Designing Trustworthy Software Systems Using the NFR Approach
Nary Subramanian1, Steven Drager2 and William McKeever2, 1University of Texas at Tyler, Tyler, TX, USA, 2US Air Force Research Lab, Rome, NY, USA
Trustworthy systems are essential for critical operations—they ensure that reliability, usability, interoperability, and security are built into the systems, and that the systems deliver when they are most needed. There are environments where trustworthiness is an essential property in military, government, and civil domains. Examples include missile deployment control systems, the tax submission system of the federal government, and nuclear safety control systems. However, not many methods exist for the systematic engineering of trustworthy software systems. In this chapter we describe the application of the NFR Approach for designing a trustworthy software system. The NFR Approach, where NFR stands for “non-functional requirement,” treats trustworthiness as a goal to be achieved during the process of software development. The NFR Approach uses a structure called the Softgoal Interdependency Graph to capture the trustworthiness definition, depict architectural elements as softgoals, and rationalize the extent of trustworthiness in the design. Advantages of this approach include the ability to nurture consensus among multiple definitions of trustworthiness, capture design rationale, evaluate qualitatively the extent of trustworthiness achieved, and maintain historical records of design decisions. We apply the NFR Approach to design a trustworthy Phoenix system, which is a message-oriented middleware system used by the US Air Force.
Keywords
trustworthy; design; software; NFR Approach; Phoenix; Air Force
Information in this chapter
Introduction
The National Institute of Standards and Technology defines trustworthy information systems as reliable, usable, interoperable, and secure [1]. Trustworthy systems are essential for critical operations and are expected to deliver when they are most needed. There are environments in military, government, and civil domains where trustworthiness is an essential property. Examples include missile deployment control systems, the tax submission system of the federal government, and nuclear safety control systems. Improving software trustworthiness is considered the most important goal in cybersecurity by 2015 [2], and trustworthiness in cyberspace is a national priority in the United States [3]. Trustworthiness is also an important emerging requirement for software systems deployed by the US Air Force.
Trustworthiness has been defined differently by different sources, based on their approach to determining trust in a system. For example, in [4], trustworthiness is defined as the degree of confidence that the system meets its requirements; [5] defines trustworthiness as a level of confidence in using software engineering techniques to reduce failure rates and enhance testing, reviews, and inspections; and in [6, p. 114], a trusted computer system is defined as a system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information. Another definition of trustworthiness [7] includes correctness, safety, availability, reliability, performance, security, and privacy. A discussion of software trustworthiness among stakeholders often invokes numerous non-functional attributes like reliability, safety, usability, portability, and maintainability, which together ensure non-interference with the normal operation of the system.
However, there seems to be a lack of systematic processes for developing trustworthy systems. For example, [8] proposes a technique to develop a trustworthy operating system for software applications, and [9] proposes a trustworthy computing platform for a voting application; however, each follows its own approach to develop those specific target systems. While trustworthy systems evaluation criteria have been proposed [6], these criteria are oriented mostly toward incorporating security requirements into systems being developed. A trustworthiness model for open-source software has been proposed in [10] wherein factors that impact trustworthiness in a product are identified and then evaluated for the extent to which the factors have been achieved. A process for improving trustworthiness has been suggested in [11] with the belief that a trustworthy process improves trustworthiness in the product.
In this chapter we employ the goal-oriented framework called the NFR Approach [12] for engineering trustworthy software systems. The NFR Approach, where NFR stands for “non-functional requirements,” treats trustworthiness as a goal to be achieved during the process of software development. NFRs are global characteristics of systems such as flexibility, security, and performance, and they synergistically or conflictingly interact with each other. The NFR Approach is well suited to reason about these NFRs and their interactions. The NFR Approach adapts the NFR Framework [13] to ensure that the system being developed satisfies the goals for which the system is being developed during the process of system development. The NFR Approach uses a structure called the Softgoal Interdependency Graph (SIG) to analyze and reason about trustworthiness. The SIG captures the definition(s) for trustworthiness, depicts design elements as softgoals, and records design rationale. The SIG also provides a platform for arriving at consensus among alternate definitions of trustworthiness from stakeholders and for qualitatively evaluating the extent of trustworthiness in a design; it also maintains an archive of design decisions. The NFR Approach has been used to develop adaptable [14], testable [15], and maintainable [16] systems, and we extend it to develop trustworthy software systems.
It is widely accepted that NFRs such as trustworthiness must be incorporated into designs from the earliest stages so that the final system is trustworthy. Since software architecture [17,18] is the first step in developing a software system after requirements have been elicited, the software architecture should itself be trustworthy for the final system to be trustworthy. In this chapter we develop trustworthy software architecture for the Phoenix system [19] used by the US Air Force. The Phoenix system is a middleware system developed by the air force for use in tactical and enterprise systems. Phoenix belongs to the class of message-oriented middleware and provides transparent message transport facilities over multiple operating systems and network protocols. Applications can communicate with Phoenix using well-defined interfaces and exchange real-time data. Phoenix operates using a producer-consumer paradigm and uses a store-and-forward technique for increased reliability of message transport over any unreliable communication links. The code base of Phoenix is over 100,000 lines of code and consists of fifteen subsystems.
During the process of architecture design, multiple views for the software architecture [20] are developed, including component and connector view, detailed structural view, logical deployment view, physical deployment view, and use-case scenarios. These views follow from the functional and non-functional requirements for the Phoenix system, where the functional requirements specify what is to be done, and non-functional requirements specify the characteristics of the software system such as reliability, maintainability, and flexibility. In this chapter we re-engineer trustworthy designs for the Phoenix system using the NFR Approach. This chapter is a significant extension of the presentation in [21]; detailed discussion of our results is included in this chapter.
The remainder of the chapter is organized into four sections and a summary, as follows: the first section describes the NFR Approach briefly; the second section describes four use-case scenarios that exemplify the lack of trustworthiness in the current Phoenix system; the third applies the NFR Approach to design the trustworthy Phoenix system. The fourth section discusses validation and lessons learned, and the summary concludes the paper and provides directions for future work.
The NFR approach
The NFR Approach is a goal-oriented approach that can be applied to determine the extent to which objectives are achieved by a process or product [22]. NFR stands for “non-functional requirements,” which represent properties of a system such as reliability, maintainability, and flexibility, and could equally well represent functional objectives and constraints for a system. In this chapter we apply the NFR Approach to design a trustworthy software system by evaluating whether a specific design element satisfied trustworthy requirements for the system. The NFR Approach uses a well-defined ontology for this purpose that includes NFR softgoals, operationalizing softgoals, claim softgoals, contributions, and propagation rules; each of these elements is described briefly below (details may be seen in [13]). Furthermore, the NFR Approach uses the concept of satisficing, a term borrowed from economics, which indicates satisfaction within limits instead of absolute satisfaction, since absolute satisfaction of NFRs is usually difficult.
NFR softgoals represent NFRs and their decompositions. Elements that have physical equivalents (process or product elements) are represented by operationalizing softgoals and their decompositions. Each softgoal is named using the convention
where Type is the name of the softgoal and Topic (could be zero or more) is the context where the softgoal is used; Topic is optional for a softgoal; for a claim softgoal, which is a softgoal capturing a design decision, the name may be the justification itself.
Following decompositions of either the NFR softgoals or the operationalizing softgoals are possible:
1. AND decomposition is used when each child softgoal of the decomposition has to be satisficed for the parent softgoal to be satisficed, but the denial of even one child softgoal is sufficient to deny the parent;
2. OR decomposition is used when satisficing of even one child satisfices the parent, but all children need to be denied for the parent to be denied; and
3. EQUAL decomposition has only one child for a parent and propagates the satisficing or the denial of the child to the parent.
Contributions (MAKE, HELP, HURT, and BREAK) are made by operationalizing softgoals to the NFR softgoals. Reasons for contributions are captured by claim softgoals, and claim softgoals may form a chain of evidence where one claim satisfices another, which in turn satisfices another, and so on. Each of the four types of contributions has a specific semantic significance: MAKE contribution refers to a strongly positive degree of satisficing of the objectives (represented by NFR softgoals) by artifacts (represented by operationalizing softgoals) under consideration, HELP contribution refers to a positive degree of satisficing, HURT contribution refers to a negative degree of satisficing, and BREAK contribution refers to a strongly negative degree of satisficing. Due to these contributions, some of the softgoals acquire labels that capture the extent to which a softgoal is satisficed: satisficed, weakly satisficed, weakly denied (or weakly not satisficed), denied (or not satisficed), or unknown (indicated by an absence of any label attribute). Moreover, high priority softgoals, decompositions, and contributions may be indicated using the criticality symbol. The graph that captures the softgoals, their decompositions, and the contributions is called the Softgoal Interdependency Graph (SIG). A partial ontology of the NFR Approach is shown in Figure 13.1.
Propagation rules propagate labels from child softgoal to the parent across decompositions, from operationalizing softgoals to NFR softgoals across contributions, and from claim softgoals to contributions; propagation rules aid in the rationalization process of the NFR Approach. In a SIG represented graphically, the NFR softgoals and their decompositions are shown at the top of the figure, the operationalizing softgoals and their decompositions are shown at the bottom of the figure, while the contributions between the operationalizing softgoals and the NFR softgoals are shown in the middle. Therefore, contributions are usually received by the leaf NFR softgoals that are at the bottom of the NFR softgoal decomposition hierarchy. While detailed propagation rules may be seen in [13], a simplified list is provided here:
R1. A satisficed label is propagated as satisficed by a MAKE contribution, as weakly satisficed by a HELP contribution, as weakly denied by a HURT contribution, and as denied by a BREAK contribution.
R2. A denied label is propagated as denied by a MAKE contribution, as weakly denied by a HELP contribution, as weakly satisficed by a HURT contribution, and as satisficed by a BREAK contribution.
R3. If most of the contributions propagated to an NFR softgoal are satisficed, then that NFR softgoal is considered satisficed.
R4. If most of the contributions propagated to an NFR softgoal are denied, then that NFR softgoal is considered denied.
R5. In the case of priority softgoals, or when there is a tie between positive and negative contributions, the system architect or the developer can take the decision based on, or a variation of, R3 and R4.
R6. In the case of an AND-decomposition, if all the child softgoals are satisficed, then the parent NFR softgoal is satisficed; else the parent softgoal is denied.
R7. In the case of an OR-decompostion, if at least one child softgoal is satisficed then, the parent NFR softgoal is satisficed; else the parent softgoal is denied.
R8. In the case of EQUAL-decomposition (only one child) the parent is satisficed if the child is satisficed, and the parent is denied if the child is denied.
Upon applying these propagation rules, if the root NFR softgoals are satisficed, then the goals for the domain of interest have been met, to a large extent. In this chapter, the root NFR softgoals are related to trustworthiness, and therefore the SIG helps determine the extent to which a particular design is trustworthy.
The NFR Approach requires the following interleaving tasks, which are iterative:
1. Develop NFR goals and their decompositions: In this task, the trustworthiness softgoal is decomposed into its constituent NFR softgoals; this decomposition captures the trustworthiness requirements for a system as viewed by a particular group of stakeholders. These decompositions may be developed from scratch or may be extensions of existing decompositions.
2. Develop operationalizing goals and their decompositions: In this task, we develop operationalizing softgoals and their decompositions. In this chapter, operationalizing softgoals correspond to architectural models since we are focusing on developing architectural models.1 This task consists of two subtasks: the development of architectural models and the development of operationalizing softgoal hierarchy corresponding to the architectural models. Each individual model may form its own operationalizing softgoal decomposition hierarchy. These models may be developed from scratch or may use existing catalogs as a starting point.
3. Develop goal tradeoffs and rationale: In this task, we determine contributions between operationalizing softgoals (task 2) and the NFR softgoals (task 1) and the rationale for the contributions are captured by claim softgoals; synergies and conflicts between different NFR softgoals are captured by the contributions, and tradeoffs (manifested by changes to contributions) that take place are captured by corresponding changes to rationale. This historical record-keeping also helps back-tracking, if required.
4. Develop goal criticalities: In this task, we assign priorities to softgoals—some softgoals (NFR softgoals, operationalizing softgoals, and claim softgoals) may be more important for the stakeholders involved and they are indicated as critical softgoals.
5. Evaluation and analysis: In this task, the propagation rules of the NFR Approach are applied to determine whether the architectural models satisfy the requirements (represented by NFR softgoal decomposition hierarchy) and to what extent, that is, strongly positive, positive, negative, or strongly negative; if positively satisficed, then those architectural models satisfy the requirements and if negatively satisficed, then there is scope for improvement.
The Phoenix system and trustworthiness deficit
In this section we describe the lack of trustworthiness in the current Phoenix system. The Phoenix system is a middleware, and as such, it serves as a transparent transport layer for its users. Publishers and subscribers send messages to each other over the Phoenix system. Figure 13.2 shows four use-case scenarios for the Phoenix system as it exists now.
As can be seen in Figure 13.2 (a), the use-case scenario describes the lack of confidentiality in the current Phoenix system since messages are sent in plain-text. In Figure 13.2 (b), the scenario describes the lack of availability of the system when large messages are sent between the publisher and the subscriber—the system simply crashes. Likewise, the scenario of Figure 13.2 (c) describes how accumulation of non-dropped connections can also make the system available after a period of time. The scenario of Figure 13.2 (d) describes how the lack of sufficient authentication and authorization can reduce the integrity of the data in the Phoenix system due to an attack. For these and other reasons, Phoenix is not considered trustworthy enough for use in future applications that have more stringent trustworthy requirements. In subsequent sections we elicit these trustworthy requirements, analyze the shortcomings using the NFR Approach, and suggest modifications to the Phoenix system for the new environment.
Application of the NFR approach for designing a trustworthy Phoenix system
In this section, we describe the application of the five tasks of the NFR Approach for generating trustworthy designs for the Phoenix system. To obtain trustworthiness requirements, we interviewed stakeholders—users who plan to use the Phoenix system in a trustworthy environment. As mentioned earlier, trustworthiness, being an NFR, can have multiple definitions and each stakeholder can have a different definition for trustworthiness; we apply the five tasks of the NFR Approach to one definition and discuss how the NFR Approach can be used for building consensus among stakeholders. In order to automate the evaluation process, we used the StarUML tool [23] for developing the SIGs. This tool is free to use and comes with a toolset for capturing all aspects of a SIG; moreover, all propagation rules are built into StarUML, which makes its use for the evaluation and analysis task convenient.
Develop NFR softgoals and their decompositions
The upper part of the SIG of Figure 13.3 (indicated by a rounded rectangle marked “Task 1”) shows the definition of trustworthiness from the viewpoint of one stakeholder. This part of the SIG contains the NFR softgoal decomposition hierarchy for the softgoal Trustworthiness[Phoenix], which represents trustworthiness of the Phoenix system. As mentioned earlier, this softgoal’s type is Trustworthiness and the topic to which this softgoal applies is Phoenix. This softgoal is AND-decomposed into five child sub-softgoals: Trustworthiness[Phoenix, Hardware], Trustworthiness[Phoenix, Workers], Trustworthiness[Phoenix, Information], Trustworthiness[Phoenix, Software], and Performance [Phoenix, Environment], wherein the four components of a system [20,242] (hardware, workers, information, and software) have been included. Performance has also been included, as required by the stakeholder. That this decomposition is an AND-decomposition is indicated by a single cross on the line connecting the child (or sub-)softgoals to the parent softgoal, Trustworthiness [Phoenix]. In the “Task 1” rectangle in Figure 13.3, on the left, the NFR softgoal Quality [Information] is AND-decomposed into Quality [Information, Producer], Quality [Information, Manager], Quality [Information, Federates], and Quality [Information, Consumer]; this decomposition is based on [25], which is indicated as “ICCRTS05 Paper” in the accompanying claim softgoal (the cloud-shaped figure with a dashed border). This decomposition captures the fact that quality of information is based on quality of information supplied by the producer, quality of information supplied to the manager, quality of information supplied to federates (partners), and quality of information supplied to consumers.
According to the stakeholder, the information produced in a trustworthy Phoenix system will be disclosed to those who need it and to those who are authorized; moreover, producers assume information is protected. These requirements are captured in the SIG by the AND-decomposition of the NFR softgoal Quality [Information, Producer] into the child softgoals of Disclosure [Information, Needed by Persons], Disclosure [Information, Authorized Persons], and Protected [Information]. In a similar manner we AND-decomposed Quality [Information, Manager] into child softgoals Efficiency [Usage, Resources, Information System] and Appropriateness [Usage, Resources, Information System]. Quality [Information, Federates] was AND-decomposed into Insight [Information] and Reception [Information]. Quality [Information, Consumer] is AND-decomposed into Timeliness [Information], Availability [Information], Pertinence [Information], Usability [Information], and Trustworthiness [Phoenix, Information].
As per the stakeholder needs, the NFR softgoal Trustworthiness [Phoenix, Information] is AND-decomposed into five child softgoals: Trustworthiness [Phoenix, Information, Navy], Accuracy [Information], and Relevancy [Information], where the softgoal Trustworthiness [Phoenix, Information, Navy] indicates the fact that trustworthiness of the Phoenix system’s information processing capabilities is important for the navy (who will use the Phoenix middleware). This softgoal Trustworthiness [Phoenix, Information, Navy] is further AND-decomposed into Consistency [Phoenix, Constrained Communication Links] and Performance [Phoenix, Constrained Communication Links] which refer to, respectively, the information processing capabilities over constrained communication links. Finally, the softgoal Accuracy [Information] is AND-decomposed into four child softgoals: Appropriateness [Representation, Information], Verifiability [Data Source], Trustability [Data Source], and Appropriateness [Information Use].
Finally, on the top right, we have Security [Phoenix] being AND-decomposed into the CIA triad [26]: Confidentiality [Phoenix], Integrity [Phoenix], and Availability [Phoenix].
Develop operationalizing softgoals and their decompositions
This task has two sub-tasks: development of architectural models and creation of operationalizing softgoal hierarchy based on these models. The architectural models may be created from scratch or may use existing catalogs as the basis. We used existing models as the starting point. The models we started with are given in Figure 13.4 and include the Component and Connection (C&C View), the Activity Diagram for one scenario (Produce Submission scenario), the logical and physical deployment architectures, and the module view for one service (the Submission Service).-
We then converted these models into operationalizing softgoals, as indicated in the bottom part of Figure 13.3, within the rounded rectangular box marked “Task 2.” These five models are captured by the operationalizing softgoals C&C View [Logical] representing the component and connection view, Activity Diagram [Producer Submission] representing the activity diagram for the producer submission scenario, Deployment [Logical] for the logical deployment architecture, Deployment [Physical] for the physical deployment architecture, and Module View [Detailed Submission Service] for the submission service module view (which is a detailed view of this service). Many of these softgoals have been further decomposed: C&C View [Logical] is AND-decomposed into Authorization Service and Repository Service operationalizing softgoals,3 Activity Diagram [Producer Submission] is decomposed into Five Partitions [Producer Submission], Deployment [Logical] is decomposed into Seventeen Services, and Module View [Detailed Submission Service] is decomposed into four operationalizing child softgoals: Input Channel Manager, Information Validator, Policy Manager, and Forwarder. This completes task 2.
Develop goal tradeoffs and rationale
During the process of SIG development we determine the contributions between softgoals—specifically, the contributions that operationalizing softgoals make to the NFR softgoals. The reasons (or rationale) for these contributions are captured by claim softgoals. This task is shown in Figure 13.3 within the rounded rectangle named “Task 3.” Table 13.1 lists these contributions and their rationale.
As can be seen in Table 13.1, rows 1 through 10 list the contributions by operationalizing softgoals to NFR softgoals; row 11 describes a contribution between two NFR softgoals. Likewise, contributions may be between operationalizing softgoals, between claim softgoals (as shown in Figure 13.3 corresponding to rows 1, 2, and 3 of Table 13.1), between claim softgoals and contributions themselves (this is shown in Figure 13.3 for all claim softgoals), and between claim softgoals and decompositions (as shown in Figure 13.3 by the claim softgoal “ICCRTS05 Paper” [25] at the top left). In this manner, contributions help capture conflicts and synergies between NFRs—for example, Efficiency [Usage, Resources, Information System] receives a BREAK contribution while Appropriateness [Usage, Resources, Information System] receives a MAKE contribution from two different architectural models; therefore, the parent softgoal Quality [Information, Manager] sees conflicting contributions propagated to itself. Synergies occur similarly, though they are usually easier to handle.
Developing goal criticalities
In practice, not all requirements need be equally important; for example, security may be considered more important for a trusted system by some stakeholders [7]. Likewise, some architectural models may be more important for design since, for example, they are part of the enterprise architecture. The NFR Approach provides facilities to indicate certain NFR softgoals, operationalizing softgoals, claim softgoals, decompositions, and contributions as being higher priority; subsequently, during the evaluation phase, appropriate propagation rules may be used for these critical elements. In this discussion we assume all elements are of the same priority so that we may focus more on the process of the NFR Approach without getting too deep into its nuances.
Evaluation and analysis
During this task, two sub-tasks are performed: evaluation and analysis. During the evaluation task, we apply the propagation rules to determine if the softgoals of interest were satisficed or denied. During the analysis task, we analyze the reasons for satisficing or denial and determine improvement opportunities.
Table 13.2 lists the application of propagation rules to a few key softgoals in the SIG of Figure 13.3. Some of the rows from Table 13.1 appear in Table 13.2, and the latter applies the propagation rules to obtain labels propagated to the destination or parent softgoal. The rows in Table 13.2 are relatively easy to follow: for example, in row 1, the child softgoal Authorization Service makes a BREAK contribution to the parent softgoal Verifiability [Data Source] (which is indicated by row 2 of Table 13.1); therefore, by the propagation rule, R1, since the child softgoal is satisficed, the parent softgoal is denied. In a similar manner, other rows of Table 13.2 may be read. From this table we find that the three root NFR softgoals are all denied: that is, the NFR softgoals Quality [Information], Security [Phoenix], and Trustworthiness [Phoenix] are all denied, which means that the architectural models of Figure 13.4 do not satisfy trustworthiness requirements.
Figure 13.5 shows the SIG of Figure 13.4 updated with propagated labels. This figure was generated using the StarUML [23] tool which automatically propagates the labels. In Table 13.2 and in Figure 13.5, we have assumed the operationalizing softgoals to be satisficed in order to apply the propagation rules; this is because these softgoals represent architectural models that exist. If, in the future, we were to find that some of these models are not correct, then we can modify the labels of those softgoals accordingly and then apply the propagation rules; however, historical record is preserved by the SIGs.
During the analysis sub-task, we identify reasons for poor trustworthiness. As can be observed from Table 13.2 and Figure 13.5, the poor satisficing of the softgoal Trustworthiness [Phoenix] results from the negative contributions (HURT or BREAK) indicated by oval shapes, corresponding to rows 1, 2, 5, and 6 of Table 13.2. What are the reasons for these negative contributions? The rationale in Table 13.1, corresponding to rows 2, 3, 8, and 9, respectively, guides us in improving these contributions. Considering row 1 of Table 13.2, the poor contribution (BREAK) by the Authorization Service to the softgoal Verifiability of Data Source is due to the simplistic nature of the Authorization Service (row 2 of Table 13.1); from the published literature, a few of the techniques to improve verifiability include use of passwords, biometrics, and Kerberos protocol [26]. Therefore, if the Authorization Service is enhanced with these techniques, then its contribution to verifiability of data source will be improved, which will help move the system toward improved trustworthiness. In a similar manner, we identified techniques that will improve these four contributions; they are documented in Table 13.3.
The modified architectural models are shown in Figure 13.6. The updated component in the Component and Connector view is called the Modified Authorization Service (MAS) that has the modifications in rows 1 and 2 of Table 13.3. The modified Activity Diagram shows the use of MAS for authentication during the submission scenario. The physical deployment has two servers, one local and the other remote; the local server caches data locally so that benefits in row 3 of Table 13.3 are realized. Besides, the duplicated servers allow improved integrity by performing data checks between themselves, as mentioned in row 4 of Table 13.3.
Validation and lessons learned
The architectural modifications for improved trustworthiness were validated by three of the original Phoenix development engineers. We presented the modified designs along with a questionnaire that required them to evaluate the artifacts by comparing them with the system documents for Phoenix (which we did not have access to) in the spirit of the Delphi technique [30]. Developers answered the questionnaires independently of each other without having recourse to answers provided by others. The developers were provided the updated architectural models and a modified version of Table 13.3 as part of their questionnaire; their responses are tabulated in Table 13.4.
The development engineers were in agreement that techniques such as passwords, biometrics, and Kerberos will help the Authorization Service component satisfy the requirement for Verifiability of Data Source; one of them pointed out that two-factor authorization will also be a preferred technique. Likewise, the techniques identified from catalogs for improving integrity of the Phoenix system, namely, access control lists and feedback control, were also perceived by the engineers as helpful to achieve the goal; however, it was felt that integrity can still be impacted by bypassing Authorization Service and attacking other components of the system directly. In row 3 of Table 13.4, the technique neighborhood group data caching in a deployed physical system was expected to improve consistency over constrained communication links. However, synchronization of fetched data with that of the central store was important so that data viewed by users were not stale; a differential data pre-fetching (where only differences were obtained from the central store) was felt to be more useful, and this technique is planned for incorporation in a future version of the Phoenix system. In row 4 of Table 13.4, the common techniques of increasing bandwidth/processing power/buffers in a deployed physical system were expected to improve performance of the system; however, it was pointed out that scalability of such an increase is not linear in general and incurs costs of time and effort to realize improved performance. Row 5 of Table 13.4 was a control row. It was used to ensure that engineers were actually focusing on the questionnaire; the technique “noncryption” was a made-up word for plain text transmission, and all three engineers were unanimous in their opinion that this will not improve security.
Table 13.4 conveys the point that recommendations from the NFR Approach are largely acceptable to the industry practitioners from a trustworthy system development standpoint. An interesting observation is the comment in row 3 of Table 13.4: the feature identified as important using the NFR Approach has been under consideration by the development team for some time, but we arrived at this point using the systematic process of the NFR Approach, while the development team identified this issue from user feedback. The suggestions from the SIG analysis could be used to improve the trustworthiness of the system being designed with a high confidence that these suggestions will find acceptance from the designer community.
An important aspect of the NFR Approach is that it helps build consensus among stakeholders: we obtained three differing definitions of trustworthiness from stakeholders. Figure 13.7 shows another definition for trustworthiness from a different stakeholder—trustworthiness includes reliability and dependability attributes. The oval shapes in Figure 13.7 are the constraints imposed on a design to satisfy certain trustworthiness requirements. The architectural models of Figure 13.6 may not satisfy all the requirements in Figure 13.7; however, the NFR Approach provides a mechanism to reason about the “gaps,” if any. For example, one constraint (oval shape) is that all messages be encrypted to satisfice the NFR softgoal Security [Messages]. However, the connector Phoenix Channel in Figure 13.6 does not encrypt messages and therefore, after applying the propagation rules of the NFR Approach, we find the models of Figure 13.6 are not trustworthy by this definition (Figure 13.7), either. Therefore, if an Augmented Phoenix Channel connector is used in the updated models of Figure 13.6, then these updated models will satisfy to some extent the definition in Figure 13.7 besides meeting all requirements in Figure 13.3. This way, consensus between definitions may be reached using the NFR Approach.
As mentioned in the introduction, the SIG captures trustworthiness definitions, architectural or design elements, and the design rationale in the form of claim softgoals. The propagation rules help qualitatively evaluate the extent to which designs satisfy trustworthiness requirements, and the historical record of design decisions are captured by different versions of the SIG. If any change occurs to the SIG due to requirements changes, design changes, or rationale changes, the resulting change to trustworthiness can be quickly recomputed; therefore, impact analysis can be performed. Also, “what if” scenarios can be studied by deliberate changes to the SIG and by analyzing the resulting impact on trustworthiness.
One aspect that we did not discuss is the process of converting interview notes into a SIG, such as in Figure 13.3 and Figure 13.6. We have discussed this aspect in another paper [31]; however, this process involves creating elements of SIG from interview notes and is a predominantly manual process. There does not seem to be a one-to-one correspondence between a given interview note and the SIG developed; however, based on our experience, the results of the reasoning process seem to be highly synchronous between different SIGs generated from an interview note. Therefore, we believe that the NFR Approach’s process is repeatable across projects and organizations.
Certain aspects of the NFR Approach have not been described here; for example, the propagation rules in the section “The NFR Approach” are simplified versions (as mentioned earlier). For example, rule R6 assumes if even one child softgoal is not satisficed in an AND-decomposition, then the parent softgoal is denied. However, what if, as we observe in Table 13.2, rows 8 and 14, one of the child softgoals is weakly denied? The NFR Approach actually defines rules that allow the parent to the weakly denied instead of denied, but we have assumed simpler rules in this chapter to convey the spirit of the NFR Approach without overwhelming the reader with details. Another aspect of the NFR approach not discussed here is the fact that claim softgoals can have labels as well, which allows claims (or rationales) to change with time and their impact(s) to be quickly reflected in the SIG.
Summary
Trustworthiness is an important emerging requirement for software systems deployed by the US Air Force. While NIST [1] has defined trustworthiness to be reliable, usable, interoperable, and secure, there seems to be no uniformity in the definition of this requirement within the Air Force. Moreover, there seems to be no systematic method to develop trustworthy systems. In this chapter, we employ the goal-oriented framework called the NFR Approach [12,13] for engineering trustworthy software systems. The NFR Approach treats trustworthiness as a goal to be achieved during the process of software development. Since software architecture is the first step in the development of a solution, we employ the NFR Approach to develop a trustworthy architecture for a software system. The software system considered for validation is the Phoenix system [19] used by the US Air Force; the Phoenix system is a middleware system developed by the Air Force for use in tactical and enterprise systems. We applied the NFR Approach, developed trustworthy architectural models for the Phoenix system, and validated the models by having them evaluated by Phoenix’s engineers. The results are encouraging, with many design updates for improved trustworthiness being approved by developers as being not only feasible but actually useful for a trustworthy Phoenix system.
In the future we plan to partially automate this process by incorporating natural language processing to identify elements of SIGs from interview notes, which should speed up the process considerably. Furthermore, integrating natural language processing with tools available for handling NFR approach, for example, StarUML [23], will enable automating the processing of knowledge recovery from users. However, we believe that the NFR Approach provides a systematic technique for developing trustworthy software systems.
Acknowledgments
This research was sponsored by Air Force Research Laboratory/Information Directorate, Rome, New York, USA. In the summers of 2011 and 2012, the authors spent many months on this project, and we thank several engineers at the lab for their help, including Mark Lindermann, James Hanna, Vaughn Combs, James Milligan, Chris Schuck, Tim Blocher, Dawn Nelson, Mark Mowers, and Brian Lipa. We also thank the reviewers of the initial version of this chapter for their valuable suggestions and comments.
References
1. [Internet]. Retrieved from: <www.nist.gov/itl/tis/index.cfm> [accessed 22.05.12].
2. Software 2015: A national software strategy to ensure U. S. security and competitiveness. Report of 2nd National Software Summit. [Internet]. Retrieved from: <www.cnsoftware.org/NSS2>; 2005 [accessed 06.06.12].
3. Trustworthy cyberspace: Strategic plan for the federal cybersecurity research and development program. Executive Office of the President, National Science and Technology Council; 2011 Dec.
4. Parnas DL, van Schouwen AJ, Kwan SP. Evaluation of safety-critical software. Communications of ACM. 1990;33(6):636–648.
5. Amoroso E, Taylor C, Watson J, Weiss J. A process-oriented methodology for assessing and improving software trustworthiness. Proceedings of the 2nd ACM Conference On Computer and Communication Security 1994;39–50.
6. DoD 5200.28-STD. Department of Defense standard: Department of Defense trusted computer system evaluation criteria. [Internet]. Retrieved from: <csrc.nist.gov/publications/history/dod85.pdf>; 1985 [accessed 22.05.12].
7. Hasselbring W, Reussner R. Toward trustworthy software systems. IEEE Computer. 2006;39(4):91–92.
8. Garfinkel T, Rosenblum M, Boneh D. Flexible OS support and applications for trusted computing. [Internet]. Retrieved from: <suif.stanford.edu/papers/trusted-hotos03.pdf>; [Accessed 22.05.12].
9. Fink RA, Sherman AT. Combining end-to-end voting with trustworthy computing for greater privacy, trust, accessibility, and usability. [Internet]. Retrieved from: <csrc.nist.gov/groups/ST/e2evoting/documents/papers/SHERMAN_trustworthye2e-NISTrevised9-25-09a.pdf>; [accessed 22.05.12].
10. Taibi D. Defining an open source software trustworthiness model. Proceedings of 3rd International Doctoral Symposium on Emperical Software Engineering 2008.
11. Yang Y, Wang Q, Li M. Process trustworthiness as a capability indicator for measuring and improving software trustworthiness. ICSP '09 Proceedings of the International Conference on Software Process: Trustworthy Software Development Processes 2009;389–401.
12. Subramanian N, Chung L. Software architecture adaptability: An NFR approach. Proceedings of the International Workshop on Principles of Software Evolution (IWPSE 2001) Vienna: ACM Press; 2001; p. 52–61.
13. Chung L, Nixon BA, Yu E, Mylopoulos J. Non-functional requirements in software engineering Boston: Kluwer Academic Publishers; 2000.
14. Chung L, Subramanian N. Adaptable architecture generation of embedded systems. Journal of Systems and Software. 2004;71(3):271–295.
15. Chung L, Subramanian N. Testable and adaptable architectures for embedded systems. University of Texas at Dallas Technical Report No. UTDCS-22-01; 2001 Nov.
16. Subramanian N, Puerzer R, Chung L. A comparative evaluation of maintainability: A study of engineering department’s website maintainability. Proceedings of the International Conference on Software Maintenance; 2005 Sep; Budapest, IEEE Computer Society, Hungary. p. 669–672.
17. Shaw M, Garlan D. Software architecture: Perspectives on an emerging discipline Prentice Hall 1996.
18. Bass L, Clements P, Kazman R. Software architecture in practice. SEI Series in Software Engineering 2nd ed. Addison-Wesley 2003.
19. Combs VT, Hillman RG, Muccio MT, McKeel RW. Joint battlespace infosphere: Information management within a C2 enterprise. 10th International Command and Control Research and Technology Symposium 2005.
20. Eeles P, Cripps P. The process of software architecting Upper Saddle River, NJ: Addison-Wesley; 2010.
21. Subramanian N, Drager S, McKeever W. Engineering a trustworthy software system using the NFR approach. Presented at the Systems & Software Technology Conference; Salt Lake City, UT. 2012 Apr.
22. Chung L, Supakkul S, Subramanian N, et al. Goal-oriented software architecting. In: Avgeriou P, ed. Relating Software Requirements and Architectures. Springer 2011;91–109.
23. [Internet]. Retrieved from: <http://staruml.sourceforge.net/en/modules.php>; [accessed 11.10.11].
24. Ware WH. Perspectives on trusted computer systems. Rand Library Collection; 1988 Sep. p. 7478.
25. Linderman M, et. al. A reference model for information management to support coalition information sharing needs. 10th International Command and Control Research and Technology Symposium. Verginia; 2005 Oct.
26. Stallings W, Brown L. Computer security: Principles and practice 2nd ed. Prentice Hall 2011.
27. Mandke VV, Nayar MK. Information integrity: A structure for its definition. In: Strong DM, Kahn BK, editors. Proceedings of the 1997 Conference on Information Quality; MIT, Cambridge, MA, 1997.
28. Shanmugavadivu K, Madheswaran M. Caching technique for improving data retrieval performance in mobile ad hoc networks. International Journal of Computer Science and Information Technologies. 2010;1(4):249–255.
29. Hennessy JL, Patterson DA. Computer architecture: A quantitative approach 5th ed. Morgan Kaufmann Publication 2011.
30. Hsu C-C, Sandford BA. The delphi technique: making sense of consensus. Journal of Practical Assessment, Research, and Evaluation. 2007 Aug;12:10 ISSN: 1531-7714.
31. Subramanian N, Drager S, McKeever W. Eliciting software design from interviews using the NFR approach. Submitted for publication.
1The NFR Approach supports any level of realization: strategic level, conceptual level, system level, requirements level, architectural design level, detailed design level, code level, and so on; however, in this chapter we develop architectural models and therefore we refer to architectural model development in task 2.
2On page 8 of [24] we find: “[Trust] properly can and should be applied to hardware/software combinations; to communication networks; to overall systems; to application programs; to individual components of a system; to information processes whether automated, manual, or both; to procedures whether automated or manual; and, particularly, it should be applied to people.”
3In the Component and Connection View diagram, there are several components and connections besides these two components—we should be able to decompose the C&C View [Logical] operationalizing softgoal into all its constituent softgoals—however, during subsequent tasks, the two softgoals included in the decomposition were sufficient to explain the use of the NFR Approach and therefore the other constituents are not shown. This policy is used when decomposing other operationalizing softgoals in this section.