Proof checkers for proof-carrying code (and similar systems) can su#er from two problems: huge proof witnesses and untrustworthy proof rules. No previous design has addressed both of these problems simultaneously. We show the theory, design, and implementation of a proof-checker that permits small proof witnesses and machine-checkable proofs of the soundness of the system.

Certified code systems enable untrusted programs to be proven safe to execute in a machine–checkable manner. Recent work has focused on building foundational certified code systems, where safety is defined relative to a concrete machine architecture. We wish to build a cost–effective system, with practicality along two dimensions — the intellectual effort to engineer the proofs, and the resource usage by the machine in verifying these proofs. Thus, we factor the proof that a particular program is safe to execute into two parts, a generic part and a program–specific part. These parts are linked by a mediating logic, typically a type system, which we call the safety condition. Consequently, we must prove that all programs that satisfy this condition are safe to execute, and then, we prove that the particular program satisfies this safety condition. Moreover, each of these proofs must be done in a cost–effective manner. In previous work, we have described a machine–checkable proof for the first part, based on defining an operational semantics in LF and using the Twelf metalogic. For the second part, experience has shown that proof terms for a reasonable logic, or type system, are too big to generate, send across the network, and check. We wish to check adherence to the safety condition by an untrusted functional program. It remains to prove (in a machine–checkable manner) that the program implements the logic specified in a LF signature. We propose to accomplish this by static typechecking. We have designed an expressive type system using dependent refinements for this purpose. 1

We give a syntactic proof of decidability and consistency of equivalence for the singleton type calculus, which lies at the foundation of modern module systems such as that of ML. Unlike existing proofs, which work by constructing a model, our syntactic proof makes few demands on the underlying proof theory and mathematical foundation. Consequently, it can be — and has been — entirely formulated in the Twelf meta-logic, and provides an important piece of a Twelf-formalized type-safety proof for Standard ML. The proof works by translation of the singleton type calculus into a canonical presentation, adapted from work on logical frameworks, in which equivalent terms are written identically. Canonical forms are not preserved under standard substitution, so we employ an alternative definition of substitution called hereditary substitution, which contracts redices that arise during substitution. 1