Team Lande

Overall Objectives
Scientific Foundations
New Results
Contracts and Grants with Industry

Section: New Results

Keywords : abstract interpretation, result certification, Proof-Carrying Code, proof-assistant.

Static analysis and Proof Carrying Code

Participants : Frédéric Besson, Thomas Jensen, David Pichardie, Tiphaine Turpin.

Proof-Carrying Code (PCC) is a technique for downloading mobile code on a host machine while ensuring that the code adheres to the host's safety policy. In the past, we have demonstrated how to use certified abstract interpretations (see Section  3.1.3 ) as the foundation for PCC architectures. For the approach to be practical, a number of issues have to tackled:

Abstract interpretation-based proof carrying code uses post-fixpoints of abstract interpretations to witness that a program respects a safety policy. Some witnesses carry more information than needed and are therefore unnecessarily large and costly to verify  [35] . As a case study, we propose an enhanced lightweight Java bytecode verifier able to check interface types with negligible extra cost  [18] . The standard way of checking interfaces is to encode the type of an interface by a conjunction of types. We present a fixpoint pruning algorithm able to remove conjunction types while preserving typability thus allowing to reuse the standard verification algorithm.

The goal of the european Mobius project is to develop a PCC architecture to secure global computers that consist of Java-enabled mobile devices. In  [16] , we have presented the consumer side of the Mobius PCC infrastructure, for which we have developed formally certified, executable checkers. We consider wholesale Proof Carrying Code scenarios, in which a trusted authority verifies the certificate before cryptographically signing the application. We also discuss retail Proof Carrying Code, where the verification is performed on the consumer device.

PCC rely on hybrid methods that combine static analyses and verification condition generation. While preliminary verification operate on source programs, it is often preferable to achieve guarantees about executable code. We have showed  [17] that, for a hybrid verification method based on numerical static analysis and verification condition generation, compilation preserves proof obligations and therefore it is possible to transfer evidence from source to compiled programs. Our result relies on the preservation of the solutions of analysis by compilation; this is achieved by relying on a bytecode analysis that performs symbolic execution of stack expressions in order to overcome the loss of precision incurred by performing static analyses on compiled (rather than source) code. Finally, we show that hybrid verification methods are sound by proving that every program provable by hybrid methods is also provable (at a higher cost) by standard methods.


Logo Inria