Lecture Building reliable component-based systems - Chapter 10: Predicting system trustworthiness

This chapter presents the following content: non-functional behaviors are difficult to handle in composition; ordinary (reliability) testing is not enough; SWIFI can be used for testing non-functional behaviors; IPA is a technique for predicting interoperability; IPA is not the answer, but a complement to other (traditional) testing techniques.

Overview
Introduction
What else can be done?
Predicting component interoperability
Summary

Introduction
Functional Composability (FC) and functional correctness: FC is concerned with whether f(a) x f(b) = f(a x b) is true. These concerns stem from the problem of composing "ilities":
Reliability
Safety
Security

The Problem
The problem stems from our inability to know a priori, for example, that the security of a system composed of two components, A and B, can be determined from knowledge about the security of A and the security of B. Why? Because the security of the composite is based on more than just the security of the individual components.

An Example
As an example, suppose that A is an operating system and B is an intrusion detection system. Operating systems have some level of built-in authentication security. Intrusion detection systems have some definition of the types of event patterns that warn of a possible attack. Thus, the security of the composition clearly depends on the security models of the individual components.

The Example Continued
But even if A has a worthless security policy or flawed implementation, the composite can still be secure. How?
IF A has poor performance THEN no one can log in
OR
IF A's security mechanism is not reliable THEN security is increased
While these last 2 examples are clearly not a desirable way to attain higher levels of system security, both do actually decrease the likelihood that a system will be successfully attacked.

Another Example
With A as an operating system and B as an intrusion detection system, and assuming that A provides excellent security and B provides excellent security, we must still accept the fact that the security of B is also a function of calendar time. So the question then comes down to: which "ilities", if any, are .
