A low-level typed assembly language with a machine-checkable soundness proof

To verify the safety of a machine-language program, the Proof-Carrying Code framework requires machine code accompanied by a proof of safety. Typed assembly languages provide a way to generate such safety proofs automatically. But the soundness proofs of most existing typed assembly languages are hand-written and cannot be machine-checked, which is worrisome for such large calculi. In this dissertation I explain a low-level typed assembly language (LTAL) with a semantic model that proves LTAL's soundness with a machine-checkable proof. Compared to existing typed assembly languages, LTAL is more scalable and more secure; it has no macro instructions that hinder low-level optimizations such as instruction scheduling; its type constructors are expressive enough to capture dataflow information, support the compiler's choice of data representations and permit typed position-independent code; and its type-checking algorithm is completely syntax-directed. I also explain a prototype system that uses LTAL to compile core ML to Sparc code and generate safety proofs. I show how we were able to build type-preserving back end based on an untyped one, without restricting low-level optimizations and without knowledge of a type system pervading the instruction selector and register allocator.

[1]  Andrew W. Appel,et al.  Type-preserving garbage collectors , 2001, POPL '01.

[2]  Martín Abadi,et al.  An interpretation of objects and object types , 1996, POPL '96.

[3]  Sarfraz Khurshid,et al.  Is the Java Type System Sound? , 1999, Theory Pract. Object Syst..

[4]  Robert Harper,et al.  Typed closure conversion , 1996, POPL '96.

[5]  Amer Diwan,et al.  The Full Cost of a Generational Copying Garbage Collection Implementation , 1993 .

[6]  Fred B. Schneider,et al.  A Language-Based Approach to Security , 2001, Informatics.

[7]  Andrew W. Appel,et al.  An indexed model of recursive types for foundational proof-carrying code , 2001, TOPL.

[8]  Andrew W. Appel,et al.  A type-based compiler for standard ML , 1995, PLDI '95.

[9]  Andrew W. Appel,et al.  A stratified semantics of general references embeddable in higher-order logic , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[10]  ScienceYale UniversityNew Haven An Overview of the Flint/ml Compiler , 1997 .

[11]  Robert Harper,et al.  Compiling polymorphism using intensional type analysis , 1995, POPL '95.

[12]  Andrew W. Appel,et al.  Lambda-splitting: a higher-order approach to cross-module optimizations , 1997, ICFP '97.

[13]  Andrew W. Appel,et al.  Foundational proof checkers with small witnesses , 2003, PPDP '03.

[14]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[15]  Dan Grossman,et al.  TALx86: A Realistic Typed Assembly Language∗ , 1999 .

[16]  David Walker,et al.  Alias Types , 2000, ESOP.

[17]  Don Syme,et al.  Proving Java Type Soundness , 1999, Formal Syntax and Semantics of Java.

[18]  J. Y. Girard,et al.  Interpretation fonctionelle et elimination des coupures dans l'aritmetique d'ordre superieur , 1972 .

[19]  Xavier Leroy,et al.  Unboxed objects and polymorphic typing , 1992, POPL '92.

[20]  Jarred Adam Ligatti,et al.  More Enforceable Security Policies , 2002 .

[21]  Andrew W. Appel,et al.  Typed machine language , 2003 .

[22]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[23]  Lujo Bauer,et al.  Edit automata: enforcement mechanisms for run-time security policies , 2005, International Journal of Information Security.

[24]  Matthias Felleisen,et al.  A Syntactic Approach to Type Soundness , 1994, Inf. Comput..

[25]  Robert Harper,et al.  A dependently typed assembly language , 2001, ICFP '01.

[26]  Mads Tofte,et al.  Region-based Memory Management , 1997, Inf. Comput..

[27]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[28]  Andrew W. Appel,et al.  Machine Instruction Syntax and Semantics in Higher Order Logic , 2000, CADE.

[29]  Fred B. Schneider,et al.  Enforceable security policies , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[30]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[31]  Zhong Shao,et al.  Representing Java classes in a typed intermediate language , 1999, ICFP '99.

[32]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[33]  Dan S. Wallach,et al.  Java security: from HotJava to Netscape and beyond , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[34]  John C. Mitchell,et al.  F-bounded quantification for object-oriented programming , 1989 .

[35]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[36]  David Walker,et al.  Reasoning about hierarchical storage , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[37]  Andrew W. Appel,et al.  Space-efficient closure representations , 1994, LFP '94.

[38]  Guy L. Steele,et al.  Java(TM) Language Specification, The (3rd Edition) (Java (Addison-Wesley)) , 2005 .

[39]  Suresh Jagannathan,et al.  Compiling Java to a Typed Lambda-Calculus: A Preliminary Report , 1998, Tic.

[40]  Karl Crary,et al.  Toward a foundational typed assembly language , 2003, POPL '03.

[41]  Frank Pfenning,et al.  A type theory for memory allocation and data layout , 2003, POPL '03.

[42]  Luca Cardelli,et al.  Comparing Object Encodings , 1997, TACS.

[43]  Robert A. Gingell,et al.  Shared Libraries in SunOS , 1987 .

[44]  Furio Honsell,et al.  A framework for defining logics , 1993, JACM.

[45]  Avishai Wool,et al.  Fang: a firewall analysis engine , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[46]  Andrew W. Appel,et al.  A Trustworthy Proof Checker , 2004, Journal of Automated Reasoning.

[47]  Andrew W. Appel,et al.  Foundational proof-carrying code , 2001, Proceedings 16th Annual IEEE Symposium on Logic in Computer Science.

[48]  Tobias Nipkow,et al.  Javalight is type-safe—definitely , 1998, POPL '98.

[49]  Zhong Shao,et al.  Type-preserving compilation of featherweight java , 2003, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[50]  Peter Lee,et al.  TIL: a type-directed, optimizing compiler for ML , 2004, SIGP.

[51]  Greg Nelson,et al.  Systems programming in modula-3 , 1991 .

[52]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[53]  Andrew W. Appel,et al.  Standard ML of New Jersey , 1991, PLILP.

[54]  George C. Necula,et al.  A certifying compiler for Java , 2000, PLDI '00.

[55]  Zhong Shao,et al.  A Syntactic Approach to Foundational Proof-Carrying Code , 2004, Journal of Automated Reasoning.

[56]  Andrew W. Appel,et al.  Compiling with Continuations , 1991 .

[57]  John C. Reynolds,et al.  Towards a theory of type structure , 1974, Symposium on Programming.

[58]  Andrew W. Appel,et al.  Construction of a Semantic Model for a Typed Assembly Language , 2004, VMCAI.

[59]  Andrew W. Appel,et al.  A semantic model of types and machine instructions for proof-carrying code , 2000, POPL '00.

[60]  Andrew W. Appel,et al.  A provably sound TAL for back-end optimization , 2003, PLDI '03.