Selected contributions from the Open Source Software Certification (OpenCert) workshops
We present to you this special issue dedicated to the 2nd, 3rd and 4th editions of the International Workshop on Foundations and Techniques for Open Source Software Certification (OpenCert), held in 2008 (Milan, Italy), 2009 (York, UK) and 2010 (Pisa, Italy) respectively. This is a compilation of a selected set of extended papers presented at these workshops. OpenCert provides a unique venue for advancing the state of the art in the analysis and assurance of open source software, with the ultimate aim of achieving certification and standards. The dramatic growth in open source software over recent years has provided fertile ground for fundamental research and demonstrative case studies. Over the years, OpenCert has enabled a thriving community, small but focused, examining issues ranging from certification to security and safety analysis for application areas as diverse as railways, aviation, knowledge management, sustainable development, and the open source developer community.

Writing correct C programs is well known to be hard, not least due to the many language features intrinsic to C. Writing secure C programs is even harder. This is precisely what Olesen et al. set out to address in their paper titled “Coccinelle: Tool support for automated CERT C Secure Coding Standard certification”. They aim to develop a prototype tool to ensure that C programs comply with the US CERT standards for secure C coding. Coccinelle is a program matching and transformation engine that lets one specify desired matches and transformations in C code; Clang is a source code analyser for security. By combining the two, the authors aim to assist the task of program writing and ease compliance with secure coding standards.

Breuer and Pickin take advantage of the modern shift towards the cloud computing paradigm and propose a ‘volunteer cloud’ to analyse large open source code bases. In their paper titled “Open Source Verification in an Anonymous Volunteer Network” they show that the computation may be handled incrementally by the client CPUs of the distributed ‘volunteer cloud’, each essentially taking a fragment of the work at a time. An experiment demonstrating this on a million lines of C code serves to validate their approach. This may very well be the future of crowd-sourced verification.

Open approaches to software and models increasingly find their way into safety-critical systems, and railway signalling and control is certainly one such area. Feuser and Peleska address this challenge in their contribution titled “Dependability in Open Proof Software with Hardware Virtualization—The Railway Control Systems Perspective” by examining the openETCS initiative: an effort to bring the rigour of formal methods for specification and analysis to the European Train Control System (ETCS) standard. They focus in particular on ensuring that the safety of a mixed open/closed source system is preserved by mechanisms that prevent less trustworthy software components from corrupting the behaviour of a trusted safety-critical core. Lessons drawn from this work will undoubtedly be valuable in several other domains.

Almeida et al., in their paper titled “CAOVerif: An open-source deductive verification platform for cryptographic software implementations”, tackle a domain-specific language for cryptographic software, namely CAO, which is part of an open source toolbox dedicated to the implementation of cryptographic algorithms and protocols. As part of their work they present a model in first-order logic and use a deductive verification approach to verify CAO code for cryptography-relevant security properties.

With over 500 known distributions of Linux available, one challenge for software developers is to ensure portability of their applications across all distributions. Rubanov and Silakov address this problem in their paper titled “Ensuring Portability of Linux Applications through Standardization and Knowledge Base Driven Analysis”. They propose an approach to automatic portability for Linux applications in the context of the Linux Standard Base (LSB), an attempt to standardise common interfaces, and describe the Linux Application Checker tool, which helps explore an application's external dependencies.

Sowe et al. present “An Empirical Study of FOSS Developers Patterns of Contribution: Challenges for Data Linkage and Analysis”, where the open source developer community's contributions are analysed using Bayesian networks to look for patterns of contribution and their impact on end-product quality. This work provides insights into various aspects of developer behaviour and how these could be used to advantage in terms of tools and project leadership. Undoubtedly,