Results 1  10
of
12
Foundational ProofCarrying Code
, 2001
"... Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axio ..."
Abstract

Cited by 232 (9 self)
 Add to MetaCart
Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axioms, using the simplest possible verifier and the smallest possible runtime system. I will describe many of the mathematical and engineering problems to be solved in the construction of a foundational proofcarrying code system.
An Indexed Model of Recursive Types for Foundational ProofCarrying Code
 ACM Transactions on Programming Languages and Systems
, 2000
"... The proofs of "traditional" proof carrying code (PCC) are typespecialized in the sense that they require axioms about a specific type system. In contrast, the proofs of foundational PCC explicitly define all required types and explicitly prove all the required properties of those types as ..."
Abstract

Cited by 136 (13 self)
 Add to MetaCart
The proofs of "traditional" proof carrying code (PCC) are typespecialized in the sense that they require axioms about a specific type system. In contrast, the proofs of foundational PCC explicitly define all required types and explicitly prove all the required properties of those types assuming only a fixed foundation of mathematics such as higherorder logic. Foundational PCC is both more flexible and more secure than typespecialized PCC.
A syntactic approach to foundational proofcarrying code
 In Seventeenth IEEE Symposium on Logic in Computer Science
, 2002
"... ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verifie ..."
Abstract

Cited by 94 (19 self)
 Add to MetaCart
ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verified using strictly the foundations of mathematical logic, with no typespecific axioms. FPCC is more flexible and secure because it is not tied to any particular type system and it has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC all required building sophisticated semantic models for types. In this paper, we present a syntactic approach to FPCC that avoids the difficulties of previous work. Under our new scheme, the foundational proof for a typed machine program simply consists of the typing derivation plus the formalized syntactic soundness proof for the underlying type system. We give a translation from a typed assembly language into FPCC and demonstrate the advantages of our new system via an implementation in the Coq proof assistant. 1.
A type system for certified binaries
 In ACM Symposium on Principles of Programming Languages
, 2002
"... A certified binary is a value together with a proof that the value satisfies a given specification. Existing compilers that generate certified code have focused on simple memory and controlflow safety rather than more advanced properties. In this paper, we present a general framework for explicitly ..."
Abstract

Cited by 84 (12 self)
 Add to MetaCart
A certified binary is a value together with a proof that the value satisfies a given specification. Existing compilers that generate certified code have focused on simple memory and controlflow safety rather than more advanced properties. In this paper, we present a general framework for explicitly representing complex propositions and proofs in typed intermediate and assembly languages. The new framework allows us to reason about certified programs that involve effects while still maintaining decidable typechecking. We show how to integrate an entire proof system (the calculus of inductive constructions) into a compiler intermediate language and how the intermediate language can undergo complex transformations (CPS and closure conversion) while preserving proofs represented in the type system. Our work provides a foundation for the process of automatically generating certified binaries in a typetheoretic framework. 1
Propertybased attestation for computing platforms: caring about properties, not mechanisms
 NSPW '04 Proceedings of the 2004 workshop on
, 2004
"... Over the past years, the computing industry has started various initiatives announced to increase computer security by means of new hardware architectures. The most notable effort is the Trusted Computing Group (TCG) and the NextGeneration Secure Computing Base (NGSCB). This technology offers usefu ..."
Abstract

Cited by 76 (7 self)
 Add to MetaCart
Over the past years, the computing industry has started various initiatives announced to increase computer security by means of new hardware architectures. The most notable effort is the Trusted Computing Group (TCG) and the NextGeneration Secure Computing Base (NGSCB). This technology offers useful new functionalities as the possibility to verify the integrity of a platform (attestation) or binding quantities on a specific platform (sealing). In this paper, we point out the deficiencies of the attestation and sealing functionalities proposed by the existing specification of the TCG: we show that these mechanisms can be misused to discriminate certain platforms, i.e., their operating systems and consequently the corresponding vendors. A particular problem in this context is that of managing the multitude of possible configurations. Moreover, we highlight other shortcomings related to the attestation, namely system updates and backup. Clearly, the consequences caused by these problems lead to an unsatisfactory situation both for the private and business branch, and to an unbalanced market when such platforms are in wide use. To overcome these problems generally, we propose a completely new approach: the attestation of a platform should not depend on the specific software or/and hardware (configuration) as it is today’s practice but only on the “properties” that the platform offers. Thus, a propertybased attestation should only verify whether these properties are sufficient to fulfill certain (security) requirements of the party who asks for attestation. We propose and discuss a variety of solutions based on the existing Trusted Computing (TC) functionality. We also demonstrate, how a propertybased attestation protocol can be realized based on the existing TC hardware such as a Trusted Platform Module (TPM).
Building Certified Libraries for PCC: Dynamic Storage Allocation
, 2003
"... ProofCarrying Code (PCC) allows a code producer to provide to a host a program along with its formal safety proof. The proof attests a certain safety policy enforced by the code, and can be mechanically checked by the host. While this languagebased approach to code certification is very general in ..."
Abstract

Cited by 33 (9 self)
 Add to MetaCart
ProofCarrying Code (PCC) allows a code producer to provide to a host a program along with its formal safety proof. The proof attests a certain safety policy enforced by the code, and can be mechanically checked by the host. While this languagebased approach to code certification is very general in principle, existing PCC systems have only focused on programs whose safety proofs can be automatically generated.
An Abstract Model of Certificate Translation
"... A certificate is a mathematical object that can be used to establish that a piece of mobile code satisfies some security policy. In general, certificates cannot be generated automatically. There is thus an interest in developing methods to reuse certificates generated for source code to provide stro ..."
Abstract
 Add to MetaCart
A certificate is a mathematical object that can be used to establish that a piece of mobile code satisfies some security policy. In general, certificates cannot be generated automatically. There is thus an interest in developing methods to reuse certificates generated for source code to provide strong guarantees of the compiled code correctness. Certificate translation is a method to transform certificates of program correctness along semantically justified program transformations. These methods have been developed in previous work, but they were strongly dependent on particular programming and verification settings. This article provides a more general development in the setting of abstract interpretation, showing the scalability of certificate translation.
Intel Corporation and
"... A certified binary is a value together with a proof that the value satisfies a given specification. Existing compilers that generate certified code have focused on simple memory and controlflow safety rather than more advanced properties. In this article, we present a general framework for explicit ..."
Abstract
 Add to MetaCart
A certified binary is a value together with a proof that the value satisfies a given specification. Existing compilers that generate certified code have focused on simple memory and controlflow safety rather than more advanced properties. In this article, we present a general framework for explicitly representing complex propositions and proofs in typed intermediate and assembly languages. The new framework allows us to reason about certified programs that involve effects while still maintaining decidable typechecking. We show how to integrate an entire proof system (the calculus of inductive constructions) into a compiler intermediate language and how the intermediate language can undergo complex transformations (CPS and closure conversion) while preserving proofs represented in the type system. Our work provides a foundation for the process of automatically generating certified binaries in a typetheoretic framework.
Abstract A Type System For Certified Runtime Type Analysis
, 2002
"... Modern programming paradigms are increasingly giving rise to applications that require type information at runtime. For example, services like garbage collection, marshalling, and serialization need to analyze type information at runtime. When compiling code which uses runtime type inspections, mos ..."
Abstract
 Add to MetaCart
Modern programming paradigms are increasingly giving rise to applications that require type information at runtime. For example, services like garbage collection, marshalling, and serialization need to analyze type information at runtime. When compiling code which uses runtime type inspections, most existing compilers use untyped intermediate languages and discard type information at an early stage. Unfortunately, such an approach is incompatible with typebased certifying compilation. A certifying compiler generates not only the code but also a proof that the code obeys a security policy. Therefore, one need not trust the correctness of a compiler generating certified code, instead one can verify the correctness of the generated code. This allows a code consumer to accept code from untrusted sources which is specially advantageous in a networked environment. In practice, most certifying compilers use a type system for generating and encoding the proofs. These systems are called typebased certifying compilers. This dissertation describes a type system that can be used for supporting runtime type analysis in typebased certifying compilers. The type system has two novel features. First, type analysis can be applied to the type of any runtime value. In particular quantified