Safe, Untrusted Agents Using Proof-Carrying Code
Proof-Carrying Code (PCC) enables a computer system to determine, automatically and with certainty, that program code provided by another system is safe to install and execute without requiring interpretation or run-time checking. PCC has applications in any computing system in which the safe, efficient, and dynamic installation of code is needed. The key idea is to attach to the code an easily-checkable proof that its execution does not violate the safety policy of the receiving system. This paper describes the design and a typical implementation of Proof-Carrying Code, where the language used for specifying the safety properties is first-order predicate logic. Examples of safety properties described in this paper are memory safety and compliance with data access policies, resource usage bounds, and data abstraction boundaries.
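The division of labour the abstract describes (untrusted producer supplies code plus a proof; trusted consumer runs a verification-condition generator and a cheap proof checker, never a prover) is illustrated below by an added toy model in Python. It is not the paper's code: the two-instruction register language, the memory-safety policy (every access in [0, MEM_SIZE)), the precondition on input register i, and the three-rule proof system are all constructed for this example.

```python
# Added toy model of the PCC pipeline; constructed example, not the paper's code.
# Consumer side (trusted): vcgen + check_proof. Producer side (untrusted): the
# program and its proof object. The consumer never searches for a proof.
MEM_SIZE = 16
PRE_LO, PRE_HI = 0, 3          # safety precondition: input register i in [0, 3]

def vcgen(program):
    """Symbolic execution. Registers hold (base_register, offset); each memory
    access yields one obligation 'base + off in [0, MEM_SIZE-1]'."""
    regs, obligations = {"i": ("i", 0)}, []
    for op, dst, src, k in program:
        base, off = regs[src]
        if op == "add":                   # dst := src + k
            regs[dst] = (base, off + k)
        elif op == "load":                # dst := mem[src + k]
            obligations.append((base, off + k, 0, MEM_SIZE - 1))
            regs[dst] = ("top", 0)        # a loaded value is unconstrained
        else:
            raise ValueError("unknown instruction %r" % op)
    return obligations

def check_proof(obligation, proof):
    """Each step derives a fact (base, off, lo, hi) = 'base + off in [lo, hi]'.
    Rules: ("pre",) | ("add", k, j) | ("weaken", lo, hi, j); j = earlier step."""
    derived = []
    for step in proof:
        if step[0] == "pre":
            fact = ("i", 0, PRE_LO, PRE_HI)
        elif step[0] in ("add", "weaken"):
            j = step[-1]
            if not 0 <= j < len(derived):
                return False              # dangling reference: malformed proof
            base, off, plo, phi = derived[j]
            if step[0] == "add":
                fact = (base, off + step[1], plo + step[1], phi + step[1])
            else:
                if not (step[1] <= plo and phi <= step[2]):
                    return False          # weakening may only loosen bounds
                fact = (base, off, step[1], step[2])
        else:
            return False
        derived.append(fact)
    return bool(derived) and derived[-1] == obligation

def accept(program, proofs):
    # Install only if every obligation has a proof that checks.
    obs = vcgen(program)
    return len(obs) == len(proofs) and all(map(check_proof, obs, proofs))

# Constructed sample: r1 := i + 4; r2 := mem[r1 + 8]  -> obligation i+12 in [0,15]
GOOD_PROGRAM = [("add", "r1", "i", 4), ("load", "r2", "r1", 8)]
GOOD_PROOF = [("pre",), ("add", 4, 0), ("add", 8, 1), ("weaken", 0, 15, 2)]
```

Changing the code (for instance the constant 4 to 5) changes the obligation while the proof still derives the old bound, so the unchanged proof no longer matches and the consumer rejects the code without running it.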