Proof effort

• a few days, for first simplified version
• 1-2 man weeks in total
  • for whom?
  • code written by someone else, not intimately familiar with it
  • never tried to prove separation before, not an expert on security
  • familiar with the programming language
  • familiar with the proof tool