Re: Proof of correctness proves what, exactly?
Does this class of "proof" prove the source matches the formal specification? Mostly, proofs like this seem to be derived from source code. Mostly, processors execute executable code (with some data).
What's the relationship between source and executable? Has that process ever been usefully proven correct, or has it been shown to be generally untrustworthy (which isn't the same as showing it broken). See e.g. another wise man and his "Reflections on Trusting Trust", and various related discussions which followed.
More to this than meets the eye - as Professor Ross Anderson recently discovered, at this kind of level, safety and security can be rather closely related. His background is security. Others have been coming at it from a safety point of view. It'd be nice to see them talking more to each other:
https://www.lightbluetouchpaper.org/2017/06/01/when-safety-and-security-become-one/
"What happens when your car starts getting monthly upgrades like your phone and your laptop? It’s starting to happen, and the changes will be profound. We’ll be able to improve car safety as we learn from accidents, and fixing a flaw won’t mean spending billions on a recall. But if you’re writing navigation code today that will go in the 2020 Landrover, how will you be able to ship safety and security patches in 2030? In 2040? In 2050? At present we struggle to keep software patched for three years; we have no idea how to do it for 30.
Our latest paper reports a project that Éireann Leverett, Richard Clayton and I undertook for the European Commission into what happens to safety in this brave new world. Europe is the world’s lead safety regulator for about a dozen industry sectors, of which we studied three: road transport, medical devices and the electricity industry.
Up till now, we’ve known how to make two kinds of fairly secure system. There’s the software in your phone or laptop which is complex and exposed to online attack, so has to be patched regularly as vulnerabilities are discovered. It’s typically abandoned after a few years as patching too many versions of software costs too much. The other kind is the software in safety-critical machinery which has tended to be stable, simple and thoroughly tested, and not exposed to the big bad Internet. As these two worlds collide, there will be some rather large waves.
(continues)"
Recommended reading (even if a little overdue).