Creating high confidence, highly dependable, critical software

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

IB Portfolio Tasks 20% of final grade
Test process essentials Riitta Viitamäki,
Acceptance Testing.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
LIFE CYCLE MODELS FORMAL TRANSFORMATION
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
Software Quality Assurance Inspection by Ross Simmerman Software developers follow a method of software quality assurance and try to eliminate bugs prior.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
May 11, ACL2 Panel: What is the Future of Theorem Proving? Arvind Computer Science & Artificial Intelligence Laboratory.
COMP2001 Testing. Aims of Testing To achieve a correct system producing correct results with a variety of input data.
Modified from Sommerville’s originals Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.
Writing Good Software Engineering Research Papers A Paper by Mary Shaw In Proceedings of the 25th International Conference on Software Engineering (ICSE),
High Confidence Medical Device Software and Systems: A programming languages and tools perspective Mark P Jones Department of Computer Science & Electrical.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
1 Computer Systems & Architecture Lesson 1 1. The Architecture Business Cycle.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
Expert System Presentation On…. Software Certification for Industry - Verification and Validation Issues in Expert Systems By Anca I. Vermesan Presented.
University of Palestine software engineering department Testing of Software Systems Fundamentals of testing instructor: Tasneem Darwish.
Assurance techniques for code generators Ewen Denney USRA/RIACS, NASA Ames Bernd Fischer ECS, U Southampton.
Course: Software Engineering © Alessandra RussoUnit 1 - Introduction, slide Number 1 Unit 1: Introduction Course: C525 Software Engineering Lecturer: Alessandra.
Verification and Validation Overview References: Shach, Object Oriented and Classical Software Engineering Pressman, Software Engineering: a Practitioner’s.
2.2 Software Myths 2.2 Software Myths Myth 1. The cost of computers is lower than that of analog or electromechanical devices. –Hardware is cheap compared.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
B. Fernández, D. Darvas, E. Blanco Formal methods appliedto PLC code verification Automation seminar CERN – IFAC (CEA) 02/06/2014.
West Virginia University Towards Practical Software Reliability Assessment for IV&V Projects B. Cukic, E. Gunel, H. Singh, V. Cortellessa Department of.
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
Software Debugging, Testing, and Verification Presented by Chris Hundersmarck November 10, 2004 Dr. Bi’s SE516.
Formal Methods.
More on Correctness. Prime Factorization Problem: Write a program that computes all the prime factors of a given number Solution (Idea): Factors are less.
An Axiomatic Basis for Computer Programming Robert Stewart.
Formal Methods in SE Software Verification Using Formal Methods By: Qaisar Javaid, Assistant Professor Formal Methods1.
Scientific Debugging. Errors in Software Errors are unexpected behaviors or outputs in programs As long as software is developed by humans, it will contain.
Software Quality Assurance and Testing Fazal Rehman Shamil.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
“The Role of Experience in Software Testing Practice” A Review of the Article by Armin Beer and Rudolf Ramler By Jason Gero COMP 587 Prof. Lingard Spring.
Certification of Reusable Software Artifacts
PeerWise Student Instructions
PREPARED BY G.VIJAYA KUMAR ASST.PROFESSOR
Professor: Zvi Aronson, Ph.D.
Lecture 3 Prescriptive Process Models
Formal Methods: Model Checkers and Theorem Provers
Experiences Using Lightweight Formal Methods for Requirements Modeling
Definition CASE tools are software systems that are intended to provide automated support for routine activities in the software process such as editing.
Rapid Application Development
Chapter 18 Maintaining Information Systems
ANALYZING AND RECORDING TRANSACTIONS
Verification and Testing
Creating high confidence, highly dependable, critical software
Research Process №5.
Chapter 6: Design of Expert Systems
Level 1 Level 1 – Initial: The software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends.
Jared Davis CyberTrust Meeting March 1, 2006
Critical Systems Validation
More about Tests and Intervals
Automated Extraction of Inductive Invariants to Aid Model Checking
CS240: Advanced Programming Concepts
Creating high confidence, highly dependable, critical software
CHAPTER 10 METHODOLOGIES FOR CUSTOM SOFTWARE DEVELOPMENT
DMAIC Roadmap DMAIC methodology is central to Six Sigma process improvement projects. Each phase provides a problem solving process where-by specific tools.
Copyright © Cengage Learning. All rights reserved.
Introduction to ISO & The Quality Process.
Language-based Security
CS310 Software Engineering Lecturer Dr.Doaa Sami
Department of Computer Science Abdul Wali Khan University Mardan
When, What, Why create system and software models
Software Development Techniques
Presentation transcript:

Creating high confidence, highly dependable, critical software For the last year I’ve been interested in how to make software more dependable, how to have more confidence in our software. I’d like to share with you some of the things I’ve learned. Roger L. Costello March 24, 2018

View the “Notes” section I added notes under each slide. Be sure to read the notes. Read the notes in here. Did you see my introductory note on the previous slide?

Traditional approach Test the heck out of it. Verification Microsoft: One tester for every developer Verification Mathematical theorem-proving techniques Follow a formal certification process. Aeronautical software: follow the DO-178C process Traditionally, the approach to creating highly dependable software is three-pronged: (1) Test the heck out of the software. At Microsoft there is approximately one tester for every developer. (2) Use formal, theorem-proving techniques to prove the correctness of the code. (3) Follow a formal certification process. For example, aerospace companies must follow the certification process DO-178C for their software to be approved by the FAA.

Testing to produce dependable software Testing is indispensable. No software system can be regarded as dependable if it has not been extensively tested. At the same time, it is important to realize that testing alone is incomplete and is rarely sufficient to establish high levels of dependability. Even the largest test suites will not exercise enough paths to provide evidence that the software is correct and will have little statistical significance for the levels of confidence usually desired. It is erroneous to believe that a rigorous development process, in which testing and code review are the only verification techniques used, justifies claims of high levels of dependability.

Acknowledgement: this diagram is from Greg Dennis’ Ph.D dissertation. Due to its low initial costs, testing can be an attractive option for checking program correctness. A handful of test cases can be written quickly without much expertise, run fully automatically, and when bugs are found, testing provides the user with concrete counterexamples that exhibit the error. As this diagram shows, testing allows users, for relatively little cost, to obtain an immediate boost in confidence in the correctness of their code. The challenge of testing is that high confidence is very difficult and costly to obtain. If high confidence is required, a developer might instead opt for theorem proving. As its name implies, theorem proving yields a proof of the program’s correctness—a very high level of confidence. However, as reflected in this diagram, theorem proving requires a large investment in both time and expertise before any confidence is obtained. It is common for a theorem prover to carry a learning curve of about 6 months, even for a highly skilled developer. That amount of upfront investment makes theorem proving prohibitively expensive for most projects. Acknowledgement: this diagram is from Greg Dennis’ Ph.D dissertation.

Certification process to produce dependable software DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as FAA, approve all commercial software-based aerospace systems. IEC 60880 provides requirements for the purpose of achieving highly reliable nuclear software. To date, most approaches to developing dependable software have relied on fixed prescriptions, in which particular processes are applied and from which dependability is assumed to follow. Some certification schemes, for example, associate higher safety integrity levels with more burdensome process prescriptions and imply that following the processes recommended for the highest integrity levels will ensure that the failure rate is minuscule. In the absence of a carefully constructed dependability case, such confidence is misplaced.

Model of an aircraft Aircraft companies create models before building aircraft. Why? Because models are more convenient to analyze and because an actual aircraft contains lots of details that are irrelevant for analysis. Models allow concepts to be developed before committing to physically building the aircraft.

Model of software model of the software software (application) Enlightened software companies create models before building software. Why? Because models are more convenient to analyze and because the actual software contains lots of details that are irrelevant for analysis. Models allow concepts to be developed before committing to implementing the code.

MIT Professor Daniel Jackson created Alloy for making software models A couple years ago I was looking for ways to create more dependable software. I discovered something called Alloy, which was created at MIT. Alloy is both a language and an analysis tool. The language is used to create models of software. The analysis tool can automatically, exhaustively evaluate models for vulnerabilities. Further, the analysis tool can automatically generate instances that satisfies the model’s constraints. In a project that I recently worked on, this instance-generator capability of Alloy enabled us to find an error that had gone undetected for more than a decade.

Alloy = “lightweight formal modeling” Formal theorem proving can create highly dependable software, but it is very expensive. Alloy is rigorous, like formal theorem proving, but simpler. The modeling done in Alloy is called lightweight formal modeling. Unlike formal modeling, there are no complicated mathematics or unfamiliar symbols. The Alloy language is based on simple notions of basic logic. http://www.cs.cornell.edu/conferences/formalnetworks/pamela-slides-i.pdf

Traditional testing Alloy analysis Whereas testing is incomplete, the Alloy Analyzer does exhaustive checking, within a bound. It leaves no stone unturned. If there are problems in corner cases, the Analyzer will find them. This forearms the developer to be aware and alert to those corner cases. In other words, through modeling and analysis the concepts are worked out and verified prior to committing to code. This leads to a higher level of confidence in the code.

Alloy Alloy requires a greater upfront investment than testing, but once that initial investment is made, it provides a dramatic increase in confidence. Being fully automatic, its cost is much lower than theorem proving, though it can never attain the confidence of a proof. The Alloy language is expressive. It is capable of checking a model against strong, user-provided properties, such as: The radiotherapy system will not deliver an overdose to the patient.

Recently I have been reading this book from the National Academy of Sciences. Its central premise is that a “dependability case” must be made which provides evidence that the software is dependable. Part of that dependability case are models and exhaustive analysis of the models.

Creating software that is highly dependable Testing Certification process Dependable software To wrap things up, I think that Alloy can help create more dependable software. Software model and analysis (Alloy)

Acknowledgement Much of the information in these slides come from these sources: The book Software Abstractions by Daniel Jackson. The National Academy of Sciences book (see 2 slides back). Greg Dennis’ Ph.D dissertation.