Extensible Code Verification

Popular language-based security mechanisms for software systems are based on verifiers that enforce a fixed and trusted type system. We live in a multi-lingual world and no system is written entirely in a single strongly-typed language. Rather than seek the absolute most general type system, we propose a sound framework for customizing the mechanism (e.g., a type system or an explicit safety proof) used to enforce a particular safety policy, enabling a producer of untrusted code to choose the most appropriate verification mechanism. In this framework, called the Open Verifier, code producers can provide untrusted verifiers for checking, for example, the well-typedness of the code. This gives a code producer the maximum of flexibility of the code generation schemes and the type system used. To ensure soundness, the untrusted verifier runs under the supervision of a trusted module that queries it about the safety of individual instructions. Each answer must be accompanied by a proof that allows the trusted module to check the correctness of the answer. We demonstrate this framework in the context of two untrusted cooperating verifiers. One handles code that is compiled from Cool, a strongly-typed, objectoriented language (roughly, a subset of Java). The other one is used for runtime support functions written in C. Furthermore, we demonstrate that through careful layering of the proof-generation effort, the cost of building such an untrusted verifier above constructing a conventional, trusted verifier is manageable.