A Gradual Approach to a More Trustworthy, Yet Scalable, Proof-Carrying Code
Proof-carrying code (PCC) allows a code producer to associate to a program a machine-checkable proof of its safety. In the original approach to PCC, the safety policy includes proof rules which determine how various actions are to be proved safe. These proof rules have been considered part of the trusted code base (TCB) of the PCC system. We wish to remove the proof rules from the TCB by providing a formal proof of their soundness. This makes the PCC system more secure, by reducing the TCB; it also makes the system more flexible, by allowing code producers to provide their own safety-policy proof rules, if they can guarantee their soundness. Furthermore this security and flexibility are gained without any loss in the ability to handle large programs.
In this paper we discuss how to produce the necessary formal soundness theorem given a safety policy. As an application of the framework, we have used the Coq system to prove the soundness of the proof rules for a type-based safety policy for native machine code compiled from Java.
Unable to display preview. Download preview PDF.
- 1.Andrew W. Appel. Foundational proof-carrying code. In Proceedings of the 16th Annual IEEE Symposium on Logic in Computer Science, pages 247–258, June 2001.Google Scholar
- 2.Andrew W. Appel and Amy P. Felty. A semantic model of types and machine instructions for proof-carrying code. In POPL’ 00: The 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 243–253. ACM Press, January 2000.Google Scholar
- 3.Christopher Colby, Peter Lee, George C. Necula, Fred Blau, Mark Plesko, and Kenneth Cline. A certifying compiler for Java. ACM SIGPLAN Notices, 35(5):95–107, May 2000.Google Scholar
- 4.Coq Development Team. The Coq proof assistant reference manual, version 7.2. January 2002.Google Scholar
- 5.Nadeem A. Hamid, Zhong Shao, Valery Trifonov, Stefan Monnier, and Zhaozhong Ni. A syntactic approach to foundational proof-carrying code. Submitted for publication, January 2002.Google Scholar
- 6.Neophytos G. Michael and Andrew W. Appel. Machine instruction syntax and semantics in higher-order logic. In Proceedings of the 17th International Conference on Automated Deduction, pages 7–24. Springer-Verlag, June 2000.Google Scholar
- 7.George C. Necula. Proof-carrying code. In The 24th Annual ACM Symposium on Principles of Programming Languages, pages 106–119. ACM, January 1997.Google Scholar
- 8.George C. Necula. Compiling with Proofs. PhD thesis, Carnegie Mellon University, September 1998. Also available as CMU-CS-98-154.Google Scholar
- 9.George C. Necula. A scalable architecture for proof-carrying code. In The 5th International Symposium of Functional and Logic Programming, pages 21–39, March 2001.Google Scholar