{"references": ["Peter B. Andrews. An introduction to mathematical logic and type theory: to truth through proof. Academic Press Professional, Inc., San Diego, CA, USA, 1986.", "Peter B. Andrews. Introduction to Mathematical Logic and Type Theory: To Truth through Proof. Kluwer Academic Publishers, Dordrecht, 2002.", "Clemens Ballarin. Tutorial to Locales and Locale Interpretation, 2010.", "Sascha B\u00a8ohme, Michal Moskal,Wolfram Schulte, and BurkhartWolff. Hol-boogie- an interactive prover-backend for the verifying c compiler. J. Autom. Reasoning, 44(1-2):111\u2013144, 2010.", "Sascha B\u00a8ohme and Tjark Weber. Fast LCF-style proof reconstruction for Z3. In ITP, pages 179\u2013194, 2010.", "Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing, 25(5):683\u2013721, 2013.", "Alonzo Church. A formulation of the simple theory of types. Journal of Symbolic Logic, pages 56\u201368, June 1940.", "Pascal Cuoq, Florent Kirchner, Nikolai Kosmatov, Virgile Prevosto, Julien Signoles, and Boris Yakobowski. Frama-c: a software analysis perspective. In International Conference on Software Engineering and Formal Methods (SEFM'12), pages 233\u2013247. Springer, October 2012.", "EURO-MILS. Formal implementation of TOE inclusive formal proofs. Technical Report D31.3, EURO-MILS: Secure European Virtualisation for Trustworthy Applications in Critical Domains, FP7/2007-2013, 2015.", "Jean-Christophe Filliatre and Andrei Paskevich. Why3 \u2014 where programs meet provers. In Matthias Felleisen and Philippa Gardner, editors, Proceedings of the 22nd European Symposium on Programming, volume 7792 of Lecture Notes in Computer Science, pages 125\u2013128. Springer, March 2013.", "David Greenaway, June Andronick, and Gerwin Klein. Bridging the gap: Automatic verified abstraction of c. In ITP, pages 99\u2013115, 2012.", "Mike J. C. Gordon and Tom F. Melham. Introduction to HOL. Cambridge University Press, 1993.", "Georges Gonthier. Engineering mathematics: the odd order theorem proof. In POPL, pages 1\u20132, 2013.", "Mike Gordon. From LCF to HOL: a short history. In Proof, Language, and Interaction, pages 169\u2013185. MIT Press, 2000.", "Thomas C Hales. Formal proof. Notices of the AMS, 55(11):1370\u20131380, 2008.", "John Harrison. Towards self-verification of hol light. In IJCAR, pages 177\u2013191, 2006.", "ISO/IEC DIS 29119: Software and Systems Engineering\u2014Software Testing. ISO Draft International Standard, July 2012.", "Eric Jaeger. Remarques relatives \u00e1 l'emploi des m\u00e9thodes formelles (d\u00e9ductives) en s\u00e9curit\u00e9 des syst\u00e8mes d'information. 2008. 51 Boulevard de la Tour-Maubourg 75700 Paris SP 07, France.", "Ramana Kumar, Rob Arthan, Magnus O. Myreen, and Scott Owens. HOL with definitions: Semantics, soundness, and a verified implementation. In Interactive Theorem Proving - 5th International Conference, ITP 2014, Held as Part of the Vienna Summer of Logic, VSL 2014, Vienna, Austria, July 14-17, 2014. Proceedings, pages 308\u2013324, 2014.", "Gerwin Klein, Ralf Huuck, and Bastian Schlich. Operating system verification. J. Autom. Reasoning, 42(2-4):123\u2013124, 2009.", "Gerwin Klein. Gerwin's style guide for Isabelle/HOL. part 1: Good proofs, 2015. http://proofcraft.org/blog/isabelle-style.html, accessed 29 May 2015.", "Leonardo Moura and Nikolaj Bjorner. Z3: An efficient SMT solver. In C.R. Ramakrishnan and Jakob Rehof, editors, Tools and Algorithms for the Construction and Analysis of Systems, volume 4963 of Lecture Notes in Computer Science, pages 337\u2013340. Springer Berlin Heidelberg, 2008.", "The Common Criteria Recognition Agreement Members. Common Criteria for Information Technology Security Evaluation. http://www.commoncriteriaportal.org/, September 2006.", "Robin Milner. A theory of type polymorphism in programming. Journal of Computer and System Sciences, 17(3):348 \u2013 375, 1978.", "Magnus O. Myreen, Scott Owens, and Ramana Kumar. Steps towards verified implementations of hol light. In ITP, pages 490\u2013495, 2013.", "Robin Milner, Mads Tofte, and David Macqueen. The Definition of Standard ML. MIT Press, Cambridge, MA, USA, 1997.", "R. Milner and C.P. Wadsworth. Edinburgh LCF: A Mechanized Logic of Computation. Lecture Notes in Computer Science. Springer, 1979.", "Tobias Nipkow, Larry C. Paulson, and Markus Wenzel. Isabelle/HOL\u2014A Proof Assistant for Higher-Order Logic, volume 2283 of Lecture Notes in Computer Science. Springer-Verlag, Heidelberg, 2002.", "Lawrence C. Paulson. A generic tableau prover and its integration with isabelle. J. UCS, 5(3):73\u201387, 1999.", "Larry Paulson, Tobias Nipkow, and Makarius Wenzel. Isabelle, 2013. http://", "isabelle.in.tum.de/website-Isabelle2013-2/index.html, accessed 26 May 2015.", "Leaf Petersen and Enrico Pontelli, editors. Proceedings of the POPL 2010 Workshop on Declarative Aspects of Multicore Programming, DAMP 2010, Madrid, Spain, January 19, 2010. ACM, 2010.", "Markus Wenzel Tobias Nipkow, Lawrence C. Paulson. A Proof Assistant For Higher-Order Logic.", "PhilipWadler and Stephen Blott. How to make ad-hoc polymorphism less ad-hoc. In POPL, pages 60\u201376, 1989.", "Makarius Wenzel. The Isabelle/Isar Reference Manual.", "Markus Wenzel. Type classes and overloading in higher-order logic. In TPHOLs, pages 307\u2013322, 1997.", "Markus M Wenzel. Isabelle/Isar\u2014a versatile environment for human-readable", "formal proof documents. PhD thesis, Technische Universit\u00e4t M\u00fcnchen, Universit\u00e4tsbibliothek, 2002.", "Freek Wiedijk. The Seventeen Provers of the World: Foreword by Dana S. Scott (Lecture Notes in Computer Science / Lecture Notes in Artificial Intelligence). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006."]}

This document consists of three chapters: Chapter 1 describes how Isabelle/HOL works and how to use it in a certification processnbsp;in a sound way./li> li>Chapter 2: Style Guide. It describes how to write Isabelle theories so that they are suitablenbsp;for collaborative work and human readers in a certification context./li> li>Chapter 3: Compliance statement. We state how, in the EURO-MILS project, the developednbsp;theories are compliant with (1) and (2)./li> /ul>