In this course you will be introduced to best practices for the application of formal methods, a set of mathematically rigourous techniques for the formal specification, validation, and verification of safety- and security-critical cyberphysical systems, of which aircraft and spacecraft are the prime example. We will explore the tools, techniques, and applications of formal methods, focusing on the aerospace domain. We will examine the latest research to gain an understanding of the current state of the art, including the capabilities and limitations of applying formal methods for systems analysis. Students will leave with a better understanding of real-world system specification, design, and verification, including why the FAA specifically calls out formal methods in certification requirements such as DO-178B, DO-178C, and DO-254, and why modern security teams from DARPA to AWS require formal methods for cloud security.

This course is intended to be a fun, interactive introduction to applying formal analysis in the context of real-world systems. Hands-on learning, through the use of software tools in homeworks and projects, will be emphasized. We will learn the real tools used at NASA, Boeing, Collins Aerospace, Honeywell, Airbus, Amazon, and others. Students from all areas of aerospace engineering, electrical and computer engineering, computer science, cybersecurity, mathematics, and other engineering disciplines, are encouraged to enroll. It is registered in the international FME Education Course Database.

Course Syllabus

The prerequisite is mathematical maturity: Calculus II plus familiarity with discrete mathematics (or ability to learn them quickly from review material made available in the course). This prerequisite take the form of a disjunction; one of the following is required: AERE 361, COMS 311, or permission of the instructor (e.g., for students in other departments). Registering for 407 always requires instructor permission.

	Spin Model Checker http://spinroot.com/ Books: http://spinroot.com/spin/books.html
	SPOT Produces Our Traces https://spot.lrde.epita.fr/ More generally, JFLAP simulates automata
	nuXmv Model Checker https://es-static.fbk.eu/tools/nuxmv/ In addition to the manuals, see the Introduction Slides
	Isabelle Theorem Prover https://isabelle.in.tum.de/ Also: The Isabelle Cookbook and Guide for Beginners; See also Linear Temporal Logic, and Propositional and Modal Logic in Isabelle (also Modal Logics for Nominal Transition Systems), and Hybrid Logics like Epistemic Logic, State Counting/Reduction
	PVS Theorem Prover http://pvs.csl.sri.com/ NASA PVS Library (NASALib) v7.1 (https://github.com/nasa/pvslib) NASA PVS VSCode GUI (https://github.com/nasa/vscode-pvs) 30+ years of theorem proving at NASA: https://shemesh.larc.nasa.gov/fm/pvs/
	PRISM Model Checker http://www.prismmodelchecker.org/
	Responsive Realizable Unobtrusive Unit (R2U2) http://temporallogic.org/research/R2U2/
	Dafny Language and Program Verifier http://rise4fun.com/dafny/ https://github.com/dafny-lang/dafny Note that Dafny has many popular video tutorials!
	Z3 SMT Solver https://github.com/Z3Prover/z3 See also: SMT: Something You Must Try
	CBMC (Bounded Model Checker for C programs) http://www.cprover.org/cbmc/ Tip: CBMC has little support for C++; use for C only. Use CBMC for "unit proof" starting from the leaves of the call tree and working toward the root call; see Amazon's strategy here: https://nchong.github.io/papers/icse-seip20.pdf
	Coq Proof Assistant https://coq.inria.fr/ Book: Formal Reasoning About Programs
	Software Model Checking Competition on Software Verification (SV-COMP)
	Hardware Model Checking HardWare Model Checking Competition (HWMCC)
	Static Analysis Static Analysis: An Introduction
	ATP (Automated Theorem Proving) The CADE ATP System Competition: The World Championship for Automated Theorem Proving

Midterm: 10/24

Final Project: (in lieu of final exam)

Homework 0 due 8/28

Homework 1 due 9/4

Homework 2 due 9/16

Homework 3 due 10/2

Homework 4 due 10/14

Homework 5 due 10/23

Choice of research paper for in-class presentation due 10/21

Homework 0 (Review of Version Control and LaTeX primer): distributed 8/26 from CANVAS

Note: if you want a deeper understanding of git, there are many online courses.

Homework 1 (Propositional Logic Review): distributed 8/28 from CANVAS

• Here is a handy condensed list of definitions here.

Homework 2 (Temporal Logic): distributed 8/30 from CANVAS

Homework 3: distributed 9/11 from CANVAS

Homework 4: distributed 10/2. Submit CANVAS

• Proving Theorems With Computers

Homework 5: distributed 10/14 CANVAS

Choice of research paper for presention due via email: 10/21
You may not choose a paper authored by the professor.

Professor evaluation form for in-class presentations is available HERE
Student evaluation form for in-class presentations is available HERE

Here is some great advice on How to Give a Good Research Presentation.

Here is some great advice on How to Read a Paper (there is also advice on how to write papers and how to peer review papers).

Paper Presentation Schedule:
Each presentation should be approximately 30 minutes, including time for questions.

Use this for: good background on LTL: well-formed formulas, semantics, encoding English sentences, expressivity, normal forms, relationship to automata reactive system properties: safety, liveness, fairness specification and modeling of real systems deciding the truth of a temporal formula; related proof techniques including explicit model checking thorough chapter on Spin, including how to run it from the command line and a good Promela tutorial review of classical and propositional logic extensions including synthesizing software from specifications Be cautious that: LTL is instead called PTL in this book; that is non-standard LTL2BA is not the best tool; SPOT is far superior now: https://spot.lrde.epita.fr/ URLs provided are outdated (no longer active or superseded by the state of the art) Spin chapter refers to outdated xspin (though only briefly)

Use this for: supplemental material on temporal logics (LTL, CTL, CTL*) background on automata as system models review of explicit and symbolic model checking reachability, safety, liveness, deadlock-freeness, fairness overview of modeling abstraction methods out-of-date chapters on SPIN and SMV still have useful reviews of basic tool usage ideas for related formal methods, including timed automata models, additional tools Be cautious that: This book is extremely out of date! LTL is the proper name for Linear Temporal Logic (book calls it PLTL) comparisons of LTL vs CTL/CTL* have been changed/been disproved SMV version described is no longer available; current tool is nuXmv Spin version described has been updated (xspin vs ispin)

• LaTeX Symbols Guide: The ultimate symbol list! And the 2021 Edition
• LaTeX Wikibook: Good general purpose reference manual
• LaTeX for Logicians: Symbols of logic and proofs!
• Detexify: Draw your symbol!
• LaTeX Cheat Sheet: All the basics on one (two-sided) page!

• Beginner's guide and DO-333 Case Studies from NASA Langley!
• High-Assurance Cyber Military Systems (HACMS)
• Provable Security (and a blog too!)
• Verifiable Robotics
• PRISM Case Studies
• Collins Aerospace Trusted Systems
• Software Correctness
• pseuCo.com: an entirely-online Java-to-Labeled Transition System generator!
• Engineering Embedded Systems
• Formally Verified Software in the Real World (and on-board Boeing's Unmanned Little Bird)
• Trusted Autonomy in Air Force Flight Critical Systems
• International Mathematical Olympiad 2019
• TPTP (Thousands of Problems for Theorem Provers)
• Library of Proofs!
• Oh yeah? Well Verify This! (There's also a VerifyThis Long-Term Challenge with a video.)
• There are a large collection of Verification Competitions for different types of formal methods tools!
• Proving for Fun (Isabelle instructional videos are HERE and HERE.)
• QED at Large: A Survey of Engineering of Formally Verified Software
• Are there examples of originally widely accepted proofs that were later discovered to be wrong by attempting to formalize them using a proof assistant?
• How Close Are Computers to Automating Mathematical Reasoning?
• ISASAT: a SAT solver with provable full functional correctness verified, down to LLVM intermediate code, using Isabelle/LLVM
• Computer science, software and mathematics: Interactive proof assistants
• Proving that Android's, Java's and Python's sorting algorithm is broken (and showing how to fix it) using Key
• Proof General provides a generic Emacs mode for Proof Assistants: Coq, PhoX, EasyCrypt, Qrhl-tool
• Lean Together: a practical theorem prover with a great math library and community!
• A great survey paper on modelling and program verification tools
• An interactive Linear Temporal Logic Visualizer

• From Aristotle to the iPhone
• Knowledge Processing, Logic, and the Future of AI
• Video Lectures on advanced cyber-physical system verification by Prof. Andre Platzer