Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.

Abstract. There are many source-level analyses or instrumentation tools that enforce various safety properties. In this paper we present an infrastructure that can be used to check independently that the assembly output of such tools has the desired safety properties. By working at assembly level we avoid the complications with unavailability of source code, with source-level parsing, and we certify the code that is actually deployed. The novel feature of the framework is an extensible dependently-typed framework that supports type inference and mutation of dependent values in memory. The type system can be extended with new types as needed for the source-level tool that is certified. Using these dependent types, we are able to express the invariants enforced by CCured, a sourcelevel instrumentation tool that guarantees type safety in legacy C programs. We can therefore check that the x86 assembly code resulting from compilation with CCured is in fact type-safe. 1

Many researchers are investigating the use of adaptive program transformation as a way to efficiently improve program performance. Performance improving transformations are performed at runtime to adapt to the possibly changing runtime characteristics of the program. Leveraging this kind of program transformation on multiple hosts can achieve these same performance gains while reducing the overhead to apply the transformations on the local machine running the program. The reduction in overhead is obtained by distributing the responsibilities for the transformation process to multiple hosts throughout the network. The use of this technology could greatly benefit applications running on networked computation nodes; however, one must first establish confidence in the secure generation and distribution of the transformed versions of the original program before acceptance and execution can occur for many network environments. Since programs are being transformed dynamically, traditional program validation methods such as checksums and digital signatures will be unable to efficiently meet the security needs of this possibly itinerant, transforming software. New validation methods must be developed in order to allow future software to avail itself of the advantages that dynamic program modification may provide while mitigating potential security risks. In this paper, we present our framework to validate dynamically-transforming software in a manner that enables the system to restrict how the software can transform as it executes on a network of hosts. Our prototype system utilizes specification languages to communicate program transformations and controls for those transformations on hosts in the ∗ This material is based upon work supported by the National Science