Proof-oriented Programming in F* - PowerPoint Presentation

1. Proof-oriented Programming in F*How to customize F* to your own program logicAseem RastogiMicrosoft Research(Joint work with my collaborators: https://project-everest.github.io/people/)

2. Talk outlineF* overviewIntroduction to F* by examplesIndexed effects in F* (a.k.a. customize F* for your own program logic)

3. What is F*https://www.fstar-lang.orgA functional programming languageLike OCaml, F#, HaskellF* programs can be compiled to OCaml and F# by-default*Expressive type system based on dependent type theory (like proof assistants Coq, Lean, Agda, Idris, …)SMT-based semi-automation(like program verifiers Dafny, Why3, …)Meta-programming and tactics for interactive proofs(like Coq, Lean, Isabelle, …)

4. A first exampletype list (a:Type) = | Nil : list a | Cons : a -> list a -> list a//[1; 2]Cons 1 (Cons 2 Nil)let rec length (l:list a) = match l with | [] -> 0 | _::tl -> 1 + length tl//append [1] [2] = [1; 2]let rec append (l1 l2:list a) = …let rec length_append (l1 l2:list a) : Lemma (ensures length (append l1 l2) = length l1 + length l2) = match l1 with | [] -> () | _::tl -> length_append tl l2

5. Behind the scenes 

6. F* LandscapeEmbeddeddomain-specificlanguagesInterfacingwith existing toolchainsLogical foundationsof programsand proofsX86 AssemblyValeVerifiedassembly codeLow*Verified C programsVerified parser generatorSteelConcurrency and distribution with separation logicCWebAssemblyOCaml, F#, …… Rust?

7. F* and friendsEverParseHACL*ValeEverCryptQUICVeritasmitls …More than 600,000 lines of F*Under Continuous IntegrationBuilt several times a day

8. Proofs for Billions of Unsuspecting UsersSecure communicationsHigh-value domains:Fintech, verifiable computing, …Cloud infrastructureVeritasWysteriaAutomated parsing untrusted data with proofs in Hyper-V/VMSwitchVerified cryptography in the Linux kernelQuic transport, MSQuic in Windows, Verified crypto in Firefox, mbedTLS,Signal in Wasm, Wireguard, … Verified Merkle trees for Enterprise blockchainsDICEAn upcoming TCG standard for boot firmware (e.g. in IoT)

9. Basic types, functions as first-class values, lambdastype empty =type unit = ()type bool = true | falselet incr (x:int) : int = x + 1let apply_twice (f:a -> a) (x:a) = f (f x)let add_2 (x:int) : int = apply_twice incr xlet add_4 (x:int) : int = apply_twice (fun x -> x + 2) x //lambdas

10. Inductive types, pattern matching, recursiontype list (a:Type) = | Nil : list a | Cons : a -> list a -> list a//[1; 2]Cons 1 (Cons 2 Nil)let rec map (f:a -> b) (l:list a) : list b = match l with | [] -> [] | hd::tl -> f hd :: map f tl

11. Semantic termination checkinglet rec map (f:a -> b) (l:list a) : list b = match l with | [] -> [] | hd::tl -> f hd :: map f tlSemantic termination checkingBased on well-founded ordering ( << )a:nat << b:nat if a < bInductive subterm orderinghd << Cons hd tl and tl << Cons hd tlUser-defined well-founded relationsPrimitive support for lexicographic orderinglet rec ackermann (m n : nat) : nat (decreases %[m;n]) = if m=0 then n+1 else if n=0 then ackermann (m-1) 1 else ackermann (m-1) (ackermann m (n-1))

12. Refinement typestype nat = x:int{x >= 0}type pos = x:int{x > 0}type monotonic = f:int -> int{ forall x y. (x <= y) => (f x <= f y)}//coercivelet f (x:int) : nat = if x >= 0 then x else 0x:t{phi}where x may occur free in phiIntuition: values of type t that satisfy phi

13. Dependent function typeslet incr (x:int) : y:int{y > x} = x + 1let rec sum (x:nat) : y:nat{y >= x} = if x = 0 then 0 else x + sum (x-1)//writing specifications using dependent typeslet rec length_append (l1 l2:list a) : Lemma (ensures length (append l1 l2) = length l1 + length l2) = match l1 with | [] -> () | _::tl -> length_append tl l2

14. Proofs by Induction//writing specifications using dependent typeslet rec length_append (l1 l2:list a) : Lemma (ensures length (append l1 l2) = length l1 + length l2) = match l1 with | [] -> () | _::tl -> length_append tl l2 //invoke Induction HypothesisProof by induction on list l1:Base case, l1 = [] L.H.S. = length (append [] l2) = length l2 R.H.S. = length [] + length l2 = length l2Inductive case: l1 = hd::tl Induction Hypothesis: length (append tl l2) = length tl + length l2 L.H.S. = length (append hd::tl l2) = length (hd::append tl l2) = 1+length (append tl l2) //apply I.H. at this step = 1+length tl+length l2 = length l1+length l2 = R.H.S.

15. Effectful programming and provingSo far, we have seen side-effects free, terminating functions of type a -> bWhat about programming and proving with effects?State, exception, I/O, non-determinism, …Indexed effects: a user-extensible effect system in F*Based on modeling effects using monads (Wadler, Moggi, …)

16. Computation typesIn general functions have types: x:a -> M b isType (M b is) is called a computation typeM is an effect label, upper-bound on the effect of the functionEffects are arranged in an orderingis are the effect indices, may encode effect-specific program logic

17. Primitive effects Pure and DivPure a pre post where pre : prop and post : a -> prop A side-effect free computation that if called when pre holds, terminates, and returns a result of type a s.t. post a holdsDiv a pre post Similar, but the computation may divergeTot a =def= Pure a True (fun _ -> True)a -> b =def= a -> Tot ba -> Lemma pre post =def= a -> Pure unit pre (fun _ -> post)

18. Modeling effects using monadsChoose a representation for effectful functionsDefine two combinators that obey monadic laws:return : turn a pure value into an effectful computationbind : compose two effectful computationsDefine basic actionstype st (a:Type) = int -> a * intlet return (x:a) = fun s -> s, xlet bind (f:st a) (g:a -> st b) : st b = fun s0 -> let s1, x = f s0 in (g x) s1let get () : st int = fun s -> s, slet put (s:int) : st unit = fun _ -> (), s

19. Programming with monadstype st (a:Type) = int -> a * intlet return (x:a) = fun s -> s, xlet bind (f:st a) (g:a -> st b) : st b = fun s0 -> let s1, x = f s0 in (g x) s1let get () : st int = fun s -> s, slet put (s:int) : st unit = fun _ -> (), slet incr () : st int = bind (get ()) (fun s -> bind (put (s+1)) (fun _ -> return s)))//with shorthandlet incr () : st int = s <- get (); put (s+1);; return s

20. Proving with monadstype st (a:Type) is = ...Indexed monads : indices encode reasoning principlesSeveral of them in the literature (graded monads, parameterized monads, …)Indexed effects in F* : A unifying framework for programming and proving with indexed monads and combinations thereofExample: Reasoning for stateful computations

21. ExamplesFStar/Sec1.GST.fst at master · FStarLang/FStar (github.com)FStar/HoareST.fst at master · FStarLang/FStar (github.com)FStar/examples/layeredeffects at master · FStarLang/FStar (github.com)

22. Indexed effectsIndexed effects in F* : A unifying framework for programming and proving with indexed monads and combinations thereofAbstractionComposition (via lifts and layering)Primitive syntax (let … in)Seamless integration with rest of F*Inductive types, recursion, termination checking, refinement types, … for free!Customize F* to your own program logic!

23. Indexed effects in actionhttps://www.fstar-lang.org/papers/indexedeffects/Steel, embedding of Concurrent Separation Logic in F*, based on indexed effectsThe indices are separation logic pre- and post assertionsA variant has two additional indices for Hoare-style pre- and postDescribed in our ICFP’20 and ICFP’21 papersMeta-programming and tactics framework in F*Meta-programs are F* programs in the TAC indexed effectSee ulib/FStar.Tactics.Effect.fstiDY*: Bhargavan et al., Euro S&P’21, based on a state and exception indexed effecthttps://github.com/reprosec/dolev-yao-star