Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | Preprint |
| Published: |
2025
|
| Subjects: | |
| Online Access: | https://arxiv.org/abs/2506.06544 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1866917099149983744 |
|---|---|
| author | Drossopoulou, Sophia Mackay, Julian Eisenbach, Susan Noble, James |
| author_facet | Drossopoulou, Sophia Mackay, Julian Eisenbach, Susan Noble, James |
| contents | In today's complex software, internal trusted code is tightly intertwined with external untrusted code. To reason about internal code, programmers must reason about the potential effects of calls to external code, even though that code is not trusted and may not even be available. The effects of external calls can be limited, if internal code is programmed defensively, limiting potential effects by limiting access to the capabilities necessary to cause those effects.
This paper addresses the specification and verification of internal code that relies on encapsulation and object capabilities to limit the effects of external calls. We propose new assertions for access to capabilities, new specifications for limiting effects, and a Hoare logic to verify that a module satisfies its specification, even while making external calls. We illustrate the approach though a running example with mechanised proofs, and prove soundness of the Hoare logic. |
| format | Preprint |
| id |
arxiv_https___arxiv_org_abs_2506_06544 |
| institution | arXiv |
| publishDate | 2025 |
| record_format | arxiv |
| spellingShingle | Reasoning about External Calls Drossopoulou, Sophia Mackay, Julian Eisenbach, Susan Noble, James Programming Languages In today's complex software, internal trusted code is tightly intertwined with external untrusted code. To reason about internal code, programmers must reason about the potential effects of calls to external code, even though that code is not trusted and may not even be available. The effects of external calls can be limited, if internal code is programmed defensively, limiting potential effects by limiting access to the capabilities necessary to cause those effects. This paper addresses the specification and verification of internal code that relies on encapsulation and object capabilities to limit the effects of external calls. We propose new assertions for access to capabilities, new specifications for limiting effects, and a Hoare logic to verify that a module satisfies its specification, even while making external calls. We illustrate the approach though a running example with mechanised proofs, and prove soundness of the Hoare logic. |
| title | Reasoning about External Calls |
| topic | Programming Languages |
| url | https://arxiv.org/abs/2506.06544 |