Extensible untrusted code verification

  • Authors:
  • Robert Richard Schneck; George Necula

  • Venue:
  • Dissertation
  • Year:
  • 2004

Abstract

Various mechanisms exist for enforcing that untrusted code satisfies basic but essential security properties, such as memory safety. A security mechanism needs to be trustworthy, so that users can feel secure that the mechanism cannot in some way be tricked by malicious or erroneous code. It is increasingly important that security mechanisms be flexible enough to handle software systems written in more than one language. Finally, a security mechanism must be a practical and usable tool; it must scale to handle realistic software systems. Standard security enforcement techniques using intermediate languages run on virtual machines are disappointing; in particular, the intermediate languages are too fixed to handle a wide variety of source languages in a natural way, even when the intermediate language is designed with flexibility in mind. In this dissertation I propose a security enforcement mechanism called the Open Verifier. The Open Verifier allows a producer of untrusted code to include with the code an untrusted verifier called an extension. The trusted framework of the Open Verifier works together with the untrusted extension to produce a complete trustworthy verification. The code producer can tailor the extension to the particular source language and compilation strategy used to produce the untrusted code, ensuring the flexibility of the system. At the same time the trusted framework is kept reasonably simple and small, and easy to trust. In order to produce a trustworthy verification from an untrusted verifier, the extension is required to emit intermediate results which can be checked by the trusted components of the system. In fact, the extension must produce the proofs of obligations produced by the trusted framework. The heart of this dissertation is the architecture and logic of that interaction.
Additionally, to show that the Open Verifier is a practical and usable tool, I describe by example the process of producing an extension for a realistic language, highlighting in particular the proof development strategies.
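The trusted-framework / untrusted-extension split that the abstract describes, as an added worked example that is not code from the dissertation or from the Open Verifier itself. A trusted symbolic executor raises memory-safety obligations for a three-instruction toy assembly, a trusted checker validates proofs written in a small linear-arithmetic logic, and two untrusted extensions supply the proofs. The instruction set, the logic, the rule names and every function here (generate_obligations, check, verify, honest_extension, bogus_extension) are invented for illustration, and the sample programs and precondition are constructed inputs.

```python
"""Toy model of the Open Verifier split: a small TRUSTED framework (symbolic
executor + proof checker) and UNTRUSTED extensions that must return a checkable
proof for every obligation the framework raises.  Added example, not the
dissertation's code: the assembly, the linear-arithmetic logic and the rule
names are invented.  Property: every `load` reads inside [r0, r0 + r1)."""

# Linear expressions are {var: coeff} dicts; the constant term lives under "1".
def norm(e): return {k: v for k, v in e.items() if v != 0}
def add(e, f):
    out = dict(e)
    for k, v in f.items():
        out[k] = out.get(k, 0) + v
    return norm(out)
def sub(e, f): return add(e, {k: -v for k, v in f.items()})
def const(k): return norm({"1": k})
def var(name): return {name: 1}
def const_value(e):          # integer value of a variable-free expression, else None
    return e.get("1", 0) if set(e) <= {"1"} else None
def leq(a, b): return ("leq", a, b)   # the only formula shape in this toy logic

# ---- TRUSTED: symbolic executor that raises proof obligations ---------------
def generate_obligations(program):
    """Return [(formula, pc)]: a lower- and an upper-bound obligation per load."""
    state, out = {"r0": var("r0"), "r1": var("r1")}, []
    for pc, ins in enumerate(program):
        if ins[0] == "add":                      # add dst, src, imm
            state[ins[1]] = add(state[ins[2]], const(ins[3]))
        elif ins[0] == "load":                   # load dst, [base + off]
            addr = add(state[ins[2]], const(ins[3]))
            out.append((leq(var("r0"), addr), pc))                                  # r0 <= addr
            out.append((leq(add(addr, const(1)), add(var("r0"), var("r1"))), pc))  # addr+1 <= r0+r1
            state[ins[1]] = var(f"m{pc}")        # loaded value is unknown
        elif ins[0] == "ret":
            break
    return out

# ---- TRUSTED: proof checker, small enough to audit by hand ------------------
class ProofError(Exception): pass

def check(proof, hyps):
    """Return the formula `proof` establishes under `hyps`, or raise ProofError."""
    rule = proof[0]
    if rule == "hyp":                            # hyp(i): hypothesis i
        if not 0 <= proof[1] < len(hyps):
            raise ProofError(f"no hypothesis {proof[1]}")
        return hyps[proof[1]]
    if rule == "refl":                           # refl(e): e <= e
        return leq(proof[1], proof[1])
    if rule == "const":                          # const(a, b): a <= b for ints
        a, b = proof[1], proof[2]
        if not (isinstance(a, int) and isinstance(b, int) and a <= b):
            raise ProofError(f"{a} <= {b} is false")
        return leq(const(a), const(b))
    if rule == "sum":                            # a<=b, c<=d  ==>  a+c <= b+d
        (_, a, b), (_, c, d) = check(proof[1], hyps), check(proof[2], hyps)
        return leq(add(a, c), add(b, d))
    if rule == "trans":                          # a<=b, b<=c  ==>  a <= c
        (_, a, b), (_, b2, c) = check(proof[1], hyps), check(proof[2], hyps)
        if b != b2:
            raise ProofError("trans: middle terms differ")
        return leq(a, c)
    raise ProofError(f"unknown rule {rule!r}")

def verify(program, hyps, extension):
    """TRUSTED entry point: accept only if every obligation gets a valid proof."""
    for ob, pc in generate_obligations(program):
        try:
            if check(extension(ob, hyps), hyps) != ob:
                return False, f"pc {pc}: proof establishes the wrong formula"
        except Exception as e:                   # broken extension or broken proof
            return False, f"pc {pc}: rejected ({e})"
    return True, "ok"

# ---- UNTRUSTED extensions ---------------------------------------------------
def honest_extension(ob, hyps):
    """Proves a <= b when b - a is a non-negative constant or r1 minus a constant c with a hypothesis m <= r1, m >= c."""
    _, a, b = ob
    d = sub(b, a)
    k = const_value(d)
    if k is not None and k >= 0:
        return ("sum", ("refl", a), ("const", 0, k))
    if set(d) <= {"r1", "1"} and d.get("r1") == 1:        # d = r1 - c
        c = -d.get("1", 0)
        for i, (_, lo, hi) in enumerate(hyps):
            m = const_value(lo)
            if hi == var("r1") and m is not None and m >= c:
                return ("sum", ("refl", sub(a, const(c))), ("trans", ("const", c, m), ("hyp", i)))
    raise ProofError("no proof strategy for this obligation")

def bogus_extension(ob, hyps):
    """Malicious: hands back a valid proof of an irrelevant fact every time."""
    return ("const", 0, 0)

# Constructed inputs: the caller promises r1 >= 4; SAFE reads bytes 2 and 3, UNSAFE byte 4.
PRECOND = [leq(const(4), var("r1"))]
SAFE = [("add", "r2", "r0", 2), ("load", "r3", "r2", 0), ("load", "r4", "r2", 1), ("ret",)]
UNSAFE = [("add", "r2", "r0", 2), ("load", "r3", "r2", 2), ("ret",)]

if __name__ == "__main__":
    for prog, ext in [(SAFE, honest_extension), (UNSAFE, honest_extension), (SAFE, bogus_extension)]:
        print(prog is SAFE, ext.__name__, verify(prog, PRECOND, ext))
```

The abstract's central point is visible in the control flow: the extension never decides acceptance. verify accepts SAFE with honest_extension because every proof re-derives exactly the obligation the framework raised; the same honest extension cannot find a proof for UNSAFE, so the program is rejected; and bogus_extension is turned away on SAFE even though its proof checks, because the checked conclusion does not match the obligation. Only the trusted side (generate_obligations, check, verify) needs to be audited, and a wrong or malicious extension can at worst cause a rejection.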