David Swasey

Ph.D. student
MPI-SWS & Saarland University
last name at mpi-sws dot org

I am a Ph.D. student studying Computer Science at the Max Planck Institute for Software Systems (MPI-SWS), co-advised by Derek Dreyer and Deepak Garg. Prior to joining the MPI-SWS in 2012, I worked as a research programmer at Carnegie Mellon University under the direction of Lujo Bauer (2006–12), Bob Harper (1998–2006), and Roger Dannenberg (1994–98). Please see my CV for the full story.

Research Interests

• Programming language design and implementation, type systems, and type theory.
• Logical frameworks, proof assistants, automated deduction, and verification.
• Computer security and privacy.

I am interested in Kripke models and logics for concurrency and security; for example, in the design of concurrency logics that support compositional verification of security protocols.

Publications

• Robust and compositional verification of object capability patterns.
  David Swasey, Deepak Garg, and Derek Dreyer.
  To appear in OOPSLA 2017: Proceedings of the 2017 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications.
  • paper in PDF
  • Coq development, VM image (an Open Virtualization Format archive with CoqIDE and our Coq development)
  Abstract

  In scenarios such as web programming, where code is linked together from multiple sources, object capability patterns (OCPs) provide an essential safeguard, enabling programmers to protect the private state of their objects from corruption by unknown and untrusted code. However, the benefits of OCPs in terms of program verification have never been properly formalized. In this paper, building on the recently developed Iris framework for concurrent separation logic, we develop OCPL, the first program logic for compositionally specifying and verifying OCPs in a language with closures, mutable state, and concurrency. The key idea of OCPL is to account for the interface between verified and untrusted code by adopting a well-known idea from the literature on security protocol verification, namely robust safety. Programs that export only properly wrapped values to their environment can be proven robustly safe, meaning that their untrusted environment cannot violate their internal invariants. We use OCPL to give the first general, compositional, and machine-checked specs for several commonly-used OCPs—including the dynamic sealing, membrane, and caretaker patterns—which we then use to verify robust safety for representative client code. All our results are fully mechanized in the Coq proof assistant.

• Iris: Monoids and invariants as an orthogonal basis for concurrent reasoning.
  Ralf Jung, David Swasey, Filip Sieczkowski, Kasper Svendsen, Aaron Turon, Lars Birkedal, and Derek Dreyer.
  In POPL 2015: 42nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 637–650, Mumbai, India, January 2015.
  • paper in PDF, publisher's site
  • Web site with technical appendix and Coq source
  Abstract

  We present Iris, a concurrent separation logic with a simple premise: monoids and invariants are all you need. Partial commutative monoids enable us to express—and invariants enable us to enforce—user-defined protocols on shared state, which are at the conceptual core of most recent program logics for concurrency. Furthermore, through a novel extension of the concept of a view shift, Iris supports the encoding of logically atomic specifications, i.e., Hoare-style specs that permit the client of an operation to treat the operation essentially as if it were atomic, even if it is not.

• Modeling and enhancing Android's permission system.
  Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey.
  In Computer Security — ESORICS 2012 — 17th European Symposium on Research in Computer Security, pages 1–18, Pisa, Italy, September 2012. Springer LNCS 7459.
  • paper in PDF, publisher's site
  • technical report: Carnegie Mellon University CyLab Technical Report CMU-CyLab-11-020, April 2012.
  Abstract

  Several works have recently shown that Android's security architecture cannot prevent many undesired behaviors that compromise the integrity of applications and the privacy of their data. This paper makes two main contributions to the body of research on Android security: first, it develops a formal framework for analyzing Android-style security mechanisms; and, second, it describes the design and implementation of Sorbet, an enforcement system that enables developers to use permissions to specify secrecy and integrity policies. Our formal framework is composed of an abstract model with several specific instantiations. The model enables us to formally define some desired security properties, which we can prove hold on Sorbet but not on Android. We implement Sorbet on top of Android 2.3.7, test it on a Nexus S phone, and demonstrate its usefulness through a case study.

• xDomain: Cross-border proofs of access.
  Lujo Bauer, Limin Jia, Michael K. Reiter, and David Swasey.
  In SACMAT '09: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pages 43–52, Stresa, Italy, June 2009.
  • paper in PDF, publisher's site
  • technical report: Carnegie Mellon University CyLab Technical Report CMU-CyLab-09-005, March 2009.
  Abstract

  A number of research systems have demonstrated the benefits of accompanying each request with a machine-checkable proof that the request complies with access-control policy—a technique called proof-carrying authorization. Numerous authorization logics have been proposed as vehicles by which these proofs can be expressed and checked. A challenge in building such systems is how to allow delegation between institutions that use different authorization logics. Instead of trying to develop the authorization logic that all institutions should use, we propose a framework for interfacing different, mutually incompatible authorization logics. Our framework provides a very small set of primitives that defines an interface for communication between different logics without imposing any fundamental constraints on their design or nature. We illustrate by example that a variety of different logics can communicate over this interface, and show formally that supporting the interface does not impinge on the integrity of each individual logic. We also describe an architecture for constructing authorization proofs that contain components from different logics and report on the performance of a prototype proof checker.

• A separate compilation extension to Standard ML.
  David Swasey, Tom Murphy VII, Karl Crary, and Robert Harper.
  In ML '06: Proceedings of the 2006 ACM SIGPLAN Workshop on ML, pages 32–42, Portland, Oregon, USA, September 2006.
  • paper in PDF, publisher's site
  • technical report: Carnegie Mellon University School of Computer Science Technical Report CMU-CS-06-104R, September 2006.
    This is a significantly expanded version of our ML '06 paper.
  • preliminary TR: Carnegie Mellon University School of Computer Science Technical Report CMU-CS-06-104, January 2006.
    Superseded by our ML '06 paper.
    
  Abstract

  We present an extension to Standard ML, called SMLSC, to support separate compilation. The system gives meaning to individual program fragments, called units. Units may depend on one another in a way specified by the programmer. A dependency may be mediated by an interface (the type of a unit); if so, the units can be compiled separately. Otherwise, they must be compiled in sequence. We also propose a methodology for programming in SMLSC that reflects code development practice and avoids syntactic repetition of interfaces. The language is given a formal semantics, and we argue that this semantics is implementable in a variety of compilers.