A Dependently Typed Programming Language, with applications to Foundational Certified Code Systems

Certified code systems enable trust to be generated in untrusted pieces of code. This is done by requiring that a machine–verifiable certificate be packaged with code, which can then be proved safe independently. Safety is defined with respect to a defined safety policy. Recent work has focused on “foundational certified code systems”, which define the safety policy as execution on a concrete machine architecture. This makes the safety guarantees of the system more concrete relative to previous systems. There are two advantages. One, we gain in flexibility since the proof producers can use different assumptions and techniques. Two, the parts of the system that must be trusted become substantially simpler. This work describes our design of a practical foundational certified code system. Foundational systems have new proof obligations, for which we need different proof techniques and verification environments. In common with other such systems, we use an intermediate formal system such as a type system to isolate a group of programs. There are then two proof obligations. A program– specific proof verifies that the program belongs to the group so defined. This is the type checking problem. A generic safety proof says that all programs belonging to the group is safe to execute on the concrete machine. For a type system this is the type safety property. Our first main contribution is a functional language, which we call LF/ML. Programs written in this language can be statically proved to be partially correct with respect to their specification. This requires us to program with formal representations. LF/ML, is designed to program with representations in the logical framework LF. Partial correctness of programs in LF/ML can be statically verified with respect to specifications in LF. Our second contribution is a mechanized proof of the safety of a low-level type system, TALT, with respect to the concrete IA-32 architecture. This proof leverages the Twelf metalogical reasoning framework to prove safety. This allows us to have a complete foundational certified code system.