Twenty years of formal methods

Abstract

Following Godel, consider a formal mathematical system to be a system of symbols together with rules for employing them (K. Godel, 1965). The rules may be formation rules (stipulating the strings of symbols that constitute well formed formulae), proof rules (stipulating the strings of formulae that constitute proofs), or semantic rules (mapping formulae into an algebraic domain). The rules must be recursive. The requirement that the rules be recursive is an important one since it makes it possible to construct a computer program that can determine whether a rule set has been correctly applied. This, in theory, should give us the ability to use computers to determine whether properties we attribute to specifications or computer programs hold for certain. However, the assurance that can be obtained from formal methods comes at a price. For many applications, formal methods are prohibitively expensive. The formal methods community has traditionally looked to computer security as an application area where the expense of faulty software would make the application of formal methods cost-effective. For its part, the computer security community has traditionally looked to formal methods as a source of assurance that goes beyond what is attainable by testing. Although the marriage of formal methods and computer security has not been completely smooth sailing, it has led to a substantial growth in each partner. The article documents that growth.