## A syntactic approach to foundational proof-carrying code (2002)

### Cached

### Download Links

- [www.utdallas.edu]
- [www.utdallas.edu]
- [flint.cs.yale.edu]
- [flint.cs.yale.edu]
- [flint.cs.yale.edu]
- [flint.cs.yale.edu]
- [flint.cs.yale.edu]
- [flint.cs.yale.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | In Seventeenth IEEE Symposium on Logic in Computer Science |

Citations: | 93 - 19 self |

### BibTeX

@INPROCEEDINGS{Hamid02asyntactic,

author = {Nadeem A. Hamid and Zhong Shao and Valery Trifonov and Stefan Monnier and Zhaozhong Ni},

title = {A syntactic approach to foundational proof-carrying code},

booktitle = {In Seventeenth IEEE Symposium on Logic in Computer Science},

year = {2002},

pages = {89--100}

}

### Years of Citing Articles

### OpenURL

### Abstract

Proof-Carrying Code (PCC) is a general framework for verifying the safety properties of machine-language programs. PCC proofs are usually written in a logic extended with language-specific typing rules. In Foundational Proof-Carrying Code (FPCC), on the other hand, proofs are constructed and verified using strictly the foundations of mathematical logic, with no type-specific axioms. FPCC is more flexible and secure because it is not tied to any particular type system and it has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC all required building sophisticated semantic models for types. In this paper, we present a syntactic approach to FPCC that avoids the difficulties of previous work. Under our new scheme, the foundational proof for a typed machine program simply consists of the typing derivation plus the formalized syntactic soundness proof for the underlying type system. We give a translation from a typed assembly language into FPCC and demonstrate the advantages of our new system via an implementation in the Coq proof assistant. 1.

### Citations

1091 | Proof-Carrying Code
- Necula
- 1997
(Show Context)
Citation Context ...ssembly language into FPCC and demonstrate the advantages of our new system via an implementation in the Coq proof assistant. 1. Introduction Proof-Carrying Code (PCC), as pioneered by Necula and Lee =-=[17, 15]-=-, allows a code producer to provide a machinelanguage program to a host along with a formal proof of its safety. The proof can be mechanically checked by the host and the producer need not be trusted ... |

587 | From system F to typed assembly language
- Morrisett, Walker, et al.
- 1999
(Show Context)
Citation Context ... of the existing work has shown how to use the syntactic proof to build the foundational proof. In addition, we show in Sections 3 and 4 that naïvely combining existing typed assembly languages (TAL) =-=[14, 13, 25]-=- with their soundness proofs do not necessarily produce valid FPCC. • The relationship between TAL [14] and PCC [17] has never been made precise even though the two are considered as related approache... |

539 | A Syntactic Approach to Type Soundness
- Wright, Felleisen
- 1994
(Show Context)
Citation Context ...ying type system). Here the typing derivation can be readily obtained from a type-checker while the syntactic soundness proof is known to be muchseasier to construct than the semantic soundness proof =-=[24]-=-. Our paper makes the following new contributions: • Foundational proofs are widely perceived as extremely hard and tedious to construct, partly because existing efforts [4, 8, 1, 5, 2, 21] on FPCC ha... |

471 |
The calculus of constructions
- Coquand, Huet
- 1988
(Show Context)
Citation Context ...tions of mathematics. 2.1. The logic To encode our safety policies and proofs, we use the calculus of inductive constructions (CiC) [22, 19]. CiC is an extension of the calculus of constructions (CC) =-=[7]-=-, which is a higher-order typed lambda calculus. CC corresponds to Church’s higher-order predicate logic via the Curry-Howard isomorphism [10]. The syntax of CC is: A, B ::= Set | Type | X | λX :A. B ... |

441 |
The formulae-as-types notion of construction
- Howard
- 1980
(Show Context)
Citation Context ... CiC is an extension of the calculus of constructions (CC) [7], which is a higher-order typed lambda calculus. CC corresponds to Church’s higher-order predicate logic via the Curry-Howard isomorphism =-=[10]-=-. The syntax of CC is: A, B ::= Set | Type | X | λX :A. B | A B | ΠX :A. B The λ term corresponds to the abstraction of the lambda calculus, and the Π term is a dependent product type. When the bound ... |

397 | Safe kernel extensions without run-time checking
- Necula, Lee
- 1996
(Show Context)
Citation Context ...ssembly language into FPCC and demonstrate the advantages of our new system via an implementation in the Coq proof assistant. 1. Introduction Proof-Carrying Code (PCC), as pioneered by Necula and Lee =-=[17, 15]-=-, allows a code producer to provide a machinelanguage program to a host along with a formal proof of its safety. The proof can be mechanically checked by the host and the producer need not be trusted ... |

268 | The design and implementation of a certifying compiler
- Necula, Lee
- 1998
(Show Context)
Citation Context ... and Lee [17, 15, 16], as discussed in our introduction. In addition to the general framework laid out in their work, implementation effort on building a certifying compiler has also been carried out =-=[18, 6]-=-. As also mentioned previously, however, these existing certifying compilers and clients are very language-specific and incorporate “built-in” understanding of a particular type-system into the logic.... |

228 | Foundational proof-carrying code
- Appel
- 2001
(Show Context)
Citation Context ...o error-prone: League et al. [11] recently discovered a serious bug in the Special J typing rules that undermines the integrity of the entire PCC-based system. Foundational Proof-Carrying Code (FPCC) =-=[4, 3]-=- tackles these problems by constructing and verifying its proofs using strictly the foundations of mathematical logic, with no type-specific axioms. FPCC is more flexible and secure because it is not ... |

145 | Stack-Based Typed Assembly Language
- Morrisett, Crary, et al.
- 1998
(Show Context)
Citation Context ... of the existing work has shown how to use the syntactic proof to build the foundational proof. In addition, we show in Sections 3 and 4 that naïvely combining existing typed assembly languages (TAL) =-=[14, 13, 25]-=- with their soundness proofs do not necessarily produce valid FPCC. • The relationship between TAL [14] and PCC [17] has never been made precise even though the two are considered as related approache... |

138 | Compiling with Proofs
- Necula
- 1998
(Show Context)
Citation Context ...f of its safety. The proof can be mechanically checked by the host and the producer need not be trusted because a valid proof is a dependable certificate of safety. The proofs in Necula’s PCC systems =-=[16, 6]-=- are written in a logic extended with many language-specific typing ∗ This research is based on work supported in part by DARPA OASIS grant F30602-99-1-0519, NSF grant CCR-9901011, and NSF ITR grant C... |

135 | An indexed model of recursive types for foundational proof-carrying code
- Appel, McAllester
- 2001
(Show Context)
Citation Context ...C is more flexible and secure because it is not tied to any particular type system and has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC =-=[4, 8, 1, 5]-=- required constructing sophisticated semantic models to reason about types. For example, to support contravariant recursive types, Appel and Felty [8] initially decided to model each type as a partial... |

129 | A certifying compiler for Java
- Colby, Lee, et al.
- 2000
(Show Context)
Citation Context ...echnical report [9]. We thus have a complete system which starts with a typed assembly language program and compiles it into a FPCC package. Although our current implementation is not as realistic as =-=[6, 4]-=-, the advantages of the syntactic FPCC approach are still clear. We compare the syntactic and semantic approaches to FPCC in detail in Section 7. With respect to PCC implementations in general, the tw... |

127 | A semantic model of types and machine instructions for proof-carrying code
- Appel, Felty
(Show Context)
Citation Context ...critical tool which makes automatic generation of PCC proofs possible—following either the syntactic or the semantic approach. Appel and Felty were the first to propose the notion of foundational PCC =-=[4, 3]-=-. Work on the semantic approach to FPCC has been carried out by Appel, Felty, and others [4, 5, 1, 12]. In a recent paper, Shao et al. [20] showed how to incorporate a logic such as CiC into a typed i... |

83 | A type system for certified binaries
- Shao, Trifonov, et al.
- 2005
(Show Context)
Citation Context ...y were the first to propose the notion of foundational PCC [4, 3]. Work on the semantic approach to FPCC has been carried out by Appel, Felty, and others [4, 5, 1, 12]. In a recent paper, Shao et al. =-=[20]-=- showed how to incorporate a logic such as CiC into a typed intermediate language. Together with the work described in this paper, wescan now build an end-to-end compiler that compiles highlevel richl... |

68 | A dependently typed assembly language
- Xi, Harper
- 1999
(Show Context)
Citation Context ... of the existing work has shown how to use the syntactic proof to build the foundational proof. In addition, we show in Sections 3 and 4 that naïvely combining existing typed assembly languages (TAL) =-=[14, 13, 25]-=- with their soundness proofs do not necessarily produce valid FPCC. • The relationship between TAL [14] and PCC [17] has never been made precise even though the two are considered as related approache... |

44 | Fully reflexive intensional type analysis
- Trifonov, Saha, et al.
- 2000
(Show Context)
Citation Context ...and first-class code pointers without using complex constructions required by the semantic approaches. With our recent results on certified binaries [20] and inductive definitions of quantified types =-=[23]-=-, the syntactic approach o#ers a more scalable alternative for compiling high-level richly typed programs into FPCC. - Finally, independent of our results on FPCC, the typed assembly language presente... |

32 |
Machine instruction syntax and semantics in higher-order logic
- Michael, Appel
- 2000
(Show Context)
Citation Context ...actic or the semantic approach. Appel and Felty were the first to propose the notion of foundational PCC [4, 3]. Work on the semantic approach to FPCC has been carried out by Appel, Felty, and others =-=[4, 5, 1, 12]-=-. In a recent paper, Shao et al. [20] showed how to incorporate a logic such as CiC into a typed intermediate language. Together with the work described in this paper, wescan now build an end-to-end c... |

30 | A stratified semantics of general references embeddable in higher-order logic
- Ahmed, Appel, et al.
- 2002
(Show Context)
Citation Context ... of these approaches can be easily extended to support mutable fields and higher-order polymorphism. In fact, the only known solution to mutable fields was proposed only very recently by Ahmed et al. =-=[2]-=-—the proposal involves building a hierarchy of Gödel numberings and making extensive changes to semantic models used in existing FPCC systems [4, 5]. In this paper, we present a syntactic approach to ... |

28 |
Inductive definitions in the system Coq—rules and properties
- Paulin-Mohring
- 1993
(Show Context)
Citation Context ...cepts and proofs must be explicitly defined based only on the foundations of mathematics. 2.1. The logic To encode our safety policies and proofs, we use the calculus of inductive constructions (CiC) =-=[22, 19]-=-. CiC is an extension of the calculus of constructions (CC) [7], which is a higher-order typed lambda calculus. CC corresponds to Church’s higher-order predicate logic via the Curry-Howard isomorphism... |

25 | Precision in practice: A type-preserving Java compiler
- League, Shao, et al.
- 2003
(Show Context)
Citation Context ...on generator (VCgen), the typing rules, and the proof checker. The VCgen is fairly large, so establishing its full correctness is a daunting task. The typing rules are also error-prone: League et al. =-=[11]-=- recently discovered a serious bug in the Special J typing rules that undermines the integrity of the entire PCC-based system. Foundational Proof-Carrying Code (FPCC) [4, 3] tackles these problems by ... |

12 |
Models for security policies in proof-carrying code
- APPEL, FELTEN
- 2001
(Show Context)
Citation Context ...actic or the semantic approach. Appel and Felty were the first to propose the notion of foundational PCC [5, 3]. Work on the semantic approach to FPCC has been carried out by Appel, Felty, and others =-=[5, 6, 1, 12, 4]-=-. In a recent paper, Shao et al. [20] showed how to incorporate a logic such as CiC into a typed intermediate language. Together with the work paper.tex; 12/04/2002; 15:12; p.40 A Syntactic Approach t... |

11 |
Une Théorie des Constructions Inductives. PhD thesis, A L’Université Paris 7
- Werner
- 1994
(Show Context)
Citation Context ...founded and for iterators to terminate, a few constraints are imposed on the shape of inductive definitions. Mutually inductive types are also supported. CiC has been shown to be strongly normalizing =-=[23]-=-, hence the corresponding logic is consistent. It is supported by the Coq proof assistant [22], which we use to implement a prototype system of the results presented in this paper. In the remainder of... |

3 |
Mutable fields in a semantic model of types
- Ahmed
- 2000
(Show Context)
Citation Context ...C is more flexible and secure because it is not tied to any particular type system and has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC =-=[4, 8, 1, 5]-=- required constructing sophisticated semantic models to reason about types. For example, to support contravariant recursive types, Appel and Felty [8] initially decided to model each type as a partial... |

3 |
Typed machine language and its semantics. Preliminary version available at www.cs.princeton.edu/~appel/papers/tml.pdf
- Swadi, Appel
- 2001
(Show Context)
Citation Context ... semantic soundness proof [24]. Our paper makes the following new contributions: • Foundational proofs are widely perceived as extremely hard and tedious to construct, partly because existing efforts =-=[4, 8, 1, 5, 2, 21]-=- on FPCC have all adopted the semantic approach (which requires building sophisticated models from first principles). We show that this perception is not true: with a syntactic approach, constructing ... |