Proof-carrying code

This paper describes proof-carrying code (PCC), a mechanism by which a host system can determine with certainty that it is safe to execute a program supplied (possibly in binary form) by an untrusted source. For this to be possible, the untrusted code producer must supply with the code a safety proof that attests to the code's adherence to a previously defined safety policy. The host can then easily and quickly validate the proof without using cryptography and without consulting any external agents.In order to gain preliminary experience with PCC, we have performed several case studies. We show in this paper how proof-carrying code might be used to develop safe assembly-language extensions of ML programs. In the context of this case study, we present and prove the adequacy of concrete representations for the safety policy, the safety proofs, and the proof validation. Finally, we briefly discuss how we use proof-carrying code to develop network packet filters that are faster than similar filters developed using other techniques and are formally guaranteed to be safe with respect to a given operating system safety policy.

[1]  Robert Harper,et al.  TIL: a type-directed optimizing compiler for ML , 1996, PLDI '96.

[2]  Gopalan Nadathur,et al.  Uniform Proofs as a Foundation for Logic Programming , 1991, Ann. Pure Appl. Log..

[3]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[4]  Robin Milner,et al.  Definition of standard ML , 1990 .

[5]  Steven McCanne,et al.  The BSD Packet Filter: A New Architecture for User-level Packet Capture , 1993, USENIX Winter.

[6]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[7]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[8]  D. L. Clutterbuck,et al.  The verification of low-level code , 1988, Softw. Eng. J..

[9]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[10]  Richard L. Sites,et al.  Alpha Architecture Reference Manual , 1995 .

[11]  François Rouaix A Web Navigator with Applets in Caml , 1996, Comput. Networks.

[12]  Jeffrey C. Mogul,et al.  The packer filter: an efficient mechanism for user-level network code , 1987, SOSP '87.

[13]  Robert S. Boyer,et al.  Automated proofs of object code for a widely used microprocessor , 1996, JACM.

[14]  Furio Honsell,et al.  A framework for defining logics , 1993, JACM.

[15]  Frank Pfenning,et al.  Elf: a language for logic definition and verified metaprogramming , 1989, [1989] Proceedings. Fourth Annual Symposium on Logic in Computer Science.