Core Concepts
Formal verification techniques have been successfully applied to develop and deploy real-world software systems across various domains, providing valuable lessons on the practicality and limitations of formal methods in industry.
Abstract
The article surveys a range of formally verified and deployed software systems, examining the technologies used, the verification approaches applied, the results obtained, and the lessons learned. Key findings include:
Formal verification has been applied to develop and deploy systems in diverse domains such as compilers, operating systems, cryptographic libraries, and aerospace applications, demonstrating the practicality of the approach.
The verification approaches used include axiomatic semantics, abstract interpretation, model checking, theorem proving, and refinement-based methods like B and Event-B. The choice of approach depends on the properties to be verified and the characteristics of the system.
Formally verified systems have achieved properties such as functional correctness, security, memory safety, and timing/resource constraints. However, the effort required can be substantial, ranging from less than a year to over 250 person-years.
Maintaining a realistic view of verification is important, as specifications may be incomplete and hypotheses can be violated. Verification is an iterative process, not a one-shot solution.
Verifying the entire verification toolchain, including compilers and execution environments, is a significant challenge. Bootstrapping the verification process is an active area of research.
The survey provides a factual basis to discuss the practicality and limitations of formal verification in industry, highlighting both the successes and the remaining challenges.
Stats
The CompCert compiler is formally verified to preserve the semantics of the source C program in the generated assembly code.
The CakeML compiler is formally verified to preserve the semantics of the source CakeML program in the generated machine code.
The seL4 microkernel is formally verified to satisfy functional correctness and security properties.
The HACL* cryptographic library is formally verified to satisfy security, functional correctness, and memory safety properties.
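The two compiler entries above describe the same kind of theorem: the generated code's behaviour matches the source program's semantics. As an added illustration (not code from the surveyed article, CompCert or CakeML), the following Lean 4 development states and proves that property for a deliberately tiny compiler from arithmetic expressions to a stack machine; the names AExp, Instr, run, compile and compile_run are all constructed for this example. The proof follows the standard shape used in verified-compiler work: strengthen the statement so the compiled code is followed by an arbitrary continuation on an arbitrary stack, and the induction over the source syntax then goes through.

```lean
-- Source language: a tiny arithmetic expression language (constructed for
-- this example; it is not the source language of CompCert or CakeML).
inductive AExp where
  | const : Nat → AExp
  | plus  : AExp → AExp → AExp
  | times : AExp → AExp → AExp

-- Source semantics: the value an expression denotes.
def AExp.eval : AExp → Nat
  | .const n   => n
  | .plus a b  => a.eval + b.eval
  | .times a b => a.eval * b.eval

-- Target language: instructions for a simple stack machine.
inductive Instr where
  | push : Nat → Instr
  | add  : Instr
  | mul  : Instr

-- Target semantics: run a program against a stack of naturals.
-- A stack underflow (add/mul with fewer than two operands) halts and
-- returns the stack unchanged; the theorem below shows that compiled
-- code never reaches that case.
def run : List Instr → List Nat → List Nat
  | [],             s           => s
  | .push n :: is,  s           => run is (n :: s)
  | .add :: is,     b :: a :: s => run is ((a + b) :: s)
  | .mul :: is,     b :: a :: s => run is ((a * b) :: s)
  | _ :: _,         s           => s

-- The compiler: post-order code generation.
def compile : AExp → List Instr
  | .const n   => [.push n]
  | .plus a b  => compile a ++ compile b ++ [.add]
  | .times a b => compile a ++ compile b ++ [.mul]

-- Generalised semantic preservation: running compiled code followed by
-- any continuation `is` on any stack `s` equals running `is` with the
-- source value pushed. Generalising over `is` and `s` is what makes the
-- induction hypotheses strong enough to use.
theorem compile_run (e : AExp) (is : List Instr) (s : List Nat) :
    run (compile e ++ is) s = run is (e.eval :: s) := by
  induction e generalizing is s with
  | const n => simp [compile, AExp.eval, run]
  | plus a b iha ihb =>
    simp [compile, AExp.eval, List.append_assoc, iha, ihb, run]
  | times a b iha ihb =>
    simp [compile, AExp.eval, List.append_assoc, iha, ihb, run]

-- The headline statement, in the spirit of a compiler correctness theorem:
-- the compiled program leaves exactly the source value on the stack.
theorem compile_correct (e : AExp) : run (compile e) [] = [e.eval] := by
  simpa [run] using compile_run e [] []
```

The point a practitioner should take from this is the proof structure rather than the language: `compile_correct` alone is not provable by direct induction, because the induction hypotheses say nothing about code that runs after the subexpression's code. Real verified compilers scale this same move up to simulation relations between source and target execution states, which is where most of the person-years mentioned in the findings above are spent.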
Quotes
"Formal verification has been applied to develop and deploy systems in diverse domains such as compilers, operating systems, cryptographic libraries, and aerospace applications, demonstrating the practicality of the approach."
"Maintaining a realistic view of verification is important, as specifications may be incomplete and hypotheses can be violated. Verification is an iterative process, not a one-shot solution."
"Verifying the entire verification toolchain, including compilers and execution environments, is a significant challenge. Bootstrapping the verification process is an active area of research."