A Framework for Certified Program Analysis and Its Applications to Mobile-Code Safety

  • Bor-Yuh Evan Chang
  • Adam Chlipala
  • George C. Necula
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3855)


A certified program analysis is an analysis whose implementation is accompanied by a checkable proof of soundness. We present a framework whose purpose is to simplify the development of certified program analyses without compromising the run-time efficiency of the analyses. At the core of the framework is a novel technique for automatically extracting Coq proof-assistant specifications from ML implementations of program analyses, while preserving to a large extent the structure of the implementation. We show that this framework allows developers of mobile code to provide to the code receivers untrusted code verifiers in the form of certified program analyses. We demonstrate efficient implementations in this framework of bytecode verification, typed assembly language, and proof-carrying code.


Program Analysis Abstract Interpretation Execution Trace Proof Assistant Java Virtual Machine 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Appel, A.W.: Foundational proof-carrying code. In: Proc. of the 16th Symposium on Logic in Computer Science, June 2001, pp. 247–258 (2001)Google Scholar
  2. 2.
    Appel, A.W., Felty, A.P.: A semantic model of types and machine instructions for proof-carrying code. In: Proc. of the 27th Symposium on Principles of Programming Languages, January 2000, pp. 243–253 (2000)Google Scholar
  3. 3.
    Barthe, G., Courtieu, P., Dufay, G., de Sousa, S.M.: Tool-assisted specification and verification of the javaCard platform. In: Kirchner, H., Ringeissen, C. (eds.) AMAST 2002. LNCS, vol. 2422, p. 41. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Benton, N., Kennedy, A., Russell, G.: Compiling Standard ML to Java bytecodes. In: Proc. of the International Conference on Functional Programming, June 1999, pp. 129–140 (1999)Google Scholar
  5. 5.
    Bertot, Y.: Formalizing a JVML verifier for initialization in a theorem prover. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 14–24. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A static analyzer for large safety-critical software. In: Proc. of the Conference on Programming Language Design and Implementation, pp. 196–207 (2003)Google Scholar
  7. 7.
    Bothner, P.: Kawa — compiling dynamic languages to the Java VM. In: Proc. of the FreeNIX Track: USENIX 1998 annual technical conference (1998)Google Scholar
  8. 8.
    Cachera, D., Jensen, T.P., Pichardie, D., Rusu, V.: Extracting a data flow analyser in constructive logic. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 385–400. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Chang, B.-Y.E., Chlipala, A., Necula, G.C.: A framework for certified program analysis and its applications to mobile-code safety. Technical Report UCB ERL M05/32, University of California, Berkeley (2005)Google Scholar
  10. 10.
    Chang, B.-Y.E., Chlipala, A., Necula, G.C., Schneck, R.R.: The Open Verifier framework for foundational verifiers. In: Proc. of the 2nd Workshop on Types in Language Design and Implementation (January 2005)Google Scholar
  11. 11.
    Colby, C., Lee, P., Necula, G.C., Blau, F., Plesko, M., Cline, K.: A certifying compiler for Java. In: Proc. of the Conference on Programming Language Design and Implementation, May 2000, pp. 95–107 (2000)Google Scholar
  12. 12.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. of the 4th Symposium on Principles of Programming Languages, pp. 234–252 (January 1977)Google Scholar
  13. 13.
    Cousot, P., Cousot, R.: Abstract interpretation frameworks. J. Log. Comput. 2(4), 511–547 (1992)CrossRefMathSciNetzbMATHGoogle Scholar
  14. 14.
    Crary, K.: Toward a foundational typed assembly language. In: Proc. of the 30th Symposium on Principles of Programming Languages, January 2003, pp. 198–212 (2003)Google Scholar
  15. 15.
    Dijkstra, E.W.: Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM 18, 453–457 (1975)CrossRefMathSciNetzbMATHGoogle Scholar
  16. 16.
    Filliâtre, J.-C.: Why: a multi-language multi-prover verification tool. Research Report 1366, LRI, Université Paris Sud (March 2003)Google Scholar
  17. 17.
    Filliâtre, J.-C., Marché, C.: Multi-Prover Verification of C Programs. In: Davies, J., Schulte, W., Barnett, M. (eds.) ICFEM 2004. LNCS, vol. 3308, pp. 15–29. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  18. 18.
    Gordon, A.D., Syme, D.: Typing a multi-language intermediate code. In: Proc. of the 28th Symposium on Principles of Programming Languages, pp. 248–260 (January 2001)Google Scholar
  19. 19.
    Gough, K.J., Corney, D.: Evaluating the Java virtual machine as a target for languages other than Java. In: Joint Modula Languages Conference (September 2000)Google Scholar
  20. 20.
    Hamid, N.A., Shao, Z., Trifonov, V., Monnier, S., Ni, Z.: A syntactic approach to foundational proof-carrying code. In: Proc. of the 17th Symposium on Logic in Computer Science, pp. 89–100 (July 2002)Google Scholar
  21. 21.
    Klein, G., Nipkow, T.: Verified lightweight bytecode verification. Concurrency – practice and experience 13(1) (2001)Google Scholar
  22. 22.
    Klein, G., Nipkow, T.: Verified bytecode verifiers. Theor. Comput. Sci. 298(3), 583–626 (2003)CrossRefMathSciNetzbMATHGoogle Scholar
  23. 23.
    Lasseter, J.H.E.F.: Toolkits for the automatic construction of data flow analyzers. Technical Report CIS-TR-04-03, University of Oregon (2003)Google Scholar
  24. 24.
    Lerner, S., Millstein, T., Rice, E., Chambers, C.: Automated soundness proofs for dataflow analyses and transformations via local rules. In: Proc. of the 32nd Symposium on Principles of Programming Languages, pp. 364–377 (2005)Google Scholar
  25. 25.
    Lindholm, T., Yellin, F.: The Java Virtual Machine Specification. The Java Series. Addison-Wesley, Reading (January 1997)Google Scholar
  26. 26.
    Morrisett, G., Crary, K., Glew, N., Grossman, D., Samuels, R., Smith, F., Walker, D., Weirich, S., Zdancewic, S.: Talc releases (2003),
  27. 27.
    Necula, G.C.: Proof-carrying code. In: Proc. of the 24th Symposium on Principles of Programming Languages, pp. 106–119 (January 1997)Google Scholar
  28. 28.
    Necula, G.C., Jhala, R., Majumdar, R., Henzinger, T.A., Weimer, W.: Temporal-safety proofs for systems code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, p. 526. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  29. 29.
    Paulson, L.C.: Isabelle. LNCS, vol. 828. Springer, Heidelberg (1994)zbMATHGoogle Scholar
  30. 30.
    Rose, E.: Lightweight bytecode verification. J. Autom. Reason. 31(3-4), 303–334 (2003)CrossRefzbMATHGoogle Scholar
  31. 31.
    Wadler, P.: Monads for functional programming. In: Jeuring, J., Meijer, E. (eds.) AFP 1995. LNCS, vol. 925, pp. 24–52. Springer, Heidelberg (1995)Google Scholar
  32. 32.
    Wu, D., Appel, A.W., Stump, A.: Foundational proof checkers with small witnesses. In: Proc. of the 5th International Conference on Principles and Practice of Declarative Programming, August 2003, pp. 264–274 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Bor-Yuh Evan Chang
    • 1
  • Adam Chlipala
    • 1
  • George C. Necula
    • 1
  1. 1.University of CaliforniaBerkeleyUSA

Personalised recommendations