Using formal methods to eliminate exploitable bugs

For decades, formal methods have offered the promise of software that doesn’t have exploitable bugs. Until recently, however, it hasn’t been possible to verify software of sufficient complexity to be useful. Recently, that situation has changed.  SeL4 is an open-source operating system microkernel efficient enough to be used in a wide range of practical applications. It has been proven to be fully functionally correct, ensuring the absence of buffer overflows, null pointer exceptions, use-after-free errors, etc., and to enforce integrity and confidentiality properties.  The CompCert Verifying C Compiler maps source C programs to provably equivalent assembly language, ensuring the absence of exploitable bugs in the compiler.   

A number of factors have enabled this revolution in the formal methods community, including increased processor speed, better infrastructure like the Isabelle/HOL and Coq theorem provers, specialized logics for reasoning about low-level code, increasing levels of automation afforded by tactic languages and SAT/SMT solvers, and the decision to move away from trying to verify existing artifacts and instead focus on co-developing the code and the correctness proof.  

In this talk Kathleen will explore the promises and limitations of current formal methods and techniques for producing useful software that propably does not contain exploitable bugs. She will discuss these issues in the context of DARPA’s HACMS program, which had as its goal, the creation of high-assurance software for vehicles, including quad-copters, helicopters, and automobiles.  


  • Get people thinking that they can build software that hackers will struggle to break into
  • Get people re-thinking about how formal tools can help them