Results 1  10
of
128
Foundational ProofCarrying Code
, 2001
"... Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axio ..."
Abstract

Cited by 232 (9 self)
 Add to MetaCart
Proofcarrying code is a framework for the mechanical verification of safety properties of machine language programs, but the problem arises of quis custodiat ipsos custodeswho will verify the verifier itself? Foundational proofcarrying code is verification from the smallest possible set of axioms, using the simplest possible verifier and the smallest possible runtime system. I will describe many of the mathematical and engineering problems to be solved in the construction of a foundational proofcarrying code system.
An Indexed Model of Recursive Types for Foundational ProofCarrying Code
 ACM Transactions on Programming Languages and Systems
, 2000
"... The proofs of "traditional" proof carrying code (PCC) are typespecialized in the sense that they require axioms about a specific type system. In contrast, the proofs of foundational PCC explicitly define all required types and explicitly prove all the required properties of those types as ..."
Abstract

Cited by 136 (13 self)
 Add to MetaCart
The proofs of "traditional" proof carrying code (PCC) are typespecialized in the sense that they require axioms about a specific type system. In contrast, the proofs of foundational PCC explicitly define all required types and explicitly prove all the required properties of those types assuming only a fixed foundation of mathematics such as higherorder logic. Foundational PCC is both more flexible and more secure than typespecialized PCC.
A Certifying Compiler for Java
 ACM SIGPLAN Notices
, 2000
"... This paper presents the initial results of a project to determine if the techniques of proofcarrying code and certifying compilers can be applied to programming languages of realistic size and complexity. The experiment shows that: (1) it is possible to implement a certifying nativecode compiler f ..."
Abstract

Cited by 131 (15 self)
 Add to MetaCart
This paper presents the initial results of a project to determine if the techniques of proofcarrying code and certifying compilers can be applied to programming languages of realistic size and complexity. The experiment shows that: (1) it is possible to implement a certifying nativecode compiler for a large subset of the Java programming language; (2) the compiler is freely able to apply many standard local and global optimizations; and (3) the PCC binaries it produces are of reasonable size and can be rapidly checked for type safety by a small proofchecker. This paper also presents further evidence that PCC provides several advantages for compiler development. In particular, generating proofs of the target code helps to identify compiler bugs, many of which would have been dicult to discover by testing.
A syntactic approach to foundational proofcarrying code
 In Seventeenth IEEE Symposium on Logic in Computer Science
, 2002
"... ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verifie ..."
Abstract

Cited by 94 (19 self)
 Add to MetaCart
ProofCarrying Code (PCC) is a general framework for verifying the safety properties of machinelanguage programs. PCC proofs are usually written in a logic extended with languagespecific typing rules. In Foundational ProofCarrying Code (FPCC), on the other hand, proofs are constructed and verified using strictly the foundations of mathematical logic, with no typespecific axioms. FPCC is more flexible and secure because it is not tied to any particular type system and it has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC all required building sophisticated semantic models for types. In this paper, we present a syntactic approach to FPCC that avoids the difficulties of previous work. Under our new scheme, the foundational proof for a typed machine program simply consists of the typing derivation plus the formalized syntactic soundness proof for the underlying type system. We give a translation from a typed assembly language into FPCC and demonstrate the advantages of our new system via an implementation in the Coq proof assistant. 1.
Toward a Foundational Typed Assembly Language
, 2002
"... We present the design of a typed assembly language called TALT that supports heterogeneous tuples, disjoint sums, and a general account of addressing modes. TALT also implements the von Neumann model in which programs are stored in memory, and supports relative addressing. Type safety for execution ..."
Abstract

Cited by 90 (7 self)
 Add to MetaCart
We present the design of a typed assembly language called TALT that supports heterogeneous tuples, disjoint sums, and a general account of addressing modes. TALT also implements the von Neumann model in which programs are stored in memory, and supports relative addressing. Type safety for execution and for garbage collection are shown by machinecheckable proofs. TALT is the first formalized typed assembly language to provide any of these features.
A type system for certified binaries
 In ACM Symposium on Principles of Programming Languages
, 2002
"... A certified binary is a value together with a proof that the value satisfies a given specification. Existing compilers that generate certified code have focused on simple memory and controlflow safety rather than more advanced properties. In this paper, we present a general framework for explicitly ..."
Abstract

Cited by 84 (12 self)
 Add to MetaCart
A certified binary is a value together with a proof that the value satisfies a given specification. Existing compilers that generate certified code have focused on simple memory and controlflow safety rather than more advanced properties. In this paper, we present a general framework for explicitly representing complex propositions and proofs in typed intermediate and assembly languages. The new framework allows us to reason about certified programs that involve effects while still maintaining decidable typechecking. We show how to integrate an entire proof system (the calculus of inductive constructions) into a compiler intermediate language and how the intermediate language can undergo complex transformations (CPS and closure conversion) while preserving proofs represented in the type system. Our work provides a foundation for the process of automatically generating certified binaries in a typetheoretic framework. 1
Semantics of Types for Mutable State
, 2004
"... Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For in ..."
Abstract

Cited by 55 (5 self)
 Add to MetaCart
Proofcarrying code (PCC) is a framework for mechanically verifying the safety of machine language programs. A program that is successfully verified by a PCC system is guaranteed to be safe to execute, but this safety guarantee is contingent upon the correctness of various trusted components. For instance, in traditional PCC systems the trusted computing base includes a large set of lowlevel typing rules. Foundational PCC systems seek to minimize the size of the trusted computing base. In particular, they eliminate the need to trust complex, lowlevel type systems by providing machinecheckable proofs of type soundness for real machine languages. In this thesis, I demonstrate the use of logical relations for proving the soundness of type systems for mutable state. Specifically, I focus on type systems that ensure the safe allocation, update, and reuse of memory. For each type in the language, I define logical relations that explain the meaning of the type in terms of the operational semantics of the language. Using this model of types, I prove each typing rule as a lemma. The major contribution is a model of System F with general references — that is, mutable cells that can hold values of any closed type including other references, functions, recursive types, and impredicative quantified types. The model is based on ideas from both possible worlds and the indexed model of Appel and McAllester. I show how the model of mutable references is encoded in higherorder logic. I also show how to construct an indexed possibleworlds model for a von Neumann machine. The latter is used in the Princeton Foundational PCC system to prove type safety for a fullfledged lowlevel typed assembly language. Finally, I present a semantic model for a region calculus that supports typeinvariant references as well as memory reuse. iii
Safe and flexible dynamic linking of native code
 In Proceedings of the ACM SIGPLAN Workshop on Types in Compilation
, 2000
"... Abstract. We present the design and implementation of the first complete framework for flexible and safe dynamic linking of native code. Our approach extends Typed Assembly Language with a primitive for loading and typechecking code, which is flexible enough to support a variety of linking strategie ..."
Abstract

Cited by 41 (11 self)
 Add to MetaCart
Abstract. We present the design and implementation of the first complete framework for flexible and safe dynamic linking of native code. Our approach extends Typed Assembly Language with a primitive for loading and typechecking code, which is flexible enough to support a variety of linking strategies, but simple enough that it does not significantly expand the trusted computing base. Using this primitive, along with the ability to compute with types, we show that we can program many existing dynamic linking approaches. As a concrete demonstration, we have used our framework to implement dynamic linking for a typesafe dialect of C, closely modeled after the standard linking facility for Unix C programs. Aside from the unavoidable cost of verification, our implementation performs comparably with the standard, untyped approach. 1
A Provably Sound TAL for Backend Optimization
, 2003
"... Typed assembly languages provide a way to generate machinecheckable safety proofs for machinelanguage programs. But the soundness proofs of most existing typed assembly languages are handwritten and cannot be machinechecked, which is worrisome for such large calculi. We have designed and impleme ..."
Abstract

Cited by 40 (9 self)
 Add to MetaCart
Typed assembly languages provide a way to generate machinecheckable safety proofs for machinelanguage programs. But the soundness proofs of most existing typed assembly languages are handwritten and cannot be machinechecked, which is worrisome for such large calculi. We have designed and implemented a lowlevel typed assembly language (LTAL) with a semantic model and established its soundness from the model. Compared to existing typed assembly languages, LTAL is more scalable and more secure; it has no macro instructions that hinder lowlevel optimizations such as instruction scheduling; its type constructors are expressive enough to capture dataflow information, support the compiler's choice of data representations and permit typed positionindependent code; and its typechecking algorithm is completely syntaxdirected.
Unifying Type Checking and property checking for lowlevel code
, 2009
"... We present a unified approach to type checking and property checking for lowlevel code. Type checking for lowlevel code is challenging because type safety often depends on complex, programspecific invariants that are difficult for traditional type checkers to express. Conversely, property checking ..."
Abstract

Cited by 37 (12 self)
 Add to MetaCart
We present a unified approach to type checking and property checking for lowlevel code. Type checking for lowlevel code is challenging because type safety often depends on complex, programspecific invariants that are difficult for traditional type checkers to express. Conversely, property checking for lowlevel code is challenging because it is difficult to write concise specifications that distinguish between locations in an untyped program’s heap. We address both problems simultaneously by implementing a type checker for lowlevel code as part of our property checker. We present a lowlevel formalization of a C program’s heap and its types that can be checked with an SMT solver, and we provide a decision procedure for checking type safety. Our type system is flexible enough to support a combination of nominal and structural subtyping for C, on a perstructure basis. We discuss several case studies that demonstrate the ability of this tool to express and check complex type invariants in lowlevel C code, including several small Windows device drivers.