Lectures on Proof-Carrying Code
Peter Lee   CMU

Observations
  Many failures are due to simple problems "in the details"

  Code reuse is necessary but perilous

  Updateable/mobile code is essential

  Performance matters a lot

Opportunities
  Progress depends fundamentally on our ability to reason
  about programs

Proof-carrying code, an example of certified code
  The code safety problem

  Approach 1: Trust the code producer. Problem: the trust is not
	      based on program properties but on personal
	      authority (who vouches for the code). And it does
	      not scale.

  Approach 2: Baby-sit the program (through an 'execution
	      monitor')
	      - Software Fault Isolation (Wahbe, Lucco)
	      - Inline reference monitors (Schneider)
	      Problem: expensive (every check is paid at run time)

  Approach 3: Java (through interpreter/JIT plus bytecode verifier)
	      Problem: the interpreter is expensive and/or big;
	      the verifier is limited in expressive power.

  Approach 4: Formal verification (through a theorem prover)
	      Problem: really, really hard, and the prover itself
	      must be correct (it is in the trusted base). Split it:
		-- certifying prover (generates a proof)
		-- proof checker (checks the proof)

  Approach 5: PCC: the producer runs the certifying prover and
	      ships the proof with the code; the consumer only
	      runs the checker (Necula & Lee, OSDI 96)

FAQ:
  1. How are the proofs represented and checked?
     Formal proofs:
       write "x is a proof of predicate P" as:
	  x:P
     Example inference rule:
       ...
     Oracle strings: the proof is represented as a binary string
       (an 'oracle') that resolves the checker's choices, so the
       checker reconstructs the proof instead of parsing it

  2. How well does this work in practice?
     ...
     In research experiments:
       checker: simple, small and fast (< 52KB)
       proof: 0-10% of program size
       prover: no longer needs to be trusted
       much faster than Java (bytecode verifier) and JIT

  3. Aren't the properties we're trying to prove undecidable?
     How on earth can we generate the proof?
       certifying compiler
       the compiler knows what it is doing, so it can generate a
       proof that safety is preserved (Necula, Lee, PLDI 98)

  4. Just what, exactly, are we proving? What are the limits?
     Isn't static checking inherently less powerful than dynamic
     checking?
       S: machine state
       Step: transition function (one instruction)
       SP: (safety) proof
       Safe(S): predicate on states (the safety policy)
       PCC: proof-carrying code
       RI: Reference Interpreter (executes only safe instructions,
           i.e. checks Safe before every Step)
       The proof shows Safe holds in every state the program
       reaches via Step, so the code runs on the real machine
       exactly as it would on the RI; nothing is lost by checking
       statically.

  5. Even if the proof is valid, how do we know that it is a safety
     proof of the executed program?
       The logic guarantees it: the VC is generated from the code
       actually being loaded, and the proof is checked against
       that VC, so a proof for different code fails the check.

Architecture
  Code   -> Verification Condition Generator -> VC
  Proof  -> Proof Checker (checks the proof against the VC)

VCgen
  In the program, the safety-relevant operation (e.g. the memory
  access) should be separated from the safety check that guards it.
  Separate use from check: the check is an ordinary instruction,
  the proof obligation is attached to the use.
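The pipeline above, as an added toy example (not code from the lecture or from Necula & Lee's system): a reference interpreter that checks every memory access dynamically, a VCgen that symbolically executes the same toy instruction set and attaches proof obligations to each load/store, an untrusted prover that finds certificates, and a small trusted checker that validates them. The instruction set, the register convention (r_len holds the memory length on entry), the affine-form encoding and the Farkas-style certificate format are all assumptions made for this illustration.

```python
"""Toy PCC pipeline, added for illustration (not Necula & Lee's code)."""
from itertools import product

# Affine forms over symbolic values: {"i": 1, "1": -3} stands for i - 3.
def aff(const=0, **syms):
    a = {k: v for k, v in syms.items() if v}
    if const:
        a["1"] = const
    return a

def add(a, b):
    out = dict(a)
    for k, v in b.items():
        out[k] = out.get(k, 0) + v
    return {k: v for k, v in out.items() if v}

def scale(a, k):
    return {x: v * k for x, v in a.items() if v * k}

class SafetyViolation(Exception):
    pass

# Assumed toy instruction set (tuples). Register r_len holds len(mem) on entry.
# Safety policy: every load/store address a satisfies 0 <= a < len(mem).
#   ("addi", rd, rs, imm)   rd = rs + imm
#   ("retif_lt", ra, rb)    return if ra < rb   (rb: register name or int literal)
#   ("retif_ge", ra, rb)    return if ra >= rb
#   ("load", rd, ra)        rd = mem[ra]
#   ("store", ra, rs)       mem[ra] = rs

def ref_interp(prog, regs, mem):
    """Reference interpreter (RI): executes only safe instructions, checking at run time."""
    regs = dict(regs)
    val = lambda x: x if isinstance(x, int) else regs[x]
    for ins in prog:
        op = ins[0]
        if op == "addi":
            regs[ins[1]] = regs[ins[2]] + ins[3]
        elif op == "retif_lt" and val(ins[1]) < val(ins[2]):
            return regs
        elif op == "retif_ge" and val(ins[1]) >= val(ins[2]):
            return regs
        elif op in ("load", "store"):
            a = regs[ins[2] if op == "load" else ins[1]]
            if not 0 <= a < len(mem):
                raise SafetyViolation(f"{op} at address {a}, len {len(mem)}")
            if op == "load":
                regs[ins[1]] = mem[a]
            else:
                mem[a] = regs[ins[2]]
    return regs

def vcgen(prog, sym_regs):
    """VC generator: symbolic execution of the fall-through path. Returns a list of
    (obligation, assumptions): each assumption is an affine form known to be >= 0
    (collected from the guards); the obligation must also be >= 0."""
    regs, hyps, obls, fresh = dict(sym_regs), [], [], [0]
    val = lambda x: aff(x) if isinstance(x, int) else regs[x]
    for ins in prog:
        op = ins[0]
        if op == "addi":
            regs[ins[1]] = add(regs[ins[2]], aff(ins[3]))
        elif op == "retif_lt":      # continuing past the guard means ra - rb >= 0
            hyps = hyps + [add(val(ins[1]), scale(val(ins[2]), -1))]
        elif op == "retif_ge":      # continuing means ra < rb, i.e. rb - ra - 1 >= 0
            hyps = hyps + [add(add(val(ins[2]), scale(val(ins[1]), -1)), aff(-1))]
        elif op in ("load", "store"):
            a = regs[ins[2] if op == "load" else ins[1]]
            obls.append((a, hyps))                                           # a >= 0
            obls.append((add(add(aff(len=1), scale(a, -1)), aff(-1)), hyps))  # len-a-1 >= 0
            if op == "load":        # loaded value is unknown: a fresh symbol
                fresh[0] += 1
                regs[ins[1]] = aff(**{f"m{fresh[0]}": 1})
    return obls

def check(obligation, hyps, mults):
    """Trusted checker. Certificate = non-negative integer multipliers, one per
    assumption: obligation - sum(m_k * hyp_k) must reduce to a constant >= 0.
    Since every hyp_k >= 0 and m_k >= 0, the obligation is then >= 0."""
    if len(mults) != len(hyps) or any(m < 0 for m in mults):
        return False
    residual = obligation
    for m, h in zip(mults, hyps):
        residual = add(residual, scale(h, -m))
    return set(residual) <= {"1"} and residual.get("1", 0) >= 0

def prove(obligations, max_mult=2):
    """Untrusted prover: brute-force search for certificates; None if one is missing."""
    proof = []
    for obl, hyps in obligations:
        for mults in product(range(max_mult + 1), repeat=len(hyps)):
            if check(obl, hyps, list(mults)):
                proof.append(list(mults))
                break
        else:
            return None
    return proof

def pcc_accept(prog, sym_regs, proof):
    """Code consumer: regenerate the VC from the code and check the shipped proof."""
    obls = vcgen(prog, sym_regs)
    return (proof is not None and len(proof) == len(obls)
            and all(check(o, h, m) for (o, h), m in zip(obls, proof)))

# Constructed sample programs computing mem[r1] += 1. The bounds guards are
# ordinary instructions (the "use"); the obligations at load/store are the "check".
PRE = {"r1": aff(i=1), "r_len": aff(len=1)}        # symbolic precondition
SAFE = [("retif_lt", "r1", 0), ("retif_ge", "r1", "r_len"),
        ("load", "r0", "r1"), ("addi", "r0", "r0", 1), ("store", "r1", "r0")]
UNSAFE = SAFE[:1] + SAFE[2:]                        # upper-bound guard dropped

if __name__ == "__main__":
    proof = prove(vcgen(SAFE, PRE))
    print("SAFE accepted:", pcc_accept(SAFE, PRE, proof), proof)
    print("UNSAFE accepted:", pcc_accept(UNSAFE, PRE, prove(vcgen(UNSAFE, PRE))))
    try:
        ref_interp(UNSAFE, {"r1": 5, "r_len": 3}, [0, 0, 0])
    except SafetyViolation as e:
        print("RI caught:", e)
```

The consumer side (vcgen, check, pcc_accept) never runs the prover; it only regenerates the VC from the code it actually received, which is why a proof shipped with different code fails. For UNSAFE the prover finds no certificate for the upper bound, and the RI catches the same bug only at run time, on an input that triggers it.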
