On Systematic Design of Protectors for Employing OTS Items

Off-the-shelf (OTS) components are increasingly used in application areas with stringent dependability requirements. Component wrapping is a well known structuring technique used in many areas. We propose a general approach to developing protective wrappers that assist in integrating OTS items with a focus on the overall system dependability. The wrappers are viewed as redundant software used to detect errors or suspicious activity and to execute appropriate recovery when possible; wrapper development is considered as a part of system integration activities. Wrappers are to be rigorously specified and executed at run time as a means of protecting OTS items against faults in the rest of the system, and the system against the OTS item's faults. Possible symptoms of erroneous behaviour to be detected by a protective wrapper and possible actions to be undertaken in response are listed and discussed. The information required for wrapper development is provided by traceability analysis. Possible approaches to implementing “protectors” in the standard current component technologies are briefly outline

Building safe software

Murphy is a set of techniques and tools under investigation for their potential in enhancing the safety of software. This paper describes some of the work which has been done and some which is planned

Ein verallgemeinerter Prozess zur Verifikation und Validerung von Modellen und Simulationsergebnissen

With technologies increasing rapidly, symbolic, quantitative modeling and computer-based simulation (M&S) have become affordable and easy-to-apply tools in numerous application areas as, e.g., supply chain management, pilot training, car safety improvement, design of industrial buildings, or theater-level war gaming. M&S help to reduce the resources required for many types of projects, accelerate the development of technical systems, and enable the control and management of systems of high complexity. However, as the impact of M&S on the real world grows, the danger of adverse effects of erroneous or unsuitable models or simu-lation results also increases. These effects may range from the delayed delivery of an item ordered by mail to hundreds of avoidable casualties caused by the simulation-based acquisi-tion (SBA) of a malfunctioning communication system for rescue teams. In order to benefit from advancing M&S, countermeasures against M&S disadvantages and drawbacks must be taken. Verification and Validation (V&V) of models and simulation results are intended to ensure that only correct and suitable models and simulation results are used. However, during the development of any technical system including models for simulation, numerous errors may occur. The later they are detected, and the further they have propagated through the model development process, the more resources they require to correct thus, their propaga-tion should be avoided. If the errors remain undetected, and major decisions are based on in-correct or unsuitable models or simulation results, no benefit is gained from M&S, but a dis-advantage. This thesis proposes a structured and rigorous approach to support the verification and valida-tion of models and simulation results by a) the identification of the most significant of the current deficiencies of model develop-ment (design and implementation) and use, including the need for more meaningful model documentation and the lack of quality assurance (QA) as an integral part of the model development process; b) giving an overview of current quality assurance measures in M&S and in related areas. The transferability of concepts like the capability maturity model for software (SW-CMM) and the ISO9000 standard is discussed, and potentials and limits of documents such as the VV&A Recommended Practices Guide of the US Defense Modeling and Simulation Office are identified; c) analysis of quality assurance measures and so called V&V techniques for similarities and differences, to amplify their strengths and to reduce their weaknesses. d) identification and discussion of influences that drive the required rigor and intensity of V&V measures (risk involved in using models and simulation results) on the one hand, and that limit the maximum reliability of V&V activities (knowledge about both the real system and the model) on the other. This finally leads to the specification of a generalized V&V process - the V&V Triangle. It illustrates the dependencies between numerous V&V objectives, which are derived from spe-cific potential errors that occur during model development, and provides guidance for achiev-ing these objectives by the association of V&V techniques, required input, and evidence made available. The V&V Triangle is applied to an M&S sample project, and the lessons learned from evaluating the results lead to the formulation of future research objectives in M&S V&V

Self-Adaptive Systems for Information Survivability: PMOP and AWDRAT

Information systems form the backbones of the critical infrastructures of modern societies. Unfortunately, these systems are highly vulnerable to attacks that can result in enormous damage. Furthermore, traditional approaches to information security have not provided all the protections necessary to defeat and recover from a concerted attack; in particular, they are largely irrelevant to the problem of defending against attacks launched by insiders.This paper describes two related systems PMOP and AWDRAT that were developed during the DARPA Self Regenerative Systems program. PMOP defends against insider attacks while AWDRAT is intended to detect compromises to software systems. Both rely on self-monitoring, diagnosis and self-adaptation. We describe both systems and show the results of experiments with each

Architectural mismatch tolerance

The integrity of complex software systems built from existing components is becoming more dependent on the integrity of the mechanisms used to interconnect these components and, in particular, on the ability of these mechanisms to cope with architectural mismatches that might exist between components. There is a need to detect and handle (i.e. to tolerate) architectural mismatches during runtime because in the majority of practical situations it is impossible to localize and correct all such mismatches during development time. When developing complex software systems, the problem is not only to identify the appropriate components, but also to make sure that these components are interconnected in a way that allows mismatches to be tolerated. The resulting architectural solution should be a system based on the existing components, which are independent in their nature, but are able to interact in well-understood ways. To find such a solution we apply general principles of fault tolerance to dealing with arch itectural mismatche

On the engineering of crucial software

The various aspects of the conventional software development cycle are examined. This cycle was the basis of the augmented approach contained in the original grant proposal. This cycle was found inadequate for crucial software development, and the justification for this opinion is presented. Several possible enhancements to the conventional software cycle are discussed. Software fault tolerance, a possible enhancement of major importance, is discussed separately. Formal verification using mathematical proof is considered. Automatic programming is a radical alternative to the conventional cycle and is discussed. Recommendations for a comprehensive approach are presented, and various experiments which could be conducted in AIRLAB are described

Integrated analysis of error detection and recovery

An integrated modeling and analysis of error detection and recovery is presented. When fault latency and/or error latency exist, the system may suffer from multiple faults or error propagations which seriously deteriorate the fault-tolerant capability. Several detection models that enable analysis of the effect of detection mechanisms on the subsequent error handling operations and the overall system reliability were developed. Following detection of the faulty unit and reconfiguration of the system, the contaminated processes or tasks have to be recovered. The strategies of error recovery employed depend on the detection mechanisms and the available redundancy. Several recovery methods including the rollback recovery are considered. The recovery overhead is evaluated as an index of the capabilities of the detection and reconfiguration mechanisms

Study of fault-tolerant software technology

Presented is an overview of the current state of the art of fault-tolerant software and an analysis of quantitative techniques and models developed to assess its impact. It examines research efforts as well as experience gained from commercial application of these techniques. The paper also addresses the computer architecture and design implications on hardware, operating systems and programming languages (including Ada) of using fault-tolerant software in real-time aerospace applications. It concludes that fault-tolerant software has progressed beyond the pure research state. The paper also finds that, although not perfectly matched, newer architectural and language capabilities provide many of the notations and functions needed to effectively and efficiently implement software fault-tolerance

Quality measures and assurance for AI (Artificial Intelligence) software

This report is concerned with the application of software quality and evaluation measures to AI software and, more broadly, with the question of quality assurance for AI software. Considered are not only the metrics that attempt to measure some aspect of software quality, but also the methodologies and techniques (such as systematic testing) that attempt to improve some dimension of quality, without necessarily quantifying the extent of the improvement. The report is divided into three parts Part 1 reviews existing software quality measures, i.e., those that have been developed for, and applied to, conventional software. Part 2 considers the characteristics of AI software, the applicability and potential utility of measures and techniques identified in the first part, and reviews those few methods developed specifically for AI software. Part 3 presents an assessment and recommendations for the further exploration of this important area

Test-driven development of embedded control systems: application in an automotive collision prevention system

With test-driven development (TDD) new code is not written until an automated test has failed, and duplications of functions, tests, or simply code fragments are always removed. TDD can lead to a better design and a higher quality of the developed system, but to date it has mainly been applied to the development of traditional software systems such as payroll applications. This thesis describes the novel application of TDD to the development of embedded control systems using an automotive safety system for preventing collisions as an example. The basic prerequisite for test-driven development is the availability of an automated testing framework as tests are executed very often. Such testing frameworks have been developed for nearly all programming languages, but not for the graphical, signal driven language Simulink. Simulink is commonly used in the automotive industry and can be considered as state-of-the-art for the design and development of embedded control systems in the automotive, aerospace and other industries. The thesis therefore introduces a novel automated testing framework for Simulink. This framework forms the basis for the test-driven development process by integrating the analysis, design and testing of embedded control systems into this process. The thesis then shows the application of TDD to a collision prevention system. The system architecture is derived from the requirements of the system and four software components are identified, which represent problems of particular areas for the realisation of control systems, i.e. logical combinations, experimental problems, mathematical algorithms, and control theory. For each of these problems, a concept to systematically derive test cases from the requirements is presented. Moreover two conventional approaches to design the controller are introduced and compared in terms of their stability and performance. The effectiveness of the collision prevention system is assessed in trials on a driving simulator. These trials show that the system leads to a significant reduction of the accident rate for rear-end collisions. In addition, experiments with prototype vehicles on test tracks and field tests are presented to verify the system’s functional requirements within a system testing approach. Finally, the new test-driven development process for embedded control systems is evaluated in comparison to traditional development processes