A Trustworthy Proof Checker
In Iliano Cervesato, editor, Workshop on the Foundations of Computer Security, 2002
Cited by 29 (7 self)

Abstract
Proof-Carrying Code (PCC) and other applications in computer security require machine-checkable proofs of properties of machine-language programs. The main advantage of the PCC approach is that the amount of code that must be explicitly trusted is very small: it consists of the logic in which predicates and proofs are expressed, the safety predicate, and the proof checker. We have built a minimal proof checker, and we explain its design principles and the representation issues of the logic, safety predicate, and safety proofs. We show that the trusted computing base (TCB) in such a system can indeed be very small. In our current system the TCB is less than 2,700 lines of code (an order of magnitude smaller even than other PCC systems), which adds to our confidence in its correctness.
PSOS Revisited
2003
Cited by 8 (2 self)

Abstract
This paper provides a retrospective view of the design of SRI's Provably Secure Operating System (PSOS), a formally specified tagged-capability hierarchical system architecture. It examines PSOS in the light of what has happened in computer system developments since 1980, and assesses the relevance of the PSOS concepts in that light.
Mechanical Proof of the Optimality of a Partial Evaluator
1999
Cited by 2 (0 self)

Abstract
We present a proof of the optimality of lambda-mix, Gomard's partial evaluator for an untyped applied lambda calculus. We also report on a mechanically verified version of the proof, which was done using Isabelle/HOL, the typed higher-order logic instance of the generic proof system Isabelle.
HW-Hume in Isabelle
Abstract
HW-Hume is the decidable Hume level oriented to direct implementation in hardware. As a first stage in the development of a verified compiler from HW-Hume to Java, we have implemented the semantics of HW-Hume in the Isabelle/HOL theorem prover, enabling the automatic proof of correctness of programs in a Floyd/Hoare style.
By
Abstract
and to Remix (to make derivative works), under the following conditions: (1) Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). (2) Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same, similar or a compatible license. Alternatively, permission is also granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2
Translation Validation: Automatically Proving the Correctness of Translations Involving Optimized Code
Abstract
and Proof-Carrying Code)

Definition: a means for proving, for a given compiler (or any program translation procedure) for a high-level language H and a low-level language L, that a program written in H is successfully translated to L.

Motivation is the desire to prove that optimizations performed during the translation process are correct:
1. Often, optimizations are heuristics.
2. Optimizations could be performed by simply peering over the code.

The proof procedure should be independent of the translation process (e.g., the compiler). The notion of correctness must be defined carefully. We need a representation that reflects properties of both the high- and low-level language programs. It must identify:
1. Critical semantic properties of the high-level language.
2. The interrelationship to the instruction set of the computer executing the resulting translation.
Abstract

An Air Force evaluation of Multics, and Ken Thompson's famous Turing award lecture "Reflections on Trusting Trust," showed that compilers can be subverted to insert malicious Trojan horses into critical software, including themselves. If this attack goes undetected, even complete analysis of a system's source code will not find the malicious code that is running, and methods for detecting this particular attack are not widely known. This paper describes a practical technique, termed diverse double-compiling (DDC), that detects this attack and some compiler defects as well. Simply recompile the source code twice: once with a second (trusted) compiler, and again using the result of the first compilation. If the result is bit-for-bit identical with the untrusted binary, then the source code accurately represents the binary. This technique has been mentioned informally, but its issues and ramifications have not been identified or discussed in a peer-reviewed work, nor has a public demonstration been made. This paper describes the technique, justifies it, describes how to overcome practical challenges, and demonstrates it.