Kĩ thuật lập trình - Chapter 10: Predicting system trustworthiness

Chapter 10Predicting System TrustworthinessChapter 10 - Predicting System TrustworthinessOverviewIntroductionWhat else can be done? Predicting component interoperability SummaryPage Building Reliable Component-based Systems IntroductionFunctional Composability (FC) and functional correctness: FC is concerned with whether f(a) x f(b) = f(a x B) is true. These concerns stem from the problem of composing "ilities". ReliabilitySafetySecurityPage Building Reliable Component-based Systems The ProblemThe problem stems from our inability to know a priori, For example, that the security of a system composed of two components, A and B, can be determined from knowledge about the security of A and the security of B. Why? Because the security of the composite is based on more than just the security of the individual components. Page Building Reliable Component-based Systems An ExampleAs an example, suppose that:A is an operating system and B is an intrusion detection system.Operating systems have some level of built-in authentication security. Intrusion detection systems have some definition of the types of event patterns that warn of a possible attack.Thus, the security of the composition clearly depends on the security models of the individual components.Page Building Reliable Component-based Systems The Example ContinuedBut even if A has a worthless security policy or flawed implementation, the composite can still be secure. How? IF A has poor performance THEN no one can log inORIF A's security mechanism not reliable THEN security is increased While these last 2 examples are clearly not a desirable way to attain higher levels of system security, both do actually decrease the likelihood that a system will be successfully attacked.Page Building Reliable Component-based Systems Another ExampleA as an operating system and B as an intrusion detection system, AND We assume that A provides excellent security and B provides excellent security, WE MUST still accept the fact that the security of B is also a function of calendar time. So the question then comes down to: which "ilities", if any, are easy to compose? The answer is that there are no "ilities" easy to compose and that some are much harder to compose than others. Page Building Reliable Component-based Systems What Else Can Be Done?If a piece of software fails only once after 100 tests, DO NOT calculate quantitative score based on the result!DO consider it to be the result of the testing.Page Building Reliable Component-based Systems Isolating Potential ContributorsParties that have contributed software functionality (whether COTS or custom) to the system. Potential contributors to the system failure include: Defective software componentsProblems with interfaces between components Problems with assumptions between componentsHidden interfaces and non-functional component behaviors that cannot be detected at the component level. Page Building Reliable Component-based Systems Interface Propagation AnalysisInterface propagation analysis (IPA):Perturbs the states that propagate through the interfaces that connect COTS software components to other types of components. Note that software fault injection is also a form of accelerated testing.Page Building Reliable Component-based Systems Reliability TestingOperational profile testing  test-casesTest for defects occuring in operational phaseMany insignificant experimentsTime consumingComponent/SystemInputPage Building Reliable Component-based Systems IPA at WorkTo modify the information (states) that components use for inter-communicationwrite access to those states is required (in order to modify the data in those states). This is obtained by creating a small software routine named PERTURB which replaces, during system execution, the original output state with a different (corrupted) state. Component AComponent BInputPage Building Reliable Component-based Systems PERTURBAn Example using:double cos(double x)if (cos(a) > THRESHOLD) {do something}if (PERTURB(cos(a)) > THRESHOLD) {do something}The value added by having a utility such as PERTURB is, in general, dependent on how well PERTURB mimics corruptions that the utility under consideration. Page Building Reliable Component-based Systems Technique 1The first technique: Involves the deliberate inversion of the operational profile originally anticipated by the system designers.This technique is most beneficial when the description of the expected profile is accurate. Component/SystemInputInversed operational profilePage Building Reliable Component-based Systems Technique 2The second technique:Is simply a combination of the previous technique with IPA. This is a situation in which the software is operating in an unusual input mode while being bombarded with corrupt information.Inversed operational profileComponent AComponent BInputPage Building Reliable Component-based Systems Summary Non-functional behaviors are difficult to handle in compositionOrdinary (reliability) testing is not enoughSWIFI can be used for testing non-functional behaviorsIPA is a technique for predicting interoperabilityIPA is not the answer, but a complement to other (traditional) testing techniques. Page Building Reliable Component-based Systems