Results 1  10
of
22
A syntactic approach to foundational proofcarrying code
 In Seventeenth IEEE Symposium on Logic in Computer Science
, 2002
"... ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verifie ..."
Abstract

Cited by 94 (19 self)
 Add to MetaCart
ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verified using strictly the foundations of mathematical logic, with no typespecific axioms. FPCC is more flexible and secure because it is not tied to any particular type system and it has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC all required building sophisticated semantic models for types. In this paper, we present a syntactic approach to FPCC that avoids the difficulties of previous work. Under our new scheme, the foundational proof for a typed machine program simply consists of the typing derivation plus the formalized syntactic soundness proof for the underlying type system. We give a translation from a typed assembly language into FPCC and demonstrate the advantages of our new system via an implementation in the Coq proof assistant. 1.
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 55 (5 self)
 Add to MetaCart
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
A Provably Sound TAL for Backend Optimization
, 2003
"... Typed assembly languages provide a way to generate machinecheckable safety proofs for machinelanguage programs. But the soundness proofs of most existing typed assembly languages are handwritten and cannot be machinechecked, which is worrisome for such large calculi. We have designed and impleme ..."
Abstract

Cited by 40 (9 self)
 Add to MetaCart
Typed assembly languages provide a way to generate machinecheckable safety proofs for machinelanguage programs. But the soundness proofs of most existing typed assembly languages are handwritten and cannot be machinechecked, which is worrisome for such large calculi. We have designed and implemented a lowlevel typed assembly language (LTAL) with a semantic model and established its soundness from the model. Compared to existing typed assembly languages, LTAL is more scalable and more secure; it has no macro instructions that hinder lowlevel optimizations such as instruction scheduling; its type constructors are expressive enough to capture dataflow information, support the compiler's choice of data representations and permit typed positionindependent code; and its typechecking algorithm is completely syntaxdirected.
Unifying Type Checking and property checking for lowlevel code
, 2009
"... We present a unified approach to type checking and property checking for lowlevel code. Type checking for lowlevel code is challenging because type safety often depends on complex, programspecific invariants that are difficult for traditional type checkers to express. Conversely, property checking ..."
Abstract

Cited by 35 (12 self)
 Add to MetaCart
We present a unified approach to type checking and property checking for lowlevel code. Type checking for lowlevel code is challenging because type safety often depends on complex, programspecific invariants that are difficult for traditional type checkers to express. Conversely, property checking for lowlevel code is challenging because it is difficult to write concise specifications that distinguish between locations in an untyped program’s heap. We address both problems simultaneously by implementing a type checker for lowlevel code as part of our property checker. We present a lowlevel formalization of a C program’s heap and its types that can be checked with an SMT solver, and we provide a decision procedure for checking type safety. Our type system is flexible enough to support a combination of nominal and structural subtyping for C, on a perstructure basis. We discuss several case studies that demonstrate the ability of this tool to express and check complex type invariants in lowlevel C code, including several small Windows device drivers.
Foundational Proof Checkers with Small Witnesses
, 2003
"... Proof checkers for proofcarrying code (and similar systems) can su#er from two problems: huge proof witnesses and untrustworthy proof rules. No previous design has addressed both of these problems simultaneously. We show the theory, design, and implementation of a proofchecker that permits small p ..."
Abstract

Cited by 24 (6 self)
 Add to MetaCart
Proof checkers for proofcarrying code (and similar systems) can su#er from two problems: huge proof witnesses and untrustworthy proof rules. No previous design has addressed both of these problems simultaneously. We show the theory, design, and implementation of a proofchecker that permits small proof witnesses and machinecheckable proofs of the soundness of the system.
Interfacing hoare logic and type systems for foundational proofcarrying code
 In Proc. 17th International Conference on Theorem Proving in Higher Order Logics, volume 3223 of LNCS
, 2004
"... Abstract. In this paper, we introduce a Foundational ProofCarrying Code (FPCC) framework for constructing certified code packages from typed assembly language that will interface with a similarly certified runtime system. Our framework permits the typed assembly language to have a “foreign function ..."
Abstract

Cited by 23 (4 self)
 Add to MetaCart
Abstract. In this paper, we introduce a Foundational ProofCarrying Code (FPCC) framework for constructing certified code packages from typed assembly language that will interface with a similarly certified runtime system. Our framework permits the typed assembly language to have a “foreign function ” interface, in which stubs, initially provided when the program is being written, are eventually compiled and linked to code that may have been written in a language with a different type system, or even certified directly in the FPCC logic using a proof assistant. We have increased the potential scalability and flexibility of our FPCC system by providing a way to integrate programs compiled from different source type systems. In the process, we are explicitly manipulating the interface between Hoare logic and a syntactic type system. 1
An Indexed Model of Impredicative Polymorphism and Mutable References
, 2003
"... We present a semantic model of the polymorphic lambda calculus augmented with a higherorder store, allowing the storage of values of any type, including impredicative quantified types, mutable references, recursive types, and functions. Our model provides the first denotational semantics for a type ..."
Abstract

Cited by 17 (6 self)
 Add to MetaCart
We present a semantic model of the polymorphic lambda calculus augmented with a higherorder store, allowing the storage of values of any type, including impredicative quantified types, mutable references, recursive types, and functions. Our model provides the first denotational semantics for a type system with updatable references to values of impredicative quantified types. The central idea behind our semantics is that instead of tracking the exact type of a mutable reference in a possible world our model keeps track of the approximate type. While highlevel languages like ML and Java do not themselves support storage of impredicative existential packages in mutable cells, this feature is essential when representing ML function closures, that is, in a target language for typed closure conversion of ML programs.
Construction of a Semantic Model for a Typed Assembly Language
 In Proc. of VMCAI ’04
, 2004
"... Typed Assembly Languages (TALs) can be used to validate the safety of assemblylanguage programs. However, typing rules are usually trusted as axioms. ..."
Abstract

Cited by 14 (3 self)
 Add to MetaCart
Typed Assembly Languages (TALs) can be used to validate the safety of assemblylanguage programs. However, typing rules are usually trusted as axioms.
Verified Software Toolchain
, 2011
"... The software toolchain includes static analyzers to check assertions about programs; optimizing compilers to translate programs to machine language; operating systems and libraries to supply context for programs. Our Verified Software Toolchain verifies with machinechecked proofs that the asserti ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
The software toolchain includes static analyzers to check assertions about programs; optimizing compilers to translate programs to machine language; operating systems and libraries to supply context for programs. Our Verified Software Toolchain verifies with machinechecked proofs that the assertions claimed at the top of the toolchain really hold in the machinelanguage program, running in the operatingsystem context, on a weaklyconsistentsharedmemory machine. Our verification approach is modular, in that proofs about operating systems or concurrency libraries are oblivious of the programming language or machine language, proofs about compilers are oblivious of the program logic used to verify static analyzers, and so on. The approach is scalable, in that each component is verified in the semantic idiom most natural for that component. Finally, the verification is foundational: the trusted base for proofs of observable properties of the machinelanguage program includes only the operational semantics of the machine language, not the source language, the compiler, the program logic, or any other part of the toolchain—even when these proofs are
Oracle Semantics
, 2008
"... We define a Concurrent Separation Logic with firstclass locks and threads for the C language, and prove its soundness in Coq with respect to a compilable operataional semantics. We define the language Concurrent C minor, an extension of the C minor language of Leroy. C minor was designed as the hig ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
We define a Concurrent Separation Logic with firstclass locks and threads for the C language, and prove its soundness in Coq with respect to a compilable operataional semantics. We define the language Concurrent C minor, an extension of the C minor language of Leroy. C minor was designed as the highestlevel intermediate language in the CompCert certified ANSI C compiler, and we add to it lock, unlock, and fork statements to make Concurrent C minor, giving it a standard Pthreads style of concurrency. We define a Concurrent Separation Logic for Concurrent C minor, which extends the original Concurrent Separation Logic of O’Hearn to handle firstclass locks and threads. We then prove the soundness of the logic with respect to the operational semantics of the language. First, we define an erased concurrent operational semantics for Concurrent C minor that is a reasonable abstraction for concurrent execution on a real machine. Second, we define