Abstract: Software and software-controlled technical systems play an increasing role in our daily lives. In cyber-physical systems, which connect the physical and the digital world, software not only influences how we perceive and interact with our environment but also makes decisions that influence our behavior. Therefore, the ability of software systems to explain their behavior and decisions will become an important property that will be crucial for their acceptance in our society. We call software systems with this ability explainable software systems. In the past, we have worked on methods and tools to design explainable software systems. In this article, we highlight some of our work on how to design explainable software systems. More specifically, we describe an architectural framework for designing self-explainable software systems, which is based on the MAPE loop for self-adaptive systems. Afterward, we show that explainability is also important for tools that are used by engineers during the development of software systems. We show examples from the area of requirements engineering where we use techniques from natural language processing and neural networks to help engineers comprehend the complex information structures embedded in system requirements.
In the second EvoSpaces approach, called CodeCity (figure 2.19(b)), the software decomposition and the software artifacts are mapped onto city districts and buildings, respectively. Building size is derived from basic size measures using a boxplot-based mapping technique. Code cities serve as a platform that is enriched with more sophisticated analysis data to support the identification of design problems and to gain insight into the structural evolution of software systems. The authors present a set of techniques to visualize evolutionary data on both a fine- and a coarse-grained abstraction level. A time-traveling technique allows for stepping backwards and forwards in time and thus for visualizing the software system at its different development stages. As shown in figure 2.20, each software artifact is uniquely assigned a fixed area in the city for this purpose. As a result, this approach yields stable layout sequences, which, however, can only be achieved because all versions of the software system are known in advance. As soon as new versions become available, new visualization sequences must be computed, which in turn can differ significantly from the original sequence and from the mental models its users have constructed so far.
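A boxplot-based mapping of the kind mentioned above can be sketched as follows. This is an assumed form of the technique, not the cited work's exact rules: a size metric is discretized into a few building heights using the quartiles of the metric distribution, so that outliers do not dwarf the rest of the city.

```python
import statistics

def boxplot_mapping(values):
    """Map a size measure onto four discrete building heights using
    the quartiles of the metric distribution."""
    q1, q2, q3 = statistics.quantiles(values, n=4)
    def height(v):
        if v <= q1:
            return 1   # small building
        if v <= q2:
            return 2
        if v <= q3:
            return 3
        return 4       # landmark-sized building
    return height

# e.g. lines-of-code values of the artifacts in one district
height = boxplot_mapping([10, 20, 30, 40, 50, 60, 70, 80])
```

Because the mapping is relative to the distribution, the resulting cityscape stays readable even when a few artifacts are orders of magnitude larger than the rest.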
Sampling. Utilizing CoPTA facilitates precise formalization of analysis techniques for configurable real-time software systems. However, we cannot apply product-based approaches anymore due to the (possibly) infinite number of products. Nonetheless, product-based analyses can be performed indirectly by first applying sampling, i.e., deriving a representative subset of the variants of an SPL. Unfortunately, the CIT techniques for sampling described before only cover finite configuration spaces. Hence, these techniques are not applicable to infinite configuration spaces, as applying CIT would result in an infinite number of configurations. However, we consider infinite configuration spaces in the case of PTA and CoPTA (see above), both of which utilize (possibly) unbounded numeric parameters. Hence, we introduce a sampling approach specifically tailored to product lines having configurable real-time behavior. In particular, we consider the boundary behavior of real-time systems in terms of best-case and worst-case execution times (BCET/WCET), respectively. This idea stems from the area of boundary-value testing, whose goal is to cover the boundary values of each variable [165, 81]. The rationale behind this is the fact that problems often occur at these boundary values. For instance, this approach may reveal off-by-one timing errors, where the boundary-value behavior w.r.t. delays is faulty. Therefore, our goal is to adapt sampling strategies to product lines with a (potentially) infinite number of configurations in general, and we instantiate these product lines with CoPTA (i.e., our novel modeling formalism as described above). Note that our sampling approach is sound (i.e., the generated sample covers BCET/WCET behavior) but incomplete (i.e., the algorithm for generating the sample does, in general, not terminate).
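As a rough illustration of boundary-value sampling over numeric configuration parameters, consider the following sketch. The parameter names and the treatment of unbounded parameters are our own simplifications, not the CoPTA sampling algorithm itself: each bounded parameter contributes its boundary values (and their immediate neighbors, to catch off-by-one errors), and an unbounded parameter contributes only its lower boundary, mirroring the incompleteness noted above.

```python
from itertools import product

def boundary_values(lo, hi=None):
    """Boundary candidates for a numeric parameter. An unbounded
    upper end (hi=None) yields only the lower boundary, so the WCET
    side of an unbounded delay is not covered."""
    if hi is None:
        return [lo, lo + 1]
    return sorted({lo, lo + 1, hi - 1, hi})

def boundary_sample(params):
    """Cartesian product of the per-parameter boundary values,
    yielding one configuration per combination."""
    names = list(params)
    for combo in product(*(boundary_values(*params[n]) for n in names)):
        yield dict(zip(names, combo))

# e.g. a delay bounded in [2, 10] and a period with an open upper bound
sample = list(boundary_sample({"delay": (2, 10), "period": (1, None)}))
```

In this toy setting the sample contains 8 configurations (4 boundary values for `delay` times 2 for `period`), covering the best-case and worst-case timing behavior of each bounded parameter.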
In addition to sampling, we also introduce family-based (black-box and white-box) analysis techniques, which we apply directly to CoPTA as explained in the following.
Today's software systems are complex. They comprise an immense number of distributed hardware and software components to deliver the desired functionality. Despite successful approaches to quality assurance during software development, failures in production are inevitable. A failure in one component, e.g., a memory leak or slow response times, can create a chain of failures propagating to other components and to the users [Av04]. Online failure prediction [SLM10] aims to foresee imminent failures by making predictions based on system parameters obtained from monitoring data. Existing approaches employ prediction models that predict failures either for the whole system or for individual components, without considering the software architecture.
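The core idea of online failure prediction can be illustrated with a deliberately simple sketch (not one of the cited approaches): a monitored parameter, e.g. memory usage of a component, is extrapolated over a sliding window, and a warning is raised when the projected value crosses a capacity threshold within a given look-ahead horizon.

```python
from collections import deque

class TrendPredictor:
    """Toy online failure predictor: linear trend extrapolation of a
    monitored metric over a sliding window (illustrative only)."""

    def __init__(self, window=5, capacity=100.0, horizon=3):
        self.samples = deque(maxlen=window)
        self.capacity = capacity   # e.g. available memory in MB
        self.horizon = horizon     # look-ahead in sampling intervals

    def observe(self, value):
        self.samples.append(value)

    def failure_imminent(self):
        if len(self.samples) < 2:
            return False
        s = list(self.samples)
        # average per-interval growth over the window
        slope = (s[-1] - s[0]) / (len(s) - 1)
        return s[-1] + slope * self.horizon >= self.capacity

p = TrendPredictor()
for usage in [70, 75, 80, 85, 90]:   # steadily leaking memory
    p.observe(usage)
# slope 5 per interval; 90 + 3*5 = 105 >= 100, so a failure is predicted
```

An architecture-aware predictor, as motivated above, would additionally propagate such per-component predictions along the component dependencies instead of treating each component in isolation.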
The results of this study show that dependencies between vehicle features pose a great challenge for the development of automotive software systems. Almost every vehicle feature depends on or influences another vehicle function. We have also seen that describing the dependencies solely on the level of the implementing components is insufficient for analyzing them, leading to a 50% chance that a developer is not aware of a specific dependency. Our results empirically underpin the challenges mentioned by Broy et al. [1, 43], where the authors state that “functions [of a vehicle] do not stand alone, but exhibit a high dependency on each other so that a vehicle becomes a complex system where all functions act together”. Dependencies should rather be specified at the level of features, which demands a clear definition of feature interfaces. We have proposed a dependency-based refactoring approach for components that shows the potential of considering feature dependencies for a more modular system architecture.
Anomaly detection is used for failure detection and diagnosis, and not only in large software systems. A common approach to detecting anomalies is to build a model of a system’s “normal behavior” in terms of monitored parameters and to compare this model with the current behavior in order to uncover deviations. The monitored data can be obtained from different levels, e.g., the network, hardware, or application level. Failures may thus be detected proactively, or at least quickly after they occur. By taking appropriate steps immediately, repair times can be reduced and availability thus increased.
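A minimal sketch of the “normal behavior” idea described above: learn the mean and standard deviation of a monitored metric from failure-free baseline data, then flag observations that deviate by more than a few standard deviations. Real detectors use richer models; this only illustrates the compare-against-baseline principle.

```python
import statistics

class AnomalyDetector:
    """Toy anomaly detector: a z-score test against a learned
    baseline of 'normal' metric values."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold   # deviations beyond 3 sigma are anomalous

    def train(self, values):
        """Learn the normal-behavior model from baseline observations."""
        self.mean = statistics.mean(values)
        self.std = statistics.stdev(values)

    def is_anomalous(self, value):
        """Compare a current observation against the learned model."""
        return abs(value - self.mean) > self.threshold * self.std

det = AnomalyDetector()
det.train([10.0, 11.0, 9.5, 10.5, 10.2])   # e.g. response times in ms
# det.is_anomalous(50.0) flags the deviation; det.is_anomalous(10.3) does not
```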
Dynamic routines have been suggested as a simple yet powerful concept to achieve horizontal and behavioural extensibility of software systems in a very general and flexible way. Concrete specializations of the general concept have been designed and implemented as precompiler-based language extensions for C++, Oberon-2, and Java in order to gain immediate practical experience with the concept in different programming languages. Together with a complementary concept called open types, which provides horizontally extensible data structures, the concept of dynamic routines has so far been successfully employed to implement an interaction manager synchronizing concurrent workflows and a graphical editor for interaction graphs. Additional projects are planned, especially to compare source code implementing the same functionality with and without dynamic routines regarding its length, readability, extensibility, and run-time efficiency.
Changes are required to evolve software systems in order to meet the requirements emerging from technological advances, changes in operating platforms, end-user needs, and demands to fix errors and bugs. Studies have shown that about one third of a project’s budget is spent on testing these changes to ensure system correctness. To minimize testing cost and effort, model-based regression testing approaches select a subset of the test cases early by tracing the changes in analysis and design models to the tests. However, modeling complex software systems demands covering various views, such as the structural view and the behavioral view. Dependency relations exist between these views due to the overlapping and reuse of various concepts. These dependency relations complicate regression testing by propagating changes across the models of the different views and the tests. Change impact analysis across models and tests is required to identify the potentially affected test cases by analyzing the change propagation through the dependency relations.
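The change propagation described above can be sketched as a reachability computation over the dependency relations. The model-element and test names below are illustrative, not a specific modeling notation: starting from the changed elements, we follow “depends on” edges transitively and collect the test cases covering any reached element.

```python
from collections import deque

def affected_tests(depends_on, tests_for, changed):
    """depends_on maps an element to the elements that depend on it
    (possibly in another view); tests_for maps an element to the test
    cases covering it. Returns the potentially affected test cases."""
    seen, queue = set(changed), deque(changed)
    while queue:
        elem = queue.popleft()
        for dependent in depends_on.get(elem, []):
            if dependent not in seen:   # propagate the change transitively
                seen.add(dependent)
                queue.append(dependent)
    return {t for e in seen for t in tests_for.get(e, [])}

# a structural element, a behavioral element depending on it, and their tests
deps = {"ClassA": ["SeqDiagram1"], "SeqDiagram1": ["ClassB"]}
tests = {"ClassA": ["T1"], "SeqDiagram1": ["T2"], "ClassB": ["T3"]}
impacted = affected_tests(deps, tests, {"ClassA"})
```

Here a change to `ClassA` propagates through the behavioral view (`SeqDiagram1`) back into the structural view (`ClassB`), so all three tests are selected for re-execution.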
“Software is eating the world” is a common saying nowadays, paraphrasing the fact that software influences almost all parts of industry and our daily life. This makes software subject to mass production while, at the same time, there is an increasing demand for the customization of software systems to adhere to specific requirements of users or environments. As a result, a software system is developed in many similar, yet different variants, thus constituting a variant-rich software system. To enable the development of such variant-rich systems, two approaches are commonly used: first, structured reuse by means of integrated variability, which allows specifying the differences between variants on the domain and implementation levels; second, ad-hoc reuse by means of clone-and-own, which reuses existing variants by copying them and afterwards applying the required modifications (e.g., code changes) to achieve the desired variant. While both are commonly used, they raise challenges for the evolution of variant-rich systems with respect to aspects such as maintainability, testability, extensibility, and reliability.
These results are important in several ways: First, they demonstrate that one learning approach can be used for different real-world application scenarios, which is crucial for practicality. Second, they demonstrate that the domain of configurable software systems exhibits specific properties (e.g., the distribution of interactions) that make circumventing the tradeoff problem possible, allowing researchers and practitioners to develop efficient learning approaches by concentrating on a few important configuration options and their low-order interactions (i.e., interactions involving only a small number of configuration options, in our case two or three). Third, we confirm that the learning approach that we use effectively identifies real interactions in configurable systems. Finally, the identified interaction patterns can be used as anti-patterns and help to prevent, or at least to anticipate, the possible presence of performance interactions already in the early stages of a configurable system’s development, when architectural decisions are made. In total, these results contribute to the goals of our dissertation by providing insights into the nature and properties of feature interactions that may help in detecting or preventing feature interactions.
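To make the notion of low-order interactions concrete, consider the following sketch of a performance-influence model over binary configuration options. The option names and effect values are invented for illustration, not taken from the dissertation's subject systems: the predicted performance is a base value plus per-option effects plus pairwise (second-order) interaction effects.

```python
def predict(config, base, influence, interactions):
    """config: option -> 0/1; influence: per-option effect on the
    performance metric; interactions: (optA, optB) -> joint effect
    that only applies when both options are enabled."""
    perf = base
    for opt, enabled in config.items():
        perf += influence.get(opt, 0.0) * enabled
    for (a, b), effect in interactions.items():
        # a second-order interaction term: active only if both are on
        perf += effect * config.get(a, 0) * config.get(b, 0)
    return perf

cfg = {"compression": 1, "encryption": 1, "cache": 0}
perf = predict(cfg, base=10.0,
               influence={"compression": 2.0, "encryption": 3.0},
               interactions={("compression", "encryption"): 5.0})
# 10 (base) + 2 + 3 (individual effects) + 5 (pairwise interaction) = 20.0
```

Restricting the model to such pairwise (or at most three-way) terms is exactly what keeps learning tractable: the number of candidate terms grows polynomially rather than exponentially in the number of options.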
This standard represents an alternative to “classical” character sets such as US-ASCII (with 128 characters) or the 8-bit ISO character sets (with 256 characters each), which in the vast majority of cases were designed for exactly one writing system. Since the Unicode standard supports many different writing systems, its use is an important cornerstone of the internationalization of software. This is evidenced by the broad support for the Unicode standard in operating systems, Internet browsers, database systems, and programming languages. Today, as of 2012, there are still many software systems that, mostly for historical reasons, use character sets designed for only one writing system. If the users of such a software system are companies with an international orientation, such a significant restriction in character encoding can be a reason to switch to a competing product that supports Unicode. To potential new users, the software system appears unattractive from the outset.
Finally, there is a need for a method to retrieve the best set of components given metrics and descriptions. Component selection has been shown to be NP-complete [Petty et al. 2003], while more recently a polynomial-time approximation algorithm for component selection was discovered [Fox et al. 2004]. For the selection and identification of components, most approaches are based on system functionalities or on the system architecture [Haghpanah et al. 2008, Vescan et al. 2008]. Sugumaran and Storey propose a semantic-based approach for the retrieval of components in [Sugumaran and Storey 2003]. Other methods include formal methods like model checking [Xie], artificial neural networks [Merkl et al. 1994], information retrieval [Maarek et al. 1991], decision and utility theory [Alves et al. 2005], and genetic algorithms. For the latter, Haghpanah et al. [Haghpanah et al. 2008] adapted a greedy approach and a genetic algorithm to approximate the component selection problem. Hoover et al. proposed in [Hoover and Khosla 1996, Hoover et al. 1999] an analytical approach for the design, and the change of the design, of reusable real-time software. In this approach, a combination of genetic and simulated annealing algorithms was used to measure the impact of change on the reusable system. While this method could also be used to partition software into reusable parts, it takes no information about the quality of components into account and therefore does not qualify for the problem at hand.
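A greedy approximation of the kind cited above can be sketched as a set-cover-style heuristic. The component and functionality names are invented for illustration, and this is only the general shape of such an approach, not the cited algorithm: in each round, pick the component that covers the most still-missing required functionalities.

```python
def greedy_select(required, components):
    """components: name -> set of provided functionalities.
    Greedily choose components until all required functionalities
    are covered (or no component adds anything new)."""
    missing, chosen = set(required), []
    while missing:
        # component covering the most still-missing functionalities
        best = max(components, key=lambda c: len(components[c] & missing))
        if not components[best] & missing:
            break   # requirements not fully coverable
        chosen.append(best)
        missing -= components[best]
    return chosen

comps = {"C1": {"f1", "f2"}, "C2": {"f2", "f3"}, "C3": {"f3"}}
selection = greedy_select({"f1", "f2", "f3"}, comps)
# C1 is picked first (covers f1 and f2), then a component providing f3
```

Like the underlying set-cover heuristic, this is fast but only an approximation; it also ignores component quality, which is precisely the shortcoming noted above.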
The automotive safety standard ISO 26262 strongly recommends the use of fault injection (FI) for the assessment of safety mechanisms, which typically span composite dependability and real-time operations. However, with the standard providing very limited guidance on the actual design, implementation, and execution of FI experiments, most AUTOSAR FI approaches use standard fault models (e.g., bit flips and data-type-based corruptions) and focus on using simulation environments. Unfortunately, representing timing faults with standard fault models and representing real-time properties in simulation environments are both hard, rendering the two inadequate for a comprehensive assessment of AUTOSAR’s safety mechanisms. The actual development of the FI advocated by ISO 26262 is further hampered by the lack of representative software fault models and the lack of an openly accessible AUTOSAR FI framework. We address these gaps by (a) adapting the open-source FI framework GRINDER [WPS+15] to AUTOSAR and (b) showing how to effectively apply it for the assessment of AUTOSAR’s safety mechanisms. The FI process presented in this chapter advances and builds upon the instrumentation approach that we developed in Chapter 2. The content of this chapter is based on a conference paper accepted at EDCC 2015 [PWS+15b].
Keywords: cyber security, CPS, MES, SDN, OPC UA
The concept of the Cyber-Physical System (CPS) (Baheti, 2015) is rapidly reshaping the manufacturing sector. CPSs interconnect (cyber) computational assets with physical assets through devices with computational and communication capabilities. These devices turn physical objects into smart components forming distributed and autonomous ecosystems that can sense and interact with the physical world, as well as with other software systems. Thus, CPSs are feedback systems that fuse the real world and the cyber world, providing new knowledge from connected devices. Because of the endless possibilities and expandability of CPSs, their applications have been explored in various research fields, including manufacturing (Lee, Bagheri & Kao, 2015). Indeed, the implementation of CPSs in manufacturing factories provides many advantages, from advanced fault detection for maintenance operations to work and waste reductions for lean manufacturing operations. For this reason, the CPS is regarded as one of the core elements of the next-generation paradigm for the manufacturing industry, Industry 4.0 (Kagermann, Wahlster & Helbig, 2013).
Given the rapid innovations in software and technology, many complex systems are becoming software-intensive. Software-intensive systems are systems in which software interacts with other software, systems, devices, sensors, and with people [Wir+08]. Software has become an indispensable part of many modern systems and often performs the main safety-critical functions. Software safety, as stated in [Alb+99], is practically concerned with the software causal factors that are linked to individual hazards, and with ensuring that the mitigation of each causal factor is traced from software requirements to design, implementation, and test. An unexpected behavior of software may lead to catastrophic results such as injury or loss of human life, damaged property, or environmental disturbances. Therefore, it becomes essential to test software components for unexpected behavior before using them in practice [Min91]. The Toyota Prius, the General Motors airbag, and the loss of the Mars Polar Lander (MPL) mission [JPL00] are well-known problems in which software played an important role in the loss, although the software had been successfully verified against all functional requirements. More recently, accidents involving Google’s self-driving car and Tesla’s Autopilot are two software-related incidents in the automotive domain.
has to be either planned ahead explicitly in the system, or the underlying platform has to provide means to effectuate software changes dynamically. Recent trends in software engineering research place evolution among the most vivid and topical directions. Approaches and techniques, endowed with tools, promise to produce software systems able to adapt themselves to environmental changes by adding new and/or modifying existing functionality. Among these topical evolution-centered mechanisms for making software adaptability work, we mainly cite computational reflection [74, 17]. Computational reflection is a technique that allows a system to maintain information about itself (meta-information) and to use these data for changing (adapting) its behavior. This is done through the causal connection between the base level (i.e., the controlled system) and the meta-level (the evolutionary system). Reflection is the ability of a system to watch its own computation and possibly change the way it is performed. Observation and modification imply an underlay that will be observed and modified. Since the system reasons about itself, the "underlay" is itself, i.e., the system has a self-representation. A reflective architecture logically models a system in two layers, called base-level and meta-level. In the sequel, for simplicity, we refer to the part of the system working in the base-level or in the meta-level as the base-level and the meta-level, respectively. The base-level realizes the functional aspect of the system, whereas the meta-level realizes the nonfunctional aspect of the system. Functional and nonfunctional aspects discriminate among features that are, respectively, essential or not for complying with the given system requirements. Security, fault tolerance, and evolution are examples of nonfunctional requirements. The meta-level is causally connected to the base-level,
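The base-level/meta-level split and the causal connection can be illustrated with a minimal reflection sketch. The class and function names are invented for illustration: a meta-level function inspects the base-level object's self-representation (its class) and replaces its behavior at run time, and because the connection is causal, the change takes effect on the running base level immediately.

```python
class BaseLevel:
    """The base level: realizes the functional aspect of the system."""
    def compute(self, x):
        return x + 1

def meta_level_adapt(obj):
    """The meta-level: observes the base level's self-representation
    and changes how its computation is performed. Note that patching
    the class affects all instances, not just obj."""
    original = type(obj).compute
    def adapted(self, x):
        # wrap the original behavior with an evolutionary change
        return original(self, x) * 2
    type(obj).compute = adapted   # causal connection: takes effect now

system = BaseLevel()
before = system.compute(1)   # functional behavior: 1 + 1 = 2
meta_level_adapt(system)
after = system.compute(1)    # adapted behavior: (1 + 1) * 2 = 4
```

Languages with a richer metaobject protocol make this observation-and-modification loop a first-class mechanism rather than an ad-hoc patch.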
In Chapter 2, we were concerned with the isolation of faults or defects that may be activated once software is deployed. However, testing activities during software development are essential for identifying potential issues even before deployment. Software Fault Injection (SFI) is a widely used dynamic testing technique to experimentally assess the dependability of software systems. To allow for a comprehensive view of the dependability of increasingly complex software, SFI typically requires large numbers of experiments with potentially long execution times, which overall leads to long test latencies. To handle the increasing complexity, we propose (1) to exploit the parallel hardware resources that have become available in virtually all desktop and server systems for concurrent test execution, and (2) to avoid redundant work between multiple executions. To that end, we investigate the efficiency and feasibility of conducting OS-level FI experiments in parallel in separate virtual machines (VMs) using our PAIN (PArallel fault INjection) SFI framework. Moreover, leveraging the lessons learned from our PAIN experiences, we propose FastFI, a novel SFI framework for efficient parallel SFI experiments at higher levels of the software stack. Aiming at software levels above the OS level, FastFI is suitable for SFI on system libraries as well as applications and executes experiments in processes rather than VMs. The idea of parallel execution of experiments rests on the assumption that individual experiments do not interfere with each other in ways that change or even invalidate the experimental results. Consequently, in addition to providing increased SFI throughput, we investigate whether this assumption is justified and analyze the trade-off between result accuracy and throughput increase for parallel SFI. We conduct our experiments using real-world systems and applications. For PAIN, we conduct SFI experiments in an Android OS scenario.
For FastFI, we conduct experiments with PARSEC applications. The contents of this chapter are, in parts verbatim, based on material from [Sch+18a] and [Win+15b].
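The process-level parallelism used by FastFI can be sketched as follows. This is not the actual PAIN or FastFI implementation, only the core idea with a simulated experiment: independent fault injection experiments run concurrently in separate worker processes, so a crashing experiment cannot corrupt the state of its siblings, and the per-experiment outcomes are collected for later failure-mode classification.

```python
import multiprocessing as mp
from concurrent.futures import ProcessPoolExecutor

def run_experiment(fault_id):
    """Placeholder for one SFI experiment: inject a fault into the
    target state, run the workload, classify the outcome."""
    target = [1, 2, 3]                    # toy target state
    target[fault_id % len(target)] ^= 0xFF  # bit-flip-style corruption
    outcome = "failure" if sum(target) != 6 else "no effect"
    return fault_id, outcome

# fork start method keeps the sketch self-contained (POSIX only)
ctx = mp.get_context("fork")
with ProcessPoolExecutor(max_workers=4, mp_context=ctx) as pool:
    results = dict(pool.map(run_experiment, range(8)))
```

The interference question raised above corresponds to hidden shared state between workers (e.g., files, shared caches, thermal throttling); in this toy example each experiment's state is private, so parallel and sequential execution trivially agree.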
• [A.E. Hassan, Zhen Ming Jiang, and R.C. Holt. Source versus object code extraction for recovering software architecture. 12th Working Conference on Reverse Engineering, page 10, 2005] To support developers maintaining and evolving under- (or un-) documented systems, an up-to-date view of the architecture can be recovered from the system’s implementation. Source code or object code extractors may be used to recover the architecture. This paper explores using two types of extractors (source code and object code extractors) to recover the architecture of several large open-source systems. It investigates the differences between the results produced by these extractors to gain a better understanding of the benefits and limitations of each type of extractor. The results show that both types of extractors have their benefits and limitations. For example, an object code extractor is easier to implement, while a source code extractor recovers more of the dependencies that exist in the source code as seen by developers [HJH05]. (conference paper) • [L. Moonen, PhD thesis, The University of Amsterdam. Exploring Software Systems. 2002] In the dissertation, the author investigates approaches and tools that help remedy the degradation of knowledge about a system during its evolution by supporting the exploration of the software system and improving its legibility. He examines an analogy with urban exploration and presents approaches for the extraction, abstraction, and presentation of the information needed for understanding software [Moo02]. (PhD thesis)
The simultaneous explosion of information and integration of technology, and the continuous evolution from software-intensive systems to systems of systems to ULS systems, require new and innovative approaches for building, running, and managing software systems. A consequence of this continuous evolution is that software systems must become more versatile, flexible, resilient, dependable, robust, continuously available, energy-efficient, recoverable, customizable, self-healing, configurable, or self-optimizing by adapting to changing contexts and environments. One of the most promising approaches to achieving such properties is to equip software systems with self-adaptation mechanisms.
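A common realization of such self-adaptation mechanisms is a MAPE-style feedback loop (monitor, analyze, plan, execute) over the managed system. The following is a minimal sketch with invented names and a toy scale-out policy, not a specific framework:

```python
class SelfAdaptiveSystem:
    """Toy MAPE loop: monitors load, analyzes it against a limit,
    plans a scale-out action, and executes it on the managed system."""

    def __init__(self, load_limit=0.8):
        self.load_limit = load_limit
        self.replicas = 1   # state of the managed system

    def monitor(self, system_load):
        """Collect knowledge from sensors/probes."""
        return {"load": system_load}

    def analyze(self, knowledge):
        """Decide whether adaptation is needed."""
        return knowledge["load"] > self.load_limit

    def plan(self):
        """Choose an adaptation action."""
        return ("scale_out", self.replicas + 1)

    def execute(self, action):
        """Apply the action through effectors."""
        _, replicas = action
        self.replicas = replicas

    def loop(self, system_load):
        knowledge = self.monitor(system_load)
        if self.analyze(knowledge):
            self.execute(self.plan())

s = SelfAdaptiveSystem()
s.loop(0.95)   # overload triggers a scale-out to 2 replicas
s.loop(0.30)   # normal load: no adaptation
```

Production loops additionally maintain a shared knowledge base (MAPE-K) and must themselves be robust, since the loop is now part of the system it manages.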