About

Justin Hsu is an associate professor of computer science at Cornell University. He previously served as an assistant professor in the Department of Computer Sciences at the University of Wisconsin–Madison and completed postdoctoral research in the Department of Computer Science at Cornell University and in the Programming Principles, Logic, and Verification Group at University College London. He obtained his Ph.D. from the Department of Computer Science at the University of Pennsylvania. Hsu's research focuses on designing methods to formally verify that algorithms are correct. He is especially interested in programs satisfying quantitative guarantees or other properties from mathematical or scientific applications. A particular focus of his work has been verifying programs that use randomization, which can be easy to show correct on paper but challenging for computers to analyze. Drawing inspiration from human reasoning about randomized algorithms, he develops simpler and more automated verification techniques. His applications include properties such as statistical accuracy, incentive compatibility, Markov chain mixing, algorithmic stability, and differential privacy. Broadly, Hsu is interested in verification for programs with rich mathematical structures and properties, including continuous-time systems, programs with symmetries, economic mechanisms, runtime monitors for hierarchical policies, and algorithms from numerical analysis and applied mathematics.

Research topics

• Artificial Intelligence
• Computer Science
• Programming language
• Mathematics
• Theoretical computer science
• Algorithm

Selected publications

• eggshel: A Floating-Point Backward Error Analysis Tool

  Zenodo (CERN European Organization for Nuclear Research) · 2026-03-14

  otherOpen accessSenior author

  eggshel is the tool described in Section 6 of the paper Synthesizing Backward Error Bounds, Backward.

  PublisherDOI

• eggshel: A Floating-Point Backward Error Analysis Tool

  Zenodo (CERN European Organization for Nuclear Research) · 2026-04-02

  otherOpen accessSenior author

  eggshel is the tool described in Section 6 of the paper Synthesizing Backward Error Bounds, Backward.

  PublisherDOI

• SafeTree: Expressive Tree Policies for Microservices

  Proceedings of the ACM on Programming Languages · 2025-10-09

  articleOpen accessSenior author

  A microservice-based application is composed of multiple self-contained components called microservices, and controlling inter-service communication is important for enforcing safety properties. Presently, inter-service communication is configured using microservice deployment tools. However, such tools only support a limited class of single-hop policies, which can be overly permissive because they ignore the rich service tree structure of microservice calls. Policies that can express the service tree structure can offer development and security teams more fine-grained control over communication patterns. To this end, we design an expressive policy language to specify service tree structures, and we develop a visibly pushdown automata-based dynamic enforcement mechanism to enforce service tree policies. Our technique is non-invasive: it does not require any changes to service implementations, and does not require access to microservice code. To realize our method, we build a runtime monitor on top of a service mesh, an emerging network infrastructure layer that can control inter-service communication during deployment. In particular, we employ the programmable network traffic filtering capabilities of Istio, a popular service mesh implementation, to implement an online and distributed monitor. Our experiments show that our monitor can enforce rich safety properties while adding minimal latency overhead on the order of milliseconds.

  PublisherDOI

• A Hoare Logic for Symmetry Properties

  ArXiv.org · 2025-08-30

  preprintOpen accessSenior author

  Many natural program correctness properties can be stated in terms of symmetries, but existing formal methods have little support for reasoning about such properties. We consider how to formally verify a broad class of symmetry properties expressed in terms of group actions. To specify these properties, we design a syntax for group actions, supporting standard constructions and a natural notion of entailment. Then, we develop a Hoare-style logic for verifying symmetry properties of imperative programs, where group actions take the place of the typical pre- and post-condition assertions. Finally, we develop a prototype tool SymVerif, and use it to verify symmetry properties on a series of handcrafted benchmarks. Our tool uncovered an error in a model of a dynamical system described by \citet{McLachlan_Quispel_2002}.

  PublisherOA PDFDOI

• Convex language semantics for nondeterministic probabilistic automata

  Theoretical Computer Science · 2025-03-22 · 1 citations

  article
  PublisherDOI

• Stable and Fault-Tolerant Decentralized Traffic Engineering

  ArXiv.org · 2025-10-13

  preprintOpen access

  Cloud providers have recently decentralized their wide-area network traffic engineering (TE) systems to contain the impact of TE controller failures. In the decentralized design, a controller fault only impacts its slice of the network, limiting the blast radius to a fraction of the network. However, we find that autonomous slice controllers can arrive at divergent traffic allocations that overload links by 30% beyond their capacity. We present Symphony, a decentralized TE system that addresses the challenge of divergence-induced congestion while preserving the fault-isolation benefits of decentralization. By augmenting TE objectives with quadratic regularization, Symphony makes traffic allocations robust to demand perturbations, ensuring TE controllers naturally converge to compatible allocations without coordination. In parallel, Symphony's randomized slicing algorithm partitions the network to minimize blast radius by distributing critical traffic sources across slices, preventing any single failure from becoming catastrophic. These innovations work in tandem: regularization ensures algorithmic stability to traffic allocations while intelligent slicing provides architectural resilience in the network. Through extensive evaluation on cloud provider WANs, we show Symphony reduces divergence-induced congestion by 14x and blast radius by 79% compared to current practice.

  PublisherOA PDFDOI

• Bean: A Language for Backward Error Analysis

  Proceedings of the ACM on Programming Languages · 2025-06-10 · 2 citations

  articleOpen accessSenior author

  Backward error analysis offers a method for assessing the quality of numerical programs in the presence of floating-point rounding errors. However, techniques from the numerical analysis literature for quantifying backward error require substantial human effort, and there are currently no tools or automated methods for statically deriving sound backward error bounds. To address this gap, we propose Bean, a typed first-order programming language designed to express quantitative bounds on backward error. Bean’s type system combines a graded coeffect system with strict linearity to soundly track the flow of backward error through programs. We prove the soundness of our system using a novel categorical semantics, where every Bean program denotes a triple of related transformations that together satisfy a backward error guarantee. To illustrate Bean’s potential as a practical tool for automated backward error analysis, we implement a variety of standard algorithms from numerical linear algebra in Bean, establishing fine-grained backward error bounds via typing in a compositional style. We also develop a prototype implementation of Bean that infers backward error bounds automatically. Our evaluation shows that these inferred bounds match worst-case theoretical relative backward error bounds from the literature, underscoring Bean’s utility in validating a key property of numerical programs: numerical stability .

  PublisherDOI

• A Hoare Logic for Symmetry Properties

  Proceedings of the ACM on Programming Languages · 2025-10-09

  articleOpen accessSenior author

  Many natural program correctness properties can be stated in terms of symmetries, but existing formal methods have little support for reasoning about such properties. We consider how to formally verify a broad class of symmetry properties expressed in terms of group actions. To specify these properties, we design a syntax for group actions, supporting standard constructions and a natural notion of entailment. Then, we develop a Hoare-style logic for verifying symmetry properties of imperative programs, where group actions take the place of the typical pre- and post-condition assertions. Finally, we develop a prototype tool SymVerif , and use it to verify symmetry properties on a series of handcrafted benchmarks. Our tool uncovered an error in a model of a dynamical system described by McLachlan and Quispel [Acta Numerica 2002].

  PublisherDOI

• A Categorical Approach to DIBI Models

  arXiv (Cornell University) · 2024-01-11

  preprintOpen access

  The logic of Dependence and Independence Bunched Implications (DIBI) is a logic to reason about conditional independence (CI); for instance, DIBI formulas can characterise CI in probability distributions and relational databases, using the probabilistic and relational DIBI models, respectively. Despite the similarity of the probabilistic and relational models, a uniform, more abstract account remains unsolved. The laborious case-by-case verification of the frame conditions required for constructing new models also calls for such a treatment. In this paper, we develop an abstract framework for systematically constructing DIBI models, using category theory as the unifying mathematical language. In particular, we use string diagrams -- a graphical presentation of monoidal categories -- to give a uniform definition of the parallel composition and subkernel relation in DIBI models. Our approach not only generalises known models, but also yields new models of interest and reduces properties of DIBI models to structures in the underlying categories. Furthermore, our categorical framework enables a logical notion of CI, in terms of the satisfaction of specific DIBI formulas. We compare it with string diagrammatic approaches to CI and show that it is an extension of string diagrammatic CI under reasonable conditions.

  PublisherOA PDFDOI

• Numerical Fuzz: A Type System for Rounding Error Analysis

  Proceedings of the ACM on Programming Languages · 2024-06-20 · 4 citations

  articleOpen accessSenior author

  Algorithms operating on real numbers are implemented as floating-point computations in practice, but floatingpoint operations introduce roundoff errors that can degrade the accuracy of the result. We propose <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" display="inline" overflow="scroll"> <mml:msub> <mml:mi mathvariant="normal">Λ</mml:mi> <mml:mi fontfamily="Georgia" mathvariant="bold">num</mml:mi> </mml:msub> </mml:math> , a functional programming language with a type system that can express quantitative bounds on roundoff error. Our type system combines a sensitivity analysis, enforced through a linear typing discipline, with a novel graded monad to track the accumulation of roundoff errors. We prove that our type system is sound by relating the denotational semantics of our language to the exact and floating-point operational semantics. To demonstrate our system, we instantiate <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" display="inline" overflow="scroll"> <mml:msub> <mml:mi mathvariant="normal">Λ</mml:mi> <mml:mi fontfamily="Georgia" mathvariant="bold">num</mml:mi> </mml:msub> </mml:math> with error metrics proposed in the numerical analysis literature and we show how to incorporate rounding operations that faithfully model aspects of the IEEE 754 floating-point standard. To show that <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" display="inline" overflow="scroll"> <mml:msub> <mml:mi mathvariant="normal">Λ</mml:mi> <mml:mi fontfamily="Georgia" mathvariant="bold">num</mml:mi> </mml:msub> </mml:math> can be a useful tool for automated error analysis, we develop a prototype implementation for <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" display="inline" overflow="scroll"> <mml:msub> <mml:mi mathvariant="normal">Λ</mml:mi> <mml:mi fontfamily="Georgia" mathvariant="bold">num</mml:mi> </mml:msub> </mml:math> that infers error bounds that are competitive with existing tools, while often running significantly faster. Finally, we consider semantic extensions of our graded monad to bound error under more complex rounding behaviors, such as non-deterministic and randomized rounding.

  PublisherOA PDFDOI

Recent grants

• SaTC: CORE: Medium: SPIPS: Security and Privacy in Programmable Switches

  NSF · $1.2M · 2021–2026

• CAREER: SHF: Compositional Analysis of Randomized Algorithms

  NSF · $412k · 2020–2021

Frequent coauthors

• Gilles Barthe

  Max Planck Institute for Security and Privacy

  55 shared

• Marco Gaboardi

  Boston University

  43 shared

• Pierre-Yves Strub

  35 shared

• Thomas Espitau

  20 shared

• Benjamin Grégoire

  19 shared

• Aaron Roth

  18 shared

• Tetsuya Sato

  14 shared

• Aws Albarghouthi

  12 shared

Education

• Ph.D., Computer Science

  University of Pennsylvania

• Other, Computer Science

  Cornell University

• Other, Programming Principles, Logic, and Verification

  University College London

Awards & honors

• NSF Faculty Early Career Development Award (CAREER)