Formal Methods
Maurice H. ter Beek, Annabelle McIver, José N. Oliveira (Eds.)
LNCS 11800
Formal Methods – The Next 30 Years
Third World Congress, FM 2019
Porto, Portugal, October 7–11, 2019
Proceedings
Lecture Notes in Computer Science 11800
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board Members
David Hutchison, UK
Takeo Kanade, USA
Josef Kittler, UK
Jon M. Kleinberg, USA
Friedemann Mattern, Switzerland
John C. Mitchell, USA
Moni Naor, Israel
C. Pandu Rangan, India
Bernhard Steffen, Germany
Demetri Terzopoulos, USA
Doug Tygar, USA
Formal Methods
Subline of Lecture Notes in Computer Science
Subline Series Editors
Ana Cavalcanti, University of York, UK
Marie-Claude Gaudel, Université de Paris-Sud, France
Subline Advisory Board
Manfred Broy, TU Munich, Germany
Annabelle McIver, Macquarie University, Sydney, NSW, Australia
Peter Müller, ETH Zurich, Switzerland
Erik de Vink, Eindhoven University of Technology, The Netherlands
Pamela Zave, AT&T Laboratories Research, Bedminster, NJ, USA
More information about this series at http://www.springer.com/series/7408
Editors
Maurice H. ter Beek, Consiglio Nazionale delle Ricerche, Pisa, Italy
Annabelle McIver, Macquarie University, Sydney, NSW, Australia
José N. Oliveira, University of Minho, Braga, Portugal
ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-030-30941-1 ISBN 978-3-030-30942-8 (eBook)
https://doi.org/10.1007/978-3-030-30942-8
LNCS Sublibrary: SL2 – Programming and Software Engineering
© Springer Nature Switzerland AG 2019
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
This volume contains the papers presented at the 23rd Symposium on Formal Methods
(FM 2019), held in Porto, Portugal, in the form of the Third World Congress on Formal
Methods, during October 7–11, 2019. These proceedings also contain five papers
selected by the Program Committee (PC) of the Industry Day (I-Day).
FM 2019 was organized under the auspices of Formal Methods Europe (FME), an
independent association whose aim is to stimulate the use of, and research on, formal
methods for software development. It has been more than 30 years since the first VDM
symposium in 1987 brought together researchers with the common goal of creating
methods to produce high-quality software based on rigor and reason. Since then the
diversity and complexity of computer technology has changed enormously and the
formal methods community has stepped up to the challenges those changes brought by
adapting, generalizing, and improving the models and analysis techniques that were the
focus of that first symposium. The theme for FM 2019, “The Next 30 Years,” was a
reflection on how far the community has come and the lessons we can learn for
understanding and developing the best software for future technologies.
To reflect the fact that it has been 20 years since FM 1999 in Toulouse and 10 years
since FM 2009 in Eindhoven, FM 2019 was organized as a World Congress, and we
composed a PC of renowned scientists from 42 different countries spread across all
continents except for Antarctica. We originally received a stunning total of 185 abstract
submissions, which unfortunately resulted in ‘only’ 129 paper submissions from 36
different countries. Each submission went through a rigorous review process in which
95% of the papers were reviewed by four PC members. Following an in-depth discussion
phase lasting two weeks, we selected 37 full papers and 2 short tool papers, an
acceptance rate of 30%, for presentation during the symposium and inclusion in these
proceedings. The symposium featured keynotes by Shriram Krishnamurthi (Brown
University, USA), Erik Poll (Radboud University, The Netherlands), and June
Andronick (CSIRO-Data61 and UNSW, Australia). We hereby thank these invited
speakers for having accepted our invitation. The program also featured a Lucas Award
and FME Fellowship Award Ceremony.
We are grateful to all involved in FM 2019. In particular the PC members and
subreviewers for their accurate and timely reviewing, all authors for their submissions,
and all attendees of the symposium for their participation. We also thank all the other
committees (I-Day, Doctoral Symposium, Journal First Track, Workshops, and
Tutorials), itemized on the following pages, and particularly the excellent local organization
and publicity teams. In addition to FM 2019 they also managed the FM week
consisting of another 8 conferences, 17 workshops, and 7 tutorials, as well as ‘X’, the
secret project of a colloquium in honor of Stefania Gnesi based on a Festschrift to
celebrate her 65th birthday.
We are very grateful to our platinum sponsors: Amazon Web Services (AWS),
Google, and Sony; our gold sponsors: Springer, Semmle, ASML, and PT-FLAD Chair
in Smart Cities & Smart Governance; our silver sponsors: Oracle Labs, Runtime
Verification Inc., Standard Chartered, GMV, United Technologies Research Center
(UTRC), and Efacec; our bronze sponsors i2S, Foundations of Perspicuous Software
Systems Collaborative Research Center, and the Mathematical research center of the
University of Porto (CMUP); and our basic sponsors: Natixis and Neadvance.
Finally, we thank Springer for publishing these proceedings in their FM subline and
we acknowledge the support from EasyChair in assisting us in managing the complete
process from submissions to these proceedings to the program.
August 2019 Maurice H. ter Beek
Annabelle McIver
José N. Oliveira
Organization
General Chair
José N. Oliveira University of Minho and INESC TEC, Portugal
FM Program Chairs
Maurice H. ter Beek ISTI–CNR, Italy
Annabelle McIver Macquarie University, Australia
Industry Day Chairs
Joe Kiniry Galois Inc., USA
Thierry Lecomte ClearSy, France
Doctoral Symposium Chairs
Alexandra Silva University College London, UK
Antónia Lopes University of Lisbon, Portugal
Journal First Track Chair
Augusto Sampaio Federal University of Pernambuco, Brazil
Workshop and Tutorial Chairs
Emil Sekerinski McMaster University, Canada
Nelma Moreira University of Porto, Portugal
FM Program Committee
Bernhard Aichernig TU Graz, Austria
Elvira Albert Complutense University of Madrid, Spain
María Alpuente Polytechnic University of Valencia, Spain
Dalal Alrajeh Imperial College, UK
Mário S. Alvim Federal University of Minas Gerais, Brazil
June Andronick CSIRO-Data61, Australia
Christel Baier TU Dresden, Germany
Luís Barbosa University of Minho and UN University, Portugal
Gilles Barthe IMDEA Software Institute, Spain
Marcello Bersani Polytechnic University of Milan, Italy
Gustavo Betarte Tilsor SA and University of the Republic, Uruguay
Nikolaj Bjørner Microsoft Research, USA
Frank de Boer CWI, The Netherlands
Sergiy Bogomolov Australian National University, Australia
Julien Brunel ONERA, France
Néstor Cataño Universidad del Norte, Colombia
Ana Cavalcanti University of York, UK
Antonio Cerone Nazarbayev University, Kazakhstan
Marsha Chechik University of Toronto, Canada
David Chemouil ONERA, France
Alessandro Cimatti FBK–IRST, Italy
Alcino Cunha University of Minho and INESC TEC, Portugal
Michael Dierkes Rockwell Collins, France
Alessandro Fantechi University of Florence, Italy
Carla Ferreira New University of Lisbon, Portugal
João Ferreira Teesside University, UK
José L. Fiadeiro Royal Holloway University of London, UK
Marcelo Frias Buenos Aires Institute of Technology, Argentina
Fatemeh Ghassemi University of Tehran, Iran
Silvia Ghilezan University of Novi Sad, Serbia
Stefania Gnesi ISTI–CNR, Italy
Reiner Hähnle TU Darmstadt, Germany
Osman Hasan University of Sciences and Technology, Pakistan
Klaus Havelund NASA Jet Propulsion Laboratory, USA
Anne Haxthausen TU Denmark, Denmark
Ian Hayes University of Queensland, Australia
Constance Heitmeyer Naval Research Laboratory, USA
Jane Hillston University of Edinburgh, UK
Thai Son Hoang University of Southampton, UK
Zhenjiang Hu National Institute of Informatics, Japan
Dang Van Hung Vietnam National University, Vietnam
Atsushi Igarashi Kyoto University, Japan
Suman Jana Columbia University, USA
Ali Jaoua Qatar University, Qatar
Einar Broch Johnsen University of Oslo, Norway
Joost-Pieter Katoen RWTH Aachen University, Germany
Laura Kovács TU Vienna, Austria
Axel Legay UCLouvain, Belgium
Gabriele Lenzini University of Luxembourg, Luxembourg
Yang Liu Nanyang Technical University, Singapore
Alberto Lluch Lafuente TU Denmark, Denmark
Malte Lochau TU Darmstadt, Germany
Michele Loreti University of Camerino, Italy
Anastasia Mavridou NASA Ames, USA
Hernán Melgratti University of Buenos Aires, Argentina
Sun Meng Peking University, China
Dominique Méry LORIA and University of Lorraine, France
Rosemary Monahan Maynooth University, Ireland
Olfa Mosbahi University of Carthage, Tunisia
Mohammad Mousavi University of Leicester, UK
César Muñoz NASA Langley, USA
Tim Nelson Brown University, USA
Gethin Norman University of Glasgow, UK
Colin O’Halloran D-RisQ Software Systems, UK
Federico Olmedo University of Chile, Chile
Gordon Pace University of Malta, Malta
Jan Peleska University of Bremen, Germany
Marielle Petit-Doche Systerel, France
Alexandre Petrenko Computer Research Institute of Montréal, Canada
Anna Philippou University of Cyprus, Cyprus
Jorge Sousa Pinto University of Minho and INESC TEC, Portugal
André Platzer Carnegie Mellon University, USA
Jaco van de Pol Aarhus University, Denmark
Tahiry Rabehaja Macquarie University, Australia
Steve Reeves University of Waikato, New Zealand
Matteo Rossi Polytechnic University of Milan, Italy
Augusto Sampaio Federal University of Pernambuco, Brazil
Gerardo Schneider Chalmers University of Gothenburg, Sweden
Daniel Schwartz Narbonne Amazon Web Services, USA
Natasha Sharygina University of Lugano, Switzerland
Nikolay Shilov Innopolis University, Russia
Ana Sokolova University of Salzburg, Austria
Marielle Stoelinga University of Twente, The Netherlands
Jun Sun University of Technology and Design, Singapore
Helen Treharne University of Surrey, UK
Elena Troubitsyna Åbo Akademi University, Finland
Tarmo Uustalu Reykjavik University, Iceland
Andrea Vandin TU Denmark, Denmark
R. Venkatesh TCS Research, India
Erik de Vink TU Eindhoven and CWI, The Netherlands
Willem Visser Stellenbosch University, South Africa
Farn Wang National Taiwan University, Taiwan
Bruce Watson Stellenbosch University, South Africa
Tim Willemse TU Eindhoven, The Netherlands
Kirsten Winter University of Queensland, Australia
Jim Woodcock University of York, UK
Lijun Zhang Chinese Academy of Sciences, China
Additional Reviewers
Rui Abreu
Arthur Américo
Hugo Araujo
Myla Archer
Sepideh Asadi
Florent Avellaneda
Eduard Baranov
Davide Basile
Cláudio Belo Lourenço
Philipp Berger
František Blahoudek
Martin Blicha
Jean-Paul Bodeveix
Brandon Bohrer
Ioana Boureanu
Laura Bozzelli
Daniel Britten
James Brotherston
Richard Bubel
Doina Bucur
Juan Diego Campo
Laura Carnevali
Gustavo Carvalho
Davide Cavezza
Xiaohong Chen
Yu-Ting Chen
Robert Colvin
Jesús Correas Fernández
Silvano Dal Zilio
Carlos Diego Damasceno
Quoc Huy Do
Sebastian Ehmes
Santiago Escobar
Marco Faella
Paul Fiterau Brostean
Simon Foster
Maria João Frade
Maciej Gazda
Lorenzo Gheri
Eduardo Giménez
Pablo Gordillo
Gloria Gori
Friedrich Gretz
Jerry den Hartog
Raju Halder
Hossein Hojjat
Karel Horak
Zhe Hou
Thomas Hujsa
Andreas Humenberger
Antti Hyvarinen
Peter Häfner
Fabian Immler
Miguel Isabel
Shaista Jabeen
Phillip James
Seema Jehan
Saul Johnson
Violet Ka I Pun
Eduard Kamburjan
Minh-Thang Khuu
Sascha Klüppelholz
Dimitrios Kouzapas
Robbert Krebbers
Shrawan Kumar
Luca Laurenti
Maurice Laveaux
Corey Lewis
Jianlin Li
Yi Li
Yong Li
Ai Liu
Wanwei Liu
Martin Lukac
Carlos Luna
Lars Luthmann
Joshua Moerman
Hendrik Maarand
Kumar Madhukar
Shahar Maoz
Matteo Marescotti
Bojan Marinkovic
Paolo Masci
Mieke Massink
Franco Mazzanti
Larissa Meinicke
Alexandra Mendes
Stephan Merz
Ravindra Metta
Andrea Micheli
Stefan Mitsch
Alvaro Miyazawa
Carroll Morgan
Mariano Moscato
Toby Murray
David Müller
Koji Nakazawa
Pham Ngoc Hung
Omer Nguena-Timo
Hans de Nivelle
Quentin Peyras
Paul Piho
Danny Bøgsted Poulsen
James Power
Tim Quatmann
Jean-Baptiste Raclet
Markus Roggenbach
Guillermo Román-Díez
Jurriaan Rot
Albert Rubio
Enno Ruijters
Sebastian Ruland
David Sanan
Julia Sapiña
Andy Schürr
Ramy Shahin
Neeraj Singh
Andrew Sogokon
B. Srivathsan
Dominic Steinhöfel
Ivan Stojic
Sandro Stucki
Martin Tappler
Laura Titolo
Andrea Turrini
Ben Tyler
Evangelia Vanezi
Alicia Villanueva
Inna Vistbakka
Matthias Volk
Jingyi Wang
Shuling Wang
Markus Weckesser
Stephan Wesemeyer
Pengfei Yang
Haodong Yao
I-Day Program Committee
M. Antony Aiello AdaCore, USA
Flemming Andersen Galois Inc., USA
Stylianos Basagianni United Technologies Research Centre, Ireland
Roderick Chapman Protean Code Limited, UK
David Cok GrammaTech, USA
Alessandro Fantechi University of Florence, Italy
Chris Hawblitzel Microsoft, USA
Peter Gorm Larsen Aarhus University, Denmark
Michael Leuschel University of Düsseldorf, Germany
Yannick Moy AdaCore, France
Jan Peleska Verified Systems International GmbH, Germany
Etienne Prun ClearSy, France
Kenji Taguchi CAV Technologies Co., Ltd., Japan
Stefano Tonetta FBK–IRST, Italy
Daniel Zimmerman Galois Inc., USA
DS Program Committee
Ana Cavalcanti University of York, UK
André Platzer Carnegie Mellon University, USA
Alessandro Fantechi University of Florence, Italy
Carlo A. Furia USI, Switzerland
Dalal Alrajeh Imperial College, UK
Einar Broch Johnsen University of Oslo, Norway
Elvira Albert Complutense University of Madrid, Spain
Jaco van de Pol Aarhus University, Denmark
Matteo Rossi Polytechnic University of Milan, Italy
Stefania Gnesi ISTI-CNR, Italy
Stephan Merz Inria, France
JFT Program Committee
Cliff Jones University of Newcastle, UK
Manfred Broy TU Munich, Germany
Organizing Committee
Luís Soares Barbosa University of Minho and INESC TEC, Portugal
José Creissac Campos University of Minho and INESC TEC, Portugal
João Pascoal Faria University of Porto and INESC TEC, Portugal
Sara Fernandes University of Minho and INESC TEC, Portugal
Luís Neves Critical Software, Portugal
Ana Paiva University of Porto and INESC TEC, Portugal
Local Organizers
Catarina Fernandes University of Minho and INESC TEC, Portugal
Paula Rodrigues INESC TEC, Portugal
Ana Rita Costa INESC TEC, Portugal
Web Team
Francisco Neves University of Minho and INESC TEC, Portugal
Rogério Pontes University of Minho and INESC TEC, Portugal
Paula Rodrigues INESC TEC, Portugal
FME Board
Ana Cavalcanti University of York, UK
Lars-Henrik Eriksson Uppsala University, Sweden
Stefania Gnesi ISTI–CNR, Italy
Einar Broch Johnsen University of Oslo, Norway
Nico Plat Thanos, The Netherlands
Formal Methods for Security Functionality
and for Secure Functionality
(Invited Presentation)
Erik Poll
Digital Security group, Radboud University Nijmegen, The Netherlands
[email protected]
With cyber security becoming a growing concern, it has naturally attracted the attention
of researchers in formal methods. One recent success story here is TLS: the development
of the new TLS 1.3 specification has gone hand-in-hand with efforts to verify
security properties of formal models [5] and the development of a fully verified
implementation [3]. Earlier well-known success stories in using formal methods for
security are the verifications of operating system kernels or hypervisors, namely seL4
[7] and Microsoft’s Hyper-V [10].
These examples – security protocols and OS kernels – are applications whose
primary purpose is to provide security. It is natural to apply formal methods to such
systems: they are by their very nature security-critical and they provide some security
functionality that we can try to specify and verify.
However, we want all our systems to be secure, not just these security systems.
There is an important difference between secure functionality and security functionality,
or – given that most functionality and most security problems are down to
software – between software security and security software [11]. Many, if not most,
security problems arise in systems that have no specific security objective, say PDF
viewers or video players, but which can still be hacked to provide attackers with
unwanted functionality they can abuse.
Using formal methods to prove security is probably not on the cards for something
as complex as a PDF viewer or video player. Just defining what it would mean for such
a system to be secure is probably already infeasible. Still, formal methods can be
useful to prove the absence of certain types of security flaws, or simply to find security
flaws. Successes here have been in the use of static analysis in source code analysers,
e.g. tools like Fortify SCA that look for flaws in web applications and tools like
Coverity that look for memory vulnerabilities in C(++) code. Another successful
application of formal methods is the use of symbolic (or concolic) execution to generate
test cases for security testing, as in SAGE [6] or, going one step further, not just
automatically finding flaws but also automatically generating exploits, as in angr [16].
A downside of these approaches is that they are post hoc and can only look for flaws
in existing code. The LangSec paradigm [4, 9], on the other hand, provides ideas on
how to prevent many security problems by construction. Key insights are that most
security flaws occur in input handling and that there are several root causes in play
here. Firstly, the input languages involved (e.g. file formats and network protocols) are
complex, very expressive, and poorly, informally, specified. Secondly, there are many
of these input languages, sometimes nested or stacked. Finally, parsers for these languages
are typically hand-written, with parsing code scattered throughout the application
code in so-called shotgun parsers [12]. With clearer, formal specifications of
input languages and generated parser code, much security misery could be avoided.
(Recent initiatives in tools for parser generation here include Hammer [1] and Nail [2].)
Given that formal languages and parser generation are some of the most basic and
established formal methods around, it is a bit of an embarrassment to us as a formal
methods community that sloppy language specifications and hand-coded parsers should
cause so many security problems.
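As an added illustration of the recognize-then-process discipline described above (this code is not from the abstract, nor from Hammer or Nail): a tiny parser-combinator recognizer for a constructed message format with a type byte, a 16-bit big-endian length and a payload. The whole input must belong to the language, so a declared length that exceeds the available data, an unknown type code, or trailing bytes are all rejected before the application sees the message.

```javascript
// Added example, not code from the abstract or from any cited parser tool.
// A parser is a function (buf, pos) -> { ok: true, value, pos } on success
// or { ok: false, pos, why } on failure; combinators build larger parsers
// from smaller ones, so the grammar below is the only place the format lives.
const fail = (pos, why) => ({ ok: false, pos, why });

// One byte satisfying a predicate.
function byte(pred, name) {
  return (buf, pos) => {
    if (pos >= buf.length) return fail(pos, `${name}: unexpected end of input`);
    if (!pred(buf[pos])) return fail(pos, `${name}: bad byte 0x${buf[pos].toString(16)}`);
    return { ok: true, value: buf[pos], pos: pos + 1 };
  };
}

// Parsers in order; values collected into an array.
function seq(...parsers) {
  return (buf, pos) => {
    const values = [];
    for (const p of parsers) {
      const r = p(buf, pos);
      if (!r.ok) return r;
      values.push(r.value);
      pos = r.pos;
    }
    return { ok: true, value: values, pos };
  };
}

// Parse with p, then let its value choose the next parser. This is how a
// length field governs exactly how many payload bytes must follow.
function bind(p, f) {
  return (buf, pos) => {
    const r = p(buf, pos);
    if (!r.ok) return r;
    return f(r.value)(buf, r.pos);
  };
}

// Exactly n raw bytes; a length claiming more than is present is an error,
// never a read past the end of the buffer.
function take(n) {
  return (buf, pos) => {
    if (pos + n > buf.length) {
      return fail(pos, `payload: declared ${n} bytes, only ${buf.length - pos} available`);
    }
    return { ok: true, value: Array.from(buf.slice(pos, pos + n)), pos: pos + n };
  };
}

// The input ends here: trailing bytes are not part of the language.
const eof = (buf, pos) =>
  pos === buf.length ? { ok: true, value: null, pos } : fail(pos, 'trailing bytes after message');

const any = byte(() => true, 'byte');
const u16be = seq(any, any);

// Constructed grammar: msg ::= type  len:u16be  payload:byte{len}  EOF
// where type is one of the two codes 0x01 and 0x02 this format defines.
const message = seq(
  byte(b => b === 0x01 || b === 0x02, 'type'),
  bind(u16be, ([hi, lo]) => take((hi << 8) | lo)),
  eof
);

// Recognize first, act later: callers only ever receive a fully validated
// message or a reason for rejection with the offset where it was detected.
function recognize(bytes) {
  const r = message(Uint8Array.from(bytes), 0);
  if (!r.ok) return { ok: false, why: r.why, at: r.pos };
  const [type, payload] = r.value;
  return { ok: true, type, payload };
}
```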
Some security flaws in input handling are not so much caused by buggy parsing of
inputs, but rather by the unexpected parsing of input [13]. Classic examples of this are
command injection, SQL injection, and Cross-Site Scripting (XSS). A tell-tale sign that
unwanted parsing of input may be happening in unexpected places is the heavy use of
strings as data types [14].
Information or data flow analysis can be used to detect such flaws; indeed, this is a
standard technique used in the source code analysis tools mentioned above. These
flaws can also be prevented by construction, namely by using type systems. A recent
example of this is the ‘Trusted Types’ browser API [8] by Google, where different
types are used to track different kinds of data and different trust levels of data, to prevent
XSS vulnerabilities, esp. the DOM-based XSS vulnerabilities that have proved so
difficult to root out.
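To make the type-based idea concrete, an added example (not the Trusted Types API itself and not code from [8]) that mimics it in plain JavaScript: a SafeHtml type that only a policy can produce, and a constructed stand-in for a DOM element whose innerHTML sink refuses raw strings. The names `SafeHtml`, `createPolicy` and `makeElement` are constructed for this example.

```javascript
// Added example: trust level tracked in the type rather than in a string.
// Not the browser's Trusted Types implementation; a model of the same idea.

// Only values of this class may reach an HTML sink. The constructor demands
// a private token, so a raw string cannot be wrapped by accident: every
// SafeHtml comes from a policy that decided how untrusted text became markup.
const token = Symbol('SafeHtml');
class SafeHtml {
  constructor(t, markup) {
    if (t !== token) throw new TypeError('SafeHtml cannot be constructed directly');
    this.markup = markup;
  }
  // Stringifying drops the type again; the sink below only accepts the object.
  toString() { return this.markup; }
}

// A policy is the single place where untrusted strings become SafeHtml.
function createPolicy(name, rules) {
  return {
    name,
    createHTML(untrusted) {
      return new SafeHtml(token, rules.createHTML(String(untrusted)));
    },
  };
}

// This policy escapes the characters an HTML parser would otherwise act on.
const escapePolicy = createPolicy('escape-only', {
  createHTML: s => s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]),
});

// Constructed stand-in for a DOM element. Its innerHTML setter enforces the
// type: a plain string is refused, which is exactly the point at which a
// DOM-based XSS would otherwise begin.
function makeElement() {
  const el = { html: '' };
  Object.defineProperty(el, 'innerHTML', {
    set(value) {
      if (!(value instanceof SafeHtml)) {
        throw new TypeError('innerHTML sink requires SafeHtml, got ' + typeof value);
      }
      el.html = value.toString();
    },
    get() { return el.html; },
  });
  return el;
}

// "Before": an untyped string flows straight into the sink.
function renderUnsafe(el, userInput) {
  el.innerHTML = userInput;   // throws once the sink is typed
  return el.innerHTML;
}

// "After": the string goes through the policy and arrives as SafeHtml.
function renderSafe(el, userInput) {
  el.innerHTML = escapePolicy.createHTML(userInput);
  return el.innerHTML;
}
```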
To conclude, formal methods can not only be used to prove the security of
security-critical applications and components – i.e. the security software – but they can
be much more widely used to improve security by ruling out the root causes behind
security flaws in input handling, and do so by construction, and hence improve software
security in general. Moreover, some very basic and lightweight formal methods
can be used for this: methods that we teach – or should be teaching – our students in the
first years of their Bachelor degree, such as regular expressions, finite state machines,
grammars, and types. Indeed, in my own research I have been surprised to see how
useful the simple notion of finite state machine for describing input sequences is to
discover security flaws [15].
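An added example of the finite-state-machine idea (not code from [15] or the abstract): the transition table of a constructed four-message handshake is the entire specification of which input sequences are accepted, and the same table yields the list of out-of-order messages a test harness should send to an implementation to check that it rejects them.

```javascript
// Added example: a finite state machine as the specification of accepted
// input sequences. The protocol (message names and states) is constructed.
const transitions = {
  init:        { ClientHello: 'negotiating' },
  negotiating: { KeyExchange: 'keyed' },
  keyed:       { Finished: 'established' },
  established: { AppData: 'established', Close: 'closed' },
  closed:      {},
};

// Own-property lookup only, so a message named e.g. "constructor" cannot
// hit Object.prototype and be mistaken for a transition.
function nextState(state, message) {
  const row = transitions[state];
  return Object.prototype.hasOwnProperty.call(row, message) ? row[message] : undefined;
}

// Run a sequence of message names through the machine. On the first message
// the current state does not allow, stop and report the state, the index and
// the message: the evidence a rejection log line needs.
function runSession(messages) {
  let state = 'init';
  for (let i = 0; i < messages.length; i++) {
    const next = nextState(state, messages[i]);
    if (next === undefined) {
      return { accepted: false, state, at: i, message: messages[i] };
    }
    state = next;
  }
  return { accepted: true, state };
}

// Derive from the same table every (state, message) pair the specification
// forbids. Driving an implementation into each state and sending the
// forbidden message is a systematic test for out-of-order handling flaws.
function unexpectedInputs() {
  const allMessages = new Set();
  for (const s of Object.keys(transitions)) {
    for (const m of Object.keys(transitions[s])) allMessages.add(m);
  }
  const pairs = [];
  for (const s of Object.keys(transitions)) {
    for (const m of allMessages) {
      if (nextState(s, m) === undefined) pairs.push([s, m]);
    }
  }
  return pairs;
}
```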
That we have not been able to get these basic techniques into common use does not
say much for our success in transferring formal methods to software engineering
practice. Still, looking at the bright side, it does suggest opportunities for improvement.
References
1. Anantharaman, P., Millian, M.C., Bratus, S., Patterson, M.L.: Input handling done right:
building hardened parsers using language-theoretic security. In: Cybersecurity Development
(SecDev), pp. 4–5. IEEE (2017)
2. Bangert, J., Zeldovich, N.: Nail: A practical tool for parsing and generating data formats. In:
OSDI 2014, pp. 615–628. USENIX (2014)
3. Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations
for the TLS 1.3 standard candidate. In: Security and Privacy (S&P 2017), pp. 483–502. IEEE
(2017)
4. Bratus, S., Locasto, M.E., Patterson, M.L., Sassaman, L., Shubina, A.: Exploit programming:
from buffer overflows to weird machines and theory of computation. Login, 13–21
(2011)
5. Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive
symbolic analysis of TLS 1.3. In: SIGSAC Conference on Computer and Communications
Security (CCS 2017), pp. 1773–1788. ACM (2017)
6. Godefroid, P., Levin, M.Y., Molnar, D.: SAGE: Whitebox fuzzing for security testing.
Commun. ACM 55(3), 40–44 (2012)
7. Klein, G., et al.: seL4: Formal verification of an OS kernel. In: ACM SIGOPS, pp. 207–220.
ACM (2009)
8. Kotowicz, K.: Trusted types help prevent cross-site scripting (2019). https://developers.
google.com/web/updates/2019/02/trusted-types. Blog post
9. LangSec: Recognition, validation, and compositional correctness for real world security
(2013). http://langsec.org/bof-handout.pdf. USENIX Security BoF hand-out
10. Leinenbach, D., Santen, T.: Verifying the Microsoft Hyper-V hypervisor with VCC. In:
Cavalcanti, A., Dams, D.R. (eds.) FM 2009, LNCS, vol. 5850, pp. 806–809. Springer,
Heidelberg (2009). https://doi.org/10.1007/978-3-642-05089-3_51
11. McGraw, G.: Software security. IEEE Secur. Priv. 2(2), 80–83 (2004)
12. Momot, F., Bratus, S., Hallberg, S.M., Patterson, M.L.: The seven turrets of Babel: a
taxonomy of LangSec errors and how to expunge them. In: Cybersecurity Development
(SecDev 2016), pp. 45–52. IEEE (2016)
13. Poll, E.: LangSec revisited: input security flaws of the second kind. In: Workshop on
Language-Theoretic Security (LangSec 2018). IEEE (2018)
14. Poll, E.: Strings considered harmful. Login, 43(4), 21–26 (2018)
15. Poll, E., de Ruiter, J., Schubert, A.: Protocol state machines and session languages: specification,
implementation, and security flaws. In: Workshop on Language-Theoretic Security
(LangSec 2015), pp. 125–133. IEEE (2015)
16. Shoshitaishvili, Y., et al.: SoK: (state of) the art of war: offensive techniques in binary
analysis. In: Symposium on Security and Privacy (SP 2016), pp. 138–157. IEEE (2016)
Contents
Invited Presentations
The Human in Formal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Shriram Krishnamurthi and Tim Nelson
Successes in Deployed Verified Software
(and Insights on Key Social Factors) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
June Andronick
Verification
Provably Correct Floating-Point Implementation
of a Point-in-Polygon Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Mariano M. Moscato, Laura Titolo, Marco A. Feliú,
and César A. Muñoz
Formally Verified Roundoff Errors Using SMT-based Certificates
and Subdivisions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Joachim Bard, Heiko Becker, and Eva Darulova
Mechanically Verifying the Fundamental Liveness Property
of the Chord Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Jean-Paul Bodeveix, Julien Brunel, David Chemouil, and Mamoun Filali
On the Nature of Symbolic Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Frank S. de Boer and Marcello Bonsangue
Synthesis Techniques
GR(1)*: GR(1) Specifications Extended with Existential Guarantees . . . . . . . 83
Gal Amram, Shahar Maoz, and Or Pistiner
Counterexample-Driven Synthesis for Probabilistic Program Sketches . . . . . . 101
Milan Češka, Christian Hensel, Sebastian Junges,
and Joost-Pieter Katoen
Synthesis of Railway Signaling Layout from Local Capacity Specifications . . . . 121
Bjørnar Luteberget, Christian Johansen, and Martin Steffen
Pegasus: A Framework for Sound Continuous Invariant Generation. . . . . . . . 138
Andrew Sogokon, Stefan Mitsch, Yong Kiam Tan, Katherine Cordwell,
and André Platzer
Concurrency
A Parametric Rely-Guarantee Reasoning Framework for Concurrent
Reactive Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Yongwang Zhao, David Sanán, Fuyuan Zhang, and Yang Liu
Verifying Correctness of Persistent Concurrent Data Structures . . . . . . . . . . . 179
John Derrick, Simon Doherty, Brijesh Dongol, Gerhard Schellhorn,
and Heike Wehrheim
Compositional Verification of Concurrent Systems
by Combining Bisimulations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Frédéric Lang, Radu Mateescu, and Franco Mazzanti
Model Checking Circus
Towards a Model-Checker for Circus . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Artur Oliveira Gomes and Andrew Butterfield
Circus2CSP: A Tool for Model-Checking Circus Using FDR. . . . . . . . . . . 235
Artur Oliveira Gomes and Andrew Butterfield
Model Checking
How Hard Is Finding Shortest Counter-Example Lassos
in Model Checking? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Rüdiger Ehlers
From LTL to Unambiguous Büchi Automata via Disambiguation
of Alternating Automata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Simon Jantsch, David Müller, Christel Baier, and Joachim Klein
Generic Partition Refinement and Weighted Tree Automata . . . . . . . . . . . . . 280
Hans-Peter Deifel, Stefan Milius, Lutz Schröder, and Thorsten Wißmann
Equilibria-Based Probabilistic Model Checking for Concurrent
Stochastic Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Marta Kwiatkowska, Gethin Norman, David Parker, and Gabriel Santos
Analysis Techniques
Abstract Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Dominic Steinhöfel and Reiner Hähnle
Static Analysis for Detecting High-Level Races in RTOS Kernels . . . . . . . . . 337
Abhishek Singh, Rekha Pai, Deepak D’Souza, and Meenakshi D’Souza
Parallel Composition and Modular Verification of Computer Controlled
Systems in Differential Dynamic Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Simon Lunel, Stefan Mitsch, Benoit Boyer, and Jean-Pierre Talpin
An Axiomatic Approach to Liveness for Differential Equations. . . . . . . . . . . 371
Yong Kiam Tan and André Platzer
Local Consistency Check in Synchronous Dataflow Models . . . . . . . . . . . . . 389
Dina Irofti and Paul Dubrulle
Gray-Box Monitoring of Hyperproperties . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Sandro Stucki, César Sánchez, Gerardo Schneider,
and Borzoo Bonakdarpour
Quantitative Verification of Numerical Stability for Kalman Filters . . . . . . . . 425
Alexandros Evangelidis and David Parker
Concolic Testing Heap-Manipulating Programs . . . . . . . . . . . . . . . . . . . . . . 442
Long H. Pham, Quang Loc Le, Quoc-Sang Phan, and Jun Sun
Specification Languages
Formal Semantics Extraction from Natural Language Specifications
for ARM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Anh V. Vu and Mizuhito Ogawa
GOSPEL—Providing OCaml with a Formal Specification Language . . . . . . . 484
Arthur Charguéraud, Jean-Christophe Filliâtre, Cláudio Lourenço,
and Mário Pereira
Unification in Matching Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Andrei Arusoaie and Dorel Lucanu
Embedding High-Level Formal Specifications into Applications . . . . . . . . . . 519
Philipp Körner, Jens Bendisposto, Jannik Dunkelau, Sebastian Krings,
and Michael Leuschel
Reasoning Techniques
Value-Dependent Information-Flow Security on Weak Memory Models. . . . . 539
Graeme Smith, Nicholas Coughlin, and Toby Murray
Reasoning Formally About Database Queries and Updates . . . . . . . . . . . . . . 556
Jon Haël Brenas, Rachid Echahed, and Martin Strecker
Abstraction and Subsumption in Modular Verification of C Programs . . . . . . 573
Lennart Beringer and Andrew W. Appel
Modelling Languages
IELE: A Rigorously Designed Language and Tool Ecosystem
for the Blockchain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Theodoros Kasampalis, Dwight Guth, Brandon Moore,
Traian Florin Șerbănuță, Yi Zhang, Daniele Filaretti, Virgil Șerbănuță,
Ralph Johnson, and Grigore Roşu
APML: An Architecture Proof Modeling Language . . . . . . . . . . . . . . . . . . . 611
Diego Marmsoler and Genc Blakqori
Learning-Based Techniques and Applications
Learning Deterministic Variable Automata over Infinite Alphabets . . . . . . . . 633
Sarai Sheinvald
L*-Based Learning of Markov Decision Processes . . . . . . . . . . . . . . . . . . . . 651
Martin Tappler, Bernhard K. Aichernig, Giovanni Bacci,
Maria Eichlseder, and Kim G. Larsen
Star-Based Reachability Analysis of Deep Neural Networks . . . . . . . . . . . . . 670
Hoang-Dung Tran, Diago Manzanas Lopez, Patrick Musau,
Xiaodong Yang, Luan Viet Nguyen, Weiming Xiang,
and Taylor T. Johnson
Refactoring and Reprogramming
SOA and the Button Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Sung-Shik Jongmans, Arjan Lamers, and Marko van Eekelen
Controlling Large Boolean Networks with Temporary
and Permanent Perturbations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Cui Su, Soumya Paul, and Jun Pang
I-Day Presentations
Formal Methods Applicability on Space Applications Specification
and Implementation Using MORA-TSP . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Daniel Silveira, Andreas Jung, Marcel Verhoef, and Tiago Jorge
Industrial Application of Event-B to a Wayside Train Monitoring System:
Formal Conceptual Data Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
Robert Eschbach
Property-Driven Software Analysis (Extended Abstract) . . . . . . . . . . . . . . . . 746
Mathieu Comptier, David Déharbe, Paulin Fournier,
and Julien Molinero-Perez
Practical Application of SPARK to OpenUxAS. . . . . . . . . . . . . . . . . . . . . . 751
M. Anthony Aiello, Claire Dross, Patrick Rogers, Laura Humphrey,
and James Hamil
Adopting Formal Methods in an Industrial Setting: The Railways Case . . . . . 762
Maurice H. ter Beek, Arne Borälv, Alessandro Fantechi, Alessio Ferrari,
Stefania Gnesi, Christer Löfving, and Franco Mazzanti
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 773
Invited Presentations
The Human in Formal Methods
Shriram Krishnamurthi and Tim Nelson
Brown University, Providence, RI, USA
{sk,tn}@cs.brown.edu
Abstract. Formal methods are invaluable for reasoning about complex systems. As these techniques and tools have improved in expressiveness and scale, their adoption has grown rapidly. Sustaining this growth, however, requires attention to not only the technical but also the human side. In this paper (and accompanying talk), we discuss some of the challenges and opportunities for human factors in formal methods.
Keywords: Human factors · User Interfaces · Education ·
Formal methods
1 Humans and Formal Methods
Formal methods are experiencing a long-overdue surge in popularity. This ranges from an explosion in powerful traditional tools, like proof assistants and model checkers, to embeddings of formal methods in program analysis, to a growing recognition of the value of writing formal properties in other settings (like software testing). Whereas traditionally, corporate use was primarily in hardware (e.g., Seger [26]), now major software companies like Amazon [1,7,21], Facebook [6], and Microsoft [3,12] are growing their use of formal methods.
What does it take to support this growth? Researchers will, naturally, continue to work on formal techniques. We believe, however, that not enough attention has been paid to the humans in the loop. In this paper and accompanying talk, we discuss some of the challenges and opportunities in this area.
To set a context for what follows, our own work has focused largely on automated methods, specifically model finding [18,34], as typified by tools like Alloy [15] and SAT/SMT solvers. This is not to decry the value of other techniques, including deductive methods, which we have worked with in some of our research. However, we find that model-finding tools offer a useful sweet spot:
– Because of their automation, they provide a helpful separation between specification and proof, enabling the user to focus on the former without having to dwell very much on the latter. This separation of concerns is invaluable in training contexts, since it enables us to focus on one skill at a time.
– Because model-finders can be used without properties, they enable exploration
in addition to verification and proof. Furthermore, this can start with small
amounts of partial specification. This idea, which is one aspect of lightweight
formal methods [16], is a powerful enabler for quickly seeing the value that
formal methods can provide.
© Springer Nature Switzerland AG 2019
M. H. ter Beek et al. (Eds.): FM 2019, LNCS 11800, pp. 3–10, 2019.
https://doi.org/10.1007/978-3-030-30942-8_1
– The manifestation of these methods in tools like Alloy proves particularly
convenient. An Alloy user can write a small part of a specification and click
“Run” (an action already familiar from programming environments), and
immediately get at least somewhat useful feedback from the system.
Due to these factors, in our experience, we have found these methods more
accessible than others to a broad range of students. Since, in particular, our
emphasis is not just on cultivating the small group of “hard core” students but
to bring the “other 90%” into the fold, tools that immediately appeal to them—
and hold their attention, while they are choosing between courses in formal
methods and in other exciting areas such as machine learning—are important.
In the rest of this paper, we focus on two human-facing concerns: the human-
factors qualities of model finding tools (Sect. 2), and education (Sect. 3). We
believe both are vital: the latter to growing the number of people comfortable
with formal methods, and the former to their effectiveness.
2 User Experience
We believe that the user experience of formal-methods tools has largely been understudied, although there have been promising past venues such as the Workshops on User Interfaces for Theorem Provers (e.g., [2]) and Human-Oriented Formal Methods (e.g., [19]). The majority of this work focuses on interactive tools such as proof assistants, which is to be expected. For instance, in deductive methods, the experience of stating and executing deduction steps is critical. (For early student-facing work, see the efforts of Barker-Plummer, Barwise, and Etchemendy [4].)
However, other formal tools could also benefit from user-focused research. For
instance, model finders are often integrated into higher-level tools (with their
model output presented in a domain-specific way). Thus, questions of quality
and comprehensibility by lay users are key.
Our own work [8] has found that a model finder’s choice of output and its presentation can make a major difference in user experience. Experiments with students found that output minimality, while intuitively appealing, is not necessarily helpful for comprehending systems. Moreover, experiments with users on Amazon’s Mechanical Turk crowdsourcing platform seem to suggest that providing a small amount of additional information alongside output can be helpful for comprehension.
3 Education
An equally important—and critically human-centric—problem is thinking about education. Numerous authors have books that present different educational viewpoints but, to our knowledge, most of these have not been subjected to any rigorous evaluation of effectiveness. Nevertheless, beyond books and curricula, we believe much more attention should be paid to design methods and student-centric tools. There is a large body of literature on these topics in programming education, but its counterparts are often missing in formal methods education.
We are focusing primarily on the task of writing specifications, because:
– It is a near-universal requirement shared between different formal methods—
indeed, it is perhaps a defining characteristic of the field.
– Specifications are sufficiently different from programs that we cannot blindly
reuse existing knowledge about programming education, though of course
there are many problems in common and we should try to port ideas. If
anything, we conjecture that the need for formal methods to consider all
possible behaviors, thanks to attributes like non-determinism, might make it
harder than programming.
– Specifications are useful even outside traditional formal methods settings, such as in property-based testing, monitoring, etc. Hence, they increasingly affect a growing number of programmers, even ones who don’t think of themselves as using traditional formal methods.
We will in turn discuss design methods (Sect. 3.1) and tools (Sect. 3.2).
3.1 A Design Recipe for Writing Specifications
One of the challenges every author faces is the “blank page syndrome” [9]: given a problem statement, they must fill a blank page (or editor) with magical incantations that match the given statement. For many students, this can be a daunting and even overwhelming experience; ones for whom it is not are sometimes merely overconfident in their abilities.
However, in other design disciplines—from electrical engineering to building architecture—designers produce not just one final artifact but a series of intermediate artifacts, using a range of representations with distinct viewpoints that hide some aspects and make others salient. What might that look like in our discipline?
One answer is provided by How to Design Programs [9], which breaks down
the programming process into a series of steps called the Design Recipe. These
steps incrementally build towards a solution, alternating abstract and concrete
steps that build on previous ones. For programming, these steps are:
1. Data definitions: translating what is given in the problem statement into
abstract descriptions for the computer system.
2. Data examples: constructing examples of each data definition to ensure the
student understands it, has created a well-formed definition, and can cover
the cases the problem demands.
3. Function outline: translating the function expected in the problem into an
abstract computational representation, including type signatures, purpose
statements, and a function header.
4. Function examples: constructing input-output examples of the function’s use,
using the data examples and the function outline components. These ensure
the student actually understands the problem before they start working on it.
These are usually written using the syntax of test cases, so they can eventually
be run against the final function, but they are conceptually different: they
represent exploration and understanding of the problem.
5. Function template: Using the data definition and function outline to create a
skeleton of the body based purely on the structure of the data.
6. Function definition: Filling in the template to match the specific function
definition, using the examples as a guide.
7. Testing: Constructing tests based on the chosen implementation strategy,
checking for implementation-specific invariants. The goal of tests, in contrast
to function examples, is to falsify the purported implementation.
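As an added illustration, not taken from the paper or from How to Design Programs, here are the seven steps carried through in Python on a small constructed problem: deciding whether a trace of lock operations is well formed. The problem, the data, and every name below (well_formed, _check, the TRACE_* examples) are mine; only the step labels follow the list above.

```python
from typing import List

# Step 1: Data definitions (translating the problem statement into types).
# An Action is one of the strings "acquire" or "release".
# A Trace is a list of Action: either [] or [Action, *Trace].
Action = str
Trace = List[Action]

# Step 2: Data examples, one per interesting shape of the data (constructed).
TRACE_EMPTY: Trace = []
TRACE_BALANCED: Trace = ["acquire", "release", "acquire", "release"]
TRACE_DOUBLE_ACQUIRE: Trace = ["acquire", "acquire", "release"]
TRACE_STRAY_RELEASE: Trace = ["release", "acquire"]
TRACE_NEVER_RELEASED: Trace = ["acquire"]


# Step 3: Function outline: signature, purpose statement, header.
def well_formed(trace: Trace) -> bool:
    """Purpose: does `trace` acquire and release a single lock in strict
    alternation, starting and ending in the released state?"""
    return _check(trace, held=False)


# Step 4: Function examples: input/output pairs written before the body
# exists. They record our understanding of the problem; the tests in
# Step 7 instead try to break the implementation we chose.
FUNCTION_EXAMPLES = [
    (TRACE_EMPTY, True),
    (TRACE_BALANCED, True),
    (TRACE_DOUBLE_ACQUIRE, False),
    (TRACE_STRAY_RELEASE, False),
    (TRACE_NEVER_RELEASED, False),
]

# Step 5: Function template, derived purely from the shape of a Trace:
#   if trace == []:  ... (base case)
#   else:            ... trace[0] ... _check(trace[1:], ...) (recursive case)
# Because well-formedness depends on what came before, the template carries
# an accumulator `held` (is the lock currently held?) into the recursion.


# Step 6: Function definition: fill in the template, guided by the examples.
def _check(trace: Trace, held: bool) -> bool:
    if not trace:
        return not held                             # base case: must end released
    first, rest = trace[0], trace[1:]
    if first == "acquire":
        return (not held) and _check(rest, True)    # no double acquire
    if first == "release":
        return held and _check(rest, False)         # no stray release
    return False                                    # not an Action at all


# Step 7: Tests: implementation-specific probes chosen to falsify the body,
# here the recursion boundary, a long unbalanced prefix, and the
# unknown-action branch.
def run_tests() -> bool:
    results = [well_formed(t) == expected for t, expected in FUNCTION_EXAMPLES]
    results.append(well_formed(["acquire", "release", "release"]) is False)
    results.append(well_formed(["acquire"] * 3 + ["release"] * 3) is False)
    results.append(well_formed(["unlock"]) is False)
    return all(results)


if __name__ == "__main__":
    print("all examples and tests pass:", run_tests())
```

The point of separating Step 4 from Step 7 is visible in the code: the function examples are written against the purpose statement alone, while the tests in run_tests probe the accumulator-based implementation that was actually chosen.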
There is significant cognitive theory backing the use of this recipe. The process corresponds to Bruner’s notion of scaffolding [31], while the steps reflect Vygotsky’s theory of zones of proximal development [29]. The progression from data through examples to code and tests provides a form of concreteness fading [13]. Completed sequences form worked examples [28] that students can apply to new problems. The templates are a form of program schema [22,27] that students can recall and reuse in constructing solutions to new problems.
How can we translate this from writing programs to writing specifications?
We believe many of the steps carry over directly (and serve the same purpose),
while others need some adaptation, depending on what students are authoring
(the process for specifications would look different than that for models given
to a model-checker, etc.). For instance, the “function examples” stage translates
well to students creating concrete instances of behavior that they believe should
or should not satisfy the eventual specification.
We will not go here into the details of how to adapt this process to different
settings, especially authoring specifications. However, we believe the basic ideas
are fairly universal: of proceeding in a step-wise way with new artifacts building
on old artifacts; of proceeding from the concrete to the abstract; of writing
illustrative, concrete examples of preceding abstract steps to test well-formedness
and understanding; and so on.
3.2 Tools
Researchers and developers have invested significant effort into formal methods
tools, many of which are then brought into the classroom. On the one hand,
industrial-strength tools tend to be robust and performant, and are endowed
with authenticity, which can make a difference for some students. On the other
hand, they may expose too much power: they accept full and complex languages
that contain features that may confuse students, they produce errors and other
feedback with terminology that students may not understand, and so on. In light
of this, projects have advocated the use of language levels [5,10,14], arguing that
students would benefit from a graduated introduction through a sequence of sub-
languages (and corresponding tool interfaces), each sub-language presenting an
epistemic closure that corresponds to a student’s learning at that point.
Beyond this, we argue that educational settings have one key advantage that conventional industrial use does not: the presence of ground truth, i.e., someone already knows the answer! In industry, users rarely build a whole new specification that precisely matches one that already exists. In education, however, that is exactly what students do almost all the time. Therefore, we can ask:
How does the presence of a ground truth affect formal tools in education?
We argue that “knowing the answer” especially helps in light of the Design
Recipe discussed above, because we can build tools to help with each step. We
discuss a concrete manifestation of this below. These should be thought of as
training wheels to help beginners become comfortable with formal methods;
naturally, we need to study how to wean students so that they can engage in the
more authentic experience of writing specifications and models un-aided.
Understanding Before Authoring. A growing body of literature in programming
education [17,25,30] shows that students frequently start to write programs
before they have understood the problem. As a result they “solve” the wrong
problem entirely. Not only is this frustrating, it also leads to learning loss: the
stated problem presumably had certain learning goals, which the student may
not have met as a result of their misdirection.
Recent work [24,32] has begun to address this issue by devising techniques to make sure students can check their understanding of the problem before they embark on a solution. These critically rely on having intermediate artifacts authored by the student in the process of authoring, precisely matching the intermediate steps proposed by the Design Recipe. In particular, function examples are a valuable way for them to demonstrate their understanding; because they are written in executable form, they can be run against implementations.
We especially draw on the perspective of Politz et al. [23] and Wrenn et al. [33], which think of tests (and examples) as classifiers. That is, the quality of a suite of tests or examples can be judged by how well they classify a purported implementation as correct or faulty. If we want a quantitative result, we can compute precision and recall scores to characterize these classifiers. Thus, students can rapidly obtain concrete feedback about how well they are doing in terms of understanding the problem, and our evidence in the context of programming [32] suggests that they take great advantage of this. Initial explorations for specification authoring suggest that this phenomenon carries over.
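An added example of my own (not from the paper and not the tooling of [23] or [33]) of examples-as-classifiers in Python. A constructed problem, longest_run, comes with one correct and three faulty instructor implementations; a student's example suite flags an implementation as faulty when any example fails on it, and precision and recall are computed against the instructor's labels. Treating "flagged as faulty" as the positive class is my choice, and all function and implementation names are hypothetical.

```python
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed problem: longest_run(xs) is the length of the longest run of
# equal adjacent elements in xs (0 for the empty list).


def impl_correct(xs: Sequence[int]) -> int:
    best = cur = 0
    prev: object = object()
    for x in xs:
        cur = cur + 1 if x == prev else 1
        prev = x
        best = max(best, cur)
    return best


def impl_forgets_last_run(xs: Sequence[int]) -> int:
    # Faulty: a run is recorded only when the next run starts, so the
    # final run is never counted.
    best = cur = 0
    prev: object = object()
    for x in xs:
        if x == prev:
            cur += 1
        else:
            best = max(best, cur)
            cur = 1
        prev = x
    return best


def impl_empty_is_one(xs: Sequence[int]) -> int:
    # Faulty: treats the empty list as a run of length 1.
    return 1 if not xs else impl_correct(xs)


def impl_counts_distinct(xs: Sequence[int]) -> int:
    # Faulty: returns the number of distinct elements instead.
    return len(set(xs))


# Instructor's ground truth: (implementation, is_faulty).
INSTRUCTOR_IMPLEMENTATIONS: Dict[str, Tuple[Callable, bool]] = {
    "correct": (impl_correct, False),
    "forgets_last_run": (impl_forgets_last_run, True),
    "empty_is_one": (impl_empty_is_one, True),
    "counts_distinct": (impl_counts_distinct, True),
}

Example = Tuple[List[int], int]  # (input, expected output)

# Two versions of a hypothetical student's example suite. The last example
# in V1 is wrong (a single element is a run of length 1, not 0); V2 fixes it
# and adds a case whose whole input is one run.
STUDENT_SUITE_V1: List[Example] = [([], 0), ([1, 1, 2], 2), ([1, 2, 2, 2, 3], 3), ([4], 0)]
STUDENT_SUITE_V2: List[Example] = [([], 0), ([1, 1, 2], 2), ([1, 2, 2, 2, 3], 3), ([4], 1), ([7, 7, 7], 3)]


def passes(impl: Callable, example: Example) -> bool:
    xs, expected = example
    try:
        return impl(list(xs)) == expected
    except Exception:
        return False  # a crash counts as a failed example


def classify(examples: List[Example], implementations: Dict[str, Tuple[Callable, bool]]) -> Dict[str, bool]:
    """Flag an implementation as faulty iff at least one example fails on it."""
    return {name: not all(passes(impl, ex) for ex in examples)
            for name, (impl, _) in implementations.items()}


def score(examples: List[Example], implementations: Dict[str, Tuple[Callable, bool]]) -> Dict[str, object]:
    """Precision/recall of the suite as a classifier of faulty implementations."""
    flagged = classify(examples, implementations)
    tp = fp = fn = 0
    for name, (_, is_faulty) in implementations.items():
        if flagged[name] and is_faulty:
            tp += 1
        elif flagged[name] and not is_faulty:
            fp += 1  # a correct implementation rejected: the suite has a wrong example
        elif not flagged[name] and is_faulty:
            fn += 1  # a faulty implementation accepted: the suite is not thorough enough
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 1.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall, "flagged": flagged}


if __name__ == "__main__":
    for label, suite in (("v1", STUDENT_SUITE_V1), ("v2", STUDENT_SUITE_V2)):
        s = score(suite, INSTRUCTOR_IMPLEMENTATIONS)
        print(label, "precision=%.2f recall=%.2f" % (s["precision"], s["recall"]), s["flagged"])
```

A false positive tells the student one of their examples contradicts the problem (precision drops); a false negative tells them a plausible bug slipped through (recall drops). Both are feedback about understanding, delivered before the student writes any implementation.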
More Artifacts. More broadly, there are several artifacts that can be produced
on both sides for specification-authoring assignments, including:
– Student’s concrete examples
– Student’s properties
– Student’s completed specification
– Instructor’s concrete examples
– Instructor’s properties
– Instructor’s completed specification
the latter three of which are ground truth components. Furthermore, instructional staff can be pressed to produce multiple kinds of each of these, such as correct and faulty specifications to enable classification.
Given this rich set of artifacts, it is instructive to consider all their (at least) pairwise combinations. For example, consider the point where the student believes they have completed their specification. This can now be compared for semantic difference [11,20] against the instructor’s specification, with the differences presented as concrete examples that the student has to determine how to incorporate to adjust their specification. There are several interesting questions of mechanism design, i.e., how to structure rewards and penalties for students using these modes.
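As an added example (mine, not the paper's and not the tool behind [11]), the Python below computes a semantic difference between a hypothetical student access-control specification and a hypothetical instructor one by brute-force enumeration of a small bounded domain of (role, action, resource) instances, in the spirit of a model finder's bounded search. Every instance permitted by exactly one side becomes a concrete example handed back to the student. The domain, both policies, and the names student_permits, instructor_permits, semantic_diff and feedback are all constructed for this illustration.

```python
from itertools import product
from typing import Callable, Iterable, List, Optional, Tuple

Instance = Tuple[str, str, str]              # (role, action, resource)
Spec = Callable[[str, str, str], bool]       # a specification is a permit predicate

# Constructed bounded domain: 3 x 2 x 3 = 18 instances to examine.
ROLES = ["admin", "doctor", "nurse"]
ACTIONS = ["read", "write"]
RESOURCES = ["record", "schedule", "audit_log"]


def student_permits(role: str, action: str, resource: str) -> bool:
    # Hypothetical student policy: admins and doctors may do anything,
    # nurses may read anything.
    if role == "admin":
        return True
    if role == "doctor":
        return True
    if role == "nurse":
        return action == "read"
    return False


def instructor_permits(role: str, action: str, resource: str) -> bool:
    # Hypothetical ground-truth policy: doctors may not write the audit log,
    # nurses may read and write only the schedule.
    if role == "admin":
        return True
    if role == "doctor":
        return not (action == "write" and resource == "audit_log")
    if role == "nurse":
        return resource == "schedule"
    return False


def semantic_diff(spec_a: Spec, spec_b: Spec,
                  domain: Optional[Iterable[Instance]] = None) -> Tuple[List[Instance], List[Instance]]:
    """Enumerate the bounded domain and return (permitted only by spec_a,
    permitted only by spec_b). Empty lists on both sides mean the two
    specifications agree on every instance in the bound."""
    if domain is None:
        domain = product(ROLES, ACTIONS, RESOURCES)
    only_a: List[Instance] = []
    only_b: List[Instance] = []
    for inst in domain:
        a, b = spec_a(*inst), spec_b(*inst)
        if a and not b:
            only_a.append(inst)
        elif b and not a:
            only_b.append(inst)
    return only_a, only_b


def feedback(only_student: List[Instance], only_instructor: List[Instance]) -> List[str]:
    """Render each differing instance as a concrete example for the student."""
    lines = []
    for role, action, resource in only_student:
        lines.append(f"your spec permits ({role}, {action}, {resource}); the reference denies it")
    for role, action, resource in only_instructor:
        lines.append(f"your spec denies ({role}, {action}, {resource}); the reference permits it")
    return lines


if __name__ == "__main__":
    only_s, only_i = semantic_diff(student_permits, instructor_permits)
    for line in feedback(only_s, only_i):
        print(line)
```

The two directions of the difference carry different weight for an access-control policy: instances the student permits but the reference denies are over-permissions, while the reverse are missing entitlements. Presenting them separately, as feedback does, lets an instructor weight them differently when designing rewards and penalties.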
4 Conclusion
In sum, we believe there are large human-facing aspects of formal methods that
have not yet been explored, and that exploring them is vital for the field to
thrive. With enough emphasis, we believe formal methods can be democratized
and made accessible to large numbers of users—not only scientists and trained
operators, but even the general public, from children to retirees. Even the most
non-technical user has to make consequential decisions every time they set a
configuration option on a system, and would hence benefit from the specification
and state-exploration powers that characterize our field. These problems are
intellectually exciting and challenging, and serious progress requires wedding
technical results to cognitive and social ones.
Acknowledgements. This work was partially supported by the U.S. National Science Foundation. We are grateful for numerous valuable conversations with Daniel J. Dougherty, Natasha Danas, Jack Wrenn, Kathi Fisler, Daniel Jackson, and Emina Torlak.
References
1. Amazon Web Services: Provable security. https://aws.amazon.com/security/provable-security/. Accessed 5 July 2019
2. Autexier, S., Benzmüller, C. (eds.): User Interfaces for Theorem Provers, Proceedings of UITP 2006, Electronic Notes in Theoretical Computer Science, vol. 174. Elsevier (2007)
3. Ball, T., Cook, B., Levin, V., Rajamani, S.K.: SLAM and static driver verifier: technology transfer of formal methods inside Microsoft. In: Boiten, E.A., Derrick, J., Smith, G. (eds.) IFM 2004. LNCS, vol. 2999, pp. 1–20. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24756-2_1
4. Barker-Plummer, D., Barwise, J., Etchemendy, J.: Language, Proof, and Logic, 2nd edn. Center for the Study of Language and Information/SRI, Stanford (2011)
5. du Boulay, B., O’Shea, T., Monk, J.: The black box inside the glass box. Int. J. Hum.-Comput. Stud. 51(2), 265–277 (1999)
6. Calcagno, C., et al.: Moving fast with software verification. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NFM 2015. LNCS, vol. 9058, pp. 3–11. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-17524-9_1
7. Cook, B.: Formal reasoning about the security of Amazon Web Services. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 38–47. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96145-3_3
8. Danas, N., Nelson, T., Harrison, L., Krishnamurthi, S., Dougherty, D.J.: User studies of principled model finder output. In: Cimatti, A., Sirjani, M. (eds.) SEFM 2017. LNCS, vol. 10469, pp. 168–184. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66197-1_11
9. Felleisen, M., Findler, R.B., Flatt, M., Krishnamurthi, S.: How to Design Programs, 2nd edn. MIT Press, Cambridge (2018). https://www.htdp.org/
10. Findler, R.B., et al.: DrScheme: a programming environment for Scheme. J. Funct. Prog. 12(2), 159–182 (2002)
11. Fisler, K., Krishnamurthi, S., Meyerovich, L., Tschantz, M.: Verification and change impact analysis of access-control policies. In: International Conference on Software Engineering, pp. 196–205 (2005)
12. Fogel, A., et al.: A general approach to network configuration analysis. In: Networked Systems Design and Implementation (2015)
13. Fyfe, E.R., McNeil, N.M., Son, J.Y., Goldstone, R.L.: Concreteness fading in mathematics and science instruction: a systematic review. Educ. Psychol. Rev. 26(1), 9–25 (2014)
14. Holt, R.C., Wortman, D.B.: A sequence of structured subsets of PL/I. SIGCSE Bull. 6(1), 129–132 (1974)
15. Jackson, D.: Software Abstractions: Logic, Language, and Analysis, 2nd edn. MIT Press, Cambridge (2012)
16. Jackson, D., Wing, J.: Lightweight formal methods. IEEE Comput. (1996)
17. Loksa, D., Ko, A.J.: The role of self-regulation in programming problem solving process and success. In: SIGCSE International Computing Education Research Conference (2016)
18. McCune, W.: Mace4 reference manual and guide. CoRR (2003). https://arxiv.org/abs/cs.SC/0310055
19. Milazzo, P., Varró, D., Wimmer, M. (eds.): STAF 2016. LNCS, vol. 9946. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-50230-4
20. Nelson, T., Ferguson, A.D., Krishnamurthi, S.: Static differential program analysis for software-defined networks. In: Bjørner, N., de Boer, F. (eds.) FM 2015. LNCS, vol. 9109, pp. 395–413. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-19249-9_25
21. Newcombe, C., Rath, T., Zhang, F., Munteanu, B., Brooker, M., Deardeuff, M.: How Amazon Web Services uses formal methods. Commun. ACM 58(4), 66–73 (2015)
22. Pirolli, P.L., Anderson, J.R.: The role of learning from examples in the acquisition of recursive programming skills. Canadian Journal of Psychology/Revue canadienne de psychologie 39(2), 240–272 (1985)
23. Politz, J.G., Krishnamurthi, S., Fisler, K.: In-flow peer-review of tests in test-first programming. In: Conference on International Computing Education Research (2014)
subscriber is not.
Mr. Hubert. I gather from your answer that in certain instances it
is possible.
Mr. Lane. It is possible by prearrangement only.
Mr. Hubert. Would you explain just what that would mean?
Mr. Lane. Ordinarily a prearrangement is a money deposit—
deposit with Western Union a certain sum of money and they are
usually companies. In fact, most of ours are companies that make
these deposits in order that they can phone that money order to be
sent, we have money on deposit, we send it.
Mr. Hubert. It is a prepaid money order?
Mr. Lane. A prepaid arrangement.
Mr. Hubert. All that happens over the telephone is the request
that money already made on deposit be sent to a certain address?
Mr. Lane. Yes.
Mr. Hubert. Is it possible to do it that way when no money is
placed on deposit?
Mr. Lane. Only on a prearranged basis. Sometimes we won’t
require deposits if they are legitimate companies and a good credit
rating with us.
Mr. Hubert. Do you know if Jack Ruby had any such
arrangement?
Mr. Lane. No; he did not.
Mr. Hubert. Is it normal for any individual to have it?
Mr. Lane. No; it is very seldom. In fact, we don’t even have any in
Dallas, individuals.
Mr. Hubert. Only companies?
Mr. Lane. Only companies.
Mr. Hubert. Have you any kind of security device to be sure that
the person calling is really authorized to be sending the money
either on deposit or to be charged?
Mr. Lane. Every money order called in is confirmed by telephone
with certain individuals within the firm.
Mr. Hubert. That is by prearrangement also?
Mr. Lane. That is by prearrangement.
Mr. Hubert. Do you know what system is used by the Western
Union Co., from your experience with the company during your
tenure of employment with them in connection with the payment of
money to the addressee? What is the normal system? What usually
happens?
Mr. Lane. Well, that depends on whether he comes into the office
or not. In this instance the girl had identification as required. They
have—the paying clerk has to be satisfied within his or her own mind
that the individual they are talking to is the correct person, and like I
say, identification is required.
Mr. Hubert. Well, how does the Western Union office at the
receiving end get the information about paying money?
Mr. Lane. It is transmitted over the wires to the receiving end,
stating the amounts to be paid, the person to be paid to, the
person’s address if they sent it, and the person it is from.
Mr. Hubert. Now, when that is received, is a check written out
payable to that person, or how is it handled?
Mr. Lane. If it is to be delivered a Western Union check is written.
If it is to be picked up a cash receipt copy is made out and attached
to the money, and when the person comes in and gives them the
identification required, asks them the required questions, such as,
“How much are you expecting? Who is it from? Where is it from?”
They have to answer those questions.
Mr. Hubert. And is any identification of the individual required?
Mr. Lane. Yes; it is very definitely personal identification.
Mr. Hubert. Now, what system is used by way of timing the
various transactions on the receiving end?
Mr. Lane. On the receiving end, whenever the telegram is
received in the receiving office, it is time stamped.
Mr. Hubert. It is time stamped by use of the same kind of
machine that you have identified before?
Mr. Lane. That we used before.
Mr. Hubert. Synchronized to the national time?
Mr. Lane. That is correct, and also timed at the time of payment.
Time you actually give the addressee the money.
Mr. Hubert. Stamped with the same clock?
Mr. Lane. Yes.
Mr. Hubert. By the way, all of this time that we have been
speaking of is central standard time?
Mr. Lane. Central standard time; yes.
Mr. Hubert. Have you anything else, Mr. Lane, that we have not
covered?
Mr. Lane. No; I can’t think of anything that we haven’t covered.
Mr. Hubert. Have you been interviewed by any member of the
Commission’s staff other than myself prior to the taking of this
deposition?
Mr. Lane. No; I have not.
Mr. Hubert. Now, there was an interview between you and me,
was there not, just before the beginning of this deposition?
Mr. Lane. Well, that is correct, sir.
Mr. Hubert. Have we covered in this deposition everything that
we talked about in the course of the interview?
Mr. Lane. Yes; we have.
Mr. Hubert. Have you—has there been anything of a material
nature at all covered in the interview which has not been covered in
this deposition?
Mr. Lane. Not a thing that I can think of.
Mr. Hubert. Thank you very much.
TESTIMONY OF ELNORA PITTS
The testimony of Elnora Pitts was taken at 2:40 p.m., on March
31, 1964, in the office of the U.S. attorney, 301 Post Office Building,
Bryan and Ervay Streets, Dallas, Tex., by Leon D. Hubert, Jr.,
assistant counsel of the President’s Commission.
Mr. Hubert. This is the deposition of Elnora Pitts.
Mrs. Pitts, my name is Leon Hubert.
Mrs. Pitts. Yes, sir.
Mr. Hubert. I am a member of the advisory staff of the General
Counsel for the President’s Commission on the Assassination of
President Kennedy.
Mrs. Pitts. Yes, sir.
Mr. Hubert. Under the provisions of Executive Order 11130, dated
November 29, issued by President Johnson——
Mrs. Pitts. Yes, sir.
Mr. Hubert. And by a Joint Resolution of Congress No. 137, and
the rules of procedure adopted by the President’s Commission in
conformance with the Executive order and the joint resolution, I
have been authorized to take the sworn deposition from you today.
I say to you that the general nature of the Commission’s inquiry
is to ascertain, evaluate, and report upon the facts relating to the
assassination of President Kennedy and to the subsequent violent
death of Lee Harvey Oswald. And in particular, as to you, Mrs. Pitts,
the nature of the inquiry today is to determine what facts that you
know about the death of Oswald and any other pertinent facts you
may know about the general inquiry, particularly those facts
concerning Jack Ruby.
Mrs. Pitts. Yes, sir.
Mr. Hubert. Now, I think you are appearing here as a result of a
letter sent to you by J. Lee Rankin?
Mrs. Pitts. Yes, sir.
Mr. Hubert. General Counsel of the Commission. You have
received that letter, haven’t you?
Mrs. Pitts. Yes, sir.
Mr. Hubert. That letter was received more than 3 days from
today?
Mrs. Pitts. Yes, sir; it was—it must have been longer than that.
Mr. Hubert. Sometime last week?
Mrs. Pitts. But, the man there, Mr. Sorrels——
Mr. Hubert. Mr. Sorrels?
Mrs. Pitts. They called me and talked with me and called me
again and told me to come today.
Mr. Hubert. But, the letter was received more than 3 days ago?
Mrs. Pitts. Yes, sir.
Mr. Hubert. Because 3 days ago would be last Saturday, and it
was received before that, wasn’t it?
Mrs. Pitts. Yes, sir.
Mr. Hubert. Would you mind rising and taking the oath? Raise
your right hand, please.
Do you solemnly swear to tell the truth, the whole truth, and
nothing but the truth, so help you God?
Mrs. Pitts. Yes, sir.
Mr. Hubert. All right. For the record, will you state your name.
Mrs. Pitts. My name is Elnora Pitts.
Mr. Hubert. I understand that you are a widow?
Mrs. Pitts. Yes, sir.
Mr. Hubert. And your husband’s name was what?
Mrs. Pitts. McKinley.
Mr. Hubert. And he has been dead how long?
Mrs. Pitts. Well, it has been a long time. Just exactly the date, I
don’t know.
Mr. Hubert. You have not remarried?
Mrs. Pitts. No, sir.
Mr. Hubert. What was your maiden name, before you married?
Mrs. Pitts. Elnora Magee.
Mr. Hubert. Magee. How old are you, Mrs. Pitts?
Mrs. Pitts. Well, I was born 1903. That makes me about 60,
don’t it?
Mr. Hubert. Where do you live?
Mrs. Pitts. I live at 1316 East Jefferson.
Mr. Hubert. Dallas?
Mrs. Pitts. Yes, sir; Oak Cliff.
Mr. Hubert. Oak Cliff?
Mrs. Pitts. Yes.
Mr. Hubert. What do you do for a living, Mrs. Pitts?
Mrs. Pitts. I work in apartment houses.
Mr. Hubert. In apartment houses?
Mrs. Pitts. Yes.
Mr. Hubert. What kind of work do you do?
Mrs. Pitts. That is cleaning. Cleaning, you see, from one
apartment to another but I don’t——
Mr. Hubert. You work in several apartment houses?
Mrs. Pitts. I go—I don’t work everyday. When they call me I go;
yes; and then I have some regulars.
Mr. Hubert. In other words, some apartments that you clean
everyday, or every week, or certain times?
Mrs. Pitts. Certain time every week.
Mr. Hubert. Do you know Mr. Jack Ruby?
Mrs. Pitts. Yes, sir. I know him, but——
Mr. Hubert. How long have you known him?
Mrs. Pitts. Well, now, that, I would have to get the real
information on Mr. David, Glen David, that was the manager of the
apartments there. He was with me down here on Ewing, Mr. David
was, and then they transferred me on over to another apartment on
Ewing where this Jack Ruby lived, so, just to tell the truth how long
that I worked for Mr. Ruby somewhere—so—along 8 or 9 or maybe
10 months.
Mr. Hubert. How often did you go to his apartment?
Mrs. Pitts. I went one part of a day. On—I first started going to
him on Tuesday, and then he said that was because he hadn’t
cleaned it in a long time, and it was in a bad shape, so he paid me
7½ to clean it the first time, and so, next time he paid me $4 and
give me busfare and then he said to me, said, “Well, it is getting
pretty dirty,” said, “I’m going to give you a little raise now today,”
and I said, “All right.” So, the next time he give me 5½. From then
on he pay me 5½.
Mr. Hubert. That is for how much time?
Mrs. Pitts. Until then I was going on Tuesday. Then he changed
it then until Saturday and from Saturday to Sunday. He says he had
company and wanted it fresh and clean on Sunday, and asked me if
I would come on Sunday morning and I told him, “Yes,” so that is
why I called him that Sunday morning, because that was my time to
go, because I had something to do at home before I went, so then I
didn’t go.
Mr. Hubert. So, as of November 24, 1963, it was your custom to
go there on a Sunday morning?
Mrs. Pitts. Yes, sir; I guess that was the time when he done his
killing, was it?
Mr. Hubert. Well, November 24 is the day that Oswald was shot.
Mrs. Pitts. Uh-huh. Well, then I called him on the next
Sunday——
Mr. Hubert. Let me get this——
Mrs. Pitts. Okay.
Mr. Hubert. Had you been going to him regularly on Sundays
before?
Mrs. Pitts. Yes, sir.
Mr. Hubert. You always called?
Mrs. Pitts. I called—called him, and always called the manager
because I went once and I didn’t call so they had to do something in
there, and he had a dog, and I was scared of this dog, so, the
manager, she was there, and she said, “Well, I will lock the dog in
the bathroom,” and I said, “No; I don’t work that way. I will just go
back home.”
So, the next time I didn’t call and she was gone and he was
gone, too, and I—from then on I always called.
Mr. Hubert. And you called about what time in the morning?
Mrs. Pitts. Well, just different times, but that morning I don’t
know what time it was that I called. I know that it was 8:30, or
might have been later than that. I really don’t know for—I didn’t
look at the clock.
Mr. Hubert. That morning—what morning do you mean?
Mrs. Pitts. I think it was Sunday morning, you know, when you
was saying about——
Mr. Hubert. When Oswald was shot?
Mrs. Pitts. Yes, sir.
Mr. Hubert. Now, you do remember that Oswald was shot——
Mrs. Pitts. Yes, sir.
Mr. Hubert. It was on Sunday?
Mrs. Pitts. Yes, sir.
Mr. Hubert. And you do know that Mr. Ruby was accused of
shooting Mr. Oswald and was tried, as a matter of fact?
Mrs. Pitts. Yes, sir.
Mr. Hubert. And that is the man we are talking about, is that
right?
Mrs. Pitts. Yes, sir.
Mr. Hubert. And that is the Sunday we are talking about?
Mrs. Pitts. Yes, sir.
Mr. Hubert. You called in there, as was your custom——
Mrs. Pitts. Yes, sir.
Mr. Hubert. To do the regular weekly——
Mrs. Pitts. Cleaning.
Mr. Hubert. Work, and you say you don’t know what time it was?
Mrs. Pitts. No, I don’t, but it was—it was after 8. I know way
after 8, and when I called him he said to me, “What do you want?”
And I said——
Mr. Hubert. Did you recognize his voice?
Mrs. Pitts. Well, I’ll tell you how he talked to me, then I said,
“What do I want?” I says, “This is Elnora.” He says, “Yes, well, what
—you need some money?” And I says, “No; I was coming to clean
today.”
“Coming to clean?” Like you know, like he just——
Mr. Hubert. In other words, when you told him that you were
coming to clean he seemed to express some surprise, is that it?
Mrs. Pitts. Yes, sir; like he didn’t know that I was going to come
and clean.
Mr. Hubert. Did he recognize you?
Mrs. Pitts. I don’t know if he did or not. And I says to him again,
I says, “This is Elnora.” And he says, “Well, what do you want?” And
I said, “Well, I was coming to clean today.”
“You coming now?” And I says, “No.”
Mr. Hubert. He asked you then, “Are you coming now?”
Mrs. Pitts. Yes, sir; and then I says, “No.” And he says, “Well,
what you got to do?” And I says, “I have got to go to the store for
the children.” I always goes to the store for the children before I
come to work whenever I come. He says, “Well,”—I says, “You seem
so funny to me.” And I says, “Do you want me to come today?” And
he says, “Well, yes; you can come, but you call me.” And I says,
“That’s what I’m doing now, calling you so I won’t have to call you
again.” And he says, “And you coming to clean today?” And I said,
“Yes.” Well, he sounded so strange to me but I still wouldn’t say
nothing to him. I just stopped another few minutes, and I said,
“Who am I talking to? Is this Mr. Jack Ruby?” And he said, “Yes.
Why?” And I said, “Oh, nothing.” But he just sounded terrible
strange to me, so, I said, “Well, I’ll call you.” And he says, “But, I
don’t see why I called you.” And he said, “Yes, so I can tell you
where the key will be and the money.” And I said, “Okay.” So, I hung
up.
Mr. Hubert. Did you arrange a time to go then?
Mrs. Pitts. He told me to call him before I come.
Mr. Hubert. Did he tell you what time?
Mrs. Pitts. I told him that I would be there before 2 and he says
for me to call him.
Mr. Hubert. Did he suggest 2 o’clock?
Mrs. Pitts. No; I did.
Mr. Hubert. What did he say when you suggested 2?
Mrs. Pitts. He said, “Why so late?”
Mr. Hubert. And what did you say?
Mrs. Pitts. I told him, said, “Well, I have got to go to the store,
and I have got some things to do.”
Mr. Hubert. Did you tell him you had some cleaning to do?
Mrs. Pitts. Yes, sir; I had some cleaning to do, straightening up.
Mr. Hubert. Did he agree that 2 o’clock would be all right?
Mrs. Pitts. No; he didn’t seem to think that 2 o’clock was all
right.
Mr. Hubert. But he asked you to call him?
Mrs. Pitts. Yes, sir; he asked me to call him.
Mr. Hubert. Did he ask you to call him at 2 or what?
Mrs. Pitts. No; he says, “You call me before 2,” that is what he
says. He says, “Be sure you call me.” To call before 2, “Before you
come.” He says, “You call me before 2, before you start,” and I says,
“Well, what I have to call you again for?” And he says, “Well, so I
can tell you where the key is and the money.” And I said, “Uh-huh.”
So, before I could, you know, hang up, he says, “Be sure and
call me.” “Did you say you was coming in today?” And I said, “Yes.”
And when he said that, that’s when it kind of scared me, so, I just
hung—I say, “okay,” and I hung up.
Mr. Hubert. What were you scared about?
Mrs. Pitts. The way he talked. He didn’t talk like—he never did
sound like hisself to me.
Mr. Hubert. Are you sure you were talking to him?
Mrs. Pitts. Well, I guess so.
Mr. Hubert. Had you ever talked to him before on the telephone?
Mrs. Pitts. Yes, it sounded like him in one way, and when he
went to talking, you know, just saying the same thing two or three
times, that is what—that is when I asked him, you know, if I was
talking to Mr. Jack Ruby.
Mr. Hubert. So, there was some doubt in your mind as to whether
it was Jack Ruby?
Mrs. Pitts. Yes, sir. It was a doubt in something wrong with him
the way he was talking to me. Other things—times I would have,
you know, just laid my work down and went ahead on.
I called my daughter and told her, and she said, “Well, are you
going over there now?” And, “No; he don’t sound right to me over
the phone. I am going to wait.”
Mr. Hubert. What I want to get at is this, whether or not you can
say it was Jack Ruby that you were talking to but that he seemed
different?
Mrs. Pitts. Yes, sir; that was him.
Mr. Hubert. Or whether or not he seemed so different that you
were not sure that it was Jack Ruby?
Mrs. Pitts. Yes, sir. It was him. I’m sure of that, but then he just
was indifferent. He sure did talk indifferent; yes, sir. He sure did.
Mr. Hubert. Now, did he tell you that he was going out, or that he
would be back around 2?
Mrs. Pitts. Said he was going out, he would try to be back by 2.
That is what he told me. He says, “You call me before.” That is what
he told me.
Mr. Hubert. Did he tell you when he was going out, Mrs. Pitts?
Mrs. Pitts. No, sir; didn’t tell me, says, “I am going out.” That is
what he says, and I says to him, I says, “If you are going to have
company or something”—I says, “I can wait and come tomorrow.”
He said, “Oh, no; you come on.”
Mr. Hubert. Can you fix a little better for us the time that this
conversation took place?
Mrs. Pitts. It was after 8 o’clock, was way after 8, but just to tell
the truth——
Mr. Hubert. You say “Way after 8,” you mean way after 8 on the
way to 9?
Mrs. Pitts. Well, I imagine somewhere around 8:30, then, I
guess it was.
Mr. Hubert. It wasn’t after 9?
Mrs. Pitts. No, sir; it wasn’t after 9.
Mr. Hubert. How can you be sure about that? Is there anything
that you remember that makes you say it was not before 8 but
afterward, and not before 9?
Mrs. Pitts. Well, the children had the programs on Sundays, and
I know then that they was a, you know, singing, and that is why I
know it was between 8—8:30 and 9.
Mr. Hubert. That was what I was trying to get at, get something
that you could identify so that you could fix the time that way.
Mrs. Pitts. Yes.
Mr. Hubert. Did you go to church, perhaps, that day?
Mrs. Pitts. No, sir; I didn’t.
Mr. Hubert. Children go to church?
Mrs. Pitts. No, sir; they—they was intending to go to church.
One—you see, one, I think, did go to Sunday school, but church.
Mr. Hubert. What time did he go?
Mrs. Pitts. That one going to Sunday school was ready and gone
before then.
Mr. Hubert. What time does Sunday school begin?
Mrs. Pitts. Well, Sunday school begins around, I think, 9 o’clock.
Mr. Hubert. So, he had already gone?
Mrs. Pitts. Yes, sir.
Mr. Hubert. Could you say——
Mrs. Pitts. Have to walk a little piece.
Mr. Hubert. Well, does that help you to fix the time of the
conversation with Mr. Ruby?
Mrs. Pitts. Well, that program there, that is what I——
Mr. Hubert. What program was it?
Mrs. Pitts. Something on that KBOX program where those
preaching, you know, and having church there, and that is the
reason I said it is between 8:30 and 9.
Mr. Hubert. When you first spoke to Mr. Ruby, did he seem to
have just awakened, or what?
Mrs. Pitts. Well, I don’t know if he——
Mr. Hubert. Did he say he had just awakened?
Mrs. Pitts. No; I didn’t ask him that.
Mr. Hubert. Do you know Mr. George Senator?
Mrs. Pitts. I know of him. I cleaned for him twice.
Mr. Hubert. He lived in the same apartment, or a different one?
Mrs. Pitts. He was living next door to him when I cleaned for
him. He was 206, and Mr. Ruby was 205.
Mr. Hubert. Let’s see. This apartment that you were going to
clean on November 24, what was the number of it?
Mrs. Pitts. That was Mr. Ruby. In 205.
Mr. Hubert. Sure it was not 207?
Mrs. Pitts. That is it. He—206. Senator was right next door.
Mr. Hubert. Next door, or across?
Mrs. Pitts. No; right against Mr. Ruby’s, and, Senator—and Mr.
George Senator was right at—you’re right, 207. I keep saying 205,
but it was 207.
Mr. Hubert. 207?
Mrs. Pitts. Yes.
Mr. Hubert. Do you know whether or not Mr. Senator and Mr.
Ruby were sharing apartment 207 on November 24, or sometime
before that?
Mrs. Pitts. Well, I hadn’t been there in—and seen him. I hadn’t,
but when I had went there and cleaned—started to clean his
apartment where Mr. George used to live, and he had moved out,
but when—where did he move then, I don’t know.
Mr. Hubert. So, any Sunday you ever went to Mr. Ruby’s
apartment, you don’t know whether Mr. Senator was sharing that
apartment or not?
Mrs. Pitts. No; he would come over there when he lived right
there next to him, but, see, when he moved, well, then, I hadn’t
been there in a long time, so, then, I had seven vacant apartments
to do just before this all happened, so, then I——
Mr. Hubert. Did Mr. Ruby have a two-bedroom apartment?
Mrs. Pitts. Yes, sir.
Mr. Hubert. Had you noticed before that both bedrooms had been
occupied by people, that is to say, by cleaning up, by seeing that the
beds had been slept in and so forth, you can tell when the
rooms——
Mrs. Pitts. No; the bed was made. Now, the manager told me,
but I didn’t see him there. Now, the manager told me that they must
—this man Senator had moved over there, but then I didn’t see him
there.
Mr. Hubert. He didn’t pay you?
Mrs. Pitts. No, sir.
Mr. Hubert. Did you ever talk to Mr. Senator over the phone?
Mrs. Pitts. No, no. I—he called me from his apartment once and
talked to me about coming to clean for him, but he didn’t talk to me,
Mr. Ruby.
Mr. Hubert. Was it possible that the man you spoke to on
November 24, was not Mr. Ruby, but Mr. Senator?
Mrs. Pitts. It sounded like Mr. Ruby, but he just—he started
talking off all right and then he would go, you know, to talking funny
to me, and don’t sound like himself, and hollering and talking loud
and that is something he didn’t ever do.
Mr. Hubert. You mean kind of mad at you?
Mrs. Pitts. No; it wasn’t mad, but just talking strange, you know
how a person talks strange, kind of. Don’t really understand what
they are really saying, I guess.
Mr. Hubert. You testified, didn’t you, in Mr. Ruby’s trial?
Mrs. Pitts. Yes, sir.
Mr. Hubert. Had you been interviewed prior to that by his
attorney?
Mrs. Pitts. Say had I been what?
Mr. Hubert. Interviewed prior to your testimony in the trial by his
attorney?
Mrs. Pitts. Yes, sir; by his—Mr. Belli.
Mr. Hubert. Mr. Belli? He talked to you?
Mrs. Pitts. He talked to me. He come out there and got me when
I was sitting out there waiting. They had—Mr. Burleson was the one
that talks to me over the phone and told me that I had to come
down there.
Mr. Hubert. Did he ask you whether or not his voice was strange?
Mrs. Pitts. They just told me to tell how he talked to me, so, that
is what I did. That is what he said that they wanted to know. So,
that is what I did.
Mr. Hubert. Do you remember that you were interviewed by Mr.
Jack French, special agent of the FBI, around 2 or 3 days after this
shooting occurred?
Mrs. Pitts. Yes, sir.
Mr. Hubert. Do you recall whether you told Mr. French at that
time that you thought that Mr. Ruby’s voice sounded odd the way
you testified today?
Mrs. Pitts. Yes, sir; I told him that, but he told me what he was
wanting to know if I had seen any books or letters or papers around
there, and that I didn’t ever look, and——
Mr. Hubert. But you say you told Mr. French that you thought that
Mr. Ruby’s voice was odd like you testified to today?
Mrs. Pitts. Yes, sir; I told him that.
Mr. Hubert. Did you tell him that, or was the first time that you
testified like that at the time of the Ruby trial?