Isabelle/SACM: Computer-Assisted Assurance Cases with Integrated Formal Methods

  • Yakoub Nemouchi
  • Simon FosterEmail author
  • Mario Gleirscher
  • Tim Kelly
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11918)


Assurance cases (ACs) are often required to certify critical systems. The use of integrated formal methods (FMs) in assurance can improve automation, increase confidence, and overcome errant reasoning. However, ACs can rarely be fully formalised, as the use of FMs is contingent on models that are validated by informal processes. Consequently, assurance techniques should support both formal and informal artifacts, with explicated inferential links between them. In this paper, we contribute a formal machine-checked interactive language for the computer-assisted construction of ACs called Isabelle/SACM. The framework guarantees well-formedness, consistency, and traceability of ACs, and allows a tight integration of formal and informal evidence of various provenance. To validate Isabelle/SACM, we present a novel formalisation of the Tokeneer benchmark, verify its security requirements, and form a mechanised AC that combines the resulting formal and informal artifacts.



This work is funded by EPSRC projects CyPhyAssure8, (grant reference EP/S001190/1), and RoboCalc (grant reference EP/M025756/1), and additionally German Science Foundation (DFG) grant 381212925.


  1. 1.
    Barnes, J., Chapman, R., Johnson, R., Widmaier, J., Cooper, D., Everett, B.: Engineering the Tokeneer enclave protection software. In: Proceedings of IEEE International Symposium on Secure Software Engineering (ISSSE) (2006)Google Scholar
  2. 2.
    Bishop, P.G., Bloomfield, R.E.: A methodology for safety case development. In: Redmill, F., Anderson, T. (eds.) Industrial Perspectives of Safety-Critical Systems, pp. 194–204. Springer, London (1998). Scholar
  3. 3.
    Blanchette, J.C., Bulwahn, L., Nipkow, T.: Automatic proof and disproof in Isabelle/HOL. In: Tinelli, C., Sofronie-Stokkermans, V. (eds.) FroCoS 2011. LNCS (LNAI), vol. 6989, pp. 12–27. Springer, Heidelberg (2011). Scholar
  4. 4.
    Brucker, A.D., Ait-Sadoune, I., Crisafulli, P., Wolff, B.: Using the isabelle ontology framework. In: Rabe, F., Farmer, W.M., Passmore, G.O., Youssef, A. (eds.) CICM 2018. LNCS (LNAI), vol. 11006, pp. 23–38. Springer, Cham (2018). Scholar
  5. 5.
    Common Criteria Consortium: Common criteria for information technology security evaluation - part 1: introduction and general model. Technical report CCMB-2017-04-001 (2017).
  6. 6.
    Cooper, D., et al.: Tokeneer ID station: formal specification. Technical report, Praxis High Integrity Systems, August 2008.
  7. 7.
    Cooper, D., et al.: Tokeneer ID station: security properties. Technical report, Praxis High Integrity Systems, August 2008.
  8. 8.
    Cruanes, S., Hamon, G., Owre, S., Shankar, N.: Tool integration with the evidential tool bus. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) VMCAI 2013. LNCS, vol. 7737, pp. 275–294. Springer, Heidelberg (2013). Scholar
  9. 9.
    Denney, E., Pai, G.: Tool support for assurance case development. Autom. Softw. Eng. 25, 435–499 (2018)CrossRefGoogle Scholar
  10. 10.
    Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18(8), 453–457 (1975)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Diskin, Z., Maibaum, T., Wassyng, A., Wynn-Williams, S., Lawford, M.: Assurance via model transformations and their hierarchical refinement. In: MODELS. IEEE (2018)Google Scholar
  12. 12.
    Foster, S., Baxter, J., Cavalcanti, A., Miyazawa, A., Woodcock, J.: Automating verification of state machines with reactive designs and Isabelle/UTP. In: Bae, K., Ölveczky, P.C. (eds.) FACS 2018. LNCS, vol. 11222, pp. 137–155. Springer, Cham (2018). Scholar
  13. 13.
    Foster, S., Cavalcanti, A., Canham, S., Woodcock, J., Zeyda, F.: Unifying theories of reactive design contracts. Theoretical Computer Science, September 2019Google Scholar
  14. 14.
    Foster, S., Cavalcanti, A., Woodcock, J., Zeyda, F.: Unifying theories of time with generalised reactive processes. Inf. Process. Lett. 135, 47–52 (2018)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Foster, S., Thiele, B., Cavalcanti, A., Woodcock, J.: Towards a UTP semantics for modelica. In: Bowen, J.P., Zhu, H. (eds.) UTP 2016. LNCS, vol. 10134, pp. 44–64. Springer, Cham (2017). Scholar
  16. 16.
    Foster, S., Zeyda, F., Nemouchi, Y., Ribeiro, P., Wolff, B.: Isabelle/UTP: mechanised theory engineering for unifying theories of programming. Archive of Formal Proofs (2019).
  17. 17.
    Foster, S., Zeyda, F., Woodcock, J.: Unifying heterogeneous state-spaces with lenses. In: Sampaio, A., Wang, F. (eds.) ICTAC 2016. LNCS, vol. 9965, pp. 295–314. Springer, Cham (2016). Scholar
  18. 18.
    Gleirscher, M., Foster, S., Nemouchi, Y.: Evolution of formal model-based assurance cases for autonomous robots. In: Ölveczky, P.C., Salaün, G. (eds.) SEFM 2019. LNCS, vol. 11724, pp. 87–104. Springer, Cham (2019). Scholar
  19. 19.
    Gleirscher, M., Foster, S., Woodcock, J.: New opportunities for integrated formal methods. ACM Comput. Surv. (2019, in Press). Preprint:
  20. 20.
    Greenwell, W., Knight, J., Holloway, C.M., Pease, J.: A taxonomy of fallacies in system safety arguments. In: Proceedings of the 24th International System Safety Conference, July 2006Google Scholar
  21. 21.
    Habli, I., Kelly, T.: Balancing the formal and informal in safety case arguments. In: VeriSure Workshop, colocated with CAV, July 2014Google Scholar
  22. 22.
    Hoare, C.A.R., He, J.: Unifying Theories of Programming. Prentice-Hall, Upper Saddle River (1998)zbMATHGoogle Scholar
  23. 23.
    Jackson, D.: Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol. 11(2), 256–290 (2000)CrossRefGoogle Scholar
  24. 24.
    Kelly, T.: Arguing safety - a systematic approach to safety case management. Ph.D. thesis, University of York (1998)Google Scholar
  25. 25.
    Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL – A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002). Scholar
  26. 26.
    Paige, R.F.: A meta-method for formal method integration. In: Fitzgerald, J., Jones, C.B., Lucas, P. (eds.) FME 1997. LNCS, vol. 1313, pp. 473–494. Springer, Heidelberg (1997). Scholar
  27. 27.
    Rivera, V., Bhattacharya, S., Cataño, N.: Undertaking the tokeneer challenge in event-B. In: FormaliSE 2016. ACM Press (2016)Google Scholar
  28. 28.
    Rushby, J.: Logic and epistemology in safety cases. In: Bitsch, F., Guiochet, J., Kaâniche, M. (eds.) SAFECOMP 2013. LNCS, vol. 8153, pp. 1–7. Springer, Heidelberg (2013). Scholar
  29. 29.
    Rushby, J.: Mechanized support for assurance case argumentation. In: Nakano, Y., Satoh, K., Bekki, D. (eds.) JSAI-isAI 2013. LNCS (LNAI), vol. 8417, pp. 304–318. Springer, Cham (2014). Scholar
  30. 30.
    Wei, R., Kelly, T., Dai, X., Zhao, S., Hawkins, R.: Model based system assurance using the structured assurance case metamodel. Syst. Softw. 154, 211–233 (2019)CrossRefGoogle Scholar
  31. 31.
    Wenzel, M., Wolff, B.: Building formal method tools in the Isabelle/Isar framework. In: Schneider, K., Brandt, J. (eds.) TPHOLs 2007. LNCS, vol. 4732, pp. 352–367. Springer, Heidelberg (2007). Scholar
  32. 32.
    Wenzel, M.: Isabelle/jEdit as IDE for domain-specific formal languages and informal text documents. In: Proceedings of the 4th Workshop on Formal Integrated Development Environment (F-IDE), pp. 71–84 (2018). Scholar
  33. 33.
    Woodcock, J.: First steps in the verified software grand challenge. IEEE Comput. 39(10), 57–64 (2006)CrossRefGoogle Scholar
  34. 34.
    Woodcock, J., Aydal, E.G., Chapman, R.: The tokeneer experiments. In: Roscoe, A.W., Jones, C.B., Wood, K.R. (eds.) Reflections on the Work of C.A.R. Hoare, pp. 405–430. Springer, London (2010). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Yakoub Nemouchi
    • 1
  • Simon Foster
    • 1
    Email author
  • Mario Gleirscher
    • 1
  • Tim Kelly
    • 1
  1. 1.University of YorkYorkUK

Personalised recommendations