Curriculum Vitae

1 Name

Andrei Popescu, Ph.D.

2 Qualifications, with awarding body and dates

Education – Ph.D. in computer science, University of Illinois at Urbana-Champaign, Sept. 2010. Advisor: Elsa L. Gunter. – Ph.D. in mathematics, University of Bucharest, June 2005. Advisor: George Georgescu. – M.Sc. in computer science, University of Bucharest, June 2003. – B.A. in computer science, University of Bucharest, June 2001.

Prizes and Awards – Best Paper Award for 2012/2013 within the Reliably Secure Software Systems (RS3), a pri- ority program funded by the German Research Foundation (DFG), encompassing 12 main projects and 6 associated projects. This was for the paper “Proving Concurrent Noninterfer- ence”, coauthored with Johannes H¨olzland Tobias Nipkow. – Mavis Memorial Fund Scholarship Award 2006, offered by the College of Engineering, UIUC. – Saburo Muroga Fellowship for outstanding CS graduate students 2005, offered by the De- partment of Computer Science, UIUC.

3 Membership of Professional Bodies and Learned Societies (NA)

4 Career details – Present employment

– Postdoctoral researcher at the Chair of Logic and Verification, Technische Universit¨atM¨unchen, Germany, October 2010–present

5 Previous employment and appointments

– Postdoctoral researcher at the Chair of Logic and Verification, Technische Universit¨atM¨unchen, Germany, October 2010–present – Co-instructor at University of Illinois at Urbana-Champaign (UIUC), US (course: Introduc- tion to Computing with Application to Business and Commerce), January 2010–May 2010 – Intern at Microsoft Research at the Cambridge lab, July 2008–August 2008. – Teaching Assistant at UIUC (courses: Programming Languages and Compilers, Introduction to Computer Science), January 2007–January 2010 – Research Assistant in the area of Programming Language Semantics and Verification at UIUC, August 2004–September 2010 – On-leave researcher at the Institute of Mathematics “Simion Stoilow” of the Romanian Academy, June 2005–present. – Assistant Professor at the Department of Computer Science, University of Bucharest, Ro- mania. February 2003–May 2004. – Research and Teaching Assistant at the same department, September 2001 - January 2003. 6 Teaching and Learning

Please see Appendix 3 for more details.

Courses and tutorials

In all of the following, except for number 2, I was a teaching assistant. For number 2, I was main instructor.

1. Semantics of Programming Languages. Master course. TUM. Spring 2010. Instructor: Tobias Nipkow. 2. Introduction to Computing with Application to Business and Commerce (CS105). First-year course. UIUC. Spring 2010. Instructors: Tom Gambill and myself.1 3. Introduction to Computer Science (CS125). First-year course. UIUC. Fall 2009. Instructor: Lawrence Angrave. 4. Introduction to Computing for Engineers and Physical Scientists (CS101). First-year course. UIUC. Spring 2007—Spring 2009. Instructor: Tom Gambill. 5. Programming Languages and Compilers (CS421). Fourth-year course. UIUC. Fall 2006. Instructor: Elsa Gunter. 6. Fuzzy Logic. Fourth-year course. University of Bucharest. Spring 2004. Instructor: George Georgescu. 7. Fundamentals of Computer Science, I and II. Second-year course. University of Bucharest. Spring 2003 and Fall 2004. Instructor: Virgil C˘az˘az˘anescu.

Advised graduate students

– Sudeep Kanav (coadvised jointly with Peter Lammich). A secure web interface for a ver- ified conference management system. Individual research project, Technische Universit¨at M¨unchen, 2012 – Dmitriy Traytel (coadvised jointly with Jasmin Blanchette). A category theory based (co)datatype package for Isabelle/HOL. Master thesis, Technische Universit¨atM¨unchen, 2012 – Andreas Schropp. Instantiating deeply embedded many-sorted theories into HOL types in Isabelle. Master thesis, Technische Universit¨atM¨unchen, 2012.

7 Research and Knowledge Transfer

I currently participate in the project “Security Type Systems and Deduction” Reliably Secure Software Systems (RS3)[9] funded by the DFG (German Research Foundation). In the first two phases of the project (covering four years) I was a funded researcher, and Tobias Niopkow and Christoph Weidenbach were principal investigators. For phase III (aimed at covering another two years), I am a co-applicant jointly with Tobias Nipkow [8] – the funding decision for phase III has not been made yet.

1 This was a large course, encompassing about 600 students and 8 teaching assistants. I was responsible for managing half of the students and the assistants. 8 Knowledge Transfer and Professional Practice

– Program committee member at the 8th International Workshop on Logical Frameworks and Meta-Languages: Theory and Practice (LFMTP) 2013. – Reviewer for many conferences and journals, including recent assignments at: • Conferences: ESOP 2014, FoSSaCS 2014, IJCAR 2014, LPAR-19 2013, FoSSaCS 2013, ITP 2013 • Journals: Theoretical Computer Science, Logical Methods in Computer Science

9 External and Internal Academic Leadership or Evidence of Academic Standing

Within the priority program Reliably Secure Software Systems (RS3)[9], the so-called reference scenarios are aimed at bridging the gap between theory and practice. According to the speci- fication of RS3, a reference scenario is a software development involving multiple projects that should act as a “basis for evaluation of developed methods and tools” and as a “platform for demonstration of results to industrial companies and public authorities.” With the endorsement of Tobias Nipkow and principal investigators in other affiliated projects, I was the initiator of one of the three current RS3 reference scenarios: the implementation of a conference management system (for submitting, discussing and reviewing papers), whose func- tional kernel is represented and verified in Isabelle. Appendix 2 (Section 4) gives more details.

Appendix 1: Public Output

Refereed and published (or accepted) conference proceedings

1. Sudeep Kanav, Peter Lammich and Andrei Popescu. A Conference Management System with Verified Document Confidentiality. 26th International Conference on Computer Aided Verification (CAV) 2014, to appear 2. Jasmin Christian Blanchette, Andrei Popescu Dmitriy Traytel. Modular First-Order Logic Completeness—A Coinductive Pearl. 7th International Joint Conference on Automated Rea- soning (IJCAR) 2014, to appear 3. Jasmin Christian Blanchette, Andrei Popescu Dmitriy Traytel. Cardinals in Isabelle/HOL. 4th Conference on Interactive Theorem Proving (ITP) 2014, to appear 4. Jasmin Christian Blanchette, Johannes H¨olzl,Andreas Lochbihler, Lorenz Panny, Andrei Popescu and Dmitriy Traytel. Truly Modular (Co)datatypes for Isabelle/HOL. 4th Confer- ence on Interactive Theorem Proving (ITP) 2014, to appear 5. Andrei Popescu, Johannes H¨olzland Tobias Nipkow. Formalizing Probabilistic Noninter- ference. 3rd International Conference on Certified Programs and Proofs (CPP) 2013, pp. 259-275 6. Andreas Schropp and Andrei Popescu. Nonfree Datatypes in Isabelle/HOL: Animating a Many-Sorted Metatheory. 3rd International Conference on Certified Programs and Proofs (CPP) 2013, pp. 114-130 7. Andrei Popescu, Johannes H¨olzland Tobias Nipkow. Formal Verification of Language-Based Concurrent Noninterference. Journal of Formalized Reasoning 6(1), 2013. 8. Jasmin Christian Blanchette and Andrei Popescu. Mechanizing the metatheory of Sledge- hammer. 9th International Symposium on Frontiers of Combining Systems (FroCoS) 2013, pp. 245-260. 9. Andrei Popescu, Johannes H¨olzland Tobias Nipkow. Noninterfering Schedulers: When Pos- sibilistic Noninterference Implies Probabilistic Noninterference. 5th International Conference on Algebra and Coalgebra in Computer Science (CALCO) 2013. pp. 236-252. 10. Jasmin Christian Blanchette, Sascha B¨ohme,Andrei Popescu and Nicholas Smallbone. En- coding Monomorphic and Polymorphic Types. 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS) 2013, pp. 493-507. 11. Andrei Popescu, Johannes H¨olzland Tobias Nipkow. Proving Concurrent Noninterference. 2nd International Conference on Certified Programs and Proofs (CPP) 2012, pp. 109-125. 12. Jasmin Christian Blanchette, Andrei Popescu, Daniel Wand and Christoph Weidenbach. More SPASS with Isabelle: Superposition with Hard Sorts and Configurable Simplification. 3rd Conference on Interactive Theorem Proving (ITP) 2012, pp. 345-360. 13. Dmitriy Traytel, Andrei Popescu and Jasmin Christian Blanchette. Foundational, Composi- tional (Co)datatypes for Higher-Order Logic: Category Theory Applied to Theorem Proving. 27th IEEE Symposium on Logic In Computer Science (LICS) 2012, pp. 596-605. 14. Andrei Popescu and Elsa L. Gunter. Recursion principles for syntax with bindings and sub- stitution. The 16th ACM SIGPLAN International Conference on Functional Programming (ICFP) 2011, pp. 346-358. 15. Andrei Popescu, Elsa Gunter and Chris Osborn. Strong Normalization for System F by HOAS on top of FOAS. 25th IEEE Symposium on Logic In Computer Science (LICS) 2010, pp. 31-40. 16. Andrei Popescu and Elsa Gunter. Incremental pattern-based coinduction for process algebra and its Isabelle formalization. 13th International Conference on Foundations of Software and Computational Structures (FOSSACS) 2010, LNCS 6014, pp. 109-127. 17. Elsa Gunter, Chris Osborn and Andrei Popescu. Theory support for Weak Higher-Order Abstract Syntax. 4th International Workshop on Logical Frameworks and Meta-Languages: Theory and Practice, 2009. ACM International Conference Proceeding Series 2009. 18. Andrei Popescu. Weak bisimilarity coalgebraically. 3rd International Conference on Algebra and Coalgebra in Computer Science (CALCO) 2009, LNCS 5728, pp. 157-172. 19. Andrei Popescu and Grigore Ro¸su.Term-Generic Logic. 19th International Workshop on Algebraic Development Techniques (WADT) 2008, LNCS 5486, pp. 290-307. 20. Andrei Popescu, Traian S¸erb˘anut¸˘aand Grigore Ro¸su.A semantic approach to interpolation. 9th International Conference on Foundations of Software Science and Computation Structure (FOSSACS) 2006, LNCS 3921, pp. 307-321. 21. Andrei Popescu and Grigore Ro¸su.Behavioral extensions of institutions. 1st International Conference on Algebra and Coalgebra in Computer Science (CALCO) 2005, LNCS 3629, pp. 331-347. 22. Andrei Popescu. Languages generated using an abstract catenation. Grammars, 7, 2004, pp. 31-40.

Refereed articles in academic journals

1. Andrei Popescu, Johannes H¨olzland Tobias Nipkow. Formal Verification of Language-Based Concurrent Noninterference. Journal of Formalized Reasoning 6(1), 2013. 2. Andrei Popescu, Traian S¸erb˘anut¸˘aand Grigore Ro¸su.A semantic approach to interpolation. Theoretical Computer Science, 410(12-13), 2009, pp. 1109-1128. 3. Daniel G˘ain˘aand Andrei Popescu. An institution-independent proof of the Robinson consis- tency theorem. Studia Logica, 85(1), 2007, pp. 41-73. 4. Andrei Popescu. Some algebraic theory for many-valued relation algebras. Algebra Univer- salis, 56, 2007, pp. 211-235. 5. Daniel G˘ain˘aand Andrei Popescu. An institution-independent generalization of Tarski’s elementary chain theorem. Journal of Logic and Computation, 16(6), 2006, pp. 713-735. 6. George Georgescu and Andrei Popescu. A common generalization for MV-algebras and Lukasiewicz-Moisil algebras. Archive for Mathematical Logic, 45(8), 2006, pp. 947-981. 7. George Georgescu and Andrei Popescu. A new class of probabilities onLukasiewicz-Moisil algebras. Journal of Multiple-Valued Logic and Soft Computing, 12(3-4), 2006, pp. 337-354. 8. George Georgescu, Ioana Leu¸steanand Andrei Popescu. Order convergence and distance on Lukasiewicz-Moisil algebras. Journal of Multiple-Valued Logic and Soft Computing, 12(1-2), 2006, pp. 33-69. 9. Andrei Popescu.Lukasiewicz-Moisil relation algebras. Studia Logica 81(2), 2005, pp. 167-190. 10. George Georgescu and Andrei Popescu. Similarity convergence in residuated lattices. Logic Journal of IGPL, 13, 2005, pp. 389 - 413. 11. Andrei Popescu. Many-valued relation algebras. Algebra Universalis 53, 2005, pp. 73-108. 12. George Georgescu and Andrei Popescu. Non-commutative fuzzy structures and pairs of weak negations. Fuzzy Sets and Systems 143, 2004, pp. 129-155. 13. Andrei Popescu. A general approach to fuzzy concepts. Mathematical Logic Quarterly 50(3), 2004, pp. 1-17. 14. George Georgescu and Andrei Popescu. Non-dual fuzzy connections. Archive for Mathemat- ical Logic 43, 2004, pp. 1009-1039. 15. George Georgescu and Andrei Popescu. Non-commutative fuzzy Galois connections. Soft Computing, 7(7), 2003, pp. 458-467. 16. George Georgescu and Andrei Popescu. Closure operators and concept equations in non- commutative fuzzy logic. Tatra Mountains Publication, 27, 2003, pp. 67-90. 17. George Georgescu and Andrei Popescu. Concept lattices and similarity in non-commutative fuzzy logic. Fundamenta Informaticae, 53(1), 2002, pp. 23-54.

Published formal developments in the Isabelle theorem prover

1. Andrei Popescu and Peter Lammich. Bounded-Deducibility Security. Archive of Formal Proofs (AFP) 2014. 2. Markus N. Rabe, Peter Lammich, Andrei Popescu. A shallow embedding of HyperCTL. Archive of Formal Proofs (AFP) 2014. 3. Andrei Popescu and Johannes H¨olzl.Probabilistic Noninterference. Archive of Formal Proofs (AFP) 2014. 4. Jasmin Christian Blanchette, Andrei Popescu and Dmitriy Traytel. Modular First-Order Logic Completeness. Archive of Formal Proofs (AFP) 2014. 5. Jasmin Christian Blanchette and Andrei Popescu. Sound and Complete Sort Encodings for First-Order Logic. Archive of Formal Proofs (AFP) 2013. 6. Andrei Popescu and Johannes H¨olzl.Possibilistic Noninterference. Archive of Formal Proofs (AFP) 2012. 7. Andrei Popescu. Ordinals and Cardinals. Archive of Formal Proofs (AFP) 2009. Appendix 2: Research Statement

My research combines formal logic with software engineering in developing proof assistant tech- nology and pursuing formal verification of systems by interactive theorem proving. Theorem proving is emerging as a major technology in computer science, and my research is contributing to its progress. But we are not there quite yet. I still occasionally meet computer scientists who have not heard of theorem proving or regard it as an exotic approach.

1 The Context of My Research

Interactive theorem proving is the art and science of developing machine-checked mathematical theories, including definitions, theorem statements, and formal proofs. This is achieved using proof assistants (also known as interactive theorem provers), which are software systems for interactive proof development. Proof assistants arose independently in the late sixties and early seventies in several parts of the world [3, 26, 28, 56], and at first they consisted of mere proof checkers. The pioneers took different views and engineering approaches, launching schools of thought that led to the mature theorem provers of today, based on various logical foundations: first-order logic (ACL2), higher- order logic (HOL4 [5], HOL Light [41], Isabelle/HOL [58], etc.) and type theory (Agda [1], Coq [15], Nuprl [27], Twelf [4], etc.). In mathematics, proof assistants are used to achieve greater rigor and confidence, which are especially important for results where the usual social process of peer reviewing is unsatisfactory due to the combinatorial complexity [2, 37]. In computer science, hardware and software verifi- cation have a long history: “Instead of debugging a program, one should prove that it meets its specifications, and this proof should be checked by a computer program.” [53] Verification success stories include several microprocessors [39], C and Java compilers [49,50], and an operating sys- tem kernel [48]. But why prefer interactive theorem proving, often a very laborious task, to lighter fully automatic methods? There are at least three reasons [42]: the need for higher assurance (e.g., in safety-critical systems), the inherent complexity/undecidability of the very properties under consideration, and, not least, the ideal of designing functionally correct systems from the ground up guided by a proof assistant [48]. In practice, one may combine theorem proving with lighter methods [10, 32], integrate proof infrastructure in a programming environment [13, 52], or, conversely, extract programs from formal definitions and proofs [14, 59]. For formal developments, users need automation support for proof search, as well as a high- level datatype specification infrastructure. The need for the former is self-evident. As for the latter, a main feature of programming languages is the abundance of datatypes: lists, arrays, hash tables, red-black trees, and so on. Moreover, syntax with variable bindings, pervasive in the metatheory of programming languages [11], forms datatypes of a special non-local nature. Finally, the description of interactive processes and computing systems themselves (such as operating systems) is best achieved using datatypes that store possibly “nonterminating” infinitary objects. Consequently, a major goal of proof assistants aiming at computer science applications is an expressive and convenient mechanism for defining and reasoning about datatypes. My research targets the aforementioned topics in proof assistant technology—datatypes (Sec- tion 2) and automation (Section 3)—being concerned with their solid mathematical foundation and their practical realization. In close connection with this infrastructure work, I am formalizing language and system information-flow security (Section 4). Most of my ideas find their realization in Isabelle (usually in its Isabelle/HOL variant [58]), a popular theorem prover with hundreds of users world-wide, in both industry and academia. 2 Datatypes and Bindings Datatype specification mechanisms are at the heart of every modern proof assistant or pro- gramming language. There is a quest (and a competition) amongst proof assistants on offering expressive and flexible datatypes that also enjoy a solid logical foundation. In theory, datatypes can be both expressive and compositional and can export a rich set of operations for manipu- lating data. In practice, proof assistant technology is far behind this ideal. My work provides a framework for bringing theory into practice. In particular, it endows Isabelle/HOL with state- of-the-art datatypes. Fitting a Tight Foundational Shoe. Isabelle/HOL is based on higher-order logic (HOL), arguably the most popular logic for computer science applications. It adheres to the so-called LCF philosophy originating from Robin Milner, requiring that every new piece of structure and functionality, including datatypes, be reduced to a small trusted logic kernel. LCF is the best known approach to ensuring that new developments are free of bugs, and in particular, do not introduce inconsistencies in the logic. But living up to the HOL/LCF standards is not easy. State-or-the-art datatypes are developed only in the field of category theory, where one typically employs a logic that is stronger than HOL. Furthermore, LCF requires that all constructions be reduced to the underlying logic; hence the difficulty of introducing state-of-the-art datatypes in HOL/LCF. Compositional (Co)inductive Datatypes. I undertook this challenge, first from a theo- retical point of view, showing that the flexible and compositional datatypes recommended by category theory can be defined in HOL. After my initial demonstrations, which included a rough implementation prototype, I was joined by my colleagues Jasmin Blanchette, Dmitriy Traytel, and later by others. We engaged in a substantial design and implementation effort to realize the idea as a full-fledged Isabelle package, including a whole variety of conveniences for the users [17,18,21,23,82]. On the way, a theory of cardinal numbers had to be adapted to HOL and formalized in Isabelle [22,67] in order to support the categorical foundations of datatypes—initial algebras and final coalgebras—in a localized form suitable for HOL. Thanks to our work, for the first time an LCF prover features truly compositional datatypes, as well as nested and mutual combinations of inductive and coinductive types. Moreover, conve- nient operations for data manipulation, such as relators and mappers, are produced automatically (while in all other proof assistants these would have to be defined by users for each new datatype). Finally, modular recursors and corecursors are supported, in different constellations [18]. The en- gineering benefits of our infrastructure work are starting to show. The developer of the Isabelle representation of Java’s memory model [50] has recently ported his formalization to use our package’s coinductive datatypes—this saved him thousands of script lines. Flexible Containers as Datatypes. Most theorem provers and programming languages have their datatype specification mechanism restricted to rigid containers, where each element has a fixed position—lists are the prototypical example. On the other hand, one often wishes to employ more flexible containers modulo equational theories, such as finite sets or bags, as if they were themselves datatypes, that is, to be able to pattern-match and recurse over them [81]. Andreas Schropp and I have provided the technology for doing this in Isabelle/HOL [80]. Programming in Isabelle/HOL. A side effect of our group’s overall engineering activity is that Isabelle/HOL is now an attractive programming environment, including Haskell-style support for lazy data structures. The user can write, prototype and verify (aspects of) their programs in Isabelle/HOL, and then automatically extract efficient code in one of the target programming languages [38]. In particular, coinductive datatypes organize this proof assistant into a total-programming front end for Haskell [23, §7]. Binding and Substitution Mechanisms. Binding syntaxes is a central topic in the metathe- ory of programming languages and logical systems. Indeed, the core engine behind modern pro- graming languages consists of a mechanism for scoping, binding, and substituting objects such as variables, references, and device identifiers. Similarly, formal logics and type systems are es- sentially characterized by their specific interplay between binding (λ-abstraction, quantification, etc.) and substitution. The influential POPLmark manifesto [11] has brought the topic of mechan- ical representation of syntax with bindings to the attention of researchers in both programming languages and theorem proving. The manifesto acknowledged a persistent problem—the fun- damental difficulty of rigorous, reliable reasoning about binders—and challenged the theorem proving community to provide solutions. I was interested in the problem both theoretically and from the perspective of mechanical representation. My theoretical contribution was demonstrating that substitution and bindings interact recursively in a harmonious way, yielding a useful recursion principle for the λ-calculus and related systems [70]. I have employed this insight in a fresh look at a major paradigm for representing bindings, higher-order abstract syntax (HOAS) [40,61]. This resulted in a represen- tation style that I call HOAS on top of FOAS [62,71], combining a higher-order and a first-order view into an integrated environment that capitalizes on the strengths of both. My work also offers a solution to the problem of combining inductive reasoning and HOAS, which, unlike pre- vious solutions [4,6, 54], only requires standard logical foundations; in fact, it even fits HOL’s “tight foundational shoe.” I have illustrated the practical feasibility and scalability of my frame- work with Isabelle mechanizations, covering a generic theory of bindings [62, §2.9.1] and large fragments of the metatheory of λ-calculus [62, §2.9.2] and first-order logic [19, 20]

3 Automation I am interested in making interactive theorem proving more automatic, and generally in capital- izing on the opportunities for higher automation hiding inside undecidable problems. Type Encodings for Automatic Theorem Provers. Sledgehammer [60] is a tool that con- nects Isabelle/HOL with third-party automatic theorem provers (ATPs) such as E, SPASS, and Vampire. An Isabelle proof goal, together with a few hundred other facts deemed relevant for proving the goal, are automatically encoded in the language of the ATPs and several ATPs are run in parallel trying to infer the goal from the relevant facts; if one succeeds, then, using knowl- edge of the facts actually needed, a proof is reconstructed and replayed in Isabelle. The main challenge here is encoding polymorphic higher-order logic (Isabelle/HOL’s logic) into first-order logic (the ATPs’ logic) soundly and completely, yet efficiently. I have collaborated with Jasmin Blanchette (the developer and maintainer of Sledgehammer) on designing encodings that try to fulfill the above antagonistic goals in a reasonable way. It turns out that the answer is not a single “perfect” encoding, but a judicious combination of encodings that follow different strategies [16]. We have used Isabelle itself to formally certify the soundness and completeness of these encodings [19]. This work required formalizing some metatheory of many-sorted first-order logic. Results such as the completeness and skolemization theorems were major case studies for our recently developed infrastructure of coinductive datatypes and syntax with bindings. Partly thanks to the new encodings, partly to the higher courtesy towards Isabelle from the ATPs’ side [24], Sledgehammer has become significantly more powerful, as reported by represen- tative benchmarks [25] and numerous pleased users [7]. Moreover, its strength has inspired the advancement of similar tools in different proof assistants [45, 78] Towards Automating Coinduction and Bisimilarity Proofs. Coinduction is the dual of induction, and is useful for modeling properties of systems with infinite behavior. For example, behavioral equivalence of processes in process algebra [57], a.k.a. bisimilarity, as well as equal- ity on coinductive datatypes, can be characterized coinductively. Traditionally, bisimilarity and coinductive equality are proved by exhibiting a bisimulation relation that witnesses the overall synchronization of the two sides as they unfold their behavior—the requirement of producing upfront a possibly very involved bisimulation is a bottleneck for automation. I have shown that, under mild assumptions on the format of specifications, bisimilarity admits a proof system where the witness bisimulation is produced incrementally by the goal exploration [69]. Moreover, weak bisimilarity, a more realistic version of bisimilarity that factors out internal steps of a process, can be cast in this format [68]. This paves the way for partly automating bisimilarity proofs, as I illustrate in an Isabelle mechanization [69]. Language-based security proofs (Section 4) are a main beneficiary of this approach. Work is under way to integrate incremental proofs with Isabelle’s new coinductive datatypes. Similar ideas are currently being explored by others in Coq [31, 43].

4 Information-Flow Security Information-flow security studies means of controlling the flow of information in programs or systems. The tremendous growth of this area of research in recent years has been motivated by the increasing complexity of software, triggering more and more possibilities for its malicious use. I am interested in all aspects of information-flow security, including language and system security, especially in conjunction with the secure implementation and verification of systems. Language-Based Security. Information-flow language-based security [79] is concerned with techniques to prevent or restrict, in programs, the flow of information between designated sources and sinks (e.g., variables, object references). Different security type systems have been put for- ward to cope with aspects of information flow (nondeterminism, termination and probabilistic channels) and language features (exceptions, objects, concurrency). Following lively discussions on the topic at the meetings of Reliably Secure Software Systems (RS3)[9] (a priority program of the German Research Foundation encompassing 12 main projects and 6 associated projects), I took over the task of systematizing the multitude of type systems that the literature has gathered over the years. In a series of joint papers with Johannes H¨olzl and Tobias Nipkow [72–74], I showed that many of these type systems and their soundness theorems emerge from the interplay and iteration of two simple principles behind information flow: ordering and compositionality. We also discovered optimized combinations, leading to novel type systems with better tradeoffs between requirements and guarantees. The uniform pattern behind security type systems emerged during the formalization process, using Isabelle’s versatile proof exploration tools. A concurrency feature notoriously brittle for security type systems is the presence of an arbitrary scheduler. To cope with this, we designed a framework for analyzing scheduler security in isolation from the thread-pool security, in such a manner that combining them afterward yields overall secure behavior [75]. Our systematization and unification endeavor was honored with the RS3 best paper award for 2012–2013 offered by a committee of prominent RS3 members. Realistic System Security. Language-based security focuses on programs written in a pro- gramming language, and its methods operate on program syntax. By contrast, system security covers general event systems, and its methods are mainly semantic. The research landscape of information-flow system security is divided between theoretical work proposing elaborate security notions and proof methods [51,55,83] and practical implementations usually focusing on enforc- ing simpler, tractable properties. RS3 reference scenarios are aimed at bridging the gap between theory and practice. According to the specification of RS3, a reference scenario is a software development involving multiple projects that should act as a “basis for evaluation of developed methods and tools” and as a “platform for demonstration of results to industrial companies and public authorities.” With the endorsement of Tobias Nipkow and principal investigators in other affiliated projects, I was the initiator of one of the three current RS3 reference scenarios: the implementation of CoCon [46], a conference management system (for submitting, discussing and reviewing papers), whose functional kernel is represented and verified in Isabelle. The carefully designed architecture of CoCon ensures that the Isabelle specification is faithful to the implementation, so that the formal properties established in Isabelle for the kernel have strong guarantees to hold for the overall system. This work, described in detail in [47], is a realization of the security by design paradigm, with the specificity that the design phase is backed by mechanical verification. Here, security refers to the absence of undesired information flow and includes temporal and declassification dimensions. For example, a user should learn nothing about the content of a paper but the final uploaded version unless they are or become an author of that paper. The formulation of such relevant properties follows a different route than most of the theoretic research in the area: we get direct inspiration from the behavior of a full realistic system, without the usual conceptual simplifications that may overlook fundamental aspects. Perhaps not surprisingly, off-the-shelf concepts from the literature did not fit here. We had to design our own framework for security specification and proof [47].

5 Early Research

I received my early academic education at the University of Bucharest, where, due to cultural and economic reasons, the highest-quality research was purely theoretical, and, moreover, formal methods were essentially identified with formal logic and category theory. To pick an illustrative example of the kind of abstract views I was offered as a young computer science student: In the programming language course, a compiler was defined without further ado as a morphism between two objects in a category. My early exercises in non-classical logics and abstract (logic-independent) model theory equipped me with the inclination to extract the general reusable idea behind particular phenom- ena, as well as with the tendency to be drastic about consistent foundation, but not dogmatic about the choice of the foundation. Later, I become more interested in applying formal logic as opposed to studying it for its own sake. Fuzzy Logic. My most representative work in the area is concerned with recovering for fuzzy logic some fundamental symmetries of classical logic [35] and organizing fuzzy concept analysis in a logic-connective-free manner [64]. I have also developed the bases of fuzzy relation algebra and its representation theorems [65, 66]. Abstract Model Theory. As a logician, I was delighted to discover that computer science often requires a higher degree of formal rigor and generality than ordinary mathematics. Notably, the theory of institutions [36], a type of logic-independent model theory emerging from theoretical computer science, is probably the most abstract treatment of logic ever imagined. I showed that landmark concepts and results of logic such as elementary chain [33], Robinson consistency [34] and Craig interpolation [76] can be stated and proved for institutions, covering with one formu- lation many logical systems of interest. These results were included in the state-of-the-art mono- graph on institutions [30] and are frequently cited amongst “jewels of institution-independent model theory” [29].

6 Future Directions

I continue to believe that solid yet flexible mathematical foundations are the key to the success of formal methods. Moreover, I have now reached a better understanding of the balance between theory and practice: the latter should inspire and guide the former, and not vice versa; although well-practiced theory should eventually lead to better practice. Next I describe some possible future directions for my research based on this principle, each offering ample opportunities for Ph.D. topics. Prover-Endorsed Programming Languages. It is widely believed that programming is much easier and more wide-spread than theorem proving. However, all modern programming languages feature some simple automatic provers: their engine for type checking and/or type inference. More advanced integration of theorem proving support can tremendously help reliable programming. The key to a realistic such integration is unobtrusiveness : in normal mode, the theorem prover should run on the background and check useful properties on the fly, without the programmer even noticing. For example, thanks to the datatype infrastructure and other tools, programming in Isabelle feels like programming in an ordinary functional language; but, unlike with usual programming, here a lot happens on the background: properties such as totality (via termination or productivity) or well-definedness on flexible-container domains are ensured mostly automat- ically. For more ambitious programmers, the prover should of course allow verifying arbitrarily complex functional properties. Many programmers do not realize that proving, besides being more reliable, is often much easier than testing! The advantage of having a prover “inside the system” is omniscience: it would know everything that has been programmed and proved in the vicinity of the program of interest. Self-Improving Infrastructure for (Co)inductive Datatypes. The ideal environments for software development, be they proof assistants or programming languages, should be able to learn from user specifications. Proof assistants have especially great potential here, thanks to their theorem database. Basically, any successful function definition can be recorded as a theorem for later reuse. For example, we are currently designing the Isabelle infrastructure for corecursive definitions so that the corecursor gets better and better (accepts more definitions) with each new invocation [63, §1.3]. Ideally, the learning mechanism should be able to identify and store general successful patterns rather than mere successful instances: the theory of parametricity [77] is well-suited for such a task and is currently insufficiently exploited in proof assistants. Mechanized Metatheory and Automation. The theorem proving community should do more for reaching out and understanding the needs of other research communities. Often, expressing a problem in a theorem prover can contribute far beyond gaining confidence or discovering errors. Specifically, it can help identify general patterns and fully automatable aspects, so that one can work at the proper level of generality and focus on the genuinely difficult parts. But it usually takes a theorem proving expert to pursue this, at least in the initial stages. The work of Gilles Barthe in cryptography is a prominent example [12]—using tools based on the Coq proof assistant, he shows how to handle quasi-automatically a wide class of problems on whose pen-and-paper proofs cryptographers traditionally invest substantial time and effort. My own work on language-based security is another example (on a smaller scale). I plan to continue my quest for identifying areas that could benefit from the rigor, expressive power and automation of theorem provers and collaborate with experts in those areas. Web-Based Workflow Management Systems Secure by Design. My experience with the verification of a realistic conference management system can be reused for systems whose security is of wider interest. Examples include mail services and social networks. Indeed, the concepts of users uploading and downloading documents whose content should only be revealed under certain circumstances to certain categories of users is rather general. This is reflected in my Isabelle formalization, where the generic, reusable aspects of the verification infrastructure are clearly separated from the system-specific aspects. Another future direction is concerned with making the security guarantees more holistic, by enhancing the verified kernel with a verification of the web interface using language-based tools [44]. Appendix 3: Teaching Statement

1 Teaching Philosophy

I was involved in teaching at a variety of levels (from first-year introductory courses to master courses) and in a variety of topics (from theoretical computer science to Java programming to scientific computing). Below I express a few thoughts on teaching, perhaps biased towards topics that involve a mathematical development of the concepts. In my view, a course should cover two dimensions: (1) The “official” material, with a well-defined technical content (if applicable). Here the discourse should be as unambiguous as possible. (2) Intuitive explanations, connections, analogies, motivations. Here the exposition can follow an informal style, with language adapted as much as possible to the students’ understanding but accepting the possibility that part of the explanation may not be fully understandable. Both are equally important. (1) should offer a self-contained solid ground where the students’ knowledge is likely to progress linearly, while (2) should offer a network of conceptual shortcuts and pointers with the help of which the students’ knowlege may progress exponentially. It should be emphasized to the students that (2) is very helpful for sedimenting and applying the knowl- edge. However, the technical scope of (1) should be clearly separated from that of (2)—while (2) may be food for some minds, it may also be poison for others, who might feel intimidated by the vastness of an open-ended view. The exam should be designed in such a way that only the material from (1) is being tested, but that it is very unlikely that a student who has completely ignored the insights offered by (2) should be able to obtain maximum score. I also believe in the (very popular nowadays) active learning technique, meaning that the students should be encouraged to actively participate in the process of building their knowledge. However, this technique should be applied with care, discreetly encouraging (even alluring) the students to reach out towards knowledge themselves. To this end, the professor should try to create a relaxed atmosphere, and choose the interactive parts of the lectures and tutorials so that they are a real dialogue. At the same time, the professor should send the clear message that active participation is a prerequisite for solid learning. Finally, I believe that the one-to-many communication from lectures can never replace the one- to-one communication from office hours. As a teaching assistant as well as (on one occasion) as a lecturer, I have always enjoyed answering student questions and further illustrating the course material without the time constraints of lectures or tutorials, where usually a predetermined material needs to be covered. I have noticed that such “off-line availability” of the instructor is decisive for the students’ general impression about the course, and also for their willingness to further deepen the study of the course topic.

2 Teaching Experience

My experience as a teaching assistant spans over two years at the University of Bucharest, 4 years at the University of Illinois (UIUC), and so far one semester at the Technische Universit¨at M¨unchen (TUM). At UIUC, I have worked for one semester with Elsa Gunter, assisting her with a course in programming languages and compilers. For several semesters I then worked with Tom Gambill at an introductory course in computer science for non-computer-science majors, and then for one semester with Lawrence Angrave at an introductory course in computer science for computer science majors. At TUM, I have held the tutorial session on a master course on programming language semantics, with the lectures held by Tobias Nipkow. In the last year of my Ph.D. in Illinois, I was offered to teach (as coinstructor together with Tom Gambill) an introductory course in computer science for economics students, with about 300 students and 4 teaching assistants being assigned to my half of the course. In 2006, I was a recipient of the Mavis Memorial Fund Scholarship Award, offered by the UIUC College of Engineering (http://cs.illinois.edu/csillinois/awards) to ”those stu- dents planning to become engineering teachers”. For this scholarship, “recipients are chosen based on their academic performance, research accomplishments, and demonstrated interest in engineering education.” As a teaching assistant at the University of Bucharest for courses on logic and theoretical computer science held by George Georgescu and Virgil C˘az˘anescu,I have helped recruiting some gifted students for academic jobs, among whom Daniel G˘ain˘aand Mihai Codescu. For Daniel, our interaction has yielded his first publications (two joint papers on abstract model theory). Nowadays, I have an active collaboration with Dmitriy Traytel, whose master thesis I have coadvised. Today Dmitriy is a Ph.D. student at our chair. Also, Andreas Schropp wrote a diploma thesis under my supervision, and now we have a joint paper accepted at a major theorem proving conference.

The following people are willing to testify on my teaching and leadership capabilities.

Ex-Supervisors and Senior Collaborators Dr. Tom Gambill—senior lecturer, UIUC Email: [email protected] Website: http://cs.illinois.edu/people/faculty

Prof. Tobias Nipkow—professor, TUM Email: [email protected] Website: http://www21.in.tum.de/~nipkow

Dr. Lawrence Angrave—senior lecturer, UIUC Email: [email protected] Website: https://www.coursera.org/instructor/lawrenceangrave

Prof. Elsa Gunter—research associate professor, UIUC Website: http://www.cs.uiuc.edu/~egunter Email: [email protected]

Prof. George Georgescu—professor, University of Bucharest http://fmi.unibuc.ro/ro/departamente/profasoc/georgescu_george/ email: [email protected]

Prof. Virgil C˘az˘anescu—professor, University of Bucharest http://www.unibuc.ro/prof/cazanescu_v_e email: [email protected]

Ex-Students and Junior Collaborators Daniel G˘ain˘a,Ph.D.—postdoctoral fellow, Japan Advanced Institute of Science and Technology Website: http://www.jaist.ac.jp/profiles/info_e.php?profile_id=568 Email: [email protected]

Mihai Codescu, Ph.D.—postdoctoral fellow, Friedrich-Alexander Universit¨atErlangen-N¨urnberg Website: http://www8.informatik.uni-erlangen.de/~codescu Email: [email protected]

Dmitriy Traytel, M.Sc. Website: http://home.in.tum.de/~traytel Email: [email protected]

Andreas Schropp, M.Sc. Website: http://home.in.tum.de/~schropp Email: [email protected] References

1. The Agda webpage. http://wiki.portal.chalmers.se/agda/pmwiki.php. 2. The Flyspeck project. https://code.google.com/p/flyspeck. 3. The Mizar home page. http://mizar.uwb.edu.pl. 4. The Twelf Project. http://twelf.plparty.org. 5. The HOL4 Theorem prover, 2010. http://hol.sourceforge.net. 6. The Abella Theorem prover, 2013. http://abella.cs.umn.edu. 7. The Isabelle mailing list, 2013. https://lists.cam.ac.uk/mailman/listinfo/cl-isabelle-users. 8. Project proposal: Security type systems and deduction. http://www21.in.tum.de/~popescua/rs3/ secded3-proposal.pdf, 2014. 9. Reliably secure software systems (RS3). http://www.reliably-secure-software-systems.de, 2014. 10. B. Akbarpour, A. T. Abdel-Hamid, S. Tahar, and J. Harrison. Verifying a synthesized implementa- tion of IEEE-754 floating-point exponential function using HOL. Comput. J., 53(4):465–488, 2010. 11. B. E. Aydemir, A. Bohannon, M. Fairbairn, J. N. Foster, B. C. Pierce, P. Sewell, D. Vytiniotis, G. Washburn, S. Weirich, and S. Zdancewic. Mechanized metatheory for the masses: The POPLmark challenge. In TPHOLs, pp. 50–65, 2005. 12. G. Barthe, B. Gr´egoire,S. Heraud, and S. Z. B´eguelin. Computer-aided security proofs for the working cryptographer. In CRYPTO, pp. 71–90, 2011. 13. B. Beckert, R. H¨ahnle,and P. H. Schmitt. Verification of Object-oriented Software: The KeY Ap- proach. Springer-Verlag, Berlin, Heidelberg, 2007. 14. S. Berghofer and T. Nipkow. Executing higher order logic. In TYPES, pp. 24–40, 2000. 15. Y. Bertot and P. Casteran. Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions. Springer, 2004. 16. J. C. Blanchette, S. B¨ohme,A. Popescu, and N. Smallbone. Encoding monomorphic and polymorphic types. In TACAS, pp. 493–507, 2013. 17. J. C. Blanchette, J. H¨olzl,A. Lochbihler, L. Panny, A. Popescu, and D. Traytel. Truly modular (co)datatypes for Isabelle/HOL. In 4th Conference on Interactive Theorem Proving (ITP), 2014. Draft available at http://www21.in.tum.de/~popescua/pdf/codat-impl.pdf. 18. J. C. Blanchette, L. Panny, A. Popescu, and D. Traytel. Defining (co)datatypes in Isabelle/HOL. Isabelle documentation http://isabelle.in.tum.de/dist/Isabelle/doc/datatypes.pdf, 2013. 19. J. C. Blanchette and A. Popescu. Mechanizing the metatheory of Sledgehammer. In FroCoS, pp. 245–260, 2013. 20. J. C. Blanchette and A. Popescu. Sound and complete sort encodings for first-order logic. Archive of Formal Proofs, 2013. 21. J. C. Blanchette, A. Popescu, and D. Traytel. Witnessing (co)datatypes. Draft available at http: //www21.in.tum.de/~popescua/pdf/WIT.pdf. 22. J. C. Blanchette, A. Popescu, and D. Traytel. Cardinals in Isabelle/HOL. In 4th Conference on Interactive Theorem Proving (ITP), 2014. Draft available at http://www21.in.tum.de/~popescua/ pdf/card.pdf. 23. J. C. Blanchette, A. Popescu, and D. Traytel. Modular first-order logic completeness—a coinductive pearl. 2014. 24. J. C. Blanchette, A. Popescu, D. Wand, and C. Weidenbach. More SPASS with Isabelle - superpo- sition with hard sorts and configurable simplification. In ITP, pp. 345–360, 2012. 25. S. B¨ohmeand T. Nipkow. Sledgehammer: Judgement day. In IJCAR, pp. 107–121, 2010. 26. R. Boyer and J. Moore. A Computational Logic Handbook. Academic Press, 1998. 27. R. L. Constable, S. F. Allen, H. M. Bromley, W. R. Cleaveland, J. F. Cremer, R. W. Harper, D. J. Howe, T. B. Knoblock, N. P. Mendler, P. Panangaden, J. T. Sasaki, and S. F. Smith. Implementing mathematics with the Nuprl proof development system. Prentice-Hall, Inc., 1986. 28. N. de Bruijn. Automath, a language for mathematics. Technical Report, Eindhoven University of Technology, 1967. 29. R. Diaconescu. Jewels of institution-independent model theory. In Essays Dedicated to Joseph A. Goguen, pp. 65–98, 2006. 30. R. Diaconescu. Institution-independent Model Theory. Springer, 2008. 31. J. Endrullis, D. Hendriks, and M. Bodin. Circular coinduction in coq using bisimulation-up-to techniques. In ITP, pp. 354–369, 2013. 32. J. Esparza, P. Lammich, R. Neumann, T. Nipkow, A. Schimpf, and J.-G. Smaus. A fully verified executable LTL model checker. In CAV, pp. 463–478, 2013. 33. D. G˘ain˘aand A. Popescu. An institution-independent generalization of Tarski’s elementary chain theorem. Journal of Logic and Computation, 16(6):713–735, 2007. 34. D. G˘ain˘aand A. Popescu. An institution-independent proof of the Robinson consistency theorem. Studia Logica, 85(1):41–73, 2007. 35. G. Georgescu and A. Popescu. Non-dual fuzzy connections. Arch. Math. Log., 43(8):1009–1039, 2004. 36. J. Goguen and R. Burstall. Institutions: Abstract model theory for specification and programming. Journal of the Association for Computing Machinery, 39(1):95–146, 1992. 37. G. Gonthier. The four colour theorem: Engineering of a formal proof. In ASCM, p. 333, 2007. 38. F. Haftmann and T. Nipkow. Code generation via higher-order rewrite systems. In FLOPS 2010, pp. 103–117. Springer, 2010. 39. D. S. Hardin. Design and Verification of Microprocessor Systems for High-Assurance Applications. Springer Publishing Company, Incorporated, 1st ed., 2010. 40. R. Harper, F. Honsell, and G. Plotkin. A framework for defining logics. In LICS, pp. 194–204, 1987. 41. J. Harrison. HOL Light: A tutorial introduction. In FMCAD ’96, vol. 1166 of LNCS, pp. 265–269. Springer, 1996. 42. J. Harrison. Formal proof – theory and practice. Notices of the American Mathematical Society, 55:1395–1406, 2008. 43. C.-K. Hur, G. Neis, D. Dreyer, and V. Vafeiadis. The power of parameterization in coinductive proof. In POPL, pp. 193–206, 2013. 44. IFC4BC, IFC4MC, MORES, SecDed, and SpAGAT. Security in web-based workflow management 3 systems – RS reference scenario report. Available at http://www21.in.tum.de/~popescua/rs3/ ref-scen-2014.pdf. 45. C. Kaliszyk and J. Urban. Learning-assisted automated reasoning with Flyspeck. CoRR, abs/1211.7012, 2012. 46. S. Kanav, P. Lammich, and A. Popescu. The CoCon website. http://www21.in.tum.de/~popescua/ rs3/GNE.html. 47. S. Kanav, P. Lammich, and A. Popescu. A conference management system with verified document confidentiality. In 26th International Conference on Computer Aided Verification (CAV), 2014. To appear. Preprint available at http://www21.in.tum.de/~popescua/pdf/CAV2014.pdf. 48. G. Klein, J. Andronick, K. Elphinstone, G. Heiser, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: formal verification of an operating-system kernel. Commun. ACM, 53(6):107–115, 2010. 49. X. Leroy. A formally verified compiler back-end. J. Autom. Reasoning, 43(4):363–446, 2009. 50. A. Lochbihler. Java and the Java memory model—A unified, machine-checked formalisation. In ESOP 2012, pp. 497–517, 2012. 51. H. Mantel. Possibilistic definitions of security - an assembly kit. In CSFW, pp. 185–199, 2000. 52. C. McBride. Epigram: Practical programming with dependent types. In Advanced Functional Pro- gramming, pp. 130–170, 2004. 53. J. McCarthy. A basis for a mathematical theory of computation. In Computer Programming and Formal Systems, pp. 33–70. North-Holland, 1963. 54. R. C. McDowell. Reasoning in a logic with definitions and induction. PhD thesis, University of Pennsylvania, 1997. 55. J. McLean. A general theory of composition for a class of “possibilistic” properties. IEEE Trans. Software Eng., 22(1):53–67, 1996. 56. R. Milner. Logic for computable functions: description of a machine implementation. Technical Report, Stanford University, 1972. 57. R. Milner. Communication and concurrency. Prentice Hall, 1989. 58. T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic. Springer, 2002. 59. C. Paulin-Mohring and B. Werner. Synthesis of ML programs in the system Coq. J. Symb. Comput., 15(5/6):607–640, 1993. 60. L. C. Paulson and J. C. Blanchette. Three years of experience with sledgehammer, a practical link between automatic and interactive theorem provers. In G. Sutcliffe, S. Schulz, and E. Ternovska, eds., IWIL 2010, vol. 2 of EPiC Series, pp. 1–11. EasyChair, 2012. 61. F. Pfenning and C. Elliot. Higher-order abstract syntax. In PLDI, pp. 199–208, 1988. 62. A. Popescu. Contributions to the theory of syntax with bindings and to process algebra. Ph.D. Thesis, Univ. of Illinois, 2010. http://www4.in.tum.de/~popescua/thesis.pdf. 63. A. Popescu. My work on datatypes. http://www21.in.tum.de/~popescua/Work_on_Datatypes.pdf. 64. A. Popescu. A general approach to fuzzy concepts. Math. Log. Q., 50(3):265–280, 2004. 65. A. Popescu. Many-valued relation algebras. Algebra Universalis, 53(1):73–108, 2005. 66. A. Popescu. Some algebraic theory for many-valued relation algebras. Algebra Universalis, 56(2):211– 235, 2007. 67. A. Popescu. Ordinals and cardinals. Archive of Formal Proofs, March 2009. http://afp. sourceforge.net/entries/Coinductive.shtml, Formal proof development. 68. A. Popescu. Weak bisimilarity coalgebraically. In CALCO’09, pp. 157–172, 2009. 69. A. Popescu and E. L. Gunter. Incremental pattern-based coinduction for process algebra and its isabelle formalization. In FOSSACS, pp. 109–127, 2010. 70. A. Popescu and E. L. Gunter. Recursion principles for syntax with bindings and substitution. In ICFP, pp. 346–358, 2011. 71. A. Popescu, E. L. Gunter, and C. J. Osborn. Strong normalization of System F by HOAS on top of FOAS. In LICS, pp. 31–40, 2010. 72. A. Popescu, J. H¨olzl,and T. Nipkow. Proving concurrent noninterference. In CPP, pp. 109–125, 2012. 73. A. Popescu, J. H¨olzl,and T. Nipkow. Formal verification of concurrent noninterference. Journal of Formalized Reasoning, 6(1), 2013. 74. A. Popescu, J. H¨olzl,and T. Nipkow. Formalizing probabilistic noninterference. In CPP, pp. 259–275, 2013. 75. A. Popescu, J. H¨olzl,and T. Nipkow. Noninterfering schedulers - when possibilistic noninterference implies probabilistic noninterference. In CALCO, pp. 236–252, 2013. 76. A. Popescu, T.-F. Serbanuta, and G. Rosu. A semantic approach to interpolation. Theor. Comput. Sci., 410(12-13):1109–1128, 2009. 77. J. C. Reynolds. Types, abstraction and parametric polymorphism. In IFIP Congress, pp. 513–523, 1983. 78. P. Rudnicki and J. Urban. Escape to ATP for Mizar. PxTP 2011. 79. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5–19, 2003. 80. A. Schropp and A. Popescu. Nonfree datatypes in isabelle/hol - animating a many-sorted metatheory. In CPP, pp. 114–130, 2013. 81. V. Tannen and R. Subrahmanyam. Logical and computational aspects of programming with sets/bags/lists. In ICALP, pp. 60–75, 1991. 82. D. Traytel, A. Popescu, and J. C. Blanchette. Foundational, compositional (co)datatypes for higher- order logic—Category theory applied to theorem proving. In LICS, pp. 596–605. 2012. 83. A. Zakinthinos and E. S. Lee. A general theory of security properties. In IEEE Symposium on Security and Privacy, pp. 94–102, 1997.