A panel of seven experts discusses the state of the practice of formal methods (FM) in software development, with a focus on FM's relevance to security.
In a 1996 article, formal methods (FM) advocate Tony Hoare asked, "How Did Software Get So Reliable without Proof?"1 Twenty years later, in the same vein, we wondered: How did software get so insecure with proof? Given daily media accounts of new malware, data breaches, and privacy loss, is FM still relevant to security—or was it ever?
To explore whether the application of FM is as suitable for today's "build it, hack it, patch it" mindset as it has been for safety-critical system design, we posed seven questions to a panel of seven experts: Paul E. Black of the National Institute of Standards and Technology (NIST); Connie Heitmeyer of the US Naval Research Laboratory (NRL); Joseph Kiniry of Galois, Inc.; Karl Levitt of the University of California, Davis; John McLean of NRL; Eugene Spafford of Purdue University; and ICT executive Joseph Williams. See the "Roundtable Panelists" sidebar for more information about the panel members. Their unique personal insights are presented below.
A panel of seven experts discusses the state of the practice of formal methods (FM) in software development, with a focus on FM's relevance to security. In a 1996 article, formal methods (FM) advocate Tony Hoare asked, "How Did Software Get So Reliable without Proof?"1 Twenty years later, in the...
See full abstract
A panel of seven experts discusses the state of the practice of formal methods (FM) in software development, with a focus on FM's relevance to security.
In a 1996 article, formal methods (FM) advocate Tony Hoare asked, "How Did Software Get So Reliable without Proof?"1 Twenty years later, in the same vein, we wondered: How did software get so insecure with proof? Given daily media accounts of new malware, data breaches, and privacy loss, is FM still relevant to security—or was it ever?
To explore whether the application of FM is as suitable for today's "build it, hack it, patch it" mindset as it has been for safety-critical system design, we posed seven questions to a panel of seven experts: Paul E. Black of the National Institute of Standards and Technology (NIST); Connie Heitmeyer of the US Naval Research Laboratory (NRL); Joseph Kiniry of Galois, Inc.; Karl Levitt of the University of California, Davis; John McLean of NRL; Eugene Spafford of Purdue University; and ICT executive Joseph Williams. See the "Roundtable Panelists" sidebar for more information about the panel members. Their unique personal insights are presented below.
Hide full abstract
