## Interfacing Compilers, Proof Checkers, and Proofs for Foundational Proof-Carrying Code (2005)

Citations: 3 (0 self)

### BibTeX

@TECHREPORT{Wu05interfacingcompilers,
  author = {Dinghao Wu},
  title = {Interfacing Compilers, Proof Checkers, and Proofs for Foundational Proof-Carrying Code},
  institution = {},
  year = {2005}
}


### Abstract

Proof-Carrying Code (PCC) is a general framework for the mechanical verification of safety properties of machine-language programs. It allows a code producer to provide an executable program to a code consumer, along with a machine-checkable proof of safety, such that the code consumer can check the proof before running the program. PCC has the advantage of a small Trusted Computing Base (TCB), since proof checking can be a simple mechanical procedure. A weakness of previous PCC systems is that the proof-checking infrastructure is based on some complicated logic or type system that is not necessarily sound.

### Citations

1074 | The Java Virtual Machine Specification
- Lindholm, Yellin
- 1999

Citation Context: ...of-Carrying Code (PCC) [Necula and Lee, 1996; Necula, 1997], security types and information flow security [Sabelfeld and Myers, 2003], software fault isolation [Wahbe et al., 1993], virtual machines [Lindholm and Yellin, 1996; Platt, 2001], typed intermediate languages [Tarditi et al., 1996; Shao, 1997; Shao and Appel, 1995; Chen et al., 2003], and certifying compilers [Colby et al., 2000; League...

529 | The Mythical Man-Month
- Brooks
- 1995

Citation Context: ...g technology since then, software is still extremely fragile: unreliable, insecure, and full of bugs. Frederick Brooks explains “why programming is hard to manage” in his book The Mythical Man-Month [Brooks, 1975], and many principles and observations still apply today. 1.1 Software Security: A Growing Problem On the other hand, the extensive use of computers and the accelerating trends of interconnectedness,...

441 | The formulae-as-types notion of construction
- Howard
- 1980

Citation Context: ...ecked for validity. The lemmas imp_trans, imp_refl, and imp_true are proved and checked. The proof checking in LF is based on the formulae-as-types principle (also known as the Curry-Howard correspondence) [Howard, 1980]. A formula or theorem is encoded as a type in the LF type theory, and a proof of the theorem is an LF term of the LF type that encodes the theorem. Thus, the proof checking in the object logic is r...

389 | Explicit substitutions
- Abadi, Cardelli, et al.
- 1990

Citation Context: ...We must shift φ before adding the new binding A : τ into the typing environment. The resulting typing environment is φ [↑], A : τ, where [↑] is the shift operator in the explicit substitution calculus [Abadi et al., 1990]. Injection: The injection coercion cinjt[sum(τr, τu)] coerces a type τu into a sum type sum(τr, τu). From sum to range: The coercion csum2range coerces a sum type sum(τr, ⊥) to a range type τr. Note...

228 | Foundational proof-carrying code
- Appel
- 2001

Citation Context: ...the proof-checking infrastructure is too complex to prove sound using conventional techniques. 1.4 Foundational Proof-Carrying Code Foundational Proof-Carrying Code (FPCC) [Appel, 2001] aims to further reduce the TCB size by an order of magnitude and to build the soundness proof based on the foundation of mathematical logic. There are three main components in a foundational proof-c...

195 | Standard ML of New Jersey
- Appel, MacQueen
- 1991

173 | Proof-carrying authentication
- Appel, Felten
- 1999

Citation Context: ...at permits small proof witnesses and machine-checkable proofs of the soundness of the system. 5.1 Introduction In a proof-carrying code system [Necula, 1997], or in other proof-carrying applications [Appel and Felten, 1999], an untrusted prover must convince a trusted checker of the validity of a theorem by sending a proof. Two of the potential problems with this approach are that the proofs might be too large, and tha...

135 | An indexed model of recursive types for foundational proof-carrying code
- Appel, McAllester
- 2001

Citation Context: ...chine states; we avoid VCGen entirely [Appel and Felty, 2000]. In order to support contravariant recursive datatypes and mutable fields, we model types as predicates on states, approximation indices [Appel and McAllester, 2001], and type levels [Ahmed et al., 2002]. We have an abstraction layer, Typed Machine Language (TML) [Swadi and Appel, 2001; Swadi, 2003], to hide the complex semantic models for types. TML provides a...

129 | A certifying compiler for Java
- Colby, Lee, et al.
- 2000

Citation Context: ...of source code on average in the first-generation implementations. The TCBs of various Java Virtual Machines are between 50,000 and 200,000 lines of code [Appel and Wang, 2002]. The SpecialJ JVM [Colby et al., 2000] reduces the TCB to 36,000 lines by using proof-carrying code. In this work, we will show how to reduce the size of the TCB to under 3,000 lines and make the proof checker small and simple enough to...

127 | A semantic model of types and machine instructions for proof-carrying code
- Appel, Felty

Citation Context: ...with a few axioms of arithmetic, give types a semantic model to move the type system out of the TCB, and model machine instructions by a step relation between machine states; we avoid VCGen entirely [Appel and Felty, 2000]. In order to support contravariant recursive datatypes and mutable fields, we model types as predicates on states, approximation indices [Appel and McAllester, 2001], and type levels [Ahmed et al., ...

93 | A Standard ML Compiler
- Appel, MacQueen

93 | A syntactic approach to foundational proof-carrying code
- Hamid, Shao, et al.
- 2002

Citation Context: ...3. LOW-LEVEL TYPED ASSEMBLY LANGUAGE 22 TAL Systems 1 2 3 4 5 6 7 8 9 10 11 12 SpecialJ [Colby et al., 2000] � � � � TALx86 [Morrisett et al., 1999b] ⊙ � � � � � � DTAL [Xi and Harper, 2001] � FTAL [Hamid et al., 2002] ⊙ � � TALT [Crary, 2003] � ⊙ � � � � Open Verifier [Chang et al., 2005] ⊙ � � � � � � Our LTAL [Chen et al., 2003] ⊙ � � ⊙ � ⊙ � � � � � ⊙ TAL Features: Keys: 1 Compiles “real” source language � par...

87 | Toward a foundational typed assembly language
- Crary

55 | Semantics of Types for Mutable State
- Ahmed
- 2004

Citation Context: ...s such as LTAL and proving its soundness are rather intricate. Interested readers should refer to several papers and PhD theses [Appel and Felty, 2000; Appel and McAllester, 2001; Ahmed et al., 2002; Ahmed, 2004; Swadi, 2003; Tan et al., 2004]. Appel and Felty [2000] and Appel and McAllester [2001] present an (indexed) semantic model of types; Ahmed et al. [2002] and [Ahmed, 2004] extend the model for genera...

40 | A provably sound TAL for back-end optimization
- Chen, Wu, et al.
- 2003

Citation Context: ...how to build and verify secure software from the minimum trusted computing base. Part of this thesis work has been published in several conferences. Chapter 3 is the extended version of a PLDI paper [Chen et al., 2003]. Chapter 4 is based on the techniques described in Appel and McAllester [2001], Wu et al. [2003] and Tan et al. [2004]. Chapter 5 is the extended version of a PPDP paper [Wu et al., 2003]. 1.2 Class...

35 | Attacking malicious code: A report to the Infosec Research Council
- McGraw, Morrisett
- 2000

Citation Context: ...d applets. The infamous Melissa and Love Bug viruses took advantage of the Internet and the macro and scripting extensions of the Microsoft Word document processing program and Outlook e-mail client [McGraw and Morrisett, 2000; Martin, 2000; Slade, 1999]. As our society becomes increasingly dependent on information technology, we must be able to produce software systems that are more secure, reliable, and dependable. In th...

29 | A trustworthy proof checker
- Appel, Michael, et al.

Citation Context: ...erving compiler from core ML to SPARC [Chen, 2004] (based on SML/NJ [Appel and MacQueen, 1987, 1991]), a low-level typed assembly language LTAL [Chen et al., 2003], a foundational proof-checker Flit [Appel et al., 2002; Wu et al., 2003], and a nearly complete machine-checkable soundness proof [Tan et al., 2004]. In the following, we briefly explain some of the design choices and implementa...

25 | Precision in practice: A type-preserving Java compiler
- League, Shao, et al.
- 2003

Citation Context: ..., 1996; Platt, 2001], typed intermediate languages [Tarditi et al., 1996; Shao, 1997; Shao and Appel, 1995; Chen et al., 2003], and certifying compilers [Colby et al., 2000; League et al., 2003; Chen et al., 2003] have generated exciting results on low-level code safety, demonstrating that language-based security is a promising technique for many security problems, such as buffer overflow a...

22 | MLRISC: Customizable and reusable code generators
- George
- 1998

Citation Context: ...their addresses. SML/NJ’s back end uses the untyped MLRISC retargetable instruction selection, register allocation, and low-level optimization software [George, 1997]. The difficulty is to make MLRISC preserve and manipulate type information, without rewriting MLRISC or making it dependent on our particular type system. Fortunately, MLRISC already had some su...

21 | Lambda-splitting: A higher-order approach to cross-module optimizations
- Blume, Appel
- 1997

Citation Context: ...he Linker! To avoid the need to reason about possible bugs in the link-loader, we arrange that each compilation unit needs no link-editing, and links to others using closures, in the style of SML/NJ [Blume and Appel, 1997, §3]. We must avoid the need for a linker to do relocation. Our safety policy says, “a program is safe if, no matter where we load it in memory, it will never access an illegal address or execute an...

18 | A simple typed intermediate language for object-oriented languages
- Chen, Tarditi
- 2005

Citation Context: ...iffull instructions and pairs of cmpcc and iftag instructions. Chen and Tarditi [2005] have subsequently used this to type check method lookup and call in virtual tables in object-oriented languages [Chen and Tarditi, 2005]. Branch instruction ifboxedone: The ifboxedone instruction is a special case of ifboxed. Its type checking rule does an additional check that the type τs above is not a union type; that is, there is...

9 | Java Security: Web Browsers and Beyond
- Dean, Felten, et al.
- 1997

6 | JVM TCB: Measurements of the trusted computing base of Java virtual machines
- Appel, Wang
- 2002

4 | A Low-Level Typed Assembly Language with a Machine-Checkable Soundness Proof
- Chen
- 2004

Citation Context: ...ann, 1999, 2002], we can manipulate proofs and specifications in the same language. Our prototype system is the first end-to-end FPCC system, including a type-preserving compiler from core ML to SPARC [Chen, 2004] (based on SML/NJ [Appel and MacQueen, 1987, 1991]), a low-level typed assembly language LTAL [Chen et al., 2003], a foundational proof-checker Flit [Appel et al., 2002; Wu et al., 2003],...

1 | Social aspects of the Love Bug virus. Available online at http://www.attrition.org/~jericho/works/security/lovebug.html
- Martin
- 2000

Citation Context: ...ssa and Love Bug viruses took advantage of the Internet and the macro and scripting extensions of the Microsoft Word document processing program and Outlook e-mail client [McGraw and Morrisett, 2000; Martin, 2000; Slade, 1999]. As our society becomes increasingly dependent on information technology, we must be able to produce software systems that are more secure, reliable, and dependable. In this thesis, we...