Proceedings of the fourth ACM workshop on Formal methods in security
This volume contains the proceedings of the Fourth ACM Workshop on Formal Methods in Security Engineering (FMSE'06), held in Fairfax, Virginia, on November 3rd, 2006, in conjunction with the 13th ACM Conference on Computer and Communications Security.

Information security has become a crucial concern for the commercial deployment of almost all applications and middleware. Although this is commonly recognized, the incorporation of security requirements into the software development process is not yet well understood. The deployment of security mechanisms is often ad hoc, without a formal security specification or analysis, and practically always without a formal security validation of the final product. Progress is being made, but there remains a wide gap between high-level security models and actual code development.

The purpose of FMSE is to bring together researchers and practitioners from both the security and the software engineering communities, from academia and industry, who are working to apply formal methods to the design and validation of large-scale systems. The scope of the workshop, as indicated by the call for papers, covers the security and formal methods aspects of: security specification techniques, formal trust models, combination of formal techniques with semi-formal techniques like UML, formal analyses of specific security properties relevant to software development, security-preserving composition and refinement of processes, symbolic and computational models of security protocols, integration of security aspects into formal development methods and tools, access control policies, information flow, risk management and network security, formal analysis of firewalls and intrusion detection systems, trusted computing, and case studies.

As in previous years, the paper selection process was very competitive. Our call for papers attracted 21 submissions from Asia, North Africa, Canada, Europe, Russia, and the United States.
The program committee accepted 7 papers for presentation at the workshop. Many high-quality papers had to be rejected. In addition, the program includes invited talks from Joshua Guttman and Steve Zdancewic.
- Conference Instance
5
- 10.1145/1103576
- Nov 11, 2005
It is our great pleasure to welcome you to the Third ACM Workshop on Formal Methods in Security Engineering (FMSE 2005), held in conjunction with the 12th ACM Conference on Computer and Communications Security.

The purpose of FMSE is to bring together researchers and practitioners from both the security and the software engineering communities, from academia and industry, who are working on applying formal methods to designing and validating large-scale security-critical systems. The scope of the workshop covers security and formal-methods related aspects of security specification techniques, formal trust models, combination of formal techniques with semi-formal techniques like UML, formal analyses of specific security properties relevant to software development, security-preserving composition and refinement of processes, faithful abstractions of cryptographic primitives and protocols in process abstractions, integration of formal security specifications, as well as refinement and validation techniques in development methods and tools.

The paper selection process was very competitive this year. The call for papers attracted 22 submissions from Australia, Asia, Europe, New Zealand, and the United States. The program committee accepted 8 papers for presentation at the workshop, which means that many high-quality papers had to be rejected. In addition, the program includes invited talks by Virgil Gligor and Andrew Myers.
- Conference Instance
2
- 10.1145/1035429
- Oct 30, 2003
This volume contains the proceedings of the first ACM Workshop on Formal Methods in Security Engineering (FMSE 2003), held in Washington D.C. on October 30th, in conjunction with the 10th ACM Conference on Computer and Communications Security.

The purpose of FMSE is to bring together researchers and practitioners from both the security and the software engineering communities, from academia and industry, who are working on applying formal methods to designing and validating large-scale security-critical systems. The scope of the workshop covers security and formal-methods related aspects of: security specification techniques, formal trust models, combination of formal techniques with semi-formal techniques like UML, formal analyses of specific security properties relevant to software development, security-preserving composition and refinement of processes, faithful abstractions of cryptographic primitives and protocols in process abstractions, integration of formal security specifications, as well as refinement and validation techniques in development methods and tools.

We accepted 8 papers for presentation at the workshop. Furthermore, there was an invited talk by Iliano Cervesato as well as a panel on Relating Cryptography and Formal Methods by Catherine Meadows, John C. Mitchell, and Birgit Pfitzmann.
- Conference Article
- 10.1145/1314436.1314437
- Nov 2, 2007
Starting with the Trusted Computer System Evaluation Criteria (aka the Orange Book), the information security community within the US Department of Defense has been advocating formal methods for decades. Others have followed suit, culminating in the appearance of the Common Criteria. The advantages of formal analysis seem self-evident. First, of the three things that are subject to certification (people, process, and product), product seems to be the most immediately relevant. Second, if we focus on product, testing seems insufficient; as Dijkstra famously noted, testing can reveal the presence of flaws, but not their absence. This is especially true of security, where flaws may be intentionally constructed not to reveal themselves during normal testing. Despite this, the acceptance of formal methods has been less than universal.

In this talk I will discuss the history of formal methods, but with a focus on how that history has shaped our current situation. I'll also discuss what we need to do to make formal methods more appealing. This will involve the development of formal methods, or new ways of using formal methods, that will: have a more predictable, quantifiable impact on validation costs; support software engineering for nonstandard properties and multiple properties; incorporate untrusted software; and support flexible release strategies. I will also discuss a recent application of formal methods NRL undertook as part of the development of a new security device [1], and new directions formal methods must take if they are to be applicable to future systems. The focus here will be on their use in autonomous systems that incorporate nondeterministic learning algorithms.
- Book Chapter
- 10.1007/11813040_39
- Jan 1, 2006
This contribution discusses two main lines of development concerning the use of formal methods in security engineering. Fully automated and highly specialized methods that hide most of the formal theory from their users are compared to formal security models centered around explicit formal system models. It is argued that only the latter offer the prospect of comprehensively controlling the development process with its various security aspects and phases. By putting more emphasis on the combination of theories, fragmentation could be overcome through an integration of the specialized methods that are presently still applied in isolation.
- Single Book
8
- 10.1007/978-3-642-32759-9
- Jan 1, 2012
FM 2012 is the eighteenth in a series of symposia organized by Formal Methods Europe, an independent association whose aim is to stimulate the use of, and research on, formal methods for software development. The symposia have been notably successful in bringing together innovators and practitioners in precise mathematical methods for software and systems development, industrial users, as well as researchers. In August 2012, the Conservatoire National des Arts et Metiers (Le Cnam Paris) hosted FM 2012 in Paris (France). The special theme of FM 2012 was Interdisciplinary Formal Methods, with a goal of highlighting the development and application of formal methods in connection with a variety of disciplines including medicine, biology, human cognitive modeling, human automation interactions and aeronautics. We were honored to have three invited speakers whose talks emphasized the special theme. Prof. Martin Abadi, with his talk titled Software Security -- A Perspective, discussed software security with an emphasis on low-level attacks and defenses and on their formal aspects. Dr Asaf Degani gave a talk titled Formal Methods in the Wild: Trains, Planes, & Automobiles. Through this talk, Dr Degani drew upon his experience with aerospace and automotive applications to provide a perspective on how formal methods could improve the design of such applications. Finally, Dr Alan Wassyng, in his talk titled Who are we, and what are we doing here?, stressed the importance of viewing formal methods from a rigorous software engineering perspective, and discussed his experiences with the certification of software intensive systems. All three talks raised the awareness of the community to the fact that formal methods live in the intersection of disciplines; research in this domain must also consider how to increase the industrial impact of formal methods.
FM 2012 welcomed submissions in the following areas, among others:
- Interdisciplinary formal methods: techniques, tools and experiences demonstrating formal methods in interdisciplinary frameworks, such as formal methods related to maintenance, human automation interaction, human in the loop, system engineering, medicine and biology.
- Formal methods in practice: industrial applications of formal methods, experience with introducing formal methods in industry, tool usage reports, experiments with challenge problems.
- Tools for formal methods: advances in automated verification and model-checking, integration of tools, environments for formal methods, experimental validation of tools.
- Role of formal methods in software and systems engineering: development processes with formal methods, usage guidelines for formal methods, method integration.
- Theoretical foundations: all aspects of theory related to specification, verification, refinement, and static and dynamic analysis.
- Teaching formal methods: insight, evaluations and suggestions for courses of action regarding the teaching of formal methods, including teaching experiences, educational resources, the integration of formal methods into the curriculum, the definition of a formal methods body of knowledge, etc.
We solicited two types of contributions: research papers and tool demonstration papers. We received submissions from 39 countries around the world: 162 abstracts followed by 132 full submissions. The selection process was rigorous. Each paper received at least four reviews. We obtained external reviews for papers that lacked expertise within the Program Committee. The program committee, after long and very careful discussions of the submitted papers, decided to accept only 28 full papers and 7 tool papers, which corresponds to an overall acceptance rate of approximately 26%. Some of the accepted papers were additionally shepherded by expert members of the PC to ensure the quality of their final version.
The accepted papers made a scientifically strong and exciting program, which triggered interesting discussions and exchange of ideas among the FM participants. The accepted papers cover several aspects of formal methods, including verification, synthesis, runtime monitoring, testing and controller synthesis, as well as novel applications of formal methods in interesting domains such as satellites, autonomous vehicles and disease dynamics. We would like to thank all authors who submitted their work to FM 2012. Without their excellent contributions we would not have managed to prepare a strong program. We are grateful to the Program Committee members and external reviewers for their high-quality reviews and dedication. Finally, we wish to thank the Steering Committee members for their excellent support. The logistics of our job as Program Chairs were facilitated by the EasyChair system.
- Single Book
4
- 10.1007/978-3-030-63406-3
- Jan 1, 2020
The International Conference on Formal Engineering Methods (ICFEM) gathers researchers and practitioners interested in recent developments in the use of formal engineering methods for software and system development. It records the latest developments in formal engineering methods. ICFEM 2020, the 22nd edition of ICFEM, was planned for late October 2020, but due to the COVID-19 pandemic the conference was postponed and held in Singapore during March 1–3, 2021. ICFEM 2020 received 41 submissions covering theory and applications in formal engineering methods together with case studies. Each paper was reviewed by at least three reviewers, and the Program Committee accepted 16 regular papers and 4 short papers, leading to an attractive scientific program. After the success of the doctoral symposium of the previous edition, we decided to host a doctoral symposium again at ICFEM 2020. The doctoral symposium Program Committee (chaired by Lei Ma from Kyushu University, Japan; Weiyi Shang from Concordia University, Canada; and Xiaoning Du from Monash University, Australia) accepted one doctoral symposium paper, included in the back matter of the ICFEM 2020 proceedings. ICFEM 2020 would not have been successful without the contribution and involvement of the Program Committee members and the external reviewers who contributed to the review process (with more than 120 reviews) and the selection of the best contributions. This event would not exist if authors and contributors did not submit their proposals. We address our thanks to every person, reviewer, author, Program Committee member and Organizing Committee member involved in the success of ICFEM 2020. The EasyChair system was set up for the management of ICFEM 2020, supporting submission, review, and volume preparation processes. It proved to be a powerful framework.
ICFEM 2020 had one affiliated workshop: the 10th International Workshop on SOFL + MSVL for Reliability and Security (SOFL+MSVL 2020), which brought in additional participants to the ICFEM week and helped make it an interesting and successful event. We thank all the workshop organizers for their hard work. ICFEM 2020 was hosted and sponsored by the National University of Singapore. The Local Organizing Committee offered all the facilities to run the conference in a lovely and friendly atmosphere. Many thanks to all the local organizers. We wish to express our special thanks to the general co-chairs, the Steering Committee members and in particular Shaoying Liu and Jin Song Dong for their valuable support.
- Conference Article
6
- 10.1109/wac.2002.1049420
- Dec 10, 2002
The B formal development method has changed the development methodology for safety-critical software, in particular how the verification and proof activities of software development are combined. This paper provides a new approach for assessing safety-critical software developed using the B formal method. After presenting an overview of the assessment requirements, the paper presents and discusses the impact of the B formal software development methodology. The approach for assessing safety-critical software developed with the B method is the central point of this paper. This assessment approach is based on traceability analysis, validation of the safety properties, complementary tests, and metrics.
- Conference Instance
9
- 10.1145/1029133
- Oct 29, 2004
Proceedings of the 2004 ACM workshop on Formal methods in security engineering
- Conference Instance
6
- 10.1145/1456396
- Oct 27, 2008
Proceedings of the 6th ACM workshop on Formal methods in security engineering
- Conference Instance
5
- 10.1145/1314436
- Nov 2, 2007
Proceedings of the 2007 ACM workshop on Formal methods in security engineering
- Conference Article
2
- 10.4271/2008-01-0119
- Apr 14, 2008
- SAE technical papers on CD-ROM/SAE technical paper series
Legislative bodies are directing that automotive products comply with stringent safety levels. The liability for the safety of passengers in an automobile has traditionally been quite complex. Other transport sectors are externally regulated, and liability lies with the manufacturer or the transport service provider. The automotive industry is self-regulated and the individual driver carries a significant liability.

Software and electronics increasingly provide greater control of automotive safety, possibly reducing driver liability, and increasing the need for more formal software development methods. The automotive business model, however, also presents challenges to the effective use of formal methods. An automotive design change costing €600 per vehicle could consume 100% of gross margin. In aviation, this cost represents 0.01% of gross margin [1] [2].

The automotive industry is responding to the increasing impact of automotive software with the development of standards such as AUTOSAR [3], and EU funded projects such as ATESST [4] and EASIS [5]. They propose architectures which might deliver the benefits of best software engineering practice to the industry. In terms of safety, they recommend existing accepted standards such as IEC61508 [6], which stipulates various formal methods for the development of safety-critical software. However, IEC61508 does not compare specific formal methods in terms of their suitability to industry.

This paper discusses the suitability for industry of formal methods of specification and verification. It provides a classification which looks at categories such as commercialization; capacity to solve industry-scale problems; cost effectiveness, etc. The paper looks at the relevance of the classification in terms of the challenges and constraints of the automotive domain and discusses how it might facilitate the engineer to make design decisions which improve safety in a cost effective manner.
- Conference Article
- 10.14236/ewic/iwfm2003.0
- Jan 1, 2003
- Electronic workshops in computing
IWFM'03 is the Sixth International Workshop in Formal Methods. It follows in the series of workshops organised by the Irish Formal Methods Special Interest Group (IFMSIG) and previously known as the Irish Workshop in Formal Methods. This year it was held at Dublin City University on 11 July, 2003. The workshop has traditionally been an occasion for scholars and industry experts from Europe and further afield to share knowledge and develop ideas within the general scope of the workshop, which covers a wide range of topics related to formal methods and foundations of computing. The series focuses primarily on the following topics: (i) Formal methods for security, including formal models of secrecy, authenticity, availability, etc. and security-motivated extensions of language formalisms. (ii) Tool development, in particular model checking, theorem proving and static analysis. (iii) Specification, verification and validation of infinite-state systems. (iv) Foundations, including topologies, category theory and unifying theories. (v) Formal methods in software engineering and hardware development. The papers published in the proceedings were all refereed by an international programme committee. In addition, David L. Parnas and Michael Rusinowitch gave invited talks.
- Research Article
126
- 10.1258/135581906777641659
- Jul 1, 2006
- Journal of health services research & policy
Formal consensus development methods are ways of obtaining and synthesising views of experts, opinion leaders and other stakeholders, and are increasingly being used to develop clinical practice guidelines. Our objective was to examine the impact that the characteristics of individual participants, groups and the consensus process have on the judgments produced by formal consensus development methods in health care. Studies were identified from an earlier methodological review and a search of five bibliographic databases for the period January 1996 to December 2004. Studies were eligible if they involved formal consensus development methods and reported differences in judgments between groups or participants. For studies comparing two or more groups overall percentage agreement, the kappa coefficient and the odds ratio for differences in judgments were calculated. There were 22 studies comparing the impact of the characteristics of individual participants within groups and 30 studies comparing the results produced by two or more groups. Practitioners who perform a procedure tend to emphasise the appropriateness of the procedure compared with non-performing practitioners, and individuals from groups that were subject to performance criteria are more critical of those criteria than individuals from other groups. There was no clear pattern for the differences in judgments produced by participants and groups from different countries. Except for participant specialty there is little general evidence for how the characteristics of participants and groups influence the judgments produced in formal consensus development methods. Multi-specialty groups are preferable to single-specialty groups because of their potential for taking account of a wider range of opinions.
- Book Chapter
1
- 10.4018/978-1-59140-462-0.ch004
- Jan 1, 2005
In this chapter, we study the use of a formal object-oriented method within the Rational Unified Process (RUP). Our purposes are (a) to unify different views of UML models; (b) to enhance RUP and UML with a formal method to improve the quality of software; (c) to scale up the use of the formal method with the use-case driven, iterative and incremental aspects of RUP. Our overall aim is to establish a sound foundation for RUP and UML and to scale up the use of formal methods in software-intensive system development.
- Book Chapter
4
- 10.1007/3-540-61474-5_101
- Jan 1, 1996
Formal methods are recognized as the most promising way to produce high-assurance software systems. In reality this fact is not enough to convince industry to use them. Formal methods must be applicable and usable in several areas (security, safety); engineers have to accept a change in software development work but should not be asked to give up the environment they are used to; and managers must realize that higher effort during the design phase can save money and time later. This paper describes the recently completed formal specification and verification tool Verification Support Environment (VSE). An advantage of the design of the VSE tool is the possibility of using formal and semiformal development methods combined in a single working environment. After the official release of the VSE system in March 1995, several pilot projects were carried out with industry. The paper gives an overview of the VSE system and describes the results of the pilot applications.