Documents citing: A certified framework for compiling and executing garbage-collected languages

by A. McCreight, T. Chevalier, A. P. Tolmach
Venue: in ICFP, 2010

Results 1 - 6 of 6

A Kripke Logical Relation Between ML and Assembly

by Chung-kil Hur, Derek Dreyer
Cited by 3 (3 self)
There has recently been great progress in proving the correctness of compilers for increasingly realistic languages with increasingly realistic runtime systems. Most work on this problem has focused on proving the correctness of a particular compiler, leaving open the question of how to verify the correctness of assembly code that is hand-optimized or linked together from the output of multiple compilers. This has led Benton and other researchers to propose more abstract, compositional notions of when a low-level program correctly realizes a high-level one. However, the state of the art in so-called “compositional compiler correctness” has only considered relatively simple high-level and low-level languages. In this paper, we propose a novel, extensional, compiler-independent notion of equivalence between high-level programs in an expressive, impure ML-like λ-calculus and low-level programs in an (only slightly) idealized assembly language. We define this equivalence by means of a biorthogonal, step-indexed, Kripke logical relation, which enables us to reason quite flexibly about assembly code that uses local state in a different manner than the high-level code it implements (e.g., self-modifying code). In contrast to prior work, we factor our relation in a symmetric, language-generic fashion, which helps to simplify and clarify the formal presentation, and we also show how to account for the presence of a garbage collector. Our approach relies on recent developments in Kripke logical relations for ML-like languages, in particular the idea of possible worlds as state transition systems.

A verified runtime for a verified theorem prover

by Magnus O. Myreen, Jared Davis
Cited by 2 (1 self)
rely on the correctness of runtime systems for programming languages like ML, OCaml or Common Lisp. These runtime systems are complex and critical to the integrity of the theorem provers. In this paper, we present a new Lisp runtime which has been formally verified and can run the Milawa theorem prover. Our runtime consists of 7,500 lines of machine code and is able to complete a 4 gigabyte Milawa proof effort. When our runtime is used to carry out Milawa proofs, less unverified code must be trusted than with any other theorem prover. Our runtime includes a just-in-time compiler, a copying garbage collector, a parser and a printer, all of which are HOL4-verified down to the concrete x86 code. We make heavy use of our previously developed tools for machine-code verification. This work demonstrates that our approach to machine-code verification scales to non-trivial applications.

Separation Logic in the Presence of Garbage Collection

by Chung-kil Hur, Derek Dreyer, Viktor Vafeiadis
Cited by 1 (0 self)
Separation logic has proven to be a highly effective tool for the verification of heap-manipulating programs. However, it has been applied almost exclusively in language settings where either memory is managed manually or the issue of memory management is ignored altogether. In this paper, we present a variant of separation logic, GCSL, for reasoning about low-level programs that interface to a garbage collector. In contrast to prior work by Calcagno et al., our model of GCSL (1) permits reasoning about programs that use internal pointers and address arithmetic, (2) supports logical variables that range over pointers, and (3) validates the “frame” rule, as well as a standard interpretation of separation-logic assertions, without requiring any restrictions on existentially-quantified formulae. Essential to our approach is the technique (due originally to McCreight et al.) of distinguishing between “logical” and “physical” states, which enables us to insulate the logic from the physical reality that pointer “values” may be moved and/or deallocated by the garbage collector.
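The logical/physical split that GCSL relies on is easiest to see against a concrete copying collector. The following is an added example, not code from the GCSL paper or from the McCreight et al. framework: a toy Cheney-style semispace collector over a heap of two-word cons cells. The word layout, the odd/even tagging of immediates versus pointers, the NIL and forwarding sentinels and the `logical()` view are assumptions of this example. Running `demo()` shows that a collection changes the physical address of every live cell (the "pointer values" the abstract mentions) and frees the unreachable cell, while the logical value the program reasons about is unchanged.

```python
"""Added example: Cheney copying collection moves pointers but preserves the logical heap.
Not from the GCSL paper; the heap layout, tagging and API are assumptions of this example."""
from typing import Any, Dict, List

NIL = -1   # empty list; odd and negative, so never mistaken for a pointer
FWD = -3   # sentinel in a cell's cdr slot: the car slot now holds the forwarding address


def imm(n: int) -> int:
    """Tag a non-negative integer as an immediate (odd) value."""
    return 2 * n + 1


def is_ptr(v: int) -> bool:
    """Pointers are even, non-negative word addresses of 2-word cells."""
    return v >= 0 and v % 2 == 0


class Heap:
    """Two semispaces of `semispace_words` words each; cell at address a occupies words a, a+1."""

    def __init__(self, semispace_words: int = 16) -> None:
        self.size = semispace_words
        self.mem: List[int] = [NIL] * (2 * semispace_words)
        self.from_base, self.to_base = 0, semispace_words
        self.free = 0  # words allocated in the current from-space

    def cons(self, car: int, cdr: int) -> int:
        if self.free + 2 > self.size:
            raise MemoryError("semispace full; collect first")
        a = self.from_base + self.free
        self.mem[a], self.mem[a + 1] = car, cdr
        self.free += 2
        return a

    def collect(self, roots: List[int]) -> List[int]:
        """Evacuate everything reachable from `roots` into to-space, then flip the spaces.
        Returns the new (relocated) root pointers; old pointers are dead after this call."""
        to = self.to_base
        alloc = 0

        def copy(v: int) -> int:
            nonlocal alloc
            if not is_ptr(v):
                return v
            if self.mem[v + 1] == FWD:      # already evacuated: follow forwarding address
                return self.mem[v]
            new = to + alloc
            self.mem[new], self.mem[new + 1] = self.mem[v], self.mem[v + 1]
            self.mem[v], self.mem[v + 1] = new, FWD   # leave forwarding pointer behind
            alloc += 2
            return new

        new_roots = [copy(r) for r in roots]
        scan = 0
        while scan < alloc:                 # Cheney scan: fix up fields of copied cells
            a = to + scan
            self.mem[a] = copy(self.mem[a])
            self.mem[a + 1] = copy(self.mem[a + 1])
            scan += 2
        self.from_base, self.to_base = self.to_base, self.from_base
        self.free = alloc
        return new_roots

    def logical(self, v: int) -> Any:
        """Physical-to-logical: the value as a Python object with no addresses in it.
        (Acyclic data only; a cyclic structure would need a visited set.)"""
        if v == NIL:
            return None
        if not is_ptr(v):
            return (v - 1) // 2
        return (self.logical(self.mem[v]), self.logical(self.mem[v + 1]))


def demo() -> Dict[str, Any]:
    h = Heap(16)
    # constructed data: the live list (1 2 3) plus one unreachable cell
    lst = h.cons(imm(3), NIL)
    lst = h.cons(imm(2), lst)
    lst = h.cons(imm(1), lst)
    h.cons(imm(99), NIL)                    # garbage: nothing points at it
    before, used_before = h.logical(lst), h.free
    (new_lst,) = h.collect([lst])           # every live cell moves to the other semispace
    after, used_after = h.logical(new_lst), h.free
    (new_lst2,) = h.collect([new_lst])      # and moves back on the next collection
    return {"before": before, "after": after, "after_second": h.logical(new_lst2),
            "old": lst, "new": new_lst, "new2": new_lst2,
            "used_before": used_before, "used_after": used_after}


if __name__ == "__main__":
    print(demo())
```

A GCSL-style assertion about the list is a statement about `logical(root)`, which `collect` leaves untouched; an assertion about the raw address `lst` is false the moment the collector runs, which is exactly why a logic for GC'd code has to be insulated from physical pointer values.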

Advanced Development of Certified OS Kernels

by Zhong Shao, Bryan Ford, 2010
Abstract not found

C Executive Summary

by unknown authors
The Problem: Today’s DoD missions operate over a large, heterogeneous, distributed set of computing resources—from personal mobile devices to massively parallel multicomputers managing millions of connections and petabytes of data. These distributed components must cooperate across agencies and across coalitions of allies; each partner brings independently-managed systems of varying reliability and trust into the distributed resource mix, and each has different policies and legal restrictions. Today, we cannot reliably secure any single system against cyber attacks, even when it is wholly owned by a single agency with a single mission. Computations can be disrupted (denial-of-service); machines can be co-opted (taken over and used by the attacker); data can be corrupted and stolen. The problem is even further beyond the state of the art when considering a coalition of machines under different jurisdictions. There is today no principled way to describe what such systems should be doing and thereby differentiate proper and compliant agents from rogue actors.

SOUND Solution: Our proposal, called SOUND (Safety On Untrusted Network Devices), provides a way to compute reliably on distributed coalition systems assembled from a wide range of heterogeneous components while ensuring desired restrictions on information flow (confidentiality), by trusted actors (identification and authentication), preventing information corruption (integrity), and maintaining high computational throughput (availability) despite the fact that the underlying set of computers and processes offered to perform the computation may be vulnerable to attacks or actively trying to compromise the mission. We propose to achieve scalable and tunable innate distributed defense (BAA Task Area 1) by implementing shared situational awareness and trust modeling (first two elements of BAA Technical Area 2). Additionally we are proposing an option for Technical Area 6, Technology Demonstrator.

In the following, we list many of the challenges facing the implementation of secure resilient distributed systems today and how the SOUND system proposes to address those challenges. We use the format Challenge: description. SOUND response: response. We also reference numbered

Modular Enforcement of Information Flow Policies in Data Structures

by Gordon Stewart, Anindya Banerjee, Aleksandar Nanevski
Standard implementations of common data structures such as hash tables can leak information, e.g. the operation history, to attackers with later access to a machine’s memory. This leakage is particularly damaging whenever the history of operations performed on a data structure must remain secret, such as in voting machines. We show how unique representation—the requirement that a data structure have canonical machine representations—can be used to perform modular verification of information flow policies in programs that compose data structures with their clients. We present a compositional verification system based on Relational Hoare Type Theory (RHTT) that uses unique representation to enforce end-to-end security guarantees such as noninterference for such programs. We validate our system and technique with examples drawn from arrays, multisets, hash tables, and a medical database application. The system, theorems, and examples have all been verified in Coq.
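The leak the abstract describes is easy to reproduce. The following is an added example, not code from the paper or its Coq development: a conventional separately-chained hash set whose buckets record insertion order, beside a variant with a canonical ("unique") representation whose buckets are kept sorted. The bucket count, the `x mod nbuckets` hash, the two constructed operation histories and the `snapshot()` view standing in for a raw memory read are all assumptions of this example. Both histories end with the same set {1, 5}, yet only the conventional table lets a later memory reader tell them apart.

```python
"""Added example (not from the paper): a chained hash set leaks its operation history through
its memory layout; a canonical representation makes the layout a function of contents only.
Bucket count, hash function, histories and the snapshot() memory view are assumptions."""
from typing import List, Tuple, Type

Snapshot = Tuple[Tuple[int, ...], ...]
History = List[Tuple[str, int]]


class ChainedHashSet:
    """Conventional separate chaining: a new key is appended to its bucket, so the
    physical order inside a bucket records the order in which keys arrived."""

    def __init__(self, nbuckets: int = 4) -> None:
        self.buckets: List[List[int]] = [[] for _ in range(nbuckets)]

    def _bucket(self, x: int) -> List[int]:
        return self.buckets[x % len(self.buckets)]   # assumed hash: x mod nbuckets

    def insert(self, x: int) -> None:
        b = self._bucket(x)
        if x not in b:
            b.append(x)

    def remove(self, x: int) -> None:
        b = self._bucket(x)
        if x in b:
            b.remove(x)

    def contents(self) -> frozenset:
        """The abstract value: the set of keys, independent of layout."""
        return frozenset(x for b in self.buckets for x in b)

    def snapshot(self) -> Snapshot:
        """What an attacker who later reads the machine's memory sees: the bucket-by-bucket layout."""
        return tuple(tuple(b) for b in self.buckets)


class CanonicalHashSet(ChainedHashSet):
    """Unique representation: each bucket is kept sorted, so the layout is determined by the
    contents alone and two histories with equal contents are indistinguishable in memory."""

    def insert(self, x: int) -> None:
        b = self._bucket(x)
        if x not in b:
            b.append(x)
            b.sort()   # removing from a sorted list keeps it sorted, so remove() is inherited


def replay(cls: Type[ChainedHashSet], history: History) -> ChainedHashSet:
    """Apply a sequence of ("insert", x) / ("remove", x) operations to a fresh table."""
    s = cls()
    for op, x in history:
        getattr(s, op)(x)
    return s


def history_leaks(cls: Type[ChainedHashSet], h1: History, h2: History) -> bool:
    """True if the two histories reach the same abstract contents but leave
    distinguishable memory, i.e. a memory reader learns which history happened."""
    a, b = replay(cls, h1), replay(cls, h2)
    return a.contents() == b.contents() and a.snapshot() != b.snapshot()


# constructed histories: both end with the set {1, 5}; 1, 5 and 9 all collide in bucket 1
H1: History = [("insert", 1), ("insert", 5)]
H2: History = [("insert", 5), ("insert", 9), ("insert", 1), ("remove", 9)]

if __name__ == "__main__":
    for cls in (ChainedHashSet, CanonicalHashSet):
        print(cls.__name__, "leaks history:", history_leaks(cls, H1, H2),
              "layouts:", replay(cls, H1).snapshot(), replay(cls, H2).snapshot())
```

Sorting a chain is the simplest canonical form and is enough to make this check pass; a real implementation also has to control everything else a memory reader can see, such as allocator metadata and the bytes left behind by freed nodes, which `snapshot()` deliberately ignores here.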