Towards Compiler-Independent Certifying Compilation
Authors
Abstract
Certifying compilation allows a compiler to produce annotations which prove that target code abides by a specified safety policy. An independent verifier can check the code without needing to trust the compiler. For such a system to be generally useful, the safety policy should be expressive enough to allow different compilers to effectively produce certifiable code. In this work, we use our experience in writing a certifying compiler to suggest general design principles which should allow concise yet expressive certificates. As an extended example, we present our compiler's translation of the control flow of Popcorn, a high-level language with function pointers and exception handlers, to TALx86, a typed assembly language with registers, a stack, memory, and code blocks. This example motivates techniques for controlling certificate size and verification time. We quantify the effectiveness of techniques for reducing the overhead of certifying compilation by measuring the effects their use has on a real Popcorn application, the compiler itself. The selective use of these techniques can change certificate size and verification time by well over an order of magnitude.

1 Background

A certifying compiler takes high-level source code and produces target code with a certificate which ensures that the target code respects a desired safety or security policy. To date, certifying compilers have primarily concentrated on producing certificates of type safety. For example, Sun's javac compiler maps Java source code to statically typed Java Virtual Machine Language (JVML) code. The JVML code includes typing annotations that a dataflow analysis-based verifier can use to ensure that the code is type safe. However, both the instructions and the type system of JVML are relatively high-level and are specifically tailored to Java. Consequently, JVML is ill-suited for compiling a variety of source-level programming languages to high-performance code.
For example, JVML provides only high-level method-call and method-return operations and makes no provision for general tail calls on methods. Therefore, JVML cannot be used as a target for certifying compilers of functional programming languages such as Scheme that require tail-call elimination. In addition, current platforms for JVML either interpret programs or compile them further to native code; achieving acceptable performance seems to demand compilation with a good deal of optimization. To avoid security or safety holes, the translation from JVML to native code should also be certifying, so that we may easily verify the safety of the resulting code. Another example of a certifying …
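To make the scheme in the abstract concrete (a certificate consisting of per-block register typings, checked by a verifier that trusts neither the source nor the compiler), here is a toy typed-assembly verifier in Python. It is an added illustration, not the paper's TALx86 checker or its Popcorn compiler: the instruction set, the type grammar, the register names and the sample program are all invented for this example. Annotations exist only at block labels; the verifier reconstructs register types instruction by instruction inside a block, and an indirect jump through a register holding a code pointer plays the role of the function-pointer and tail-call control flow that the background section says JVML cannot express.

```python
"""Toy typed-assembly verifier, added to illustrate the certifying-compilation scheme
above. Instruction set, types, registers and sample program are invented here; this is
not the paper's TALx86 verifier or its Popcorn compiler."""
from typing import Dict, List, Union

Int = "int"  # types: "int" | ("ptr", (field types...)) | ("code", {reg: type})


class VerifyError(Exception):
    pass


def entails(have: dict, need: dict) -> bool:
    """`have` may enter a block requiring `need` if every required register is
    present with exactly the required type (no subtyping in this toy)."""
    return all(r in have and have[r] == t for r, t in need.items())


def require(env, reg, want, where):
    if reg not in env:
        raise VerifyError(f"{where}: register {reg} has no known type")
    if want is not None and env[reg] != want:
        raise VerifyError(f"{where}: {reg} : {env[reg]}, expected {want}")
    return env[reg]


def check_jump(env, cert, label, where):
    if label not in cert or not entails(env, cert[label]):
        raise VerifyError(f"{where}: {env} does not entail pre({label}) = {cert.get(label)}")


def check_block(label, instrs, cert) -> int:
    """Abstractly interpret one block from its certified precondition; return the
    number of instructions checked or raise VerifyError."""
    env = dict(cert[label])
    for pc, ins in enumerate(instrs):
        op, *a = ins
        where = f"{label}+{pc} {ins}"
        if op == "movi":                      # movi rd, imm      rd : int
            env[a[0]] = Int
        elif op == "movl":                    # movl rd, L        rd : code(pre(L))
            if a[1] not in cert:
                raise VerifyError(f"{where}: unknown label {a[1]}")
            env[a[0]] = ("code", cert[a[1]])
        elif op == "mov":                     # mov rd, rs
            env[a[0]] = require(env, a[1], None, where)
        elif op in ("add", "sub"):            # add rd, rs1, rs2  ints only
            require(env, a[1], Int, where)
            require(env, a[2], Int, where)
            env[a[0]] = Int
        elif op == "load":                    # load rd, rs, i    rd : field i of *rs
            t = require(env, a[1], None, where)
            if not (isinstance(t, tuple) and t[0] == "ptr" and 0 <= a[2] < len(t[1])):
                raise VerifyError(f"{where}: unsafe load through {a[1]} : {t}")
            env[a[0]] = t[1][a[2]]
        elif op == "jnz":                     # jnz rs, L         branch if rs != 0
            require(env, a[0], Int, where)
            check_jump(env, cert, a[1], where)
        elif op in ("jmp", "halt"):           # block terminators
            if pc != len(instrs) - 1:
                raise VerifyError(f"{where}: unreachable code after {op}")
            if op == "jmp" and a[0] in cert:  # jmp L
                check_jump(env, cert, a[0], where)
            elif op == "jmp":                 # jmp rs: indirect jump via a code pointer
                t = require(env, a[0], None, where)
                if not (isinstance(t, tuple) and t[0] == "code" and entails(env, t[1])):
                    raise VerifyError(f"{where}: unsafe indirect jump through {a[0]} : {t}")
            return pc + 1
        else:
            raise VerifyError(f"{where}: unknown instruction {op}")
    raise VerifyError(f"{label}: block falls off its end without jmp/halt")


def verify(program, cert) -> int:
    """Check every block from the certificate alone: no source, no trusted compiler."""
    if set(program) != set(cert):
        raise VerifyError("certificate must annotate exactly the program's labels")
    return sum(check_block(lbl, ins, cert) for lbl, ins in program.items())


def verifies(program, cert) -> bool:
    try:
        return verify(program, cert) > 0
    except VerifyError:
        return False


# Constructed sample: main calls sum(10) with the return continuation in r9; sum
# loops, leaves its result in r1 and tail-jumps through r9 (no stack needed).
RET = ("code", {"r1": Int})
PROGRAM = {
    "main": [("movl", "r9", "exit"), ("movi", "r1", 10), ("jmp", "sum")],
    "sum":  [("movi", "r2", 0), ("jmp", "loop")],
    "loop": [("jnz", "r1", "body"), ("mov", "r1", "r2"), ("jmp", "r9")],
    "body": [("movi", "r3", 1), ("sub", "r1", "r1", "r3"), ("add", "r2", "r2", "r1"),
             ("jmp", "loop")],
    "exit": [("halt",)],
}
CERT = {  # the certificate: one register typing per label, nothing per instruction
    "main": {}, "exit": {"r1": Int},
    "sum": {"r1": Int, "r9": RET},
    "loop": {"r1": Int, "r2": Int, "r9": RET},
    "body": {"r1": Int, "r2": Int, "r9": RET},
}
# Tampered code: a load through an integer register, which the verifier must reject.
TAMPERED = dict(PROGRAM, loop=[("jnz", "r1", "body"), ("load", "r1", "r2", 0), ("jmp", "r9")])
```

`verify(PROGRAM, CERT)` checks 13 instructions from 5 label annotations, `verifies(TAMPERED, CERT)` is false because the load dereferences an integer, and a certificate that drops `r9` from the `loop` precondition is rejected at the branch into `body`, whose precondition then cannot be met. Because the certificate records only block-entry typings, its size scales with the number of labels rather than instructions, while each instruction still costs verification work: that is the certificate-size versus verification-time trade-off the abstract reports measuring for TALx86.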
Similar sources
A Certifying Code Generation Phase
Guaranteeing correctness of compilation is a vital precondition for correct software. Code generation can be one of the most error-prone tasks in a compiler. One way to achieve trusted compilation is certifying compilation. A certifying compiler generates for each run a proof that it has performed the compilation run correctly. The proof is checked in a separate theorem prover. If the theorem p...
On Certifying Code Generation
Guaranteeing correctness of compilation is a major precondition for correct software. Code generation can be one of the most error-prone tasks in a compiler. One way to achieve trusted compilation is certifying compilation. A certifying compiler generates for each run a proof that it has performed the compilation run correctly. The proof is checked in a separate theorem prover. If the theorem pr...
Certifying Compilation and Run-Time Code Generation
A certifying compiler takes a source language program and produces object code as well as a certificate that can be used to verify that the object code satisfies desirable properties such as type safety and memory safety. Certifying compilation helps to increase both compiler robustness and program safety. Compiler robustness is improved since some compiler errors can be caught by checking the obj...
TWAM: A Certifying Abstract Machine for Logic Programs
Type-preserving (or typed) compilation uses typing derivations to certify correctness properties of compilation. We have designed and implemented a type-preserving compiler for a simply-typed dialect of Prolog we call T-Prolog. The crux of our approach is a new certifying abstract machine which we call the Typed Warren Abstract Machine (TWAM). The TWAM has a dependent type system strong enough to...
Scalable Certification for Typed Assembly Language
A type-based certifying compiler maps source code to machine code and target-level type annotations. The target-level annotations make it possible to prove easily that the machine code is type-safe, independent of the source code or compiler. To be useful across a range of source languages and compilers, the target-language type system should provide powerful type constructors for encoding high...
Journal title:
Volume / Issue:
Pages: -
Publication date: 1999