 
Summary: A Trustworthy Proof Checker
Andrew W. Appel and Neophytos Michael
Princeton University
Aaron Stump
Washington University in St. Louis
Roberto Virga
Princeton University
Abstract. Proof-Carrying Code (PCC) and other applications in computer security require
machine-checkable proofs of properties of machine-language programs. The main advantage
of the PCC approach is that the amount of code that must be explicitly trusted is very small: it
consists of the logic in which predicates and proofs are expressed, the safety predicate, and the
proof checker. We have built a minimal proof checker, and we explain its design principles
and the representation issues of the logic, safety predicate, and safety proofs. We show that
the trusted computing base (TCB) in such a system can indeed be very small. In our current
system the TCB is less than 2,700 lines of code (an order of magnitude smaller even than other
PCC systems), which adds to our confidence in its correctness.
1. Introduction
Machine-verified proofs have applications in computer security, program verification,
and the formalization of mathematics. We are particularly interested
in security applications such as proof-carrying code, in which an untrusted
