Lecture Notes in Computer Science 6420
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Antonio Casimiro, Rogério de Lemos, Cristina Gacek (Eds.)
Architecting Dependable Systems VII

Volume Editors
Antonio Casimiro, University of Lisbon, Faculty of Science, Campo Grande, Bloco C6, Piso 3, 1749-016 Lisbon, Portugal. E-mail: [email protected]
Rogério de Lemos, University of Kent, School of Computing, Canterbury, Kent CT2 7NF, UK. E-mail: [email protected]
Cristina Gacek, City University, London, Centre for Software Reliability, Northampton Square, London EC1V 0HB, UK. E-mail: [email protected]

Library of Congress Control Number: 2010939153
CR Subject Classification (1998): D.2, D.2.11, D.1, F.3, D.3, C.2.4
LNCS Sublibrary: SL 2 – Programming and Software Engineering
ISSN 0302-9743
ISBN-10 3-642-17244-X Springer Berlin Heidelberg New York
ISBN-13 978-3-642-17244-1 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

springer.com
© Springer-Verlag Berlin Heidelberg 2010
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper 06/3180

Foreword

Today, in all kinds of systems, reaching from tiny devices to large global infrastructures, software plays a central role. In addition, information technology supports us in many daily activities and we therefore rely on the provision of the software-based services that are required to fulfill them. Therefore, our society and daily life depend more and more on complex software and its proper operation. In particular areas, such as safety-critical systems, the critical role of software and the need for dependable software systems have long been recognized. However, today the need for dependable software is no longer restricted to such special areas but has become a problem that has to be taken into account for many complex software systems. These complex software systems can only be built when we architect them using existing as well as newly engineered parts that provide the required overall capabilities as a combination of the capabilities of their parts. During the development and evolution of such complex software, the software architecture therefore plays a crucial role in defining the relations between these parts: it permits us to decompose the software into manageable parts and to compose the software from existing or adapted parts, and thus enables the cost-effective engineering of software by multiple teams. This book series addresses the question of how the interplay of software architecture and dependability has to be approached.
The effort is driven by a very successful series of workshops that brought together the international communities working on dependability and software architecture. Six books have been published and this seventh volume continues this successful endeavor to report on results in this research direction combining both fields.

During the last few years, architecting dependable software systems has gained more importance in sectors such as commerce, government, and industry. Not only dependability but also security issues have to be addressed during the development and evolution of the architecture. Furthermore, the dependability and security requirements cannot be considered in isolation, as architecting such systems essentially means finding the right trade-off among these attributes and the various other requirements imposed on the system. Therefore, the workshop series on Architecting Dependable Systems (WADS) has joined forces with the Workshop on the Role of Software Architecture for Testing and Analysis (ROSATEA) and the Workshop on Views on Designing Complex Architectures (VODCA) in the form of the newly established International Symposium on Architecting Critical Systems (ISARCS), which took place for the first time in June 2010 in Prague in the Czech Republic under my guidance as Program Committee Chair. In this seventh book on the subject this tendency is already visible, and we also have contributions that address security issues even though dependability clearly remains the main focus.

The book includes parts addressing mobile and ubiquitous systems, architecting systems, fault management, as well as experience and vision. In the mobile and ubiquitous systems part, there are contributions that approach self-healing pervasive computing systems and self-management of ad hoc networks as well as cooperative backup for mobile nodes. Papers on the identification of requirements in so-called systems of systems and on the interaction of requirements and architectural patterns are contained in the part on architecting systems. In addition, some contributions address architecting dependable service-oriented embedded systems as well as robustness and timeliness for aerospace systems. The fault management part provides articles on architecting dependable systems capable of proactive fault management and on online diagnosis of performance problems. In the final part on experience and vision, several reports on experience and related visions are presented. This includes discussions on collaborative QoS, software assumptions and failure tolerance, dependability and reflective computing, and validation.

The combination of the latest research results and more experience and visionary papers in the last part not only provides a good coverage of the area but also gives a very inspiring outlook. It shows what we can expect to achieve and where the challenges may lie in our future journey for more dependable complex software.

September 2010
Holger Giese

Preface

This is the seventh book in a series on Architecting Dependable Systems. This series started eight years ago, and brings together issues related to software architectures and the dependability and security of systems. This book includes expanded and peer-reviewed papers based on the selected contributions of the Workshop on Architecting Dependable Systems (WADS), organized at the 2009 International Conference on Dependable Systems and Networks (DSN 2009), and a number of invited papers written by recognized experts in the area.

Identification of the system structure (i.e., architecture) early in its development process makes it easier for the developers to make crucial decisions about system properties and to justify them before moving to the design or implementation stages.
Moreover, the architectural level views support abstracting away from details of the system, thus facilitating the understanding of broader system concerns. One of the benefits of a well-structured system is the reduction of its overall complexity, which in turn leads to a more dependable and secure system. System dependability is defined as the reliance that can be justifiably placed on the service delivered by the system, while security can be defined as protecting the system and certain information it contains from unauthorized access and handling. Both have become essential aspects of computer systems as everyday life increasingly depends on software. It is therefore a matter of concern that dependability and security issues are usually left until too late in the process of system development.

Making decisions and reasoning about structure happen at different levels of abstraction throughout the software development cycle. Reasoning about dependability at the architectural level has recently been in the focus of researchers and practitioners because of the complexity of emerging applications. From the perspective of software engineering, traditionally striving to build software systems that are fault-free, architectural consideration of dependability requires the acceptance of the fact that system models need to reflect that it is impossible to avoid or foresee all faults. This requires novel notations, methods and techniques providing the necessary support for reasoning about faults (including fault avoidance, fault tolerance, fault removal and fault forecasting) at the architectural level. Moreover, due to the inherent design trade-off between dependability and security attributes, security issues should also be taken into account at the architectural level.

This book comes as a result of bringing together the research communities of software architectures, dependability and security, and addresses issues that are currently relevant to improving the state of the art in architecting dependable and secure systems. The book consists of four parts: Mobile and Ubiquitous Systems, Architecting Systems, Fault Management, and Experience and Vision.

The first part of this book is entitled “Mobile and Ubiquitous Systems” and contains three papers. The first paper of this part, authored by T. Bourdenas, M. Sloman and E. C. Lupu, and entitled “Self-Healing for Pervasive Computing Systems”, presents Starfish, a self-healing framework for wireless sensor networks that follows the Self-Managed Cell architectural paradigm. It includes an embedded policy system that allows reconfiguration of individual nodes as well as remote execution of actions by handling access control to remote resources, and supports adaptation of nodes allowing deployment of new strategies at run-time inside the network. The case studies presented provide insight into the validity of the fault model adopted, and give preliminary results on the accuracy of detection techniques. D. Blough, G. Resta, P. Santi and M. Leoncini, in their paper “Self-Organization and Self-Maintenance of Mobile Ad Hoc Networks,” provide a set of topology control protocols that are designed for dynamic and failure-prone networks, relying on the explicit coordination of neighboring nodes for resource efficiency. The proposed solutions also account for the fact that transmission power levels range over discrete values. Extensive simulation results illustrate the potential benefits of these new protocols. The paper “Data Backup for Mobile Nodes: A Cooperative Middleware and an Experimentation Platform” by M.-O. Killijian and M. Roy presents a middleware architecture dedicated to the provision of cooperative data backup on mobile nodes.
The proposed middleware relies on the belief that, for building fast and reliable applications and services in a ubiquitous environment, local cooperation with neighboring nodes is the approach to follow. In addition to the middleware, the authors also present a platform for its experimental evaluation.

Part 2 of the book is entitled “Architecting Systems” and includes four papers focusing on dependability issues while architecting systems. In their paper, entitled “Identification of Security Requirements in Systems of Systems by Functional Security Analysis,” A. Fuchs and R. Rieke address the security requirements elicitation step for safety-critical systems of systems. They adopt a method tracing down functional dependencies over system component boundaries onto the origin of information as a functional flow graph. Such a graph is then used to derive sets of authenticity requirements for the given security and dependability objectives. The second paper in this part, “Implementing Reliability: The Interaction of Requirements, Tactics and Architecture Patterns,” is authored by N. B. Harrison and P. Avgeriou. In this paper, the authors address the issue of actually implementing the reliability tactics, as introduced by L. Bass et al. [1], while architecting systems. The work focuses on the main factors affecting how and where reliability tactics are adopted, and on the difficulty involved in adopting them. The information presented can guide architects in their choices of patterns and tactics to use. The third paper, by S. Brennan, S. Fritsch, Y. Liu, A. Sterritt, J. Fox, É. Linehan, C. Driver, R. Meier, V. Cahill, W. Harrison and S. Clarke, is entitled “A Framework for Flexible and Dependable Service-Oriented Embedded Systems.” The paper presents a framework that enables dynamic service composition for service-oriented embedded systems, based on model-driven development techniques. The framework considers the implications of dynamic composition and reconfiguration on temporal domain properties, as well as adverse feature interactions resulting from the service assemblies. In the final paper of this part, “Architecting Robustness and Timeliness in a New Generation of Aerospace Systems,” J. Rufino, J. Craveiro, and P. Verissimo describe the foundations of an architecture for robust temporal and spatial partitioning aimed at a new generation of spaceborne systems that include advanced dependability and timeliness adaptation/control mechanisms. The paper introduces a formal system model addressing temporal properties and enabling its verification, and it includes a prototype implementation to illustrate the approach.

[1] L. Bass, P. Clements, R. Kazman, Software Architecture in Practice, Addison-Wesley, 2003.

Part 3 of the book is on “Fault Management” and includes two papers. The first paper, written by F. Salfner and M. Malek, is entitled “Architecting Dependable Systems with Proactive Fault Management.” The authors provide a comprehensive overview of research in proactive fault management and methods for online failure prediction, and then they introduce a model to assess the effects of proactive fault management on system dependability metrics. Finally, the paper includes an architectural blueprint to illustrate how proactive fault management can be incorporated into system architecture. K. Bare et al. contribute to this part of the book with the paper “ASDF: An Automated, Online Framework for Diagnosing Performance Problems.” They focus on performance problems in large-scale distributed systems, by automating problem localization so as to narrow down performance problems to a specific node or set of nodes. The viability of the approach is illustrated by discussions on its application to Hadoop.

Part 4 of the book is on “Experience and Vision” and includes four papers. M. A. Hiltunen and R. D. Schlichting contribute to the book with the paper “Is Collaborative QoS the Solution to the SOA Dependability Dilemma?” The paper reviews the vision of SOAs, and discusses the characteristics that make them particularly challenging for dependability. It then discusses techniques that have been proposed for building dependable SOAs, and argues that any successful solution to implement dependability requires collaborative quality of service (QoS). In the second paper, entitled “Software Assumptions Failure Tolerance: Role, Strategies, and Visions,” V. De Florio shares his vision on a suitable approach to facilitate the design of fully autonomically resilient software systems. The author considers that increasing software complexity can be tackled through architectural and structuring techniques, while keeping a holistic view for addressing the problem of assumption failures. The paper provides strategies to achieve assumption failure-tolerant systems and discusses some practical tools that may be used for this purpose. The third paper, authored by J.-C. Fabre and entitled “Architecting Dependable Systems Using Reflective Computing: Lessons Learnt and Some Challenges,” discusses how the separation of concerns supported by the reflection paradigm is of interest for practical dependable systems, focusing in particular on fault-tolerance mechanisms. Based on his past experience, the author presents his perception on the use of reflective computing by identifying some lessons learned and listing some key challenges that should be addressed in the future. The paper entitled “Architecting and Validating Dependable Systems: Experiences and Visions” by A. Bondavalli, A. Ceccarelli and P. Lollini discusses the evolution of the challenges in architecting and validating critical systems with respect to the systems’ evolution from traditional embedded systems towards pervasive, dynamic and heterogeneous systems.
The experience gained and the expected future trends are considered in the context of several research projects.

Architecting dependable systems is now a well-recognized area, attracting the interest and contributions of many researchers. We are certain that this book will prove valuable for both developers designing complex applications and researchers building techniques supporting this. We are grateful to the many people that made this book possible. Our thanks go to the authors of the contributions for their excellent work, and to the DSN 2009 WADS participants for their active involvement in the discussions. We would also like to thank Alfred Hofmann and his team from Springer for believing in the idea of a series of books on this important topic and for helping us to get it published. Last but not least, we greatly appreciate the efforts of our reviewers who have helped us in ensuring the high quality of the contributions. They are Paris Avgeriou, Douglas Blough, Andrea Bondavalli, Walter Cazzola, João Craveiro, Vincenzo De Florio, Leonardo B. de Oliveira, Felicita Di Giandomenico, Jean-Charles Fabre, Andreas Fuchs, Karl M. Goeschka, Swapna S. Gokhale, Neil Harrison, Matti Hiltunen, Paola Inverardi, Svilen Ivanov, Paolo Lollini, Emil C. Lupu, Miroslav Malek, Rene Meier, Edgar Nett, Roland Rieke, Roshanak Roshandel, Matthieu Roy, José Rufino, Paolo Santi, Rick Schlichting, Paulo Sousa, Massimo Tivoli, Jó Ueyama, Marco Vieira and several anonymous reviewers.

September 2010
Antonio Casimiro
Rogério de Lemos
Cristina Gacek

Table of Contents

Part 1. Mobile and Ubiquitous Systems

Self-healing for Pervasive Computing Systems ........ 1
Themistoklis Bourdenas, Morris Sloman, and Emil C. Lupu

Self Organization and Self Maintenance of Mobile Ad Hoc Networks through Dynamic Topology Control ........ 26
Douglas M. Blough, Giovanni Resta, Paolo Santi, and Mauro Leoncini

Data Backup for Mobile Nodes: A Cooperative Middleware and an Experimentation Platform ........ 53
Marc-Olivier Killijian and Matthieu Roy

Part 2. Architecting Systems

Identification of Security Requirements in Systems of Systems by Functional Security Analysis ........ 74
Andreas Fuchs and Roland Rieke

Implementing Reliability: The Interaction of Requirements, Tactics and Architecture Patterns ........ 97
Neil B. Harrison and Paris Avgeriou

A Framework for Flexible and Dependable Service-Oriented Embedded Systems ........ 123
Shane Brennan, Serena Fritsch, Yu Liu, Ashley Sterritt, Jorge Fox, Éamonn Linehan, Cormac Driver, René Meier, Vinny Cahill, William Harrison, and Siobhán Clarke

Architecting Robustness and Timeliness in a New Generation of Aerospace Systems ........ 146
José Rufino, João Craveiro, and Paulo Verissimo

Part 3. Fault Management

Architecting Dependable Systems with Proactive Fault Management ........ 171
Felix Salfner and Miroslaw Malek