Results 1 - 5 of 5
A Trustworthy Proof Checker
In Iliano Cervesato, editor, Workshop on the Foundations of Computer Security, 2002
Cited by 27 (7 self)
Abstract: Proof-Carrying Code (PCC) and other applications in computer security require machine-checkable proofs of properties of machine-language programs. The main advantage of the PCC approach is that the amount of code that must be explicitly trusted is very small: it consists of the logic in which predicates and proofs are expressed, the safety predicate, and the proof checker. We have built a minimal proof checker, and we explain its design principles and the representation issues of the logic, safety predicate, and safety proofs. We show that the trusted computing base (TCB) in such a system can indeed be very small. In our current system the TCB is less than 2,700 lines of code (an order of magnitude smaller even than other PCC systems), which adds to our confidence in its correctness.
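As an added illustration of the small-TCB argument in the abstract above (this is not code from the paper, and the logic, names and example proposition are assumptions made for the illustration), the following Python checker for a toy propositional logic shows how trust is divided in PCC: the proof term may come from any untrusted producer, while the consumer trusts only the proposition syntax, the inference rules implemented in `infer`, and its own statement of the safety predicate. The checker accepts a proof only if it establishes exactly that predicate; a well-formed proof of some other proposition is rejected.

```python
"""Toy proof checker in the spirit of Proof-Carrying Code (PCC).

Added illustration, not code from the paper: a minimal checker for
propositional logic with implication and conjunction.  The trusted
computing base is the proposition syntax plus `infer` (the inference
rules); the proof terms are supplied by an untrusted producer.
"""
from dataclasses import dataclass
from typing import Union

# ---- Propositions (trusted: the logic in which claims are stated)
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Imp:      # A -> B
    left: "Prop"
    right: "Prop"

@dataclass(frozen=True)
class And:      # A /\ B
    left: "Prop"
    right: "Prop"

Prop = Union[Var, Imp, And]

# ---- Proof terms (untrusted: shipped alongside the code by the producer)
@dataclass(frozen=True)
class Hyp:      # use hypothesis `name` from the context
    name: str

@dataclass(frozen=True)
class Lam:      # ->-introduction: assume `name : ante`, prove `body`
    name: str
    ante: Prop
    body: "Proof"

@dataclass(frozen=True)
class App:      # ->-elimination (modus ponens)
    fn: "Proof"
    arg: "Proof"

@dataclass(frozen=True)
class Pair:     # /\-introduction
    left: "Proof"
    right: "Proof"

@dataclass(frozen=True)
class Fst:      # /\-elimination, left component
    pair: "Proof"

@dataclass(frozen=True)
class Snd:      # /\-elimination, right component
    pair: "Proof"

Proof = Union[Hyp, Lam, App, Pair, Fst, Snd]

class ProofError(Exception):
    pass

def infer(ctx: dict, proof: Proof) -> Prop:
    """Return the proposition `proof` establishes under hypotheses `ctx`,
    or raise ProofError.  This function is the whole trusted checker."""
    if isinstance(proof, Hyp):
        if proof.name not in ctx:
            raise ProofError(f"unknown hypothesis {proof.name}")
        return ctx[proof.name]
    if isinstance(proof, Lam):
        inner = dict(ctx)
        inner[proof.name] = proof.ante
        return Imp(proof.ante, infer(inner, proof.body))
    if isinstance(proof, App):
        f = infer(ctx, proof.fn)
        a = infer(ctx, proof.arg)
        if not isinstance(f, Imp) or f.left != a:
            raise ProofError(f"cannot apply {f} to {a}")
        return f.right
    if isinstance(proof, Pair):
        return And(infer(ctx, proof.left), infer(ctx, proof.right))
    if isinstance(proof, (Fst, Snd)):
        p = infer(ctx, proof.pair)
        if not isinstance(p, And):
            raise ProofError(f"projection from non-conjunction {p}")
        return p.left if isinstance(proof, Fst) else p.right
    raise ProofError(f"malformed proof term {proof!r}")

def check(proof: Proof, claimed: Prop) -> bool:
    """Consumer side of PCC: accept only if the shipped proof proves
    exactly the safety predicate the consumer itself states."""
    try:
        return infer({}, proof) == claimed
    except ProofError:
        return False

# ---- Constructed example: producer proves (A /\ B) -> (B /\ A).
A, B = Var("A"), Var("B")
SAFETY = Imp(And(A, B), And(B, A))            # the consumer's own predicate
GOOD_PROOF = Lam("h", And(A, B), Pair(Snd(Hyp("h")), Fst(Hyp("h"))))
BAD_PROOF = Lam("h", And(A, B), Pair(Fst(Hyp("h")), Snd(Hyp("h"))))  # proves A/\B -> A/\B instead

if __name__ == "__main__":
    print("good proof accepted:", check(GOOD_PROOF, SAFETY))
    print("bad proof accepted: ", check(BAD_PROOF, SAFETY))
```

The bad proof is well-formed and proves a true proposition, just not the one the consumer demands; rejecting it rather than trusting the producer's claimed conclusion is the whole point of keeping the comparison against the consumer's own predicate inside the TCB.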
Machine-Checked Real-Time System Verification
1996
Table of contents (fragment, as indexed in place of an abstract):
System Lemma
7.4.2 FM9001 Reasonableness Proof
7.4.3 FM9001 Program Proof
7.4.4 Deriving the Final Theorem
7.5 Invariants Proved in the Quiz-show Proof
7.5.1 Abstract System Lemma Invariants
7.5.2 FM9001 Reasonableness Lemma Invariants
7.5.3 Program Correctness Lemma Invariants
7.6 The Light-Switch Example
7.6.1 A Correctness Lemma
7.6.2 A Light-Switch Program Specification
7.6.3 Example Execution of the Light-Switch System
8. Some Implications of the Proved Real-time System
8.1 Execution on the FM9001 Single-board Computer
8.2 Comparison with Scheduling Theorem ...
A Detailed Processor Model for Verification of Real-time Applications
1995
Abstract: We describe a microprocessor model and its use for reasoning about real-time applications. The model is very detailed, and is expressed in the logic of a general-purpose theorem proving program that checks proofs. We verify mathematically that the bit vectors constituting an application cause a real-time system to have specified properties.
Key words: microprocessor, real-time systems, reasoning, verification, mathematical models
1. Introduction (fragment): The correct operation of computer systems is difficult to assure because of their immense complexity. Building a reliable computer-based controller in a real-time environment is particularly difficult because events to which the computer must respond occur unpredictably. Many computer systems that operate in a real-time environment are safety-critical, so their correctness is crucial. Formal proofs about computer programs are complex but not very deep, which makes them amenable to mechanical checking. Researchers have proved properties of pr...
Modular Machine Code Verification
2007
Abstract: Formally establishing safety properties of software presents a grand challenge to the computer science community. Producing proof-carrying code, i.e., machine code with machine-checkable specifications and proofs, is particularly difficult for system software written in low-level languages. One central problem is the lack of verification theories that can handle the expressive power of low-level code in a modular fashion. In particular, traditional type- and logic-based verification approaches have restrictions on either expressive power or modularity. This dissertation presents XCAP, a logic-based proof-carrying code framework for modular machine code verification. In XCAP, program specifications are written as general logic predicates, in which syntactic constructs are used to modularly specify some crucial higher-order programming concepts for system code, including embedded code pointers, impredicative polymorphism, recursive invariants, and general references, all in a logical setting. Thus, XCAP achieves the expressive power of logic-based approaches and the modularity of type-based approaches. Its meta theory has been completely mechanized and proved.
A Practical Logic Framework for Verifying Safety Properties of Executables
Abstract: We present a novel program logic, Lf, which is designed on top of a Hoare logic but is simpler, more flexible and more scalable. Based on Lf, we develop a framework for automatically verifying safety properties of executables. It utilizes a whole-program interprocedural abstract interpretation to automatically discover the specifications needed by Lf to prove a program judgment. We implemented Lf and the framework in the HOL theorem prover.

