Abstract

For decades, formal methods have offered the promise of verified software that does not have exploitable bugs. Until recently, however, it has not been possible to verify software of sufficient complexity to be useful. Recently, that situation has changed. SeL4 is an open-source operating system microkernel efficient enough to be used in a wide range of practical applications. Its designers proved it to be fully functionally correct, ensuring the absence of buffer overflows, null pointer exceptions, use-after-free errors, etc., and guaranteeing integrity and confidentiality. The CompCert Verifying C Compiler maps source C programs to provably equivalent assembly language, ensuring the absence of exploitable bugs in the compiler. A number of factors have enabled this revolution, including faster processors, increased automation, more extensive infrastructure, specialized logics and the decision to co-develop code and correctness proofs rather than verify existing artefacts. In this paper, we explore the promise and limitations of current formal-methods techniques. We discuss these issues in the context of DARPA’s HACMS program, which had as its goal the creation of high-assurance software for vehicles, including quadcopters, helicopters and automobiles. This article is part of the themed issue ‘Verified trustworthy software systems’.

Highlights

  • Formal methods have offered the promise of verified software that does not have exploitable bugs

  • The emerging Internet of Things means that we have to worry about the security of many seemingly mundane objects: everything from supervisory control and data acquisition (SCADA) systems that control industrial infrastructure like sewage treatment plants and prison doors, to medical devices like insulin pumps and pacemakers, to computer peripherals like printers, scanners and routers, to communication equipment like radios and cellphones, to household appliances like television sets and refrigerators, to various kinds of vehicles and so on

  • The premise of DARPA’s high-assurance cyber-military systems (HACMS) program was that systems built using formal methods could be significantly more secure than current norms


Summary

Pervasive cybersecurity threats

To a first approximation, all computers are networked. Even many systems that are supposedly air-gapped are periodically connected, often via USB keys, so their software can be updated. When mechanics connect an infected computer to a car via the OBD-II port, the virus spreads to the car and allows the attackers to take control just as if they had a direct physical connection. Attackers could also exploit a strcpy bug in the car’s Bluetooth interface, provided to support hands-free dialing. In one demonstration, the hackers adjusted the air conditioning, the radio and the windshield wipers. They then disabled the transmission, which meant the driver could no longer control the speed of the car; it slowed to a crawl and caused a potentially dangerous situation. This demonstration did not show any fundamentally new security issues with automobiles, but it led to the recall of 1.4 million vehicles.

Computer security is hard
Hypothesis: formal methods can help
Some evidence
What are formal methods?
What software is worth verifying?
Impediments
Findings
Conclusion