Results 1  10
of
188
ProofCarrying Code
, 1997
"... This paper describes proofcarrying code (PCC), a mechanism by which a host system can determine with certainty that it is safe to execute a program supplied (possibly in binary form) by an untrusted source. For this to be possible, the untrusted code producer must supply with the code a safety proo ..."
Abstract

Cited by 1263 (27 self)
 Add to MetaCart
This paper describes proofcarrying code (PCC), a mechanism by which a host system can determine with certainty that it is safe to execute a program supplied (possibly in binary form) by an untrusted source. For this to be possible, the untrusted code producer must supply with the code a safety proof that attests to the code's adherence to a previously defined safety policy. The host can then easily and quickly validate the proof without using cryptography and without consulting any external agents. In order to gain preliminary experience with PCC, we have performed several case studies. We show in this paper how proofcarrying code might be used to develop safe assemblylanguage extensions of ML programs. In the context of this case study, we present and prove the adequacy of concrete representations for the safety policy, the safety proofs, and the proof validation. Finally, we briefly discuss how we use proofcarrying code to develop network packet filters that are faster than similar filters developed using other techniques and are formally guaranteed to be safe with respect to a given operating system safety policy.
Formal Methods: State of the Art and Future Directions
 ACM Computing Surveys
, 1996
"... ing with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works, requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept, ACM Inc., 1515 Broadway, New York, N ..."
Abstract

Cited by 422 (6 self)
 Add to MetaCart
ing with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works, requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept, ACM Inc., 1515 Broadway, New York, NY 10036 USA, fax +1 (212) 8690481, or permissions@acm.org. 2 \Delta E.M. Clarke and J.M. Wing About ProgramsMechanical verification, Specification techniques; F.4.1 [Mathematical Logic and Formal Languages]: Mathematical LogicMechanical theorem proving General Terms: Software engineering, formal methods, hardware verification Additional Key Words and Phrases: Software specification, model checking, theorem proving 1. INTRODUCTION Hardware and software systems will inevitably grow in scale and functionality. Because of this increase in complexity, the likelihood of subtle errors is much greater. Moreover, some of these errors may cause catastrophic loss of money, time, or even huma...
KIDS: A SemiAutomatic Program Development System
 Client Resources on the Internet, IEEE Multimedia Systems ’99
, 1990
"... The Kestrel Interactive Development System (KIDS) provides automated sup port for the development of correct and efficient programs from formal specifications. ..."
Abstract

Cited by 268 (26 self)
 Add to MetaCart
(Show Context)
The Kestrel Interactive Development System (KIDS) provides automated sup port for the development of correct and efficient programs from formal specifications.
HigherOrder Modules and the Phase Distinction
 In Seventeenth ACM Symposium on Principles of Programming Languages
, 1990
"... Typed λcalculus is an important tool in programming language research because it provides an extensible framework for studying language features both in isolation and in their relation to each other. In earlier work we introduced a predicative function calculus, XML, for modeling several ..."
Abstract

Cited by 136 (25 self)
 Add to MetaCart
Typed &lambda;calculus is an important tool in programming language research because it provides an extensible framework for studying language features both in isolation and in their relation to each other. In earlier work we introduced a predicative function calculus, XML, for modeling several aspects of the Standard ML type system. Following MacQueen, our study focused on the use of dependent types to represent the modularity constructs of Standard ML. In addition to shedding some light on the tradeoffs between language features, our analysis suggested that the firstorder modules system of ML could be naturally extended to higher orders. However, whereas ML maintains a clear distinction between compiletime and runtime in both its implementation and formal semantics, the XML calculus blurs this distinction. Since static type checking is, in our view, essential to the practical utility of ML, we introduce a refinement of the XML calculus for which type checking is decidable at compile time....
Building reliable, highperformance communication systems from components
 OPERATING SYSTEMS REVIEW
, 1999
"... Although building systems from components has attractions, this approach also has problems. Can we be sure that a certain configuration of components is correct? Can it perform as well as a monolithic system? Our paper answers these questions for the Ensemble communication architecture by showing ho ..."
Abstract

Cited by 87 (31 self)
 Add to MetaCart
(Show Context)
Although building systems from components has attractions, this approach also has problems. Can we be sure that a certain configuration of components is correct? Can it perform as well as a monolithic system? Our paper answers these questions for the Ensemble communication architecture by showing how, with help of the Nuprl formal system, configurations may be checked against specifications, and how optimized code can be synthesized from these configurations. The performance results show that we can substantially reduce endtoend latency in the already optimized Ensemble system. Finally, we discuss whether the techniques we used are general enough for systems other than communication systems.
Metatheory and Reflection in Theorem Proving: A Survey and Critique
, 1995
"... One way to ensure correctness of the inference performed by computer theorem provers is to force all proofs to be done step by step in a simple, more or less traditional, deductive system. Using techniques pioneered in Edinburgh LCF, this can be made palatable. However, some believe such an appro ..."
Abstract

Cited by 69 (2 self)
 Add to MetaCart
One way to ensure correctness of the inference performed by computer theorem provers is to force all proofs to be done step by step in a simple, more or less traditional, deductive system. Using techniques pioneered in Edinburgh LCF, this can be made palatable. However, some believe such an approach will never be efficient enough for large, complex proofs. One alternative, commonly called reflection, is to analyze proofs using a second layer of logic, a metalogic, and so justify abbreviating or simplifying proofs, making the kinds of shortcuts humans often do or appealing to specialized decision algorithms. In this paper we contrast the fullyexpansive LCF approach with the use of reflection. We put forward arguments to suggest that the inadequacy of the LCF approach has not been adequately demonstrated, and neither has the practical utility of reflection (notwithstanding its undoubted intellectual interest). The LCF system with which we are most concerned is the HOL proof ...
Software Model Checking
"... Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis o ..."
Abstract

Cited by 50 (0 self)
 Add to MetaCart
Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis of logical questions. The undecidability theorem [Turing 1936] ruled out the possibility of a sound and complete algorithmic solution for any sufficiently powerful programming model, and even under restrictions (such as finite state spaces), the correctness problem remained computationally intractable. However, just because a problem is hard does not mean it never appears in practice. Also, just because the general problem is undecidable does not imply that specific instances of the problem will also be hard. As the complexity of software systems grew, so did the need for some reasoning mechanism about correct behavior. (While we focus here on analyzing the behavior of a program relative to given correctness specifications, the development of specification mechanisms happened in parallel, and merits a different survey.) Initially, the focus of program verification research was on manual reasoning, and
Constructing Specification Morphisms
 Journal of Symbolic Computation
, 1993
"... This paper is part of a broader research program to explore a mechanizable model of software development based on algebraic specifications and specification morphisms. An algebraic specification (or simply a specification) defines a language and constrains its possible meanings via axioms and infere ..."
Abstract

Cited by 47 (8 self)
 Add to MetaCart
This paper is part of a broader research program to explore a mechanizable model of software development based on algebraic specifications and specification morphisms. An algebraic specification (or simply a specification) defines a language and constrains its possible meanings via axioms and inference rules. Specifications can be used to express many kinds of softwarerelated artifacts, including domain models (Srinivas(1991)), formal requirements (Astesiano and Wirsing (1987), Ehrig and Mahr (1990), Partsch (1990), Sannella and Tarlecki (1985)), programming languages (Broy et al. (1987), Goguen and Winkler (1988), Hoare (1989)), abstract data types (Goguen et al. (1978), Guttag and Horning (1978)), and abstract algorithms (Smith and Lowry (1990)). There has been much work on operations for constructing larger specifications from smaller specifications (Astesiano and Wirsing (1987), Burstall and Goguen (1977), Sannella and Tarlecki (1988)). A specification morphism translates the language of one specification into the language of another specification in a way that preserves theorems. Specification morphisms underlie several aspects of software development, including specification refine