Formal methods provide remarkable tools allowing for high levels of confidence in the correctness of developments. Their use is therefore encouraged, when not required, for the development of systems in which safety or security is mandatory. But effectively specifying a secure system or deriving a secure implementation can be tricky. We propose a review of some classical `gotchas' and other possible sources of concerns with the objective to improve the confidence in formal developments, or at least to better assess the actual confidence level.
@article{arxiv.0902.3861,
title = {A Few Remarks About Formal Development of Secure Systems},
author = {Eric Jaeger and Thérèse Hardin},
journal= {arXiv preprint arXiv:0902.3861},
year = {2009}
}