Efficient representation and validation of logical proofs (1997)

by G C Necula, P Lee

Results 1 - 10 of 32

A Certifying Compiler for Java

by Christopher Colby, Peter Lee, George C. Necula, Fred Blau, Mark Plesko, Kenneth Cline - ACM SIGPLAN Notices, 2000
Cited by 120 (15 self)
This paper presents the initial results of a project to determine if the techniques of proof-carrying code and certifying compilers can be applied to programming languages of realistic size and complexity. The experiment shows that: (1) it is possible to implement a certifying native-code compiler for a large subset of the Java programming language; (2) the compiler is freely able to apply many standard local and global optimizations; and (3) the PCC binaries it produces are of reasonable size and can be rapidly checked for type safety by a small proof-checker. This paper also presents further evidence that PCC provides several advantages for compiler development. In particular, generating proofs of the target code helps to identify compiler bugs, many of which would have been difficult to discover by testing.

Efficient Representation and Validation of Proofs

by George C. Necula, Peter Lee, 1998
Cited by 53 (7 self)
This paper presents a logical framework derived from the Edinburgh Logical Framework (LF) [5] that can be used to obtain compact representations of proofs and efficient proof checkers. These are essential ingredients of any application that manipulates proofs as first-class objects, such as a Proof-Carrying Code [11] system, in which proofs are used to allow the easy validation of properties of safety-critical or untrusted code. Our framework, which we call LF_i, inherits from LF the capability to encode various logics in a natural way. In addition, the LF_i framework allows proof representations without the high degree of redundancy that is characteristic of LF representations. The missing parts of LF_i proof representations can be reconstructed during proof checking by an efficient reconstruction algorithm. We also describe an algorithm that can be used to strip the unnecessary parts of an LF representation of a proof. The experimental data that we gathered in the context of a Proof...

Access Control for the Web via Proof-Carrying Authorization

by Ljudevit Bauer, 2003
Cited by 37 (6 self)
After a short period of being not much more than a curiosity, the World-Wide Web quickly became an important medium for discussion, commerce, and business. Instead of holding just information that the entire world could see, web pages also became used to access email, financial records, and other personal or proprietary data that was meant to be viewed only by particular individuals or groups. This made it necessary to design mechanisms that would restrict access to web pages. Unfortunately, most current mechanisms are lacking in generality and flexibility---they interoperate poorly and can express only a limited number of security policies.

Safe, Untrusted Agents using Proof-Carrying Code

by George C. Necula, Peter Lee - of Lecture Notes in Computer Science, 1998
Cited by 29 (3 self)
Proof-Carrying Code (PCC) enables a computer system to determine, automatically and with certainty, that program code provided by another system is safe to install and execute without requiring interpretation or run-time checking. PCC has applications in any computing system in which the safe, efficient, and dynamic installation of code is needed. The key idea of Proof-Carrying is to attach to the code an easily-checkable proof that its execution does not violate the safety policy of the receiving system. This paper describes the design and a typical implementation of Proof-Carrying Code, where the language used for specifying the safety properties is first-order predicate logic. Examples of safety properties that are covered in this paper are memory safety and compliance with data access policies, resource usage bounds, and data abstraction boundaries.

Synthesizing certified code

by Michael Whalen, Johann Schumann, Bernd Fischer - Proc. Intl. Symp. Formal Methods Europe 2002: Formal Methods—Getting IT Right, LNCS 2391, 2002
Cited by 28 (15 self)
Code certification is a lightweight approach for formally demonstrating software quality. Its basic idea is to require code producers to provide formal proofs that their code satisfies certain quality properties. These proofs serve as certificates that can be checked independently. Since code certification uses the same underlying technology as program verification, it requires detailed annotations (e.g., loop invariants) to make the proofs possible. However, manually adding annotations to the code is time-consuming and error-prone. We address this problem by combining code certification with automatic program synthesis. Given a high-level specification, our approach simultaneously generates code and all annotations required to certify the generated code. We describe a certification extension of AutoBayes, a synthesis tool for automatically generating data analysis programs. Based on built-in domain knowledge, proof annotations are added and used to generate proof obligations that are discharged by the automated theorem prover E-SETHEO. We demonstrate our approach by certifying operator- and memory-safety on a data-classification program. For this program, our approach was faster and more precise than PolySpace, a commercial static analysis tool.

Tabled Higher-Order Logic Programming

by Brigitte Pientka - In 20th International Conference on Automated Deduction, 2003
Cited by 25 (11 self)
Elf is a general meta-language for the specification and implementation of logical systems in the style of the logical framework LF. Based on a logic programming interpretation, it supports executing logical systems and reasoning with and about them, thereby reducing the effort required for each particular logical system. The traditional logic programming paradigm is extended by replacing first-order terms with dependently typed λ-terms and allowing implication and universal quantification in the bodies of clauses. These higher-order features allow us to model concisely and elegantly conditions on variables and the discharge of assumptions which are prevalent in many logical systems. However, many specifications are not executable under the traditional logic programming semantics and performance may be hampered by redundant computation. To address these problems, I propose a tabled higher-order logic programming interpretation for Elf. Some redundant computation is eliminated by memoizing sub-computation and re-using its result later. If we do not distinguish different proofs for a property, then search based on tabled logic programming is complete and terminates for programs with bounded recursion. In this proposal, I present a proof-theoretical characterization for tabled higher-order logic programming. It is the basis of the implemented prototype of a tabled logic programming interpreter for Elf. Preliminary experiments indicate that many more logical specifications are executable under the tabled semantics. In addition, tabled computation leads to more efficient execution of programs. The goal of the thesis is to demonstrate that tabled logic programming allows us to efficiently automate reasoning with and about logical systems in the logical f...

Expressiveness + automation + soundness: Towards combining SMT solvers and interactive proof assistants

by Pascal Fontaine, Jean-Yves Marion, Stephan Merz, Leonor Prensa Nieto, Alwen Tiu - In Tools and Algorithms for Construction and Analysis of Systems (TACAS), 2006
Cited by 20 (3 self)
Formal system development needs expressive specification languages, but also calls for highly automated tools. These two goals are not easy to reconcile, especially if one also aims at high assurances for correctness. In this paper, we describe a combination of Isabelle/HOL with a proof-producing SMT (Satisfiability Modulo Theories) solver that contains a SAT engine and a decision procedure for quantifier-free first-order logic with equality. As a result, a user benefits from the expressiveness of Isabelle/HOL when modeling a system, but obtains much better automation for those fragments of the proofs that fall within the scope of the (automatic) SMT solver. Soundness is not compromised because all proofs are submitted to the trusted kernel of Isabelle for certification. This architecture is straightforward to extend for other interactive proof assistants and proof-producing reasoners.

External Rewriting for Skeptical Proof Assistants

by Quang Huy Nguyen, Claude Kirchner, 2002
Cited by 16 (3 self)
This paper presents the design, the implementation and experiments of the integration of syntactic, conditional possibly associative-commutative term rewriting into proof assistants based on constructive type theory. Our approach is called external since it consists in performing term rewriting in a specific and efficient environment and checking the computations later in a proof assistant.

What makes a Code Review Trustworthy

by Stacy Nelson, Johann Schumann - in Proc. HICSS-37, IEEE, 2004
Cited by 10 (5 self)
Code review is an important step during the process of certifying safety-critical software because only code that passes review can be implemented. Reviews are performed by review boards composed of highly skilled and experienced computer scientists, engineers and analysts who generally rely upon a checklist of properties ranging from high-level requirements to minute language details. While many checklists and coding standards exist, the actual decision of which properties are most important is generally based on the experience of the person in charge. This paper addresses the questions: How can code review ensure certification of trustworthy code? and Is code review trustworthy? We surveyed technical leaders at NASA and the Aerospace industry to find out which properties are most important during the code review. To make analysis easier, the most common properties have been classified along different "views", ranging from a standards-oriented view (defined as the properties needed to satisfy a specific standard) to a tool-oriented view. In this paper, we present this classification together with a summary of findings and feedback from the survey. We also discuss how a more uniform view on properties of code review and tool capabilities can result in increased trust for safety-critical software.

Checking the Correctness of Architectural Transformation Steps via Proof-Carrying Architectures

by R. A. Riemenschneider - Proceedings of the First Working IFIP Conference on Software Architecture (WICSA1), 1999
Cited by 7 (3 self)
Architectural definition often begins with a very high-level architectural description, e.g., specification of dataflow among a few abstract components. This high-level description is then refined in order to ultimately achieve a much more detailed description that can be implemented directly. On the other hand, with the advent of the object-oriented paradigm, architectural definition can consist of assembling a collection of standard components and connectors. But, if such an assemblage is complex, it is desirable to generate more abstract descriptions from it, in order to facilitate understanding and analysis. In either case, the end product of the architecting process is an architectural hierarchy, a collection of architectural descriptions linked by mappings that interpret the more abstract descriptions in the more concrete descriptions. Formalized transformational approaches to architecture refinement and abstraction have been proposed. One argument in favor of formalization is that...
Developed at and hosted by The College of Information Sciences and Technology

© 2007-2010 The Pennsylvania State University