Comments on: The Tokeneer Project

By: Microsoft Research: 2011 Verified Software Milestone Award Winners - Ada Resource Association

Thu, 07 Apr 2011 14:58:43 +0000

[...] From the announcement: We are delighted to announce that the recipients of the inaugural Microsoft Research Verified Software Milestone Award are Janet Barnes and Rod Chapman for the Tokeneer Project (http://www.altran-praxis.com/security.aspx). [...]

By: Links » Useful Security

Links » Useful Security — Sun, 16 Aug 2009 14:59:49 +0000

[...] Michael asked “what about Tokeneer?” [...]

By: Open source and certified systems | carlodaffara.conecta.it

Open source and certified systems | carlodaffara.conecta.it — Thu, 16 Apr 2009 07:58:31 +0000

[...] FIPS standard, common criteria Evaluation Assurance Level EAL4+ (and in one case, meet or exceed EAL5), civil engineering (where the product is used for the stability computations for EDF nuclear [...]

By: Ada for C++ Developers: Development Environments « The Global Engineer’s Notebook

Fri, 27 Mar 2009 05:20:09 +0000

[...] of PR about Ada in the news these days revolves around SPARK, such as the NSA Tokeneer [DrDobbs, AdaCore] project. From the vendor’s web page: SPARK gives confidence in the correctness of code – [...]

By: ANN: SPARK Proof - Tutorials and Tools | keyongtech

ANN: SPARK Proof - Tutorials and Tools | keyongtech — Mon, 23 Mar 2009 15:07:28 +0000

[...] Re: SPARK Proof – Tutorials and Tools Thank you Phil, It is the best documentation and "how to use guide" ever made on this subject. That is a long overdue and great clarification on the SPARK purpose, constraints and limitations. (i.e.: Proof of Absence of Run-time Error). "The Simplifier does not prove all provable Verification Conditions (a provable VC is one where the conclusions can be shown to be logical consequences of the hypotheses). Any VCs remaining after simplification may be provable (but beyond the capability of the Simplifier to prove) or unprovable." That’s start to make sense. Mathematical approximations sometimes don’t deal easily with computer calculation errors. I was assuming that is a flight trajectory/airspace intersection instability risk that SPARK or Praxis’s Correctness by construction can’t easily evaluate. I think that shall confirm SPARK as one programming insurance tool (doing it right), and don’t compromise the use of Ada like a Computer Assisted Engineering tool (doing the right thing). Now, about knowing what we are doing, did you suggest the proof must be elaborated once the functional behaviour has been thoroughly tested (unit, non-regression, integration, verification, (validation) testing – all the kit indeed)? i.e.: "Proof Checker, (This option may lead to proofs that are difficult to maintain.)" Indeed, that is what could have prevented the Praxis’s iFACTS project from entering the wall. (see above for a plausible explanation) And about project as complex and big than iFACTS, (I have another similar in mind, and mind a responsible answer) would you suggest SPARK could still be an affordable option, e.g.: taking into account the overhead that annotations and proofs shall require (quite twice of the project’s level of effort, as I would figure – learning curve not entirely included) Cheers, Michael, Vancouver, British Columbia Praxis’s Tokeneer demo is also available – example is still instructive, but SPARK usage and limitations are poorly documented: http://www.adacore.com/home/products/gnatpro/tokeneer/ [...]