global abstraction safe marshalling via hash types
play

Global abstraction-safe marshalling via hash types James J. Leifer - PowerPoint PPT Presentation

Aug 05, 2023 •233 likes •528 views

Global abstraction-safe marshalling via hash types James J. Leifer Gilles Peskine Peter Sewell Keith Wansbrough INRIA Rocquencourt University of Cambridge Problem Consider inter-machine communication (or persistent storage): (A) (B) ...

  1. Global abstraction-safe marshalling via hash types James J. Leifer Gilles Peskine Peter Sewell Keith Wansbrough INRIA Rocquencourt University of Cambridge

  2. Problem Consider inter-machine communication (or persistent storage): (A) (B) ... ... let y = v : t send (marshal (v : bool)) unmarshal (receive () : int list) − − − − − − → A dynamic type check of t = t ′ can ensure the safety of unmarshal . But what if t and t ′ are ML-like abstract types, e.g. t = UnbalancedBinaryTree.ty t ′ = BalancedBinaryTree.ty ? Could just consider their concrete representation types to get type safety, but we want abstraction safety too. Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 1

  3. Problem Consider inter-machine communication (or persistent storage): (A) (B) ... ... let y = v : t unmarshal (receive () : t ′ send (marshal (v : t )) ) − − − − − − → A dynamic type check of t = t ′ can ensure the safety of unmarshal . But what if t and t ′ are ML-like abstract types, e.g. t = UnbalancedBinaryTree.ty t ′ = BalancedBinaryTree.ty ? Could just consider their concrete representation types to get type safety, but we want abstraction safety too. Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 2

  4. Problem Consider inter-machine communication (or persistent storage): (A) (B) ... ... let y = v : t unmarshal (receive () : t ′ send (marshal (v : t )) ) − − − − − − → A dynamic type check of t = t ′ can ensure the safety of unmarshal . But what if t and t ′ are ML-like abstract types, e.g. t = UnbalancedBinaryTree.ty t ′ = BalancedBinaryTree.ty ? Could just consider their concrete representation types to get type safety, but we want abstraction safety too. Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 3

  5. Overview • Examples: communication with abstract types • Solution: hash types, compilation, and typing • Theorems • Conclusions and future work Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 4

  6. An even counter: manifest signature module EvenC = ( struct (* the representation type *) type t = int let start = 0 let up x = x + 2 let get x = x end : EvenCSig) EvenCSig = sig type t = int (* t is manifestly equal to int *) val start : t val up : t -> t val get : t -> int end Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 5

  7. An even counter: abstract signature module EvenC = ( struct (* the representation type *) type t = int let start = 0 let up x = x + 2 let get x = x end : EvenCSig) EvenCSig = sig type t (* t is abstract *) val start : t val up : t -> t val get : t -> int end Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 6

  8. Example: identical abstract types (A) (B) module EvenC = (struct module EvenC = (struct type t = int type t = int let start = 0 let start = 0 let up x = x + 2 let up x = x + 2 let get x = x let get x = x end : EvenCSig) end : EvenCSig) let x = EvenC.start in let y = send (marshal (x : EvenC.t)) unmarshal (receive () : EvenC.t) √ succeed Within a single program, two abstract types with the same definition would be different (ML generativity). Between programs, that’s not what we want. Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 7

  9. Example: concrete to abstract (A) (B) module EvenC = (struct type t = int ... let start = 0 let up x = x + 2 let get x = x end : EvenCSig) let x = 3 in let y = send (marshal (x : int)) unmarshal (receive () : EvenC.t) × fail Allowing unmarshal to succeed would break (B)’s invariants. Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 8

  10. Example: same external behaviour Example: but different internal invariants (A) (B) module EvenC = (struct module EvenC = (struct type t = int type t = int let start = 0 let start = 0 let up x = x + 1 let up x = x + 2 let get x = 2 * x let get x = x end : EvenCSig) end : EvenCSig) let x = EvenC.start in let y = send (marshal (x : EvenC.t)) unmarshal (receive () : EvenC.t) × fail Again, success would not respect (B)’s invariants. Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 9

  11. Example: same internal invariants (A) (B) module EvenC = (struct module EvenC = (struct type t = int type t = int let start = 0 let start = 0 let up x = 2 + x let up x = x + 2 let get x = x let get x = x end : EvenCSig) end : EvenCSig) let x = EvenC.start in let y = send (marshal (x : EvenC.t)) unmarshal (receive () : EvenC.t) ? maybe Success would require a theorem prover to perform the verification (unrealistic) or a user-supplied coercion. Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 10

  12. Summary of the main cases Interface Implementation Desired behavior √ succeed same same code ? maybe same same internal invariants same external behaviour × fail same but different internal invariants × fail same different external behaviour × fail different ... × fail ... different representation types Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 11

  13. How do we get the desired behaviour? • For communication between programs with identical sources, it’s easy to compare abstract types by their source-code names, e.g. EvenC.t would mean the same thing in all copies. • However, for programs that share only some modules, that would be unsound. How do we obtain globally meaningful type names? Solution: we construct them from module hashes . (A) (B) ... ... v : hash(struct ... end : sig ... end).t − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − → Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 12

  14. Solution: hash types • We can implement them with a cryptographic hash, e.g. md5 (compact fingerprint yet injective in practice). • We freely look inside their structure in our typing rules, but never need to do this in the implementation. • What exactly do we hash? A good candidate: abstract syntax trees of module definitions. But module dependencies require care. (A) (B) ... ... v : hash(struct ... end : sig ... end).t − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − → Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 13

  15. 1. Compile-time reduction: hash generation module EvenC = � struct � type t = int let start = 0 ... end : sig type t val start : t ... end send (marshal (EvenC.start : EvenC.t)) − → c inlining EvenC send (marshal (0 : h .t)) � struct � type t = int let start = 0 ... end where h = hash : sig type t val start : t ... end Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 14

  16. 2. Compile-time reduction: module dependency (1/3) − → c inlining EvenC module EvenC =   struct type t = int let start = 0 ... end     : sig type t   val start : t ... end module CleanC =   struct type s = EvenC.t * bool  let create = (EvenC.start, true) ... end      : sig type s   val create : s ... end send (marshal (CleanC.create : CleanC.s)) Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 15

  17. 2. Compile-time reduction: module dependency (2/3) − → c inlining EvenC module CleanC =   type s = h .t * bool struct  let create = (0, true) ... end      : sig type s   val create : s ... end send (marshal (CleanC.create : CleanC.s)) where   struct type t = int let start = 0 ... end   h = hash   : sig type t   val start : t ... end Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 16

  18. 2. Compile-time reduction: module dependency (2/3) − → c inlining EvenC module CleanC =   type s = h .t * bool struct  let create = (0, true) ... end      : sig type s   val create : s ... end send (marshal (CleanC.create : CleanC.s)) where   struct type t = int let start = 0 ... end   h = hash   : sig type t   val start : t ... end Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 17

  19. 2. Compile-time reduction: module dependency (3/3) − → c inlining CleanC send (marshal ((0, true) : h ′ .s)) where   struct type t = int let start = 0 ... end   h = hash   : sig type t   val start : t ... end   type s = h .t * bool struct let create = (0, true) ... end h ′ = hash     : sig type s   val create : s ... end Leifer, Peskine, Sewell, Wansbrough. “Global abstraction-safe marshalling via hash types” 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 3: Data Abstraction Abstraction, modularity, information hiding Abstract data types

Chapter 3: Data Abstraction Abstraction, modularity, information hiding Abstract data types

Chapter 3: Data Abstraction Abstraction, modularity, information hiding Abstract data types Example-1: List ADT Example-2: Sorted list ADT C++ Classes C++ Namespaces C++ Exceptions EECS 268 Programming II 1 Modularity

691 views • 50 slides
Existential Types and Abstraction Liam OConnor CSE, UNSW (and data61) Term 3 2019 1

Existential Types and Abstraction Liam OConnor CSE, UNSW (and data61) Term 3 2019 1

Abstract Data Types Existential Types Existential Types and Abstraction Liam OConnor CSE, UNSW (and data61) Term 3 2019 1 Abstract Data Types Existential Types Motivation Throughout your studies, lecturers have (hopefully) expounded on

291 views • 14 slides
Types, Abstraction, and Parametric Polymorphism John C. Reynolds Presented by Dietrich Geisler

Types, Abstraction, and Parametric Polymorphism John C. Reynolds Presented by Dietrich Geisler

Types, Abstraction, and Parametric Polymorphism John C. Reynolds Presented by Dietrich Geisler Abstraction Dietrich Geisler (With apologies to John C. Reynolds) What is Abstraction? 1. Define complex numbers 2. When are they equal? 1.

538 views • 12 slides
CSC 1800 Organization of Programming Languages Abstract Data Types 1 The Concept of

CSC 1800 Organization of Programming Languages Abstract Data Types 1 The Concept of

CSC 1800 Organization of Programming Languages Abstract Data Types 1 The Concept of Abstraction An abstraction is a view or representation of an entity that includes only the most significant attributes The concept of abstraction is

538 views • 14 slides
The Power of Abstraction Barbara Liskov October 2010 Outline Inventing abstract data types

The Power of Abstraction Barbara Liskov October 2010 Outline Inventing abstract data types

The Power of Abstraction Barbara Liskov October 2010 Outline Inventing abstract data types CLU Type hierarchy What next Data Abstraction Prehistory The Venus machine The Interdata 3 Data Abstraction Prehistory The

792 views • 52 slides
Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must

Hash Functions Hash Functions 1 Cryptographic Hash Function Crypto hash function h(x) must provide o Compression output length is small o Efficiency h(x) easy to compute for any x o One-way given a value y it is infeasible to find

465 views • 42 slides
Hash tables Hash functions Open addressing March 09, 2020 Cinda Heeren / Andy Roth / Geoffrey

Hash tables Hash functions Open addressing March 09, 2020 Cinda Heeren / Andy Roth / Geoffrey

Hash tables Hash functions Open addressing March 09, 2020 Cinda Heeren / Andy Roth / Geoffrey Tien 1 Hash tables A hash table consists of an array to store data Data often consists of complex types, or pointers to such objects One

247 views • 21 slides
The Power of Abstraction The Power of Abstraction Barbara Liskov October 2009 October 2009

The Power of Abstraction The Power of Abstraction Barbara Liskov October 2009 October 2009

The Power of Abstraction The Power of Abstraction Barbara Liskov October 2009 October 2009 Outline Inventing abstract data types CLU CLU Type hierarchy What next h Data Abstraction Prehistory The Venus machine The

750 views • 64 slides
Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a

Point, Line, & Plane 1 Abstraction Abstraction is the act of considering something as a general quality or characteristic, apart from concrete realities, specific objects, or actual instances. 2 Abstraction Abstraction is

478 views • 21 slides
Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint

Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint

Cyclone: Safe Programming at the C Level of Abstraction Dan Grossman Cornell University Joint work with: Trevor Jim (AT&T), Greg Morrisett, Michael Hicks (Maryland), James Cheney, Yanling Wang A safe C-level language Cyclone is a

860 views • 83 slides
Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software

Outline Introduction Predicate Abstraction with SATABS Existential Abstraction Predicate Abstraction for Software Counterexample-Guided Abstraction Refinement Computing Existential Abstractions of Programs Version 1.0, 2010 Checking the

429 views • 12 slides
CS 171: Visualization Data Abstraction & Data Types Alexander Lex alex@seas.harvard.edu

CS 171: Visualization Data Abstraction & Data Types Alexander Lex alex@seas.harvard.edu

CS 171: Visualization Data Abstraction & Data Types Alexander Lex alex@seas.harvard.edu [xkcd] This Week Homework 0: due tomorrow! NEW: ANNOUNCE REPOSITORY & tell us if you dont have a micro account yet http://goo.gl/HFVE6h

862 views • 73 slides
Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used

Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used

Topic 22 Hash Tables " hash collision n. [from the techspeak] (var. `hash clash') When used of people, signifies a confusion in associative memory or imagination, especially a persistent one (see thinko ). True story: One of us was once on

908 views • 31 slides
Data Abstraction and Abstract Data Types Tessema M. Mengistu Department of Computer Science

Data Abstraction and Abstract Data Types Tessema M. Mengistu Department of Computer Science

Data Abstraction and Abstract Data Types Tessema M. Mengistu Department of Computer Science Southern Illinois University Carbondale tessema.mengistu@siu.edu Room - 3131 1 Outline Abstract Data types (ADT) ADT Design Specification

502 views • 28 slides
Hash Table In a hash table, we allocate an array of size m, which is much smaller than |U|

Hash Table In a hash table, we allocate an array of size m, which is much smaller than |U|

Hash Table In a hash table, we allocate an array of size m, which is much smaller than |U| (the set of keys). Tirgul 9 We use a hash function h() to determine the entry of each key. Hash Tables (continued) Reminder The crucial

151 views • 4 slides
D9: Off-chain attacks Short-address attack Unnamed exchange uses insecure marshalling between

D9: Off-chain attacks Short-address attack Unnamed exchange uses insecure marshalling between

D9: Off-chain attacks Short-address attack Unnamed exchange uses insecure marshalling between web API and programming language (Web3/Solidity) and underlying execution environment (Ethereum Virtual Machine) Portland State University CS

996 views • 38 slides
Enacting BPEL4WS Specified Workflows with Multiagent Systems Paul Buhler 1 e M Vidal 2 Jos 1

Enacting BPEL4WS Specified Workflows with Multiagent Systems Paul Buhler 1 e M Vidal 2 Jos 1

Centralized Enactment Distributed Enactment Enacting BPEL4WS Specified Workflows with Multiagent Systems Paul Buhler 1 e M Vidal 2 Jos 1 Department of Computer Science College of Charleston 2 Department of Computer Science and Engineering

785 views • 47 slides
Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization

Session 14 Serialization/JSON Session 14 Serialization/JSON 1 Lecture Objectives Understand the need for serialization Understand various approaches to serialization Understand the use of JSON as a popular approach to

327 views • 16 slides
TestingMicroservices: TestingMicroservices: TestingMicroservices: fastandwithconfidence

TestingMicroservices: TestingMicroservices: TestingMicroservices: fastandwithconfidence

TestingMicroservices: TestingMicroservices: TestingMicroservices: fastandwithconfidence fastandwithconfidence fastandwithconfidence StephanJaensch StephanJaensch StephanJaensch @s_jaensch @s_jaensch @s_jaensch 1 2

705 views • 19 slides
The Java Architecture For XML Binding (JAXB) By: Yoav Zibin Sharon Krisher Motivation for

The Java Architecture For XML Binding (JAXB) By: Yoav Zibin Sharon Krisher Motivation for

The Java Architecture For XML Binding (JAXB) By: Yoav Zibin Sharon Krisher Motivation for JAXB Problem: How to manipulate this data model? DOM (data object model) solution: Pros: simple, general (a schema is not even required)

679 views • 16 slides
Lazy Modules Keiko Nakata Institute of Cybernetics at Tallinn University of Technology

Lazy Modules Keiko Nakata Institute of Cybernetics at Tallinn University of Technology

Lazy Modules Keiko Nakata Institute of Cybernetics at Tallinn University of Technology Constrained lazy initialization for modules Plan of my talk Lazy initialization in practice Constrained laziness Or, hybrid strategies between

595 views • 40 slides
Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda,

W3C Workshop on the Future of Social Networking, Barcelona January 2009 Towards an OpenID -based solution to the Social Network Interoperability problem M. Mostarda, D. Palmisano, F. Zani, S. Tripodi About Us We are proud member of the W3C

252 views • 21 slides
Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr.

Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr.

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Native service interfaces for the Virtual State Layer Felix Kuperjans Advisor(s): Dr. Marc-Oliver Pahl, Stefan Liebald Supervisor: Prof.

535 views • 9 slides
CS 555: D ISTRIBUTED S YSTEMS [RMI] Shrideep Pallickara Computer Science Colorado State

CS 555: D ISTRIBUTED S YSTEMS [RMI] Shrideep Pallickara Computer Science Colorado State

CS555: Distributed Systems [Fall 2019] Dept. Of Computer Science , Colorado State University CS 555: D ISTRIBUTED S YSTEMS [RMI] Shrideep Pallickara Computer Science Colorado State University CS555: Distributed Systems [Fall 2019] December 5,

820 views • 30 slides

More recommend