Cerise: Program Verification on a Capability Machine in the Presence of Untrusted Code
Journal of the ACM (IF 2.5). Pub Date: 2024-02-11. DOI: 10.1145/3623510
Aïna Linn Georges, Armaël Guéneau, Thomas Van Strydonck, Amin Timany, Alix Trieu, Dominique Devriese, Lars Birkedal

A capability machine is a type of CPU allowing fine-grained privilege separation using capabilities, machine words that represent certain kinds of authority. We present a mathematical model and accompanying proof methods that can be used for formal verification of functional correctness of programs running on a capability machine, even when they invoke and are invoked by unknown (and possibly malicious) code. We use a program logic called Cerise for reasoning about known code, and an associated logical relation, for reasoning about unknown code. The logical relation formally captures the capability safety guarantees provided by the capability machine. The Cerise program logic, logical relation, and all the examples considered in the paper have been mechanized using the Iris program logic framework in the Coq proof assistant.

The methodology we present underlies recent work of the authors on formal reasoning about capability machines [Georges et al. 2021; Skorstengaard et al. 2019a; Van Strydonck et al. 2022], but was left somewhat implicit in those publications. In this paper we present a pedagogical introduction to the methodology, in a simpler setting (no exotic capabilities), and starting from minimal examples. We work our way up to new results about a heap-based calling convention and implementations of sophisticated object-capability patterns of the kind previously studied for high-level languages with object-capabilities, demonstrating that the methodology scales to such reasoning.
Updated: 2024-02-14