In terms of progress beyond the state of the art, we expect to advance in the following areas:
• Improved formal methods usability and stability: Frama-C has been experimented since 2005 on numerous applications from different domains improve the tool and its methodology. In VESSEDIA we tackle the field of IoT through three IoT use-cases. The same experimental approach holds for the VeriFast, Diversity, Contiki, and FlowArmor tools that have evolved along experiments and applications.
• Improved scalability: VESSEDIA expects to scale up source code analysis tools by improving the efficiency of the tools and demonstrate it on the project’s use-cases.
• Standardisation: In the ISO JTC1 VESSEDIA will produce in three years a normative ISO standard for V&V tools.
• Improved modularity and abstraction: programming languages have improved significantly with abstraction means at the language level allowing more efficient programming and less error prone programs. In VESSEDIA, the connections between design and formal methods will help in the same manner by 1) more abstract descriptions of systems, 2) system-level security properties and their refinements, and 3) integration of detailed specifications at design level.
• Methodology: a proper methodology will be proposed for using the tools, taking into account the environment and the economic and certification constraints.
The expected results of the project concern mainly the analysis of safety and security analysis of IoT applications. We expect the following main results at M36:
- Experimental results from the use-cases: approach to V&V, target of verification, analysis results, quantitative data, and recommendations for other similar applications.
- New and improved tools that permit easy and efficient analysis of critical applications.
- Integrated tools that help improve the analysis work, namely by combining static with dynamic analyses, and modelling with specifications and proofs.
- Improvements in the analysis of C++ source code: we expect to improve the ACSL++ specification language to cover the complex traits of C++.
- Certification help through support of the CC certification activities and integration of the VESSEDIA methodology into existing national certification schemes.
- Help for security evaluation through tool support to software evaluation process.
- A new ISO standard on V&V tools.
- On the dissemination side, we expect an enlarged community of users of the project tools, new partnerships with industry on software safety and security, notoriety of project partners in the IoT security domain, improved security evaluation processes and new security training material.
In terms of potential impacts, the project expects significant impacts in the following areas:
- Improved static analysis tools, allowing easier and cost-effective analyses to be performed on a whole range of medium-criticality software applications.
- More users’ trust in ICT products and services through higher level of security and privacy.
- More resilient critical infrastructures and services by a systems approach.
- Systems-oriented metrics allowing managers to assess and predict the level of security of their software.
- Economic impact and European competitiveness by implementing security in software developments right from the start avoiding costly remediation measures.
- Dissemination of results through all available channels and actors.
- Standardisation through the production of a new ISO standard.
- New releases of the project’s core toolkits.