Whatever Happened to Formal Methods for Security?

We asked seven experts seven questions to find out what has happened recently in applying formal methods (FM) to security-centric cyber problems. We are continually reminded of Tony Hoare's 1996 paper "How Did Software Get So Reliable Without Proof?" [7]. In that vein, how did we get so insecure with proof? Given daily press announcements of new malware, data breaches, and privacy loss, is FM still relevant, or was it ever? Our experts answered with unique personal insights. We were curious whether a methodology that has succeeded in safety-critical systems has succeeded as well under today's "build it, hack it, patch it" mindset. Our experts were John McLean (Naval Research Laboratory), Paul Black (National Institute of Standards and Technology), Karl Levitt (University of California, Davis), Joseph Williams (CloudEconomist.Com), Connie Heitmeyer (Naval Research Laboratory), Eugene Spafford (Purdue University), and Joseph Kiniry (Galois, Inc.). The questions and responses follow.

[1] Matt Bishop. Computer Security: Art and Science. Addison-Wesley, 2002.

[2] Jonathan P. Bowen and Michael G. Hinchey. Ten Commandments of Formal Methods. Computer, 1995.

[3] Donald MacKenzie. Mechanizing Proof: Computing, Risk, and Trust. MIT Press, 2001.

[4] Gerard J. Holzmann. Mars code. Commun. ACM, 2014.

[5] Richard A. Kemmerer, Catherine A. Meadows, and Jonathan K. Millen. Three systems for cryptographic protocol analysis. Journal of Cryptology, 1994.

[6] Lawrence Robinson and Karl N. Levitt. Proof techniques for hierarchically structured programs. Commun. ACM, 1977.

[7] C. A. R. Hoare. How Did Software Get So Reliable Without Proof? FME, 1996.

[8] Klaus Havelund, Michael R. Lowry, and John Penix. Formal Analysis of a Space-Craft Controller Using SPIN. IEEE Trans. Software Eng., 2001.

[9] Bernd Finkbeiner et al. Verifying Temporal Properties of Reactive Systems: A STeP Tutorial. Formal Methods Syst. Des., 2000.

[10] Rita C. Summers. Secure Computing: Threats and Safeguards. 1996.

[11] Jonathan P. Bowen and Michael G. Hinchey. Ten Commandments of Formal Methods ... Ten Years Later. Computer, 2006.

[12] Kingsley Jones et al. Regulatory Analytics and Data Architecture (RADAR). 2015.

[13] Constance L. Heitmeyer, Myla Archer, Elizabeth I. Leonard, and John McLean. Applying Formal Methods to a Certifiably Secure Software System. IEEE Transactions on Software Engineering, 2008.

[14] David Greve, Matthew Wilding, and W. Mark Vanfleet. A Separation Kernel Formal Security Policy. ACL2 Workshop, 2003.

[15] Catherine A. Meadows. Analysis of the Internet Key Exchange protocol using the NRL Protocol Analyzer. Proceedings of the 1999 IEEE Symposium on Security and Privacy, 1999.

[16] Angelo Gargantini and Constance L. Heitmeyer. Using model checking to generate tests from requirements specifications. ESEC/FSE-7, 1999.

[17] Thomas Ball, Vladimir Levin, and Sriram K. Rajamani. A decade of software model checking with SLAM. Commun. ACM, 2011.

[18] David Delmas and Jean Souyris. Astrée: From Research to Industry. SAS, 2007.

[19] Carl E. Landwehr, Constance L. Heitmeyer, and John McLean. A security model for military message systems. ACM Trans. Comput. Syst., 1984.

[20] Al Bessey et al. (with Dawson R. Engler). A few billion lines of code later: using static analysis to find bugs in the real world. Commun. ACM, 2010.