Self-certification: bootstrapping certified typecheckers in F* with Coq

Published: 25 January 2012

Abstract

Well-established dependently-typed languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependently-typed languages such as Aura, ATS, Cayenne, Epigram, F*, F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All these languages shine in their own regard, but their implementations do not themselves enjoy the degree of safety provided by machine-checked verification. We propose a general technique called self-certification that allows a typechecker for a suitably expressive language to be certified for correctness. We have implemented this technique for F*, a dependently typed language on the .NET platform. Self-certification involves implementing a typechecker for F* in F*, while using all the conveniences F* provides for the compiler-writer (e.g., partiality, effects, implicit conversions, proof automation, libraries). This typechecker is given a specification (in F*) strong enough to ensure that it computes valid typing derivations. We obtain a typing derivation for the core typechecker by running it on itself, and we export it to Coq as a type-derivation certificate. By typechecking this derivation (in Coq) and applying the F* metatheory (also mechanized in Coq), we conclude that our typechecker is correct. Once certified in this manner, the F* typechecker is emancipated from Coq.

Self-certification leads to an efficient certification scheme---we no longer depend on verifying certificates in Coq---as well as a more broadly applicable one. For instance, the self-certified F* checker is suitable for use in adversarial settings where Coq is not intended for use, such as run-time certification of mobile code.
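The certification pipeline the abstract describes, reduced to its core idea, as an added example that is not part of the paper or of the F* project: a typechecker for the simply typed lambda calculus that does not just compute a type but returns the typing derivation that justifies it, and a separate checker that validates that derivation node by node against the typing rules. The second function plays the role the abstract assigns to Coq: it trusts only the rules, never the typechecker that produced the certificate, so a forged or tampered derivation is rejected even though it carries a plausible-looking type. All names here (`typecheck`, `check_derivation`, `certify`, the sample environment and term) are this example's own, not identifiers from F*.

```python
from dataclasses import dataclass
from typing import Tuple, Union

# Types of the simply typed lambda calculus: base types and function types.
@dataclass(frozen=True)
class TBase:
    name: str

@dataclass(frozen=True)
class TArrow:
    dom: "Type"
    cod: "Type"

Type = Union[TBase, TArrow]

# Terms: variables, typed lambda abstractions and applications.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    param: str
    ptype: Type
    body: "Term"

@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"

Term = Union[Var, Lam, App]
Env = Tuple[Tuple[str, Type], ...]  # ordered (variable, type) bindings

@dataclass(frozen=True)
class Derivation:
    """One node of a typing derivation: the rule used, the judgment env |- term : type,
    and the sub-derivations for the rule's premises. This tree is the certificate."""
    rule: str
    env: Env
    term: Term
    type: Type
    premises: Tuple["Derivation", ...]

def lookup(env: Env, name: str) -> Type:
    for var, ty in reversed(env):  # later bindings shadow earlier ones
        if var == name:
            return ty
    raise TypeError(f"unbound variable {name}")

def typecheck(env: Env, term: Term) -> Derivation:
    """Certifying typechecker: computes a type together with the derivation justifying it."""
    if isinstance(term, Var):
        return Derivation("T-Var", env, term, lookup(env, term.name), ())
    if isinstance(term, Lam):
        body = typecheck(env + ((term.param, term.ptype),), term.body)
        return Derivation("T-Abs", env, term, TArrow(term.ptype, body.type), (body,))
    if isinstance(term, App):
        fn, arg = typecheck(env, term.fn), typecheck(env, term.arg)
        if not isinstance(fn.type, TArrow) or fn.type.dom != arg.type:
            raise TypeError(f"cannot apply {fn.type} to {arg.type}")
        return Derivation("T-App", env, term, fn.type.cod, (fn, arg))
    raise TypeError(f"unknown term {term!r}")

def check_derivation(d: Derivation) -> bool:
    """Independent certificate checker: validates every node against the typing rules
    without re-running inference, so it does not have to trust typecheck()."""
    if d.rule == "T-Var" and isinstance(d.term, Var) and not d.premises:
        try:
            return lookup(d.env, d.term.name) == d.type
        except TypeError:
            return False
    if d.rule == "T-Abs" and isinstance(d.term, Lam) and len(d.premises) == 1:
        (p,) = d.premises
        return (p.env == d.env + ((d.term.param, d.term.ptype),)
                and p.term == d.term.body
                and d.type == TArrow(d.term.ptype, p.type)
                and check_derivation(p))
    if d.rule == "T-App" and isinstance(d.term, App) and len(d.premises) == 2:
        f, a = d.premises
        return (f.env == d.env and a.env == d.env
                and f.term == d.term.fn and a.term == d.term.arg
                and isinstance(f.type, TArrow)
                and f.type.dom == a.type and f.type.cod == d.type
                and check_derivation(f) and check_derivation(a))
    return False  # unknown rule or malformed node: reject the certificate

def certify(env: Env, term: Term) -> Tuple[Type, bool]:
    """Run the certifying checker, then validate its own output with the independent checker."""
    d = typecheck(env, term)
    return d.type, check_derivation(d)

def is_well_typed(env: Env, term: Term) -> bool:
    try:
        typecheck(env, term)
        return True
    except TypeError:
        return False

INT = TBase("int")
SAMPLE_ENV: Env = (("y", INT),)                       # constructed sample input
SAMPLE_TERM = App(Lam("x", INT, Var("x")), Var("y"))  # (\x:int. x) y

def forged_certificate() -> Derivation:
    """A tampered certificate claiming y : bool although the environment binds y : int."""
    return Derivation("T-Var", SAMPLE_ENV, Var("y"), TBase("bool"), ())

if __name__ == "__main__":
    print(certify(SAMPLE_ENV, SAMPLE_TERM))        # (TBase(name='int'), True)
    print(check_derivation(forged_certificate()))  # False
```

The design point is the split of trust: `typecheck` may use any convenience it likes internally, because nothing in `check_derivation` depends on how the derivation was found, only on whether each node is a correct instance of a rule. That is what lets a certificate be checked by a different, simpler tool, and it is the same separation the paper exploits by checking the derivation in Coq against the mechanized metatheory.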


Supplemental Material

popl_8b_3.mp4



Published in

ACM SIGPLAN Notices, Volume 47, Issue 1 (POPL '12), January 2012, 569 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/2103621

POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 2012, 602 pages
ISBN: 9781450310833
DOI: 10.1145/2103656

Copyright © 2012 ACM
Publisher: Association for Computing Machinery, New York, NY, United States
Qualifiers: research-article
