Successful formal methods applications have four characteristics: intrinsically important applications, concise correctness theorems, validated models, and proof automation. We describe a recently completed verification of a microprocessor's intrinsic partitioning mechanism in those terms.

What Makes for a Good Application of Formal Methods?

Formal methods is the application of mathematical reasoning to establish properties about digital systems. Formal methods can be applied in many different ways, with many different notations and tools. They can deal with system models that describe the lowest level of implementation or the most abstract requirements, with properties to be proved that may be comprehensive descriptions of “correctness” or minor aspects that indicate good system development. Despite the wide range of formal methods applications, we observe that successful formal methods projects share four characteristics.

1. The target being analyzed is intrinsically important. Formal methods can provide a high level of certainty about a target, but the extra assurance must be worth the effort that formal verification usually entails. Three applications of formal methods that we consider successful are Microsoft’s SLAM project [Ball2004], AMD’s floating-point verification [Russinoff2000], and Rockwell Collins’ requirements validation [Miller2004]. The SLAM project aims to reduce crashes of Microsoft’s Windows OS by proving important device driver behaviors. AMD’s floating-point work seeks to eliminate errors in the floating-point units of AMD’s x86 microprocessors. Rockwell Collins is applying model checking to help validate requirements for safety-critical systems. Each of these applications of formal methods solves a problem that is important enough to justify the extra effort.

2. The target’s desired behavior has a concise and understandable formalization. An important indicator of a successful formal methods application is the degree to which the description of the needed property is compelling. A proved theorem only increases assurance about a target of evaluation if we trust in the formalization of the desired
[1] John M. Rushby et al. Design and verification of secure systems. SOSP, 1981.
[2] David M. Russinoff. A Case Study in Formal Verification of Register-Transfer Logic with ACL2: The Floating Point Adder of the AMD Athlon Processor. FMCAD, 2000.
[3] Matthew Wilding et al. A Separation Kernel Formal Security Policy. ACL2 Workshop, 2003.
[4] Matthew Wilding et al. Typed ACL2 Records. 2003.
[5] Mats Per Erik Heimdahl et al. Proving the shalls. International Journal on Software Tools for Technology Transfer, 2003.
[6] John Rushby. A Separation Kernel Formal Security Policy in PVS. 2004.
[7] Sriram K. Rajamani et al. SLAM and Static Driver Verifier: Technology Transfer of Formal Methods inside Microsoft. IFM, 2004.
[8] David Greve et al. The Common Criteria, Formal Methods and ACL2. 2004.