## A Scalable Architecture for Proof-Carrying Code (2001)

Venue: | In Fifth International Symposium on Functional and Logic Programming, Waseda |

Citations: | 12 - 1 self |

### BibTeX

@INPROCEEDINGS{Necula01ascalable,

author = {George C. Necula},

title = {A Scalable Architecture for Proof-Carrying Code},

booktitle = {In Fifth International Symposium on Functional and Logic Programming, Waseda},

year = {2001},

pages = {21--39}

}

### OpenURL

### Abstract

Proof-Carrying Code (PCC) is a general mechanism for verifying that a code fragment can be executed safely on a host system. The key technical detail that makes PCC simple yet very powerful is that the code fragment is required to be accompanied by a detailed and precise explanation of how it satisfies the safety policy. This leaves the code receiver with the simple task of verifying that the explanation is correct and that it matches the code in question. Previous implementations of PCC used safety explanations in the form of explicit formal proofs of code safety, thus gaining leverage from a substantial amount of previous research in the area of proof representation and checking, but at the expense of poor scalability due to large proof sizes. In this paper we describe a series of changes that are necessary to achieve a truly scalable architecture for PCC. These include a new proof representation form along with a better integration of the various components of a PCC c...

### Citations

1091 | Proof-Carrying Code - Necula - 1997 |

587 | From system F to typed assembly language
- Morrisett, Walker, et al.
- 1999
(Show Context)
Citation Context ...der to reduce the size of the proofs. For example, the PCC proofs of type safety are an order of magnitude larger than the size of the typing annotations that the Typed Assembly Language (TAL) system =-=[MWCG9-=-9] uses. The overhead in TAL is smaller because TAL is less general than PCC and targets a specic type-safety policy, for a specic language and type system. The TAL type checker can be viewed as a pro... |

398 | Safe Kernel Extensions without Run-Time Checking - Necula, Lee - 2004 |

302 | Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser theorem
- Bruijn
- 1972
(Show Context)
Citation Context ...sent various syntactic entities. For the purpose of computing the size of LF i proofs, we streamline LF i terms as 16-bit tokens, each containing tag and data bits. The data can be the deBruijn index =-=[DeB72]-=- for a 16 Fig. 8. Ratio between LF i proof size and oracle size. Fig. 9. Ratio between oracle size and machine code. Fig. 10. Ratio between logic-interpretation time and LF i type-checking time. 17 va... |

138 | Compiling with Proofs
- Necula
- 1998
(Show Context)
Citation Context ...h its own advantages and disadvantages. In any implementation the safety explanations must be precise and comprehensive, just like formal proofs. In fact, in thesrst realization of a PCC architecture =-=[Nec98-=-] the explanations were precisely formal proofs represented as terms in a variant of the dependently-typed -calculus called the Edinburgh Logical Framework (LF) [HHP93]. The major advantage of this ap... |

129 | A certifying compiler for Java - Colby, Lee, et al. - 2000 |

60 | Efficient representation and validation of proofs
- Necula, Lee
- 1998
(Show Context)
Citation Context ...system.) In an attempt to address this issue wesrst devised a simple extension of the LF type checker that enables it to reconstruct certain small but numerous fragments of proofs while type checking =-=[NL98-=-]. This variant of LF, which we call LF i (for implicit LF), allows us to omit those fragments from the representation of proofs with the major benet that proof sizes and the checking times are now gr... |

57 |
A framework for de logics
- Harper, Honsell, et al.
- 1993
(Show Context)
Citation Context ...alization of a PCC architecture [Nec98] the explanations were precisely formal proofs represented as terms in a variant of the dependently-typed -calculus called the Edinburgh Logical Framework (LF) [=-=HHP93]-=-. The major advantage of this approach is that proof checking can be accomplished using a relatively simple and well understood LF type checker. The proof-based realization of PCC was very useful for ... |

21 |
Automata-driven indexing of prolog clauses
- Ramesh, Ramakrishnan, et al.
- 1990
(Show Context)
Citation Context ...ptimizations to reduce the amount of non-determinism and thus to reduce the size of the necessary oracle. Among the available logic program optimizations we selected automatadriven term indexing(ATI) =-=[RRW95]-=- because it has a relatively small complexity and good clause selectivity. The basic idea behind ATI is that the conclusions of all the active clauses are scanned and a decision tree is build from the... |

2 |
Oracle-based checking of untrusted programs
- Necula, Rahul
- 2001
(Show Context)
Citation Context ...g to the goal. This allows the quick computation of the set of clauses the could match a goal. For details on how the ATI technique is used in the implementation of the Checker the reader can consult =-=[NR01]-=-. In our example the ATI optimization works almost perfectly. For nearly all goals and subgoals it manages to infer that exactly one clause is usable. However, for three of the subgoals involving the ... |