Safe, Untrusted Agents Using Proof-Carrying Code

Proof-Carrying Code (PCC) enables a computer system to determine, automatically and with certainty, that program code provided by another system is safe to install and execute without requiring interpretation or run-time checking. PCC has applications in any computing system in which the safe, efficient, and dynamic installation of code is needed. The key idea is to attach to the code an easily-checkable proof that its execution does not violate the safety policy of the receiving system. This paper describes the design and a typical implementation of Proof-Carrying Code, where the language used for specifying the safety properties is first-order predicate logic. Examples of safety properties described in this paper are memory safety and compliance with data access policies, resource usage bounds, and data abstraction boundaries.
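The check-on-install workflow the abstract describes, written out as an added example; this is not code from the paper or from the authors' PCC implementation. It replaces the paper's first-order predicate logic and LF-style checker with a deliberately tiny inequality logic (rules hyp, const, shift, trans), a three-instruction straight-line machine, and a constructed policy: on entry register r0 holds the base of a buffer of LEN words and r1 holds an index i with 0 <= i <= LEN-1. The names `vcgen`, `check_proof`, `consumer_accepts`, the register names and LEN are all assumptions of this example. The point it makes is the one that matters for deployment: the consumer never asks the proof what it proves. It regenerates the verification condition from the code it actually received and only then replays the proof, so an agent whose proof was made for different code, or whose load cannot be proven in bounds, is rejected with no run-time check on the load itself.

```python
"""Toy proof-carrying-code pipeline (added illustration, constructed logic and policy):
the producer ships code + proof; the consumer recomputes the VC and checks the proof."""
from typing import Dict, Tuple

LEN = 8  # consumer policy constant (assumed): r0 points at a buffer of LEN words

# Linear expression in canonical form: sorted ((symbol, coeff), ...); "" is the constant term.
Expr = Tuple[Tuple[str, int], ...]

def norm(d: Dict[str, int]) -> Expr:
    return tuple(sorted((s, c) for s, c in d.items() if c != 0))

def const(k: int) -> Expr:
    return norm({"": k})

def sym(name: str) -> Expr:
    return norm({name: 1})

def plus(a: Expr, b: Expr) -> Expr:
    d = dict(a)
    for s, c in b:
        d[s] = d.get(s, 0) + c
    return norm(d)

def le(a: Expr, b: Expr):
    """Proposition  a <= b  over the symbolic inputs."""
    return ("le", a, b)

# Safety policy, trusted and held by the consumer: r0 = buf, r1 = i, 0 <= i <= LEN-1.
HYPS = [le(const(0), sym("i")), le(sym("i"), const(LEN - 1))]

def vcgen(program):
    """Trusted VC generator: symbolically execute straight-line code and emit the
    memory-safety obligations (0 <= off and off <= LEN-1) for every load."""
    regs = {"r0": sym("buf"), "r1": sym("i"), "r2": const(0), "r3": const(0)}
    obligations = []
    for op, *args in program:
        if op == "addi":                      # rd = rs + k
            rd, rs, k = args
            regs[rd] = plus(regs[rs], const(k))
        elif op == "add":                     # rd = rs + rt
            rd, rs, rt = args
            regs[rd] = plus(regs[rs], regs[rt])
        elif op == "load":                    # rd = mem[rs]; rs must be exactly buf + off
            rd, rs = args
            addr = dict(regs[rs])
            if addr.pop("buf", 0) != 1:
                raise ValueError(f"load through {rs} is not buffer-relative")
            off = norm(addr)
            obligations += [le(const(0), off), le(off, const(LEN - 1))]
            regs[rd] = sym(f"mem{len(obligations)}")  # loaded value is opaque
        else:
            raise ValueError(f"unknown op {op}")
    return obligations

def check_proof(proof, hyps):
    """Trusted proof checker: replay each step and recompute what it concludes.
    Nothing is searched for; a step that does not fit its rule is fatal."""
    derived = []
    for rule, *args in proof:
        if rule == "hyp":                     # cite a policy hypothesis
            p = hyps[args[0]]
        elif rule == "const":                 # a <= b for integer literals
            a, b = args
            if a > b:
                raise ValueError("const: a > b")
            p = le(const(a), const(b))
        elif rule == "shift":                 # from a <= b derive a+k <= b+k
            n, k = args
            _, a, b = derived[n]
            p = le(plus(a, const(k)), plus(b, const(k)))
        elif rule == "trans":                 # from a <= b and b <= c derive a <= c
            n, m = args
            _, a, b = derived[n]
            _, b2, c = derived[m]
            if b != b2:
                raise ValueError("trans: middle terms differ")
            p = le(a, c)
        else:
            raise ValueError(f"unknown rule {rule}")
        derived.append(p)
    return derived

def consumer_accepts(program, proof) -> bool:
    """The entire trusted base: policy + vcgen + check_proof. The VC comes from the
    delivered code, never from anything the producer claims in the proof."""
    try:
        vc = vcgen(program)
        derived = set(check_proof(proof, HYPS))
    except (ValueError, IndexError, KeyError, TypeError):
        return False
    return all(ob in derived for ob in vc)

# Constructed agents. SAFE reads mem[buf + i]; its proof just cites the two hypotheses.
SAFE = [("add", "r2", "r0", "r1"), ("load", "r3", "r2")]
SAFE_PROOF = [("hyp", 0), ("hyp", 1)]
# UNSAFE reads mem[buf + i + 1]. A producer can prove 0 <= i+1, but the best upper
# bound derivable is i+1 <= LEN, one word past the end, so the VC cannot be discharged.
UNSAFE = [("addi", "r2", "r1", 1), ("add", "r2", "r0", "r2"), ("load", "r3", "r2")]
UNSAFE_PROOF = [("hyp", 0), ("shift", 0, 1), ("const", 0, 1), ("trans", 2, 1),
                ("hyp", 1), ("shift", 4, 1)]

if __name__ == "__main__":
    print(consumer_accepts(SAFE, SAFE_PROOF))      # True
    print(consumer_accepts(UNSAFE, UNSAFE_PROOF))  # False: i+1 <= LEN-1 never derived
    print(consumer_accepts(UNSAFE, SAFE_PROOF))    # False: proof was made for other code
```

Two design choices carry the security argument. First, the producer's proof is a sequence of rule applications, and the checker only recomputes each step's conclusion, so the checker stays small and decidable while proof search, the expensive and untrusted part, stays with the producer. Second, the accept decision compares the recomputed obligations against the set of derived propositions, so a proof that is valid but for the wrong program, or that proves a weaker bound than the policy demands, fails without the consumer ever executing the agent.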
