A Trustworthy Proof Checker
In Iliano Cervesato, editor, Workshop on the Foundations of Computer Security, 2002
Abstract
Cited by 29 (7 self)
Proof-Carrying Code (PCC) and other applications in computer security require machine-checkable proofs of properties of machine-language programs. The main advantage of the PCC approach is that the amount of code that must be explicitly trusted is very small: it consists of the logic in which predicates and proofs are expressed, the safety predicate, and the proof checker. We have built a minimal proof checker, and we explain its design principles and the representation issues of the logic, safety predicate, and safety proofs. We show that the trusted computing base (TCB) in such a system can indeed be very small. In our current system the TCB is less than 2,700 lines of code (an order of magnitude smaller even than other PCC systems), which adds to our confidence in its correctness.
Machine-Checked Real-Time System Verification
, 1996
Abstract
Cited by 1 (1 self)
(Table of contents excerpt; page numbers refer to the thesis)
... System Lemma 108
7.4.2 FM9001 Reasonableness Proof 109
7.4.3 FM9001 Program Proof 111
7.4.4 Deriving the Final Theorem 112
7.5 Invariants Proved in the Quizshow Proof 113
7.5.1 Abstract System Lemma Invariants 114
7.5.2 FM9001 Reasonableness Lemma Invariants 117
7.5.3 Program Correctness Lemma Invariants 118
7.6 The LightSwitch Example 122
7.6.1 A Correctness Lemma 122
7.6.2 A LightSwitch Program Specification 125
7.6.3 Example Execution of the LightSwitch System 126
8. Some Implications of the Proved Real-time System 128
8.1 Execution on the FM9001 Single-board Computer 128
8.2 Comparison with Scheduling Theorem ...
A Detailed Processor Model for Verification of Real-Time Applications
, 1995
Abstract
We describe a microprocessor model and its use for reasoning about real-time applications. The model is very detailed, and is expressed in the logic of a general-purpose theorem proving program that checks proofs. We verify mathematically that the bit vectors constituting an application cause a real-time system to have specified properties.
Key Words: microprocessor, real-time systems, reasoning, verification, mathematical models
1. Introduction
The correct operation of computer systems is difficult to assure because of their immense complexity. Building a reliable computer-based controller in a real-time environment is particularly difficult because events to which the computer must respond occur unpredictably. Many computer systems that operate in a real-time environment are safety-critical, so their correctness is crucial. Formal proofs about computer programs are complex but not very deep, which makes them amenable to mechanical checking. Researchers have proved properties of pr...
Modular Machine Code Verification
, 2007
Abstract
Formally establishing safety properties of software presents a grand challenge to the computer science community. Producing proof-carrying code, i.e., machine code with machine-checkable specifications and proofs, is particularly difficult for system software written in low-level languages. One central problem is the lack of verification theories that can handle the expressive power of low-level code in a modular fashion. In particular, traditional type- and logic-based verification approaches have restrictions on either expressive power or modularity. This dissertation presents XCAP, a logic-based proof-carrying code framework for modular machine code verification. In XCAP, program specifications are written as general logic predicates, in which syntactic constructs are used to modularly specify some crucial higher-order programming concepts for system code, including embedded code pointers, impredicative polymorphism, recursive invariants, and general references, all in a logical setting. Thus, XCAP achieves the expressive power of logic-based approaches and the modularity of type-based approaches. Its meta theory has been completely mechanized and proved.
A Practical Logic Framework for Verifying Safety Properties of Executables
Abstract
We present a novel program logic, Lf, which is designed on top of a Hoare logic but is simpler, more flexible and more scalable. Based on Lf, we develop a framework for automatically verifying safety properties of executables. It utilizes a whole-program interprocedural abstract interpretation to automatically discover the specifications needed by Lf to prove a program judgment. We implemented Lf and the framework in the HOL theorem prover.