Safe, Untrusted Agents Using Proof-Carrying Code

  • George C. Necula
  • Peter Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1419)


Proof-Carrying Code (PCC) enables a computer system to determine, automatically and with certainty, that program code provided by another system is safe to install and execute without requiring interpretation or run-time checking. PCC has applications in any computing system in which the safe, efficient, and dynamic installation of code is needed. The key idea is to attach to the code an easily-checkable proof that its execution does not violate the safety policy of the receiving system. This paper describes the design and a typical implementation of Proof-Carrying Code, where the language used for specifying the safety properties is first-order predicate logic. Examples of safety properties described in this paper are memory safety and compliance with data access policies, resource usage bounds, and data abstraction boundaries.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc Fiuczynski, Craig Chambers, and Susan Eggers. Extensibility, safety and performance in the SPIN operating system. In Symposium on Operating System Principles, pages 267–284, December 1995.Google Scholar
  2. [2]
    Robert Boyer and J. Strother Moore. A Computational Logic. Academic Press, 1979.Google Scholar
  3. [3]
    R.M. Burstall and P.J. Landin. Programs and their proofs: an algebraic approach. Machine Intelligence, (4), 1969.Google Scholar
  4. [4]
    R. L. Constable, S. F. Allen, H. M. Bromley, W. R. Cleaveland, J. F. Cremer, R.W. Harper, D. J. Howe, T. B. Knoblock, N. P. Mendler, P. Panangaden, J. T. Sasaki, and S. F. Smith. Implementing Mathematics with the Nuprl Proof Development System. Prentice-Hall, 1986.Google Scholar
  5. [5]
    Thiery Coquand and Gerard Huet. Constructions: A higher order proof system for mechanizing mathematics. In Proc. European Conf. on Computer Algebra (EUROCAL’85), LNCS 203, pages 151–184. Springer-Verlag, 1985.Google Scholar
  6. [6]
    D.C. Luckham et al. Stanford Pascal verifier user manual. Technical Report STAN-CS-79-731, Dept. of Computer Science, Stanford Univ., March 1979.Google Scholar
  7. [7]
    David Detlefs. An overview of the Extended Static Checking system. In Proceedings of the First Formal Methods in Software Practice Workshop, 1996.Google Scholar
  8. [8]
    Edsger W. Dijkstra. Guarded commands, nondeterminancy and formal derivation of programs. Communications of the ACM, 18:453–457, 1975.MATHCrossRefMathSciNetGoogle Scholar
  9. [9]
    Michael Gordon. HOL: A machine oriented formulation of higher-order logic. Technical Report 85, University of Cambridge, Computer Laboratory, July 1985.Google Scholar
  10. [10]
    James Gosling, Bill Joy, and Guy L. Steele. The Java Language Specification. The Java Series. Addison-Wesley, Reading, MA, USA, 1996.MATHGoogle Scholar
  11. [11]
    Robert Harper, Furio Honsell, and Gordon Plotkin. A framework for defining logics. Journal of the Association for Computing Machinery, 40(1):143–184, January 1993.MATHMathSciNetGoogle Scholar
  12. [12]
    Steven McCanne and Van Jacobson. The BSD packet filter: A new architecture for user-level packet capture. In The Winter 1993 USENIX Conference, pages 259–269. USENIX Association, January 1993.Google Scholar
  13. [13]
    Sun Microsystems. The Java Virtual Machine specification. Available as, 1995.
  14. [14]
    George C. Necula and Peter Lee. Efficient representation and validation of logical proofs. Technical Report CMU-CS-97-172, Computer Science Department, Carnegie Mellon University, October 1997.Google Scholar
  15. [15]
    George C. Necula and Peter Lee. The design and implementation of a certifying compiler. In ACM SIGPLAN’98 Conference on Programming Language Design and Implementation, June 1998.Google Scholar
  16. [16]
    Greg Nelson and Derek Oppen. Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems, 1(2):245–257, October 1979.MATHCrossRefGoogle Scholar
  17. [17]
    John R. Ousterhout. Tcl and the Tk Toolkit. Addison Wesley, 1994.Google Scholar
  18. [18]
    S. Owre, J. M. Rushby, and N. Shankar. PVS: A prototype verification system. In Deepak Kapur, editor, 11th International Conference on Automated Deduction (CADE), volume 607 of Lecture Notes in Artificial Intelligence, pages 748–752, Saratoga, NY, June 1992. Springer-Verlag.Google Scholar
  19. [19]
    Frank Pfenning. Elf: A meta-language for deductive systems (system description). In Alan Bundy, editor, 12th International Conference on Automated Deduction, LNAI 814, pages 811–815, Nancy, France, June 26–July 1, 1994. Springer-Verlag.Google Scholar
  20. [20]
    R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In 14th ACM Symposium on Operating Systems Principles, pages 203–216. ACM, December 1993.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • George C. Necula
    • 1
  • Peter Lee
    • 1
  1. 1.School of Computer ScienceCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations