Abstract
This paper proposes a new proof-based approach to safe evolution of distributed software systems. Specifically, it extends the simple certification mechanism of proof-carrying code (PCC) to make it interactive and probabilistic, thereby devising interactive proof-carrying code (iPCC). With iPCC, a code consumer is convinced, with overwhelming probability, of the existence and validity of a safety proof of a transmitted code through interaction with a code producer. The iPCC mechanism theoretically solves the problem of proof explosion with PCC and can be used to efficiently prove a greater variety of safety properties that may require longer proofs. Technically, the class (PSPACE) of safety properties that are efficiently provable by iPCC is larger than the class (NP) efficiently provable by PCC. To illustrate the power of iPCC, this paper demonstrates that the verification of certain basic safety properties of typical machine instruction codes needs co-NP-complete computation, and shows how these safety properties can be efficiently verified by the iPCC mechanism.
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.References
Appel, A.W. 2001. Foundational proof-carrying code. In Proceedings of the 16th Annual Symposium on Logic in Computer Science, IEEE Computer Society, pp. 247–256.
Appel, A.W. and Felty, A.P. 2000. A semantic model of types and machine instruction for proof-carrying code. In Proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press, pp. 243–253.
Bellare, M. and Goldreich, O. 1993. On defining proofs of knowledge. In Advances in Cryptology—Crypto’92, Vol. 740 of Lecture Notes in Computer Science, Springer-Verlag, pp. 390–420.
Ben-Or, M., Goldreich, O., Goldwasser, S., Håstad, S., Kilian, J., Micali, S., and Rogaway, P. 1990. Everything provable is provable in zero-knowledge. In Advances in Cryptology—Crypto’88, Vol. 403 of Lecture Notes in Computer Science, Springer-Verlag, pp. 37–56.
Ben-Or, M., Goldwasser, S., Kilian, J., and Wigderson, A. 1988. Multi-prover interactive proofs: How to remove intractability. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing, ACM Press, pp. 113–131.
Bernard, A. and Lee, P. 2002. Temporal logic for proof-carrying code. In Proceedings of the 18th International Conference on Automated Deduction, Vol. 2392 of Lecture Notes in Computer Science, Springer-Verlag, pp. 31–46.
Bershad, B.N., Savage, S., Pardyak, P., Sirer, E.G., Fiuczynski, M.E., Becker, D., Chambers, C., and Eggers, S.J. 1995. Extensibility, safety and performance in the SPIN operating system. In Proceedings of the 15th ACM Symposium on Operating System Principles, ACM Press, pp. 267–284.
Blum, M., Feldman, P., and Micali, S. 1988. Non-interactive zero-knowledge and its applications. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing, ACM Press, pp. 103–112.
Boppana, R., Hastad, J., and Zachos, S. 1987. Does co-NP have short interactive proofs? Information Processing Letters, 25:127–132.
Brassard, G., Chaum, D., and Crépeau, C. 1988. Minimum disclosure proofs of knowledge. Journal of Computer and System Science, 37(2):156–189.
Clarke, Jr., E.M., Grumberg, O., and Peled, D.A. 1999. Model Checking. Cambridge, Massachusetts: The MIT Press.
Colby, C., Lee, P., Necula, G.C., Blau, F., Plesko, M., and Cline, K. 2000. A certifying compiler for Java. In Proceedings of the 2000 ACM SIGPLAN Conference on Programming Language Design and Implementation, ACM Press, pp. 95–107.
Collberg, C. and Thomborson, C. 1999. Software watermarking: Models and dynamic embeddings. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press, pp. 311–324.
de Santis, A., Micali, S., and Persiano, G. 1988. Non-interactive zero-knowledge proof systems. In Advances in Cryptology—Crypto’87, Vol. 293 of Lecture Notes in Computer Science, Springer-Verlag, pp. 52–72.
Emerson, E.A. 1990. Temporal and modal logic. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, Volume B, Formal Models and Semantics, The MIT Press and Elsevier, pp. 995–1072.
Feige, U., Lapidot, D., and Shamir, A. 1990. Multiple non-interactive zero-knowledge proofs based on a single random string. In Proceedings of the 31th IEEE Symposium on Foundations of Computer Science, pp. 308–317.
Fiat, A. and Shamir, A. 1987. How to prove yourself: Practical solution to identification and signature problems. In Advances in Cryptology—Crypto’86, Vol. 263 of Lecture Notes in Computer Science, Springer-Verlag, pp. 186–189.
Flanagan, C. and Saxe, J.B. 2001. Avoiding exponential explosion: Generating compact verification conditions. In Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press, pp. 193–205.
Floyd, R.W. 1967. Assigning meanings to programs. In J.T. Schwartz, editor, Mathematical Aspects of Computer Science, Vol. 19 of Symposia in Applied Mathematics, American Mathematical Society, pp. 19–32.
Fortnow, L., Rompel, J., and Sipser, M. 1988. On the power of multi-prover interactive protocols. In Proceedings of the 3rd IEEE Symposium on Structure in Complexity Theory, pp. 156–161.
Garey, M.R. and Johnson, D.S. 1979. Computers and Intractability: A Guide to the Theory of NP-Completeness. San Francisco, California: W.H. Freeman.
Goldreich, O. 1999. Modern Cryptography, Probabilistic Proofs and Pseudorandomness. No. 17 in Algorithms and Combinatorics. Berlin: Springer-Verlag.
Goldreich, O. and Krawczyk, H. 1990. On the composition of zero-knowledge proof systems. In Proceedings of the 17th International Colloquium on Automata, Languages, and Programming, Vol. 443 of Lecture Notes in Computer Science, Springer-Verlag, pp. 268–282.
Goldwasser, S., Micali, S., and Rackoff, C. 1989. The knowledge complexity of interactive proof systems. SIAM Journal of Computing, 18(1):186–208.
Haldar, V., Stork, C.H., and Franz, M. 2002. The source is the proof. In Proceedings of the 2002 Workshop on New Security Paradigms, ACM Press, pp. 69–73.
Henzinger, T.A., Jhala, R., Majumdar, R., Necula, G.C., Sutre, G., and Weimer, W. 2002. Temporal-safety proofs for systems code. In Proceedings of the 14th International Conference on Computer Aided Verification, Vol. 2404 of Lecture Notes in Computer Science, Springer-Verlag, pp. 526–538.
Impagliazzo, R. and Yung, M. 1988. Direct minimum-knowledge computations. In Advances in Cryptology—Crypto’87, Vol. 293 of Lecture Notes in Computer Science, Springer-Verlag, pp. 40–51.
Lindholm, T. and Yellin, F. 1999. The Java Virtual Machine Specification, Second Edition. Reading, Massachusetts: Addison-Wesley.
Lund, C., Fortnow, L., Karloff, H., and Nisan, N. 1992. Algebraic method for interactive proof systems. Journal of the ACM, 39(4):859–868.
Manna, Z. and Pnueli, A. 1992. The Temporal Logic of Reactive and Concurrent Systems. Berlin: Springer-Verlag.
McGraw, G. and Morrisett, G. 2000. Attacking malicious code: A report to the Infosec Research Council. IEEE Software, 17(5):33–41.
Micali, S. 1998. Computationally-sound proofs. In J.A. Makowsky and E.V. Ravve, editors, Logic Colloquium ‘95, Vol. 11 of Lecture Notes in Logic, Springer-Verlag, pp. 214–268.
Milner, R., Tofte, M., and Harper, R. 1990. The Definition of Standard ML. Cambridge, Massachusetts: The MIT Press.
Mori, R. and Kawahara, M. 1990. Superdistribution: The concept and the architecture. The Transactions of the Institute of Electronics, Information and Communication Engineers, E73(7):1133–1146.
Morrisett, G., Walker, D., Crary, K., and Glew, N. 1999. From System F to typed assembly language. ACM Transactions on Programming Languages and Systems, 21(3):528–569.
Namjoshi, K.S. 2001. Certifying model checkers. In Proceedings of the 13th International Conference on Computer Aided Verification, Vol. 2102 of Lecture Notes in Computer Science, Springer-Verlag, pp. 2–13.
Necula, G.C. 1997. Proof-carrying code. In Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press, pp. 106–119.
Necula, G.C. 2001. A scalable architecture for proof-carrying code. In H. Kuchen and K. Ueda, editors, Proceedings of the Fifth International Symposium on Functional and Logic Programming, Vol. 2024 of Lecture Notes in Computer Science, Springer-Verlag, pp. 21–39.
Necula, G.C. and Lee, P. 1996. Safe kernel extensions without run-time checking. In Proceedings of the Second Symposium on Operating Systems Design and Implementation, pp. 229–243.
Necula, G.C. and Lee, P. 1998a. The Design and implementation of a certifying compiler. In Proceedings of the 1998 ACM SIGPLAN Conference on Programming Language Design and Implementation, ACM Press, pp. 333–344.
Necula, G.C. and Lee, P. 1998b. Efficient representation and validation of proofs. In Proceedings of the 13th Annual Symposium on Logic in Computer Science, pp. 93–104.
Necula, G.C. and Rahul, S.P. 2001. Oracle-based checking of untrusted software. In Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM Press, pp. 142–154.
Ohori, A. 1999. A Curry-Howard isomorphism for compilation and program execution. In Proceedings of the Fourth International Conference on Typed Lambda Calculi and Applications, Vol. 1581 of Lecture Notes in Computer Science, Springer-Verlag, pp. 258–279.
Sekar, R., Ramakrishnan, C.R., Ramakrishnan, I.V., and Smolka, S.A. 2001. Model-carrying code (MCC): A new paradigm for mobile-code security. In Proceedings of the 2001 Workshop on New Security Paradigms, ACM Press, pp. 23–30.
Shamir, A. 1992. IP = PSPACE. Journal of the ACM, 39(4):869–877.
Shen, A. 1992. IP = PSPACE: Simplified proof. Journal of the ACM, 39(4):878–880.
Sites, R.L. 1992. Alpha Architecture Reference Manual. Digital Press.
Tarditi, D., Morrisett, G., Cheng, P., Stone, C., Harper, R., and Lee, P. 1996. TIL: A type-directed optimizing compiler for ML. In Proceedings of the 1996 ACM SIGPLAN Conference on Programming Language Design and Implementation, ACM Press, pp. 181–192.
Tennenhouse, D.L., Smith, J.M., Sincoskie, W.D., Wetherall, D.J., and Minden, G.J. 1997. A survey of active network research. IEEE Communications Magazine, 35(1):80–86.
Tennenhouse, D.L. and Wetherall, D.J. 1996. Towards an active network architecture. Computer Communication Review, 26(2):5–18.
Tsukada, Y. 2001a. Mobile codes with interactive proofs: An approach to provably safe evolution of distributed software systems. In T. Katayama, T. Tamai, and N. Yonezaki, editors, 2000 International Symposium on Principles of Software Evolution (ISPSE 2000), IEEE Computer Society Press, pp. 23–27.
Tsukada, Y. 2001b. Interactive and probabilistic proof of mobile code safety. In Proceedings of the International Conference on Advances in Infrastructure for Electronic Business, Science, and Education on the Internet (SSGRR 2001), L’Aquila, Italy, Scuola Superiore Guglielmo Reiss Romoli.
Wahbe, R., Lucco, S., Anderson, T.E., and Graham, S.L. 1993. Efficient software-based fault isolation. In Proceedings of the 14th ACM Symposium on Operating System Principles, ACM Press, pp. 203–216.
Xia, S. and Hook, J. 2003a. An implementation of abstraction-carrying code. In Proceedings of the Workshop on Foundations of Computer Security, pp. 103–116.
Xia, S. and Hook, J. 2003b. Abstraction-carrying code: A new method to certify temporal properties. In Formal Techniques for Java-like Programs 2003 (Proceedings), Technical Report, No. 408, ETH Zurich.
Author information
Authors and Affiliations
Corresponding author
Additional information
This is an extended and revised version of Tsukada (2001a), which appeared in the Proceedings of the 2000 International Symposium on Principles of Software Evolution. A preliminary version was also presented at the International Conference on Advances in Infrastructure for Electronic Business, Science, and Education on the Internet (Tsukada, 2001b).
Rights and permissions
About this article
Cite this article
Tsukada, Y. Interactive and Probabilistic Proof of Mobile Code Safety. Autom Software Eng 12, 237–257 (2005). https://doi.org/10.1007/s10515-005-6207-9
Issue Date:
DOI: https://doi.org/10.1007/s10515-005-6207-9