Software Security — Theories and Systems

Volume 2609 of the series Lecture Notes in Computer Science pp 283-298


Proof-Carrying Code with Untrusted Proof Rules

  • George C. Necula, Department of Electrical Engineering and Computer Sciences, University of California
  • Robert R. Schneck, Group in Logic and the Methodology of Science, University of California



Proof-carrying code (PCC) allows a code producer to associate to a program a machine-checkable proof of its safety. In traditional implementations of PCC the producer negotiates beforehand with the consumer, in an unspecified way, for permission to prove safety in whatever high-level way it chooses. In practice this has meant that high-level rules for type safety have been hard-wired into the system as part of the trusted code base. This limits both the security and the flexibility of the PCC system.

In this paper, we exhibit an approach to removing the safety proof rules from the trusted base, with a technique by which the producer can convince the consumer that a given set of high-level safety rules enforce a strong global invariant that entails the trusted low-level memory safety policy.