Abstract
Language-based security relies on the assumption that all potential attacks follow the rules of the language in question. When programs are compiled into a different language, this is true only if the translation process preserves observational equivalence.
To prove that a translation preserves equivalence, one must show that if two program fragments cannot be distinguished by any source context, then their translations cannot be distinguished by any target context. Informally, target contexts must be no more powerful than source contexts, i.e., for every target context there exists a source context that "behaves the same." This seems to amount to being able to "back-translate" arbitrary target terms. However, that is simply not viable for practical compilers where the target language is lower-level and, thus, contains expressions that have no source equivalent.
In this paper, we give a CPS translation from a less expressive source language (STLC) to a more expressive target language (System F) and prove that the translation preserves observational equivalence. The key to our equivalence-preserving compilation is the choice of the right type translation: a source type σ mandates a set of behaviors and we must ensure that its translation σ⁺ mandates semantically equivalent behaviors at the target level. Based on this type translation, we demonstrate how to prove that for every target term of type σ⁺, there exists an equivalent source term of type σ, even when sub-terms of the target term are not necessarily "back-translatable" themselves. A key novelty of our proof, resulting in a pleasant proof structure, is that it leverages a multi-language semantics where source and target terms may interoperate.
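To make the role of the type translation concrete, here is an added example (not code from the paper): a type-directed, call-by-value CPS translation from STLC into System F syntax. It assumes an answer-type-polymorphic translation, where a computation of source type σ gets target type forall a. (σ⁺ -> a) -> a, so a target context can only consume a result by supplying a continuation; continuation binders are left unannotated for readability, and the paper's exact rules may differ.

```python
# Added illustration, not the paper's own definitions: a type-directed,
# call-by-value CPS translation from STLC into System F syntax.  Assumed here:
# a translated computation gets the answer-type-polymorphic type
# forall a. (sigma+ -> a) -> a, so a target context can only consume its
# result by supplying a continuation.  The paper's exact rules may differ.
import itertools

# Source types: "bool" | ("->", s1, s2).  Source terms (STLC, call-by-value):
# "true" | "false" | ("var", x) | ("lam", x, s, e) | ("app", e1, e2)

def ty(s):
    """sigma+ : target type of a translated value of source type s."""
    if s == "bool":
        return "bool"
    _, s1, s2 = s
    return f"({ty(s1)} -> {comp(s2)})"

def comp(s):
    """Target type of a translated computation yielding a value of type s."""
    return f"(forall a. ({ty(s)} -> a) -> a)"

class Cps:
    def __init__(self):
        self._ids = itertools.count()   # for fresh continuation/value names
    def fresh(self, base):
        return f"{base}{next(self._ids)}"
    def term(self, e):
        """Translate e to a term of type comp(s): abstract the answer type and k."""
        k = self.fresh("k")
        return f"/\\a. \\{k}. {self.body(e, k)}"
    def body(self, e, k):
        """Translate e, handing its value to the continuation variable k."""
        if e in ("true", "false"):
            return f"{k} {e}"
        tag = e[0]
        if tag == "var":
            return f"{k} {e[1]}"
        if tag == "lam":                       # a function is already a value
            _, x, s, e1 = e
            return f"{k} (\\{x}:{ty(s)}. {self.term(e1)})"
        if tag == "app":                       # run e1, then e2, then apply
            _, e1, e2 = e
            f, v = self.fresh("f"), self.fresh("v")
            return (f"({self.term(e1)}) [a] (\\{f}. ({self.term(e2)}) [a] "
                    f"(\\{v}. {f} {v} [a] {k}))")
        raise ValueError(f"unknown source term {e!r}")

def cps(e):
    return Cps().term(e)
```

Running `cps(("lam", "x", "bool", ("var", "x")))` shows the identity function becoming a value whose body is itself a polymorphic computation, which is exactly the shape σ⁺ imposes on target code at function type.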
An equivalence-preserving CPS translation via multi-language semantics. ICFP '11: Proceedings of the 16th ACM SIGPLAN International Conference on Functional Programming.