Trust in Cyberspace (1999) / Chapter Skim

3 Software for Networked Information Systems
Pages 62-108

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 62...
... A less visible consequence of cheap, dispersed computing is the ease with which special-purpose networked information systems (NISs) can now be built.
From page 63...
... So, while market forces can help foster the deployment of trustworthiness mechanisms, these forces are unlikely to do so in advance of directly experienced or highly publicized violations of trustworthiness properties.
From page 64...
... In fact, the role of software in an NIS is typically so pervasive that the responsibilities of a software engineer differ little from those of a systems engineer. NIS software developers must therefore possess a systems viewpoint,2 and systems engineers must be intimately familiar with the strengths (and, more importantly, the limitations)
From page 65...
... But the implication is that achieving and assessing the trustworthiness of a networked information system necessarily occur in an environment including COTS software components (operating systems, database systems, networks, compilers, and other system tools) with only limited access to internals or control over their design.
From page 66...
... Development of a Networked Information System The development of an NIS proceeds in phases that are similar to the phases of development for other computerized information systems:
· Decide on the structure or architecture of the system.
· Build and acquire components.
From page 67...
... For software-intensive products, early arrival in the marketplace is often critical to success in that marketplace. This means that software development practice becomes distorted to maximize functionality and minimize development time, with little attention paid to other qualities.
From page 68...
... provide other opportunities for unanticipated schedule and cost perturbation. For use in an NIS, a configuration management tool not only must track changes in locally developed software components but also must keep track of vendor updates to COTS components.
From page 69...
... As a consequence, requirements documents are supplemented (and often supplanted) with a concept of operations
From page 70...
... Notation and Style Requirements documents are written first in ordinary English, which is notorious for imprecision and ambiguity. Most industrial developers do not use even semiformal specification notations, such as the SCR/A7 tabular technique (Heninger, 1980).
From page 71...
... The issue is illustrated by turning to building codes, which are a kind of requirements document. Building codes distinguish between performance specifications and design specifications.
From page 72...
... An understanding of the application domain itself and mastery of a variety of engineering disciplines other than software engineering may be necessary to perform requirements analysis for an NIS. Identification of system vulnerabilities is one process for which a broad understanding of the larger system context (including users, operators, and the physical environment)
From page 73...
... Interviews conducted in the 1970s with experienced project managers revealed their skepticism about making significant investments in system-level requirements documents (Honeywell Corporation, 1975). Those veterans of large-scale aerospace and defense projects believed that any significant efforts regarding requirements should be directed to the level of subsystems or components.
From page 74...
... Conceivably, other techniques could be developed for acquiring this insight. However, systems requirements documents serve also for communication within a project team as well as with customers and suppliers; any alternative technique would have to address this need as well.
From page 75...
... A rigorous interface description is particularly important when the interface being defined is between subsystems implemented by different teams.6 The definition of interfaces and the determination of which interfaces are sufficiently important to warrant control by project management are, like the rest of top-level design, more an art than a science. 5 As with the top-level design itself, there exist no generally accepted notations for such diagrams, nor do there exist widely used tools to support the development of dependency diagrams.
From page 76...
... Critical Components A critical component is one whose failure would result in an undetected and irrecoverable failure to satisfy a trustworthiness requirement. Experienced designers attempt to produce top-level designs for which the number of components that depend on critical components is not constrained but the critical components themselves depend on as few other
From page 77...
... Unless the critical components come from vendors with impeccable credentials, development teams generally prefer, wherever feasible, to implement the critical components themselves. That way, all aspects of the design, implementation, and verification of critical components can be strictly controlled.
From page 78...
... Project Structure, Standards, and Process Other branches of engineering rely heavily on controlling the development process to ensure the quality of engineering artifacts. The Software Engineering Institute's Capability Maturity Model (CMM)
From page 81...
... They try to improve software development practices by replacing or supplementing human effort. Testing an interactive application that employs a graphic user interface, for example, requires the manipulation of complex software structures, the management of extensive detail, and the application of sophisticated algorithms.
From page 82...
... 10. Since the investment of resources needed for a large software development project is substantial, managers are reluctant to embrace new software technologies because they entail greater risks.
From page 83...
... However, the popularity of graphical user interfaces has led to the development of tools that enable designers to rapidly prototype user interfaces. Generally speaking, prototyping is sensible in requirements analysis and can even serve as an executable requirements document.
From page 84...
... As practiced within the aerospace, defense, and other large-scale computing system development communities (but not necessarily in commercial practice) over the last two decades, that process consists of roughly the following steps: · Review the component requirements document for sanity.
From page 85...
... Moreover, certain NIS building blocks (mobile code and Web browsers with helper applications, for example) compromise the advantages of modular design by permitting unrestricted interactions between different software components. Programming Languages Modern programming languages, such as C++, Java, and Ada, include compile-time checks to detect a wide range of possible errors.
From page 86...
... The preponderance of COTS and legacy components in a typical networked information system assures the relevance of scripting languages to the enterprise. Also of interest to NIS developers are very-high-level languages and domain-specific languages, which provide far-higher-level programming abstractions than traditional programming languages do.
From page 87...
... common object model (COM) (Microsoft Corporation and Digital Equipment Corporation, 1995)
From page 88...
... COTS software development practices in the personal computer (PC) era arose in a technical and economic environment that tended to ignore trustworthiness.
From page 89...
... But today, COTS software is moving toward being a business of providing components (and possibly critical components) for NISs that can be high consequence, either because they were explicitly designed that way or because people assign to them a level of trust that their designers never intended. General Problems with COTS Components The use of COTS components presents special problems for the responsible developer of an NIS.
From page 90...
... Finally, using COTS software in an NIS has the advantages and disadvantages that accompany any form of "outsourcing." COTS components can offer rich functionality and may be better engineered and tested than would be cost-effective for components developed from scratch for a relatively smaller user community. But an NIS that uses COTS components becomes dependent on a third party for decisions about a component's evolution and the engineering processes used in its construction (notably regarding assurance)
From page 91...
... 4. Modern programming languages include features, such as compile-time checks and support for modularity and component integration, that promote trustworthiness.
From page 92...
... COTS components may be less expensive, have greater functionality, and be better engineered and tested than is feasible for customized components. Yet the use of COTS makes developers dependent on outside vendors for the design and enhancement of important components; specifications may be incomplete and may compel users to discover features by experimentation.
From page 93...
... In both top-down and bottom-up integration, confidence in correct behavior is gained through the use of simulated rather than actual components; stubs are used in top-down integration, and test drivers are used in bottom-up integration. Clearly, the use of the actual components would be preferable, so software developers devised a more sophisticated approach known as thread integration or thread testing.
From page 94...
... but also work together. In traditional software development, the word "subsystem" in the preceding discussion could be replaced by the word "system." Once the integration of a single node was complete, the job was done.
From page 95...
... Formal Methods Formal methods is the name given to a broad class of mathematically based techniques for the description and analysis of hardware, software, and entire computing systems. The descriptions may range, on the one hand, from general statements about desirable system properties, as might be found in a requirements document or high-level specification, to, on the other hand, detailed depictions of intended behavior for specific pieces of software or hardware.
From page 96...
... have no system-independent formalization and, therefore, are not amenable to direct analysis using formal methods. Growth in cost-effective desktop computing power continues to move the field of formal methods toward computer-aided and fully mechanized formal methods from more manual ones. A second significant force has been the need to build confidence when programming ever richer system behaviors (involving time, other physical processes, fault tolerance, security)
From page 97...
... Formal methods applied to requirements analysis has led to some of the more visible of these industrial successes. By formulating requirements in a language having unambiguous semantics, developers can better understand requirements and can use automated tools to discover ambiguity, inconsistency, and incompleteness.
From page 98...
... Even if size were not an issue, COTS components are rarely accompanied by the formal specifications necessary for doing formal verification of an NIS built from COTS components. It would be wrong, however, to conclude that formal verification cannot contribute to the construction of an NIS.
From page 99...
... This is the impetus for recent interest by the software engineering community in so-called lightweight formal methods, like the LCLint tool, which is able to check C programs for a variety of variable type and use errors (Detlefs, 1996), and Eraser, a tool for detecting data races in lock-based multithreaded programs (Savage et al., 1997).
From page 100...
... Today, companies are marketing formal verification tools for use in hardware design and synthesis.26 And there are anecdotal reports that the number of doctoral graduates in mechanized formal methods is now insufficient to fill the current demands of industry.27 Although once there was a belief that the deployment of formal methods required educating the entire development team, most actual deployments have simply augmented a development team with formal methods experts. The job of these experts was beautifully characterized by I S
From page 101...
... Over the last decade, formal methods researchers survived only by devoting a significant fraction of their effort to performing realistic demonstration exercises (and these have helped to move formal methods from the research laboratory into industrial settings)
From page 102...
... The characteristics of networked information systems, namely geographic distribution of inputs and outputs, uncontrollable and unmonitorable subsystems (e.g., networks and legacy systems), and large numbers of inputs, make this class of system especially sensitive to the inadequacy of testing only subsets of the input space.
From page 103...
... 5. Formal methods are being used with success in commercial and industrial settings for hardware development and requirements analysis and with some success for software development.
From page 104...
... 1993. "The Infeasibility of Quantifying the Reliability of Life-critical Real-time Software," IEEE Transactions on Software Engineering, 19(1):3-12.
From page 105...
... 1998. "Experiences Using Lightweight Formal Methods for Requirements Modeling," IEEE Transactions on Software Engineering, 24(7)
From page 106...
... 1995. "A Correlational Study of the CMM and Software Development Performance," Crosstalk: The Journal of Defense Software Engineering, 8(9):21-25.
From page 107...
... 1997. "An Experiment to Assess the Cost-Benefits of Code Inspections in Large Scale Software Development," IEEE Transactions on Software Engineering, 23(6):329-346.
From page 108...
... 1991. "Software Process Improvement at Hughes Aircraft," IEEE Software, 8(4):11-23.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.