Existing security models require that information of a given security level be prevented from "leaking" into lower-security information. High-security applications must be demonstrably free of such leaks, but such demonstration may require substantial manual analysis. Other authors have argued that the natural way to enforce these models automatically is …
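The requirement in that abstract, that information of one security class never flows into a lower class, can be checked statically rather than by manual analysis. The following is an added example, not code from the paper summarized above: a small lattice-based certifier over a toy statement language. The two-point lattice (`LOW`, `HIGH`), the `Assign`/`If` statement forms, and the variable names are assumptions made for the example. It rejects both explicit flows (assigning a `HIGH` value to a `LOW` variable) and implicit flows (assigning to a `LOW` variable inside a branch guarded by a `HIGH` value), which is the leak a purely syntactic check on assignments would miss.

```python
from dataclasses import dataclass

# Two-point security lattice (assumed for the example): LOW may flow to HIGH,
# HIGH must never flow to LOW.
LEVELS = {"LOW": 0, "HIGH": 1}


def lub(a, b):
    """Least upper bound of two classes: the class of a value combining both."""
    return a if LEVELS[a] >= LEVELS[b] else b


def flows_to(src, dst):
    """The model permits a flow only from a class to an equal or higher one."""
    return LEVELS[src] <= LEVELS[dst]


@dataclass
class Assign:
    target: str          # variable written
    sources: tuple       # variables read by the right-hand side


@dataclass
class If:
    guard: tuple         # variables read by the condition
    body: list           # statements executed under the condition


def certify(program, classes):
    """Statically certify a program against the declared variable classes.

    Returns the list of rejected assignments; an empty list means every
    explicit and implicit flow goes from a class to an equal or higher class.
    """
    violations = []

    def walk(stmts, pc):
        # pc is the class of the information that decided whether these
        # statements run at all; it flows implicitly into every assignment.
        for s in stmts:
            if isinstance(s, Assign):
                cls = pc
                for v in s.sources:
                    cls = lub(cls, classes[v])
                if not flows_to(cls, classes[s.target]):
                    violations.append(f"{cls} -> {s.target} ({classes[s.target]})")
            elif isinstance(s, If):
                guard_cls = pc
                for v in s.guard:
                    guard_cls = lub(guard_cls, classes[v])
                walk(s.body, guard_cls)

    walk(program, "LOW")
    return violations


# Constructed sample: one HIGH secret and two LOW variables.
CLASSES = {"secret": "HIGH", "public": "LOW", "tmp": "LOW"}

LEAKY = [
    Assign("public", ("secret",)),              # explicit flow HIGH -> LOW
    If(("secret",), [Assign("public", ())]),    # implicit flow via the guard
]

SAFE = [
    Assign("tmp", ("public",)),                 # LOW -> LOW
    Assign("secret", ("public", "tmp")),        # LOW -> HIGH is allowed
    If(("public",), [Assign("tmp", ("public",))]),
]

if __name__ == "__main__":
    print("leaky:", certify(LEAKY, CLASSES))
    print("safe:", certify(SAFE, CLASSES))
```

The `pc` argument carried through `walk` is what makes the check sound for implicit flows: the constant assigned inside `if secret` reveals nothing by itself, but the fact that the assignment happened reveals `secret`, so the guard's class is folded into every assignment under it. The same structure extends to a larger lattice by replacing `LEVELS` and `lub`.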
This paper describes the use of formal development methods on an industrial safety-critical application. The Z notation was used for documenting the system specification and part of the design, and the SPARK subset of Ada was used for coding. However, perhaps the most distinctive nature of the project lies in the amount of proof that was carried out: …
Using automated reasoning techniques, we tackle the niche activity of proving that a program is free from run-time exceptions. Such a property is particularly valuable in high integrity software, e.g. safety or security critical applications. The context for our work is the SPARK Approach for the development of high integrity software. The SPARK Approach …
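Proving freedom from run-time exceptions means discharging, for every operation that could raise one, a verification condition showing it cannot. The following added example (not code from the paper above, and not SPARK or its toolset) shows the simplest form of that reasoning: an interval analysis over a tiny straight-line language that generates a condition for each division and each array index, and reports the ones it cannot prove. The statement forms, the declared input ranges, the array bounds, and the fallback 32-bit range used after an unproven division are all assumptions; integer division is taken to truncate toward zero, as in Ada.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    lo: int
    hi: int

    def contains(self, v):
        return self.lo <= v <= self.hi

    def within(self, other):
        return other.lo <= self.lo and self.hi <= other.hi


# Fallback range once a value is no longer known precisely (assumed 32-bit).
TOP = Interval(-(2 ** 31), 2 ** 31 - 1)


def tdiv(a, b):
    """Integer division truncating toward zero (Ada semantics); b != 0."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q


# Assumed tiny IR: each statement writes dst from one or two variables.
@dataclass
class Add:
    dst: str
    a: str
    b: str


@dataclass
class Sub:
    dst: str
    a: str
    b: str


@dataclass
class Div:
    dst: str
    a: str
    b: str


@dataclass
class Index:
    dst: str
    array: str
    idx: str          # dst := array(idx)


def analyse(program, inputs, arrays):
    """Propagate value ranges and check every run-time-exception site.

    inputs: variable -> Interval declared for the program's inputs.
    arrays: name -> (first, last, Interval of the element values).
    Returns (unproven, env): the verification conditions that could not be
    discharged, and the final variable ranges.
    """
    env = dict(inputs)
    unproven = []
    for n, s in enumerate(program, 1):
        if isinstance(s, Add):
            a, b = env[s.a], env[s.b]
            env[s.dst] = Interval(a.lo + b.lo, a.hi + b.hi)
        elif isinstance(s, Sub):
            a, b = env[s.a], env[s.b]
            env[s.dst] = Interval(a.lo - b.hi, a.hi - b.lo)
        elif isinstance(s, Div):
            a, b = env[s.a], env[s.b]
            if b.contains(0):
                unproven.append(f"stmt {n}: divisor {s.b} in [{b.lo},{b.hi}] may be zero")
                env[s.dst] = TOP
            else:
                # With zero excluded, the extreme quotients lie at the corners.
                corners = [tdiv(p, q) for p in (a.lo, a.hi) for q in (b.lo, b.hi)]
                env[s.dst] = Interval(min(corners), max(corners))
        elif isinstance(s, Index):
            first, last, elems = arrays[s.array]
            i = env[s.idx]
            if not i.within(Interval(first, last)):
                unproven.append(
                    f"stmt {n}: index {s.idx} in [{i.lo},{i.hi}] "
                    f"not within {s.array}'Range {first}..{last}")
            env[s.dst] = elems
    return unproven, env


# Constructed sample: x in 0..9, y in 1..5, buf : array (0..9) of 0..255.
INPUTS = {"x": Interval(0, 9), "y": Interval(1, 5)}
ARRAYS = {"buf": (0, 9, Interval(0, 255))}

PROVEN = [Index("e", "buf", "x"), Div("q", "x", "y")]
RISKY = [
    Sub("d", "y", "x"),          # d in -8..5, so d may be zero
    Div("r", "x", "d"),          # division by zero not excluded
    Add("i", "x", "y"),          # i in 1..14
    Index("e", "buf", "i"),      # index may exceed buf'Last
]

if __name__ == "__main__":
    for name, prog in (("proven", PROVEN), ("risky", RISKY)):
        print(name, analyse(prog, INPUTS, ARRAYS)[0])
```

Every entry in `unproven` is a condition that either a stronger precondition on the inputs or a guard in the code must discharge before the program can be called exception-free; a real prover also has to handle loops (with widening or invariants) and overflow of the declared integer type, which this straight-line example omits.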
This paper describes a new development of the GNAT Ada95 compilation system (GNORT) that is appropriate for the development of high integrity embedded systems. We describe GNORT, the motivation for its development, and give some technical detail of its implementation. The latter part of the paper goes on to describe SHOLIS, an existing safety-critical …