Pierre-Yves Strub - Academia.edu
Papers by Pierre-Yves Strub
This is a preliminary version of a technical report accompanying a conference submission of the same title. It differs from the submission in the following main regards. (1) Expanded section 4, where we provide more details on our JavaScript semantics and background on Lambda JS. (2) Expanded section 5, where we provide more details on our verified runtime JSVerify, more details on the heap invariant used in our theory, and more description of the light translation as well. We also improved on some of the syntactic conventions, which helped facilitate the mechanized proof of JSVerify in F⋆. This makes some of the definitions look superficially different, although they remain essentially unchanged. For example, rather than overload stub functions in the Abs heap, we now separate them into their own heap compartment called Stub. This makes the proofs easier, although the main ideas remain unchanged. (3) Expanded section 7, with all the details on our applicative bisimulation machinery—we ...
Distributed applications are difficult to program reliably and securely. Dependently typed functional languages promise to prevent broad classes of errors and vulnerabilities, and to enable program verification to proceed side-by-side with development. However, as recursion, effects, and rich libraries are added, using types to reason about programs, specifications, and proofs becomes challenging. We present F⋆, a full-fledged design and implementation of a new dependently typed language for secure distributed programming. Unlike prior languages, F⋆ provides arbitrary recursion while maintaining a logically consistent core; it enables modular reasoning about state and other effects using affine types; and it supports proofs of refinement properties using a mixture of cryptographic evidence and logical proof terms. The key mechanism is a new kind system that tracks several sub-languages within F⋆ and controls
Coq Modulo Theory (CoqMT) is an extension of the Coq proof assistant incorporating, in its computational mechanism, validity entailment for user-defined first-order equational theories. Such a mechanism strictly enriches the system (more terms are typable), eases the use of dependent types and provides more automation during the development of proofs. CoqMT improves over the Calculus of Congruent Inductive Constructions by getting rid of various restrictions and simplifying the type-checking algorithm and the integration of first-order decision procedures.
Type systems are effective tools for verifying the security of cryptographic programs. They provide automation, modularity and scalability, and have been applied to large security protocols. However, they traditionally rely on abstract assumptions on the underlying cryptographic primitives, expressed in symbolic models. Cryptographers usually reason on security assumptions using lower-level, computational models that precisely account for the complexity and success probability of attacks. These models are more realistic, but they are harder to formalize and automate. We present the first modular automated program verification method based on standard cryptographic assumptions. We show how to verify ideal functionalities and protocols written in ML by typing them against new cryptographic interfaces using F7, a refinement type checker coupled with an SMT solver. We develop a probabilistic core calculus for F7 and formalize its type safety in Coq. We build typed module and interfaces ...
We describe a fully portable, open source certifier for traces of SAT problems produced by zChaff. It can also be easily adapted for MiniSat, PicoSat or BooleForce, and we have done so for PicoSat. Our certifier has been developed with the proof assistant Coq. We give some figures based on the pigeonhole problem, comparing both PicoSat and zChaff on the one hand, and our certifier with another certifier also developed with Coq on the other.
ACM SIGPLAN Notices
Well-established dependently-typed languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependently-typed languages such as Aura, ATS, Cayenne, Epigram, F*, F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All these languages shine in their own regard, but their implementations do not themselves enjoy the degree of safety provided by machine-checked verification. We propose a general technique called self-certification that allows a typechecker for a suitably expressive language to be certified for correctness. We have implemented this technique for F*, a dependently typed language on the .NET platform. Self-certification involves implementing a typechecker for F* in F*, while using all the conveniences F* provides for the compiler-writer (e.g., partiality, effects, implicit conversions, proof automation, libraries). This typechecker is given a specification (in F*) strong enough to ensure that it c...
We investigate here a new version of the Calculus of Inductive Constructions (CIC) on which the proof assistant Coq is based: the Calculus of Congruent Inductive Constructions, which truly extends CIC by building in arbitrary first-order decision procedures: deduction is still in charge of the CIC kernel, while computation is outsourced to dedicated first-order decision procedures that can be taken from the shelves provided they deliver a proof certificate. The soundness of the whole system becomes an incremental property following from the soundness of the certificate checkers and that of the kernel. A detailed example shows that the resulting style of proofs becomes closer to that of the working mathematician.
Lecture Notes in Computer Science, 2015
Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages - POPL '12, 2012
IFIP International Federation for Information Processing, 2008
Proceedings 2001 International Conference on Image Processing (Cat. No.01CH37205), 2001
We present an original method to segment color images using a classification in the 3-D color space. In the case of ordinary images, clusters that appear in 3-D histograms usually do not fit a well-known statistical model. For that reason, we propose a classifier that relies on mathematical morphology, and more precisely on the watershed algorithm. We show on various images that the expected color clusters are correctly identified by our method. Last, to segment color images into coherent regions, we perform a Markovian labeling that takes advantage of the morphological classification results.
Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages - POPL '13, 2013
Many tools allow programmers to develop applications in high-level languages and deploy them in web browsers via compilation to JavaScript. While practical and widely used, these compilers are ad hoc: no guarantee is provided on their correctness for whole programs, nor their security for programs executed within arbitrary JavaScript contexts. This paper presents a compiler with such guarantees. We compile an ML-like language with higher-order functions and references to JavaScript, while preserving all source program properties. Relying on type-based invariants and applicative bisimilarity, we show full abstraction: two programs are equivalent in all source contexts if and only if their wrapped translations are equivalent in all JavaScript contexts. We evaluate our compiler on sample programs, including a series of secure libraries.
ACM SIGPLAN Notices, 2012
2011 IEEE 26th Annual Symposium on Logic in Computer Science, 2011
We study a complex type theory, a Calculus of Inductive Constructions with a predicative hierarchy of universes and a first-order theory T built in its conversion relation. The theory T is specified abstractly, by a set of constructors, a set of defined symbols, axioms expressing that constructors are free and defined symbols completely defined, and a generic elimination principle relying on crucial properties of first-order structures satisfying the axioms. We first show that COQMTU enjoys all basic meta-theoretical properties of such calculi, confluence, subject reduction and strong normalization when restricted to weak-elimination, implying the decidability of type-checking in this case as well as consistency. The case of strong elimination is left open.
2014 IEEE Symposium on Security and Privacy, 2014
TLS was designed as a transparent channel abstraction to allow developers with no cryptographic expertise to protect their application against attackers that may control some clients, some servers, and may have the capability to tamper with network connections. However, the security guarantees of TLS fall short of those of a secure channel, leading to a variety of attacks.
Journal of Functional Programming, 2013
This paper is a draft. It is an extended version of a shorter paper of the same title. It differs from the short paper in the following regards:
Lecture Notes in Computer Science, 2007
In mechanism design, the gold standard solution concepts are dominant strategy incentive compatibility and Bayesian incentive compatibility. These solution concepts relieve the (possibly unsophisticated) bidders from the need to engage in complicated strategizing. While incentive properties are simple to state, their proofs are specific to the mechanism and can be quite complex. This raises two concerns. From a practical perspective, checking a complex proof can be a tedious process, often requiring experts knowledgeable in mechanism design. Furthermore, from a modeling perspective, if unsophisticated agents are unconvinced of incentive properties, they may strategize in unpredictable ways.