Proof-Carrying Code (PCC) and other applications in computer security require machine-checkable proofs of properties of machine-language programs. The main advantage of the PCC approach is that the amount of code that must be explicitly trusted is very small: it consists of the logic in which predicates and proofs are expressed, the safety predicate, and the proof checker. We have built a minimal proof checker, and we explain its design principles, and the representation issues of the logic, safety predicate, and safety proofs. We show that the trusted computing base (TCB) in such a system can indeed be very small. In our current system the TCB is less than 2,700 lines of code (an order of magnitude smaller even than other PCC systems) which adds to our confidence of its correctness.

This paper provides a retrospective view of the design of SRI's Provably Secure Operating System (PSOS), a formally specified tagged-capability hierarchical system architecture. It examines PSOS in the light of what has happened in computer system developments since 1980, and assesses the relevance of the PSOS concepts in that light.

We present a proof of the optimality of lambda-mix, Gomard's partial evaluator for an untyped applied lambda calculus. We also report on a mechanically verified version of the proof, which was done using Isabelle/HOL, the typed higher order logic instance of the generic proof system Isabelle.

Abstract. HW-Hume is the decidable Hume level oriented to direct implementation in hardware. As a first stage in the development of a verified compiler from HW-Hume to Java, we have implemented the semantics of HW-Hume in the Isabelle/HOL theorem prover, enabling the automatic proof of correctness of programs in a Floyd/Hoare style. 1

Abstract not found

and to Remix (to make derivative works), under the following conditions: (1) Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). (2) Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license. Alternatively, permission is also granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2