advances in logical programming environments

Post on 30-Dec-2015






Click to see full reader


Advances in Logical Programming Environments. Programming. Logic. Communications. Secure software infrastructure. Stuart AllenMark Bickford Robert Constable Richard Eaton Christoph Kreitz Lori Lorigo. Project goals. - PowerPoint PPT Presentation


Stuart Allen Mark Bickford Robert Constable

Richard Eaton Christoph Kreitz Lori Lorigo

Secure software infrastructure




Advances in Advances in Logical Programming Logical Programming


Build open Logical Programming


- integrate programming language and logic

- share libraries of formalized mathematics

- enable cooperation among formal systems

- local reflection and code transformations

Project goals

Application to reliable embedded systems

- semantics-based transformation and optimization

- high-assurance software components and

systems - formal component design

• Nuprl LPE - new implementation with open architecture - formal documentation mechanisms - development of class theory - local reflection for weaving aspects


• Application to networked systems - optimization of protocol stacks - compositional protocol verification -- formal designformal design of adaptive of adaptive


• Cooperating processes

• Library as persistent database - basis for sharing mathematics

• Ability to connect to external systems

• Cooperating inference engines

• Multiple user interfaces

• Reflective system structure

LPE LPE ArchitectureArchitecture

• Comments contain references to objects - formal content browsable while reading text

• Display objects determine term presentation - print representation (screen/LaTeX macros) - suppressing formal parameters - preferences vs. parentheses

Formal Formal DocumentationDocumentation

• Create documentation from formal objects - formal design expertise in “readable” form - screen display, LaTeX articles, HTML documents

• Provides expressive type constructs - Union, Intersection, Subtyping, Records, Modules

• Supports formalization and composition of - Abstract specifications + concrete code of components - Modular verifications


Ocaml (Ensemble)

External System Formalizes JVM


Ocaml Language Formalized in Nuprl

Class theory provides IOA formalisms

Formal Class Formal Class TheoryTheory

• Extends Nuprl’s type theory

• Add properties to code Message Message Passing Passing

with with Total OrderTotal Order

Fault Fault TolerantTolerant

System with System with Total OrderTotal Order

Transform Total Order code to include rejoining &

view-change code

Fault Fault ToleranceTolerance

• Weaving as formal method requires local reflection - thms about semantical effect of syntactical transformations

- reasoning about refinement + meta-properties

Weaving and local Weaving and local reflectionreflection

• Optimize component-based network systems

Formal Formal OptimizationOptimization

Fast, abstract, verifiably correct results, speedup factor 3-4

(demo available)• Automate with Nuprl LPE• Identify Common Case Predicates

• Component code + CCP -> optimization theorem • System composition -> theorem composition • Composed theorem -> new system code

• generate fast-path for common case• compress message headers

Incremental through proof inheritance:

• (A = P) (A B = P)

A B intersects:

• states, actions

• initial states, transitionsInduction:

1. A I = I2. B I = I3. A.init B.init

I A B = I

View = view



ETO = total view

Total = total


Compositional Protocol Compositional Protocol Verification Verification

• Adapt system to suit run-time dynamics - system upgrades

- changing conditions (higher security levels, …)

- use optimal implementations of components

• Usually complicatedswitch

spec spec• Building block approach - generic switching protocol

constructs hybrid protocols from simpler ones

- flexible, easy to prove correct

Formal Design of Adaptive SystemsJoint work with Robbert Van Renesse, Xiaoming Liu, Ken Birman

• Normal mode - forward messages to current protocol

- receive messages from current protocol

Switching Protocol

P1 P2

• Switching Mode - deliver messages from previous protocol

- buffer messages sent in the new protocol

Switching Protocols: basic Switching Protocols: basic modelmodel

What kind of properties What kind of properties will be preserved by will be preserved by switching? switching?

In other words, what are the properties of these properties ?


Total Order?Integrity?Confidentiality?

Prioritized Delivery?

Virtual Synchrony?


Inject formal methods at earliest design Inject formal methods at earliest design stagestage

we proved that six meta-properties are sufficient for protocols to work correctly under a switching protocol





Using Using the Nuprlthe Nuprl LPELPE

Formal Model of Formal Model of CommunicationCommunication

• Communication property

- predicate P on traces

• Trace - List tr of send and receive events Send(p,m) : message p sent by process m

Deliver(p,m) : message p received by process m

• Confidentiality qT. Deliver(q,m) tr pT. Send(p,m) tr )

• Reliability p,m. Send(p, m) tr q. Deliver(q,m) tr

Properties, formalizedProperties, formalized

• Integrity (T: set of trusted processes)

qT. Deliver(q,m) tr pT. Send(p,m) tr

• Total order q1,q2,m1,m2. Deliver(q1,m1) tr Deliver(q2,m1) tr Deliver(q1,m2) tr Deliver(q2,m2) tr Deliver(q1,m1) < Deliver(q1, m2)

Deliver(q2,m1) < Deliver(q2, m2)

• Expressed by relation R between traces tru,trl above and below a protocol layer

M(P) tru,trl. P(trl) trl R tru P(tru)


• Predicate M on properties of protocols

• Requires capability for higher order reasoning

Meta-properties for Meta-properties for SwitchingSwitching


Layered Communication

Protocol Switching

Rsend-e (tru ,trl) tru = trl @ [Send(p1,m1),..,Send(pn,mn)]

Rasync (tru ,trl) swap-adjacent(trl ,tru) for e1,e2

with process(e1) process(e2)

Rdelay (tru ,trl) swap-adjacent(trl ,tru) for e1,e2


e1=Send(p,m1) e2 =


Rsafety (tru ,trl) trl truRcomposable (tru ,trl1,trl2 ) trl1trl2=[] interleave(tru,trl1,trl2) …

Rmemoryless (tru ,trl) tru = trl - [e | msg(e){m1,..,mn}]

Switchable(P) Msafety (P) … Mcomposable






Formal design at same pace as Formal design at same pace as “informal” one“informal” one

Verifying Hybrid Verifying Hybrid ProtocolsProtocols

P.tru,trl. switch_invariant(tru,trl)


(P(pr1(trl)) P(pr2(trl))) P(tru)Switchable properties are preserved if the switch implementation satisfies a switch invariant• tru results from swapping trl events with different

origin • messages sent by different protocols must be delivered

in the same order

Nuprl proof developed in parallel to implementation

Lessons learned

• Employing formal techniques at every design stage is of great use for building efficient network systems

• The LPE is capable of supporting “real” design - its theory is very expressive - reflection supports reasoning about program transformation• Automation still needs to be increased

• More experience from applications is necessary

• The component-based approach is ideal for building adaptive systems

• Extend scope of automation - Domain-specific reasoning strategies - Connect external inference engines - Formalize design knowledge (e.g. as theorems) - Techniques for automated system (code) synthesis

• Develop and deploy full reflection mechanism

• Build formal infrastructure for practitioners - Include library of formally documented mathematics


• Design & verification of new programs - New hybrid protocols (adaptivity) - Probabilistic protocols (scalability)

top related