Wilmer Ricciotti James Cheney University of Edinburgh - - PowerPoint PPT Presentation

Wilmer Ricciotti James Cheney University of Edinburgh

International Colloquium on Theoretical Aspects of Computing 16-19 October 2018, Stellenbosch, South Africa

 Audited computation refers to the ability to:

 Faithfully record a description (log, trace, trail) of the

computation history

 Programmatically inspect that history at any time, and in

particular during the computation itself

 Take decisions based on the inspection

 Typical approaches require the programmer to

instrument the code in an ad hoc way

 We seek to develop languages with a first-class notion of

computation history

 Break-the-glass policies (e.g. in electronic medical record

systems)

 Retrospective security

 Access-control based on the function calls in the history

• f the current computation

 Stack inspection

 Annotation of data with information disclosing its origin or

the way it was computed

 Provenance

 Break-the-glass policies (e.g. in electronic medical record

systems)

 Retrospective security

 Access-control based on the function calls in the history

• f the current computation

 Stack inspection

 Annotation of data with information disclosing its origin or

the way it was computed

 Provenance

 Break-the-glass policies (e.g. in electronic medical record

systems)

 Retrospective security

 Access-control based on the function calls in the history

• f the current computation

 Stack inspection

 Annotation of data with information disclosing its origin or

the way it was computed

 Provenance

 Break-the-glass policies (e.g. in electronic medical record

systems)

 Retrospective security

 Access-control based on the function calls in the history

• f the current computation

 Stack inspection

 Annotation of data with information disclosing its origin or

the way it was computed

 Provenance

 A refinement of modal logic allowing one to express

 What is true  What is known to be true and the reason why it is known to be

true

Γ ⊢ 𝑡 𝐵

 Originally defined as an axiomatic proof system à la

Hilbert

 Typed lambda calculi based CH-isomorphic to JL have

been introduced

𝑁 ∷= 𝑦 𝑁 𝑁 𝜇𝑦. 𝑁 | !𝑟 𝑁 𝑚𝑓𝑢 ! 𝑦 ≔ 𝑁 𝑗𝑜 𝑁 𝜅(𝜘)

 A lambda calculus with primitive notions of computation history

and auditing (Bavera and Bonelli, 2015)

 Audited units !𝑟 𝑁 are «boxes» logging the computation history of 𝑁

as a trail 𝑟) Example: context ... if 1 = 2 then M else N context ... if false then M else N

in context: (1=2) → false

 Trails = syntactic representation of reduction chains

 Reflexivity (r), transitivity (t)  Reduction steps (𝛄)  Congruence rules (e.g. app)

! ( 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6 ↝ !𝐛𝐪𝐪(𝛄,𝐬) 𝜇𝑐. 2, 𝑐 6 ↝ !𝐮(𝐛𝐪𝐪 𝛄,𝐬 ,𝛄) 2,6

 Trails = syntactic representation of reduction chains

 Reflexivity (r), transitivity (t)  Reduction steps (𝛄)  Congruence rules (e.g. app)

! ( 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6 ↝ !𝐛𝐪𝐪(𝛄,𝐬) 𝜇𝑐. 2, 𝑐 6 ↝ !𝐮(𝐛𝐪𝐪 𝛄,𝐬 ,𝛄) 2,6

 Trails = syntactic representation of reduction chains

 Reflexivity (r), transitivity (t)  Reduction steps (𝛄)  Congruence rules (e.g. app)

! ( 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6 ↝ !𝐛𝐪𝐪(𝛄,𝐬) 𝜇𝑐. 2, 𝑐 6 ↝ !𝐮(𝐛𝐪𝐪 𝛄,𝐬 ,𝛄) 2,6

 Trails = syntactic representation of reduction chains

 Reflexivity (r), transitivity (t)  Reduction steps (𝛄)  Congruence rules (e.g. app)

! ( 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6 ↝ !𝐛𝐪𝐪(𝛄,𝐬) 𝜇𝑐. 2, 𝑐 6 ↝ !𝐮(𝐛𝐪𝐪 𝛄,𝐬 ,𝛄) 2,6

 Trails = syntactic representation of reduction chains

 Reflexivity (r), transitivity (t)  Reduction steps (𝛄)  Congruence rules (e.g. app)

! ( 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6 ↝ !𝐛𝐪𝐪(𝛄,𝐬) 𝜇𝑐. 2, 𝑐 6 ↝ !𝐮(𝐛𝐪𝐪 𝛄,𝐬 ,𝛄) 2,6

 Principle:

!𝑟 ℱ 𝑁 → !𝐮(𝑟,𝒭 𝑟′ ) ℱ 𝑂

Where:

 𝑟′ ∶ 𝑁 → 𝑂  𝒭 is a trail context corresponding to ℱ

 Concrete definition: trail permutations

 A computation step without trails:

𝜇𝑦. 𝑁 𝑂 → 𝑁 ൗ 𝑂 𝑦

 A computation step with trails:

𝜇𝑦. 𝑁 𝑂 → 𝛄 ⊳ 𝑁 ൗ 𝑂 𝑦

 The operation pushing q’ to the outside is called trail

normalization

 Defined as a series of permutation reductions

!𝑟 ℱ 𝑁 → !𝑟 ℱ 𝑟′ ⊳ 𝑂 ↠ !𝐮(𝑟,𝒭 𝑟′ ) ℱ 𝑂

 Its cost depends on the size of ℱ  An efficiency issue similar to the one related to substitution

 A computation step without trails:

𝜇𝑦. 𝑁 𝑂 → 𝑁 ൗ 𝑂 𝑦

 A computation step with trails:

𝜇𝑦. 𝑁 𝑂 → 𝛄 ⊳ 𝑁 ൗ 𝑂 𝑦

 The operation pushing q’ to the outside is called trail

normalization

 Defined as a series of permutation reductions

!𝑟 ℱ 𝑁 → !𝑟 ℱ 𝑟′ ⊳ 𝑂 ↠ !𝐮(𝑟,𝒭 𝑟′ ) ℱ 𝑂

 Its cost depends on the size of ℱ  An efficiency issue similar to the one related to substitution

 A computation step without trails:

𝜇𝑦. 𝑁 𝑂 → 𝑁 ൗ 𝑂 𝑦

 A computation step with trails:

𝜇𝑦. 𝑁 𝑂 → 𝛄 ⊳ 𝑁 ൗ 𝑂 𝑦

 The operation pushing q’ to the outside is called trail

normalization

 Defined as a series of permutation reductions

!𝑟 ℱ 𝑁 → !𝑟 ℱ 𝑟′ ⊳ 𝑂 ↠ !𝐮(𝑟,𝒭 𝑟′ ) ℱ 𝑂

 Its cost depends on the size of ℱ  An efficiency issue similar to the one related to substitution

 A computation step without trails:

𝜇𝑦. 𝑁 𝑂 → 𝑁 ൗ 𝑂 𝑦

 A computation step with trails:

𝜇𝑦. 𝑁 𝑂 → 𝛄 ⊳ 𝑁 ൗ 𝑂 𝑦

 The operation pushing q’ to the outside is called trail

normalization

 Defined as a series of permutation reductions

!𝑟 ℱ 𝑁 → !𝑟 ℱ 𝑟′ ⊳ 𝑂 ↠ !𝐮(𝑟,𝒭 𝑟′ ) ℱ 𝑂

 Its cost depends on the size of ℱ  An efficiency issue similar to the one related to substitution

 Auditing is performed by an inspection operator

!𝑟 ℱ 𝜅(𝜘) → !𝑟 ℱ 𝐮𝐣 ⊳ 𝑟𝜘

 Trail inspection reifies the computation history of the audited

unit currently being executed

 It allows us to analyse the history by primitive recursion  Example: 𝜘 𝛄 = 𝜘 𝐮𝐣 = 1, 𝜘 𝐮 = 𝜘 𝐛𝐪𝐪 = 𝜇𝑏, 𝑐. 𝑏 + 𝑐, 𝜘 𝐬 = 0

! (𝑢0 ← 𝜅 𝜘 ; Evaluates to 0; emits trails ti and 𝛄 _ ← 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6; Emits trail 𝛄 3 times 𝑢1 ← 𝜅(𝜘); Evaluates to 5, emits trails ti and 𝛄 𝑢1 − 𝑢0) Evaluates to 5

 Auditing is performed by an inspection operator

!𝑟 ℱ 𝜅(𝜘) → !𝑟 ℱ 𝐮𝐣 ⊳ 𝑟𝜘

 Trail inspection reifies the computation history of the audited

unit currently being executed

 It allows us to analyse the history by primitive recursion  Example: 𝜘 𝛄 = 𝜘 𝐮𝐣 = 1, 𝜘 𝐮 = 𝜘 𝐛𝐪𝐪 = 𝜇𝑏, 𝑐. 𝑏 + 𝑐, 𝜘 𝐬 = 0

! (𝑢0 ← 𝜅 𝜘 ; Evaluates to 0; emits trails ti and 𝛄 _ ← 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6; Emits trail 𝛄 3 times 𝑢1 ← 𝜅(𝜘); Evaluates to 5, emits trails ti and 𝛄 𝑢1 − 𝑢0) Evaluates to 5

 Auditing is performed by an inspection operator

!𝑟 ℱ 𝜅(𝜘) → !𝑟 ℱ 𝐮𝐣 ⊳ 𝑟𝜘

 Trail inspection reifies the computation history of the audited

unit currently being executed

 It allows us to analyse the history by primitive recursion  Example: 𝜘 𝛄 = 𝜘 𝐮𝐣 = 1, 𝜘 𝐮 = 𝜘 𝐛𝐪𝐪 = 𝜇𝑏, 𝑐. 𝑏 + 𝑐, 𝜘 𝐬 = 0

! (𝑢0 ← 𝜅 𝜘 ; Evaluates to 0; emits trails ti and 𝛄 _ ← 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6; Emits trail 𝛄 3 times 𝑢1 ← 𝜅(𝜘); Evaluates to 5, emits trails ti and 𝛄 𝑢1 − 𝑢0) Evaluates to 5

 Auditing is performed by an inspection operator

!𝑟 ℱ 𝜅(𝜘) → !𝑟 ℱ 𝐮𝐣 ⊳ 𝑟𝜘

 Trail inspection reifies the computation history of the audited

unit currently being executed

 It allows us to analyse the history by primitive recursion  Example: 𝜘 𝛄 = 𝜘 𝐮𝐣 = 1, 𝜘 𝐮 = 𝜘 𝐛𝐪𝐪 = 𝜇𝑏, 𝑐. 𝑏 + 𝑐, 𝜘 𝐬 = 0

! (𝑢0 ← 𝜅 𝜘 ; Evaluates to 0; emits trails ti and 𝛄 _ ← 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6; Emits trail 𝛄 3 times 𝑢1 ← 𝜅(𝜘); Evaluates to 5, emits trails ti and 𝛄 𝑢1 − 𝑢0) Evaluates to 5

 Auditing is performed by an inspection operator

!𝑟 ℱ 𝜅(𝜘) → !𝑟 ℱ 𝐮𝐣 ⊳ 𝑟𝜘

 Trail inspection reifies the computation history of the audited

unit currently being executed

 It allows us to analyse the history by primitive recursion  Example: 𝜘 𝛄 = 𝜘 𝐮𝐣 = 1, 𝜘 𝐮 = 𝜘 𝐛𝐪𝐪 = 𝜇𝑏, 𝑐. 𝑏 + 𝑐, 𝜘 𝐬 = 0

! (𝑢0 ← 𝜅 𝜘 ; Evaluates to 0; emits trails ti and 𝛄 _ ← 𝜇𝑏, 𝑐. 𝑏, 𝑐 2 6; Emits trail 𝛄 3 times 𝑢1 ← 𝜅(𝜘); Evaluates to 5, emits trails ti and 𝛄 𝑢1 − 𝑢0) Evaluates to 5

 The lambda calculus is defined using eager substitution,

but functional languages are not implemented that way

 Adapt SECD machine to CAU

!𝑟 ℱ 𝑁 → !𝑟ℱ 𝑟′ ⊳ 𝑂 ↠ !𝐮(𝑟,𝒭 𝑟′ ) ℱ 𝑂

 The main problem with trails is the non-local effect of

reduction

 Why do we need to move the trail to the log, anyway?

Let’s not do it!

 Can we postpone the operation indefinitely, until we

evaluate a trail inspection that asks to read the log?

 The lambda calculus is defined using eager substitution,

but functional languages are not implemented that way

 Adapt SECD machine to CAU

!𝑟 ℱ 𝑁 → !𝑟ℱ 𝑟′ ⊳ 𝑂 ↠ !𝐮(𝑟,𝒭 𝑟′ ) ℱ 𝑂

 The main problem with trails is the non-local effect of

reduction

 Why do we need to move the trail to the log, anyway?

Let’s not do it!

 Can we postpone the operation indefinitely, until we

evaluate a trail inspection that asks to read the log?

𝜇𝑦. 𝑁 𝑦 𝑦 (𝑟 ⊳ 𝑂)

𝜇𝑦. 𝑁 𝑦 𝑦 (𝑟 ⊳ 𝑂) 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝜇𝑦. 𝑁 𝑦 𝑦 𝑂

𝜇𝑦. 𝑁 𝑦 𝑦 (𝑟 ⊳ 𝑂) 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝜇𝑦. 𝑁 𝑦 𝑦 𝑂 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝛄 ⊳ 𝑁 𝑂 𝑂

𝜇𝑦. 𝑁 𝑦 𝑦 (𝑟 ⊳ 𝑂) 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝜇𝑦. 𝑁 𝑦 𝑦 𝑂 𝐮 𝐛𝐪𝐪 𝐬, 𝑟 , 𝛄 ⊳ 𝑁 𝑂 𝑂 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝛄 ⊳ 𝑁 𝑂 𝑂

𝛄 ⊳ 𝑁 𝑟 ⊳ 𝑂 (𝑟 ⊳ 𝑂) 𝜇𝑦. 𝑁 𝑦 𝑦 (𝑟 ⊳ 𝑂) 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝜇𝑦. 𝑁 𝑦 𝑦 𝑂 𝐮 𝐛𝐪𝐪 𝐬, 𝑟 , 𝛄 ⊳ 𝑁 𝑂 𝑂 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝛄 ⊳ 𝑁 𝑂 𝑂

𝛄 ⊳ 𝑁 𝑟 ⊳ 𝑂 (𝑟 ⊳ 𝑂) 𝜇𝑦. 𝑁 𝑦 𝑦 (𝑟 ⊳ 𝑂) 𝐮(𝛄, 𝐛𝐪𝐪 𝐛𝐪𝐪 𝐬, 𝑟 , 𝑟 ) ⊳ 𝑁 𝑂 𝑂 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝜇𝑦. 𝑁 𝑦 𝑦 𝑂 𝐮 𝐛𝐪𝐪 𝐬, 𝑟 , 𝛄 ⊳ 𝑁 𝑂 𝑂 𝐛𝐪𝐪 𝐬, 𝑟 ⊳ 𝛄 ⊳ 𝑁 𝑂 𝑂

 Contribution: CAU𝜏

− with explicit substitutions and explicit

trail projections 𝑁 ∷= ⋯ 𝑁 𝑡 𝑁 𝑟 ∷= ⋯ | 𝑁

 Refined, time-honouring computation rules  Trail-normalisation in micro-steps  Computation can happen on denormalised terms

Theorem:

1)

If 𝑁

𝐷𝐵𝑉−

𝑂 then 𝑁

𝐷𝐵𝑉𝜏

−

𝑂

2)

If 𝑁

𝐷𝐵𝑉𝜏

−

𝑂 then σ𝜐(𝑁)

𝐷𝐵𝑉−

σ𝜐(𝑂)

 Contribution: CAU𝜏

− with explicit substitutions and explicit

trail projections 𝑁 ∷= ⋯ 𝑁 𝑡 𝑁 𝑟 ∷= ⋯ | 𝑁

 Refined, time-honouring computation rules  Trail-normalisation in micro-steps  Computation can happen on denormalised terms

Theorem:

1)

If 𝑁

𝐷𝐵𝑉−

𝑂 then 𝑁

𝐷𝐵𝑉𝜏

−

𝑂

2)

If 𝑁

𝐷𝐵𝑉𝜏

−

𝑂 then σ𝜐(𝑁)

𝐷𝐵𝑉−

σ𝜐(𝑂)

 Contribution: CAU𝜏

− with explicit substitutions and explicit

trail projections 𝑁 ∷= ⋯ 𝑁 𝑡 𝑁 𝑟 ∷= ⋯ | 𝑁

 Refined, time-honouring computation rules  Trail-normalisation in micro-steps  Computation can happen on denormalised terms

Theorem:

1)

If 𝑁

𝐷𝐵𝑉−

𝑂 then 𝑁

𝐷𝐵𝑉𝜏

−

𝑂

2)

If 𝑁

𝐷𝐵𝑉𝜏

−

𝑂 then σ𝜐(𝑁)

𝐷𝐵𝑉−

σ𝜐(𝑂)

𝜇𝑦. 𝑁 𝑂 → 𝛾 ⊳ 𝑁 ൗ 𝑂 𝑦

 The usual definition of reduction (computation) is

anachronistic when applied to terms annotated with trails

 These terms have a non-null history which is incorrectly logged

as a future event

 CAU𝜏

− has a time-honouring reduction which is sound

even when applied to terms with a past history 𝜇𝑦. 𝑁 𝑂 → 𝐮(𝐛𝐪𝐪 𝐦𝐛𝐧 𝑁 , 𝑂 , 𝛄) ⊳ 𝑁 ൗ 𝑂 𝑦

𝜇𝑦. 𝑁 𝑂 → 𝛾 ⊳ 𝑁 ൗ 𝑂 𝑦

 The usual definition of reduction (computation) is

anachronistic when applied to terms annotated with trails

 These terms have a non-null history which is incorrectly logged

as a future event

 CAU𝜏

− has a time-honouring reduction which is sound

even when applied to terms with a past history 𝜇𝑦. 𝑁 𝑂 → 𝐮(𝐛𝐪𝐪 𝐦𝐛𝐧 𝑁 , 𝑂 , 𝛄) ⊳ 𝑁 ൗ 𝑂 𝑦

 Tuple under evaluation: τ ∷=

𝑟 ഥ 𝑁 𝑓 ≡ 𝑟 ⊳ ഥ 𝑁 𝑓

 Values: 𝑊 ∷= 𝑟 ⊳ !𝑟1 … !𝑟𝑜 (𝜇 ഥ

𝑁) 𝑓

 State: 𝜌, 𝐸 where 𝜌 ∷= Ԧ

𝜐, 𝐸 ∷= 𝑊 Theorem: If (𝜌, 𝐸) ↣ 𝜌′, 𝐸′ , then 𝜌, 𝐸 CAU𝜏

−

𝜌′, 𝐸′

 Tuple under evaluation: τ ∷=

𝑟 ഥ 𝑁 𝑓 ≡ 𝑟 ⊳ ഥ 𝑁 𝑓

 Values: 𝑊 ∷= 𝑟 ⊳ !𝑟1 … !𝑟𝑜 (𝜇 ഥ

𝑁) 𝑓

 State: 𝜌, 𝐸 where 𝜌 ∷= Ԧ

𝜐, 𝐸 ∷= 𝑊 Theorem: If (𝜌, 𝐸) ↣ 𝜌′, 𝐸′ , then 𝜌, 𝐸 CAU𝜏

−

𝜌′, 𝐸′

𝑟 ഥ 𝑁 ഥ 𝑂 𝑓 ∷ 𝜌, 𝐸 ↣ 𝐬 ഥ 𝑁 𝑓 ∷ 𝐬 ഥ 𝑂 𝑓 ∷ 𝑟|@|𝑓 ∷ 𝜌, 𝐸 ℰ[𝑟 ⊳ ഥ 𝑁 ഥ 𝑂 𝑓 ] CAU𝜏

−

ℰ[𝑟 ⊳ 𝐬 ⊳ ഥ 𝑁 𝑓 𝐬 ⊳ ഥ 𝑂 𝑓 ]

 Tuple under evaluation: τ ∷=

𝑟 ഥ 𝑁 𝑓 ≡ 𝑟 ⊳ ഥ 𝑁 𝑓

 Values: 𝑊 ∷= 𝑟 ⊳ !𝑟1 … !𝑟𝑜 (𝜇 ഥ

𝑁) 𝑓

 State: 𝜌, 𝐸 where 𝜌 ∷= Ԧ

𝜐, 𝐸 ∷= 𝑊 Theorem: If (𝜌, 𝐸) ↣ 𝜌′, 𝐸′ , then 𝜌, 𝐸 CAU𝜏

−

𝜌′, 𝐸′

𝑟 𝜇 ഥ 𝑁 𝑓 ∷ 𝜌, 𝐸 ↣ 𝜌, 𝑟 ⊳ (𝜇 ഥ 𝑁) 𝑓 ∷ 𝐸 ℰ[𝑟 ⊳ (𝜇 ഥ 𝑁) 𝑓 ] CAU𝜏

−

ℰ[𝑟 ⊳ (𝜇 ഥ 𝑁) 𝑓 ]

 Tuple under evaluation: τ ∷=

𝑟 ഥ 𝑁 𝑓 ≡ 𝑟 ⊳ ഥ 𝑁 𝑓

 Values: 𝑊 ∷= 𝑟 ⊳ !𝑟1 … !𝑟𝑜 (𝜇 ഥ

𝑁) 𝑓

 State: 𝜌, 𝐸 where 𝜌 ∷= Ԧ

𝜐, 𝐸 ∷= 𝑊 Theorem: If (𝜌, 𝐸) ↣ 𝜌′, 𝐸′ , then 𝜌, 𝐸 CAU𝜏

−

𝜌′, 𝐸′

 Tuple under evaluation: τ ∷=

𝑟 ഥ 𝑁 𝑓 ≡ 𝑟 ⊳ ഥ 𝑁 𝑓

 Values: 𝑊 ∷= 𝑟 ⊳ !𝑟1 … !𝑟𝑜 (𝜇 ഥ

𝑁) 𝑓

 State: 𝜌, 𝐸 where 𝜌 ∷= Ԧ

𝜐, 𝐸 ∷= 𝑊 Theorem: If (𝜌, 𝐸) ↣ 𝜌′, 𝐸′ , then 𝜌, 𝐸 CAU𝜏

−

𝜌′, 𝐸′

𝑟 @ 𝑓 ∷ 𝜌, 𝑟′ ⊳ 𝐷 ∷ 𝑟′′ ⊳ 𝜇 ഥ 𝑁 𝑓 ∷ 𝐸 ↣ 𝑟; 𝐛𝐪𝐪 𝑟′′, 𝑟′ ; 𝛄 ഥ 𝑁 (𝐬 ⊳ 𝐷) ∙ 𝑓 ∷ 𝜌, 𝐸 ℰ[𝑟 ⊳ ( 𝑟′′ ⊳ 𝜇 ഥ 𝑁 𝑓 𝑟′ ⊳ 𝐷 ] CAU𝜏

−

ℰ[𝑟; 𝐛𝐪𝐪 𝑟′′, 𝑟′ ; 𝛄 ⊳ ഥ 𝑁[(𝐬 ⊳ 𝐷) ∙ 𝑓] ]

 Tuple under evaluation: τ ∷=

𝑟 ഥ 𝑁 𝑓 ≡ 𝑟 ⊳ ഥ 𝑁 𝑓

 Values: 𝑊 ∷= 𝑟 ⊳ !𝑟1 … !𝑟𝑜 (𝜇 ഥ

𝑁) 𝑓

 State: 𝜌, 𝐸 where 𝜌 ∷= Ԧ

𝜐, 𝐸 ∷= 𝑊 Theorem: If (𝜌, 𝐸) ↣ 𝜌′, 𝐸′ , then 𝜌, 𝐸 CAU𝜏

−

𝜌′, 𝐸′

 CAU𝜏

−: CAU with ES and deferrable trail normalisation

 Explicit trail projections  Time-honouring reduction  Correctly refines CAU

 A weak CBV abstract machine

 All rules O(1) except trail inspection  Proved correct wrt CAU𝜏

−

 Future work: application to the Provenance Inspection

Calculus