Proof Planning in Logical Frameworks Carsten Schürmann Yale University September 2002
Motivating questions
• Is the number of CERT advisories increasing or decreasing?
• Who can vouch for the correctness of the BLUETOOTH protocol?
• Will we ever vote electronically?
• Is the complexity of network protocols increasing or decreasing?

Safety Architectures
• Examples
  • Authentication
  • Network routing
  • E-voting
  • Mobile Code
• Requirements
  • Flexible design
  • Extensibility
  • Trust
[Diagram: safety architecture, with the labels Source, Compiler, Binary, Programming Languages, Safety Proof, Safety Proof Language, Proof Checker, Trusted Computing Base]
Complexity
• Safety proof languages
  • PCC: 129 rules [Necula, Lee 97]
  • FPCC: several 100 rules [Appel, Felty 01]
  • FLINT: ?? rules [Zhao, et al 02]
• Typed Assembly Language
  • Type theory: 31 rules [Morrisett, Crary … 98]
  • Proof Checker: approx. 4000 lines
• Bluetooth Protocol
  • Type system: 1000 pages of prose

We need tools to …
• … control the inherent complexity
• design safety architectures
• reason about our designs
• automate the reasoning processes involved
• program with our designs
[Diagram: the safety architecture, now with a Logical Framework box; labels Proof Checker, Safety Proof, Safety Proof Language, Logical Framework, Binary]

Dimension 1: Design
• Logical Frameworks encode
  • Safety Proof Languages
  • Type Systems
  • Security Protocols
• Benefit:
  • Storing
  • Shipping
  • Checking

Dimension 1: Design
• Safety Proof Languages
  • Higher-order logic
  • Temporal Logic
  • Modal Logic
  • Linear Logic
  • Coq Logic
• Type Systems

Dimension 2: Reasoning
• Meta logical framework
  • Consistency
  • Completeness
  • Type Safety
  • Freeness of attacks
• Benefit:
  • Trusting
  • Verifying
Callouts on the slide: Is the safety proof language consistent? Can somebody steal an e-vote? Can an intruder steal keys?
[Diagram, Dimension 2: Reasoning: the architecture above with a Meta Logical Framework box asking "Is the Safety Proof Language Consistent?"; labels Proof Checker, Safety Proof, Logical Framework, Binary, Safety Proof Language]
Dimension 3: Automation
• Proof planning [CS, Autexier]
  • Push button technology
  • Ease of use
  • Failure interpretation
• Benefit:
  • Level of abstraction
  • Interactive design cycle
  • Quick response
[Diagram, Dimension 3: Automation: the architecture above with a Proof Planner attached to the Meta Logical Framework; labels Proof Checker, Safety Proof, Logical Framework, Binary, Safety Proof Language]
Dimension 4: Programming
• Delphin [CS, Yu, Poswolsky]
• Compilers [CS, Xi]
• Client-server Architecture
  • Theorem Provers for Proof Carrying Authentication
• Benefit:
  • Direct manipulation of derivations
  • Automatic code generation
[Diagram, Dimension 4: Programming: the architecture above with a Delphin (functional programming) box; labels Meta Logical Framework, Proof Planner, Proof Checker, Safety Proof, Logical Framework, Binary, Safety Proof Language]
Rest of this Talk
• Proof Planning in Twelf
• Used at Yale, CMU, Princeton, Stanford, Harvard (?) …

[Diagram, Overview: the full architecture with Meta Logical Framework, Proof Planner, Proof Checker, Safety Proof, Logical Framework, Binary, Safety Proof Language]

[Diagram, Let's get started: the safety architecture with Proof Checker, Safety Proof, Logical Framework, Binary, Safety Proof Language]
Safety Proof Language
• Intuitionistic logic:
• Sequent calculus: [Gentzen 35]
• Judgment:
• Rules:

Representation
• Logical framework LF [Honsell, Harper, Plotkin 93]
  • Simply typed λ-calculus
  • Dependent types
• Paradigm
  • Judgments as types (assumptions as contexts)
  • Derivations as objects
[Diagram label: Logical Framework]
Representation (cont'd)
• Inference rules as constants

% Signature the rules presuppose (these declarations are not on the slide):
o    : type.                 % formulas
imp  : o -> o -> o.          % implication
%infix right 10 imp.
hyp  : o -> type.            % judgment: A is a hypothesis
conc : o -> type.            % judgment: A is a conclusion

% Sequent-calculus rules as constants (as on the slide)
axiom : (hyp A -> conc A).
impr  : (hyp A -> conc B) -> conc (A imp B).
impl  : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).
cut   : conc A -> (hyp A -> conc C) -> conc C.
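The "judgments as types, derivations as objects" paradigm, as an added example that is not from the slides or from Twelf: the sequent-calculus signature above is re-read in Python, with formulas and derivation objects as plain tuples (my own encoding) and a `check` function in the role of the proof checker of the safety architecture. `check` recomputes the judgment a derivation object inhabits, so a shipped object that does not fit the rules is rejected; `uses_cut` flags the detours that the admissibility theorem later in the talk says can be eliminated.

```python
# Added example, not from the slides or from Twelf: the sequent-calculus
# signature read as "judgments as types, derivations as objects".
# Formulas and derivation objects are ordinary tuples (my own encoding),
# and `check` plays the proof checker's role: it recomputes the judgment a
# derivation object inhabits, so an ill-formed safety proof is rejected.
from typing import Dict

Formula = tuple  # ('atom', name) | ('imp', A, B)


def atom(p: str) -> Formula:
    return ('atom', p)


def imp(a: Formula, b: Formula) -> Formula:
    return ('imp', a, b)


# Derivation objects, one constructor per constant of the signature.  Where
# the LF constant takes a function (hyp A -> conc B), the object names the
# bound hypothesis, as a lambda-binder would:
#   ('axiom', h)             h : hyp A                              |- conc A
#   ('impr', h, A, D)        [h : hyp A]  D : conc B                |- conc (A imp B)
#   ('impl', h, D1, h2, D2)  h : hyp (A imp B), D1 : conc A,
#                            [h2 : hyp B]  D2 : conc C              |- conc C
#   ('cut', D1, h, D2)       D1 : conc A, [h : hyp A]  D2 : conc C  |- conc C
# (impr carries A explicitly; Twelf would reconstruct it by unification.)


class CheckError(Exception):
    """The object is not a well-typed derivation, i.e. a bad safety proof."""


def check(d, ctx: Dict[str, Formula]) -> Formula:
    """Return A such that d : conc A under ctx (hypothesis name -> formula),
    or raise CheckError.  Indices are recomputed from the subderivations,
    which is what makes a shipped derivation object checkable."""
    tag = d[0]
    if tag == 'axiom':
        _, h = d
        if h not in ctx:
            raise CheckError(f'unbound hypothesis {h}')
        return ctx[h]
    if tag == 'impr':
        _, h, a, body = d
        return imp(a, check(body, {**ctx, h: a}))
    if tag == 'impl':
        _, h, d1, h2, d2 = d
        if h not in ctx or ctx[h][0] != 'imp':
            raise CheckError(f'{h} is not a hypothesis of the form A imp B')
        _, a, b = ctx[h]
        if check(d1, ctx) != a:
            raise CheckError('left premise of impl does not conclude the antecedent')
        return check(d2, {**ctx, h2: b})
    if tag == 'cut':
        _, d1, h, d2 = d
        return check(d2, {**ctx, h: check(d1, ctx)})
    raise CheckError(f'unknown constructor {tag}')


def uses_cut(d) -> bool:
    """True if the derivation object contains the cut constant anywhere."""
    tag = d[0]
    if tag == 'cut':
        return True
    if tag == 'axiom':
        return False
    if tag == 'impr':
        return uses_cut(d[3])
    if tag == 'impl':
        return uses_cut(d[2]) or uses_cut(d[4])
    raise CheckError(f'unknown constructor {tag}')


# Constructed sample derivations.
A, B = atom('A'), atom('B')
ID = ('impr', 'h', A, ('axiom', 'h'))                          # conc (A imp A)
MP = ('impl', 'h1', ('axiom', 'h2'), 'h3', ('axiom', 'h3'))    # conc B, given h1 : hyp (A imp B), h2 : hyp A
CLOSED = ('impr', 'h1', imp(A, B), ('impr', 'h2', A, MP))      # conc ((A imp B) imp (A imp B))
CUTD = ('cut', ID, 'k', ('axiom', 'k'))                        # conc (A imp A), via a detour through cut
BAD = ('impl', 'h2', ('axiom', 'h2'), 'h3', ('axiom', 'h3'))   # h2 : hyp A is not an implication

if __name__ == '__main__':
    print('ID     :', check(ID, {}))
    print('MP     :', check(MP, {'h1': imp(A, B), 'h2': A}))
    print('CLOSED :', check(CLOSED, {}), 'uses cut:', uses_cut(CLOSED))
    print('CUTD   :', check(CUTD, {}), 'uses cut:', uses_cut(CUTD))
    try:
        check(BAD, {'h2': A})
    except CheckError as e:
        print('BAD    : rejected,', e)
```

The checker is the only trusted component: the derivation objects can be stored, shipped and rechecked anywhere, which is the "Storing, Shipping, Checking" benefit listed under Dimension 1.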
Representation (cont'd)
• Reasoning about the real world is as good as the encoding is
[Diagram: Logic ↔ Logical Framework, 1-to-1]

Logical Frameworks Research
• Focuses on common concepts
  • Hypotheses
  • State
• Enriches the logical framework
  • Substitution (beta reduction)
  • Update (resource oriented logics)

Logical Frameworks Research
• Emphasis 1: Representation
  • Extend frameworks conservatively
  • Terms are not dead, they live!
  • Example: Twelf
• Emphasis 2: Reasoning
  • Examples: Coq, Isabelle, Lego
Remarks
"We can look at the current field of problem solving by computers as a series of ideas about how to present a problem. If a problem can be cast into one of these representations in a natural way, then it is possible to manipulate it and stand some chance of solving it." [Allen Newell]
• Elegance
  • Higher-order representation techniques
  • Dependent types
• Benefit for this work:
  • Variables and substitutions come for free!

[Diagram, Overview: the architecture with a Meta Logical Framework asking "Is the Safety Proof Language Consistent?"; labels Proof Checker, Safety Proof, Logical Framework, Binary, Safety Proof Language]
Is the Logic Consistent?
• Theorem [Admissibility]: [Gentzen 35]
  • If  and  then
• Fundamental theorem in logic [Gentzen 35]
  • Consistency of first-order logic
• Structural proof [Pfenning 95]
• Twelf can prove it automatically

Meta Logic Mω
• First-order logic
• Induction principles for arbitrary higher-order encodings [CS 00, 01]
Theorem [Admissibility]: If  and  then

[Diagram, Proof Planning: the architecture with Meta Logical Framework and Proof Planner; labels Proof Checker, Safety Proof, Logical Framework, Binary, Safety Proof Language]
The Situation
• What we have:
  • Logical Framework LF
  • Proofs by induction
• How can we find proofs automatically and quickly?

[Diagram, Pruning the Search Space: the space of formulas, divided into theorems and non-theorems]

Common Operations
• Splitting (Case analysis)
• Recursion (Induction hypothesis)
• Filling
  • Constructing safety proofs
  • Resolution based techniques
Context shown on the slide: A:o, C:o, D: conc A, E: hyp A -> conc B
Profiling reveals
• With naïve prototype implementation:

Explanation
• Reason 1: Search spaces enormous
• Reason 2: Side effect of failure

Possible Tackles
• Reason 1: Search spaces enormous
  • Tabled proof search [Pientka '02]
  • Outsourcing [Vampire?]
• Reason 2: Side effect of failure
  • Pruning through proof plans
  • Decidable criterion
Approximations
[Diagram: Theorem → (abstraction) → Approximated Theorem → (plan search) → Theorem Prover; boxes Meta Logic and Proof Plans, labelled "framework dependent" and "problem independent"]

Proof Planning Calculus Pω
• First-order logic [CS, Autexier 02]
• Propositions approximate type families
• Natural deduction
• Decidable (because of M2L)
Central Insight
• Exploit the information contained in type indices.
• Example:
  • "We have an object of type family conc containing information on A"
  • "We have another object of type family conc containing information on B once we know …"
Context: D: conc A, E: hyp A -> conc B

Observation
• There is no proof of
• But
• Splitting on (D, E)
  • Proof plans exist for each case.
• Let's try to prove. SUCCESS!
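The "decidable criterion" of the Possible Tackles slide and the observation above, as an added illustration that is my own construction and not the slides' Pω calculus: a proof state keeps, for each assumption, only its type family and index formula (the derivation object is thrown away), and the cut-free rules are applied at the level of indices. Cut-free search only ever mentions subformulas of the state, so the search is finite and the check decides. The state is the context D: conc A, E: hyp A -> conc B from the earlier slides; the goal conc B is my assumption, since the slide leaves the formulas out. No plan exists for the state as given, but in the case where D is an axiom (so hyp A is in the context) a plan exists, which is the shape of "splitting on (D, E), proof plans exist for each case"; the full case split with the induction hypothesis is not modelled here.

```python
# Added illustration, not the slides' Pω calculus: a decidable plan-existence
# check on an abstracted proof state.  Assumptions keep only type family and
# index formula; the cut-free rule shapes are applied to indices.  A state
# with no plan is unpromising (prune it); a state with a plan merely may be
# provable, which is the "read it backwards" direction of the soundness slide.
from functools import lru_cache
from typing import FrozenSet

Formula = tuple  # ('atom', p) | ('imp', A, B)


def atom(p: str) -> Formula:
    return ('atom', p)


def imp(a: Formula, b: Formula) -> Formula:
    return ('imp', a, b)


# Abstracted assumptions (my encoding):
#   ('conc', F)            an object D : conc F is available
#   ('hyp_to_conc', F, G)  an object E : hyp F -> conc G is available
def has_plan(goal: Formula, assumptions, hyps=()) -> bool:
    """Decide whether conc `goal` can be reached from the abstracted
    assumptions when the formulas in `hyps` are available as hypotheses."""
    assumptions = tuple(assumptions)

    @lru_cache(maxsize=None)
    def search(goal: Formula, hyps: FrozenSet, path: FrozenSet) -> bool:
        state = (goal, hyps)
        if state in path:            # this state is already being tried: cycle
            return False
        path = path | {state}
        if goal in hyps:             # axiom : hyp A -> conc A
            return True
        for a in assumptions:        # use an assumed object directly
            if a[0] == 'conc' and a[1] == goal:
                return True
            if a[0] == 'hyp_to_conc' and a[2] == goal and a[1] in hyps:
                return True
        if goal[0] == 'imp':         # impr : (hyp A -> conc B) -> conc (A imp B)
            if search(goal[2], hyps | {goal[1]}, path):
                return True
        for h in hyps:               # impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C)
            if h[0] == 'imp' and search(h[1], hyps, path) and search(goal, hyps | {h[2]}, path):
                return True
        return False                 # no rule shape applies: no plan, prune

    return search(goal, frozenset(hyps), frozenset())


# Constructed state from the slides: D : conc A, E : hyp A -> conc B.
A, B = atom('A'), atom('B')
STATE = [('conc', A), ('hyp_to_conc', A, B)]


def demo():
    """Return (no plan as given, plan in the D = axiom case, plan for A imp B)."""
    return (has_plan(B, STATE),            # False: nothing produces conc B yet
            has_plan(B, STATE, hyps=[A]),  # True: hyp A in context, E finishes
            has_plan(imp(A, B), STATE))    # True: impr, then E


if __name__ == '__main__':
    print(demo())
```

The `path` set makes the search terminate on repeated states, and every formula that appears is a subformula of the state, so the criterion is a decision procedure; the unsplit state is rejected in a handful of steps instead of after an exhaustive failed search.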
A Few Details • Abstraction is defined as follows
Soundness Theorem
If  without case rules and  then .
• Proof: by induction on .
• Benefit: Read it backwards!

Summary
• Proof planning calculus Pω
  • Recognizes unpromising states
  • Provides proof search guidance
  • Gives a logical explanation to proof plans
• Failure criterion
  • Inspects a proof state
  • Recognizes unpromising ones quickly
  • Decidable

Summary
• Importance
  • Push button technology
  • Network/authentication/e-voting protocols
• Proof planning system Pω
  • Works for encodings in LF
  • TI-abstraction [Giunchiglia, Walsh 91]
  • Implementation is underway
Our Goal: Tools to …
• design safety architectures
• reason about our designs
• automate the reasoning processes involved
• program with our designs
• We are on the way!

Future Work
• Alternative proof techniques
  • Logical relations [CS, Sarnat]
  • Coinduction [CS, Momigliano]
• Application domain
  • Network protocols
  • E-Voting
• Infinite structures
  • Choice sequences vs. Co-induction
  • Adequate representation of infinite traces

Conclusion
• For more information about Twelf and Delphin, check http://www.twelf.org

[Diagram: client-server architecture for authentication protocols; labels Trusted Computing Base, Authentication Protocols, Client, Compiler, Source, Server, Theorem Prover / Model Checker, Model, Safety Proof, Safety Proof Language]