Abstract
Proof-carrying code (PCC) and other applications in computer security require machine-checkable proofs of properties of machine-language programs. The main advantage of the PCC approach is that the amount of code that must be explicitly trusted is very small: it consists of the logic in which predicates and proofs are expressed, the safety predicate, and the proof checker. We have built a minimal proof checker, and we explain its design principles and the representation issues of the logic, safety predicate, and safety proofs. We show that the trusted computing base (TCB) in such a system can indeed be very small. In our current system the TCB is less than 2,700 lines of code (an order of magnitude smaller even than other PCC systems), which adds to our confidence in its correctness.
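The abstract names the three trusted components of a PCC system (the logic, the safety predicate, and the proof checker) and puts everything else, including the code producer and its proofs, outside the TCB. The following is an added toy illustration of that division, written for this page; it is not the paper's checker, its logic, or its safety predicate. It assumes a constructed, propositional "logic" with implication and conjunction, proof terms in the Curry-Howard style, and a constructed safety predicate saying that every memory region a program touches is among the regions the loader granted. The untrusted producer builds a proof; the checker only infers what the proof actually establishes and compares it with the predicate it computed itself.

```python
from dataclasses import dataclass
from typing import Union

# ---- Trusted: the logic (formulas and the meaning of proof terms) ----
@dataclass(frozen=True)
class Atom:            # proposition such as "region stack is accessible"
    name: str
@dataclass(frozen=True)
class Imp:             # a -> b
    a: "Formula"; b: "Formula"
@dataclass(frozen=True)
class And:             # a /\ b
    a: "Formula"; b: "Formula"
Formula = Union[Atom, Imp, And]

# ---- Proof terms: produced by the UNTRUSTED side, only inspected by the checker ----
@dataclass(frozen=True)
class Hyp:             # use an assumption currently in scope
    name: str
@dataclass(frozen=True)
class Lam:             # implication introduction: assume name : formula, prove body
    name: str; formula: Formula; body: "Proof"
@dataclass(frozen=True)
class App:             # implication elimination (modus ponens)
    f: "Proof"; x: "Proof"
@dataclass(frozen=True)
class Pair:            # conjunction introduction
    l: "Proof"; r: "Proof"
@dataclass(frozen=True)
class Fst:             # conjunction elimination, left
    p: "Proof"
@dataclass(frozen=True)
class Snd:             # conjunction elimination, right
    p: "Proof"

class ProofError(Exception):
    pass

def infer(proof, ctx):
    """Trusted core: return the formula `proof` establishes under hypotheses `ctx`, or raise."""
    if isinstance(proof, Hyp):
        if proof.name not in ctx:
            raise ProofError(f"unbound hypothesis {proof.name}")
        return ctx[proof.name]
    if isinstance(proof, Lam):
        return Imp(proof.formula, infer(proof.body, {**ctx, proof.name: proof.formula}))
    if isinstance(proof, App):
        f, x = infer(proof.f, ctx), infer(proof.x, ctx)
        if not isinstance(f, Imp) or f.a != x:
            raise ProofError("modus ponens: argument does not match premise")
        return f.b
    if isinstance(proof, Pair):
        return And(infer(proof.l, ctx), infer(proof.r, ctx))
    if isinstance(proof, (Fst, Snd)):
        p = infer(proof.p, ctx)
        if not isinstance(p, And):
            raise ProofError("projection from a non-conjunction")
        return p.a if isinstance(proof, Fst) else p.b
    raise ProofError("unknown proof constructor")

def conj(fs):
    """Right-nested conjunction of a non-empty list of formulas."""
    f = fs[-1]
    for g in reversed(fs[:-1]):
        f = And(g, f)
    return f

def safety_predicate(granted, program):
    """Trusted: the theorem the producer must prove for `program` (constructed model:
    a program is the list of region names it touches, `granted` the regions the loader allows)."""
    return Imp(conj([Atom(g) for g in granted]), conj([Atom(r) for r in program]))

def check(proof, predicate):
    """Trusted: accept the proof only if it proves exactly the predicate we computed."""
    try:
        return infer(proof, {}) == predicate
    except ProofError:
        return False

# ---- Untrusted producer: builds proofs by projecting out of the granted-regions hypothesis ----
def project(hyp_name, n, i):
    p = Hyp(hyp_name)
    for _ in range(i):
        p = Snd(p)
    return p if i == n - 1 else Fst(p)

def produce_proof(granted, program):
    """Returns a proof term, or None when the program touches an ungranted region (no proof exists)."""
    if any(r not in granted for r in program):
        return None
    parts = [project("h", len(granted), granted.index(r)) for r in program]
    body = parts[-1]
    for p in reversed(parts[:-1]):
        body = Pair(p, body)
    return Lam("h", conj([Atom(g) for g in granted]), body)

def demo():
    """Honest proof is accepted; a proof of a stronger (attacker-chosen) premise is rejected."""
    granted, prog = ["stack", "heap"], ["heap", "stack", "heap"]
    honest = check(produce_proof(granted, prog), safety_predicate(granted, prog))
    bad_prog = ["heap", "kernel"]
    forged = produce_proof(["stack", "heap", "kernel"], bad_prog)  # valid proof of the wrong theorem
    rejected = check(forged, safety_predicate(granted, bad_prog))
    return honest, rejected
```

The point the abstract makes is visible in the code: `infer`, `conj`, `safety_predicate` and `check` are the whole TCB, while `produce_proof` can be as clever or as buggy as it likes, since the checker never trusts what a proof claims, only what its structure establishes against the predicate the checker derived itself.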
Appel, A.W., Michael, N., Stump, A. et al. A Trustworthy Proof Checker. Journal of Automated Reasoning 31, 231–260 (2003). https://doi.org/10.1023/B:JARS.0000021013.61329.58