Programs from Proofs: A Framework for the Safe Execution of Untrusted Software

Authors:
Marie-Christine Jakobs

Paderborn University (Germany)

Paderborn University (Germany)
View Profile

,
Heike Wehrheim

Paderborn University (Germany)

Paderborn University (Germany)
View Profile

ACM Transactions on Programming Languages and Systems Volume 39 Issue 2Article No.: 7pp 1–56https://doi.org/10.1145/3014427

Published:10 March 2017Publication History

ACM Transactions on Programming Languages and Systems

Abstract

Today, software is traded worldwide on global markets, with apps being downloaded to smartphones within minutes or seconds. This poses, more than ever, the challenge of ensuring safety of software in the face of (1) unknown or untrusted software providers together with (2) resource-limited software consumers. The concept of Proof-Carrying Code (PCC), years ago suggested by Necula, provides one framework for securing the execution of untrusted code. PCC techniques attach safety proofs, constructed by software producers, to code. Based on the assumption that checking proofs is usually much simpler than constructing proofs, software consumers should thus be able to quickly check the safety of software. However, PCC techniques often suffer from the size of certificates (i.e., the attached proofs), making PCC techniques inefficient in practice.

In this article, we introduce a new framework for the safe execution of untrusted code called Programs from Proofs (PfP). The basic assumption underlying the PfP technique is the fact that the structure of programs significantly influences the complexity of checking a specific safety property. Instead of attaching proofs to program code, the PfP technique transforms the program into an efficiently checkable form, thus guaranteeing quick safety checks for software consumers. For this transformation, the technique also uses a producer-side automatic proof of safety. More specifically, safety proving for the software producer proceeds via the construction of an abstract reachability graph (ARG) unfolding the control-flow automaton (CFA) up to the degree necessary for simple checking. To this end, we combine different sorts of software analysis: expensive analyses incrementally determining the degree of unfolding, and cheap analyses responsible for safety checking. Out of the abstract reachability graph we generate the new program. In its CFA structure, it is isomorphic to the graph and hence another, this time consumer-side, cheap analysis can quickly determine its safety.

Like PCC, Programs from Proofs is a general framework instantiable with different sorts of (expensive and cheap) analysis. Here, we present the general framework and exemplify it by some concrete examples. We have implemented different instantiations on top of the configurable program analysis tool CPAchecker and report on experiments, in particular on comparisons with PCC techniques.

References

Elvira Albert, Germán Puebla, and Manuel Hermenegildo. 2005. Abstraction-carrying code. In Logic for Programming, Artificial Intelligence, and Reasoning, Franz Baader and Andrei Voronkov (Eds.). Lecture Notes in Computer Science, Vol. 3452. Springer, Berlin, 380--397. DOI:http://dx.doi.org/ 10.1007/978-3-540-32275-7_25 Google ScholarCross Ref
Glenn Ammons and James R. Larus. 2004. Improving data-flow analysis with path profiles. SIGPLAN Not. 39, 4 (Apr. 2004), 568--582. DOI:http://dx.doi.org/10.1145/989393.989451 Google ScholarDigital Library
Torben Amtoft, Josiah Dodds, Zhi Zhang, Andrew Appel, Lennart Beringer, John Hatcliff, Xinming Ou, and Andrew Cousino. 2012. A certificate infrastructure for machine-checked proofs of conditional information flow. In Proceedings of the 1st International Conference on Principles of Security and Trust (POST’12). Springer-Verlag, Berlin, 369--389. DOI:http://dx.doi.org/10.1007/978-3-642-28641-4_20 Google ScholarDigital Library
Gogul Balakrishnan, Sriram Sankaranarayanan, Franjo Ivančić, and Aarti Gupta. 2009. Refining the control structure of loops using static analysis. In Proceedings of the 7th ACM International Conference on Embedded Software (EMSOFT’09). ACM, New York, NY, 49--58. DOI:http://dx.doi.org/10.1145/1629335.1629343 Google ScholarDigital Library
Gogul Balakrishnan, Sriram Sankaranarayanan, Franjo Ivančić, Ou Wei, and Aarti Gupta. 2008. SLR: Path-sensitive analysis through infeasible-path detection and syntactic language refinement. In Static Analysis, María Alpuente and Germán Vidal (Eds.). Lecture Notes in Computer Science, Vol. 5079. Springer, Berlin , 238--254. DOI:http://dx.doi.org/10.1007/978-3-540-69166-2_16 Google ScholarDigital Library
John Barnes. 2012. SPARK - The Proven Approach to High Integrity Software. Altran Praxis. http://www.altran.co.uk, UK.Google Scholar
Joseph L. Bates and Robert L. Constable. 1985. Proofs as programs. ACM Trans. Program. Lang. Syst. 7, 1 (Jan. 1985), 113--136. DOI:http://dx.doi.org/10.1145/2363.2528 Google ScholarDigital Library
Lujo Bauer, Michael A. Schneider, Edward W. Felten, and Andrew W. Appel. 2003. Access control on the web using proof-carrying authorization. In Proceedings of the DARPA Information Survivability Conference and Exposition, 2003, Vol. 2. IEEE, 117--119. DOI:http://dx.doi.org/10.1109/DISCEX.2003.1194942 Google ScholarCross Ref
Holger Benl, Ulrich Berger, Helmut Schwichtenberg, Monika Seisenberger, and Wolfgang Zuber. 1998. Proof theory at work: Program development in the minlog system. In Automated Deduction: A Basis for Applications, Wolfgang Bibel and Peter H. Schmitt (Eds.). Applied Logic Series, Vol. 9. Springer, Netherlands, 41--71. DOI:http://dx.doi.org/10.1007/978-94-017-0435-9_2 Google ScholarCross Ref
Stefan Berghofer. 2003. Program extraction in simply-typed higher order logic. In Types for Proofs and Programs, Herman Geuvers and Freek Wiedijk (Eds.). Lecture Notes in Computer Science, Vol. 2646. Springer, Berlin, 21--38. DOI:http://dx.doi.org/10.1007/3-540-39185-1_2 Google ScholarCross Ref
Dirk Beyer. 2015. Software verification and verifiable witnesses. In Tools and Algorithms for the Construction and Analysis of Systems, Christel Baier and Cesare Tinelli (Eds.). Lecture Notes in Computer Science, Vol. 9035. Springer, Berlin, 401--416. DOI:http://dx.doi.org/10.1007/978-3-662-46681-0_31 Google ScholarDigital Library
Dirk Beyer, Adam J. Chlipala, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. 2004. The BLAST query language for software verification. In Static Analysis, Roberto Giacobazzi (Ed.). Lecture Notes in Computer Science, Vol. 3148. Springer, Berlin, 2--18. DOI:http://dx.doi.org/10.1007/978-3-540-27864-1_2 Google ScholarCross Ref
Dirk Beyer, Thomas A. Henzinger, and Grégory Théoduloz. 2007. Configurable software verification: Concretizing the convergence of model checking and program analysis. In Computer Aided Verification, Werner Damm and Holger Hermanns (Eds.). Lecture Notes in Computer Science, Vol. 4590. Springer, Berlin, 504--518. DOI:http://dx.doi.org/10.1007/978-3-540-73368-3_51 Google ScholarCross Ref
Dirk Beyer and M. Erkan Keremoglu. 2011. CPAchecker: A tool for configurable software verification. In Computer Aided Verification, Ganesh Gopalakrishnan and Shaz Qadeer (Eds.). Lecture Notes in Computer Science, Vol. 6806. Springer, Berlin, 184--190. DOI:http://dx.doi.org/10.1007/978-3-642-22110-1_16 Google ScholarCross Ref
Dirk Beyer, M. Erkan Keremoglu, and Philipp Wendler. 2010. Predicate abstraction with adjustable-block encoding. In Proceedings of the 2010 Conference on Formal Methods in Computer-Aided Design (FMCAD’10). FMCAD, Austin, TX, 189--198.Google ScholarDigital Library
Dirk Beyer and Stefan Löwe. 2013. Explicit-state software model checking based on CEGAR and interpolation. In Fundamental Approaches to Software Engineering, Vittorio Cortellessa and Dániel Varró (Eds.). Lecture Notes in Computer Science, Vol. 7793. Springer, Berlin, 146--162. DOI:http://dx.doi.org/10.1007/978-3-642-37057-1_11 Google ScholarDigital Library
Dirk Beyer, Stefan Löwe, Evgeny Novikov, Andreas Stahlbauer, and Philipp Wendler. 2013. Precision reuse for efficient regression verification. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering (ESEC/FSE’13). ACM, New York, NY, 389--399. DOI:http://dx.doi.org/ 10.1145/2491411.2491429 Google ScholarDigital Library
Dirk Beyer, Stefan Löwe, and Philipp Wendler. 2015a. Benchmarking and resource measurement. In Proceedings of Model Checking Software: 22nd International Symposium (SPIN’15), Bernd Fischer and Jaco Geldenhuys (Eds.), Lecture Notes of Computer Science, Vol. 9232. Springer International Publishing, Cham, 160--178. Google ScholarDigital Library
Dirk Beyer, Stefan Löwe, and Philipp Wendler. 2015b. Refinement selection. In Proceedings of Model Checking Software: 22nd International Symposium (SPIN’15), Bernd Fischer and Jaco Geldenhuys (Eds.). Lecture Notes in Computer Science, Vol. 9232. Springer International Publishing, Cham, 20--38. DOI:http://dx.doi.org/10.1007/978-3-319-23404-5_3 Google ScholarDigital Library
Dirk Beyer, Stefan Löwe, and Philipp Wendler. 2015c. Sliced path prefixes: An effective method to enable refinement selection. In Formal Techniques for Distributed Objects, Components, and Systems, Susanne Graf and Mahesh Viswanathan (Eds.). Lecture Notes in Computer Science, Vol. 9039. Springer International Publishing, Cham, 228--243. DOI:http://dx.doi.org/10.1007/978-3-319-19195-9_15 Google ScholarCross Ref
Sandrine Blazy, David Bühler, and Boris Yakobowski. 2014. Improving static analyses of C programs with conditional predicates. In Formal Methods for Industrial Critical Systems, Frédéric Lang and Francesco Flammini (Eds.). Lecture Notes in Computer Science, Vol. 8718. Springer International Publishing, 140--154. DOI:http://dx.doi.org/10.1007/978-3-319-10702-8_10 Google ScholarCross Ref
William J. Brown, Raphael C. Malveau, Hays W. McCormick III, and Thomas J. Mowbray. 1998. AntiPatterns: Refactoring Software, Architectures, and Projects in Crisis. John Wiley 8 Sons, New York, NY.Google ScholarDigital Library
Oliver Burn (founder). 2015. Checkstyle Retrieved from http://checkstyle.sourceforge.net/.Google Scholar
Alessandro Cimatti, Alberto Griggio, Bastiaan Joost Schaafsma, and Roberto Sebastiani. 2013. The MathSAT5 SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems, Nir Piterman and Scott A. Smolka (Eds.). Lecture Notes in Computer Science, Vol. 7795. Springer, Berlin, 93--107. DOI:http://dx.doi.org/10.1007/978-3-642-36742-7_7 Google ScholarDigital Library
Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. 2000. Counterexample-guided abstraction refinement. In Computer Aided Verification, E. Allen Emerson and Aravinda Prasad Sistla (Eds.). Lecture Notes in Computer Science, Vol. 1855. Springer, Berlin, 154--169. DOI:http://dx.doi.org/10.1007/10722167_15 Google ScholarCross Ref
Byron Cook, Eric Koskinen, and Moshe Vardi. 2011. Temporal property verification as a program analysis task. In Computer Aided Verification, Ganesh Gopalakrishnan and Shaz Qadeer (Eds.). Lecture Notes in Computer Science, Vol. 6806. Springer, Berlin, 333--348. DOI:http://dx.doi.org/ 10.1007/978-3-642-22110-1_26 Google ScholarCross Ref
Patrick Cousot and Radhia Cousot. 1977. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL’77). ACM, New York, NY, 238--252. DOI:http://dx.doi.org/10.1145/512950.512973 Google ScholarDigital Library
Patrick Cousot, Pierre Ganty, and Jean-François Raskin. 2007. Fixpoint-guided abstraction refinements. In Static Analysis, Hanne Riis Nielson and Gilberto Filé (Eds.). Lecture Notes in Computer Science, Vol. 4634. Springer, Berlin, 333--348. DOI:http://dx.doi.org/10.1007/978-3-540-74061-2_21 Google ScholarCross Ref
Karl Crary and Stephanie Weirich. 2000. Resource bound certification. In Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’00). ACM, New York, NY, 184--198. DOI:http://dx.doi.org/10.1145/325694.325716 Google ScholarDigital Library
Pascal Cuoq, Florent Kirchner, Nikolai Kosmatov, Virgile Prevosto, Julien Signoles, and Boris Yakobowski. 2012. Frama-C. In Software Engineering and Formal Methods, George Eleftherakis, Mike Hinchey, and Mike Holcombe (Eds.). Lecture Notes in Computer Science, Vol. 7504. Springer, Berlin, 233--247. DOI:http://dx.doi.org/10.1007/978-3-642-33826-7_16 Google ScholarDigital Library
Manuvir Das, Sorin Lerner, and Mark Seigle. 2002. ESP: Path-sensitive program verification in polynomial time. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation (PLDI’02). ACM, New York, NY, 57--68. DOI:http://dx.doi.org/10.1145/512529.512538 Google ScholarDigital Library
Dinakar Dhurjati, Manuvir Das, and Yue Yang. 2006. Path-sensitive dataflow analysis with iterative refinement. In Static Analysis, Kwangkeun Yi (Ed.). Lecture Notes in Computer Science, Vol. 4134. Springer, Berlin, 425--442. DOI:http://dx.doi.org/ 10.1007/11823230_27 Google ScholarDigital Library
Stefanie Drzevitzky, Uwe Kastens, and Marco Platzner. 2009. Proof-Carrying Hardware: Towards runtime verification of reconfigurable modules. In Proceedings of the International Conference on Reconfigurable Computing and FPGAs, 2009 (ReConFig’09). IEEE, 189--194. DOI:http://dx.doi.org/10.1109/ReConFig.2009.31 Google ScholarDigital Library
Eitan Farchi, Yarden Nir, and Shmuel Ur. 2003. Concurrent bug patterns and how to test them. In Proceedings of the 17th International Symposium on Parallel and Distributed Processing (IPDPS’03). IEEE Computer Society, 286.2. DOI:http://dx.doi.org/10.1109/IPDPS.2003.1213511 Google ScholarCross Ref
Jeffrey Fischer, Ranjit Jhala, and Rupak Majumdar. 2005. Joining dataflow with predicates. In Proceedings of the 10th European Software Engineering Conference Held Jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE-13). ACM, New York, NY, 227--236. DOI:http://dx.doi.org/10.1145/1081706.1081742 Google ScholarDigital Library
Susanne Graf and Hassen Saidi. 1997. Construction of abstract state graphs with PVS. In Computer Aided Verification, Orna Grumberg (Ed.). Lecture Notes in Computer Science, Vol. 1254. Springer, Berlin, 72--83. DOI:http://dx.doi.org/10.1007/3-540-63166-6_10 Google ScholarCross Ref
Jan F. Groote, Tim W. D. M. Kouters, and Ammar Osaiweran. 2015. Specification guidelines to avoid the state space explosion problem. Software Test. Verification Reliability 25, 1 (2015), 4--33. DOI:http://dx.doi.org/10.1002/stvr.1536 Google ScholarDigital Library
Bhargav S. Gulavani and Sriram K. Rajamani. 2006. Counterexample driven refinement for abstract interpretation. In Tools and Algorithms for the Construction and Analysis of Systems, Holger Hermanns and Jens Palsberg (Eds.). Lecture Notes in Computer Science, Vol. 3920. Springer, Berlin, 474--488. DOI:http://dx.doi.org/10.1007/11691372_34 Google ScholarDigital Library
Sumit Gulwani, Sagar Jain, and Eric Koskinen. 2009. Control-flow refinement and progress invariants for bound analysis. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’09). ACM, New York, NY, 375--385. DOI:http://dx.doi.org/ 10.1145/1542476.1542518 Google ScholarDigital Library
Mary W. Hall, John M. Mellor-Crummey, Alan Carle, and René G. Rodríguez. 1994. FIAT: A framework for interprocedural analysis and transformation. In Languages and Compilers for Parallel Computing, Utpal Banerjee, David Gelernter, Alex Nicolau, and David Padua (Eds.). Lecture Notes in Computer Science, Vol. 768. Springer, Berlin, 522--545. DOI:http://dx.doi.org/10.1007/3-540-57659-2_30 Google ScholarCross Ref
Mark Harman, Lin Hu, Rob Hierons, Joachim Wegener, Harmen Sthamer, André Baresel, and Marc Roper. 2004. Testability transformation. IEEE Trans. Software Eng. 30, 1 (Jan. 2004), 3--16. DOI:http://dx.doi.org/10.1109/TSE.2004.1265732 Google ScholarDigital Library
Matthias Heizmann, Jochen Hoenicke, and Andreas Podelski. 2009. Refinement of trace abstraction. In Static Analysis, Jens Palsberg and Zhendong Su (Eds.). Lecture Notes in Computer Science, Vol. 5673. Springer, Berlin, 69--85. DOI:http://dx.doi.org/10.1007/978-3-642-03237-0_7 Google ScholarDigital Library
Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Kenneth L. McMillan. 2004. Abstractions from proofs. In Proceedings of the 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’04). ACM, New York, NY, 232--244. DOI:http://dx.doi.org/10.1145/964001.964021 Google ScholarDigital Library
Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Marco A.A. Sanvido. 2003. Extreme model checking. In Verification: Theory and Practice, Nachum Dershowitz (Ed.). Lecture Notes in Computer Science, Vol. 2772. Springer, Berlin, 332--358. DOI:http://dx.doi.org/10.1007/978-3-540-39910-0_16 Google ScholarCross Ref
Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. 2002a. Lazy abstraction. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’02). ACM, New York, NY, 58--70. DOI:http://dx.doi.org/10.1145/503272.503279 Google ScholarDigital Library
Thomas A. Henzinger, George C. Necula, Ranjit Jhala, Grégoire Sutre, Rupak Majumdar, and Westley Weimer. 2002b. Temporal-safety proofs for systems code. In Computer Aided Verification, Ed Brinksma and Kim Guldstrand Larsen (Eds.). Lecture Notes in Computer Science, Vol. 2404. Springer, Berlin, 526--538. DOI:http://dx.doi.org/10.1007/3-540-45657-0_45 Google ScholarCross Ref
Shin Hong and Moonzoo Kim. 2013. Effective pattern-driven concurrency bug detection for operating systems. J. Syst. Software 86, 2 (2013), 377--388. DOI:http://dx.doi.org/10.1016/j.jss.2012.08.063 Google ScholarDigital Library
David Hovemeyer and William Pugh. 2004. Finding bugs is easy. SIGPLAN Not. 39, 12 (Dec. 2004), 92--106. DOI:http://dx.doi.org/10.1145/1052883.1052895 Google ScholarDigital Library
William A. Howard. 1969. The formulae-as-types notion of construction. (1969). Reprinted in To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, J. P. Seldin and J. R. Hindley (Eds). Academic Press, 1980.Google Scholar
Sebastian Hunt and David Sands. 2006. On flow-sensitive security types. In Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’06). ACM, New York, NY, 79--90. DOI:http://dx.doi.org/10.1145/1111037.1111045 Google ScholarDigital Library
IBM Research. 2015. T.J. Watson Libraries for Analysis (WALA) Retrieved from http://wala.sourceforge.net.Google Scholar
Joxan Jaffar and Vijayaraghavan Murali. 2014. A path-sensitively sliced control flow graph. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’14). ACM, New York, NY, 133--143. DOI:http://dx.doi.org/10.1145/2635868.2635884 Google ScholarDigital Library
Marie-Christine Jakobs. 2015. Speed up configurable certificate validation by certificate reduction and partitioning. In Software Engineering and Formal Methods, Radu Calinescu and Bernhard Rumpe (Eds.). Lecture Notes in Computer Science, Vol. 9276. Springer International Publishing, 159--174. DOI:http://dx.doi.org/10.1007/978-3-319-22969-0_12 Google ScholarCross Ref
Marie-Christine Jakobs and Heike Wehrheim. 2014. Certification for configurable program analysis. In Proceedings of the 2014 International SPIN Symposium on Model Checking of Software (SPIN’14). ACM, New York, NY, 30--39. DOI:http://dx.doi.org/10.1145/2632362.2632372 Google ScholarDigital Library
Marie-Christine Jakobs and Heike Wehrheim. 2015. Programs from Proofs of predicated dataflow analyses. In Proceedings of the 30th Annual ACM Symposium on Applied Computing (SAC’15). ACM, New York, NY, 1729--1736. DOI:http://dx.doi.org/10.1145/2695664.2695690 Google ScholarDigital Library
Bertrand Jeannet and Antoine Miné. 2009. Apron: A library of numerical abstract domains for static analysis. In Computer Aided Verification, Ahmed Bouajjani and Oded Maler (Eds.). Lecture Notes in Computer Science, Vol. 5643. Springer, Berlin, 661--667. DOI:http://dx.doi.org/10.1007/978-3-642-02658-4_52 Google ScholarDigital Library
Ranjit Jhala and Rupak Majumdar. 2009. Software model checking. ACM Comput. Surv. 41, 4, Article 21 (Oct. 2009), 54 pages.Google Scholar
Ralph E. Johnson, Erich Gamma, John Vlissides, and Richard Helm. 1995. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley Longman Publishing Co., Boston, MA.Google ScholarDigital Library
John B. Kam and Jeffrey D. Ullman. 1977. Monotone data flow analysis frameworks. Acta Inform. 7, 3 (1977), 305--317. DOI:http://dx.doi.org/10.1007/BF00290339 Google ScholarDigital Library
Gary A. Kildall. 1973. A unified approach to global program optimization. In Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL’73). ACM, New York, NY, 194--206. DOI:http://dx.doi.org/10.1145/512927.512945 Google ScholarDigital Library
Kelvin Ku, Thomas E. Hart, Marsha Chechik, and David Lie. 2007. A buffer overflow benchmark for software model checkers. In Proceedings of the 22nd IEEE/ACM International Conference on Automated Software Engineering (ASE’07). ACM, New York, NY, 389--392. DOI:http://dx.doi.org/10.1145/1321631.1321691 Google ScholarDigital Library
Xavier Leroy. 2002. Bytecode verification on Java smart cards. Software: Pract. Exper. 32, 4 (2002), 319--340. DOI:http://dx.doi.org/10.1002/spe.438 Google ScholarDigital Library
Pierre Letouzey. 2003. A new extraction for Coq. In Types for Proofs and Programs, Herman Geuvers and Freek Wiedijk (Eds.). Lecture Notes in Computer Science, Vol. 2646. Springer, Berlin, 200--219. DOI:http://dx.doi.org/10.1007/3-540-39185-1_12 Google ScholarCross Ref
Pierre Letouzey. 2008. Extraction in Coq: An overview. In Logic and Theory of Algorithms, Arnold Beckmann, Costas Dimitracopoulos, and Benedikt Löwe (Eds.). Lecture Notes in Computer Science, Vol. 5028. Springer, Berlin, 359--369. DOI:http://dx.doi.org/10.1007/978-3-540-69407-6_39 Google ScholarDigital Library
Vivien Maisonneuve. 2012. Convex invariant refinement by control node splitting: A heuristic approach. Electronic Notes Theor. Comput. Sci. 288 (2012), 49--59. DOI:http://dx.doi.org/10.1016/j.entcs.2012.10.007 Proceedings of the 3rd International Workshop on Numerical and Symbolic Abstract Domains, {NSAD} 2011. Google ScholarDigital Library
Kedar S. Namjoshi. 2001. Certifying model checkers. In Computer Aided Verification, Gérard Berry, Hubert Comon, and Alain Finkel (Eds.). Lecture Notes in Computer Science, Vol. 2102. Springer, Berlin, 2--13. DOI:http://dx.doi.org/10.1007/3-540-44585-4_2 Google ScholarCross Ref
George C. Necula. 1997. Proof-Carrying Code. In Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’97). ACM, New York, NY, 106--119. DOI:http://dx.doi.org/10.1145/263699.263712 Google ScholarDigital Library
George C. Necula and Peter Lee. 1998. Safe, untrusted agents using Proof-Carrying Code. In Mobile Agents and Security, Giovanni Vigna (Ed.). Lecture Notes in Computer Science, Vol. 1419. Springer, Berlin, 61--91. DOI:http://dx.doi.org/10.1007/3-540-68671-1_5 Google ScholarCross Ref
George C. Necula, Scott McPeak, and Westley Weimer. 2002. CCured: Type-safe retrofitting of legacy code. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’02). ACM, New York, NY, 128--139. DOI:http://dx.doi.org/10.1145/503272.503286 Google ScholarDigital Library
Flemming Nielson, Hanne R. Nielson, and Chris Hankin. 1999. Principles of Program Analysis. Springer-Verlag New York, Secaucus, NJ. Google ScholarCross Ref
Doron Peled and Lenore Zuck. 2001. From model checking to a temporal proof. In Model Checking Software, Matthew Dwyer (Ed.). Lecture Notes in Computer Science, Vol. 2057. Springer, Berlin, 1--14. DOI:http://dx.doi.org/10.1007/3-540-45139-0_1 Google ScholarCross Ref
Xavier Rival and Laurent Mauborgne. 2007. The trace partitioning abstract domain. ACM Trans. Program. Lang. Syst. 29, 5, Article 26 (Aug. 2007), 51 pages. DOI:http://dx.doi.org/10.1145/1275497.1275501 Google ScholarDigital Library
Eva Rose. 2003. Lightweight bytecode verification. J. Autom. Reason. 31, 3--4 (2003), 303--334. DOI:http://dx.doi.org/10.1023/B:JARS.0000021015.15794.82 Google ScholarDigital Library
Sriram Sankaranarayanan and Franjo Ivančić. 2013. NECLA Static Analysis Benchmarks (necla-static-small) v1.1 Retrieved from http://www.nec-labs.com/research/system/systems_SAV-website/small_static_ bench-v1.1.tar.gz.Google Scholar
Sriram Sankaranarayanan, Franjo Ivančić, Ilya Shlyakhter, and Aarti Gupta. 2006. Static analysis in disjunctive numerical domains. In Static Analysis, Kwangkeun Yi (Ed.). Lecture Notes in Computer Science, Vol. 4134. Springer, Berlin, 3--17. DOI:http://dx.doi.org/10.1007/11823230_2 Google ScholarDigital Library
Paul B. Schneck. 1973. A survey of compiler optimization techniques. In Proceedings of the ACM Annual Conference (ACM’73). ACM, New York, NY, 106--113. DOI:http://dx.doi.org/10.1145/800192.805690 Google ScholarDigital Library
Ondrej Sery, Grigory Fedyukovich, and Natasha Sharygina. 2012. Interpolation-based function summaries in bounded model checking. In Hardware and Software: Verification and Testing, Kerstin Eder, João Lourenço, and Onn Shehory (Eds.). Lecture Notes in Computer Science, Vol. 7261. Springer, Berlin, 160--175. DOI:http://dx.doi.org/10.1007/978-3-642-34188-5_15 Google ScholarDigital Library
Rahul Sharma, Isil Dillig, Thomas Dillig, and Alex Aiken. 2011. Simplifying loop invariant generation using splitter predicates. In Computer Aided Verification, Ganesh Gopalakrishnan and Shaz Qadeer (Eds.). Lecture Notes in Computer Science, Vol. 6806. Springer, Berlin, 703--719. DOI:http://dx.doi.org/10.1007/978-3-642-22110-1_57 Google ScholarCross Ref
Bernhard Steffen. 1996. Property-oriented expansion. In Static Analysis, Radhia Cousot and David A. Schmidt (Eds.). Lecture Notes in Computer Science, Vol. 1145. Springer, Berlin, 22--41. DOI:http://dx.doi.org/10.1007/3-540-61739-6_31 Google ScholarCross Ref
Aditya Thakur and R. Govindarajan. 2008. Comprehensive path-sensitive data-flow analysis. In Proceedings of the 6th Annual IEEE/ACM International Symposium on Code Generation and Optimization (CGO’08). ACM, New York, NY, 55--63. DOI:http://dx.doi.org/10.1145/1356058.1356066 Google ScholarDigital Library
Raja Vallée-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 1999. Soot - A Java bytecode optimization framework. In Proceedings of the 1999 Conference of the Centre for Advanced Studies on Collaborative Research (CASCON’99). IBM Press, 13--23.Google ScholarDigital Library
Chao Wang, Zijiang Yang, Aarti Gupta, and Franjo Ivančić. 2007. Using counterexamples for improving the precision of reachability computation with polyhedra. In Computer Aided Verification, Werner Damm and Holger Hermanns (Eds.). Lecture Notes in Computer Science, Vol. 4590. Springer, Berlin, 352--365. DOI:http://dx.doi.org/10.1007/978-3-540-73368-3_40 Google ScholarCross Ref
Kirsten Winter, Chenyi Zhang, Ian J. Hayes, Nathan Keynes, Cristina Cifuentes, and Lian Li. 2013. Path-sensitive data flow analysis simplified. In Formal Methods and Software Engineering, Lindsay Groves and Jing Sun (Eds.). Lecture Notes in Computer Science, Vol. 8144. Springer, Berlin, 415--430. DOI:http://dx.doi.org/10.1007/978-3-642-41202-8_27 Google ScholarCross Ref
Daniel Wonisch, Alexander Schremmer, and Heike Wehrheim. 2013. Programs from Proofs -- A PCC alternative. In Computer Aided Verification, Natasha Sharygina and Helmut Veith (Eds.). Lecture Notes in Computer Science, Vol. 8044. Springer, Berlin, 912--927. DOI:http://dx.doi.org/10.1007/978-3-642-39799-8_65 Google ScholarCross Ref
Daniel Wonisch and Heike Wehrheim. 2012. Predicate analysis with block-abstraction memoization. In Formal Methods and Software Engineering, Toshiaki Aoki and Kenji Taguchi (Eds.). Lecture Notes in Computer Science, Vol. 7635. Springer, Berlin, 332--347. DOI:http://dx.doi.org/10.1007/978-3-642-34281-3_24 Google ScholarDigital Library
Xiang Yin, John C. Knight, Elisabeth A. Nguyen, and Westley Weimer. 2008. Formal verification by reverse synthesis. In Proceedings of the 27th International Conference on Computer Safety, Reliability, and Security (SAFECOMP’08), Michael D. Harrison and Mark-Alexander Sujan (Eds.). Lecture Notes in Computer Science, Vol. 5219. Springer, Berlin, 305--319. DOI:http://dx.doi.org/10.1007/978-3-540-87698-4_26 Google ScholarDigital Library
Xiang Yin, John C. Knight, and Westley Weimer. 2009. Exploiting refactoring in formal verification. In Proceedings of the 2009 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’09). IEEE Computer Society, 53--62. DOI:http://dx.doi.org/10.1109/DSN.2009.5270355 Google ScholarCross Ref
Sai Zhang and Jianjun Zhao. 2007. On identifying bug patterns in aspect-oriented programs. In Proceedings of the 31st Annual International Computer Software and Applications Conference, 2007 (COMPSAC’07)., Vol. 1. IEEE, 431--438. DOI:http://dx.doi.org/10.1109/COMPSAC.2007.159 Google ScholarDigital Library

Index Terms

Programs from Proofs: A Framework for the Safe Execution of Untrusted Software

Recommendations

Programs from proofs of predicated dataflow analyses
SAC '15: Proceedings of the 30th Annual ACM Symposium on Applied Computing

"Programs from Proofs" is a generic method which generates new programs out of correctness proofs of given programs. The technique ensures that the new and given program are behaviorally equivalent and that the new program is easily verifiable, thus ...
Read More
Code-carrying theory
SAC '08: Proceedings of the 2008 ACM symposium on Applied computing

Code-Carrying Theory (CCT) is an alternative to the Proof-Carrying Code (PCC) approach to secure delivery of code. With PCC, code is accompanied by assertions and a proof of correctness or of other required properties. The code consumer does not accept ...
Read More
An Abstract Interpretation-based Approach to Mobile Code Safety

Recent approaches to mobile code safety, like proof-carrying code, involve associating safety information to programs. The code supplier provides a program and also includes with it a certificate (or proof) whose validity entails compliance with a ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Programming Languages and Systems Volume 39, Issue 2
June 2017
194 pages
ISSN:0164-0925
EISSN:1558-4593
DOI:10.1145/3062396
Editor:
Andrew Myers
Cornell University, USA
Issue’s Table of Contents
Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 10 March 2017
- Accepted: 1 November 2016
- Revised: 1 June 2016
- Received: 1 October 2015
Published in toplas Volume 39, Issue 2

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Abstract interpretation
program certification
program extraction
program transformation
programs from proofs
proof-carrying code
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 5
  Total Citations
  View Citations
- 391
  Total Downloads
- Downloads (Last 12 months)44
- Downloads (Last 6 weeks)7
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Programs from Proofs: A Framework for the Safe Execution of Untrusted Software

ACM Transactions on Programming Languages and Systems

Abstract

References

Cited By

Index Terms

Recommendations

Programs from proofs of predicated dataflow analyses

Code-carrying theory

An Abstract Interpretation-based Approach to Mobile Code Safety