Research on Proof-Carrying Code for Untrusted-Code Security

A powerful method of interaction between two software systems is through mobile code. By allowing code to be installed dynamically and then executed, a host system can provide a flexible means of access to its internal resources and services. There are many problems to be solved before such uses of untrusted code can become practical. For this position paper, we will focus on the problem of how to establish guarantees about the intrinsic behavior of untrusted programs. Of particular interest are the following: (1) How can the host system ensure that the untrusted code will not damage it, for example, by corrupting internal data structures? (2) How can the host ensure that the untrusted code will not use too many resources (such as CPU, memory, and so forth) or use them for too long a time period?; and, (3) How can the host make these assurances without undue effort and deleterious effect on overall system performance? Our position is that the theory of programming languages, including formal semantics, type theory, and applications of logic, are critical to solving the untrusted-code security problem. To illustrate the possibilities of programming language theory, we will briefly describe one rather extreme but promising example, which is proof-carrying code (PCC).