Results

**21 - 25**of**25**### Foundational Certified Code in the Twelf Metalogical Framework

"... Foundational certified code systems seek to prove untrusted programs to be safe relative to safety policies given in terms of actual machine architectures, thereby improving the systems ' flexibility and extensibility. Using the Twelf metalogical framework, we have constructed a safety policy for th ..."

Abstract
- Add to MetaCart

Foundational certified code systems seek to prove untrusted programs to be safe relative to safety policies given in terms of actual machine architectures, thereby improving the systems ' flexibility and extensibility. Using the Twelf metalogical framework, we have constructed a safety policy for the IA-32 architecture with a trusted runtime library. The safety policy is based on a formalized operational semantics. We have also developed a complete, foundational proof that a fully expressive typed assembly language satisfies that safety policy.

### TU Munich and

"... LF is a dependent type theory in which many other formal systems can be conveniently embedded. However, correct use of LF relies on nontrivial metatheoretic developments such as proofs of correctness of decision procedures for LF’s judgments. Although detailed informal proofs of these properties hav ..."

Abstract
- Add to MetaCart

LF is a dependent type theory in which many other formal systems can be conveniently embedded. However, correct use of LF relies on nontrivial metatheoretic developments such as proofs of correctness of decision procedures for LF’s judgments. Although detailed informal proofs of these properties have been published, they have not been formally verified in a theorem prover. We have formalized these properties within Isabelle/HOL using the Nominal Datatype Package, closely following a recent article by Harper and Pfenning. In the process, we identified and resolved a gap in one of the proofs and a small number of minor lacunae in others. We also formally derive a version of the type checking algorithm from which Isabelle/HOL can generate executable code. Besides its intrinsic interest, our formalization provides a foundation for studying the adequacy of LF encodings, the correctness of Twelf-style metatheoretic reasoning, and the metatheory of extensions to LF.

### Framework

"... Foundational certified code systems seek to prove untrusted programs to be safe relative to safety policies given in terms of actual machine architectures, thereby improving the systems ’ flexibility and extensibility. Previous efforts have employed a structure wherein the proofs are expressed in th ..."

Abstract
- Add to MetaCart

Foundational certified code systems seek to prove untrusted programs to be safe relative to safety policies given in terms of actual machine architectures, thereby improving the systems ’ flexibility and extensibility. Previous efforts have employed a structure wherein the proofs are expressed in the same logic used to express the safety policy. We propose an alternative structure wherein safety proofs are expressed in the Twelf metalogic, thereby eliminating from those proofs an extra layer of encoding needed in the previous accounts. Using this metalogical approach, we have constructed a complete, foundational account of safety for a fully expressive typed assembly language.

### CMU-CyLab-06-015

, 2006

"... We present a new algorithm for generating a formal proof that an access request satisfies accesscontrol policy, for use in logic-based access-control frameworks. Our algorithm is tailored to settings where credentials needed to complete a proof might need to be obtained from, or reactively created b ..."

Abstract
- Add to MetaCart

We present a new algorithm for generating a formal proof that an access request satisfies accesscontrol policy, for use in logic-based access-control frameworks. Our algorithm is tailored to settings where credentials needed to complete a proof might need to be obtained from, or reactively created by, distant components in a distributed system. In such contexts, our algorithm substantially improves upon previous proposals in both computation and communication costs, and better guides users to create the most appropriate credentials in those cases where needed credentials do not yet exist. At the same time, our algorithm offers strictly superior proving ability, in the sense that it finds a proof in every case that previous approaches would (and more). We detail our algorithm and empirically evaluate an implementation of it using policies in active use in a testbed at our institution for experimenting with access-control technologies. 1

### Recommended for Acceptance

"... Proof-Carrying Code (PCC) is a static mechanism that mechanically verifies safety of machine-language programs. But the problem in conventional PCC is, who will verify the verifier (the type checker) itself? The Foundational Proof-Carrying Code (FPCC) project at Princeton verifies the soundness of t ..."

Abstract
- Add to MetaCart

Proof-Carrying Code (PCC) is a static mechanism that mechanically verifies safety of machine-language programs. But the problem in conventional PCC is, who will verify the verifier (the type checker) itself? The Foundational Proof-Carrying Code (FPCC) project at Princeton verifies the soundness of the type checker from the smallest possible set of axioms — logic plus machine semantics. One challenge in the verification is that machine code, unlike high-level languages, contains unstructured control flow (due to arbitrary jumps). A piece of machine code can contain multiple entry points that jump instructions might jump to, and multiple exit points. Traditional Hoare logic and its variants either verify programs with only one entry and one exit, or need the whole program to verify jump instructions, which is not modular. The major contribution of this dissertation is a program logic, Lc, which modularly verifies properties of machine-code fragments. Unlike previous program logics, the basic reasoning units in Lc are multiple-entry and multiple-exit code fragments. Lc provides composition rules to combine code fragments and to eliminate intermediate