Results 1 - 10 of 16
Unifying Type Checking and Property Checking for Low-Level Code, 2009. Cited by 25 (8 self).
We present a unified approach to type checking and property checking for low-level code. Type checking for low-level code is challenging because type safety often depends on complex, program-specific invariants that are difficult for traditional type checkers to express. Conversely, property checking for low-level code is challenging because it is difficult to write concise specifications that distinguish between locations in an untyped program’s heap. We address both problems simultaneously by implementing a type checker for low-level code as part of our property checker. We present a low-level formalization of a C program’s heap and its types that can be checked with an SMT solver, and we provide a decision procedure for checking type safety. Our type system is flexible enough to support a combination of nominal and structural subtyping for C, on a per-structure basis. We discuss several case studies that demonstrate the ability of this tool to express and check complex type invariants in low-level C code, including several small Windows device drivers.
An Open Framework for Foundational Proof-Carrying Code. In Proc. the 2007 ACM SIGPLAN International Workshop on Types in Language Design and Implementation (TLDI’07), 2007. Cited by 16 (8 self).
Software systems usually use many different computation features and span different abstraction levels (e.g., user code level and the runtime system level). To build foundational certified systems, it is hard to have one verification system supporting all computation features. In this paper we present an open framework for foundational proof-carrying code (FPCC). It allows program modules to be specified and certified separately using different type systems or program logics. Certified modules (code + proof) can be linked to compose fully certified systems. The framework supports modular verification and proof reuse. It is extensible, and is expressive enough to allow invariants established in verification systems to be maintained when they are embedded in it. Our framework is the first FPCC framework that systematically supports interoperation between different verification systems. It is fully mechanized in the Coq proof assistant with machine-checkable soundness proof.
A framework for certified program analysis and its applications to mobile-code safety. In International Conf. on Verification, Model Checking, and Abstract Interpretation, 2006.
Proof-transforming compilation of programs with abrupt termination. In Sixth International Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2007), 2007. Cited by 12 (5 self).
The execution of untrusted bytecode programs can produce undesired behavior. A proof on the bytecode programs can be generated to ensure safe execution. Automatic techniques to generate proofs, such as certifying compilation, can only be used for a restricted set of properties such as type safety. Interactive verification of bytecode is difficult due to its unstructured control flow. Our approach is to verify programs on the source level and then translate the proof to the bytecode level. This translation is non-trivial for programs with abrupt termination. We present proof-transforming compilation from Java to Java Bytecode. This paper formalizes
Efficient, verifiable binary sandboxing for a CISC architecture. MIT Computer Science and Artificial Intelligence Lab, May 2005 (also MIT LCS TR #988). Cited by 9 (2 self).
Executing untrusted code while preserving security requires enforcement of memory and control-flow safety policies: untrusted code must be prevented from modifying memory or executing code except as explicitly allowed. Software-based fault isolation (SFI) or “sandboxing” enforces those policies by rewriting the untrusted code at the level of individual instructions. However, the original sandboxing technique of Wahbe et al. is applicable only to RISC architectures, and other previous work is either insecure, or has not been described in enough detail to give confidence in its security properties. We present a novel technique that allows sandboxing to be easily applied to a CISC architecture like the IA-32. The technique can be verified to have been applied at load time, so that neither the rewriting tool nor the compiler needs to be trusted. We describe a prototype implementation which provides a robust security guarantee, is scalable to programs of any size, and has low runtime overheads. Further, we give a machine-checked proof that any program approved by the verification algorithm is guaranteed to respect the desired safety property.
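The security argument in the abstract above rests on the load-time verifier, not the rewriter: if the checker is small and its rules are simple, a buggy or malicious rewriter can at worst produce code the loader rejects. The following toy verifier is an added example written for this page; it is not the paper's verifier and its rules are a simplification. It assumes a made-up policy (16-byte instruction chunks, a code region tagged 0x10 and a data region tagged 0x20, masks DATA_MASK and CODE_MASK, pre-decoded instructions with caller-supplied sizes) and two constructed instruction sequences, one that a correct rewriter might emit and one with the classic mistakes: an unmasked store, a mask and its use split across a chunk boundary (so a jump to the chunk start skips the mask), a misaligned direct jump, an unrewritten `ret`, and an instruction straddling two chunks.

```python
import re
from dataclasses import dataclass

# Toy SFI policy (constructed for this example; real systems use different
# regions, masks and rules).  Code and data live in separate 16 MiB regions
# whose addresses carry a fixed tag in the top byte.
CHUNK = 16                                   # instruction bundle size
CODE_BASE, CODE_SIZE = 0x10000000, 0x01000000
DATA_BASE, DATA_SIZE = 0x20000000, 0x01000000
# AND-ing an address with these masks forces it into the region (and, for
# code, onto a chunk boundary).  A real scheme must also ensure addresses
# whose tag bits are already zero cannot escape the sandbox, e.g. by keeping
# the zero-tag region unmapped; that and stack-relative accesses are omitted.
DATA_MASK = DATA_BASE | (DATA_SIZE - 1)                   # 0x20ffffff
CODE_MASK = CODE_BASE | ((CODE_SIZE - 1) & ~(CHUNK - 1))  # 0x10fffff0

MEM = re.compile(r"^\[(\w+)\]$")           # memory operand such as [ebx]
IMM = re.compile(r"^0x[0-9a-fA-F]+$")     # hex immediate


@dataclass
class Insn:
    addr: int
    size: int
    op: str
    args: list


def parse(addr, size, text):
    """Decode one pre-disassembled instruction.  Sizes are supplied by the
    caller in this toy; a real verifier takes them from its own decoder."""
    op, _, rest = text.strip().partition(" ")
    args = [a.strip() for a in rest.split(",")] if rest else []
    return Insn(addr, size, op.lower(), args)


def in_code(addr):
    return CODE_BASE <= addr < CODE_BASE + CODE_SIZE


def masked_by(prev, ins, reg, mask):
    """True if the instruction right before `ins` is `and reg, mask` and both
    sit in the same chunk, so no jump can land between the mask and its use."""
    return (prev is not None and prev.op == "and" and len(prev.args) == 2
            and prev.args[0] == reg and IMM.match(prev.args[1]) is not None
            and int(prev.args[1], 16) == mask
            and prev.addr // CHUNK == ins.addr // CHUNK)


def verify(program):
    """Return the list of policy violations; an empty list means the
    rewritten code is accepted for loading."""
    errs, prev = [], None
    for ins in (parse(*t) for t in program):
        where = f"{ins.addr:#010x}: {ins.op} {', '.join(ins.args)}".rstrip()
        last = ins.addr + ins.size - 1
        if not (in_code(ins.addr) and in_code(last)):
            errs.append(f"{where} - lies outside the code region")
        if ins.addr // CHUNK != last // CHUNK:
            errs.append(f"{where} - straddles a chunk boundary")
        for a in ins.args:                    # every memory operand must be masked
            m = MEM.match(a)
            if m and not masked_by(prev, ins, m.group(1), DATA_MASK):
                errs.append(f"{where} - access through {m.group(1)} is not data-masked in this chunk")
        if ins.op in ("jmp", "call"):
            tgt = ins.args[0]
            if IMM.match(tgt):                # direct: target must be a chunk start
                t = int(tgt, 16)
                if not in_code(t) or t % CHUNK:
                    errs.append(f"{where} - direct target is not a chunk-aligned code address")
            elif not masked_by(prev, ins, tgt, CODE_MASK):
                errs.append(f"{where} - indirect target {tgt} is not code-masked in this chunk")
        if ins.op == "ret":                   # rewriter must emit pop + mask + jmp instead
            errs.append(f"{where} - ret is not allowed")
        prev = ins
    return errs


# Constructed sample output of a hypothetical rewriter; sizes are illustrative.
GOOD = [
    (0x10000000, 5, "and ebx, 0x20ffffff"),   # mask, then store, same chunk
    (0x10000005, 2, "mov [ebx], eax"),
    (0x10000007, 9, "nop"),                   # pad to the chunk boundary
    (0x10000010, 5, "and ecx, 0x10fffff0"),   # mask, then indirect jump
    (0x10000015, 2, "jmp ecx"),
    (0x10000017, 9, "nop"),
    (0x10000020, 5, "jmp 0x10000000"),        # direct jump to a chunk start
]
BAD = [
    (0x10000000, 2, "mov [ebx], eax"),        # store through an unmasked register
    (0x10000002, 9, "nop"),
    (0x1000000b, 5, "and ecx, 0x10fffff0"),   # mask ends this chunk ...
    (0x10000010, 2, "jmp ecx"),               # ... use starts the next: a jump to 0x10000010 skips the mask
    (0x10000012, 5, "jmp 0x10000005"),        # direct target in the middle of a chunk
    (0x10000017, 1, "ret"),                   # unrewritten return
    (0x10000018, 10, "nop"),                  # straddles 0x10000020
]

if __name__ == "__main__":
    print("GOOD:", verify(GOOD) or "accepted")
    for e in verify(BAD):
        print("BAD: ", e)
```

The rules are deliberately local (each check looks at one instruction and its predecessor), which is what keeps such a verifier small enough to trust and to prove correct; the chunk rule is what lets the "immediately preceding mask" reasoning survive arbitrary computed jumps.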
Formalizing Proof-Transforming Compilation of Eiffel programs, 2008. Cited by 7 (3 self).
In modern development schemes the processing of programs often involves an intermediate step of translation to some intermediate bytecode, complicating the verification task. Expanding on the ideas of Proof-Carrying Code (PCC), we have built a proof-transforming compiler which translates a contract-equipped program and its proof into bytecode representing both the program and the proof; before execution starts, the program will be run through a proof checker. The proofs address not only security properties, as in the original PCC work, but full functional correctness as expressed by the original contracts. The task of the proof-transforming compiler is made particularly challenging by the impedance mismatch between the source language, Eiffel, and the target code, .NET CIL, which does not directly support such important Eiffel mechanisms as multiple inheritance and contract-based exceptions. We present the overall proof-transforming compilation architecture, the issues encountered, and the solutions that have been devised to bridge the impedance mismatch.
Code-Carrying Authorization. Cited by 6 (3 self).
In authorization, there is often a wish to shift the burden of proof to those making requests, since they may have more resources and more specific knowledge to construct the required proofs. We introduce an extreme instance of this approach, which we call Code-Carrying Authorization (CCA). With CCA, access-control decisions can partly be delegated to untrusted code obtained at run-time. The dynamic verification of this code ensures the safety of authorization decisions. We define and study this approach in the setting of a higher-order spi calculus. The type system of this calculus provides the needed support for static and dynamic verification.
BCiC: A system for code authentication and verification. In Proceedings of the 11th International Conference on Logic for Programming Artificial Intelligence and Reasoning (LPAR’04), 2005. Cited by 4 (4 self).
We present BCiC, a system for verifying and authenticating code that combines language-based proof methods with public-key digital signatures. BCiC aims to augment the rigor of formal proofs about intrinsic properties of code by relying on authentication and trust relations. BCiC integrates the Binder security language with the Calculus of (Co)Inductive Constructions (CiC). In this respect, it is a descendant of our previous logic BLF, which was based on LF rather than CiC. This paper focuses on the architecture and implementation of BCiC. In addition to a logical inference engine, the design most notably includes a network communication module for the efficient exchange of logical facts between hosts, and a cryptography module for generating and checking signatures. The implementation cooperates with the Open Verifier, a state-of-the-art system for proof-carrying code with modular checkers.
Using dependent types to certify the safety of assembly code. In SAS’05, 2005. Cited by 4 (1 self).
There are many source-level analyses or instrumentation tools that enforce various safety properties. In this paper we present an infrastructure that can be used to check independently that the assembly output of such tools has the desired safety properties. By working at assembly level we avoid the complications with unavailability of source code, with source-level parsing, and we certify the code that is actually deployed. The novel feature of the framework is an extensible dependently-typed framework that supports type inference and mutation of dependent values in memory. The type system can be extended with new types as needed for the source-level tool that is certified. Using these dependent types, we are able to express the invariants enforced by CCured, a source-level instrumentation tool that guarantees type safety in legacy C programs. We can therefore check that the x86 assembly code resulting from compilation with CCured is in fact type-safe.
Formalizing Proof-Transforming Compilation of Eiffel programs, 2008. Cited by 3 (1 self).
The execution of mobile code can produce unexpected behavior, which may compromise security and correctness of a software system. Proof-Carrying Code allows one to execute mobile code in a safe way by checking a formal proof before the code is executed. However, automatic generation of proofs works only for basic safety properties such as type safety. To apply PCC to functional correctness properties, we propose to verify the source program interactively and then to translate the proof to bytecode. This proof translation is relatively straightforward if the source and target language are similar, such as Java and Java bytecode, but poses challenges for more complex translations. In this paper, we present a proof-transforming compiler for a subset of Eiffel to the .NET CIL. In particular, we show how the