Torsten Bandyszak

Maintaining trustworthiness of socio-technical systems at run-time

Trustworthiness of dynamical and distributed socio-technical systems is a key factor for the success and wide adoption of these systems in digital businesses. Different trustworthiness attributes should be identified and accounted for when such systems are built, and in order to maintain their overall trustworthiness they should be monitored during run-time. Trustworthiness monitoring is a critical task which enables providers to significantly improve the systems’ overall acceptance. However, trustworthiness characteristics are poorly monitored, diagnosed and assessed by existing methods and technologies. In this paper, we address this problem and provide support for semi-automatic trustworthiness maintenance. We propose a trustworthiness maintenance framework for monitoring and managing the system’s trustworthiness properties in order to preserve the overall established trust during run-time. The framework provides an ontology for run-time trustworthiness maintenance, and respective business processes for identifying threats and enacting control decisions to mitigate these threats. We also present use cases and an architecture for developing trustworthiness maintenance systems that support system providers.

Common Threats and Mitigation Strategies in Requirements Engineering Experiments with Student Participants

[Context and motivation] Experiments are an important means to evaluate research results in the field of requirements engineering. Researchers often conduct such experiments with student participants. [Question/problem] The use of student participants evokes a multitude of potential threats to validity, which must be properly addressed by the chosen experiment design. In practice, attention is mostly given to threats to the generalizability of the findings. However, current experiment reports often lack a proper discussion of further threats, for example, which are caused by the recruitment of student participants. [Principle ideas/results] To provide mitigation strategies for student specific threats to validity, these threats must be known. We analyzed student experiments from published experiment reports to identify student specific threats and to analyze adequate mitigation strategies. [Contribution] This paper contributes a detailed analysis of the threats to validity to be considered in student experiments, and possible mitigation strategies to avoid these threats. In addition, we report on an experiment conducted in a university requirements engineering course, where we considered student specific threats and applied the proposed mitigation strategies.

Supporting Coordinated Maintenance of System Trustworthiness and User Trust at Runtime

In addition to design-time considerations, user trust and the trustworthiness of software-intensive socio-technical systems (STS) need to be maintained during runtime. Especially trust can only be monitored based on the actual usage of the system in operation. Service providers should be able to make informed decisions about runtime adaptation based on trust and trustworthiness, as well as respective essential relations. In this paper we present a unified approach to support the coordination of trust and trustworthiness maintenance. Trustworthiness maintenance is based on measuring objective system qualities, while trust maintenance considers two complementary measures of trust, i.e., the user behavior, and an estimation of the perceived system trustworthiness. A prototype tool demonstrates the feasibility of our approach. Furthermore, we illustrate specific functionalities of the tool by means of an application example.

Extending Development Methodologies with Trustworthiness-By-Design for Socio-Technical Systems

Socio-Technical Systems STS include humans, organizations, and the information systems that they use to achieve certain goals [1]. They are increasingly relevant for society, since advances in ICT technologies, such as cloud computing, facilitate their integration in our daily life. Due to the difficulty in preventing malicious attacks, vulnerabilities, or the misuse of sensitive information, users might not trust these systems. Trustworthiness in general can be defined as the assurance that the system will per-form as expected, or meets certain requirements cf., e.g. [2]. We consider trustworthiness as a multitude of quality attributes. As a means of constructive quality assurance, development methodologies should explicitly address the different challenges of building trustworthy software as well as evaluating trustworthiness, which is not supported by development methodologies, such as User-Centered Design UCD [3].

Trust and trustworthiness maintenance: From architecture to evaluation

Embedded systems, by their nature, often run unattended with opportunistic rather then scheduled software upgrades and, perhaps most significantly, have long operational lifetimes, and, hence, provide excellent targets for massive and remote exploitation. Thus, such systems mandate higher assurances of trust and cyber-security compared to those presently available in State-of-the-Art ICT systems. In this poster we present some techniques we utilize in the SHARCS project to ensure a higher level of security for embedded systems.In recent years, low-end embedded devices have been used increasingly in various scenarios, ranging from consumer electronics to industrial equipment. However, this evolution made embedded devices profitable targets for software piracy and software manipulation. Aggravating this situation, low-end embedded devices typically lack secure hardware to effectively protect against such attacks. In this work, we present a novel software protection scheme, which is particularly suited for already deployed low-end embedded devices without secure hardware. Our approach combines techniques based on self-checksumming code with Physically Unclonable Functions (PUFs) to establish a hardwareassisted software protection. In this way, we can tie the execution of a software instance to a specific device and protect its program code against manipulations. We show that our software protection scheme offers a high level of security against static adversaries and demonstrate that dynamic adversaries require considerable resources to perform a successful attack. To explore the feasibility of our solution, we implemented the protection scheme on an ARM-based low-end commodity microcontroller. A further performance evaluation shows that the implemented solution exhibits a fair overhead of ten percent.

Technology Transfer Concepts

In software engineering, transferring innovative concepts, techniques and methods into the practice of existing organizations is an expensive and complex task. This chapter gives an overview on the transfer of the SPES XT modeling framework to different organization.

Supporting the Validation of Structured Analysis Specifications in the Engineering of Information Systems by Test Path Exploration

Requirements validation should be carried out early in the development process to assure that the requirements specification correctly reflects stakeholderâ??s intentions, and to avoid the propagation of defects to subsequent phases. In addition to reviews, early test case creation is a commonly used requirements validation technique. However, manual test case derivation from specifications without formal semantics is costly, and requires experience in testing. This paper focuses on Structured Analysis as a semi-formal technique for specifying information systems requirements, which is part of latest requirements engineering curricula and widely accepted practices in business analysis. However, there is insufficient guidance and tool support for creating test cases without the need for using formal extensions in early development stages. Functional decomposition as a core concept of Structured Analysis, and the resulting distribution of control flow information complicates the identification of dependencies between system inputs and outputs. We propose a technique for automatically identifying test paths in Structured Analysis specifications. These test paths constitute the basis for defining test cases, and support requirements validation by guiding and structuring the review process.