Proof Planning in Logical Frameworks Carsten Schürmann Yale University September 2002



2

Motivating questions

Is the number of CERT advisories increasing or decreasing?

Who can vouch for the correctness of the BLUETOOTH protocol?

Will we ever vote electronically?

Is the complexity of network protocols increasing or decreasing?

3

Safety Architectures

Examples: Authentication, Network routing, E-voting, Mobile Code

Requirements: Flexible design, Extensibility, Trust

4

Type System (toy)

5

Type System (real)

6

Programming Languages

[Diagram: Source → Compiler → Binary plus Safety Proof; a Proof Checker checks the Safety Proof against the Safety Proof Language; the Proof Checker and the Safety Proof Language form the Trusted Computing Base]

7

Complexity

Safety proof languages:
- PCC: 129 rules [Necula, Lee 97]
- FPCC: several hundred rules [Appel, Felty 01]
- FLINT: ?? rules [Zhao et al. 02]

Typed Assembly Language, type theory: 31 rules [Morrisett, Crary … 98]

Proof Checker: approx. 4000 lines

Bluetooth protocol, "type system": 1000 pages of prose

8

We need tools to …

… control the inherent complexity

- design safety architectures
- reason about our designs
- automate the reasoning processes involved
- program with our designs

9

Dimension 1: Design

Logical Frameworks encode:
- Safety Proof Languages
- Type Systems
- Security Protocols

Benefit: Storing, Shipping, Checking

[Diagram: several safety architectures (Binary with Safety Proof, checked by a Proof Checker against a Safety Proof Language), all built on one shared Logical Framework]

10

Dimension 1: Design

Safety Proof Languages:
- Higher-order logic
- Temporal Logic
- Modal Logic
- Linear Logic
- Coq Logic
- Type Systems

11

Dimension 2: Reasoning

Meta logical framework:
- Consistency
- Completeness
- Type Safety
- Freedom from attacks

Benefit: Trusting, Verifying

- Is the safety proof language consistent?
- Can an intruder steal keys?
- Can somebody steal an e-vote?

12

Dimension 2: Reasoning

Is the Safety Proof Language Consistent?

[Diagram: safety architecture (Binary with Safety Proof, checked by a Proof Checker against the Safety Proof Language) built on a Logical Framework, with a Meta Logical Framework layered on top]

13

Dimension 3: Automation

Proof planning [CS, Autexier]:
- Push button technology
- Ease of use
- Failure interpretation

Benefit: Level of abstraction, Interactive design cycle, Quick response

(A Proof Planner is added to the architecture.)

14

Dimension 3: Automation

Is the Safety Proof Language Consistent?

[Diagram: safety architecture (Binary with Safety Proof, checked by a Proof Checker against the Safety Proof Language) built on a Logical Framework, with a Meta Logical Framework on top and a Proof Planner driving it]

15

Dimension 4: Programming

- Delphin [CS, Yu, Poswolsky]
- Compilers [CS, Xi]
- Client-server Architecture
- Theorem Provers for Proof Carrying Authentication

Benefit: Direct manipulation of derivations, Automatic code generation

16

Dimension 4: Programming

Is the Safety Proof Language Consistent?

[Diagram: safety architecture (Binary with Safety Proof, checked by a Proof Checker against the Safety Proof Language) built on a Logical Framework, with a Meta Logical Framework on top, a Proof Planner, and Delphin (functional programming) alongside]

17

Rest of this Talk

Proof Planning in Twelf

Used at Yale, CMU, Princeton, Stanford, Harvard (?)…

18

Overview

Is the Safety Proof Language Consistent?

[Diagram: safety architecture (Binary with Safety Proof, checked by a Proof Checker against the Safety Proof Language) built on a Logical Framework, with a Meta Logical Framework on top and a Proof Planner]

19

Let’s get started

[Diagram: safety architecture (Binary with Safety Proof, checked by a Proof Checker against the Safety Proof Language) built on a Logical Framework]

20

Safety Proof Language

Intuitionistic logic, sequent calculus [Gentzen 35]

Judgment: $\Gamma \vdash A$, with $\Gamma = A_1, \ldots, A_n$

Rules:

$$\frac{}{\Gamma, A \vdash A}\ \mathrm{axiom}
\qquad
\frac{\Gamma, A \vdash B}{\Gamma \vdash A \supset B}\ \mathrm{impr}$$

$$\frac{\Gamma, A \supset B \vdash A \qquad \Gamma, A \supset B, B \vdash C}{\Gamma, A \supset B \vdash C}\ \mathrm{impl}
\qquad
\frac{\Gamma \vdash A \qquad \Gamma, A \vdash C}{\Gamma \vdash C}\ \mathrm{cut}$$

21

Logical framework LF [Harper, Honsell, Plotkin 93]

- Simply typed λ-calculus
- Dependent types

Paradigm:
- Judgments as types (assumptions as contexts)
- Derivations as objects

Representation: a derivation $D$ of $A_1, \ldots, A_n \vdash A$ becomes an LF object of type $\mathsf{conc}\,A$ in a context of hypotheses

$$D :: A_1, \ldots, A_n \vdash A
\quad\longmapsto\quad
u_1 : \mathsf{hyp}\,A_1, \ldots, u_n : \mathsf{hyp}\,A_n \vdash_{LF} D : \mathsf{conc}\,A$$

22

Representation (cont’d)

Inference rules as constants. The slide shows only the four rule constants; the declarations of o, imp, hyp and conc that they depend on are supplied here so the signature is a complete Twelf file:

o : type.
imp : o -> o -> o.  %infix right 10 imp.
hyp : o -> type.
conc : o -> type.
axiom : hyp A -> conc A.
impr : (hyp A -> conc B) -> conc (A imp B).
impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C).
cut : conc A -> (hyp A -> conc C) -> conc C.

Each constant is one rule of the sequent calculus; a hypothesis in $\Gamma$ is an LF variable of type $\mathsf{hyp}\,A$, so the rules that extend $\Gamma$ take a function argument:

$$\frac{}{\Gamma, A \vdash A}\ \mathrm{axiom}
\qquad
\frac{\Gamma, A \vdash B}{\Gamma \vdash A \supset B}\ \mathrm{impr}$$

$$\frac{\Gamma, A \supset B \vdash A \qquad \Gamma, A \supset B, B \vdash C}{\Gamma, A \supset B \vdash C}\ \mathrm{impl}
\qquad
\frac{\Gamma \vdash A \qquad \Gamma, A \vdash C}{\Gamma \vdash C}\ \mathrm{cut}$$

23

Representation (cont'd)

Reasoning about the real world is as good as the encoding is.

The encoding must be adequate: a 1-to-1 correspondence between derivations in the Logic and objects in the Logical Framework.

24

Logical Frameworks Research

Focuses on common concepts: Hypotheses, State

Enriches the logical framework: Substitution (beta reduction), Update (resource oriented logics)

'/|

ve

A

25

Logical Frameworks Research

Emphasis 1: Representation
- Extend frameworks conservatively
- Terms are not dead, they live!
- Example: Twelf

Emphasis 2: Reasoning

Examples: Coq, Isabelle, Lego

26

Remarks

Elegance Higher-order representation techniques Dependent types

Benefit for this work: Variables and substitutions come for free!

We can look at the current field of problem solving by computers as a series of ideas about how to present a problem. If a problem can be cast into one of these representations in a natural way, then it is possible to manipulate it and stand some chance of solving it.

[Allen Newell]

27

Overview

Is the Safety Proof Language Consistent?

[Diagram: safety architecture (Binary with Safety Proof, checked by a Proof Checker against the Safety Proof Language) built on a Logical Framework, with a Meta Logical Framework on top]

28

Is the Logic Consistent?

Theorem [Admissibility of cut] [Gentzen 35]: If $D :: \Gamma \vdash A$ and $E :: \Gamma, A \vdash C$ then there is a derivation $F :: \Gamma \vdash C$ that does not use the cut rule.

- Fundamental theorem in logic [Gentzen 35]; consistency of first-order logic follows from it
- Structural proof [Pfenning 95]
- Twelf can prove it automatically

29

Meta Logic $\mathcal{M}_\omega^+$

- First-order logic
- Induction principles for arbitrary higher-order encodings [CS 00, 01]

Theorem [Admissibility] (if $D :: \Gamma \vdash A$ and $E :: \Gamma, A \vdash C$ then $F :: \Gamma \vdash C$) as a formula of $\mathcal{M}_\omega^+$ over the LF encoding:

$$\forall A{:}o.\ \forall C{:}o.\ \forall D{:}\mathsf{conc}\,A.\ \forall E{:}(\mathsf{hyp}\,A \to \mathsf{conc}\,C).\ \exists F{:}\mathsf{conc}\,C.\ \mathit{true}$$
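The two preceding slides fit together as a small program: the hyp/conc signature of slide 22 is a data type, the proof checker (the trusted part of the architecture) is a type checker for that data type, and the admissibility theorem Twelf proves automatically is a structurally recursive function from a derivation with a cut to one without. The Python below is an added illustration, not the slides' Twelf signature and not Twelf's own proof; it uses named hypothesis labels in place of LF's higher-order hypotheses and assumes every label in an input derivation is unique (constructed inputs are inside `demo`). The recursion follows the structural proof of [Pfenning 95]: on the cut formula first, then on the two derivations.

```python
"""Added example (not the slide's Twelf signature, not Twelf's proof): the hyp/conc
encoding as Python data, a checker for derivation terms, and cut admissibility."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Tuple, Union

@dataclass(frozen=True)
class Imp:                   # propositions o ::= atom (a str) | A imp B
    left: Prop
    right: Prop
Prop = Union[str, Imp]
@dataclass(frozen=True)
class Axiom:                 # axiom : hyp A -> conc A
    u: str                   # label of the hypothesis used (LF: the variable u)
@dataclass(frozen=True)
class Impr:                  # impr : (hyp A -> conc B) -> conc (A imp B)
    u: str                   # bound label, u : hyp a
    a: Prop
    body: Deriv              # conc B
@dataclass(frozen=True)
class Impl:                  # impl : conc A -> (hyp B -> conc C) -> (hyp (A imp B) -> conc C)
    w: str                   # label of the hypothesis A imp B
    d1: Deriv                # conc A
    v: str                   # bound label, v : hyp B
    d2: Deriv                # conc C
@dataclass(frozen=True)
class Cut:                   # cut : conc A -> (hyp A -> conc C) -> conc C
    d1: Deriv
    u: str
    d2: Deriv
Deriv = Union[Axiom, Impr, Impl, Cut]
Ctx = Dict[str, Prop]        # ctx[u] == A stands for u : hyp A; labels assumed unique

def check(ctx: Ctx, d: Deriv) -> Prop:
    """The trusted part: return A such that d : conc A in ctx, else raise."""
    if isinstance(d, Axiom):
        return ctx[d.u]
    if isinstance(d, Impr):
        return Imp(d.a, check({**ctx, d.u: d.a}, d.body))
    if isinstance(d, Cut):
        return check({**ctx, d.u: check(ctx, d.d1)}, d.d2)
    ab = ctx[d.w]                                   # d is Impl: w must be some A imp B
    if not isinstance(ab, Imp) or check(ctx, d.d1) != ab.left:
        raise TypeError("impl: premise does not match the hypothesis")
    return check({**ctx, d.v: ab.right}, d.d2)

def rename(d: Deriv, old: str, new: str) -> Deriv:   # d[old := new] on a cut-free d
    if isinstance(d, Axiom):
        return Axiom(new) if d.u == old else d
    if isinstance(d, Impr):
        return Impr(d.u, d.a, rename(d.body, old, new))
    w = new if d.w == old else d.w
    return Impl(w, rename(d.d1, old, new), d.v, rename(d.d2, old, new))

def ca(ctx: Ctx, a: Prop, d: Deriv, u: str, e: Deriv) -> Deriv:
    """Admissibility of cut, structurally (after Pfenning 95): from cut-free d : conc a
    and e : conc c under u : hyp a, build a cut-free conc c.  Induction on a, then (d, e)."""
    assert not isinstance(d, Cut) and not isinstance(e, Cut), "inputs must be cut-free"
    if isinstance(d, Axiom):                        # a is already a hypothesis of ctx
        return rename(e, u, d.u)
    if isinstance(e, Axiom):                        # e uses the cut formula, or ignores it
        return d if e.u == u else e
    if isinstance(d, Impr) and isinstance(e, Impl) and e.w == u:     # essential case
        assert isinstance(a, Imp)
        e1 = ca(ctx, a, d, u, e.d1)                                 # same a, smaller e
        e2 = ca({**ctx, e.v: a.right}, a, d, u, e.d2)               # same a, smaller e
        d_body = ca(ctx, a.left, e1, d.u, d.body)                   # smaller a
        return ca(ctx, a.right, d_body, e.v, e2)                    # smaller a
    if isinstance(d, Impl):                         # left commutative case
        return Impl(d.w, d.d1, d.v, ca({**ctx, d.v: ctx[d.w].right}, a, d.d2, u, e))
    if isinstance(e, Impr):                         # right commutative cases
        return Impr(e.u, e.a, ca({**ctx, e.u: e.a}, a, d, u, e.body))
    b = ctx[e.w].right
    return Impl(e.w, ca(ctx, a, d, u, e.d1), e.v, ca({**ctx, e.v: b}, a, d, u, e.d2))

def eliminate(ctx: Ctx, d: Deriv) -> Deriv:
    """Remove every cut, innermost first; each one is discharged by ca."""
    if isinstance(d, Axiom):
        return d
    if isinstance(d, Impr):
        return Impr(d.u, d.a, eliminate({**ctx, d.u: d.a}, d.body))
    if isinstance(d, Impl):
        return Impl(d.w, eliminate(ctx, d.d1), d.v, eliminate({**ctx, d.v: ctx[d.w].right}, d.d2))
    d1 = eliminate(ctx, d.d1)
    a = check(ctx, d1)
    return ca(ctx, a, d1, d.u, eliminate({**ctx, d.u: a}, d.d2))

def has_cut(d: Deriv) -> bool:
    kids = [] if isinstance(d, Axiom) else [d.body] if isinstance(d, Impr) else [d.d1, d.d2]
    return isinstance(d, Cut) or any(has_cut(k) for k in kids)

def demo() -> Tuple[Deriv, Deriv]:
    """Two constructed inputs.  (1) p : a imp b, q : b imp c, h : a |- c, via a cut on the
    lemma b (commutative cases only).  (2) h : a |- a via a cut on a imp a, introduced by
    impr and used at once by impl (the essential case).  Returns both cut-free results."""
    ctx1: Ctx = {"p": Imp("a", "b"), "q": Imp("b", "c"), "h": "a"}
    lemma = Cut(Impl("p", Axiom("h"), "v", Axiom("v")), "u", Impl("q", Axiom("u"), "w", Axiom("w")))
    ctx2: Ctx = {"h": "a"}
    ident = Cut(Impr("x", "a", Axiom("x")), "u", Impl("u", Axiom("h"), "y", Axiom("y")))
    results = eliminate(ctx1, lemma), eliminate(ctx2, ident)
    for ctx, before, after in ((ctx1, lemma, results[0]), (ctx2, ident, results[1])):
        assert check(ctx, before) == check(ctx, after) and not has_cut(after)   # re-checked
    return results
```

The point of re-running `check` on the output is the one the slides make about the trusted computing base: the cut-elimination procedure (like a compiler or a prover) can be as clever as it likes, because the small checker, not the procedure, is what is trusted. With higher-order hypotheses as in LF, `rename` and the context bookkeeping disappear, since substitution comes with the framework.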

30

Proof Planning

Is the Safety Proof Language Consistent?

[Diagram: safety architecture (Binary with Safety Proof, checked by a Proof Checker against the Safety Proof Language) built on a Logical Framework, with a Meta Logical Framework on top and a Proof Planner]

31

The Situation

What we have: the Logical Framework LF, and proofs by induction

How can we find proofs automatically and quickly?

32

Pruning the Search Space

[Venn diagram: the set of Formulas, divided into Theorems and Non-Theorems]

33

Common Operations

- Splitting (case analysis)
- Recursion (induction hypothesis)
- Filling: constructing safety proofs, resolution based techniques

Example proof state, from the admissibility theorem: $A : o,\ C : o,\ D : \mathsf{conc}\,A,\ E : \mathsf{hyp}\,A \to \mathsf{conc}\,C$, i.e. $D :: \Gamma \vdash A$ and $E :: \Gamma, A \vdash C$, with goal $\Gamma \vdash C$.

34

Profiling reveals

With a naive prototype implementation:

[Bar chart: time spent in Filling, Splitting and Recursion; y-axis "time", ticks 0 to 300]

35

Explanation

Reason 1: Search spaces are enormous
Reason 2: Side effects of failure

36

Possible Tackles

Reason 1: Search spaces are enormous
- Tabled proof search [Pientka '02]
- Outsourcing [Vampire?]

Reason 2: Side effects of failure
- Pruning through proof plans
- Decidable criterion

37

Approximations

Meta Logic theorems are approximated by proof plans, which are framework dependent but problem independent.

[Diagram: Theorem → (abstraction) → Approximated Theorem → (search, by a Theorem Prover) → Plan]

38

Proof Planning Calculus Pw

- First-order logic [CS, Autexier 02]
- Propositions approximate type families
- Natural deduction
- Decidable (because of M2L)

The approximated admissibility theorem in $\mathcal{P}_\omega^+$ (indices kept, dependencies and quantifiers dropped):

$$\vdash \mathsf{conc}\,A \to (\mathsf{hyp}\,A \to \mathsf{conc}\,C) \to \mathsf{conc}\,C$$

abstracts the $\mathcal{M}_\omega^+$ statement

$$\forall A{:}o.\ \forall C{:}o.\ \forall D{:}\mathsf{conc}\,A.\ \forall E{:}(\mathsf{hyp}\,A \to \mathsf{conc}\,C).\ \exists F{:}\mathsf{conc}\,C.\ \mathit{true}$$

39

Central Insight

Exploit the information contained in type indices.

Example: $D : \mathsf{conc}\,A$ and $E : \mathsf{hyp}\,A \to \mathsf{conc}\,B$, approximated as $\mathsf{conc}\,A$ and $\mathsf{hyp}\,A \to \mathsf{conc}\,B$.

"We have an object of type family conc containing information on A."
"We have another object of type family conc containing information on B once we know …"

40

Observation

There is no proof of

$$\vdash \mathsf{conc}\,A \to (\mathsf{hyp}\,A \to \mathsf{conc}\,C) \to \mathsf{conc}\,C$$

But after splitting on (D, E), proof plans exist for each case. Let's try to prove.

SUCCESS!

41

A Few Details

Abstraction is defined as follows:

$$\mathrm{approx}(P) = \mathrm{approx}'(P)$$

$$\mathrm{approx}(\Pi x{:}A.\,B) = \mathrm{approx}(A) \to \forall x.\,\mathrm{approx}(B)$$

An atomic type $P$ (a type family applied to its indices) becomes an atomic proposition over the same indices; a dependent function type becomes an implication whose consequent is universally quantified over the bound variable.

42

Soundness Theorem

If $\Psi \vdash F$ in $\mathcal{M}_\omega^+$ without case rules, and $\mathrm{approx}(\Psi, F) = G$, then $\vdash G$ in $\mathcal{P}_\omega^+$.

Proof: by induction on the derivation of $\Psi \vdash F$.

Benefit: read it backwards! If $G$ has no proof, then $F$ has no proof without case analysis.

43

Summary

Proof planning calculus $\mathcal{P}_\omega^+$:
- Recognizes unpromising states
- Provides proof search guidance
- Gives a logical explanation of proof plans

Failure criterion:
- Inspects a proof state
- Recognizes unpromising ones quickly
- Decidable

44

Summary

Importance: Push button technology; Network/authentication/e-voting protocols

Proof planning system $\mathcal{P}_\omega^+$:
- Works for encodings in LF
- TI-abstraction [Giunchiglia, Walsh 91]

Implementation is underway

45

Our Goal: Tools to …

- design safety architectures
- reason about our designs
- automate the reasoning processes involved
- program with our designs

We are on the way!

46

Future Work

Alternative proof techniques:
- Logical relations [CS, Sarnat]
- Coinduction [CS, Momigliano]

Application domain: Network protocols, E-Voting

Infinite structures:
- Choice sequences vs. co-induction
- Adequate representation of infinite traces

47

Conclusion

For more information about Twelf and Delphin check http://www.twelf.org

48

[Architecture diagram with components: Theorem Prover/Model Checker, Compiler, Server, Client, Authentication Protocols, Safety Proof Language, Source, Model, Safety Proof, Trusted Computing Base]