Isolation without taxation: near-zero-cost transitions for WebAssembly and SFI

Software sandboxing or software-based fault isolation (SFI) is a lightweight approach to building secure systems out of untrusted components. Mozilla, for example, uses SFI to harden the Firefox browser by sandboxing third-party libraries, and companies like Fastly and Cloudflare use SFI to safely co-locate untrusted tenants on their edge clouds. While there have been significant efforts to optimize and verify SFI enforcement, context switching in SFI systems remains largely unexplored: almost all SFI systems use heavyweight transitions that are not only error-prone but incur significant performance overhead from saving, clearing, and restoring registers when context switching. We identify a set of zero-cost conditions that characterize when sandboxed code has sufficient structured to guarantee security via lightweight zero-cost transitions (simple function calls). We modify the Lucet Wasm compiler and its runtime to use zero-cost transitions, eliminating the undue performance tax on systems that rely on Lucet for sandboxing (e.g., we speed up image and font rendering in Firefox by up to 29.7% and 10% respectively). To remove the Lucet compiler and its correct implementation of the Wasm specification from the trusted computing base, we (1) develop a static binary verifier , VeriZero, which (in seconds) checks that binaries produced by Lucet satisfy our zero-cost conditions, and (2) prove the soundness of VeriZero by developing a logical relation that captures when a compiled Wasm function is semantically well-behaved with respect to our zero-cost conditions. Finally, we show that our model is useful beyond Wasm by describing a new, purpose-built SFI system, SegmentZero32, that uses x86 segmentation and LLVM with mostly off-the-shelf passes to enforce our zero-cost conditions; our prototype performs on-par with the state-of-the-art Native Client SFI system.

Observational equality: now for good

Building on the recent extension of dependent type theory with a universe of definitionally proof-irrelevant types, we introduce TTobs, a new type theory based on the setoidal interpretation of dependent type theory. TTobs equips every type with an identity relation that satisfies function extensionality, propositional extensionality, and definitional uniqueness of identity proofs (UIP). Compared to other existing proposals to enrich dependent type theory with these principles, our theory features a notion of reduction that is normalizing and provides an algorithmic canonicity result, which we formally prove in Agda using the logical relation framework of Abel et al. Our paper thoroughly develops the meta-theoretical properties of TTobs, such as the decidability of the conversion and of the type checking, as well as consistency. We also explain how to extend our theory with quotient types, and we introduce a setoidal version of Swan's Id types that turn it into a proper extension of MLTT with inductive equality.

Logical Relations as Types: Proof-Relevant Parametricity for Program Modules

The theory of program modules is of interest to language designers not only for its practical importance to programming, but also because it lies at the nexus of three fundamental concerns in language design: the phase distinction , computational effects , and type abstraction . We contribute a fresh “synthetic” take on program modules that treats modules as the fundamental constructs, in which the usual suspects of prior module calculi (kinds, constructors, dynamic programs) are rendered as derived notions in terms of a modal type-theoretic account of the phase distinction. We simplify the account of type abstraction (embodied in the generativity of module functors) through a lax modality that encapsulates computational effects, placing projectibility of module expressions on a type-theoretic basis. Our main result is a (significant) proof-relevant and phase-sensitive generalization of the Reynolds abstraction theorem for a calculus of program modules, based on a new kind of logical relation called a parametricity structure . Parametricity structures generalize the proof-irrelevant relations of classical parametricity to proof- relevant families, where there may be non-trivial evidence witnessing the relatedness of two programs—simplifying the metatheory of strong sums over the collection of types, for although there can be no “relation classifying relations,” one easily accommodates a “family classifying small families.” Using the insight that logical relations/parametricity is itself a form of phase distinction between the syntactic and the semantic, we contribute a new synthetic approach to phase separated parametricity based on the slogan logical relations as types , by iterating our modal account of the phase distinction. We axiomatize a dependent type theory of parametricity structures using two pairs of complementary modalities (syntactic, semantic) and (static, dynamic), substantiated using the topos theoretic Artin gluing construction. Then, to construct a simulation between two implementations of an abstract type, one simply programs a third implementation whose type component carries the representation invariant.

Anachronisms in Charles Dickens’s ‘Great Expectations’: A Case Study Based on Gerard Genette’s Structural Narratology: الإيقاع الزمني في رواية تشارلز ديكنز "آمال عظيمة" دراسة حالة في ضوء تقنيات السرد البنائي عند جيرارد جينيت

This paper deals with the narrative order of time in Charles Dickens’s novel Great Expectations. Time is crucial in narratological structure as it establishes a logical relation for events in the narrative. Besides, a narrative develops its point of view through the voices in the narrative. This point of view is called focalization. This paper assumes that the sequence of events in Dickens’s Great Expectations does not follow a linear order and consequently, the point of focalization changes throughout the narrative. Accordingly, the current paper intends to investigate the order of narration in the novel. It intends to explore the ultimate thematic concern of the novel as well. The discussion will be in the light of Gerard Genette’s narratological structure and will be applied on Dickens’s Great Expectations. It is the 13th novel in his independent literary works. It has been published unillustrated in 36 weekly instalments in All the Year Round from 1860 through 1861. Then, it has been published in three volumes by Chapman & Hall in1861. The narrative voice has a great impact on the story’s timeline and on the readers because it is narrated in the first-person voice by the protagonist, Philip Pirrip. (Davis, 2007: P 126) The analysis is based on Genette’s theorization of time order in telling a story and communicating a broader point of view that the author intends to make throughout the whole narrative structure.

Emerging Status of Multidrug-Resistant Bacteria and Fungi in the Arabian Peninsula

We aimed to identify the prevalence and emerging status of multidrug-resistant bacteria and fungi and their associated mortality in nine countries in the Arabian Peninsula. Original research articles and case studies regarding multidrug-resistant bacteria and fungi in the Arabian Peninsula, published during the last 10 years, were retrieved from PubMed and Scopus. A total of 382 studies were included as per the inclusion and exclusion criteria, as well as the PRISMA guidelines, from a thorough screening of 1705 articles, in order to analyse the emerging status and mortality. The emerging nature of >120 multidrug-resistant (MDR) bacteria and fungi in the Arabian Peninsula is a serious concern that requires continuous monitoring and immediate preventive measures. More than 50% (n = 453) of multidrug-resistant, microbe-associated mortality (n = 871) in the Arabian Peninsula was due to MDR Acinetobacter baumannii, Mycobacterium tuberculosis and Staphylococcus aureus infection. Overall, a 16.51% mortality was reported among MDR-infected patients in the Arabian Peninsula from the 382 articles of this registered systematic review. MDR A. baumannii (5600 isolates) prevailed in all the nine countries of the Arabian Peninsula and was one of the fastest emerging MDR bacteria with the highest mortality (n = 210). A total of 13087 Mycobacterium tuberculosis isolates were reported in the region. Candida auris (580 strains) is the most prevalent among the MDR fungal pathogen in the Arabian Peninsula, having caused 54 mortalities. Active surveillance, constant monitoring, the development of a candidate vaccine, an early diagnosis of MDR infection, the elimination of multidrug resistance modulators and uninterrupted preventive measures with enhanced data sharing are mandatory to control MDR infection and associated diseases of the Arabian Peninsula. Accurate and rapid detection methods are needed to differentiate MDR strain from other strains of the species. This review summarises the logical relation, prevalence, emerging status and associated mortality of MDR microbes in the Arabian Peninsula.

Compiling with continuations, correctly

In this paper we present a novel simulation relation for proving correctness of program transformations that combines syntactic simulations and logical relations. In particular, we establish a new kind of simulation diagram that uses a small-step or big-step semantics in the source language and an untyped, step-indexed logical relation in the target language. Our technique provides a practical solution for proving semantics preservation for transformations that do not preserve reductions in the source language. This is common when transformations generate new binder names, and hence α-conversion must be explicitly accounted for, or when transformations introduce administrative redexes. Our technique does not require reductions in the source language to correspond directly to reductions in the target language. Instead, we enforce a weaker notion of semantic preorder, which suffices to show that semantics are preserved for both whole-program and separate compilation. Because our logical relation is transitive, we can transition between intermediate program states in a small-step fashion and hence the shape of the proof resembles that of a simple small-step simulation. We use this technique to revisit the semantic correctness of a continuation-passing style (CPS) transformation and we demonstrate how it allows us to overcome well-known complications of this proof related to α-conversion and administrative reductions. In addition, by using a logical relation that is indexed by invariants that relate the resource consumption of two programs, we are able show that the transformation preserves diverging behaviors and that our CPS transformation asymptotically preserves the running time of the source program. Our results are formalized in the Coq proof assistant. Our continuation-passing style transformation is part of the CertiCoq compiler for Gallina, the specification language of Coq.

Compositional optimizations for CertiCoq

Compositional compiler verification is a difficult problem that focuses on separate compilation of program components with possibly different verified compilers. Logical relations are widely used in proving correctness of program transformations in higher-order languages; however, they do not scale to compositional verification of multi-pass compilers due to their lack of transitivity. The only known technique to apply to compositional verification of multi-pass compilers for higher-order languages is parametric inter-language simulations (PILS), which is however significantly more complicated than traditional proof techniques for compiler correctness. In this paper, we present a novel verification framework for lightweight compositional compiler correctness . We demonstrate that by imposing the additional restriction that program components are compiled by pipelines that go through the same sequence of intermediate representations , logical relation proofs can be transitively composed in order to derive an end-to-end compositional specification for multi-pass compiler pipelines. Unlike traditional logical-relation frameworks, our framework supports divergence preservation—even when transformations reduce the number of program steps. We achieve this by parameterizing our logical relations with a pair of relational invariants . We apply this technique to verify a multi-pass, optimizing middle-end pipeline for CertiCoq, a compiler from Gallina (Coq’s specification language) to C. The pipeline optimizes and closure-converts an untyped functional intermediate language (ANF or CPS) to a subset of that language without nested functions, which can be easily code-generated to low-level languages. Notably, our pipeline performs more complex closure-allocation optimizations than the state of the art in verified compilation. Using our novel verification framework, we prove an end-to-end theorem for our pipeline that covers both termination and divergence and applies to whole-program and separate compilation, even when different modules are compiled with different optimizations. Our results are mechanized in the Coq proof assistant.

CPS transformation with affine types for call-by-value implicit polymorphism

Transformation of programs into continuation-passing style (CPS) reveals the notion of continuations, enabling many applications such as control operators and intermediate representations in compilers. Although type preservation makes CPS transformation more beneficial, achieving type-preserving CPS transformation for implicit polymorphism with call-by-value (CBV) semantics is known to be challenging. We identify the difficulty in the problem that we call scope intrusion. To address this problem, we propose a new CPS target language Λ open that supports two additional constructs for polymorphism: one only binds and the other only generalizes type variables. Unfortunately, their unrestricted use makes Λ open unsafe due to undesired generalization of type variables. We thus equip Λ open with affine types to allow only the type-safe generalization. We then define a CPS transformation from Curry-style CBV System F to type-safe Λ open and prove that the transformation is meaning and type preserving. We also study parametricity of Λ open as it is a fundamental property of polymorphic languages and plays a key role in applications of CPS transformation. To establish parametricity, we construct a parametric, step-indexed Kripke logical relation for Λ open and prove that it satisfies the Fundamental Property as well as soundness with respect to contextual equivalence.

(Mere) Verbalness and Substantivity Revisited

Verbal disputes are often seen as closely related to a lack of substantivity. However, a systematic and comprehensive investigation of how verbalness relates to substantivity is still missing. The present paper attempts to close this gap. In addition to offering different conceptions of verbalness, the paper further develops Sider’s (Writing the Book of the World, OUP, Oxford, 2011) notion of substantivity. Ultimately, I argue for a more careful choice of terminology when it comes to assessing a dispute as “(merely) verbal” or “nonsubstantive”. While the paper shows that there is no strict logical relation between mere verbalness and nonsubstantivity construed along the lines set out by Sider, it also demonstrates that further notable notions of (mere) verbalness and substantivity are in fact closely intertwined.

Translation Features of Chinese Version of Emily Dickinson’s Poetry Selection Final Harvest

Final Harvest(1996) is the first and only Chinese translation of Emily Dickinson’s poetry selection of 576 poems, Final Harvest(1961). Using Antconc software and program written in python language, a statistical analysis of relevant data of stanzas, lines, punctuation marks, transliterated words and conjunctions in translated version and original book is conducted, to reveal translation features of the translation. It is found that the translation deviates slightly from the original in terms of stanza, line and punctuation, yet there are obvious deviations from the original in translation of transliterated words and conjunctions in that a large number of transliterated words are not annotated with footnotes or given explanation, and original logical relation displayed by conjunctions are often distorted or missing in translation. In general, the faithfulness of the translation to the original is mainly manifested in poetic form rather than in content.