Type safety for feature-oriented product lines

A feature-oriented product line is a family of programs that share a common set of features. A feature implements a stakeholder’s requirement and represents a design decision or configuration option. When added to a program, a feature involves the introduction of new structures, such as classes and methods, and the refinement of existing ones, such as extending methods. A feature-oriented decomposition enables a generator to create an executable program by composing feature code solely on the basis of the feature selection of a user—no other information needed. A key challenge of product line engineering is to guarantee that only well-typed programs are generated. As the number of valid feature combinations grows combinatorially with the number of features, it is not feasible to type check all programs individually. The only feasible approach is to have a type system check the entire code base of the feature-oriented product line. We have developed such a type system on the basis of a formal model of a feature-oriented Java-like language. The type system guaranties type safety for feature-oriented product lines. That is, it ensures that every valid program of a well-typed product line is well-typed. Our formal model including type system is sound and complete.     

特征功能分析在产品线构件设计中的应用研究

以功能交互的视角解剖特征模型结构, 从中分析特征之间存在的功能交互, 并根据其中的功能实现特点设计了一套特征—构件模型映射算法来构造面向特征的高内聚构件模型。这一过程实现了特征的内在功能完整性, 其之上的功能耦合也随之解除。这不仅提高了可复用软件资产自动化效率, 且大大减低了日后的维护成本。     

rbFeatures: Feature-oriented programming with Ruby

Features are pieces of core functionality of a program that is relevant to particular stakeholders. Features pose dependencies and constraints among each other. These dependencies and constraints describe the possible number of variants of the program: A valid feature configuration generates a specific variant with unique behavior. Feature-Oriented Programming is used to implement features as program units. This paper introduces rbFeatures, a feature-oriented programming language implemented on top of the dynamic programming language Ruby. With rbFeatures, programmers use software product lines, variants, and features as first-class entities. This allows several runtime reflection and modification capabilities, including the extension of the product line with new features and the provision of multiple variants. The paper gives a broad overview to the implementation and application of rbFeatures. We explain how features as first-class entities are designed and implemented, and discuss how the semantics of features are carefully added to Ruby programs. We show two case studies: The expression product line, a common example in feature-oriented programming, and a web application.     

Context-aware privacy-preserving access control for mobile computing

In mobile and pervasive computing applications, opportunistic connections allow co-located devices to exchange data directly. Keeping data sharing local enables large-scale cooperative applications and empowers individual users to control what and how information is shared. Supporting such applications requires runtime frameworks that allow them to manage the who, what, when, and how of access to resources. Existing frameworks have limited expressiveness and do not allow data owners to modulate the granularity of information released. In addition, these frameworks focus exclusively on security and privacy concerns of data providers and do not consider the privacy of data consumers. We present PADEC, a context-sensitive, privacy-aware framework that allows users to define rich access control rules over their resources and to attach levels of granularity to each rule. PADEC is also characterized by its expressiveness, allowing users to decide under which conditions should which information be shared. We provide a formal definition of PADEC and an implementation based on private function evaluation. Our evaluation shows that PADEC is more expressive than other mechanisms, protecting privacy of both consumers and providers.     

The dynamic predicate: integrating access control with query processing in XML databases

Recently, access control on XML data has become an important research topic. Previous research on access control mechanisms for XML data has focused on increasing the efficiency of access control itself, but has not addressed the issue of integrating access control with query processing. In this paper, we propose an efficient access control mechanism tightly integrated with query processing for XML databases. We present the novel concept of the dynamic predicate (DP), which represents a dynamically constructed condition during query execution. A DP is derived from instance-level authorizations and constrains accessibility of the elements. The DP allows us to effectively integrate authorization checking into the query plan so that unauthorized elements are excluded in the process of query execution. Experimental results show that the proposed access control mechanism improves query processing time significantly over the state-of-the-art access control mechanisms. We conclude that the DP is highly effective in efficiently checking instance-level authorizations in databases with hierarchical structures.     

Aspectual Feature Modules

Two programming paradigms are gaining attention in the overlapping fields of software product lines (SPLs) and incremental software development (ISD). Feature-oriented programming (FOP) aims at large-scale compositional programming and feature modularity in SPLs using ISD. Aspect-oriented programming (AOP) focuses on the modularization of crosscutting concerns in complex software. Although feature modules, the main abstraction mechanisms of FOP, perform well in implementing large-scale software building blocks, they are incapable of modularizing certain kinds of crosscutting concerns. This weakness is exactly the strength of aspects, the main abstraction mechanisms of AOP. We contribute a systematic evaluation and comparison of FOP and AOP. It reveals that aspects and feature modules are complementary techniques. Consequently, we propose the symbiosis of FOP and AOP and aspectual feature modules (AFMs), a programming technique that integrates feature modules and aspects. We provide a set of tools that support implementing AFMs on top of Java and C++. We apply AFMs to a nontrivial case study demonstrating their practical applicability and to justify our design choices.     

Feature-interaction detection based on feature-based specifications

Formal specification and verification techniques have been used successfully to detect feature interactions. We investigate whether feature-based specifications can be used for this task. Feature-based specifications are a special class of specifications that aim at modularity in open-world, feature-oriented systems. The question we address is whether modularity of specifications impairs the ability to detect feature interactions, which cut across feature boundaries. In an exploratory study on 10 feature-oriented systems, we found that the majority of feature interactions could be detected based on feature-based specifications, but some specifications have not been modularized properly and require undesirable workarounds to modularization. Based on the study, we discuss the merits and limitations of feature-based specifications, as well as open issues and perspectives. A goal that underlies our work is to raise awareness of the importance and challenges of feature-based specification.     

基于适应性构件模型的软件产品线设计和实现(英文)

在当前面向特征的软件产品线开发方法中,需求级的可变性分析、可变点表示以及面向应用的定制已经得到了较好的支持。但是,从需求级的定制和裁剪( 特征模型) 到实现级( 体系结构和构件) 的映射仍然存在许多困难。针对这一问题,文章提出了一种基于适应性构件模型的软件产品线开发方法。这种适应性构件模型引入基于特征的领域模型作为构件端口( 包括内部端口和外部端口) 的语义基础。另一方面, 适应性构件模型所具有的微体系结构使得面向特定应用的构件行为定制成为可能。为了实现构件级面向特征的定制, 构件内部负责内部和外部协作的控制中心与构件的计算逻辑被分离开来执行经定制后的构件行为协议和端口语义。构件协作和计算功能的分离使针对构件行为的面向应用的定制更加便利。这样,产品线应用开发中需求级的特征定制就可以映射为体系结构和构件级的结构和行为调整。     

基于XACML的Web服务访问控制模型

Web服务的一个显著特点是在于它们能够被互联网上的用户方便地访问。但这种方便带来了安全性的隐患。该文提出了一个适合Web服务的访问控制系统模型。基于属性证书的使用，采用XACML作为描述访问控制准则的语言。系统充分利用了Web服务支持XML和XACML的特点，集成了权限管理基础设施和XACML，使自身适合各种异构的Web服务。     

Strongly competitive algorithms for caching with pipelined prefetching

Suppose that a program makes a sequence of m accesses (references) to data blocks; the cache can hold k<m blocks. An access to a block in the cache incurs one time unit, and fetching a missing block incurs d time units. A fetch of a new block can be initiated while a previous fetch is in progress; thus, min{k,d} block fetches can be in progress simultaneously. Any sequence of block references is modeled as a walk on the access graph of the program. The goal is to find a policy for prefetching and caching, which minimizes the overall execution time of a given reference sequence. This study is motivated from the pipelined operation of modern memory controllers, and from program execution on fast processors. In the offline case, we show that an algorithm proposed by Cao et al. [Proc. of SIGMETRICS, 1995, pp. 188-197] is optimal for this problem. In the online case, we give an algorithm that is within factor of 2 from the optimal in the set of online deterministic algorithms, for any access graph, and k,d?1. Better ratios are obtained for several classes of access graphs which arise in applications, including complete graphs and directed acyclic graphs (DAG).     

PolicyUpdater: a system for dynamic access control

PolicyUpdater is a fully-implemented authorisation system that provides policy evaluations as well as dynamic policy updates. These functions are achieved by the use of a logic-based language, , to represent the underlying access control policies, constraints and update propositions. The system performs access control query evaluations and conditional policy updates by translating the language policies to a normal logic program in a form suitable for evaluation using the Stable Model semantics. In this paper, we show the underlying mechanisms that make up the PolicyUpdater system, including the theoretical foundation of its formal language, system structure, implementation issues and performance analysis.     

Spatial Domains for the Administration of Location-based Access Control Policies

In the last few years there has been an increasing interest for a novel category of access control models known as location-based or spatially-aware role-based access control (RBAC) models. Those models advance classical RBAC models in that they regulate the access to sensitive resources based on the position of mobile users. An issue that has not yet been investigated is how to administer spatially-aware access control policies. In this paper we introduce GEO-RBAC Admin, the administration model for the location-based GEO-RBAC model. We discuss the concepts underlying such administrative model and present a language for the specification of GEO-RBAC policies.

Automated verification of access control policies using a SAT solver

Managing access control policies in modern computer systems can be challenging and error-prone. Combining multiple disparate access policies can introduce unintended consequences. In this paper, we present a formal model for specifying access to resources, a model that encompasses the semantics of the xacml access control language. From this model we define several ordering relations on access control policies that can be used to automatically verify properties of the policies. We present a tool for automatically verifying these properties by translating these ordering relations to Boolean satisfiability problems and then applying a sat solver. Our experimental results demonstrate that automated verification of xacml policies is feasible using this approach. This work is supported by NSF grants CCF-0614002 and CCF-0716095.     

Building hybrid access control by configuring RBAC and MAC features

ContextRole-Based Access Control (RBAC) and Mandatory Access Control (MAC) are widely used access control models. They are often used together in domains where both data integrity and information flow are concerned. However, there is little work on techniques for building hybrid access control of RBAC and MAC.ObjectiveIn this work, we present a systematic approach for developing a hybrid access control model using feature modeling with the aim of reducing development complexity and error-proneness.MethodIn the approach, RBAC and MAC are defined in terms of features based on partial inheritance. Features are then configured for specific access control requirements of an application. Configured features are composed homogeneously and heterogeneously to produce a hybrid access model for the application. The resulting hybrid model is then instantiated in the context of the application to produce an initial design model supporting both RBAC and MAC. We evaluate the approach using a hospital system and present its tool support.ResultsRBAC and MAC features that are specifically configured for the application are systematically incorporated into a design model. The heterogeneous features of RBAC and MAC are not only present in the resulting model, but also semantically composed for seamless integration of RBAC and MAC. Discharging the proof obligations of composition rules to the resulting model proves its correctness. The successful development of the prototype demonstrates its practicality.ConclusionFeatures in the access control domain are relatively small in size and are suitable to be defined as design building blocks. The formal definition of partial inheritance and composition methods in the presented approach enables precisely specifying access control features and feature configuration, which paves the way for systematic development of a hybrid access control model in an early development phase.     

Maintenance of integrity during concurrent access in a building design database

This paper proposes an implementation structure and the corresponding relational model for a building design database. The structure strongly supports designer—database interaction by providing extremely versatile access mechanisms and an associated concurrrency control mechanism. It is demonstrated that the relational model provides a flexibility of access not readily available in other models. The implementation structure supports designer access to database entities by location, attribute value, and combinations of both. It also supports ad hoc groupings of data. At the same time it maintains the integrity of the database against violations caused by concurrent use. Existing concurrency control methods are explored and a new level of locking for concurrency control is proposed. The module is recommended as the optimal level to which a locking mechanism be applied.     

Efficient implementation of globally-aware network flow control

Network flow control mechanisms that are aware of global conditions potentially can achieve higher performance than flow control mechanisms that are only locally aware. Owing to high implementation overhead, globally-aware flow control mechanisms in their purest form are seldom adopted in practice, leading to less efficient simplified implementations. In this paper, we propose an efficient implementation of a globally-aware flow control mechanism, called Critical Bubble Scheme, for k-ary n-cube networks. This scheme achieves near-optimal performance with the same minimal buffer requirements of globally-aware flow control and can be further generalized to implement the general class of buffer occupancy-based network flow control. We prove deadlock freedom of the proposed scheme and exploit its use in handling protocol-induced deadlocks in on-chip environments. We evaluate the proposed scheme using both synthetic traffic and real application loads. Simulation results show that the proposed scheme can reduce the buffer access component of packet latency by as much as 62% over locally-aware flow control, and improve average packet latency by 18.8% and overall execution time by 7.2% in full system simulation.     

Quantifying structural attributes of system decompositions in 28 feature-oriented software product lines

A key idea of feature orientation is to decompose a software product line along the features it provides. Feature decomposition is orthogonal to object-oriented decomposition—it crosscuts the underlying package and class structure. It has been argued often that feature decomposition improves system structure by reducing coupling and by increasing cohesion. However, recent empirical findings suggest that this is not necessarily the case. In this exploratory, observational study, we investigate the decompositions of 28 feature-oriented software product lines into classes, features, and feature-specific class fragments. The product lines under investigation are implemented using the feature-oriented programming language Fuji. In particular, we quantify and compare the internal attributes import coupling and cohesion of the different product-line decompositions in a systematic, reproducible manner. For this purpose, we adopt three established software measures (e.g., coupling between units, CBU; internal-ratio unit dependency, IUD) as well as standard concentration statistics (e.g., Gini coefficient). In our study, we found that feature decomposition can be associated with higher levels of structural coupling in a product line than a decomposition into classes. Although coupling can be concentrated in very few features in most feature decompositions, there are not necessarily hot-spot features in all product lines. Interestingly, feature cohesion is not necessarily higher than class cohesion, whereas features are more equal in serving dependencies internally than classes of a product line. Our empirical study raises critical questions about alleged advantages of feature decomposition. At the same time, we demonstrate how our measurement approach of coupling and cohesion has potential to support static and dynamic analyses of software product lines (i.e., type checking and feature-interaction detection) by facilitating product sampling.     

A Trust-Based Context-Aware Access Control Model for Web-Services

A key challenge in Web services security is the design of effective access control schemes that can adequately meet the unique security challenges posed by the Web services paradigm. Despite the recent advances in Web based access control approaches applicable to Web services, there remain issues that impede the development of effective access control models for Web services environment. Amongst them are the lack of context-aware models for access control, and reliance on identity or capability-based access control schemes. Additionally, the unique service access control features required in Web services technology are not captured in existing schemes. In this paper, we motivate the design of an access control scheme that addresses these issues, and propose an extended, trust-enhanced version of our XML-based Role Based Access Control (X-RBAC) framework that incorporates trust and context into access control. We outline the configuration mechanism needed to apply our model to the Web services environment, and provide a service access control specification. The paper presents an example service access policy composed using our framework, and also describes the implementation architecture for the system.This is an extended version of the paper that has been presented at the 3rd International Conference on Web Services (ICWS), San Diego, 6–9 July 2004.Recommended by: Athman Bouguettaya and Boualem Benatallah     

Multiple domain feature mapping: a methodology based on deep models of features

In the research described in this paper, an approach that utilizes deep models of features to transform a component design represented by neutral features into domain-specific features has been developed. The neutral features are known as feature-oriented generic shapes (FOGSs). The proposed approach provides the flexibility needed to represent both the deep and shallow knowledge required in feature mapping. A deep model of a feature is represented in the form of a face connectivity graph (FCG) that embodies deep knowledge about its geometry, while other non-geometrical information can be represented as rules or procedural functions. By comparing the original faces of a product model with those of the resultant evaluated boundary model, faces of interest can be easily extracted and described using FCGs. A FCG can then be examined to determine its class and the relevant parameters for applications in such domains as process planning. The mapping shell is designed with layered architecture that makes it highly appropriate for implementation using blackboard technology.     

一种面向对象系统基于角色的访问控制模型研究

针对面向对象系统,提出面向对象的基于角色的访问控制模型.本模型通过在模型中添加角色类,并描述了角色类的继承关系,从而有效地减少了面向对象系统中类和类之间的关系表达,更加便于类和类之间安全策略的描述和管理.描述该模型的信息流控制特征,其能够有效地保障面向对象系统中对象与对象之间消息传递的可控性,防止信息的泄漏.