Looking for a Good Argument: Assurance Case Frameworks for High Confidence Software Chuck Howell 10 October 2002.

Slides:



Advertisements
Similar presentations
Software Engineering Key construction decisions Design challenges.
Advertisements

MDI 2010, Oslo, Norway Behavioural Interoperability to Support Model-Driven Systems Integration Alek Radjenovic, Richard Paige The University of York,
Intelligence Step 5 - Capacity Analysis Capacity Analysis Without capacity, the most innovative and brilliant interventions will not be implemented, wont.
What Behaviors Indicate a Student is Meeting Course Goals and Objectives? “Indicators”
CHAPTER 13 Inference Techniques. Reasoning in Artificial Intelligence n Knowledge must be processed (reasoned with) n Computer program accesses knowledge.
The design process IACT 403 IACT 931 CSCI 324 Human Computer Interface Lecturer:Gene Awyzio Room:3.117 Phone:
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation.
Literature review Cindy Wee Te Puna Ako Learning centre.
G53SEC 1 Foundations of Computer Security. G53SEC Overview of Today’s Lecture: Definitions Fundamental Dilemma Data vs. Information Principles of Computer.
Overview of Nursing Informatics
Lab/Sessional -CSE-374. SYSTEM DEVELOPMENT LIFE CYCLE.
1 Certification Chapter 14, Storey. 2 Topics  What is certification?  Various forms of certification  The process of system certification (the planning.
Scientific Web Intelligence The Birth of a New Research Field Mike Thelwall Statistical Cybermetrics Research Group University of Wolverhampton, UK.
Knowledge Acquisitioning. Definition The transfer and transformation of potential problem solving expertise from some knowledge source to a program.
Analysis Modeling Over view of today’s lesson T he analysis model is the first technical representation of a system. Analysis modeling uses a combination.
Marakas: Decision Support Systems, 2nd Edition © 2003, Prentice-Hall Chapter Chapter 1: Introduction to Decision Support Systems Decision Support.
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.
Lecture 11 Reliability and Security in IT infrastructure.
Software Process and Product Metrics
Science and Engineering Practices
Developing the Marketing Plan
Health Systems and the Cycle of Health System Reform
Who is doing a good job in digital preservation? Audit and Certification of Digital Repositories: ISO and the European Framework.
Exmouth House 3–11 Pine Street London EC1R 0JH T F E W CAE – Next generation and Building.
Romaric GUILLERM Hamid DEMMOU LAAS-CNRS Nabil SADOU SUPELEC/IETR ESM'2009, October 26-28, 2009, Holiday Inn Leicester, Leicester, United Kingdom.
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Chapter : Software Process
Romaric GUILLERM Hamid DEMMOU LAAS-CNRS Nabil SADOU SUPELEC/IETR.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 27 Slide 1 Quality Management 1.
Introduction to Software Quality Assurance (SQA)
Performance Measurement and Analysis for Health Organizations
VTT-STUK assessment method for safety evaluation of safety-critical computer based systems - application in BE-SECBS project.
Software Engineering DKT 311 Lecture 11 Verification and critical system validation.
Philosophy of IR Evaluation Ellen Voorhees. NIST Evaluation: How well does system meet information need? System evaluation: how good are document rankings?
Classroom Assessment A Practical Guide for Educators by Craig A
Chapter 2 Process: A Generic View
Software Quality Assurance SE Software Quality Assurance What is “quality”?
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.
Module 4: Systems Development Chapter 12: (IS) Project Management.
Assurance Case Frameworks Part of High Confidence Software MSR T. Scott Ankrum MITRE — Software Engineering Center March 11, 2004.
Cambridge Pre-U Getting Started In-service Training Liberating learning Developing successful students.
Chapter 1: Introduction Omar Meqdadi SE 2730 Lecture 1 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Software Engineering Principles Principles form the basis of methods, techniques, methodologies and tools Principles form the basis of methods, techniques,
1 FRENCH PROPOSAL FOR ESARR6 1 - BACKGROUND - 15/02/00 : Kick-off meeting, Presentation of the CAA/SRG input (SW01), Request from the chairman to comment.
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.
Deciding how much confidence to place in a systematic review What do we mean by confidence in a systematic review and in an estimate of effect? How should.
Open Platform for EvolutioNary Certification Of Safety-critical Systems Large-scale integrating project (IP) Nuanced Term-Matching to Assist in Compositional.
ITGS Databases.
Software Safety Case Why, what and how… Jon Arvid Børretzen.
Federal Aviation Administration 0 Complex Integrated Avionics and System Safety June 9, Complex Integrated Avionic Systems and System Safety Presentation.
Human Computer Interaction
Academic Reading ENG 115.
Formal Specification: a Roadmap Axel van Lamsweerde published on ICSE (International Conference on Software Engineering) Jing Ai 10/28/2003.
Industrial Avionics Working Group 18/04/07 The Relationship Between the Design and Safety Domains in IAWG Modular Certification Part 2: Completeness of.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Security WG: Report of the Fall 2003 Meeting October 28, 2003 Howard Weiss, NASA/JPL/SPARTA.
.  Evaluators are not only faced with methodological challenges but also ethical challenges on a daily basis.
Requirement Elicitation Nisa’ul Hafidhoh Teknik Informatika
Classroom Assessment A Practical Guide for Educators by Craig A
Modern Systems Analysis and Design Third Edition
Complexity Time: 2 Hours.
CMMI Q & A.
Critical Systems Validation
The Literature Review 3rd edition
Building Independent Learners
Modern Systems Analysis and Design Third Edition
Chapter 13 Quality Management
Modern Systems Analysis and Design Third Edition
Presentation transcript:

Looking for a Good Argument: Assurance Case Frameworks for High Confidence Software Chuck Howell 10 October 2002

2 Our Reach Exceeds Our Grasp in Software l Cause: simple software error - Overflow converting 64 bit value to 16 bit l Failure despite … - Hardware confidence measures: Redundant computers - Software confidence measures: Software used successfully on Ariane-4 l Why? - Both computers ran the same software - Different flight envelope, and evolutionary use changed software’s environment in unanticipated ways 4 June 1996: 1st flight of Ariane-5

3 The Trend: Our Reach Keeps Increasing Consequences of Failure Complexity Software-intensive critical systems Additional pressures: Increasing COTS/legacy use Pace of technology adoption/change Systems of Systems increasing Increasingly a target of attack Often no manual alternative past present future

4 l Software is a discrete system; traditional engineering disciplines typically work with continuous systems l Sensitivity to small errors l Limited ability to generalize test results l Absence of safety margins l Enormous numbers of states to consider l Good experiments and empirical studies are rare, and we have a weak scientific and engineering basis for decisions l Many problems are latent in rarely used portions, waiting for “rare events” to trigger them l “Best practices” often optimize specific activities without respect to the total process and problem Why is This Hard?

5 Bridge Building and Learning What Can go Wrong l Engineers to Nature: “Fool me once, shame on you – fool me twice, shame on me” l Software developers: “Fool me N times, hey, this is complex and anyway no one expects software to work the first time…”

6 So What is an “Assurance Case”? l Safety-critical, security-critical systems are frequently under regulation or acquisition constraints - Third party certification, approval, licensing, etc. - Require a documented body of evidence that provides a compelling case that the system satisfies certain critical properties for specific contexts (to “make the case”) - Examples include DO-178B (civilian avionics), Common Criteria (Infosec), MIL-STD-882D (weapon system safety) - Called “safety case”, “certification evidence”, “security case”… - Collectively we’ll refer to them as “assurance cases”

7 So What is an “Assurance Case”? Claims, subclaims Arguments Evidence

8 Claims in Assurance Cases l Assertion of compliance with key requirements and properties l Must be in a specific context - Environment - Services or behavior - Threats - “Is this brick safe?” illustrates why… l Subclaims may be analogous to “lemmas” in a proof - Supports separation of concerns, workflow, makes overall case more manageable Terminology used here and next few slides is from the SHIP project (EU Environment Programme)

9 Arguments in Assurance Cases l Link evidence to claims via a series of inference rules l Three types of argument - Deterministic: application of defined rules to produce a true/false assertion (e.g., formal proof, exhaustive test) - Probabilistic: quantitative statistical reasoning to establish a numerical threshold (e.g., MTTF) - Qualitative: Relying on adherence to rules that have an indirect link to desired properties (e.g., standards, process guides) l No such thing as perfection: “It is quite possible to follow a faulty analytical process and write a clear and persuasive argument in support of an erroneous judgment” -- R. Heuer, The Psychology of Intelligence Analysis (quotation courtesy Brant Cheikes, MITRE)

10 Evidence in Assurance Cases: The “Assurance Tripod” ProcessProcess ProductProduct TestTest Software Assurance Combining evidence from multiple sources: 0 Process and people used to develop the system 0 Systematic testing 0 Product review and analyses 0 Testing alone cannot provide adequate evidence

11 Combining Evidence: Domain and Structural Expertise Required Domain Issues Structural Software Issues Evidence required to support claims

12 “The Trouble with Assurance Cases Today”… l Much room for improvement - Post-mortems of spectacular mishaps - Cost and burden of high assurance systems l There are problems in every aspects of assurance cases - Building them - Reviewing them - Maintaining them - Reusing them

13 Building the Assurance Case l Most guidance is strong on excruciating detail for format, weak on gathering, merging, and reviewing technical evidence l Guidance often uses the “cast a wide net” tactic - Assurance costs time and money - “Squandered diagnostic resources” l Little tool support and free format text files makes coordination, tracking, and workflow management hard - Imagine building a 500 page project plan by hand, on paper

14 Reviewing the Assurance Case l Stacks of free-format text makes the review process tedious - Hard to see linkages or patterns - Hides key results in sheer volume l Weak guidance on review of arguments and evidence often results in ad hoc criteria (be very nice to your reviewer!) l “It should be what you’ve accomplished, not how hard you’ve worked”… l What if evidence is incomplete, or inconsistent? How to evaluate strength of evidence?

15 Maintaining the Assurance Case l The one thing more brittle than software: the associated assurance case l Volume and free format text makes it difficult to understand impact of a change on assurance structure - Have the claims changed? - Are arguments invalidated or new ones needed? - Is evidence still relevant, new evidence needed? - “Weak link effect” of discrete systems compounds the problem l Revalidation costs are a major burden for critical systems

16 Reusing the Assurance Case l Assurance case frameworks are rarely “1 st class objects”, the subject of study per se l Not much attention paid to tool support, idioms and templates, extracting patterns for future use l The relationship between claims, arguments, and evidence is not often explicit, making it hard to distinguish reusable from project specific portions of assurance case l Compare this with building a deck using a project planning tool

17 Opportunities for Improvement: Focus of MITRE Research l Ask me again this time next year… l Areas being explored (including connecting with existing work) - Notation (including graphical representations) l Goal Structuring Notation, Toulmin structures,… - Tool support l Simple editor and templates l Structural flaws and checking l Templates and idioms l Browser and annotations for review - Empirical study l Comparing various existing assurance cases l Apply early results to guinea pig projects (in parallel)

18 Potential Impact of New Tools and Techniques They’re teaching a new way of plowing over at the Grange tonight - you going? Naw - I already don’t plow as good as I know how... “Knowing is not enough, we must apply. Willing is not enough, we must do.” Goethe

19 Why is This Relevant? Software assurance is to MITRE’s sponsors what oil is to car engines: Slippery, difficult to handle, and easily overlooked - but if not taken care of, everything grinds to a halt...

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.