Proof-Carrying Code with Untrusted Proof Rules

  • George C. Necula
  • Robert R. Schneck
Conference paper

DOI: 10.1007/3-540-36532-X_18

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2609)
Cite this paper as:
Necula G.C., Schneck R.R. (2003) Proof-Carrying Code with Untrusted Proof Rules. In: Okada M., Pierce B.C., Scedrov A., Tokuda H., Yonezawa A. (eds) Software Security — Theories and Systems. Lecture Notes in Computer Science, vol 2609. Springer, Berlin, Heidelberg


Proof-carrying code (PCC) allows a code producer to associate with a program a machine-checkable proof of its safety. In traditional implementations of PCC, the producer negotiates beforehand, and in an unspecified way, with the consumer the permission to prove safety in whatever high-level way it chooses. In practice this has meant that high-level rules for type safety have been hard-wired into the system as part of the trusted code base. This limits the security and flexibility of the PCC system.

In this paper, we exhibit an approach to removing the safety proof rules from the trusted base, using a technique by which the producer can convince the consumer that a given set of high-level safety rules enforces a strong global invariant that entails the trusted low-level memory safety policy.


Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • George C. Necula — Department of Electrical Engineering and Computer Sciences, University of California, Berkeley
  • Robert R. Schneck — Group in Logic and the Methodology of Science, University of California, Berkeley
