As another example, hardware architectures that enabled trustworthy layered enforcement of fine-grained least-privilege access policies are no longer in the mainstream, which tends to limit the trustworthiness that can be achieved in software. Also, problematic hardware instructions tend to survive, again for backward compatibility. The resulting shortfalls with respect to desired system, network, and enterprise behavior can be very serious. That has been noted repeatedly in the preceding 227 Inside Risks columns (including a similarly titled column [5]), and does not need much further elaboration here.
Some inspiration for writing this column came from the ACM Turing Centenary Celebration this past June, which attempted to look back at the past and to consider what might happen in the future. The talks by the Turing laureates and other invited participants ranged from near to far into both the past and the future—reminding us of some of the laureates’ important past contributions, while at the same time giving diverse perspectives on the future.
Consider some of the general guidance that has emerged from our collective pasts. This may seem similar to earlier Inside Risks columns, but bears repeating because it is not widely observed in practice.
Requirements. We should anticipate the long-term needs that a system or network of systems must satisfy, and plan the development to overcome potential obstacles that might arise, even if the initial focus is on only short-term needs. This might seem to be common wisdom, but is in reality quite rare. Common requirements for security, reliability, fault tolerance, resilience, diagnostic ability, adaptability, human safety, interoperability, long-term evolvability, trustworthiness, and assurance evaluations are generally much too weak. Furthermore, highly distributed control with highly networked or cloud-dependent systems demands much greater foresight. Also, refining requirements on the fly often causes serious development problems.
System development. We can gain significantly by using effective design methodologies, basic principles, well-reasoned system/network architectures, horizontal (modular) and vertical (layered) abstraction with encapsulation and strong typing, predictable composability, use of formal methods for assurance where most effective, suitable choices of languages for requirements, specifications, programming, and so on—compatible with the sophistication of the requirements and the expertise of the developers.
Research. Solving problems more generally with preplanned evolution, rather than just barely attaining short-term requirements, can be very advantageous. With some foresight and care, this can be done without losing much efficiency. Often a slightly more general solution can prove to be more effective in the long run. There is much to be gained from farsighted thinking that also enables short-term achievements. Thus, it seems most wise not to focus on one without the other. Some new clean-slate approaches are emerging in response to the needs for much greater system and enterprise trustworthiness, as are executable hardware-software co-design languages (for example, see Dave [1]). Such efforts have long-term goals, but can also have significant short-term results—especially in an ongoing formally based hybrid capability-based hardware-software architecture [6, 7], which allows legacy software to coexist securely with newly developed highly trustworthy hardware-software.
Roles of science and engineering. Computer science has evolved into a very useful collection of scientific principles and methods, with significant advances in many areas—although the use of systemwide metrics and evaluations of trustworthiness still have significant room for advances. On the other hand, the so-called field of software engineering is still sorely lacking in engineering foundations and discipline, and therefore unlike well-established engineering fields. Theoretical bases and supporting tools can be very helpful to engineering practice, in simplifying and analyzing complex systems, and especially when it comes to long-term thinking. Metatheories enhancing the predictable composition of requirements, subsystems, and measures of trustworthiness enabling evaluations of emergent properties of entire systems would be extraordinarily valuable in facilitating long-term thinking.