
    Problem Oriented Engineering for Software Safety

    Safety critical systems must satisfy stringent safety standards, and their development requires the use of specialist safe software system development (SSSD) approaches as the complexity and penetration of these systems increase. These SSSD approaches satisfy certain useful properties that make them suitable for safety system development. The first objective of this thesis is to select a candidate SSSD approach and evaluate its capabilities against a set of useful properties identified from reviewing a group of existing SSSD approaches, and thus show that this candidate SSSD approach is appropriate for use in safety system development. In addition, a second objective is to use this candidate SSSD approach to improve the early life cycle phase of an existing industrial safety development process used to develop embedded avionics applications. In particular, the aim is to allow issues to be resolved earlier in the development; at present these issues are not uncovered until much later in the development, when they are much more difficult and expensive to correct. This involved the identification of further properties and issues that the candidate SSSD approach must address. The overall aim is to demonstrate that this candidate SSSD approach can be used in the early phase of a safety system development to derive a validated specification that can be subjected to safety analysis to show that it satisfies the identified system safety properties and thus forms a viable basis for the rest of the development.

    Arguing Security: A Framework for Analyzing Security Requirements

    When considering the security of a system, the analyst must simultaneously work with two types of properties: those that can be shown to be true, and those that must be argued as being true. The first consists of properties that can be demonstrated conclusively, such as the type of encryption in use or the existence of an authentication scheme. The second consists of things that cannot be so demonstrated but must be considered true for a system to be secure, such as the trustworthiness of a public key infrastructure or the willingness of people to keep their passwords secure. The choices represented by the second case are called trust assumptions, and the analyst should supply arguments explaining why the trust assumptions are valid. This thesis presents three novel contributions: a framework for security requirements elicitation and analysis, based upon the construction of a context for the system; an explicit place and role for trust assumptions in security requirements; and structured satisfaction arguments to validate that a system can satisfy the security requirements. The system context is described using a problem-centered notation, then is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument is in two parts: a formal argument that the system can meet its security requirements, and structured informal arguments supporting the assumptions exposed during argument construction. If one cannot construct a convincing argument, designers are asked to provide design information to resolve the problems, and another pass is made through the framework to verify that the proposed solution satisfies the requirements. Alternatively, stakeholders are asked to modify the goals for the system so that the problems can be resolved or avoided. The contributions are evaluated by using the framework to do a security requirements analysis within an air traffic control technology evaluation project.

    RICIS Symposium 1988

    Integrated Environments for Large, Complex Systems is the theme for the RICIS symposium of 1988. Distinguished professionals from industry, government, and academia have been invited to participate and present their views and experiences regarding research, education, and future directions related to this topic. Within RICIS, more than half of the research being conducted is in the area of Computer Systems and Software Engineering. The focus of this research is on the software development life-cycle for large, complex, distributed systems. Within the education and training component of RICIS, the primary emphasis has been to provide education and training for software professionals.

    Software Development as an Antitrust Remedy: Lessons from the Enforcement of the Microsoft Communications Protocol Licensing Requirement

    An important provision in each of the final judgments in the government's Microsoft antitrust case requires Microsoft to make available to software developers the communications protocols that Windows client operating systems use to interoperate natively (that is, without adding software) with Microsoft server operating systems in corporate networks or over the Internet. The short-term goal of the provision is to allow developers, as licensees of the protocols, to write applications for non-Microsoft server operating systems that interoperate with Windows client computers in the same ways that applications written for Microsoft's server operating systems interoperate with Windows clients. The long-term goal is to preserve, in the network context, the platform threat to the Windows monopoly that was the focus of the government's theory of monopolization. The platform threat was the possibility that middleware, like Netscape's browser or Sun's Java technologies, might evolve into a platform for other applications and thus erode the applications barrier to entry that protects Windows. This was the threat that the courts held Microsoft illegally thwarted by its contracts and product design. The protocol licensing provision rests on the assumption that middleware running on servers might also pose a platform threat to the Windows monopoly of client operating systems. District Judge Kollar-Kotelly, in entering the final judgments, singled out this provision as the key to assuring that the other provisions do not become irrelevant as more applications move to servers in local networks or the Internet. The provision has, however, proven to be by far the most difficult to implement. We argue in this Article that the provision has not accomplished its purpose and that courts and policymakers can draw some hard lessons from the experience.

    Vol.19 n.14 April 4th 1991


    Curricular trends in four-year baccalaureate degree industrial technology programs

    The intents of the research were to determine both curricular trends in four-year baccalaureate industrial technology programs and the role accreditation standards have on such trends. The purpose was to present implications for future curriculum development and to provide a framework and point of reference for both curriculum developers and standards writers. From the literature review, questionnaire items were designed to answer four research questions. The instrument was validated by a jury process, and data were collected from 60 respondents, then organized and compiled using National Association of Industrial Technology curriculum categories. Chi square and descriptive statistics were used to analyze the data. It was inferred from several trends identified in the results that industrial technology will remain a dynamic field of study. Trends were identified in the areas of accreditation, major courses of study, course titles, concentrations/emphases, mode of change, and program specialization. Representative trends include: Large student enrollments are found in technically accredited programs, and smaller student enrollments are more frequent in nontechnically accredited programs. The titles of baccalaureate degree programs are being changed to industrial technology more often than to any other title. Major courses of study are becoming more diverse. The number of baccalaureate degree major courses of study is increasing. Concentrations and emphases are more numerous and diverse for nontechnically accredited programs. Future technical accreditation was being planned for additional programs. Selection of an accrediting agency is becoming more diverse in the discipline. Technical accreditation is not the motivating factor influencing curricular change, and accrediting agencies are being selected to meet specialized needs. The technical course work area of computer applications was shown to be significantly different. Course titles have become more diverse and reflect the emerging technologies. Recommendations included: Curriculum developers must continue their dynamic diversity but focus on substantive change. The study should be used as a baseline for further study and future curriculum development. Common standards could be developed for programs with aspirations of technical accreditation by NAIT, ABET, or another technical accrediting agency to limit duplication. Additionally, several studies and needs assessments are recommended to be conducted concerning the curricula of industrial technology.