Towards proving type safety of .NET CIL

A crucial role in the Microsoft .NET Framework Common Language Runtime (CLR) security model is played by type safety of the Common Intermediate Language (CIL). In this paper, we formally prove type safety of a large subset of CIL. To do so, we begin by specifying the static and dynamic semantics of CIL by providing an abstract interpreter for CIL programs. We then formalize the bytecode verification algorithm, whose job it is to compute a well-typing for a given method. We then prove type safety of well-typed methods, i.e., the execution according to the semantics model of legal and well-typed methods does not lead to any run-time type violations. Finally, to prove CIL’s type safety, we show that the verification algorithm is sound, i.e., the typings it produces are well-typings, and complete, i.e., if a well-typing exists, then the algorithm computes one.