## Certifying machine code safety: Shallow versus deep embedding (2004)

### Cached

### Download Links

- [www.in.tum.de]
- [isabelle.in.tum.de]
- [isabelle.in.tum.de]
- [www4.in.tum.de]
- DBLP

### Other Repositories/Bibliography

Venue: | IN TPHOLS, NUMBER 3223 IN LNCS |

Citations: | 21 - 3 self |

### BibTeX

@INPROCEEDINGS{Wildmoser04certifyingmachine,

author = {Martin Wildmoser and Tobias Nipkow},

title = {Certifying machine code safety: Shallow versus deep embedding},

booktitle = {IN TPHOLS, NUMBER 3223 IN LNCS},

year = {2004},

pages = {305--320},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

We formalise a simple assembly language with procedures and a safety policy for arithmetic overflow in Isabelle/HOL. To verify individual programs we use a safety logic. Such a logic can be realised in Isabelle/HOL either as shallow or deep embedding. In a shallow embedding logical formulas are written as HOL predicates, whereas a deep embedding models formulas as a datatype. This paper presents and discusses both variants pointing out their specific strengths and weaknesses.

### Citations

1121 | Proof-carrying code
- Necula
(Show Context)
Citation Context ...ormulas as a datatype. This paper presents and discusses both variants pointing out their specific strengths and weaknesses. 1 Introduction Proof Carrying Code (PCC), first proposed by Necula and Lee =-=[14,15]-=-, is a scheme for executing untrusted code safely. It works without cryptography and without a trusted third party. Instead, it places the burden on showing safety on the code producer, who is obliged... |

752 |
Isabelle/HOL — A Proof Assistant for Higher-Order Logic
- Nipkow, Paulson, et al.
- 2002
(Show Context)
Citation Context ...mbly language (SAL) with a safety policy that prevents type errors and arithmetic overflows. Both are kept rather simple. This paper focuses on the safety logic, which can be embedded in Isabelle/HOL =-=[16]-=- either in shallow or deep style. In the first one models safety logic formulas as HOL predicates on states. The safety logic automatically inherits the infrastructure of the theorem prover such as it... |

601 | From system f to typed assembly language
- Morrisett, Walker, et al.
- 1998
(Show Context)
Citation Context ...dle more complex properties, for example checking that programs operate within their granted memory range (memory safety), type systems can be combined with a logic or extended to a logic like system =-=[10,13,7]-=-. Foundational proof carrying code tries prove safety directly in terms of the machine semantics [2,3], without a VCG or safety logic as an extra layer. Our approach uses a VCG, but keeps it small and... |

246 |
The formal semantics of programming languages
- Winskel
- 1993
(Show Context)
Citation Context ...ressions. datatype expr = V nat | Lv nat | �tval� | Pc | Rp | Tm | expr �+� expr | expr �−� expr | expr �∗� expr | �if� expr �=� expr �then� expr �else� expr | Deref expr | Old expr Following Winskel =-=[17]-=- we distinguish two kinds of variables. Program variables V 1 , V 2 , . . . denote values we find at specific locations in memory. For example V 1 stands for the value we find at location 1 in memory.... |

234 | Foundational proof-carrying code - Appel |

141 | Compiling with Proofs
- Necula
- 1998
(Show Context)
Citation Context ...ormulas as a datatype. This paper presents and discusses both variants pointing out their specific strengths and weaknesses. 1 Introduction Proof Carrying Code (PCC), first proposed by Necula and Lee =-=[14,15]-=-, is a scheme for executing untrusted code safely. It works without cryptography and without a trusted third party. Instead, it places the burden on showing safety on the code producer, who is obliged... |

135 | A certifying compiler for java
- Colby, Lee, et al.
- 2000
(Show Context)
Citation Context ... resulting program would also be safe. Proof Checkers are relatively small standard components and well researched. The VCG is a different story. In early PCC systems it is large (23000 lines of C in =-=[8]-=-) and complex. The formulas it produces are usually influenced by the machine language, the safety policy and the safety logic. The machine language determines syntax and semantics of programs. These ... |

129 | A semantic model of types and machine instructions for proofcarrying code
- Appel, Felty
- 2000
(Show Context)
Citation Context ...(memory safety), type systems can be combined with a logic or extended to a logic like system [10,13,7]. Foundational proof carrying code tries prove safety directly in terms of the machine semantics =-=[2,3]-=-, without a VCG or safety logic as an extra layer. Our approach uses a VCG, but keeps it small and generic. We model this VCG as part of an Isabelle/HOL framework for PCC, which can be instantiated to... |

96 | A syntactic approach to foundational proof-carrying code
- Hamid, Shao, et al.
- 2002
(Show Context)
Citation Context ...dle more complex properties, for example checking that programs operate within their granted memory range (memory safety), type systems can be combined with a logic or extended to a logic like system =-=[10,13,7]-=-. Foundational proof carrying code tries prove safety directly in terms of the machine semantics [2,3], without a VCG or safety logic as an extra layer. Our approach uses a VCG, but keeps it small and... |

52 | Executing higher order logic
- Berghofer, Nipkow
- 2002
(Show Context)
Citation Context ...e safety policy, which in turn can be replaced without disturbing any proof at all. In addition Isabelle/HOL supports the whole range of code producer and consumer activities. We can generate ML code =-=[5]-=- for our VCG and use Isabelle/HOL to produce and check proof objects for verification conditions [6]. By now we have instantiated various non trivial safety policies, such as constraints on runtime or... |

40 | A provably sound TAL for back-end optimization
- Chen, Wu, et al.
- 2003
(Show Context)
Citation Context ...dle more complex properties, for example checking that programs operate within their granted memory range (memory safety), type systems can be combined with a logic or extended to a logic like system =-=[10,13,7]-=-. Foundational proof carrying code tries prove safety directly in terms of the machine semantics [2,3], without a VCG or safety logic as an extra layer. Our approach uses a VCG, but keeps it small and... |

34 | Proof terms for simply typed higher order logic
- Berghofer, Nipkow
- 2000
(Show Context)
Citation Context ...elle/HOL supports the whole range of code producer and consumer activities. We can generate ML code [5] for our VCG and use Isabelle/HOL to produce and check proof objects for verification conditions =-=[6]-=-. By now we have instantiated various non trivial safety policies, such as constraints on runtime or memory consumption, and verified various example programs, including recursive procedures and point... |

16 | Verified Java Bytecode Verification
- Klein
- 2003
(Show Context)
Citation Context ...ystem could play the role of the safety logic. VCG and proof checking could be replaced by automatic type inference. A typical example is Java Bytecode Verification, which is formally verified by now =-=[12]-=-.sTo handle more complex properties, for example checking that programs operate within their granted memory range (memory safety), type systems can be combined with a logic or extended to a logic like... |

9 | Program extraction in simply-typed higher order logic
- Berghofer
- 2002
(Show Context)
Citation Context ...⇒ (case m Y of ILLEGAL ⇒ False | POS r ′ ⇒ False | NAT y ⇒ Q(p ′ ,m(y ↦→ m x),e(|h:=(h e)@[p]|)))) ...s3.5 Code generation Isabelle can generate ML programs out of executable Isabelle/HOL definitions =-=[4]-=-. However, for wpF this code generator does not produce the kind of ML program we want. Due to our shallow embedding the code generator also turns safety logic formulas into ML programs. Instead we wo... |

2 | Secure mechanical verification of mutually recursive procedures
- Homeier, Martin
- 2003
(Show Context)
Citation Context ...rmulas. However, once the deep embedding is proven correct it buys us a lot. We can specify and prove correct an optimiser or pre-prover for VCs and handle more instructions (computed gotos). Homeier =-=[11]-=- also works with a deep embedded assertion language and points out similar advantages. Based on these experiences we instantiated our PCC framework to a down-sized version of the Java Virtual Machine ... |

1 | A machine-checked model for a Java-like language, virtual machine and compiler - Gerwin, Tobias |