A Formalization of the Proof-Carrying Code Architecture in a Linear Logical Framework
Abstract
One of the major challenges in the design of modular and extensible operating systems is to guarantee safety in the presence of untrusted code. A similar problem arises in the domain of mobile code. One solution, adopted, for example, in the Java Virtual Machine [LY97], is to perform extensive safety checks at run time. In the alternative paradigm of proof-carrying code (PCC) proposed by Necula and Lee [NL96, Nec97], the code producer attaches a safety proof to mobile code which can be independently verified by the code consumer before execution. This eliminates the need for run-time checks and leads to a small trusted computing base. A difficulty with PCC is the complexity of proving the correctness of the architecture itself. In particular, we would like to ensure that a program which passes the safety check before execution will indeed run safely. While this can be quite difficult, it has to be done only once for each machine architecture and safety policy. For example, Necula [Nec98] has given a mathematical proof for the correctness of his safety policy. Unfortunately, minor changes or additions to a policy may require substantial changes in its correctness proof. In this paper we formalize the PCC safety architecture in a logical framework, which constitutes an important first step towards an environment for experimentation and formal verification of properties of safety policies and their implementations in the PCC architecture. Our main tool is LLF [CP96], a logical framework based on linear logic [Gir87]. Linear logic provides natural means of describing programming languages and their semantics, especially those of an imperative nature. LLF permits us to give a high-level description of assembly code, safety policies, and safety proofs within the same language. In future work we plan to formally verify safety policies based on their encoding in LLF. 
We also hope to introduce linearity to the PCC architecture itself in order to reduce the size of safety proofs. We first describe the PCC infrastructure further in Section 2, followed by a brief sketch of our meta-language, the linear logical framework, in Section 3. In order to implement portions of the PCC system, we must choose a language for our simulated agent. We follow [Nec98] and use Safe Assembly Language (SAL), a generic RISC architecture. SAL is described in Section 4. Two execution models, one without and one with run-time safety checks, are described in Section 5. A formal connection between these two models is provided in Section 6, where we specify safety as a
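As an added illustration, not code from the paper or from LLF, here is a toy Python model of the two execution models the abstract contrasts: a consumer-side certificate checker that validates per-instruction register-bounds annotations for a three-instruction straight-line subset of a SAL-like RISC without running the code, beside a run-time-checked interpreter that faults on out-of-range memory access. The instruction set, the single-region memory policy, the zero-registers-at-entry assumption and the sample programs are all constructed here and are not the paper's SAL.

```python
MEM_SIZE, NREGS = 8, 4    # constructed toy policy: one 8-word region; registers r0..r3
UNKNOWN = (-(2 ** 31), 2 ** 31 - 1)   # interval for a value the checker knows nothing about

def abstract_step(instr, bounds):
    """Interval transfer function: register bounds after instr, given bounds before."""
    new = list(bounds)
    if instr[0] == "addi":              # ("addi", rd, rs, imm): rd := rs + imm
        lo, hi = bounds[instr[2]]
        new[instr[1]] = (lo + instr[3], hi + instr[3])
    elif instr[0] == "ld":              # ("ld", rd, ra): rd := mem[ra], contents unknown
        new[instr[1]] = UNKNOWN
    elif instr[0] != "st":              # ("st", ra, rv): mem[ra] := rv, registers unchanged
        raise ValueError(instr[0])
    return new

def check_certificate(program, cert):
    """Consumer side: check cert (register bounds before each instruction) without running."""
    state = [(0, 0)] * NREGS            # assumption: all registers are zero at entry
    for instr, annot in zip(program, cert):
        # the producer's annotation must be implied by what is already known (weakening is fine)
        if any(a[0] > s[0] or s[1] > a[1] for s, a in zip(state, annot)):
            return False
        if instr[0] in ("ld", "st"):    # proof obligation: the address register is in range
            lo, hi = annot[instr[2] if instr[0] == "ld" else instr[1]]
            if lo < 0 or hi >= MEM_SIZE:
                return False
        state = abstract_step(instr, annot)
    return len(cert) == len(program)    # a short certificate proves nothing about the tail

def run_checked(program):
    """Run-time-checked execution model: abort with a fault on any out-of-range access."""
    regs, mem = [0] * NREGS, [0] * MEM_SIZE
    for instr in program:
        if instr[0] == "addi":
            regs[instr[1]] = regs[instr[2]] + instr[3]
            continue
        addr = regs[instr[2] if instr[0] == "ld" else instr[1]]
        if not 0 <= addr < MEM_SIZE:
            return regs, mem, f"fault: {instr[0]} at address {addr}"
        if instr[0] == "ld":
            regs[instr[1]] = mem[addr]
        else:
            mem[addr] = regs[instr[2]]
    return regs, mem, None

Z = (0, 0)   # constructed samples: a certified program and one with a forged certificate
GOOD_PROG = [("addi", 1, 0, 3), ("addi", 2, 0, 42), ("st", 1, 2), ("ld", 3, 1)]
GOOD_CERT = [[Z] * 4, [Z, (3, 3), Z, Z], [Z, (0, 7), (42, 42), Z], [Z, (0, 7), (42, 42), Z]]
BAD_PROG = [("addi", 1, 0, 9), ("st", 1, 0)]
BAD_CERT = [[Z] * 4, [Z, (3, 3), Z, Z]]   # claims r1 in [3, 3] although r1 = 9 at that point
```

The checker's work is a single linear pass over the annotations, which is the point of PCC: the expensive reasoning is done once by the producer, and a certificate that checks (as with GOOD_PROG) is one whose run-time-checked execution never faults, while a forged or honest certificate for BAD_PROG is rejected before the code runs at all.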
Publication date: 1999