
Self-certification: bootstrapping certified typecheckers in F* with Coq

Published: 25 January 2012

Abstract

Well-established dependently typed languages like Agda and Coq provide reliable ways to build and check formal proofs. Several other dependently typed languages such as Aura, ATS, Cayenne, Epigram, F*, F7, Fine, Guru, PCML5, and Ur also explore reliable ways to develop and verify programs. All these languages shine in their own regard, but their implementations do not themselves enjoy the degree of safety provided by machine-checked verification. We propose a general technique called self-certification that allows a typechecker for a suitably expressive language to be certified for correctness. We have implemented this technique for F*, a dependently typed language on the .NET platform. Self-certification involves implementing a typechecker for F* in F*, while using all the conveniences F* provides for the compiler-writer (e.g., partiality, effects, implicit conversions, proof automation, libraries). This typechecker is given a specification (in F*) strong enough to ensure that it computes valid typing derivations. We obtain a typing derivation for the core typechecker by running it on itself, and we export it to Coq as a type-derivation certificate. By typechecking this derivation (in Coq) and applying the F* metatheory (also mechanized in Coq), we conclude that our typechecker is correct. Once certified in this manner, the F* typechecker is emancipated from Coq.
Self-certification leads to an efficient certification scheme (we no longer depend on verifying certificates in Coq) as well as a more broadly applicable one. For instance, the self-certified F* checker is suitable for use in adversarial settings where Coq is not intended for use, such as run-time certification of mobile code.

Supplementary Material

JPG File (popl_8b_3.jpg)
MP4 File (popl_8b_3.mp4)


Published In

POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2012, 602 pages
ISBN: 9781450310833
DOI: 10.1145/2103656

Also published in ACM SIGPLAN Notices, Volume 47, Issue 1 (POPL '12), January 2012, 569 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/2103621

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. certification
  2. dependent types
  3. refinement types

Qualifiers

  • Research-article

Conference

POPL '12

Acceptance Rates

Overall Acceptance Rate 860 of 4,328 submissions, 20%
