A relational logic for higher-order programs

Relational program verification is a variant of program verification where one can reason about two programs and as a special case about two executions of a single program on different inputs. Relational program verification can be used for reasoning about a broad range of properties, including equivalence and refinement, and specialized notions such as continuity, information flow security or relative cost. In a higher-order setting, relational program verification can be achieved using relational refinement type systems, a form of refinement types where assertions have a relational interpretation. Relational refinement type systems excel at relating structurally equivalent terms but provide limited support for relating terms with very different structures. We present a logic, called Relational Higher Order Logic (RHOL), for proving relational properties of a simply typed $\lambda$-calculus with inductive types and recursive definitions. RHOL retains the type-directed flavour of relational refinement type systems but achieves greater expressivity through rules which simultaneously reason about the two terms as well as rules which only contemplate one of the two terms. We show that RHOL has strong foundations, by proving an equivalence with higher-order logic (HOL), and leverage this equivalence to derive key meta-theoretical properties: subject reduction, admissibility of a transitivity rule and set-theoretical soundness. Moreover, we define sound embeddings for several existing relational type systems such as relational refinement types and type systems for dependency analysis and relative cost, and we verify examples that were out of reach of prior work.
