Following the Collaborators' Workshop held on 26th Sept (presentations available on KTN's SlideShare account), EPSRC/ESRC are running a Collaboration Development workshop on 22nd November 2019 in London to facilitate academia-industry and academia-academia collaboration ahead of the closing dates for the EPSRC and ESRC ISCF Digital Security by Design calls. The calls need to be led by academic institutions. Industrial involvement, while not mandatory, is highly desirable and will be required for future competitions. Hence this workshop aims to have a mix of academic and industrial participants. The Digital Security by Design challenge was announced in July. This challenge, amounting to £70 million of government funding over 5 years, will be delivered by UK Research and Innovation (UKRI) through the Industrial Strategy Challenge Fund (ISCF). Find out more: https://ktn-uk.co.uk/news/iscf-digital-security-by-design-collaboration-development-workshop

1. 1
Sophia Drossopoulou, Imperial College London
Worked on programming language models, design and implementation, ownership types,
session types, Pony.
Proposed type state (Fickle), gradual types, Javascript type inference
Robustness by Design

2. Robustness goes beyond traditional concerns
1
Sophia Drossopoulou, Imperial College London
Worked on programming language models, design and implementation, ownership types,
session types, Pony.
Proposed type state (Fickle), gradual types, Javascript type inference
Robustness by Design

3. • closed world
• sufficient conditions for some effect
• about individual functions;
Robustness goes beyond traditional concerns
1
Traditional Specs
Sophia Drossopoulou, Imperial College London
Worked on programming language models, design and implementation, ownership types,
session types, Pony.
Proposed type state (Fickle), gradual types, Javascript type inference
Robustness by Design

4. • closed world
• sufficient conditions for some effect
• about individual functions;
Robustness goes beyond traditional concerns
1
Traditional Specs Robustness considerations
• open world
• necessary conditions for some effect
• about emergent behaviour
Sophia Drossopoulou, Imperial College London
Worked on programming language models, design and implementation, ownership types,
session types, Pony.
Proposed type state (Fickle), gradual types, Javascript type inference
Robustness by Design

5. 2
Robustness goes beyond traditional concerns

6. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
Robustness goes beyond traditional concerns

7. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
SpecA:
{ true }
sf.take(s)
{ s=sf.secret -> sf.treasurepost = null
∧
s≠sf.secret -> sf.treasurepost = sf.treasurepre }
Robustness goes beyond traditional concerns

8. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
SpecA:
{ true }
sf.take(s)
{ s=sf.secret -> sf.treasurepost = null
∧
s≠sf.secret -> sf.treasurepost = sf.treasurepre }
SafeOne ⊨ SpecA
Robustness goes beyond traditional concerns
😀

9. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
class SafeTwo{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeTwo(s,t){
… }
mthd set(s)
{ this.secret=s;}
}
SpecA:
{ true }
sf.take(s)
{ s=sf.secret -> sf.treasurepost = null
∧
s≠sf.secret -> sf.treasurepost = sf.treasurepre }
SafeOne ⊨ SpecA
Robustness goes beyond traditional concerns
😀

10. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
class SafeTwo{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeTwo(s,t){
… }
mthd set(s)
{ this.secret=s;}
}
SpecA:
{ true }
sf.take(s)
{ s=sf.secret -> sf.treasurepost = null
∧
s≠sf.secret -> sf.treasurepost = sf.treasurepre }
SafeOne ⊨ SpecA
SafeTwo ⊨ SpecA
Robustness goes beyond traditional concerns
😱
😀

11. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
class SafeTwo{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeTwo(s,t){
… }
mthd set(s)
{ this.secret=s;}
}
SpecA:
{ true }
sf.take(s)
{ s=sf.secret -> sf.treasurepost = null
∧
s≠sf.secret -> sf.treasurepost = sf.treasurepre }
SafeOne ⊨ SpecA
SafeTwo ⊨ SpecA
SpecB: ∀sf:Safe.[ sf.secretpre = sf.secretpost ]
SafeTwo ⊭ SpecB
Robustness goes beyond traditional concerns
😱
😀
😀

12. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
class SafeTwo{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeTwo(s,t){
… }
mthd set(s)
{ this.secret=s;}
}
class SafeThree{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeThree(s,t){
… }
mthd set(s,sOld)
{ if sOld==secret then
{ secret=s;}}
}
SpecA:
{ true }
sf.take(s)
{ s=sf.secret -> sf.treasurepost = null
∧
s≠sf.secret -> sf.treasurepost = sf.treasurepre }
SafeOne ⊨ SpecA
SafeTwo ⊨ SpecA
SpecB: ∀sf:Safe.[ sf.secretpre = sf.secretpost ]
SafeTwo ⊭ SpecB
SafeThree ⊭ SpecB
Robustness goes beyond traditional concerns
😱
😀
😀
😱

13. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
class SafeTwo{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeTwo(s,t){
… }
mthd set(s)
{ this.secret=s;}
}
class SafeThree{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeThree(s,t){
… }
mthd set(s,sOld)
{ if sOld==secret then
{ secret=s;}}
}
SpecA:
{ true }
sf.take(s)
{ s=sf.secret -> sf.treasurepost = null
∧
s≠sf.secret -> sf.treasurepost = sf.treasurepre }
SafeOne ⊨ SpecA
SafeTwo ⊨ SpecA
SpecB: ∀sf:Safe.[ sf.secretpre = sf.secretpost ]
SafeTwo ⊭ SpecB
SpecC: ∀sf:Safe.[ Will(Changes(sf.treasure))
⟶
∃ o:External.Access(o,sf.secret) ]
SafeThree ⊭ SpecB
Robustness goes beyond traditional concerns
😱
😀
😀
😱

14. 2
class SafeOne{
private fld secret;
private fld treasure;
mthd take(s){
if (s==secret)
{ t=treasure;
treasure = null;
return t; } }
constr SafeOne(s,t){
secret=s; treasure = t; }
}
class SafeTwo{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeTwo(s,t){
… }
mthd set(s)
{ this.secret=s;}
}
class SafeThree{
private fld secret;
private fld treasure;
mthd take(s){
…. }
constr SafeThree(s,t){
… }
mthd set(s,sOld)
{ if sOld==secret then
{ secret=s;}}
}
SpecA:
{ true }
sf.take(s)
{ s=sf.secret -> sf.treasurepost = null
∧
s≠sf.secret -> sf.treasurepost = sf.treasurepre }
SafeOne ⊨ SpecA
SafeTwo ⊨ SpecA
SpecB: ∀sf:Safe.[ sf.secretpre = sf.secretpost ]
SafeTwo ⊭ SpecB
SpecC: ∀sf:Safe.[ Will(Changes(sf.treasure))
⟶
∃ o:External.Access(o,sf.secret) ]
SafeThree ⊭ SpecB
SafeTwo ⊭ SpecC
SafeThree ⊨ SpecC
Robustness goes beyond traditional concerns
😱
😀
😀
😀
😀
😱

15. Work so far
3
Work to do
Robustness by Design

16. Work so far
3
• designed specification languages
• semantics of the specification
language
• case studies from financial
cyptography and
object capabilities literature
• concepts of trust and risk
Work to do
Robustness by Design

17. Work so far
3
• designed specification languages
• semantics of the specification
language
• case studies from financial
cyptography and
object capabilities literature
• concepts of trust and risk
Work to do
• desk-reason about adherence to
Robustness Specs
• logic to reason adherence to
Robustness Specs
• testing for adherence to
Robustness Specs
• what if external code is executed
on untrusted machine
Robustness by Design