Pierce, Benjamin C

Email Address
ORCID
Disciplines
Research Projects
Organizational Units
Position
Introduction
Research Interests

Search Results

Now showing 1 - 10 of 40
  • Publication
    How Good Is Local Type Inference?
    (1999-06-22) Hosoya, Haruo; Pierce, Benjamin C
    A partial type inference technique should come with a simple and precise specification, so that users predict its behavior and understand the error messages it produces. Local type inference techniques attain this simplicity by inferring missing type information only from the types of adjacent syntax nodes, without using global mechanisms such as unification variables. The paper reports on our experience with programming in a full-featured programming language including higher-order polymorphism, subtyping, parametric datatypes, and local type inference. On the positive side, our experiments on several nontrivial examples confirm previous hopes for the practicality of the type inference method. On the negative side, some proposed extensions mitigating known expressiveness problems turn out to be unsatisfactory on close examination.
  • Publication
    Differential Privacy Under Fire
    (2011-08-01) Haeberlen, Andreas; Pierce, Benjamin C; Narayan, Arjun
    Anonymizing private data before release is not enough to reliably protect privacy, as Netflix and AOL have learned to their cost. Recent research on differential privacy opens a way to obtain robust, provable privacy guarantees, and systems like PINQ and Airavat now offer convenient frameworks for processing arbitrary userspecified queries in a differentially private way. However, these systems are vulnerable to a variety of covertchannel attacks that can be exploited by an adversarial querier. We describe several different kinds of attacks, all feasible in PINQ and some in Airavat. We discuss the space of possible countermeasures, and we present a detailed design for one specific solution, based on a new primitive we call predictable transactions and a simple differentially private programming language. Our evaluation, which relies on a proof-of-concept implementation based on the Caml Light runtime, shows that our design is effective against remotely exploitable covert channels, at the expense of a higher query completion time.
  • Publication
    On Inner Classes
    (1999-07-19) Igarashi, Atsushi; Pierce, Benjamin C
    Inner classes in object-oriented languages play a role similar to nested function definitions in functional languages, allowing an object to export other objects with direct access to its own methods and instance variables. However, the similarity is deceptive: a close look at inner classes reveals significant subtleties arising from their interactions with inheritance. The goal of this work is a precise understanding of the essential features of inner classes; our object of study is a fragment of Java with inner classes and inheritance (and almost nothing else). We begin by giving a direct reduction semantics for this language. We then give an alternative semantics by translation into a yet smaller language with only top-level classes, closely following Java’s Inner Classes Specification. We prove that the two semantics coincide, in the sense that translation commutes with reduction, and that both are type-safe.
  • Publication
    Distance Makes the Types Grow Stronger: A Calculus for Differential Privacy
    (2010-09-27) Reed, Jason; Pierce, Benjamin C
    We want assurances that sensitive information will not be disclosed when aggregate data derived from a database is published. Differential privacy offers a strong statistical guarantee that the effect of the presence of any individual in a database will be negligible, even when an adversary has auxiliary knowledge. Much of the prior work in this area consists of proving algorithms to be differentially private one at a time; we propose to streamline this process with a functional language whose type system automatically guarantees differential privacy, allowing the programmer to write complex privacy-safe query programs in a flexible and compositional way.T he key novelty is the way our type system captures function sensitivity, a measure of how much a function can magnify the distance between similar inputs: well-typed programs not only can’t go wrong, they can’t go too far on nearby inputs. Moreover, by introducing a monad for random computations, we can show that the established definition of differential privacy falls out naturally as a special case of this soundness principle. We develop examples including known differentially private algorithms, privacy-aware variants of standard functional programming idioms, and compositionality principles for differential privacy.
  • Publication
    The XTATIC Experience
    (2004-10-26) Gapeyev, Vladimir; Levin, Michael Y; Pierce, Benjamin C; Schmitt, Alan
    XTATIC is a lightweight extension of C# with native support for statically typed XML processing. It features XML trees as built-in values, a refined type system based on regular types in the style of XDUCE, and "tree grep"-style regular patterns for traversing and manipulating XML. Previous papers on XTATIC have reported results on a number of specific technical issues: basic theoretical properties of an idealized core language, novel compilation algorithms for regular pattern matching, and efficient runtime support for XML processing in the style encouraged by XTATIC. The aim of the present paper is to discuss XTATIC—less formally and more holistically—from the perspective of language design. We survey the most significant issues we faced in the design process and evaluate the choices we have made in addressing them.
  • Publication
    Contracts Made Manifest
    (2012-05-01) Pierce, Benjamin C; Greenberg, Michael; Weirich, Stephanie
    Since Findler and Felleisen (Findler, R. B. & Felleisen, M. 2002) introduced higher-order contracts, many variants have been proposed. Broadly, these fall into two groups: some follow Findler and Felleisen (2002) in using latent contracts, purely dynamic checks that are transparent to the type system; others use manifest contracts, where refinement types record the most recent check that has been applied to each value. These two approaches are commonly assumed to be equivalent—different ways of implementing the same idea, one retaining a simple type system, and the other providing more static information. Our goal is to formalize and clarify this folklore understanding. Our work extends that of Gronski and Flanagan (Gronski, J. & Flanagan, C. 2007), who defined a latent calculus λC and a manifest calculus λH, gave a translation φ from λC to λH, and proved that if a λC term reduces to a constant, so does its φ-image. We enrich their account with a translation ψ from λH to λC and prove an analogous theorem. We then generalize the whole framework to dependent contracts, whose predicates can mention free variables. This extension is both pragmatically crucial, supporting a much more interesting range of contracts, and theoretically challenging. We define dependent versions of λH and two dialects (“lax” and “picky”) of λC, establish type soundness—a substantial result in itself, for λH — and extend φ and ψ accordingly. Surprisingly, the intuition that the latent and manifest systems are equivalent now breaks down: the extended translations preserve behavior in one direction, but in the other, sometimes yield terms that blame more.
  • Publication
    Paths Into Patterns
    (2004-10-27) Gapeyev, Vladimir; Pierce, Benjamin C
    The XML Path Language (XPATH) is an industry standard notation for addressing parts of an XML document. It is supported by many XML processing libraries and has been used as the foundation for several dedicated XML processing languages. Regular patterns, an alternative way of investigating and destructing XML documents, were first proposed in the XDUCE language and feature in a number of its descendants. The processing styles offered by XPATH and by regular patterns are each quite convenient for certain sorts of tasks, and the designer of a future XML processing language might well like to provide both. This designer might wonder, however, to what extent these mechanisms can be based on a common foundation. Can one be implemented by translating it into the other? Can aspects of both be combined into a single notation? As a first step toward addressing these questions, we show in this paper that a language closely related to the "downward axis" fragment of XPATH can be accurately translated into ambiguous XDUCE-style regular patterns with a "collect all matches" interpretation.
  • Publication
    Schema-Directed Data Synchronization
    (2005-03-23) Greenwald, Michael B; Foster, J. Nathan; Pierce, Benjamin C; Kirkegaard, Christian; Schmitt, Alan
    Increased reliance on optimistic data replication has led to burgeoning interest in tools and frameworks for synchronizing disconnected updates to replicated data. We have implemented a generic, synchronization framework, called Harmony, that can be instantiated to yield state-based synchronizers for a wide variety of tree-structured data formats. A novel feature of this framework is that the synchronization process—in particular, the recognition of situations where changes are in conflict—is driven by the schema of the structures being synchronized. We formalize Harmony’s synchronization algorithm, prove that it obeys a simple and intuitive specification, and illustrate how it can be used to synchronize a variety of specific forms of application data—sets, records, tuples, and relations.
  • Publication
    Exploiting Schemas in Data Synchronization
    (2007-06-01) Foster, J. Nathan; Greenwald, Michael B; Kirkegaard, Christian; Pierce, Benjamin C; Schmitt, Alan
    Increased reliance on optimistic data replication has led to burgeoning interest in tools and frameworks for synchronizing disconnected updates to replicated data. But good data synchronizers are challenging both to specify and to build. We have implemented a generic synchronization framework, called Harmony, that can be used to build state-based synchronizers for a wide variety of tree-structured data formats. A novel feature of this framework is that the synchronization process— in particular, the recognition of conflicts—is driven by the schema of the structures being synchronized. We formalize Harmony’s synchronization algorithm, prove that it obeys a simple and intuitive specification, and illustrate, using simple address books as a case study, how it can be used to synchronize trees representing a variety of specific forms of application data, including sets, records, tuples, and relations.
  • Publication
    TinkerType: A Language for Playing With Formal Systems
    (2000-10-23) Levin, Michael Y; Pierce, Benjamin C
    TinkerType is a pragmatic framework for compact and modular description of formal systems (type systems, operational semantics, logics, etc.). A family of related systems is broken down into a set of clauses — individual inference rules — and a set of features controlling the inclusion of clauses in particular systems. Simple static checks are used to help maintain consistency of the generated systems. We present TinkerType and its implementation, and describe its application to two substantial repositories of typed λ-calculi. The first repository covers a broad range of typing features, including subtyping, polymorphism, type operators and kinding, computational effects, and dependent types. It describes both declarative and algorithmic aspects of the systems, and can be used with our tool, the TinkerType Assembler, to generate calculi either in the form of typeset collections of inference rules or as executable ML typecheckers. The second repository addresses a smaller collection of systems, and provides modularized proofs of basic safety properties.