Type-preserving Compilation for Verification of Security Enforcement
Juan Chen, Ravi Chugh, and Nikhil Swamy
PLDI 2010
[ paper ]
A number of programming languages use rich type systems to verify
security properties of code. Some of these languages are meant for
source programming, but programs written in these languages are
compiled without explicit security proofs, limiting their utility in
settings where proofs are necessary, e.g., proof-carrying
authorization. Others languages do include explicit proofs, but these
are generally lambda calculi not intended for source programming, that
must be further compiled to an executable form. A language suitable
for source programming backed by a compiler that enables end-to-end
verification is missing.
In this paper, we present a type-preserving compiler that translates
programs written in Fine, a source-level functional language with
dependent refinements and affine types, to DCIL, a new extension of
the .NET Common Intermediate Language. Fine is type checked using
an external SMT solver to reduce the proof burden on source
programmers. We extract explicit LCF-style proof terms from the solver
and carry these proof terms in the compilation to DCIL, thereby
removing the solver from the trusted computing base. Explicit proofs
enable DCIL to be used in a number of important scenarios,
including the verification of mobile code, proof-carrying
authorization, and evidence-based auditing. We report on our
experience using Fine to build reference monitors for several
applications, ranging from a plugin-based email client to a
conference management server.
Software
I implemented the first version of proof reconstruction for Fine by converting proofs from Z3. More recent details about F*, a language that derives from Fine, can be found here.