This paper explores a new point in the design space of formal reasoning systems - part programming language, part logical framework. The system is built on a programming language where the user expresses equality constraints between types and the type checker then enforces these constraints. This simple extension to the type system allows the programmer to describe properties of his program in the types of witness objects which can be thought of as concrete evidence that the program has the property desired. These techniques and two other rich typing mechanisms, rank-N polymorphism and extensible kinds, create a powerful new programming idiom for writing programs whose types enforce semantic properties. A language with these features is both a practical programming language and a logic. This marriage between two previously separate entities increases the probability that users will apply formal methods to their programming designs. This kind of synthesis creates the foundations for the languages of the future.

Certified code systems protect computers from faulty or malicious code by requiring untrusted software to be accompanied by checkable evidence of its safety. This paper presents a certified code solution to a problem in grid computing, namely, controlling the CPU usage of untrusted programs. Specifically, we propose to endow the runtime system supervising local execution of grid programs with a trusted “yield ” operation, and require the untrusted code to execute this operation with at least a certain frequency. Compliance with this requirement is enforced by a special typed assembly language, which we describe. We also describe a compilation strategy for a generalpurpose programming language that can enforce and certify conformance to such policies automatically without any sophisticated program analyses. This means that owners of hosts participating in the computation network can be confident that executing foreign code will not compromise the availability of their machines for running their own processes, and application programmers do not need to modify their coding style in order to produce compliant software.

Explicit or implicit, enforced or not, safety policies are ubiquitous in software systems. In the many settings where third-party software is executed in the context of a larger client program, the supervisor usually enforces a safety policy that prevents the foreign code from behaving in ways that would disrupt the client, corrupt data or destabilize the system. Certified code provides a static means for controlling the behavior of untrusted programs or components by bringing the power of type systems and formal logic to bear on the problem. Code certification systems that prevent bad memory accesses and enforce the abstractions provided by libraries and runtime system interfaces have been well studied. This thesis presents a system for certifying conformance to timing requirements. The approach is simple, comprising an incremental change to an existing type system for assembly language, but flexible in the set of policies it can enforce. Moreover, in principle, it can be extended to support arbitrarily complex coding idioms. Focusing on a particular timing policy of interest, I describe a compiler that produces certifiably compliant programs with no help from the programmer and only a small impact on runtime performance. Later, I discuss the applicability of both the type

ABSTRACT Certified code systems protect computers from faulty or malicious code by requiring untrusted software to be accompanied by checkable evidence of its safety. This paper presents a certified code solution to a problem in grid computing, namely, controlling the CPU usage of untrusted programs. Specifically, we propose to endow the runtime system supervising local execution of grid programs with a trusted "yield " operation, and require the untrusted code to execute this operation with at least a certain frequency. Compliance with this requirement is enforced by a special typed assembly language, which we describe. We also describe a compilation strategy for a generalpurpose programming language that can enforce and certify conformance to such policies automatically without any sophisticated program analyses. This means that owners of hosts participating in the computation network can be confident that executing foreign code will not compromise the availability of their machines for running their own processes, and application programmers do not need to modify their coding style in order to produce compliant software.

Grid computing has become increasingly popular with the growth of the Internet, especially in large-scale scientific computation. Computational Grids are characterized by their scale, their heterogeneity, and their unreliability, making the creation of Grid software quite a challenge. Security concerns make the deployment of Grid infrastructure similarly daunting.