Results 11  20
of
33
Building Reliable Voting Machine Software
, 2007
"... BackCover Texts. A copy of the license is included in the appendix entitled GNU Free ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
BackCover Texts. A copy of the license is included in the appendix entitled GNU Free
Validated ProofProducing Decision Procedures
, 2004
"... A widely used technique to integrate decision procedures (DPs) with other systems is to have the DPs emit proofs of the formulas they report valid. One problem that arises is debugging the proofproducing code; it is very easy in standard programming languages to write code which produces an incorre ..."
Abstract

Cited by 10 (5 self)
 Add to MetaCart
A widely used technique to integrate decision procedures (DPs) with other systems is to have the DPs emit proofs of the formulas they report valid. One problem that arises is debugging the proofproducing code; it is very easy in standard programming languages to write code which produces an incorrect proof. This paper demonstrates how proofproducing DPs may be implemented in a programming language, called RogueSigmaPi (RSP), whose type system ensures that proofs are manipulated correctly. RSP combines the Rogue rewriting language and the Edinburgh Logical Framework (LF). Typecorrect RSP programs are partially correct: essentially, any putative LF proof object produced by a typecorrect RSP program is guaranteed to type check in LF. The paper describes a simple proofproducing combination of propositional satisfiability checking and congruence closure implemented in RSP.
A Metalogical Approach to Foundational Certified Code
, 2003
"... Foundational certified code systems seek to prove untrusted programs to be safe relative to safety policies given in terms of actual machine architectures. Previous e#orts have employed a structure wherein the proofs are expressed in the same logic used to express the safety policy. We propose an al ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
Foundational certified code systems seek to prove untrusted programs to be safe relative to safety policies given in terms of actual machine architectures. Previous e#orts have employed a structure wherein the proofs are expressed in the same logic used to express the safety policy. We propose an alternative structure wherein safety proofs are expressed in the Twelf metalogic, thereby eliminating from those proofs an extra layer of encoding needed in the previous accounts. Using this metalogical approach, we have constructed a complete and foundational account of safety for a fully expressive typed assembly language.
A costeffective foundational certified code system
, 2005
"... Certified code systems enable untrusted programs to be proven safe to execute in a machine–checkable manner. Recent work has focused on building foundational certified code systems, where safety is defined relative to a concrete machine architecture. We wish to build a cost–effective system, with pr ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Certified code systems enable untrusted programs to be proven safe to execute in a machine–checkable manner. Recent work has focused on building foundational certified code systems, where safety is defined relative to a concrete machine architecture. We wish to build a cost–effective system, with practicality along two dimensions — the intellectual effort to engineer the proofs, and the resource usage by the machine in verifying these proofs. Thus, we factor the proof that a particular program is safe to execute into two parts, a generic part and a program–specific part. These parts are linked by a mediating logic, typically a type system, which we call the safety condition. Consequently, we must prove that all programs that satisfy this condition are safe to execute, and then, we prove that the particular program satisfies this safety condition. Moreover, each of these proofs must be done in a cost–effective manner. In previous work, we have described a machine–checkable proof for the first part, based on defining an operational semantics in LF and using the Twelf metalogic. For the second part, experience has shown that proof terms for a reasonable logic, or type system, are too big to generate, send across the network, and check. We wish to check adherence to the safety condition by an untrusted functional program. It remains to prove (in a machine–checkable manner) that the program implements the logic specified in a LF signature. We propose to accomplish this by static typechecking. We have designed an expressive type system using dependent refinements for this purpose. 1
A Dependently Typed Programming Language, with applications to Foundational Certified Code Systems
, 2009
"... Certified code systems enable trust to be generated in untrusted pieces of code. This is done by requiring that a machine–verifiable certificate be packaged with code, which can then be proved safe independently. Safety is defined with respect to a defined safety policy. Recent work has focused on “ ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Certified code systems enable trust to be generated in untrusted pieces of code. This is done by requiring that a machine–verifiable certificate be packaged with code, which can then be proved safe independently. Safety is defined with respect to a defined safety policy. Recent work has focused on “foundational certified code systems”, which define the safety policy as execution on a concrete machine architecture. This makes the safety guarantees of the system more concrete relative to previous systems. There are two advantages. One, we gain in flexibility since the proof producers can use different assumptions and techniques. Two, the parts of the system that must be trusted become substantially simpler. This work describes our design of a practical foundational certified code system. Foundational systems have new proof obligations, for which we need different proof techniques and verification environments. In common with other such systems, we use an intermediate formal system such as a type system to isolate a group of programs. There are then two proof obligations. A program– specific proof verifies that the program belongs to the group so defined. This is the type checking problem. A generic safety proof says that all programs belonging to the group is safe to execute on the concrete machine. For a type system this is the type safety property.
Interfacing Compilers, Proof Checkers, and Proofs for Foundational ProofCarrying Code
, 2005
"... ProofCarrying Code (PCC) is a general framework for the mechanical verification of safety properties of machinelanguage programs. It allows a code producer to provide an executable program to a code consumer, along with a machinecheckable proof of safety such that the code consumer can check the ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
ProofCarrying Code (PCC) is a general framework for the mechanical verification of safety properties of machinelanguage programs. It allows a code producer to provide an executable program to a code consumer, along with a machinecheckable proof of safety such that the code consumer can check the proof before running the program. PCC has the advantage of small Trusted Computing Base (TCB), since the proof checking can be a simple mechanical procedure. A weakness of previous PCC systems is that the proofchecking infrastructure is based on some complicated logic or type system that is not necessarily sound.
Typesafe Computation with Heterogeneous Data
, 2007
"... Computation with largescale heterogeneous data typically requires universal traversal to search forall occurrences of a substructure that matches a possibly complex search pattern, whose context may be different in different places within the data. Both aspects cause difficulty for existing general ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
Computation with largescale heterogeneous data typically requires universal traversal to search forall occurrences of a substructure that matches a possibly complex search pattern, whose context may be different in different places within the data. Both aspects cause difficulty for existing generalpurpose programming languages, because these languages are designed for homogeneous data and have problems typing the different substructures in heterogeneous data, and the complex patterns to match with the substructures. Programmers either have to hardcode the structures and search patterns, preventing programs from being reusable and scalable, or have to use lowlevel untyped programming or programming with specialpurpose query languages, opening the door to type mismatches that cause a high risk of program correctness and security problems. This thesis invents the concept of pattern structures, and proposes a general solution to the above problems  a programming technique using pattern structures. In this solution, welltyped pattern structures are defined to represent complex search patterns, and pattern searching over heterogeneous data is programmed with pattern parameters, in a staticallytyped language that supports firstclass typing of structures and patterns. The resulting programs are staticallytyped, highly reusable for different data structures and different patterns, and highly scalable in terms of the complexity of data structures and patterns. Adding new kinds of patterns for an application no longer requires changing the language in use or creating new ones, but is only a programming task. The thesis demonstrates the application of this approach to, and its advantages in, two important examples of computation with heterogeneous data, i.e., XML data processing and Java bytecode analysis.
Comparing Semantic and Syntactic Methods in Mechanized Proof Frameworks Abstract
"... We present a comparison of semantic and syntactic proof methods for reasoning about typed assembly languages in Coq. We make available our complete Coq developments for a simple and easily understood benchmark system presenting both styles of soundness proof to the same interface. The syntactic proo ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
We present a comparison of semantic and syntactic proof methods for reasoning about typed assembly languages in Coq. We make available our complete Coq developments for a simple and easily understood benchmark system presenting both styles of soundness proof to the same interface. The syntactic proof is standard subject reduction; the semantic proof uses Gödal Löb modal logic, shallowly embedded in Coq. The proof style of the modal logic is flexible and facilitates experimental modifications to the underlying machine. As an example of this flexibility, we discuss how to add fault tolerance to the list machine. In addition, we discus how the the choice of proof methodology affects the trusted computing base of a typed assembly language system.
Foundational Certified Code in the Twelf Metalogical Framework
"... Foundational certified code systems seek to prove untrusted programs to be safe relative to safety policies given in terms of actual machine architectures, thereby improving the systems ’ flexibility and extensibility. Using the Twelf metalogical framework, we have constructed a safety policy for th ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Foundational certified code systems seek to prove untrusted programs to be safe relative to safety policies given in terms of actual machine architectures, thereby improving the systems ’ flexibility and extensibility. Using the Twelf metalogical framework, we have constructed a safety policy for the IA32 architecture with a trusted runtime library. The safety policy is based on a formalized operational semantics. We have also developed a complete, foundational proof that a fully expressive typed assembly language satisfies that safety policy.
Foundational Certified Code in a Metalogical
 In Nineteenth International Conference on Automated Deduction
, 2005
"... Stage: a type safety proof for TALT relative to an abstract machine, using the usual tools of progress and type preservation. ..."
Abstract
 Add to MetaCart
Stage: a type safety proof for TALT relative to an abstract machine, using the usual tools of progress and type preservation.