End-to-end security for hardware running verified software

1 . (canceled) 2 . One or more computer-readable memory storage devices storing instructions that, when executed by one or more processors, program the one or more processors to perform acts comprising: executing, by secure hardware, a software system that has been verified at an assembly language level to conform to a software specification, wherein the software system includes an operating system and a software application, and wherein a particular component of the software system is incapable of subverting other components of the software system; sending a public key from the software application to an external application that is external to the software system, wherein the public key corresponds to a private key that is known to the software system; sending first credentials signed by the secure hardware to the external application, wherein the first credentials indicate that the public key is associated with the software system; and sending second credentials comprising a second certificate signed using a second key by a provider of the secure hardware to the external application, the second credentials attesting to an identity of the secure hardware. 3 . The one or more computer-readable memory storage devices of claim 2 , wherein the acts further comprise: sending a first message signed with the public key, the public key indicating that the first message was sent by the software system. 4 . The one or more computer-readable memory storage devices of claim 2 , wherein the acts further comprise: receiving a second message signed using the public key, the second message readable by the software system but unreadable by other software systems. 5 . The one or more computer-readable memory storage devices of claim 2 , wherein the acts further comprise: determining that an assembly language implementation of the software system implements a functionally correct version of a low-level version of the software specification. 6 . The one or more computer-readable memory storage devices of claim 2 , wherein the acts further comprise: demonstrating remote equivalence between the software system and a low-level version of the software specification. 7 . The one or more computer-readable memory storage devices of claim 2 , wherein the acts further comprise: determining a functional correctness of properties described in a low-level version of the software specification; and proving noninterference between at least two components of the software system. 8 . A server comprising: one or more processors; and a memory device storing instructions executable by the one or more processors to perform acts comprising: performing a verified boot of a software system that is verified at an assembly language level as conforming to a low-level software specification, wherein the software system includes an operating system and a software application, and wherein a particular component of the software system is incapable of subverting other components of the software system; sending a public key from the software application to an external application that is external to the software system, the public key generated based on and corresponding to a private key that is known to the software system; sending a first certificate signed by secure hardware to the external application, wherein the first certificate identifies that the public key is associated with the software system; and sending a second certificate signed using a second key by a provider of the secure hardware to the external application, the second certificate attesting to an identity of the secure hardware. 9 . The server of claim 8 , wherein the acts further comprise: determining that an assembly language implementation of the software system implements a functionally correct version of the low-level software specification. 10 . The server of claim 8 , wherein the acts further comprise: sending a first message signed with the public key, the public key indicating that the first message was sent by the software system. 11 . The server of claim 10 , wherein the acts further comprise: proving noninterference between at least two components of the software system. 12 . The server of claim 8 , wherein the acts further comprise: sending a second message signed using the public key, the second message readable by the software system but unreadable by other software systems. 13 . The server of claim 8 , wherein the acts further comprise: verifying that the software system conforms to a software specification before performing the verified boot of the software system, the verifying comprising demonstrating remote equivalence. 14 . The server of claim 8 , wherein: the server comprises secure hardware. 15 . The server of claim 8 , wherein the acts further comprise: determining a functional correctness of properties described in the low-level software specification. 16 . A computer-implemented method comprising: receiving, by an external application that is external to a software system, a public key from the software system, the software system executed by secure hardware and verified at an assembly language level to conform to a low-level software specification, wherein the software system includes an operating system and a software application, wherein a particular component of the software system is incapable of subverting other components of the software system, and wherein the public key corresponds to a private key that is known to the software system; receiving, by the external application, first credentials signed by the secure hardware, wherein the first credentials attest that the public key is associated with the software system; receiving, by the external application, second credentials comprising a second certificate signed using a second key by a provider of the secure hardware attesting to an identity of the secure hardware; and authenticating, by the external application, the first credentials and the second credentials to determine that the public key was provided by the software system. 17 . The computer-implemented method of claim 16 , further comprising: determining that an assembly language implementation of the software system implements a functionally correct version of the low-level software specification. 18 . The computer-implemented method of claim 16 , further comprising: demonstrating remote equivalence between the software system and the low-level software specification. 19 . The computer-implemented method of claim 16 , further comprising: determining that a system hash associated with the software system matches a previous hash that was provided before the software application began executing on the secure hardware. 20 . The computer-implemented method of claim 16 , further comprising: receiving, from the software system, a first message signed with the public key; and authenticating, using the public key, that the first message was sent by the software application. 21 . The computer-implemented method of claim 16 , further comprising: sending, to the software system, a second message signed with the public key, wherein the second message is decryptable using a private key maintained by the software application.