Correctness of Source-Level Safety Policies

Program certification techniques formally show that programs satisfy certain safety policies. They rely on the correctness of the safety policy which has to be established externally. In this paper we investigate an approach to show the correctness of safety policies which are formulated as a set of Hoare-style inference rules on the source code level. We develop a framework which is generic with respect to safety policies and which allows us to establish that proving the safety of a program statically guarantees dynamic safety, i.e., that the program never violates the safety property during its execution. We demonstrate our framework by proving safety policies for memory access safety and memory read/write limitations to be sound and complete. Finally, we formulate a set of generic safety inference rules which serve as the blueprint for the implementation of a verification condition generator which can be parameterized with different safety policies, and identify conditions on appropriate safety policies.
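
The abstract's central idea, a verification condition generator (VCG) that is generic in the safety policy, can be made concrete with a small added example. The code below is not the paper's framework or its implementation; it is a constructed illustration for a toy imperative language. A safety policy is modelled as a function from a statement to the side conditions that statement must satisfy, and the VCG conjoins those conditions into a standard weakest-precondition computation. Two assumed policies are shown: `bounds_policy` (memory access safety, every store index inside the array) and `readonly_policy` (a write limitation, stores into a frozen array are never allowed). Assertions range over scalar variables only, array contents are not modelled, and a bounded brute-force evaluator stands in for the theorem prover that would discharge the verification conditions.

```python
"""Toy safety-policy-parameterized VCG (constructed example, not the paper's code)."""
import itertools

# Expressions: ('num', v) | ('var', x) | ('not', e) | ('bin', op, e1, e2)
def num(v): return ('num', v)
def var(x): return ('var', x)
def not_(e): return ('not', e)
def bin_(op, a, b): return ('bin', op, a, b)
def and_(a, b): return bin_('and', a, b)
def imp(a, b): return bin_('->', a, b)
TRUE = num(True)

def subst(e, x, by):
    """Replace variable x by expression `by` (no binders, so no capture)."""
    tag = e[0]
    if tag == 'num': return e
    if tag == 'var': return by if e[1] == x else e
    if tag == 'not': return ('not', subst(e[1], x, by))
    return ('bin', e[1], subst(e[2], x, by), subst(e[3], x, by))

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b,
       '<': lambda a, b: a < b, '<=': lambda a, b: a <= b, '==': lambda a, b: a == b,
       'and': lambda a, b: a and b, '->': lambda a, b: (not a) or b}

def ev(e, env):
    """Evaluate an expression under a scalar environment."""
    tag = e[0]
    if tag == 'num': return e[1]
    if tag == 'var': return env[e[1]]
    if tag == 'not': return not ev(e[1], env)
    return OPS[e[1]](ev(e[2], env), ev(e[3], env))

def free_vars(e, acc=None):
    acc = set() if acc is None else acc
    if e[0] == 'var': acc.add(e[1])
    elif e[0] == 'not': free_vars(e[1], acc)
    elif e[0] == 'bin': free_vars(e[2], acc); free_vars(e[3], acc)
    return acc

# Statements: ('assign', x, e) | ('store', arr, idx, e) | ('seq', s1, s2)
#             | ('if', c, s1, s2) | ('while', c, inv, body)

def bounds_policy(lengths):
    """Memory access safety: every store index satisfies 0 <= idx < length(arr)."""
    def policy(stmt):
        if stmt[0] == 'store':
            _, arr, idx, _ = stmt
            return [and_(bin_('<=', num(0), idx), bin_('<', idx, var(lengths[arr])))]
        return []
    return policy

def readonly_policy(frozen):
    """Write limitation: a store into a frozen array has the unsatisfiable condition False."""
    def policy(stmt):
        return [num(False)] if stmt[0] == 'store' and stmt[1] in frozen else []
    return policy

def wp(stmt, post, policy, vcs):
    """Weakest precondition of stmt w.r.t. post; loop obligations are appended to vcs.
    The policy's side conditions for stmt are conjoined onto the result."""
    tag = stmt[0]
    if tag == 'assign':
        pre = subst(post, stmt[1], stmt[2])
    elif tag == 'store':
        pre = post                       # assertions never mention array contents
    elif tag == 'seq':
        pre = wp(stmt[1], wp(stmt[2], post, policy, vcs), policy, vcs)
    elif tag == 'if':
        _, c, s1, s2 = stmt
        pre = and_(imp(c, wp(s1, post, policy, vcs)),
                   imp(not_(c), wp(s2, post, policy, vcs)))
    elif tag == 'while':
        _, c, inv, body = stmt
        vcs.append(imp(and_(inv, c), wp(body, inv, policy, vcs)))   # inv is preserved
        vcs.append(imp(and_(inv, not_(c)), post))                   # inv and exit give post
        pre = inv
    else:
        raise ValueError(tag)
    for cond in policy(stmt):
        pre = and_(cond, pre)
    return pre

def generate_vcs(pre, stmt, post, policy):
    vcs = []
    root = imp(pre, wp(stmt, post, policy, vcs))
    return [root] + vcs

def check(vcs, lo=-2, hi=8):
    """Bounded validity check over lo..hi-1 (stand-in for a prover): first counterexample or None."""
    for vc in vcs:
        names = sorted(free_vars(vc))
        for vals in itertools.product(range(lo, hi), repeat=len(names)):
            env = dict(zip(names, vals))
            if not ev(vc, env):
                return env
    return None

# Constructed program: i := 0; while guard { a[i] := 0; i := i + 1 }, invariant 0 <= i <= n
I, N = var('i'), var('n')
INV = and_(bin_('<=', num(0), I), bin_('<=', I, N))
PRE = bin_('<=', num(0), N)

def zero_loop(guard):
    body = ('seq', ('store', 'a', I, num(0)), ('assign', 'i', bin_('+', I, num(1))))
    return ('seq', ('assign', 'i', num(0)), ('while', guard, INV, body))

SAFE = zero_loop(bin_('<', I, N))          # correct guard i < n
OFF_BY_ONE = zero_loop(bin_('<=', I, N))   # guard i <= n also writes a[n]

def verify(prog, policy):
    """None if every VC holds on the bounded domain, else a counterexample environment."""
    return check(generate_vcs(PRE, prog, TRUE, policy))

if __name__ == '__main__':
    pol = bounds_policy({'a': 'n'})
    print('safe loop   :', verify(SAFE, pol))
    print('off by one  :', verify(OFF_BY_ONE, pol))
    print('read-only a :', verify(SAFE, readonly_policy({'a'})))
```

The VCG never inspects what a policy requires; it only asks the policy for each statement's side conditions, which is what lets one generator serve several policies. The off-by-one variant is rejected because the invariant-preservation VC fails at `i = n`, the state in which the loop body would write one element past the array.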