Verification in the Grand Challenge

J. Woodcock, Janet Barnes, R. Chapman, S. Foster, T. Santen
Journal: Theories of Programming, published 2021-10-02. DOI: 10.1145/3477355.3477363 (https://doi.org/10.1145/3477355.3477363)

Abstract

We review Tony Hoare's verification challenge. We start in 2003 with his challenge to construct a verifying compiler and his continuing theme on unifying theories in computer science. We describe the industrial-scale pilot projects that were proposed to drive this challenge forward: NatWest's Mondex smart card, NASA's space-flight flash filestore, Ofcom's radio spectrum auctions, Microsoft's hypervisor, NSA's Tokeneer identification station, Wittenstein's FreeRTOS real-time kernel, and Boston Scientific's cardiac pacemaker. We go into detail on the conduct and achievements of the Tokeneer project. We discuss the wider impact of the verification challenge and the sea change since 2003. We look forward to the next 15 years and suggest a pilot project in robotics for the verification community.

review of all specifications. (2) Independent design assessment: to ensure that all essential system functional requirements are correctly represented in all stages of the software design. (3) Malpas analysis: formal verification of the source code against its specifications. (4) Object/source code comparison: to eliminate the possibility of errors being introduced by the compiler and linker. (5) Dynamic testing: randomly generated test cases on one of the four identical channels of the PPS. Ward estimates that these five activities involved around 250 person-years of effort, an amount equivalent to that spent by the software manufacturer in their own development and verification work. The Malpas activity has been estimated at 100 person-years. Ward concludes that, although high, this level of effort was considered necessary.

core functions of one component of the Tokeneer system. The development