Safe C
Les Hatton [4] argues that...
Standard C is not good enough on its own, but...
- It is good enough provided we use a set of coding conventions..
- And verify the code with a static analysis tool
Our "machines" (SPoC and PC-lint) generated & verified C
- That C program now securely monitors cargo on many of the world's oil and gas tankers
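To make the "coding conventions plus static analysis" point concrete, here is an added C example (not code from the slides, Hatton, or the SPoC/PC-lint tool chain). It shows the kind of conventions a static analyser is then used to enforce: explicit destination sizes, no unbounded string calls, a defined state on every failure path, and a status return the caller must check. The record layout, the `NAME_MAX` and tank-height bounds, and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed fixed-size record for a cargo-tank reading (illustrative layout). */
#define NAME_MAX 16
#define LEVEL_MAX_MM 30000U   /* assumed physical tank height bound */

typedef struct {
    char name[NAME_MAX];
    unsigned int level_mm;
} tank_reading;

/* Bounded length scan: never reads past 'limit' bytes of 'src'. */
static size_t bounded_len(const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0') {
        n++;
    }
    return n;
}

/* Convention 1: caller passes the destination size; the callee never guesses it.
 * Convention 2: every failure path leaves 'dst' in a defined state.
 * Convention 3: no unbounded library calls (strcpy, sprintf) anywhere.
 * Convention 4: the result is a status the caller is expected to check. */
bool safe_copy_name(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0) {
        return false;
    }
    len = bounded_len(src, dst_size);
    if (len >= dst_size) {        /* would need truncation: refuse, do not silently cut */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);    /* length is already proven to fit, terminator included */
    return true;
}

/* Builds a reading; a sensor value outside the physical bound is rejected
 * here rather than propagated to later stages. */
bool make_reading(tank_reading *out, const char *name, unsigned int level_mm)
{
    if (out == NULL) {
        return false;
    }
    if (level_mm > LEVEL_MAX_MM) {
        return false;
    }
    if (!safe_copy_name(out->name, sizeof out->name, name)) {
        return false;
    }
    out->level_mm = level_mm;
    return true;
}

/* Helper for callers and tests: does 'src' fit a NAME_MAX buffer under the rules above? */
bool name_fits(const char *src)
{
    char buf[NAME_MAX];
    return safe_copy_name(buf, sizeof buf, src);
}

/* Self-check covering the accept and reject paths; returns true if all hold. */
bool check_conventions(void)
{
    char buf[NAME_MAX];
    tank_reading r;
    if (!safe_copy_name(buf, sizeof buf, "CARGO-1") || strcmp(buf, "CARGO-1") != 0) return false;
    if (safe_copy_name(buf, sizeof buf, "0123456789ABCDEF")) return false;  /* 16 chars, needs 17 */
    if (buf[0] != '\0') return false;                                        /* defined state on failure */
    if (!safe_copy_name(buf, sizeof buf, "0123456789ABCDE")) return false;  /* 15 chars fit */
    if (!make_reading(&r, "TANK-3", 1200U) || r.level_mm != 1200U) return false;
    if (make_reading(&r, "TANK-3", LEVEL_MAX_MM + 1U)) return false;        /* out-of-range level */
    if (make_reading(&r, NULL, 100U)) return false;                          /* NULL name */
    if (make_reading(NULL, "TANK-3", 100U)) return false;                    /* NULL output */
    return true;
}
```

The design choice worth noting is that `safe_copy_name` refuses an over-long name instead of truncating it: a silently shortened identifier is exactly the kind of defect that is hard to see at run time but easy for a convention plus a static checker to rule out at build time.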