Results 1  10
of
47
ProofCarrying Authentication
 In Proceedings of the 6th ACM Conference on Computer and Communications Security
, 1999
"... We have designed and implemented a general and powerful distributed authentication framework based on higherorder logic. Authentication frameworks  including Taos, SPKI, SDSI, and X.509  have been explained using logic. We show that by starting with the logic, we can implement these framework ..."
Abstract

Cited by 179 (6 self)
 Add to MetaCart
We have designed and implemented a general and powerful distributed authentication framework based on higherorder logic. Authentication frameworks  including Taos, SPKI, SDSI, and X.509  have been explained using logic. We show that by starting with the logic, we can implement these frameworks, all in the same concise and efficient system. Because our logic has no decision procedure  although proof checking is simple  users of the framework must submit proofs with their requests.
TemporalSafety Proofs for Systems Code
, 2002
"... We present a methodology and tool for verifying and certifying systems code. The veri cation is based on the lazyabstraction paradigm for intertwining the following three logical steps: construct a predicate abstraction from the code, model check the abstraction, and automatically re ne the a ..."
Abstract

Cited by 70 (9 self)
 Add to MetaCart
We present a methodology and tool for verifying and certifying systems code. The veri cation is based on the lazyabstraction paradigm for intertwining the following three logical steps: construct a predicate abstraction from the code, model check the abstraction, and automatically re ne the abstraction based on counterexample analysis. The certi cation is based on the proofcarrying code paradigm. Lazy abstraction enables the automatic construction of small proof certi cates. The methodology is implemented in Blast, the Berkeley Lazy Abstraction Software veri cation Tool. We describe our experience applying Blast to Linux and Windows device drivers. Given the C code for a driver and for a temporalsafety monitor, Blast automatically generates an easily checkable correctness certi cate if the driver satis es the speci cation, and an error trace otherwise.
OracleBased Checking of Untrusted Software
, 2001
"... We present a variant of ProofCarrying Code (PCC) in which the trusted inference rules are represented as a higherorder logic program, the proof checker is replaced by a nondeterministic higherorder logic interpreter and the proof by an oracle implemented as a stream of bits that resolve the nondet ..."
Abstract

Cited by 55 (3 self)
 Add to MetaCart
We present a variant of ProofCarrying Code (PCC) in which the trusted inference rules are represented as a higherorder logic program, the proof checker is replaced by a nondeterministic higherorder logic interpreter and the proof by an oracle implemented as a stream of bits that resolve the nondeterministic interpretation choices. In this setting, ProofCarrying Code allows the receiver of the code the luxury of using nondeterminism in constructing a simple yet powerful checking procedure. This oraclebased variant of PCC is able to adapt quite naturally to situations when the property being checked is simple or there is a fairly directed search procedure for it. As an example, we demonstrate that if PCC is used to verify type safety of assembly language programs compiled from Java source programs, the oracles that are needed are on the average just 12% of the size of the code, which represents an improvement of a factor of 30 over previous syntactic representations of PCC proofs. ...
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 55 (5 self)
 Add to MetaCart
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
Evidencebased Audit
"... Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an accesscontrol decision has been made in accordance with policy. Using such proofs for auditing purposes is implici ..."
Abstract

Cited by 42 (14 self)
 Add to MetaCart
Authorization logics provide a principled and flexible approach to specifying access control policies. One of their compelling benefits is that a proof in the logic is evidence that an accesscontrol decision has been made in accordance with policy. Using such proofs for auditing purposes is implicit in much of the work on authorization logics and proofcarrying authorization. This paper explores some ramifications of adopting this “proofs as log entries ” approach to auditing. Two benefits of evidencebased audit are a reduced trusted computing base and the ability to detect flaws in complex authorization policies. Moreover, the proof structure is itself useful, because operations like proof normalization can yield information about the relevance of policy statements. To explain these observations concretely, we develop a rich authorization logic based on a dependentlytyped variant of DCC and prove the metatheoretic properties of subjectreduction and normalization. We show untrusted but welltyped applications, that access resources through an appropriate interface, must obey the access control policy and create proofs useful for audit. We show the utility of proofbased auditing in a number of examples and discuss several pragmatic issues, such as proof size, that must be addressed in this context. 1
Proof Terms for Simply Typed Higher Order Logic
 IN THEOREM PROVING IN HIGHER ORDER LOGICS, 13TH INTERNATIONAL CONFERENCE, VOLUME 1869 OF LNCS
, 2000
"... This paper presents proof terms for simply typed, intuitionistic higher order logic, a popular logical framework. Unificationbased algorithms for the compression and reconstruction of proof terms are described and have been implemented in the theorem prover Isabelle. Experimental results confir ..."
Abstract

Cited by 35 (8 self)
 Add to MetaCart
This paper presents proof terms for simply typed, intuitionistic higher order logic, a popular logical framework. Unificationbased algorithms for the compression and reconstruction of proof terms are described and have been implemented in the theorem prover Isabelle. Experimental results confirm the effectiveness of the compression scheme.
The software model checker BLAST: Applications to software engineering
 INTERNATIONAL JOURNAL ON SOFTWARE TOOLS TECHNOLOGY TRANSFER
, 2006
"... BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, ..."
Abstract

Cited by 34 (5 self)
 Add to MetaCart
BLAST is an automatic verification tool for checking temporal safety properties of C programs. Given a C program and a temporal safety property, BLAST either statically proves that the program satisfies the safety property, or provides an execution path that exhibits a violation of the property (or, since the problem is undecidable, does not terminate). BLAST constructs, explores, and refines abstractions of the program state space based on lazy predicate abstraction and interpolationbased predicate discovery. This paper gives an introduction to BLAST and demonstrates, through two case studies, how it can be applied to program verification and testcase generation. In the first case study, we use BLAST to statically prove memory safety for C programs. We use CCURED, a typebased memorysafety analyzer, to annotate a program with runtime assertions that check for safe memory operations. Then, we use BLAST to remove as many of the runtime checks as possible (by proving that these checks never fail), and to generate execution scenarios that violate the assertions for the remaining runtime checks. In our second case study, we use BLAST to automatically generate test suites that guarantee full coverage with respect to a given predicate. Given a C program and a target predicate p, BLAST determines the program locations q for which there exists a program execution that reaches q with p true, and automatically generates a set of test vectors that generate such executions. Our experiments show that BLAST can provide automated, precise, and scalable analysis for C programs.
LanguageBased Security
 IN MATHEMATICAL FOUNDATIONS OF COMPUTER SCIENCE
, 1999
"... Security of mobile code is a major issue in today's global computing environment. When you download a program from an untrusted source, how can you be sure it will not do something undesirable? In this paper I will discuss a particular approach to this problem called languagebased security. In th ..."
Abstract

Cited by 28 (0 self)
 Add to MetaCart
Security of mobile code is a major issue in today's global computing environment. When you download a program from an untrusted source, how can you be sure it will not do something undesirable? In this paper I will discuss a particular approach to this problem called languagebased security. In this approach, security information is derived from a program written in a highlevel language during the compilation process and is included in the compiled object. This extra security information can take the form of a formal proof, a type annotation, or some other form of certificate or annotation. It can be downloaded along with the object code and automatically verified before running the code locally, giving some assurance against certain types of failure or unauthorized activity. The verifier must be trusted, but the compiler, code, and certificate need not be. Java bytecode verification is an example of this approach. I will give an overview of some recent work in this area, including...
ProofCarrying Code from Certified Abstract Interpretation and Fixpoint Compression
, 2006
"... ProofCarrying Code (PCC) is a technique for downloading mobile code on a host machine while ensuring that the code adheres to the host's safety policy. We show how certified abstract interpretation can be used to build a PCC architecture where the code producer can produce program certi cates autom ..."
Abstract

Cited by 28 (8 self)
 Add to MetaCart
ProofCarrying Code (PCC) is a technique for downloading mobile code on a host machine while ensuring that the code adheres to the host's safety policy. We show how certified abstract interpretation can be used to build a PCC architecture where the code producer can produce program certi cates automatically. Code consumers use proof checkers derived from certi ed analysers to check certificates. Proof checkers carry their own correctness proofs and accepting a new proof checker amounts to type checking the checker in Coq. Certi cates take the form of strategies for reconstructing a xpoint and are kept small due to a technique for fixpoint compression. The PCC architecture has been implemented and evaluated experimentally on a byte code language for which we have designed an interval analysis that allows to generate certificates ascertaining that no arrayoutofbounds accesses will occur.