A Syntactic Approach to Foundational Proof-Carrying Code

Proof-carrying code (PCC) is a general framework for verifying the safety properties of machine-language programs. PCC proofs are usually written in a logic extended with language-specific typing rules; they certify safety but only if there is no bug in the typing rules. In foundational proof-carrying code (FPCC), on the other hand, proofs are constructed and verified by using strictly the foundations of mathematical logic, with no type-specific axioms. FPCC is more flexible and secure because it is not tied to any particular type system and it has a smaller trusted base. Foundational proofs, however, are much harder to construct. Previous efforts on FPCC all required building sophisticated semantic models for types. Furthermore, none of them can be easily extended to support mutable fields and recursive types. In this article, we present a syntactic approach to FPCC that avoids all of these difficulties. Under our new scheme, the foundational proof for a typed machine program simply consists of the typing derivation plus the formalized syntactic soundness proof for the underlying type system. The former can be readily obtained from a type-checker, while the latter is known to be much easier to construct than the semantic soundness proofs. We give a translation from a typed assembly language into FPCC and demonstrate the advantages of our new system through an implementation in the Coq proof assistant.
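As an added illustration (not the paper's own Coq development), the following toy development shows the shape of the scheme described above: a small typed language, a Wright-Felleisen syntactic soundness proof done once for the type system, and a per-program certificate that is nothing more than the program's typing derivation applied to that soundness theorem. All names (`tm`, `has_type`, `safety`, `prog`) are assumptions of this example.

```coq
(* Added example, not the paper's code: certificate = typing derivation + syntactic soundness *)
Inductive ty : Type := TNat | TBool.
Inductive tm : Type :=
  | Const : nat -> tm | BTrue : tm | BFalse : tm
  | IsZero : tm -> tm | If : tm -> tm -> tm -> tm.
Inductive value : tm -> Prop :=
  | v_const : forall n, value (Const n) | v_true : value BTrue | v_false : value BFalse.
(* Small-step operational semantics of the toy "machine" *)
Inductive step : tm -> tm -> Prop :=
  | st_iszero_z : step (IsZero (Const 0)) BTrue
  | st_iszero_s : forall n, step (IsZero (Const (S n))) BFalse
  | st_iszero : forall t t', step t t' -> step (IsZero t) (IsZero t')
  | st_if_true : forall t2 t3, step (If BTrue t2 t3) t2
  | st_if_false : forall t2 t3, step (If BFalse t2 t3) t3
  | st_if : forall t1 t1' t2 t3, step t1 t1' -> step (If t1 t2 t3) (If t1' t2 t3).
(* Typing rules: language-specific, but outside the trusted base because they are proved sound *)
Inductive has_type : tm -> ty -> Prop :=
  | T_Const : forall n, has_type (Const n) TNat
  | T_True : has_type BTrue TBool
  | T_False : has_type BFalse TBool
  | T_IsZero : forall t, has_type t TNat -> has_type (IsZero t) TBool
  | T_If : forall t1 t2 t3 T, has_type t1 TBool -> has_type t2 T ->
      has_type t3 T -> has_type (If t1 t2 t3) T.
(* Syntactic soundness (progress + preservation), proved once per type system *)
Theorem progress : forall t T, has_type t T -> value t \/ exists t', step t t'.
Proof.
  intros t T H. induction H; try (left; constructor); right.
  - destruct IHhas_type as [Hv | [t' Hs]].
    + inversion Hv; subst; try solve [inversion H]. destruct n; eexists; constructor.
    + eexists; constructor; eassumption.
  - destruct IHhas_type1 as [Hv | [t1' Hs]].
    + inversion Hv; subst; try solve [inversion H]; eexists; constructor.
    + eexists; constructor; eassumption.
Qed.
Theorem preservation : forall t t' T, has_type t T -> step t t' -> has_type t' T.
Proof. intros t t' T HT; revert t'; induction HT; intros t' Hs; inversion Hs; subst;
  eauto using has_type. Qed.
Inductive multi : tm -> tm -> Prop :=
  | multi_refl : forall t, multi t t
  | multi_step : forall t t' t'', step t t' -> multi t' t'' -> multi t t''.
(* Safety: no state reachable from a well-typed program is stuck *)
Theorem safety : forall t T t', has_type t T -> multi t t' -> value t' \/ exists t'', step t' t''.
Proof. intros t T t' HT Hm; revert HT; induction Hm; intros HT;
  [eapply progress | apply IHHm; eapply preservation]; eassumption. Qed.
(* The FPCC certificate for one program: its typing derivation (what a type-checker emits)
   composed with the generic soundness theorem; no type-specific axioms are trusted *)
Definition prog : tm := If (IsZero (Const 0)) (Const 1) (Const 2).
Lemma prog_typing : has_type prog TNat. Proof. unfold prog; repeat constructor. Qed.
Theorem prog_safe : forall t', multi prog t' -> value t' \/ exists t'', step t' t''.
Proof. exact (fun t' => safety prog TNat t' prog_typing). Qed.
```

Only `step` (the machine semantics) and the statement of `prog_safe` need to be trusted by a verifier; `has_type` and its soundness proof are checked, not assumed, which is the trusted-base reduction the abstract describes.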
