verify one concrete system, just as modularity simplifies standard software development. This paper reports on one case study applying modular proof techniques in the Coq proof assistant. To our knowledge, it is the first modular verification certifying a system that combines infrastructure with an application of interest to end users. We assume a nonblocking API for managing TCP networking streams, and on top of that we work our way up to certifying multithreaded, database-backed Web applications. Key verified components include a cooperative threading library and an implementation of a domain-specific language for XML processing. We have deployed our case-study system on mobile robots, where it interfaces with off-the-shelf components for sensing, actuation, and control. Software/proof source code Slides are available from my talk at POPL'15 [LibreOffice, PDF].

An approach to verifying multilanguage programs in the Bedrock framework, mixing operational semantics for intralanguage reasoning and axiomatic semantics for interlanguage reasoning

Many real programs are written in multiple different programming languages, and supporting this pattern creates challenges for formal compiler verification. We describe our Coq verification of a compiler for a high-level language, such that the compiler correctness theorem allows us to derive partial-correctness Hoare-logic theorems for programs built by linking the assembly code output by our compiler and assembly code produced by other means. Our compiler supports such tricky features as storable cross-language function pointers, without giving up the usual benefits of being able to verify different compiler phases (including, in our case, two classic optimizations) independently. The key technical innovation is a mixed operational and axiomatic semantics for the source language, with a built-in notion of abstract data types, such that compiled code interfaces with other languages only through axiomatically specified methods that mutate encapsulated private data, represented in whatever formats are most natural for those languages. Software/proof source code

Coq-verified just-in-time compilation for packet filters, etc., in Linux

Modern operating systems run multiple interpreters in the kernel, which enable user-space applications to add new functionality or specialize system policies. The correctness of such interpreters is critical to the overall system security: bugs in interpreters could allow adversaries to compromise user-space applications and even the kernel. Jitk is a new infrastructure for building in-kernel interpreters that guarantee functional correctness as they compile user-space policies down to native instructions for execution in the kernel. To demonstrate Jitk, we implement two interpreters in the Linux kernel, BPF and INET-DIAG, which are used for network and system call filtering and socket monitoring, respectively. To help application developers write correct filters, we introduce a high-level rule language, along with a proof that Jitk correctly translates high-level rules all the way to native machine code, and demonstrate that this language can be integrated into OpenSSH with tens of lines of code. We built a prototype of Jitk on top of the CompCert verified compiler and integrated it into the Linux kernel. Experimental results show that Jitk is practical, fast, and trustworthy.

A framework for combining reflective Coq tactics, applied in the Bedrock system to verify imperative programs

Current work on computational reflection is single-minded; each reflective procedure is written with a specific application or scope in mind. Composition of these reflective procedures is done by a proof-generating tactic language such as Ltac. This composition, however, comes at the cost of both larger proof terms and redundant preprocessing. In this work, we propose a methodology for writing composable reflective procedures that solve many small tasks in a single invocation. The key technical insights are techniques for reasoning semantically about extensible syntax in intensional type theory. We also consider sound methods for user extension of such procedures using lemmas and full reflective procedures, which mimicks Coq's support for hint databases with only slightly more user effort. Source code is available for the framework and the instantiation for Bedrock

A Coq category-theory library, designed to support computationally efficient proofs of large goals, taking advantage of recent improvements to the homotopy-type-theory Coq version and giving some other wishlist items for Coq

We describe our experience implementing a broad category-theory library in Coq. Category theory and computational performance are not usually mentioned in the same breath, but we have needed substantial engineering effort to teach Coq to cope with large categorical constructions without slowing proof script processing unacceptably. In this paper, we share the lessons we have learned about how to represent very abstract mathematical objects and arguments in Coq and how future proof assistants might be designed to better support such reasoning. One particular encoding trick to which we draw attention allows category-theoretic arguments involving duality to be internalized in Coq's logic with definitional equality. Ours may be the largest Coq development to date that uses the relatively new Coq version developed by homotopy type theorists, and we reflect on which new features were especially helpful. Library source code

Bedrock takes literally the idea of C as a "macro assembly language." All the programming features are built up as macros on top of assembly language, and macros have verified Hoare logic-style proof rules attached to them, so that one gets a "free" environment for mostly automated deductive program verification for any mix of macros used in a particular program.

We report on the design and implementation of an extensible programming language and its intrinsic support for formal verification. Our language is targeted at low-level programming of infrastructure like operating systems and runtime systems. It is based on a cross-platform core combining characteristics of assembly languages and compiler intermediate languages. From this foundation, we take literally the saying that C is a "macro assembly language": we introduce an expressive notion of certified low-level macros, sufficient to build up the usual features of C and beyond as macros with no special support in the core. Furthermore, our macros have integrated support for strongest postcondition calculation and verification condition generation, so that we can provide a high-productivity formal verification environment within Coq for programs composed from any combination of macros. Our macro interface is expressive enough to support features that low-level programs usually only access through external tools with no formal guarantees, such as declarative parsing or SQL-inspired querying. The abstraction level of these macros only imposes a compile-time cost, via the execution of functional Coq programs that compute programs in our intermediate language; but the run-time cost is not substantially greater than for more conventional C code. We describe our experiences constructing a full C-like language stack using macros, with some experiments on the verifiability and performance of individual programs running on that stack. Software/proof source code Slides are available from my talk at ICFP'13 [OpenOffice, PDF].

A verified compiler for an idealization of the Bluespec hardware description language

We report on the implementation of a certified compiler for a high-level hardware description language (HDL) called Fe-Si (FEath-erweight SynthesIs). Fe-Si is a simplified version of Bluespec, an HDL based on a notion of guarded atomic actions. Fe-Si is defined as a dependently typed deep embedding in Coq. The target language of the compiler corresponds to a synthesisable subset of Verilog or VHDL. A key aspect of our approach is that input programs to the compiler can be defined and proved correct inside Coq. Then, we use extraction and a Verilog back-end (written in OCaml) to get a certified version of a hardware design. Public source-code repository

A constructive proof that automating separation logic proofs for systems code is easy, despite claims to the contrary coming from SMT solver-centric perspectives. ;-) Specifically, this paper introduced Bedrock, a Coq library for foundational verification of code at the assembly level of abstraction. A mostly-automated separation logic prover uses a modest amount of programmer annotation to drive verification of examples like imperative data structures and a cooperative threading library.

Several recent projects have shown the feasibility of verifying low-level systems software. Verifications based on automated theorem-proving have omitted reasoning about first-class code pointers, which is critical for tasks like certifying implementations of threads and processes. Conversely, verifications that deal with first-class code pointers have featured long, complex, manual proofs. In this paper, we introduce the Bedrock framework, which supports mostly-automated proofs about programs with the full range of features needed to implement, e.g., language runtime systems. The heart of our approach is in mostly-automated discharge of verification conditions inspired by separation logic. Our take on separation logic is computational, in the sense that function specifications are usually written in terms of reference implementations in a purely functional language. Logical quantifiers are the most challenging feature for most automated verifiers; by relying on functional programs (written in the expressive language of the Coq proof assistant), we are able to avoid quantifiers almost entirely. This leads to some dramatic improvements compared to both the state of the art in classical verification, which we compare against with implementations of data structures like binary search trees and hash tables; and the state of the art in verified programming with code pointers, which we compare against with examples like function memoization and a cooperative threading library. Software/proof source code Slides are available from my talk at PLDI'11 [OpenOffice, PDF].

Static analysis for security policies for Ur/Web applications, based on the key new idea of representing policies as SQL queries. The analysis follows the well-trod path of symbolic evaluation and automated first-order-logic theorem-proving.

We present a system for sound static checking of security policies for database-backed Web applications. Our tool checks a combination of access control and information flow policies, where the policies vary based on database contents. For instance, one or more database tables may represent an access control matrix, controlling who may read or write which cells of these and other tables. Using symbolic evaluation and automated theorem-proving, our tool checks these policies statically, requiring no program annotations (beyond the policies themselves) and adding no run-time overhead. Specifications come in the form of SQL queries as policies: for instance, an application's confidentiality policy is a fixed set of queries, whose results provide an upper bound on what information may be released to the user. To provide user-dependent policies, we allow queries to depend on what secrets the user knows. We have used our prototype implementation to check several programs representative of the data-centric Web applications that are common today. From the OSDI'10 talk: slides in OpenOffice and PDF formats; video Project web site

A first paper about Ur, focusing on the metaprogramming aspect: we can write generic programs that write programs, based on inputs like database schemas, summaries of HTML form configurations, etc., and we can type-check our generators statically without needing to write any proof terms.

Dependent types provide a strong foundation for specifying and verifying rich properties of programs through type-checking. The earliest implementations combined dependency, which allows types to mention program variables; with type-level computation, which facilitates expressive specifications that compute with recursive functions over types. While many recent applications of dependent types omit the latter facility, we argue in this paper that it deserves more attention, even when implemented without dependency. In particular, the ability to use functional programs as specifications enables statically-typed metaprogramming: programs write programs, and static type-checking guarantees that the generating process never produces invalid code. Since our focus is on generic validity properties rather than full correctness verification, it is possible to engineer type inference systems that are very effective in narrow domains. As a demonstration, we present Ur, a programming language designed to facilitate metaprogramming with first-class records and names. On top of Ur, we implement Ur/Web, a special standard library that enables the development of modern web applications. Ad-hoc code generation is already in wide use in the popular web application frameworks, and we show how that generation may be tamed using types, without forcing metaprogram authors to write proofs or forcing metaprogram users to write any fancy types. Project web site Slides are available from my talk at PLDI'10 [OpenOffice, PDF].

A case study in verifying a compiler to an idealized assembly language from an untyped source language with most of the key dynamic features of ML: functions, products, sums, mutable references, and value-carrying exceptions. Syntax is encoded with parametric higher-order abstract syntax (PHOAS), which makes it possible to avoid almost all bookkeeping having to do with binders and fresh name generation. The semantics of the object languages are encoded in a new substitution-free style. All of the proofs are automated with tactic programs that can keep working even after changing the definitions of the languages.

We present a verified compiler to an idealized assembly language from a small, untyped functional language with mutable references and exceptions. The compiler is programmed in the Coq proof assistant and has a proof of total correctness with respect to big-step operational semantics for the source and target languages. Compilation is staged and includes standard phases like translation to continuation-passing style and closure conversion, as well as a common subexpression elimination optimization. In this work, our focus has been on discovering and using techniques that make our proofs easy to engineer and maintain. While most programming language work with proof assistants uses very manual proof styles, all of our proofs are implemented as adaptive programs in Coq's tactic language, making it possible to reuse proofs unchanged as new language features are added. In this paper, we focus especially on phases of compilation that rearrange the structure of syntax with nested variable binders. That aspect has been a key challenge area in past compiler verification projects, with much more effort expended in the statement and proof of binder-related lemmas than is found in standard pencil-and-paper proofs. We show how to exploit the representation technique of parametric higher-order abstract syntax to avoid the need to prove any of the usual lemmas about binder manipulation, often leading to proofs that are actually shorter than their pencil-and-paper analogues. Our strategy is based on a new approach to encoding operational semantics which delegates all concerns about substitution to the meta language, without using features incompatible with general-purpose type theories like Coq's logic. Software/proof source code and documentation Slides are available from my talks at POPL'10 [OpenOffice, PDF] and WMM'09 [OpenOffice, PDF].

An approach to automating correctness proofs about higher-order, imperative programs in Coq, based on an extensible simplifier for separation logic formulas

We present a new approach for constructing and verifying higher-order, imperative programs using the Coq proof assistant. We build on the past work on the Ynot system, which is based on Hoare Type Theory. That original system was a proof of concept, where every program verification was accomplished via laborious manual proofs, with much code devoted to uninteresting low-level details. In this paper, we present a re-implementation of Ynot where verified imperative programming need not be much harder than programming in Haskell. At the same time, our new system is implemented entirely in Coq source files, showcasing the versatility of that proof assistant as a platform for research on language design and verification. Both versions of the system have been evaluated with case studies in the verification of imperative data structures, such as hash tables with higher-order iterators. The verification burden in our new system is reduced by at least an order of magnitude compared to the old system, by replacing manual proof with automation. The core of the automation is a simplification procedure for implications in higher-order separation logic, with hooks that allow programmers to add domain-specific simplification rules. We argue for the effectiveness of our infrastructure by verifying a number of data structures and a packrat parser, and we compare to similar efforts within other projects. Compared to competing approaches to data structure verification, our system includes much less code that must be trusted; namely, about a hundred lines of Coq code defining a program logic. All of our theorems and decision procedures have or build machine-checkable correctness proofs from first principles, removing opportunities for tool bugs to create faulty verifications. From the ICFP'09 talk: slides in OpenOffice and PDF formats; skeleton and final solution for the demo; video Project web site Awarded Most Influential Paper ten years later

A new trick for encoding variable binders in Coq, along with an exploration of its consequences: almost trivial syntax and type-theoretic semantics for languages including such features as polymorphism and complicated binding structure (e.g., ML-style pattern matching); almost trivial type preservation proofs for compiler passes that don't need intensional analysis of variables; mostly-automated semantic correctness proofs about those passes, by way of adding an axiom to make the parametricity of CIC usable explicitly in proofs; and the ability to drop down to more traditional syntactic representations for more arduous but feasible proofs of the same properties, when intensional variable analysis is needed.

We present parametric higher-order abstract syntax (PHOAS), a new approach to formalizing the syntax of programming languages in computer proof assistants based on type theory. Like higher-order abstract syntax (HOAS), PHOAS uses the meta language's binding constructs to represent the object language's binding constructs. Unlike HOAS, PHOAS types are definable in general-purpose type theories that support traditional functional programming, like Coq's Calculus of Inductive Constructions. We walk through how Coq can be used to develop certified, executable program transformations over several statically-typed functional programming languages formalized with PHOAS; that is, each transformation has a machine-checked proof of type preservation and semantic preservation. Our examples include CPS translation and closure conversion for simply-typed lambda calculus, CPS translation for System F, and translation from a language with ML-style pattern matching to a simpler language with no variable-arity binding constructs. By avoiding the syntactic hassle associated with first-order representation techniques, we achieve a very high degree of proof automation. Software/proof source code and documentation Slides are available from my ICFP talk in OpenOffice and PDF formats.

A compiler for a tiny statically-typed functional programming language, implemented in Coq with a proof of correctness. The main interesting bits are my use of dependently-typed abstract syntax and denotational semantics, along with some engineering tricks for making the task manageable.

We present a certified compiler from the simply-typed lambda calculus to assembly language. The compiler is certified in the sense that it comes with a machine-checked proof of semantics preservation, performed with the Coq proof assistant. The compiler and the terms of its several intermediate languages are given dependent types that guarantee that only well-typed programs are representable. Thus, type preservation for each compiler pass follows without any significant "proofs" of the usual kind. Semantics preservation is proved based on denotational semantics assigned to the intermediate languages. We demonstrate how working with a type-preserving compiler enables type-directed proof search to discharge large parts of our proof obligations automatically. Software/proof source code and documentation Slides are available from my PLDI talk in OpenOffice and PDF formats. Slides are also available from a talk I gave at the Projet Gallium seminar at INRIA Rocquencourt, in OpenOffice and PDF formats.

I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product.

I report on an experience using the Coq proof assistant to develop a program verification tool with a machine-checkable proof of full correctness. The verifier is able to prove memory safety of x86 machine code programs compiled from code that uses algebraic datatypes. The tool's soundness theorem is expressed in terms of the bit-level semantics of x86 programs, so its correctness depends on very few assumptions. I take advantage of Coq's support for programming with dependent types and modules in the structure of my development. The approach is based on developing a library of reusable functors for transforming a verifier at one level of abstraction into a verifier at a lower level. Using this library, it's possible to prototype a verifier based on a new type system with a minimal amount of work, while obtaining a very strong soundness theorem about the final product. Software/proof source code and documentation Talk slides available in OpenOffice and PDF formats.

We propose a new technique in support of the construction of efficient Foundational Proof-Carrying Code systems. Instead of suggesting that pieces of mobile code come with proofs of their safety, we instead suggest that they come with executable verifiers that can attest to their safety, as in our previous work on the Open Verifier. However, in contrast to that previous work, here we do away with any runtime proof generation by these verifiers. Instead, we require that the verifier itself is proved sound. To support this, we present a novel technique for extracting proof obligations about ML programs. Using this approach, we are able to demonstrate the first foundational verification technique for Typed Assembly Language with performance comparable to that of the traditional, uncertified TAL type checker.

A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation. We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code. Talk slides available in OpenOffice and PDF formats.

We describe how to use the BLAST model checker to generate program test suites that achieve full coverage with respect to a given set of predicates.

We have extended the software model checker Blast to automatically generate test suites that guarantee full coverage with respect to a given predicate. More precisely, given a C program and a target predicate p, Blast determines the set L of program locations which program execution can reach with p true, and automatically generates a set of test vectors that exhibit the truth of p at all locations in L. We have used Blast to generate test suites and to detect dead code in C programs with up to 30K lines of code. The analysis and test-vector generation is fully automatic (no user intervention) and exact (no false positives).

On verifying functional properties of filesystems in the presence of failures, using proof assistants

On verifying functional properties of filesystems in the presence of failures, using proof assistants

Some thoughts on how Coq is actually in pretty good shape to use today for non-trivial programming with dependent types

Today the reigning opinion about computer proof assistants based on constructive logic (even from some of the developers of these tools!) is that, while they are very helpful for doing math, they are an absurdly heavy-weight solution to use for practical programming. Yet the Curry-Howard isomorphism foundation of proof assistants like Coq gives them clear interpretations as programming environments. My purpose in this position paper is to make the general claim that Coq is already quite useful today for non-trivial certified programming tasks, as well as to highlight some reasons why you might want to consider using it as a base for your next project in dependently-typed programming. Talk slides available in OpenOffice and PDF formats.

We show how to combine the interactive proof assistant Coq and the Nelson-Oppen-style automated first-order theorem prover Kettle in a synergistic way. We do this with a Kettle tactic for Coq that uses theory-specific reasoning to simplify goals based on automatically chosen case analyses, returning to the user as subgoals the cases it couldn't prove automatically. The process can then be repeated recursively, using Coq's tactical language as a very expressive extension of the matching strategies found in provers like Simplify. We also discuss how to encode specialized first-order proofs efficiently in Coq using proof by reflection.

We propose a mechanism for semi-automated proving of theorems, using a tactic for the Coq proof assistant that consults a proof-generating Nelson-Oppen-style automated prover. Instead of simply proving or failing to prove a goal, our tactic decides on relevant case splits using theory-specific axioms, proves some of the resulting cases, and returns the remainder to the Coq user as subgoals. These subgoals can then be proved using inductions and lemma instantiations that are beyond the capabilities of the automated prover. We show that the Coq tactic language provides an excellent way to script this process to an extent not supported by current Nelson-Oppen provers. Like with any Coq proof, a separately checkable proof term in a core calculus is produced at the end of any successful proving session where our method is used, and we take advantage of the "proof by reflection" technique to translate the specialized first-order proofs of the automated prover into compact Coq representations. Talk slides available in OpenOffice and PDF formats.

We propose a new framework for the construction of trustworthy program verifiers. The Open Verifier architecture can be viewed as an optimized Foundational Proof-Carrying Code toolkit. Instead of proposing that code producers send proofs of safety with all of their programs, we instead suggest that they send re-usable proof-generating verifiers. The proofs are generated in an online fashion via a novel interaction scheme between the untrusted verifier and the trusted core of the system.

We present the Open Verifier approach for verifying untrusted code using customized verifiers. This approach can be viewed as an instance of foundational proof-carrying code where an untrusted program can be checked using the verifier most natural for it instead of using a single generic type system. In this paper we focus on a specialized architecture designed to reduce the burden of expressing both type-based and Hoare-style verifiers. A new verifier is created by providing an untrusted executable extension module, which can incorporate directly pre-existing non-foundational verifiers based on dataflow analysis or type checking. The extensions control virtually all aspects of the verification by carrying on a dialogue with the Open Verifier using a language designed both to correspond closely to common verification actions and to carry simple adequacy proofs for those actions. We prove the soundness of the framework, and we describe our experience implementing proof-carrying code, typed assembly language, and dataflow or abstract interpretation based verifiers in this unified setting.

A new approach to checking assembly programs in a way similar to that used in the Java Bytecode Verifier. We introduce a novel mixed type/value technique that makes it tractable to deal with some of the "dependent typing" issues that come up. We also present results on using this technique to help students in an undergraduate compilers class debug their class projects.

It is a common belief that certifying compilation, which typically verifies the well-typedness of compiler output, can be an effective mechanism for compiler debugging, in addition to ensuring basic safety properties. Bytecode verification is a fairly simple example of this approach and derives its simplicity in part by compiling to carefully crafted high-level bytecodes. In this paper, we seek to push this method to native assembly code, while maintaining much of the simplicity of bytecode verification. Furthermore, we wish to provide experimental confirmation that such a tool can be accessible and effective for compiler debugging. To achieve these goals, we present a type-based data-flow analysis or abstract interpretation for assembly code compiled from a Java-like language, and evaluate its bug-finding efficacy on a large set of student compilers.

We present a type system that is useful in saving type annotation space in intermediate language terms expressed in the restricted form called "A-normal form" or "one-half CPS." Our approach imports ideas from strict logic, which is based on the idea of hypotheses that must be used at least once. The resulting system is relevant to the efficiency of type-preserving compilers.

Completely annotated lambda terms (such as are arrived at via the straightforward encodings of various types from System F) contain much redundant type information. Consequently, the completely annotated forms are almost never used in practice, since partially annotated forms can be defined which still allow syntax directed typechecking. An additional optimization that is used in some proof and type systems is to take advantage of the context of occurrence of terms to further elide type information using bi-directional typechecking rules. While this technique is generally effective, we show that there exist bi-directional terms which exhibit asymptotic increases in the size of their type decorations when sequentialized into a named-form calculus (a common first step in compilation). In this paper, we introduce a refinement of the bi-directional type system based on strict logic which allows additional type decorations to be eliminated, and show that it is well-behaved under sequentialization.

A poster about certified program verifiers in Coq

Abstract about a poster on certified program verifiers in Coq You can download the poster in OpenOffice or PDF format.

We describe a system that combines security automaton-based program specification with a facility for relational-style queries about the possible execution paths of a program.

Blast is an automatic verification tool for checking temporal safety properties of C programs. Blast is based on lazy predicate abstraction driven by interpolation-based predicate discovery. In this paper, we present the Blast specification language. The language specifies program properties at two levels of precision. At the lower level, monitor automata are used to specify temporal safety properties of program executions (traces). At the higher level, relational reachability queries over program locations are used to combine lower-level trace properties. The two-level specification language can be used to break down a verification task into several independent calls of the model-checking engine. In this way, each call to the model checker may have to analyze only part of the program, or part of the specification, and may thus succeed in a reduction of the number of predicates needed for the analysis. In addition, the two-level specification language provides a means for structuring and maintaining specifications. UCB/EECS-2007-147 2007

How to do dependently-typed generation of proofs about programming language syntax and semantics

We present a system for both the generic programming of operations that work over classes of tree-structured data types and the automatic generation of formal type-theoretical proofs about such operations. The system is implemented in the Coq proof assistant, using dependent types to validate code and proof generation statically, quantified over all possible input data types. We focus on generic programming of variable-manipulating operations, such as substitution and free variable set calculation, over abstract syntax tree types implemented as GADTs that combine syntax and typing rules. By accompanying these operations with generic lemmas about their interactions, we significantly ease the burden of formalizing programming language metatheory. Our implementation strategy, based on proof by reflection, requires users to trust none of its associated code to be able to trust in the validity of theorems derived with it. Slides are available from a talk I gave at WMM'07, in OpenOffice and PDF formats. UCB/EECS-2007-113 2007

My PhD dissertation, re-presenting the work on certified program verifiers (from ICFP'06) and certified compilers (from PLDI'07)

I present two case studies supporting the assertion that type-based methods enable effective certified programming. By certified programming, I mean the development of software with formal, machine-checked total correctness proofs. While the classical formal methods domain is most commonly concerned with after-the-fact verification of programs written in a traditional way, I explore an alternative technique, based on using dependent types to integrate correctness proving with programming. I have chosen the Coq proof assistant as the vehicle for these experiments. Throughout this dissertation, I draw attention to features of formal theorem proving tools based on dependent type theory that make such tools superior choices for certified programming, compared to their competition. In the first case study, I present techniques for constructing certified program verifiers. I present a Coq toolkit for building foundational memory safety verifiers for x86 machine code. The implementation uses rich specification types to mix behavioral requirements with the traditional types of functions, and I mix standard programming practice with tactic-based interactive theorem proving to implement programs of these types. I decompose verifier implementations into libraries of components, where each component is implemented as a functor that transforms a verifier at one level of abstraction into a verifier at a lower level. I use the toolkit to assemble a verifier for programs that use algebraic datatypes using only several hundred lines of code specific to its type system. The second case study presents work in certified compilers. I focus in particular on type-preserving compilation, where source-level type information is preserved through several statically-typed intermediate languages and used at runtime for such purposes as guiding a garbage collector. I suggest a novel approach to mechanizing the semantics of programming languages, based on dependently-typed abstract syntax and denotational semantics. I use this approach to certify a compiler from simply-typed lambda calculus to an idealized assembly language that interfaces with a garbage collector through tables listing the appropriate root registers for different program points. Significant parts of the proof effort are automated using type-driven heuristics. I also present a generic programming system for automating construction of syntactic helper functions and their correctness proofs, based on an implementation technique called proof by reflection. UCB/EECS-2006-120 2006

An overview of a work-in-progress functional programming language that puts dependent types and theorem proving to work to make it easier to write concise and maintainable web applications

I introduce a new functional programming language, called Laconic/Web, for rapid development of web applications. Its strong static type system guarantees that entire sequences of interaction with these applications "can't go wrong." Moreover, a higher-order dependent type system is used to enable statically-checked metaprogramming. In contrast to most dependently-typed programming languages, Laconic/Web can be used by programmers with no knowledge of proof theory. Instead, more expert developers develop libraries that extend the Laconic/Web type checker with type rewrite rules that have proofs of soundness. I compare Laconic/Web against Ruby on Rails, the most well-known representative of a popular class of Web application frameworks based around dynamic languages and runtime reflection, and show that my approach leads both to more concise programs and to better runtime efficiency. Project web site UCB/ERL M05/32 2005

This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples.

A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation. We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code. This is an extended version of our VMCAI'06 paper, containing a formalization of our model extraction procedure and additional examples. MS Project Report UCB/ERL M04/41 2004

A summary of my experiences developing a proof-generating TAL type checker within the Open Verifier framework. In the style of Foundational PCC, the soundness of this verifier and the proofs it generates is based on no assumptions about the TAL type system. This was one of the first projects to consider the runtime performance of Foundational PCC-style verification.

I present the results of constructing a fully untrusted verifier for memory safety of Typed Assembly Language programs, using the Open Verifier architecture. The verifier is untrusted in the sense that its soundness depends only on axioms about the semantics of a concrete machine architecture, not on any axioms specific to a type system. This experiment served to evaluate both the expressiveness of the Open Verifier architecture and the quality of its support for simplifying the construction of verifiers. I discuss issues of proof generation that are generally not the focus of previous efforts for foundational checking of TAL, and I contrast with these past approaches the sort of logical formalization that is natural in the context of the Open Verifier. My approach is novel in that it uses direct reasoning about concrete machine states where past approaches have formalized typed abstract machines and proved their correspondence with concrete machines. I also describe a new approach to modeling higher-order functions that uses only first-order logic. 10 papers published at peer-reviewed scholarly conferences; 5 at workshops; 2 journal articles keynote talk invited webinar talk invited talk invited talk invited talk invited talk invited talk invited talk https://youtu.be/GXXOyXeyKeY invited talk invited talk https://www.youtube.com/watch?v=uIbPt1v6QKE invited talk invited talk invited talk https://media.ccc.de/v/34c3-9105-coming_soon_machine-checked_mathematical_proofs_in_everyday_software_and_hardware_development https://www.youtube.com/watch?v=4DYVJdHMV5k invited talk invited talk invited talk https://www.youtube.com/watch?v=jE0DY5pS-xY#t=127m4s http://deepspec.org/ panel invited talk invited talk invited talk http://talks.cam.ac.uk/talk/index/56590 invited talk invited talk invited talk invited talk invited tutorial http://adam.chlipala.net/popltut13/ invited talk invited tutorial http://adam.chlipala.net/msfp10/ invited talk invited talk invited talk http://www.impredicative.com/ur/defun09/ invited talk https://www.hacs-workshop.org/ March 2024 https://www.hacs-workshop.org/ March 2023 https://www.hacs-workshop.org/ April 2022 https://www.hacs-workshop.org/ April 2021 https://www.hacs-workshop.org/ January 2020 https://hase-workshop.github.io/ January 2019 https://www.microsoft.com/en-us/research/event/faculty-summit-2018/ August 2018 https://www.hacs-workshop.org/ January 2018 https://www.sap.com/products/hana.html August 2017 https://sites.google.com/view/securitysummit2017/ June 2017 http://shonan.nii.ac.jp/seminar/seminardetails098/ May 2017 February 2017 https://www.hacs-workshop.org/ January 2017 https://www.hacs-workshop.org/ January 2016 https://www.coreinfrastructure.org/ July 2015 http://www.dagstuhl.de/15191/ May 2015 https://www.coreinfrastructure.org/ January 2015 http://www.dagstuhl.de/10351/ August 2010 Doctor of Philosophy (PhD) in Computer Science PhD, MS, Computer Science 8 2003 9 2007 4.0 Master of Science (MS) in Computer Science MS, Computer Science 12 2004 Bachelor of Science (BS) in Computer Science with a minor in Mathematical Sciences and University Honors BS, Computer Science 8 2000 5 2003 4.0 High school diploma 9 1996 6 2000 7 2024 7 2022 7 2018 6 2022 7 2015 6 2018 7 2011 6 2015 7 2012 6 2015 MIT Harvard University 6 2008 6 2011 Led a reimplementation of the Ynot system, with a focus on proof automation Research on cost-effective program verification certified programming class, Harvard University 9 2008 1 2009 Jane Street Capital 9 2007 4 2008 UC Berkeley CS Division 9 2003 8 2007 Investigated implementation of program verification tools with proofs of correctness, using dependent types in the Coq proof assistant Implemented infrastructure for the Open Verifier and Certified Program Verifiers systems Developed untrusted plug-ins for memory safety of x86 Typed Assembly Language for those systems, including soundness proofs in the Coq proof assistant computer theorem proving class, UC Berkeley CS Division 8 2006 12 2006 Microsoft Research Redmond 6 2005 8 2005 Designed and implemented an extensible bytecode verifier based on linear logic, and used this verifier to check properties such as manual memory management and message-passing protocols for untrusted process code in the Singularity operating system 1 2005 5 2005 Ran discussion sections Graded weekly homework assignments Held office hours 6 2003 8 2003 Implemented processing for an intuitive language for specifying safety properties of C programs to be verified by the BLAST model checker Implemented context-free reachability to extend BLAST to verify recursive programs CMU CS Department 6 2002 5 2003 Implemented improvements to the mid-level intermediate language of the TILT compiler, along with assorted optimizations Studied the problem of efficient type-checking of ML-like intermediate languages in flattened forms analogous to traditional compiler intermediate languages ML programming class, CMU CS Department 1 2002 5 2002 Taught a weekly recitation section Created homework assignments and exam questions Held weekly office hours Graded assignments and exams 6 2001 8 2001 Developed a database-driven intranet web site to facilitate technology transfer between research and development Trifecta Technologies 1998 2000 Designed and coded business and presentation logic for electronic commerce web sites using IBM WebSphere Commerce Suite SOSP Test of Time Award (for FSCQ) https://www.sosp.org/ 2025 German IT Security Award (for CryptOpt) https://www.deutscher-it-sicherheitspreis.de/prize.php 2024 Annual "Humies" Awards For Human-Competitive Results Produced By Genetic And Evolutionary Computation (Gold Award, for CryptOpt) https://www.human-competitive.org/ 2023 PLDI Distinguished Reviewer Award https://pldi23.sigplan.org/ 2023 Burgess (1952) & Elizabeth Jamieson Prize for Excellence in Teaching 2023 ACM Distinguished Member https://awards.acm.org/distinguished-members 2019 Ruth and Joel Spira Award for Excellence in Teaching https://engineering.mit.edu/faculty-research/faculty-awards/teaching-awards/ 2019 Most Influential ICFP Paper Award (for PHOAS) http://www.sigplan.org/Awards/ICFP/ 2018 ACM Senior Member https://awards.acm.org/senior-members 2016 National Science Foundation CAREER Award http://www.nsf.gov/awardsearch/showAward?AWD_ID=1253229 2012 National Defense Science and Engineering Graduate Fellowship https://www.ndsegfellowships.org/ 2004 National Science Foundation Graduate Research Fellowship http://www.nsfgrfp.org/ 2004 California Microelectronics Fellowship 8 2003 5 2004 Phi Kappa Phi http://www.phikappaphi.org/ Phi Beta Kappa http://www.pbk.org/ National Science Foundation Graduate Research Fellowship http://www.nsfgrfp.org/ 2003 Andrew Carnegie Scholarship http://my.cmu.edu/site/admission/menuitem.18c40008673813c019300710d4a02008/ 8 2000 5 2003 Summer School on Software Security: Theory to Practice http://www.cs.uoregon.edu/Activities/summerschool/summer04/ 6 2004 Ur/Web, a domain-specific programming language design and implementation supporting metaprogramming of web applications with strong static guarantees Cooperative Internet hosting tools, including DomTool, a domain-specific language in support of shared UNIX system configuration by mutually-untrusting users Dynamic web site tools for Standard ML, including separately usable libraries for accessing SQL databases Founder of HCoop, Inc., a democratically run Internet hosting cooperative Main administrator and organizer, Teen Programmers Unite, 1997-2001 ML, Coq, C F#, Java, SQL, x86 and Z80 assembly languages Haskell, C++, XSLT Twelf, Scheme, Common Lisp, Prolog, C#, Visual Basic, UNIX shell scripting, Perl Apache, djbdns, Courier IMAP, Exim, Mailman, SpamAssassin FMitF: Track I: Formally Verified Programmable Network Switches NSF FMitF PI Collaborative Research: SHF: Medium: High-Performance, Verified Accelerator Programming NSF CCF PI PPoSS: LARGE: Intel: Combining Learning and Formal Verification for Scalable Machine Programming (ScaMP) NSF PPoSS (with Intel) co-PI SaTC: CORE: Small: Scaling Correct-by-Construction Code Generation for Cryptography NSF SaTC PI SaTC: CORE: Medium: Provably Secure, Usable, and Performant Enclaves in Multicore Processors NSF SaTC co-PI Tools for Correct-by-Construction Hardware and Software in Critical Systems Sandia National Laboratories ACHILLES: Assured CryptograpHic Integration of muLtiple Languages for Encrypted Systems IARPA HECTOR program co-PI for sub The Hardware Security Compiler: A Rapid-Development Workflow with End-to-End Formal Verification DARPA SSITH program PI for prime FMitF: Verifying Concurrent System Software with Cspec NSF CCF co-PI SaTC: CORE: Small: verifying security for data non-interference NSF CNS co-PI Correct-by-Construction and Automatic Generation of Elliptic Curve Cryptography Primitives Google Research Award CSR: Medium: A High-Performance Certified File System and Applications NSF CNS co-PI RINGS: Regenerative, INtent-Guided Systems DARPA BRASS program PI for sub Collaborative Research: Expeditions in Computing: The Science of Deep Specification NSF Expeditions in Computing PI for MIT SHF: Medium: Fiat: Correct-by-Construction and Mostly Automated Derivation of Programs with an Interactive Theorem Prover NSF CCF PI A Trust Anchor Secure Language via the Bedrock Platform Google ATAP Trust Anchor program PI Cybersecurity project QCRI-CSAIL joint program CAREER: A Formal Verification Platform Focused on Programmer Productivity NSF CCF PI SHF: Small: Capitalizing on First-Class SQL Support in the Ur/Web Programming Language NSF CCF PI CAP³: A Computer Aided Performance Programming Platform DoE X-Stack program co-PI CARS: A Platform for Scaling Formal Verification to Component-Based Vehicular Software Stacks DARPA HACMS program PI for sub Safe but Unsandboxed Native Code in the Browser Google Research Award