Prototyping Proof Carrying Code

  • Martin Wildmoser
  • Tobias Nipkow
  • Gerwin Klein
  • Sebastian Nanz
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 155)


We introduce a generic framework for proof carrying code, developed and mechanically verified in Isabelle/HOL. The framework defines and proves sound a verification condition generator with minimal assumptions on the underlying programming language, safety policy, and safety logic. We demonstrate its usability for prototyping proof carrying code systems by instantiating it to a simple assembly language with procedures and a safety policy for arithmetic overflow.



Copyright information

© Springer Science + Business Media, Inc. 2004

Authors and Affiliations

  • Martin Wildmoser (1)
  • Tobias Nipkow (1)
  • Gerwin Klein (2)
  • Sebastian Nanz (3)
  1. Institut für Informatik, Technische Universität München, Germany
  2. National ICT Australia, Sydney
  3. Department of Computer Science, Yale University, USA
