
Small Proof Witnesses for LF


Presentation Transcript


  1. Small Proof Witnesses for LF. Susmit Sarkar, Brigitte Pientka, Karl Crary

  2. Motivation : Untrusted Code
  • Want : execute untrusted code
  [diagram: Code is sent over the Internet to the Code Consumer]

  3. Solution : Certified Code
  • Solution : Certificate with Code
  • Proof Carrying Code [Necula]
  [diagram: Code and Certificate are sent over the Internet to the Code Consumer]

  4. What is a Certificate?
  • Prove Code is Safe
  • Easily checkable by Code Consumer
  • First Answer : Proof in a Logic

  5. Logical Framework (LF)
  • Uniformly represent logics (and proofs)
  • Well-studied properties
  • Used extensively [PCC, FPCC, TALT, …]
  • Problem : Proofs are BIG!

  6. Use Proof Search?
  • Ask Code Consumer to search for proof
  • Caveat : Higher-order Logic Programming
  • Advantage : Zero proof size
  • Disadvantage : Large time required

  7. Idea : Proof Search with Guidance
  • Do Proof Search
  • Look at proof to resolve Don’t Know choices
  • All we really require are the choices
  • Encode as “oracle” [Necula and Rahul]

  8. What is a Certificate? … contd.
  • New Answer : Sequence of choices made (as a position number from available choices)
  • Can be efficiently encoded
  • Time to check sufficiently low

  9. Our Contributions
  • Oracles for higher-order logic programming
  • Handle the entire LF language (as implemented in Twelf)
  • Previous efforts [Necula et al, Wu et al] restricted to a subset
  • Generic oracle creation/verification for a variety of logics
  • Efficient Term-Indexing strategies

  10. Rest of Talk
  • Higher-order Logic Programming
  • Challenges
  • Instrumentation to generate / verify oracle
  • Experimental results

  11. Higher-order Logic Programming
  • Goals may have nested implications and universal quantifiers
  • Depth-First Search (like Prolog)
  • New Issues:
    • Dynamic Assumptions added (Scoping rules)
    • Term language is higher-order (Requires Higher Order Unification)
    • Efficient Term Indexing strategies needed

  12. Proof Search (producing proof)
  • Have a set of dynamic assumptions
  • Case : Goal is ∀x. G :
    • Solve G[a/x] under the dynamic assumptions (“a” is a new parameter)
    • Get proof M[a/x] for the subgoal
    • Proof for goal is λx. M

  13. Proof Search … contd.
  • Case : Goal is G1 ⊃ G2 :
    • Add clause u:G1 to the dynamic assumptions
    • Solve G2 under this extended set of assumptions
    • Get proof M for the subgoal
    • Proof for goal is λu. M

  14. Proof Search … contd. [2]
  • Case : Goal is Atomic
    • Choose clause C (from program or dynamic assumptions) matching goal
    • Solve subgoals of clause
    • Get proof M for subgoals
    • Proof for goal is C . M (records the clause C used, and M for the rest)

  15. Higher-Order Term Indexing
  • Term Indexing strategy important
  • Reduction of choices is efficient for oracle size
  • Our strategy : Higher-order Substitution Trees [Pientka]
  • Generalize Substitution Trees

  16. Example: A Natural Deduction Logic
  alli : prov (forall λx. P x) <- (Πx. prov (P x)).
  alle : prov (P T) <- prov (forall λx. P x).
  impi : prov (imp P1 P2) <- (prov P1 -> prov P2).
  impe : prov P <- prov (imp P1 P) <- prov P1.

  17. Example Query
  ⊢ prov (forall λy. (imp (forall λx. p x) (p y)))
     candidates alli, alle, impe; alli chosen (1/3)
  ⊢ Πa. prov (imp (forall λx. p x) (p a))
  ⊢ prov (imp (forall λx. p x) (p a))
     candidates alle, impi, impe; impi chosen (2/3)
  ⊢ prov (forall λx. p x) ⊃ prov (p a)
  u:prov (forall λx. p x) ⊢ prov (p a)
     candidates alle, impe, u; alle chosen (1/3)
  u:prov (forall λx. p x) ⊢ prov (forall λx. p x)

  18. Oracle Generation / Verification
  • Generating Oracle assumes Proof Term available
  • Verifying Oracle assumes Oracle available
  • Follow complementary procedures
  • Similar to proof search procedure sketched out

  19. Instrumented Proof Search
  • Case : Goal is ∀x. G :
    • Solve G[a/x]
    • No choice to be made
  • Case : Goal is G1 ⊃ G2 :
    • Solve G2 in extended set of dynamic assumptions
    • No choice to be made

  20. Atomic Goal … Generation
  • Case : Goal is atomic
  • Choose clause C. Solve its subgoals
  • During Generation,
    • Look at proof term (records choice)
    • Count choices available
    • Oracle records number of choice made

  21. Atomic Goal … Verification
  • Case : Goal is atomic
  • Choose clause C. Solve its subgoals
  • During Verification,
    • Look at oracle (records positional number of choice)
    • Count choices available
    • Take indicated choice
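As an added example (not code from the talk, the paper or Twelf), the generation and verification procedures of slides 12 to 14 and 18 to 21, run on a propositional, implication-only fragment of the natural deduction logic of slide 16: implication introduction is built in (the impi case), and the only clauses for an atomic goal are the dynamic assumptions, so no higher-order unification is needed. The formula and proof-term encodings, the sample goal and the assumption names u0, u1, ... are constructed for this example.

```python
from itertools import count

# Constructed encoding: an atom is a str, an implication is ("imp", A, B).
# Proof terms: ("lam", u, M) introduces u:A (slide 13); ("app", u, [M1..Mn]) uses
# assumption u as a clause, with M1..Mn proving its premises (slide 14).
def head_and_premises(f):
    """Read clause A1 imp (A2 imp ... P) as head P with premises [A1, A2, ...]."""
    prems = []
    while isinstance(f, tuple):
        prems.append(f[1])
        f = f[2]
    return f, prems

def candidates(goal, delta):
    """Clauses in delta (ordered list of (name, formula)) whose head is the atomic goal."""
    split = [(u, head_and_premises(f)) for u, f in delta]
    return [(u, prems) for u, (head, prems) in split if head == goal]

def generate(goal, proof, delta=()):
    """Oracle generation (slide 20): walk the given proof term and record, at each
    atomic goal, the 1-based position of the clause it used among the candidates."""
    delta = list(delta)
    if isinstance(goal, tuple):                  # G1 imp G2: extend delta, no choice
        assert proof[0] == "lam"
        return generate(goal[2], proof[2], delta + [(proof[1], goal[1])])
    assert proof[0] == "app"
    cands = candidates(goal, delta)
    pos = [u for u, _ in cands].index(proof[1]) + 1
    oracle = [pos]
    for prem, sub in zip(cands[pos - 1][1], proof[2]):
        oracle += generate(prem, sub, delta)
    return oracle

def verify(goal, oracle):
    """Oracle verification (slide 21): rebuild the proof by taking the indicated
    choice at every atomic goal, so no search or backtracking happens."""
    positions, names = iter(oracle), count()
    def go(goal, delta):
        if isinstance(goal, tuple):
            u = "u%d" % next(names)
            return ("lam", u, go(goal[2], delta + [(u, goal[1])]))
        cands = candidates(goal, delta)
        pos = next(positions, None)
        if pos is None or not 1 <= pos <= len(cands):
            raise ValueError("bad oracle entry %r for %d candidates" % (pos, len(cands)))
        u, prems = cands[pos - 1]
        return ("app", u, [go(p, delta) for p in prems])
    return go(goal, [])
```

For the goal a ⊃ ((a ⊃ b) ⊃ (b ⊃ b)) the atomic subgoal b has two candidates (u1:a ⊃ b and u2:b), so the oracle is [2] for the direct proof and [1, 1] for the proof that goes through u1, and verify rebuilds exactly the proof term that produced the oracle.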

  22. Results : Time

  23. Results : Proof Size

  24. Conclusions
  • Instrumented a proof search procedure to produce / verify small witnesses
  • Handle all of LF (higher-order logic programming required)
  • Experimental Study of technique
