The use of formal methods provides confidence in the correctness of developments. Yet one may argue about the actual level of confidence obtained when the method itself -or its implementation -is not formally checked. We address this question for the B, a widely used formal method that allows for the derivation of correct programs from specifications. Through a deep embedding of the B logic in Coq, we check the B theory but also implement B tools. Both aspects are illustrated by the description of a proved prover for the B logic.A clear benefit of formal methods is to increase the confidence in the correctness of developments. However, one may argue about the actual level of confidence obtained, when the method or its implementation are not themselves formally checked. This question is legitimate for safety, as one may accidentally derive invalid results. It is even more relevant when security is a concern, as any flaw can be deliberately exploited by a malicious developer to obfuscate undesirable behaviours of a system while still getting a certification.B [1] is a popular formal method that allows for the derivation of correct programs from specifications. Several industrial implementations are available (e.g. AtelierB, B Toolkit ), and it is widely used in the industry for projects where safety or security is mandatory. So the B is a good candidate for addressing our concern: when the prover says that a development is right, who says that the prover is right? To answer this question, one has to check the theory as well as the prover w.r.t. this theory (or, alternatively, to provide a proof checker). Those are the objectives of BiCoq, a deep embedding of the B logic in Coq [2].BiCoq benefits from the support of Coq to study the theory of B, and to check the validity of standard definitions and results. BiCoq also allows us, through an implementation strategy, to develop formally checked B tools. This strategy is illustrated in this paper by the development of a prover engine for the B logic, that can be extracted and used independently of Coq. Coq is therefore our notary public, witnessing the validity of the results associated to the B theory, as well as the correctness of tools implementing those results -ultimately increasing confidence in B developments. The approach, combining a deep embedding and an implementation technique, can be extended to address further elements of the B, beyond its logic, or to safely enrich it, as illustrated in this paper. This paper is divided into 9 sections. Sections 1, 2 and 3 briefly introduce B, Coq and the notion of embedding. The B logic and its formalisation in Coq are presented in Sec. 4. Section 5 describes various results proved using BiCoq. Section 6 focuses on the implementation strategy, and presents its application to the development of a set of extractible proof tactics for a B prover. Section 7 discusses further uses of BiCoq, and mentions some existing extensions. Finally, Sect. 8 concludes and identifies further activities.
