Proof-Carrying Code, 1997
Cited by 1016 (24 self)
This paper describes proof-carrying code (PCC), a mechanism by which a host system can determine with certainty that it is safe to execute a program supplied (possibly in binary form) by an untrusted source. For this to be possible, the untrusted code producer must supply with the code a safety proof that attests to the code's adherence to a previously defined safety policy. The host can then easily and quickly validate the proof without using cryptography and without consulting any external agents. In order to gain preliminary experience with PCC, we have performed several case studies. We show in this paper how proof-carrying code might be used to develop safe assembly-language extensions of ML programs. In the context of this case study, we present and prove the adequacy of concrete representations for the safety policy, the safety proofs, and the proof validation. Finally, we briefly discuss how we use proof-carrying code to develop network packet filters that are faster than similar filters developed using other techniques and are formally guaranteed to be safe with respect to a given operating system safety policy.
Safe Kernel Extensions Without Run-Time Checking - Proc. of OSDI'96
Cited by 381 (18 self)
This paper describes a mechanism by which an operating system kernel can determine with certainty that it is safe to execute a binary supplied by an untrusted source. The kernel first defines a safety policy and makes it public. Then, using this policy, an application can provide binaries in a special form called proof-carrying code, or simply PCC. Each PCC binary contains, in addition to the native code, a formal proof that the code obeys the safety policy. The kernel can easily validate the proof without using cryptography and without consulting any external trusted entities. If the validation succeeds, the code is guaranteed to respect the safety policy without relying on run-time checks. The main practical difficulty of PCC is in generating the safety proofs. In order to gain some preliminary experience with this, we have written several network packet filters in hand-tuned DEC Alpha assembly language, and then generated PCC binaries for them using a special prototype assembler. The PCC binaries can be executed with no run-time overhead, beyond a one-time cost of 1 to 3 milliseconds for validating the enclosed proofs. The net result is that our packet filters are formally guaranteed to be safe and are faster than packet filters created using Berkeley Packet Filters, Software Fault Isolation, or safe languages such as Modula-3.
Units: Cool Modules for HOT Languages, 1998
Cited by 174 (23 self)
A module system ought to enable assembly-line programming using separate compilation and an expressive linking language. Separate compilation allows programmers to develop parts of a program independently. A linking language gives programmers precise control over the assembly of parts into a whole. This paper presents models of program units, MzScheme's module language for assembly-line programming. Units support separate compilation, independent module reuse, cyclic dependencies, hierarchical structuring, and dynamic linking. The models explain how to integrate units with untyped and typed languages such as Scheme and ML.
Alias Types - In European Symposium on Programming, 1999
Cited by 157 (24 self)
Linear type systems allow destructive operations such as object deallocation and imperative updates of functional data structures. These operations and others, such as the ability to reuse memory at different types, are essential in low-level typed languages. However, traditional linear type systems are too restrictive for use in low-level code where it is necessary to exploit pointer aliasing. We present a new typed language that allows functions to specify the shape of the store that they expect and to track the flow of pointers through a computation. Our type system is expressive enough to represent pointer aliasing and yet safely permit destructive operations.
A Linearly Typed Assembly Language - In Workshop on Types in Compilation
Cited by 136 (35 self)
Today's type-safe low-level languages rely on garbage collection to recycle heap-allocated objects safely. We present LTAL, a safe, low-level, yet simple language that "stands on its own": it guarantees safe execution within a fixed memory space, without relying on external run-time support. We demonstrate the expressiveness of LTAL by giving a type-preserving compiler for the functional core of ML. But this independence comes at a steep price: LTAL's type system imposes a draconian discipline of linearity that ensures that memory can be reused safely, but prohibits any useful kind of sharing. We present the results of experiments with a prototype LTAL system that show just how high the price of linearity can be.
A Certifying Compiler for Java - ACM SIGPLAN Notices, 2000
Cited by 120 (15 self)
This paper presents the initial results of a project to determine if the techniques of proof-carrying code and certifying compilers can be applied to programming languages of realistic size and complexity. The experiment shows that: (1) it is possible to implement a certifying native-code compiler for a large subset of the Java programming language; (2) the compiler is freely able to apply many standard local and global optimizations; and (3) the PCC binaries it produces are of reasonable size and can be rapidly checked for type safety by a small proof-checker. This paper also presents further evidence that PCC provides several advantages for compiler development. In particular, generating proofs of the target code helps to identify compiler bugs, many of which would have been difficult to discover by testing.
A Type System for Object Initialization In the Java Bytecode Language - In Proceedings of ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages & Applications, 1998
Cited by 102 (4 self)
In the standard Java implementation, a Java language program is compiled to Java bytecode. This bytecode may be sent across the network to another site, where it is then interpreted by the Java Virtual Machine. Since bytecode may be written by hand, or corrupted during network transmission, the Java Virtual Machine contains a bytecode verifier that performs a number of consistency checks before code is interpreted. As illustrated by previous attacks on the Java Virtual Machine, these tests, which include type correctness, are critical for system security. In order to analyze existing bytecode verifiers and to understand the properties that should be verified, we develop a precise specification of statically-correct Java bytecode, in the form of a type system. Our focus in this paper is a subset of the bytecode language dealing with object creation and initialization. For this subset, we prove that for every Java bytecode program that satisfies our typing constraints, every object is in...
Compiling Standard ML to Java Bytecodes, 1998
Cited by 99 (12 self)
MLJ compiles SML'97 into verifier-compliant Java bytecodes. Its features include type-checked interlanguage working extensions which allow ML and Java code to call each other, automatic recompilation management, compact compiled code and runtime performance which, using a `just in time' compiling Java virtual machine, usually exceeds that of existing specialised bytecode interpreters for ML. Notable features of the compiler itself include whole-program optimisation based on rewriting, compilation of polymorphism by specialisation, a novel monadic intermediate...
An Overview of the FLINT/ML Compiler - In Proc. 1997 ACM SIGPLAN Workshop on Types in Compilation, 1997
Cited by 86 (17 self)
The FLINT project at Yale aims to build a state-of-the-art systems environment for modern typesafe languages. One important component of the FLINT system is a high-performance type-directed compiler for SML'97 (extended with higher-order modules). The FLINT/ML compiler provides several new capabilities that are not available in other type-based compilers:
- type-directed compilation is carried over across the higher-order module boundaries;
- recursive and mutable data objects can use unboxed representations without incurring expensive runtime cost on heavily polymorphic code;
- parameterized modules (functors) can be selectively specialized, just as normal polymorphic functions;
- new type representations are used to reduce the cost of type manipulation and thus the compilation time.
This paper gives an overview of these novel aspects, and a preliminary report on the current status of the implementation.
A Parallel, Real-Time Garbage Collector, 2001
Cited by 80 (11 self)