CLF: A Concurrent Logical Framework
David Walker
Princeton
(with I. Cervesato, F. Pfenning, K. Watkins)
Outline
- What is a logical framework?
- Logical frameworks & security
- CLF: a concurrent logical framework
Logical Frameworks
- A logical framework is a meta-language for representing deductive systems
- Sample deductive systems:
  - logics of all kinds: first-order logic, higher-order logic, temporal logic, ...
  - programming languages: ML, lambda calculus, pi calculus
  - specification languages: set theory, type theory, multi-set rewriting, ...
  - compilers: translations between languages or logics
Logical Frameworks
(Layered diagram on the slide, reconstructed as a list from the top layer down.)
- meta-logical frameworks (Twelf, Nuprl, HOL, ...) represent properties of logics
- logical frameworks (Automath, Nuprl, HOL, LF, ...) represent logics
- logics (FOL, linear logic, temporal logic) represent proofs
- proofs, e.g. (A and B) => C
Logical Frameworks
(Same layered diagram, this time for programming languages.)
- meta-logical frameworks (Twelf, Nuprl, HOL, ...) represent properties of programming langs
- logical frameworks (Automath, Nuprl, HOL, LF, ...) represent programming langs
- programming languages (C, ML, Java, lambda calculus) represent programs
- programs, e.g. if (n > 17) {...}
Tasks for Logical Frameworks
- Represent syntax
  - of a logic
  - of a programming language
- Represent valid rules of inference
  - inference rules (modus ponens, law of the excluded middle) of a logic
  - typing rules, operational rules of a language
- Represent valid deductions
  - valid proofs
  - well-typed programs, valid executions
Application I: proof-carrying X
- Proof-carrying code [Necula, Lee]
  - Attach a proof of some safety property to mobile code
  - Represent and check the proof in LF
- Proof-carrying authentication [Appel, Felten]
  - Attach a proof of access rights to database query, service request
  - Represent and check the proof in LF
Application II: Mechanical Reasoning
- Increase our confidence in system properties through the following process:
  1. Represent algorithm, deductive system
  2. Prove adequacy of representation
  3. Prove security properties within the framework
- LF normally small, simple and trustworthy
  - e.g. LF has two type constructors
  - Appel et al. (100k lines LF, 0 soundness bugs)
- Step 2 is least trustworthy
Application II: Mechanical Reasoning
- Authentication protocols
  - Extremely difficult to get correct
    - Highly concurrent
  - Errors are costly
  - Many different specification languages
    - informal notation, security logics, MSR, spi calculus, ...
- Represent protocols, languages & their properties/relationships in a logical framework
Logical framework design
- Logical framework design resembles programming language design
- Simple logical frameworks are like simple programming languages
  - few features = simple, trustworthy implementation but limited expressiveness
  - expressive enough in principle but awkward and unmanageable in practice
    - adequacy may be unclear, difficult to prove
The LF family of Logical Frameworks
- Automath [De Bruijn]
- LF [Harper et al.]
  - Dependent types, intuitionistic functions
  - Represents pure PL, logics
  - Higher-order abstract syntax
- Linear LF [Cervesato, Pfenning]
  - LF + linear functions, additive pairs
  - Represents state, effectful programming paradigms
  - Resource-conscious logics
Concurrent LF (CLF)
- Linear LF + a concurrency monad
  - The monad encapsulates a concurrent computation
  - Represents concurrent programming paradigms: MSR specifications of security protocols, pi-calculus, CML, Petri nets
CLF types
- Linear LF types + concurrency monad
    A, B ::= a | Πx:A. B | A -o B | T | A & B | {S}
- Represent the state of a concurrent computation
    S ::= A | 1 | S1 ⊗ S2 | ∃x:A. S | !A
Pure CLF terms
- Pure Linear LF terms + concurrent computations
- A monad encapsulates computations within the pure language
    pure terms M, N ::= c | λx:A. M | M N | ... | {E}
Effectful CLF computations
- Computation E processes the ambient state
- A let expression represents a step in a computation
- Patterns p introduce new state
    computations E ::= let {p} = M in E | F
    patterns     p ::= x:A | 1 | p1 ⊗ p2 | ∃x:A. p | !x
    states       F ::= M | 1 | F1 ⊗ F2 | [M, F] | !M
Example
CLF signature:
    key : type.
    msg : type.
    encrypt : key -> msg -> msg.
    wire : msg -> type.
    send : ΠM:msg. {wire M}.
    rec : ΠM:msg. wire M -o {1}.
Valid computation:
    {
      let {m:wire M} = send M in
      let {m':wire M'} = send M' in
      let {1} = rec M' m' in
      let {1} = rec M m in
      ...
    }
Concurrency equations
- LF and related dependent type theories provide a notion of definitional equality
- When M ≡ N, the framework cannot distinguish M and N
- We extend the LF equality:
    let {p} = M in let {p'} = M' in E  ≡  let {p'} = M' in let {p} = M in E
    (M, M' do not contain variables in p, p')
- The framework cannot distinguish the order of independent computation steps
Example
Valid computation:
    {
      let {m:wire M} = send M in
      let {m':wire M'} = send M' in
      let {1} = rec M' m' in
      let {1} = rec M m in
      ...
    }
Equivalent computation:
    {
      let {m:wire M} = send M in
      let {1} = rec M m in
      let {m':wire M'} = send M' in
      let {1} = rec M' m' in
      ...
    }
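The following Python script is an added example, not code from the slides or from the CLF papers. It models the send/rec computations above and the concurrency equation: it parses let-steps, checks that every `wire M` token bound by a `send` is consumed by exactly one later `rec` (the linear `-o` discipline of the example) and that no variable is used before its binding step, and then decides whether two computations are equal modulo the concurrency equation by computing a normal form from the data dependencies between steps. The one-step-per-line syntax, the "a term uses a variable if its name occurs as a token" convention, the reduced linearity check and the assumption that steps have distinct texts are simplifications of this example, not CLF's definitions.

```python
"""Checker for CLF-style let-computations modulo the concurrency equation.

Added example; not code from the CLF papers or these slides. Assumptions:
(1) each step is written on its own line as `let {pattern} = term in`;
(2) a pattern binds every name written before a `:` (`m:wire M` binds m,
    `1` binds nothing);
(3) a term uses a variable when the variable's name occurs in it as a token;
(4) linearity is modelled only as "each bound variable is consumed by exactly
    one later step", which is what `wire M -o {1}` demands of the example;
    this is not CLF's type checker;
(5) steps have distinct texts, so a layer can be compared as sorted text."""
import re

STEP_RE = re.compile(r"^\s*let\s*\{(?P<pat>[^}]*)\}\s*=\s*(?P<term>.+?)\s+in\s*$")
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_']*")
BINDER_RE = re.compile(r"([a-z][A-Za-z0-9_']*)\s*:")


def parse(computation):
    """Turn the text of a `{ ... }` computation into (bound, term, line)
    triples, one per let-step. Braces and a trailing `...` are skipped."""
    steps = []
    for raw in computation.splitlines():
        line = raw.strip()
        if line in ("", "{", "}", "..."):
            continue
        m = STEP_RE.match(line)
        if m is None:
            raise ValueError("not a let-step: " + line)
        steps.append((frozenset(BINDER_RE.findall(m.group("pat"))), m.group("term"), line))
    return steps


def check(steps):
    """Return scoping/linearity problems (empty list if the computation is fine).
    Scoping: a term may only use variables bound by an earlier step.
    Linearity: every bound variable is used by exactly one later step."""
    all_bound = frozenset().union(*(b for b, _, _ in steps))
    bound_so_far, use_count, problems = set(), {v: 0 for v in all_bound}, []
    for bound, term, line in steps:
        for tok in TOKEN_RE.findall(term):
            if tok not in all_bound:      # constants (send, rec) and metavariables (M, M')
                continue
            if tok not in bound_so_far:
                problems.append(f"{tok} used before it is bound in: {line}")
            use_count[tok] += 1
        bound_so_far |= bound
    problems += [f"linear variable {v} used {n} times" for v, n in sorted(use_count.items()) if n != 1]
    return problems


def dependencies(steps):
    """deps[j] = indices i < j of the steps that bind a variable used by step j.
    Adjacent steps without such a link satisfy the side condition of the
    concurrency equation (M' does not mention the variables of p) and commute."""
    all_bound = frozenset().union(*(b for b, _, _ in steps))
    deps = []
    for j, (_, term, _) in enumerate(steps):
        used = {t for t in TOKEN_RE.findall(term) if t in all_bound}
        deps.append({i for i in range(j) if steps[i][0] & used})
    return deps


def normal_form(computation):
    """Canonical form modulo the concurrency equation: repeatedly emit the layer
    of all steps whose dependencies are already emitted, each layer sorted by
    text. Swapping adjacent independent steps leaves the dependency structure,
    and hence this form, unchanged."""
    steps = parse(computation)
    problems = check(steps)
    if problems:
        raise ValueError("; ".join(problems))
    deps = dependencies(steps)
    done, layers = set(), []
    while len(done) < len(steps):
        layer = [i for i in range(len(steps)) if i not in done and deps[i] <= done]
        layers.append(tuple(sorted(steps[i][2] for i in layer)))
        done.update(layer)
    return tuple(layers)


def equivalent(c1, c2):
    """True iff c2 arises from c1 by reordering independent steps."""
    return normal_form(c1) == normal_form(c2)


# Constructed inputs: the valid computation from the slides, the equivalent
# one obtained by reordering, and two ill-formed variants.
VALID = "{\nlet {m:wire M} = send M in\nlet {m':wire M'} = send M' in\n" \
        "let {1} = rec M' m' in\nlet {1} = rec M m in\n...\n}"
EQUIV = "{\nlet {m:wire M} = send M in\nlet {1} = rec M m in\n" \
        "let {m':wire M'} = send M' in\nlet {1} = rec M' m' in\n...\n}"
DOUBLE_RECEIVE = "{\nlet {m:wire M} = send M in\nlet {1} = rec M m in\nlet {1} = rec M m in\n}"
RECEIVE_FIRST = "{\nlet {1} = rec M m in\nlet {m:wire M} = send M in\n}"

if __name__ == "__main__":
    print(equivalent(VALID, EQUIV))      # True: the two computations differ only in step order
    print(check(parse(DOUBLE_RECEIVE)))  # ['linear variable m used 2 times']
    print(check(parse(RECEIVE_FIRST)))   # ['m used before it is bound in: let {1} = rec M m in']
```

The normal form is the usual layered (Foata-style) form of a trace: the dependency relation between steps is fixed by which variables each step binds and uses, so any sequence of swaps permitted by the concurrency equation yields the same layers, while a computation that consumes a wire twice or receives before sending is rejected by `check` before any equivalence is decided.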
Results
- Definition and meta-theory of CLF
  - A new presentation of LF dependent type theory based on canonical forms
  - Decidability of type checking
- Examples and applications
  - Representation of Petri nets, synchronous and asynchronous pi-calculus, with proofs of adequacy
  - Novel, modular representation of CML in CLF
  - Representation of MSR & examples
Further reading
- Cervesato, Pfenning, Walker, Watkins. A concurrent logical framework. January 2002 (submitted).
- Forthcoming technical reports:
  - Watkins et al. A concurrent logical framework I: Judgments and properties.
  - Cervesato et al. A concurrent logical framework II: Examples and applications.
Future work
- Implementation and logic programming operational semantics for CLF
  - Represent, check and execute concurrent computations
- Meta-logical reasoning about concurrent computations
  - Properties of concurrent computations, bisimulation
  - Automatic proof search
Conclusions
- Study of logical frameworks is an important aspect of the development of secure and reliable systems
- CLF enables concise and adequate representations of concurrent languages