A Framework for Dependability Analysis of Software Systems with Trusted Bases

A new approach is suggested for arguing that a software system is dependable. The key idea is to structure the system so that highly critical requirements are localized in small subsets of the system called trusted bases. In most systems, the satisfaction of a requirement relies on assumptions about the environment, in addition to the behavior of software. Therefore, establishing a trusted base for a critical property must be carried out as early as the requirements phase. This thesis proposes a new framework to support this activity. A notation is used to construct a dependability argument that explains how the system satisfies critical requirements. The framework provides a set of analysis techniques for checking the soundness of an argument, identifying the members of a trusted base, and illustrating the impact of failures of trusted components. The analysis offers suggestions for redesigning the system so that it becomes more reliable. The thesis demonstrates the effectiveness of this approach with a case study on electronic voting systems.

Thesis Supervisor: Daniel N. Jackson
Title: Professor
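The abstract names three analyses over a dependability argument: checking its soundness, identifying the members of a trusted base, and showing the impact of a trusted component's failure. The script below is an added illustration of those three analyses on a toy argument, not the thesis's own notation or tool. It models the argument as a dependency graph in which requirements (`R_*`) rely on specifications (`S_*`), domain assumptions (`A_*`) and components (`C_*`); the node names and the voting-system example graph are constructed for this illustration. The trusted base of a requirement is taken to be the set of leaf nodes it transitively relies on, and the "shared trusted node" check flags a leaf that sits in the trusted base of several requirements, the kind of structure a redesign would aim to remove.

```python
"""Toy dependability-argument analysis (added illustration, not the thesis's tool)."""
from collections import deque

# Constructed example argument for an optical-scan voting system.
# Each node maps to the nodes whose correct behaviour it relies on;
# leaves (empty lists) are components and assumptions that must simply be trusted.
ARGUMENT = {
    # requirements rely on specifications and domain assumptions
    "R_correct_tally":  ["S_scanner_counts_marks", "S_tally_sums_counts", "A_voter_marks_intent"],
    "R_ballot_secrecy": ["S_no_ballot_id", "S_scanner_no_order_log", "A_no_identifying_marks"],
    # specifications are discharged by components
    "S_scanner_counts_marks":  ["C_scanner_firmware", "C_optical_sensor"],
    "S_tally_sums_counts":     ["C_tally_software", "C_memory_card"],
    "S_no_ballot_id":          ["C_ballot_printer"],
    "S_scanner_no_order_log":  ["C_scanner_firmware"],
    # trusted leaves
    "C_scanner_firmware": [], "C_optical_sensor": [], "C_tally_software": [],
    "C_memory_card": [], "C_ballot_printer": [],
    "A_voter_marks_intent": [], "A_no_identifying_marks": [],
}


def reachable(argument, node):
    """All nodes that `node` transitively relies on (BFS over dependency edges)."""
    seen, queue = set(), deque([node])
    while queue:
        cur = queue.popleft()
        for dep in argument.get(cur, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def is_leaf(argument, node):
    """A node with no further dependencies must be trusted as-is."""
    return not argument.get(node)


def trusted_base(argument, requirement):
    """Leaves (components and assumptions) the requirement's satisfaction rests on."""
    return frozenset(n for n in reachable(argument, requirement) if is_leaf(argument, n))


def requirements(argument):
    """Top-level requirements, identified here by the constructed R_ prefix."""
    return [n for n in argument if n.startswith("R_")]


def failure_impact(argument, failed):
    """Requirements whose argument collapses once `failed` misbehaves."""
    return frozenset(r for r in requirements(argument) if failed in reachable(argument, r))


def shared_trusted_nodes(argument):
    """Trusted leaves that appear in the trusted base of more than one requirement:
    a single failure there undermines several critical properties at once."""
    counts = {}
    for r in requirements(argument):
        for n in trusted_base(argument, r):
            counts[n] = counts.get(n, 0) + 1
    return frozenset(n for n, c in counts.items() if c > 1)


def argument_defects(argument):
    """Structural soundness checks: reliance on undeclared nodes, and circular
    arguments (a node that transitively relies on itself)."""
    defects = []
    for node, deps in argument.items():
        for d in deps:
            if d not in argument:
                defects.append(f"undeclared node {d!r} used by {node!r}")
        if node in reachable(argument, node):
            defects.append(f"circular argument through {node!r}")
    return defects


if __name__ == "__main__":
    print("defects:", argument_defects(ARGUMENT))
    for r in requirements(ARGUMENT):
        print(r, "trusted base:", sorted(trusted_base(ARGUMENT, r)))
    print("shared trusted nodes:", sorted(shared_trusted_nodes(ARGUMENT)))
    print("if C_scanner_firmware fails:", sorted(failure_impact(ARGUMENT, "C_scanner_firmware")))
```

On the constructed graph the scanner firmware is the only leaf shared by both requirements, so its failure takes down both the correct-tally and the ballot-secrecy arguments, whereas a memory-card failure affects the tally alone; that asymmetry is what the impact analysis is meant to surface before design decisions are fixed.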
