Reasoning about External Calls

In today’s complex software, internal trusted code is tightly intertwined with external untrusted code. To reason about internal code, programmers must reason about the potential effects of calls to external code, even though that code is not trusted and may not even be available. The effects of external calls can be limited if internal code is programmed defensively, limiting potential effects by limiting access to the capabilities necessary to cause those effects. This paper addresses the specification and verification of internal code that relies on encapsulation and object capabilities to limit the effects of external calls. We propose new assertions for access to capabilities, new specifications for limiting effects, and a Hoare logic to verify that a module satisfies its specification, even while making external calls. We illustrate the approach though a running example with mechanised proofs, and prove soundness of the Hoare logic.

• Publication year

  2025

• Venue

  Proc. ACM Program. Lang.

• Publication date

  2025-06-06

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/3763064arXiv 2506.06544
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Lightweight Affine Types for Safe Concurrency in Scala (Keynote)

  2024cited by this paper
• A Formal Foundation of Reach Capabilities

  2024cited by this paper
• Consolidating Smart Contracts with Behavioral Contracts

  2024cited by this paper
• Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization

  2024cited by this paper
• Oxidizing OCaml with Modal Memory Management

  2024cited by this paper
• Iris-Wasm: Robust and Modular Verification of WebAssembly Programs

  2023cited by this paper
• VMSL: A Separation Logic for Mechanised Robust Safety of Virtual Machines Communicating above FF-A

  2023cited by this paper
• Verus: Verifying Rust Programs using Linear Ghost Types

  2023cited by this paper
• Hyper Hoare Logic: (Dis-)Proving Program Hyperproperties

  2023cited by this paper
• Sound Gradual Verification with Symbolic Execution

  2023cited by this paper
• Functional Ownership through Fractional Uniqueness

  2023cited by this paper
• Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code

  2023cited by this paper
• Relaxed Effective Callback Freedom: A Parametric Correctness Condition for Sequential Modules With Callbacks

  2023cited by this paper
• Borrowable Fractional Ownership Types for Verification

  2023cited by this paper
• Capturing Types

  2023cited by this paper
• With or Without You: Programming with Effect Exclusion

  2023cited by this paper
• Polymorphic Reachability Types: Tracking Freshness, Aliasing, and Separation in Higher-Order Generic Programs

  2023cited by this paper
• Securing Verified IO Programs Against Unverified Code in F*

  2023cited by this paper
• What If We Don't Pop the Stack? The Return of 2nd-Class Values (Artifact)

  2022cited by this paper
• Proving hypersafety compositionally

  2022cited by this paper
• Effects, capabilities, and boxes: from scope-based reasoning to type-based reasoning and back

  2022cited by this paper
• RustHornBelt: a semantic foundation for functional verification of Rust programs with unsafe code

  2022cited by this paper
• Specifying the Boundary Between Unverified and Verified Code

  2022cited by this paper
• Deductive verification of smart contracts with Dafny

  2022cited by this paper
• Proving full-system security properties under multiple attacker models on capability machines

  2022cited by this paper
• Necessity specifications for robustness

  2022cited by this paper
• Reachability types: tracking aliasing and separation in higher-order functional programs

  2021cited by this paper
• RefinedC: automating the foundational verification of C code with refined ownership types

  2021cited by this paper
• Formalizing Stack Safety as a Security Property

  2021cited by this paper
• Rich specifications for Ethereum smart contract verification

  2021cited by this paper
• Holistic Specifications for Robust Programs

  2020cited by this paper
• VerX: Safety Verification of Smart Contracts

  2020cited by this paper
• RustHorn: CHC-Based Verification for Rust Programs

  2020cited by this paper
• CheriABI: Enforcing Valid Pointer Provenance and Minimizing Pointer Privilege in the POSIX C Run-time Environment

  2019cited by this paper
• Incorrectness logic

  2019cited by this paper
• Leveraging rust types for modular specification and verification

  2019cited by this paper
• Safer smart contract programming with Scilla

  2019cited by this paper
• Towards Confidentiality-by-Construction

  2018cited by this paper
• Iris from the ground up: A modular foundation for higher-order concurrent separation logic

  2018cited by this paper
• AutoAlias: Automatic Variable-Precision Alias Analysis for Object-Oriented Programs

  2018cited by this paper
• RustBelt: securing the foundations of the rust programming language

  2017cited by this paper
• A Guide to Rely/Guarantee Thinking

  2017cited by this paper
• Robust and compositional verification of object capability patterns

  2017cited by this paper
• Online detection of effectively callback free objects with applications to smart contracts

  2017cited by this paper
• CapNet: security and least authority in a capability-enabled cloud

  2017cited by this paper
• A Capability-Based Module System for Authority Control (Artifact)

  2017cited by this paper
• Capabilities for Java: Secure Access to Resources

  2017cited by this paper
• LaCasa: lightweight affinity and object capabilities in Scala

  2016cited by this paper
• Reasoning about Object Capabilities with Logical Relations and Effect Parametricity

  2016cited by this paper
• Object Inheritance Without Classes

  2016cited by this paper
• Gentrification gone too far? affordable 2nd-class values for fun and (co-)effect

  2016cited by this paper
• Extensible access control with authorization contracts

  2016cited by this paper
• Permission and Authority Revisited towards a formalisation

  2016cited by this paper
• The Dart Programming Language

  2015cited by this paper
• On Rely-Guarantee Reasoning

  2015cited by this paper
• Alias calculus, change calculus and frame inference

  2015cited by this paper
• The spirit of ghost code

  2014cited by this paper
• Dynamic detection of object capability violations through model checking

  2014cited by this paper
• Declarative Policies for Capability Control

  2014cited by this paper
• Distributed Electronic Rights in JavaScript

  2013cited by this paper
• Understanding Ownership Types with Dependent Types

  2013cited by this paper
• The need for capability policies

  2013cited by this paper
• Grace: the absence of (inessential) difficulty

  2012cited by this paper
• Analysing the security properties of object-capability patterns

  2010cited by this paper
• Local Verification of Global Invariants in Concurrent Programs

  2010cited by this paper
• Joe-E: A Security-Oriented Subset of Java

  2010cited by this paper
• Universe-Type-Based Verification Techniques for Mutable Static Fields and Methods

  2009cited by this paper
• Deny-Guarantee Reasoning

  2009cited by this paper
• Verifying the Microsoft Hyper-V Hypervisor with VCC

  2009cited by this paper
• Refinement Types for Secure Implementations

  2008cited by this paper
• A Unified Framework for Verification Techniques for Object Invariants

  2008cited by this paper
• Using History Invariants to Verify Observers

  2007cited by this paper
• Generic Universe Types

  2007cited by this paper
• Modular invariants for layered object structures

  2006cited by this paper
• Robust composition: towards a unified approach to access control and concurrency control

  2006cited by this paper
• Protecting representation with effect encapsulation

  2006cited by this paper
• Separation logic and abstraction

  2005cited by this paper
• Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2

  2005cited by this paper
• Universes: Lightweight Ownership for JML

  2005cited by this paper
• Ambient-oriented programming in ambientTalk

  2005cited by this paper
• Object Invariants in Dynamic Contexts

  2004cited by this paper
• The Spec# Programming System: An Overview

  2004cited by this paper
• Ownership types for object encapsulation

  2003cited by this paper
• Scalable Visualizations of Object-Oriented Systems with Ownership Trees

  2002cited by this paper
• Ownership confinement ensures representation independence for object-oriented programs

  2002cited by this paper
• Separation logic: a logic for shared mutable data structures

  2002cited by this paper
• Simple Ownership Types for Object Containment

  2001cited by this paper
• Alias burying: Unique variables without destructive reads

  2001cited by this paper
• Contract Soundness for object-oriented languages

  2001cited by this paper
• Featherweight Java: a minimal core calculus for Java and GJ

  2001cited by this paper
• BI as an assertion language for mutable data structures

  2001cited by this paper
• Promises: limited specifications for analysis and manipulation

  1998cited by this paper
• Flexible Alias Protection

  1998cited by this paper
• The ins and outs of objects

  1998cited by this paper
• Ownership types for flexible alias protection

  1998cited by this paper
• Programming as an Experience: The Inspiration for Self

  1995cited by this paper
• A behavioral notion of subtyping

  1994cited by this paper
• Assigning Meanings to Programs

  1993cited by this paper
• Applying 'design by contract'

  1992cited by this paper
• SELF: The power of simplicity

  1987cited by this paper

• No citing papers are available for this paper.