A Proof-Carrying Code Architecture for Java

Christopher Colby, Peter Lee, and George C. Necula
Cedilla Systems Incorporated
4616 Henry Street
Pittsburgh, Pennsylvania 15213
Hackers@CedillaSystems.com

1 Introduction

In earlier work, Necula and Lee developed proof-carrying code (PCC) [3,5], which is a mechanism for ensuring the safe behavior of programs. In PCC, a program contains both the code and an encoding of an easy-to-check proof. The validity of the proof, which can be automatically determined by a simple proof-checking program, implies that the code, when executed, will behave safely according to a user-supplied formal definition of safe behavior. Later, Necula and Lee demonstrated the concept of a certifying compiler [6,7]. Certifying compilers promise to make PCC more practical by compiling high-level source programs into optimized PCC binaries completely automatically, as opposed to depending on semi-automatic theorem-proving techniques. Taken together, PCC and certifying compilers provide a possible solution to the code safety problem, even in applications involving mobile code [4].

In this paper we describe a PCC architecture comprising two tools:

- A thin PCC layer implemented in C that protects a host system from unsafe software. The host system can be anything from a desktop computer down to a smartcard. The administrator of the host system specifies a safety policy in a variant of the Edinburgh Logical Framework (LF) [1]. This layer loads PCC binaries, which are Intel x86 object files that contain a .lf section providing a binary encoding of a safety proof, and checks them against the safety policy before installing the software.

- A software-development tool that produces x86 PCC binaries from Java .class files. It is implemented in Objective Caml [2]. From a developer's perspective, this tool works just like any other compiler, with an interface similar to javac or gcc. Behind the scenes, the tool produces x86 machine code along with a proof of type safety according to the Java typing rules.

The demonstration will use a small graphics program to show that this architecture delivers Java safety guarantees without sacrificing the performance of native compilation.

E.A. Emerson and A.P. Sistla (Eds.): CAV 2000, LNCS 1855, pp. 557–560, 2000.
© Springer-Verlag Berlin Heidelberg 2000
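The division of labour described above, a producer that does the hard work of building a proof and a small, trusted checker on the host that only has to validate it against the safety policy before installing the code, can be illustrated with a toy model. The following Python is an added example written for this page; it is not the Cedilla Systems checker, it does not model LF, x86 object files or the .lf section, and its instruction set, rule names and the BUF_LEN policy constant are all assumptions chosen for illustration. The safety policy is "every buffer access is in bounds"; certify() plays the certifying-compiler role and check() the thin host-side layer, which must also reject a proof whose code has been altered after certification.

```python
"""Toy proof-carrying code: straight-line register programs, an in-bounds
buffer-access policy, proofs as checkable derivations. Constructed model,
not the Cedilla Systems implementation."""

BUF_LEN = 8  # assumed host policy: buffer indices must lie in [0, BUF_LEN)

# Constructed instruction set (single-assignment registers):
#   ("set", r, c)      r := c
#   ("add", r, a, b)   r := a + b
#   ("load", r, idx)   r := buf[idx]    -- access must be proven safe
#   ("store", idx, r)  buf[idx] := r    -- access must be proven safe
# A proof is a list of steps (fact, rule, premise_step_numbers) where a
# fact is ("ge", reg, k) meaning reg >= k or ("le", reg, k) meaning reg <= k.


def well_formed(program):
    """Reject programs the checker's rules are not sound for: an operand used
    before definition, a register assigned twice, or an unknown opcode."""
    defined = set()
    for ins in program:
        op = ins[0]
        if op == "set":
            target, uses = ins[1], []
        elif op == "add":
            target, uses = ins[1], list(ins[2:])
        elif op == "load":
            target, uses = ins[1], [ins[2]]
        elif op == "store":
            target, uses = None, [ins[1], ins[2]]
        else:
            return False
        if any(u not in defined for u in uses) or target in defined:
            return False
        if target:
            defined.add(target)
    return True


def certify(program, buf_len=BUF_LEN):
    """Producer side: track exact register values and emit a derivation for
    every access obligation. Raises if the program cannot be proven safe."""
    steps, index, val = [], {}, {}

    def emit(fact, rule, prem):
        if fact not in index:               # share identical facts
            index[fact] = len(steps)
            steps.append((fact, rule, prem))
        return index[fact]

    for ins in program:
        op = ins[0]
        if op == "set":
            _, r, c = ins
            val[r] = c
            emit(("ge", r, c), "axiom", [])
            emit(("le", r, c), "axiom", [])
        elif op == "add":
            _, r, a, b = ins
            if a not in val or b not in val:
                raise ValueError(f"cannot bound {r}: operand value unknown")
            val[r] = val[a] + val[b]
            emit(("ge", r, val[r]), "add_ge",
                 [index[("ge", a, val[a])], index[("ge", b, val[b])]])
            emit(("le", r, val[r]), "add_le",
                 [index[("le", a, val[a])], index[("le", b, val[b])]])
        else:                               # load or store: an obligation
            idx = ins[2] if op == "load" else ins[1]
            if idx not in val or not 0 <= val[idx] < buf_len:
                raise ValueError(f"cannot prove access through {idx} safe")
            emit(("ge", idx, 0), "weaken_ge", [index[("ge", idx, val[idx])]])
            emit(("le", idx, buf_len - 1), "weaken_le",
                 [index[("le", idx, val[idx])]])
    return steps


def check(program, proof, buf_len=BUF_LEN):
    """Host side: the only trusted code. Validates each proof step against
    the code itself, then confirms every access obligation was discharged."""
    if not well_formed(program):
        return False
    axioms = {(k, r, c) for (op, r, c) in [i for i in program if i[0] == "set"]
              for k in ("ge", "le")}
    adds = {i[1]: (i[2], i[3]) for i in program if i[0] == "add"}
    proven = []
    for n, (fact, rule, prem) in enumerate(proof):
        if not all(0 <= p < n for p in prem):       # premises: earlier steps only
            return False
        ps = [proven[p] for p in prem]
        kind, r, k = fact
        if rule == "axiom":
            ok = fact in axioms
        elif rule in ("add_ge", "add_le"):
            want = "ge" if rule == "add_ge" else "le"
            ok = (kind == want and r in adds and len(ps) == 2
                  and ps[0][0] == want and ps[1][0] == want
                  and (ps[0][1], ps[1][1]) == adds[r]
                  and k == ps[0][2] + ps[1][2])
        elif rule == "weaken_ge":
            ok = (kind == "ge" and len(ps) == 1 and ps[0][0] == "ge"
                  and ps[0][1] == r and k <= ps[0][2])
        elif rule == "weaken_le":
            ok = (kind == "le" and len(ps) == 1 and ps[0][0] == "le"
                  and ps[0][1] == r and k >= ps[0][2])
        else:
            ok = False
        if not ok:
            return False
        proven.append(fact)
    have = set(proven)
    for ins in program:
        if ins[0] not in ("load", "store"):
            continue
        idx = ins[2] if ins[0] == "load" else ins[1]
        if ("ge", idx, 0) not in have or ("le", idx, buf_len - 1) not in have:
            return False
    return True


# Constructed sample: r3 = 2 + 3 = 5 indexes an 8-element buffer.
PROGRAM = [("set", "r1", 2), ("set", "r2", 3), ("add", "r3", "r1", "r2"),
           ("load", "r4", "r3"), ("store", "r1", "r4")]
# Same proof, but the code was altered after certification (r3 would be 8).
TAMPERED = [("set", "r1", 2), ("set", "r2", 6), ("add", "r3", "r1", "r2"),
            ("load", "r4", "r3"), ("store", "r1", "r4")]

if __name__ == "__main__":
    proof = certify(PROGRAM)
    print("original accepted:", check(PROGRAM, proof))   # True
    print("tampered accepted:", check(TAMPERED, proof))  # False
```

The point the model makes is that the host never re-derives the bounds itself: it only replays the derivation the producer shipped, so the checker stays small regardless of how the proof was found, and an altered binary fails because its axioms no longer match the proof's premises.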