Formal Methods: State of the Art and Future Directions
Edmund M. Clarke and Jeannette M. Wing, ACM Computing Surveys, 1996

Hardware and software systems will inevitably grow in scale and functionality. Because of this increase in complexity, the likelihood of subtle errors is much greater. Moreover, some of these errors may cause catastrophic loss of money, time, or even human life. A major goal of software engineering is to enable developers to construct systems that operate reliably despite this complexity. One way of achieving this goal is by using formal methods: mathematically based languages, techniques, and tools for specifying and verifying such systems. Use of formal methods does not a priori guarantee correctness. However, formal methods can greatly increase our understanding of a system by revealing inconsistencies, ambiguities, and incompleteness that might otherwise go undetected.

The first part of this report assesses the state of the art in specification and verification. For verification, we highlight advances in model checking and theorem proving. In the three sections on specification, model checking, and theorem proving, we explain what we mean by each technique and briefly describe some successful case studies and well-known tools. The second part of this report outlines future directions in fundamental concepts, new methods and tools, integration of methods, and education and technology transfer. We close with summary remarks and pointers to resources for more information.
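The abstract names model checking as one of the two verification techniques it surveys. As an added example (not code from the report or its authors), the block below is a minimal explicit-state model checker: breadth-first exploration of a finite state space, checking a safety invariant at every reachable state and returning the shortest counterexample trace when it fails. It is run on two hand-constructed two-process models: a naive lock whose test and set are separate steps (the kind of subtle error the abstract refers to), and Peterson's mutual-exclusion algorithm, for which the invariant holds in every reachable state. The function names, state encodings and both models are assumptions of this example, not anything defined in the report.

```python
from collections import deque


def model_check(initial, successors, invariant):
    """Explicit-state safety check by breadth-first search.

    initial    : hashable initial state
    successors : state -> list of (action_label, next_state)
    invariant  : state -> bool, the safety property that must hold everywhere

    Returns (None, n) if the invariant holds in all n reachable states, else
    (trace, n) where trace is the shortest action sequence (BFS guarantees
    minimality) from `initial` to a state violating the invariant.
    """
    parent = {initial: None}          # state -> (predecessor, label) or None
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while parent[s] is not None:
                prev, label = parent[s]
                trace.append(label)
                s = prev
            return list(reversed(trace)), len(parent)
        for label, t in successors(s):
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    return None, len(parent)


# --- Model 1 (constructed): a "lock" whose test and set are separate steps ---
# State: (pc0, pc1, lock).  pc 0 = idle, 1 = saw lock free, 2 = critical section.

def naive_lock_successors(state):
    pc0, pc1, lock = state
    pcs = [pc0, pc1]
    out = []
    for i in (0, 1):
        nxt = list(pcs)
        if pcs[i] == 0 and lock == 0:         # test: lock looks free
            nxt[i] = 1
            out.append((f"p{i}: test lock==0", (nxt[0], nxt[1], lock)))
        elif pcs[i] == 1:                      # set: acquire and enter (too late)
            nxt[i] = 2
            out.append((f"p{i}: set lock=1, enter", (nxt[0], nxt[1], 1)))
        elif pcs[i] == 2:                      # release
            nxt[i] = 0
            out.append((f"p{i}: lock=0, leave", (nxt[0], nxt[1], 0)))
    return out


def naive_mutex(state):
    return not (state[0] == 2 and state[1] == 2)


# --- Model 2 (constructed): Peterson's algorithm for two processes ---
# State: (pc0, pc1, flag0, flag1, turn).  pc 3 = critical section.

def peterson_successors(state):
    pc0, pc1, f0, f1, turn = state
    pcs, flags = [pc0, pc1], [f0, f1]
    out = []
    for i in (0, 1):
        j = 1 - i
        npc, nfl, nturn = list(pcs), list(flags), turn
        if pcs[i] == 0:                        # flag[i] = 1
            nfl[i], npc[i], label = 1, 1, f"p{i}: flag[{i}]=1"
        elif pcs[i] == 1:                      # turn = j
            nturn, npc[i], label = j, 2, f"p{i}: turn={j}"
        elif pcs[i] == 2:                      # wait while flag[j] and turn == j
            if flags[j] and turn == j:
                continue                       # blocked: no transition for i
            npc[i], label = 3, f"p{i}: enter critical"
        else:                                  # flag[i] = 0
            nfl[i], npc[i], label = 0, 0, f"p{i}: flag[{i}]=0, leave"
        out.append((label, (npc[0], npc[1], nfl[0], nfl[1], nturn)))
    return out


def peterson_mutex(state):
    return not (state[0] == 3 and state[1] == 3)


def check_naive_lock():
    return model_check((0, 0, 0), naive_lock_successors, naive_mutex)


def check_peterson():
    return model_check((0, 0, 0, 0, 0), peterson_successors, peterson_mutex)


if __name__ == "__main__":
    for name, check in (("naive lock", check_naive_lock), ("Peterson", check_peterson)):
        trace, n = check()
        verdict = "holds" if trace is None else "VIOLATED: " + " -> ".join(trace)
        print(f"{name}: {n} reachable states, mutual exclusion {verdict}")
```

The naive lock is refuted with a four-step interleaving (both processes observe the lock free before either sets it), which is exactly the interleaving a tester is unlikely to hit by chance; Peterson's algorithm is exhaustively verified because the state space is finite. Real model checkers differ from this sketch mainly in how they fight state explosion (symbolic representation, partial-order reduction, abstraction), not in the basic reachability idea.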
