Automated Deduction—CADE-18

Volume 2392 of the series Lecture Notes in Computer Science pp 47-62


A Gradual Approach to a More Trustworthy, Yet Scalable, Proof-Carrying Code

  • Robert R. SchneckAffiliated withGroup in Logic and the Methodology of Science, University of California
  • , George C. NeculaAffiliated withDepartment of Electrical Engineering and Computer Sciences, University of California

* Final gross prices may vary according to local VAT.

Get Access


Proof-carrying code (PCC) allows a code producer to associate to a program a machine-checkable proof of its safety. In the original approach to PCC, the safety policy includes proof rules which determine how various actions are to be proved safe. These proof rules have been considered part of the trusted code base (TCB) of the PCC system. We wish to remove the proof rules from the TCB by providing a formal proof of their soundness. This makes the PCC system more secure, by reducing the TCB; it also makes the system more flexible, by allowing code producers to provide their own safety-policy proof rules, if they can guarantee their soundness. Furthermore this security and flexibility are gained without any loss in the ability to handle large programs.

In this paper we discuss how to produce the necessary formal soundness theorem given a safety policy. As an application of the framework, we have used the Coq system to prove the soundness of the proof rules for a type-based safety policy for native machine code compiled from Java.