Performance techniques for COTS systems

COTS components can provide much of the functionality of distributed information systems. These components range from stand-alone elements, such as a Web server or database system, to platform software or an operating system, to embedded functional components, such as a calendar manager or an inventory-management JavaBean. COTS-based software performance demands more powerful investigative methods than custom software. This performance is particularly important when components include internal concurrency, as is the case in J2EE application servers. We need component-based performance modeling to drive system planning, using layered modeling when considering concurrency, and we need high-level traces to capture measurements related to these structures and diagnose performance issues.     

Requirements engineering for COTS based systems

In spite of the increasing use of commercial off-the-shelf (COTS) products for system development, there is little consideration on how to acquire requirements for COTS products, how to select COTS components and how to assemble them to comply to these requirements. The paper addresses the issue of the requirements engineering process for COTS components acquisition and assembly. It proposes an approach based on the notion of requirements maps and assembly strategies and demonstrates the approach with the selection of a CASE tool.     

硅芯片助力汽车制动系统实现更高安全性

微处理器(MCU)是ECU中的关键组件。使用传统的汽车MCU不可能达到SIL3认证要求。因此需要采用全新的芯片架构,以确保处理结果、总线流量的数据完整性以及存储器中数据的安全性与可靠性,同时满足严格的响应时间要求。开发人员可充分利用市场上的微处理器,为ECU制动控制功能达到SIL3认证标准提供所需技术。TI与罗伯特·博世有限公司联合开发的TMS570就是这样一款MCU。     

CLF-CBF-QP新形式下非线性系统的安全攸关控制与优化

利用二次规划(QP)结合控制Lyapunov函数(CLF)和控制障碍函数(CBF)形成非线性系统的一种安全攸关控 制策略, 称为CLF-CBF-QP, 其在实现控制目标和确保安全之间起到协调作用. 然而, 一旦引入附加的约束, 如输入 约束, QP求解可能变得不可行. 另外, 当考虑系统本身的体积或环境中存在快速移动的障碍物时, 动态系统与障碍 物发生碰撞的可能性会极大地提高. 因此, 本文首先从控制输入空间和状态空间的角度分别分析QP求解可行性以 及CLF和CBF中参数对QP求解可行性和系统性能的影响, 并提出一种CLF-CBF-QP新形式来提高优化问题的可解 性; 其次, 在考虑动态系统本身的体积且环境中存在动态障碍物时, 设计一种CBF新形式使其仍能保证系统的安全 性; 最后, 通过线性平面四旋翼在存在动态或静态障碍物的环境中进行轨迹跟踪来验证所提出方法的有效性.     

Pattern based configuration generation for highly available COTS components based systems

ContextService availability is an important quality factor that distinguishes between providers. High availability is achieved when the service is available at least 99.999% of the time. The Service Availability Forum has defined several middleware services, among them the Availability Management Framework (AMF) aims at ensuring the high availability of services provided by applications under its control. AMF requires a configuration. The design of an AMF configuration is complex and error prone. For improving the quality of such configurations, an automated generation technique has been proposed in the literature. However, this technique may generate several configurations among which some may not meet the required level of availability. Therefore, the generated configurations are evaluated using availability analysis tools to select an appropriate one for deployment.ObjectiveInstead of generating configurations, analyze them and select one that meets the required level of availability if any, we target directly configurations that are estimated to satisfy the required level of availability.MethodWe investigated the different aspects/attributes of an AMF configuration that may affect service recovery when a failure happens to come up with configuration design patterns and integrate them into an enhanced configuration generation technique.ResultsA set of configuration design patterns and two lightweight methods for availability estimation have been defined. These configuration design patterns and analysis methods are embedded into an enhanced configuration generation technique to target only the configurations that are estimated to satisfy the required level of availability or the configuration that is the closest to the required level of availability when it is not possible to meet the requirements.ConclusionWe conclude it is possible to target directly the best configurations in terms of estimated availability using configuration design patterns and estimation methods. The enhanced configuration generation technique is less resource and time consuming than related approaches.     

一种新型二乘二取二安全计算机系统

设计一种用于轨道交通系统的二乘二取二安全计算机系统,包括I/O模块、CPU模块和切换模块。在I/O模块中,利用动态电路实现数据安全输入及输出。在CPU模块中,提出一种基于以太网通信的同步表决方案。在切换模块中,通过输出回路控制实现主备之间的无缝切换。测试结果表明,该系统能够满足轨道交通系统对安全计算机平台的可靠性和安全性要求。     

核安全关键软件的验证与确认技术

介绍了加拿大重水铀反应堆CANDU的安全关键软件的验证与确认(V&V)技术,说明了CANDU核反应堆停堆系统的脱扣计算机及其设计方法,详细描述了用于停堆脱扣计算机软件的确认和可靠性V&R测试的多功能测试平台,以及该测试平台在停堆脱扣计算机软件V&R测试中的应用.V&V技术已被成功地应用于各国CANDU核反应堆停堆系统的脱扣计算机设计中,如韩国的月城CANDU核反应堆、中国的秦山CANDU核反应堆、罗马尼亚Cernavda的2号CANDU核反应堆和加拿大Point Lepreau重建的CANDU核反应堆.随着计算机软硬件技术的发展,所描述的过程和工具在近期的项目中已得到了不断的改善.     

软件功能需求驱动的商业构件评估

提出了一种由软件功能需求驱动的评估和选择商业构件（COTS）的新方法。该方法首先基于FCD方法将系统的功能需求分解到各个功能模块。对每个功能模块,识别出一组候选构件,用户根据给定的模板评价候选构件对功能需求的满足度和构件功能的有用性。最优构件组合在给定成本约束下,具有最大的全局需求满足度。选择最优组合的过程是求解一系列优化问题的过程。最后用一个例子进一步说明和验证了该方法。     

测试资源受约束的安全关键软件加速测试方法

基于马尔可夫链使用模型提出了一种针对安全关键软件测试资源受约束的启发式加速测试方法.该方法利用一种新的随机优化技术--交叉熵方法,以软件投放后软件失效风险损失最小为目标,基于失效风险损失通过修正操作剖面,自动生成测试数据集.实验结果表明该方法能有效地降低软件失效风险,提高测试效率,是一种快速有效的加速测试方法.     

Safety-critical Java programs from Circus models

Safety-Critical Java (SCJ) is a novel version of Java that addresses issues related to real-time programming and certification of safety-critical applications. In this paper, we propose a technique that reveals the issues involved in the formal verification of an SCJ program, and provides guidelines for tackling them in a refinement-based approach. It is based on Circus, a combination of well established notations: Z, CSP, Timed CSP, and object orientation. We cater for the specification of timing requirements and their decomposition towards the structure of missions and event handlers of SCJ. We also consider the integrated refinement of value-based specifications into class-based designs using SCJ scoped memory areas. We present a refinement strategy, a Circus variant that captures the essence of the SCJ paradigm, and a substantial example based approach on a concurrent version of a case study that has been used as a benchmark by the SCJ community: an aircraft collision detector.     

A map of security risks associated with using COTS

Combining Internet connectivity and COTS based systems results in increased threats from both external and internal sources. Traditionally, security design has been a matter of risk avoidance. Now more and more members of the security community realize the impracticality and insufficiency of this doctrine. It turns out that strict development procedures can only reduce the number of flaws in a complex system, not eliminate every single one. Vulnerabilities may also be introduced by changes in the system environment or the way the system operates. Therefore, both developers and system owners must anticipate security problems and have a strategy for dealing with them. This is particularly important with COTS based systems, because system owners have no control over the development of the components. The authors present a taxonomy of potential problem areas. It can be used to aid the analysis of security risks when using systems that to some extent contain COTS components     

Acquiring COTS software selection requirements

Commercial off the shelf software can save development time and money if you can find a package that meets your customer's needs. The authors propose a model for matching COTS product features with user requirements. To support requirements acquisition for selecting commercial off the shelf products, we propose a method we used recently for selecting a complex COTS software system that had to comply with over 130 customer requirements. The lessons we learned from that experience refined our design of PORE (procurement oriented requirements engineering), a template based method for requirements acquisition. We report 11 of these lessons, with particular focus on the typical problems that arose and solutions to avoid them in the future. These solutions, we believe, extend state of the art requirements acquisition techniques to the component based software engineering process     

Security control for COTS components

Using COTS components poses serious threats to system security. The authors analyze the risks and describe how their sandbox method can limit the damage potential of COTS components. The sandbox model was originally developed for fault tolerance. Rather than eliminating actual failures, it provides a restricted environment to confine application behavior. The approach confines the damage caused if an application accidentally or maliciously misbehaves. The authors' sandbox method differs from Java's, in that it is built with OS support rather than with support from a particular language. The authors describe the Sendmail version of their sandbox method. Their approach requires B-level security features not found on most conventional OSs. Typically developed for government or military use, B-level certified OSs have more sophisticated security features. The authors explain that their method does not eliminate security problems but rather mitigates the damage caused by compromised applications and thus prevents most common security breaches. Untrusted COTS components can thus be safely plugged into a system without major reengineering, provided there is a suitable security platform     

构造入侵容忍的COTS服务器

文中提出一种可为COTS服务器提供入侵容忍能力的开放式结构,该结构可以在系统已经被入侵时仍然保护系统的可用性、完整性和机密性,并且通过用户代理解决了系统透明性的问题。     

通用的安全苛求软件安全性测试方法

传统的测试脚本语言与测试策略不能满足安全苛求软件系统的测试需求,针对该问题,基于安全苛求软件测试的需求提出一种安全性测试方法,使用场景-事件驱动的安全性测试策略,设计基于该策略的安全性测试脚本语言。高速铁路既有线车站列控中心软件的安全性仿真测试结果证明了该方法的有效性。     

Dependable and predictable time-triggered Ethernet networks with COTS components

TTEthernet is a cross-industry communication standard that supports the integration of predictable time-triggered communication and event-triggered standard Ethernet traffic. This paper explores the ability of extending the firmware of Commercial-Off-The-Shelf (COTS) routers in order to support TTEthernet. Thereby, we can achieve a significant cost reduction, upgrade existing infrastructures and make field-failure rates of COTS devices available for certification. Based on a generic model of a COTS router, we introduce four methods for extending a COTS router with support for time-triggered and event-triggered message exchanges. The extended COTS router redirects time-triggered messages within pre-planed time intervals, while also processing event-triggered messages when no time-triggered message are scheduled. We achieve temporal predictability and low jitter by minimizing the effect of event-triggered messages onto the timing of time-triggered messages. Furthermore, experimental results from a prototype implementation provide insight into the performance differences between a COTS router and dedicated hardware.     

COTS tenders and integration requirements

When buying COTS-based software, the customer has to choose between what is available. The supplier may add some minor parts, but rarely everything the customer wants. This means that the customer cannot write down his requirements and expect that they can all be met. A scoring system is necessary rather than traditional mandatory requirements. Requirements for integrating the new COTS system with other systems are particularly hard because suppliers may integrate in different ways and with different other systems. A related problem is that once the new COTS system is purchased, the COTS supplier may have a de facto monopoly. Only he can expand the system or integrate it with other systems. The traditional way to purchase COTS is to iteratively find the right product. However, in a tender process this is not possible, and another solution is necessary. Experience shows that customers fail to deal with these issues adequately. As an example they may believe that asking for open interfaces is sufficient to guard them against monopoly. In this paper we analyze the problems and show ways to deal with them. We illustrate the problems and solutions with real-life examples from electronic patient recording systems.