Compiling with proofs

One of the major challenges of building software systems is to ensure that the various components fit together in a well-defined manner. This problem is exacerbated by the recent advent of software components whose origin is unknown or inherently untrusted, such as mobile code or user extensions for operating-system kernels or database servers. Such extensions are useful for implementing an efficient interaction model between a client and a server because several data exchanges between them can be saved at the cost of a single code exchange. In this dissertation, I propose to tackle such system integrity and security problems with techniques from mathematical logic and programming-language semantics. I propose a framework, called proof-carrying code, in which the extension provider sends along with the extension code a representation of a formal proof that the code meets certain safety and correctness requirements. Then, the code receiver can ensure the safety of executing the extension by validating the attached proof. The major advantages of proof-carrying code are that it requires a simple trusted infrastructure and that it does not impose run-time penalties for the purpose of ensuring safety. In addition to the concept of proof-carrying code, this dissertation contributes the idea of certifying compilation. A certifying compiler emits, in addition to optimized target code, function specifications and loop invariants that enable a theorem-proving agent to prove non-trivial properties of the target code, such as type safety. Such a certifying compiler, along with a proof-generating theorem prover, is not only a convenient producer of proof-carrying code but also a powerful software-engineering tool. The certifier also acts as an effective referee for the correctness of each compilation, thus simplifying considerably compiler testing and maintenance. A complete system for proof-carrying code must also contain a proof-generating theorem prover for the purpose of producing the attached proofs of safety. This dissertation shows how standard decision procedures can be adapted so that they can produce detailed proofs of the proved predicates and also how these proofs can be encoded compactly and checked efficiently. Just like for the certifying compiler, a proof-generating theorem prover has significant software-engineering advantages over a traditional prover. In this case, a simple proof checker can ensure the soundness of each successful proving task and indirectly assist in testing and maintenance of the theorem prover.

[1]  Wilhelm Ackermann,et al.  Solvable Cases Of The Decision Problem , 1954 .

[2]  John McCarthy,et al.  Correctness of a compiler for arithmetic expressions , 1966 .

[3]  James C. King,et al.  An interpretation oriented theorem prover over integers , 1970, STOC '70.

[4]  James C. King,et al.  Proving Programs to be Correct , 1971, IEEE Transactions on Computers.

[5]  F. Lockwood Morris,et al.  Advice on structuring compilers and proving them correct , 1973, POPL.

[6]  D. I. Good,et al.  An interactive program verification system , 1975, IEEE Transactions on Software Engineering.

[7]  Edsger W. Dijkstra,et al.  Guarded commands, non-determinacy and a calculus for the derivation of programs , 1975, Language Hierarchies and Interfaces.

[8]  Edsger W. Dijkstra,et al.  A Discipline of Programming , 1976 .

[9]  Leslie Lamport,et al.  Proving the Correctness of Multiprocess Programs , 1977, IEEE Transactions on Software Engineering.

[10]  Richard Statman,et al.  The typed λ-calculus is not elementary recursive , 1977, 18th Annual Symposium on Foundations of Computer Science (sfcs 1977).

[11]  Dexter Kozen,et al.  Complexity of finitely presented algebras , 1977, STOC '77.

[12]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[13]  Robert E. Shostak,et al.  An algorithm for reasoning about equality , 1977, CACM.

[14]  C. G. Nelson An $n^{log n}$ algorithm for the two-variable-per-constraint linear programming satisfiability problem , 1978 .

[15]  Charles Gregory Nelson,et al.  Techniques for program verification , 1979 .

[16]  Greg Nelson,et al.  Simplification by Cooperating Decision Procedures , 1979, TOPL.

[17]  James W. Thatcher,et al.  More on Advice on Structuring Compilers and Proving them Correct , 1979, Theor. Comput. Sci..

[18]  Steven M. German,et al.  Stanford Pascal Verifier user manual , 1979 .

[19]  Robert E. Tarjan,et al.  Variations on the Common Subexpression Problem , 1980, J. ACM.

[20]  Greg Nelson,et al.  Fast Decision Procedures Based on Congruence Closure , 1980, JACM.

[21]  Bengt Aspvall,et al.  A Polynomial Time Algorithm for Solving Systems of Linear Inequalities with Two Variables per Inequality , 1980, SIAM J. Comput..

[22]  Robert E. Shostak,et al.  Deciding Linear Inequalities by Computing Loop Residues , 1981, JACM.

[23]  Robert S. Boyer,et al.  The Correctness Problem in Computer Science , 1982 .

[24]  Henry M. Levy,et al.  Capability-Based Computer Systems , 1984 .

[25]  Thierry Coquand,et al.  Constructions: A Higher Order Proof System for Mechanizing Mathematics , 1985, European Conference on Computer Algebra.

[26]  Bowen Alpern,et al.  Defining Liveness , 1984, Inf. Process. Lett..

[27]  Peter Dybjer,et al.  Using Domain Algebras to Prove the Correctness of a Compiler , 1985, STACS.

[28]  M. Gordon HOL : A machine oriented formulation of higher order logic , 1985 .

[29]  Rance Cleaveland,et al.  Implementing mathematics with the Nuprl proof development system , 1986 .

[30]  Jeffrey C. Mogul,et al.  The packer filter: an efficient mechanism for user-level network code , 1987, SOSP '87.

[31]  Dale A. Miller,et al.  A compact representation of proofs , 1987, Stud Logica.

[32]  Tsung-Min Kuo,et al.  Strictness analysis: a new perspective based on type inference , 1989, FPCA.

[33]  Philip Wadler,et al.  Theorems for free! , 1989, FPCA.

[34]  Robin Milner,et al.  Definition of standard ML , 1990 .

[35]  Amy P. Felty,et al.  The Coq proof assistant user's guide : version 5.6 , 1990 .

[36]  Robert S. Boyer,et al.  Computational Logic , 1990, ESPRIT Basic Research Series.

[37]  A. Benveniste,et al.  Synchronous Programming with Events and Relations: the SIGNAL Language and Its Semantics , 1991, Sci. Comput. Program..

[38]  Frank Pfenning,et al.  Unification and anti-unification in the calculus of constructions , 1991, [1991] Proceedings Sixth Annual IEEE Symposium on Logic in Computer Science.

[39]  Gopalan Nadathur,et al.  Uniform Proofs as a Foundation for Logic Programming , 1991, Ann. Pure Appl. Log..

[40]  Fritz Henglein,et al.  Efficient Type Inference for Higher-Order Binding-Time Analysis , 1991, FPCA.

[41]  Dale Miller,et al.  A Logic Programming Language with Lambda-Abstraction, Function Variables, and Simple Unification , 1991, J. Log. Comput..

[42]  Martín Abadi,et al.  Explicit substitutions , 1989, POPL '90.

[43]  F. Pfenning Logic programming in the LF logical framework , 1991 .

[44]  Greg Nelson,et al.  Systems programming in modula-3 , 1991 .

[45]  John Bradley Interactive Image Display for the X Window System , 1992 .

[46]  Frank Pfenning,et al.  An Empirical Study of the Runtime Behavior of Higher-Order Logic Programs , 1992 .

[47]  Natarajan Shankar,et al.  PVS: A Prototype Verification System , 1992, CADE.

[48]  Furio Honsell,et al.  A framework for defining logics , 1993, JACM.

[49]  Steven McCanne,et al.  The BSD Packet Filter: A New Architecture for User-level Packet Capture , 1993, USENIX Winter.

[50]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[51]  Frank Pfenning,et al.  Higher-Order Logic Programming as Constraint Logic Programming , 1993, PPCP.

[52]  Martín Abadi,et al.  Formal Parametric Polymorphism , 1993, Theor. Comput. Sci..

[53]  de Ng Dick Bruijn,et al.  Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser theorem , 1972 .

[54]  Frank Pfenning,et al.  Elf: A Meta-Language for Deductive Systems (System Descrition) , 1994, CADE.

[55]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[56]  Jens Palsberg,et al.  Safety Analysis versus Type Inference , 1992, Inf. Comput..

[57]  S. Savage,et al.  Writing an Operating System with Modula-3 , 1995 .

[58]  Richard L. Sites,et al.  Alpha Architecture Reference Manual , 1995 .

[59]  Nevin Heintze Control-Flow Analysis and Type Systems , 1995, SAS.

[60]  A type system equivalent to flow analysis , 1995, TOPL.

[61]  Mitchell Wand,et al.  The VLISP verified PreScheme compiler , 1995, LISP Symb. Comput..

[62]  David I. August,et al.  Compiler technology for future microprocessors , 1995, Proc. IEEE.

[63]  Mitchell Wand,et al.  VLISP: A verified implementation of Scheme , 1995, LISP Symb. Comput..

[64]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[65]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[66]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[67]  Margo I. Seltzer,et al.  Dealing with disaster: surviving misbehaved kernel extensions , 1996, OSDI '96.

[68]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[69]  Geoffrey Smith,et al.  A Type-Based Approach to Program Security , 1997, TAPSOFT.

[70]  Fausto Giunchiglia,et al.  A Provably Correct Embedded Verifier for the Certification of Safety Critical Software , 1997, CAV.

[71]  George C. Necula,et al.  Efficient representation and validation of proofs , 1998, Proceedings. Thirteenth Annual IEEE Symposium on Logic in Computer Science (Cat. No.98CB36226).

[72]  George C. Necula,et al.  Safe, Untrusted Agents Using Proof-Carrying Code , 1998, Mobile Agents and Security.

[73]  George C. Necula,et al.  The design and implementation of a certifying compiler , 1998, PLDI.

[74]  Dexter Kozen Efficient Code Certification , 1998 .

[75]  LaboratoriesLucent,et al.  The SLam Calculus : Programming with Security and IntegrityNevin HeintzeBell LaboratoriesLucent Technologies , 1998 .

[76]  Benjamin C. Pierce,et al.  Local type inference , 1998, POPL '98.

[77]  Amir Pnueli,et al.  Translation Validation , 1998, TACAS.

[78]  MorrisettGreg,et al.  From system F to typed assembly language , 1999 .

[79]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.