Communications - October 2012

As another example, hardware architectures that enabled trustworthy layered enforcement of fine-grained least-privilege access policies are no longer in the mainstream, which tends to limit the trustworthiness that can be achieved in software. Also, problematic hardware instructions tend to survive, again for backward compatibility.

The resulting shortfalls with respect to desired system, network, and enterprise behavior can be very serious. That has been noted repeatedly in the preceding 227 Inside Risks columns (including a similarly titled column5), and does not need much further elaboration here.

Some inspiration for writing this column came from the ACM Turing Centenary Celebration this past June, which attempted to look back at the past and to consider what might happen in the future. The talks by the Turing laureates and other invited participants ranged from near to far into both the past and the future— reminding us of some of the laureates’ important past contributions, while at the same time giving diverse perspectives on the future.

Consider some of the general guidance that has emerged from our collective pasts. This may seem similar to earlier Inside Risks columns, but bears repeating because it is not widely observed in practice.

Requirements. We should anticipate the long-term needs that a system or network of systems must satisfy, and plan the development to overcome potential obstacles that might arise, even if the initial focus is on only short-term needs. This might seem to be common wisdom, but is in reality quite rare. Common requirements for security, reliability, fault tolerance, resilience, diagnostic ability, adaptability, human safety, interoperabil-ity, long-term evolvability, trustworthiness, and assurance evaluations are generally much too weak. Furthermore, highly distributed control with highly networked or cloud-dependent systems demands much greater foresight. Also, refining requirements on the fly often causes serious development problems.

System development. We can gain significantly by using effective de-

there is much
to be gained
from farsighted
thinking that also
enables short-term
achievements.

sign methodologies, basic principles, well-reasoned system/network architectures, horizontal (modular) and vertical (layered) abstraction with encapsulation and strong typing, predictable composability, use of formal methods for assurance where most effective, suitable choices of languages for requirements, specifications, programming, and so on—compatible with the sophistication of the requirements and the expertise of the developers.

Research. Solving problems more generally with preplanned evolution, rather than just barely attaining short-term requirements, can be very advantageous. With some foresight and care, this can be done without losing much efficiency. Often a slightly more general solution can prove to be more effective in the long run. There is much to be gained from farsighted thinking that also enables short-term achievements. Thus, it seems most wise not to focus on one without the other. Some new clean-slate approaches are emerging in response to the needs for much greater system and enterprise trustworthiness, as are executable hardware-software co-design languages (for example, see Dave1). Such efforts have long-term goals, but can also have significant short-term results— especially in an ongoing formally based hybrid capability-based hardware-software architecture, 6, 7 which allows legacy software to coexist securely with newly developed highly trustworthy hardware-software.

Roles of science and engineering.
Computer science has evolved into
a very useful collection of scientific
principles and methods, with sig-
nificant advances in many areas—al-
though the use of systemwide metrics
and evaluations of trustworthiness
still have significant room for advanc-
es. On the other hand, the so-called
field of software engineering is still
sorely lacking in engineering founda-
tions and discipline, and therefore
unlike well-established engineering
fields. Theoretical bases and sup-
porting tools can be very helpful to
engineering practice, in simplifying
and analyzing complex systems, and
especially when it comes to long-term
thinking. Metatheories enhancing the
predictable composition of require-
ments, subsystems, and measures of
trustworthiness enabling evaluations
of emergent properties of entire sys-
tems would be extraordinarily valu-
able in facilitating long-term thinking.