... view 1 view 2 view n. implementation

Similar documents
Thesis work and research project

Verifying Semantic of System Composition for an Aspect-Oriented Approach

Quotes from Object-Oriented Software Construction

programming languages, programming language standards and compiler validation

Chap 1. Introduction to Software Architecture

Aerospace Software Engineering

Questions? Assignment. Techniques for Gathering Requirements. Gathering and Analysing Requirements

Component visualization methods for large legacy software in C/C++


Modular Communication Infrastructure Design with Quality of Service

A B C. Decomposition I Y

Applying 4+1 View Architecture with UML 2. White Paper

Cedalion A Language Oriented Programming Language (Extended Abstract)

Managing Variability in Software Architectures 1 Felix Bachmann*

The Consequences of Process Modeling For Compliance

Common Criteria For Information Technology Security Evaluation

Aspect-Oriented Programming

Handbook for the Computer Security Certification of Trusted Systems


Algorithms, Flowcharts & Program Design. ComPro

Software Quality Factors OOA, OOD, and OOP Object-oriented techniques enhance key external and internal software quality factors, e.g., 1. External (v

Decomposition into Parts. Software Engineering, Lecture 4. Data and Function Cohesion. Allocation of Functions and Data. Component Interfaces

IAI : Expert Systems

French Scheme CSPN to CC Evaluation

ISF: A Visual Formalism for Specifying Interconnection Styles. for Software Design. Drexel University Chestnut Street,


An Approach to Software Architecture Description Using UML

Data Flow-based Validation of Web Services Compositions: Perspectives and Examples

PS engine. Execution

UML TUTORIALS THE COMPONENT MODEL


The CVS-Server Case Study: A Formalized Security Architecture

Project VIDE Challenges of Executable Modelling of Business Applications

Challenges and Opportunities for formal specifications in Service Oriented Architectures

CHAPTER 2 MODELLING FOR DISTRIBUTED NETWORK SYSTEMS: THE CLIENT- SERVER MODEL

From Control Loops to Software

Transforming security audit requirements into a software architecture

EVALUATION BY PARTS OF TRUSTED. Ravi S. Sandhu. George Mason University, Fairfax, VA

Minimizing technical complexities in emerging cloud computing platforms

Appendix B Data Quality Dimensions

ACM SIGSOFT SOFTWARE ENGINEERING NOTES vol 17 no 4 Oct 1992 Page 40. Foundations for the Study of Software Architecture

A Framework of Model-Driven Web Application Testing

Managing large sound databases using Mpeg7

An Algebra for Feature-Oriented Software Development

CONDIS. IT Service Management and CMDB

New Generation of Software Development

Spécication et analyse formelle des politiques de sécurité dans le cloud computing

How to Design and Maintain a Secure ICS Network

A Tool for Enterprise Architecture Analysis using the PRM formalism

Requirements Analysis through Viewpoints Oriented Requirements Model (VORD)

Example EET: request(car, from, to) offer(price) confirmation(card_no)

Automated Test Approach for Web Based Software

Karunya University Dept. of Information Technology

Keywords Aspect-Oriented Modeling, Rule-based graph transformations, Aspect, pointcuts, crosscutting concerns.

An Automatic Tool for Checking Consistency between Data Flow Diagrams (DFDs)

Enterprise Architecture: Practical Guide to Logical Architecture

A UML Introduction Tutorial

Software Development in the Fields of Embedded Systems, Safety, and Security

Introduction to Service Oriented Architectures (SOA)

Discussing Implicit Parallelism and Its Applications

Consistency Management for Multiple Perspective Software Development

Architecture Definitions

The Service Revolution software engineering without programming languages

Edited by: Juan Bicarregui. With contributions from: Sten Agerholm. Bart Van Assche. John Fitzgerald. Jacob Frost. Albert Hoogewijs.

Software Engineering. System Models. Based on Software Engineering, 7 th Edition by Ian Sommerville

How To Develop Software

INTEROPERABILITY IN DATA WAREHOUSES

The Role of the Software Architect

Viewpoint Modeling. Agenda. 1. Viewpoint Modeling 2. ODS, Enterprise Architecture, Viewpoints, Models 3. Modeling approaches and standards

A Systematic Approach. to Parallel Program Verication. Tadao TAKAOKA. Department of Computer Science. Ibaraki University. Hitachi, Ibaraki 316, JAPAN

Composing Concerns with a Framework Approach

CHAPTER 1: OPERATING SYSTEM FUNDAMENTALS

Object Oriented Design


An eclipse-based Feature Models toolchain

Object-Oriented Software Specification in Programming Language Design and Implementation


SYSTEMS AND SOFTWARE REQUIREMENTS SPECIFICATION (SSRS) TEMPLATE. Version A.4, January 2014 FOREWORD DOCUMENT CONVENTIONS

Verication Techniques for LOTOS [ISO:8807] was a collaborative project, from 1989 to 1993, funded by the UK SERC/IED research program.

SIMPLE NETWORKING QUESTIONS?

A Foolish Consistency: Technical Challenges in Consistency Management

Introduction to CORBA. 1. Introduction 2. Distributed Systems: Notions 3. Middleware 4. CORBA Architecture

An Approach for Generating Concrete Test Cases Utilizing Formal Specifications of Web Applications

Normative Ontologies to Define Regulations Over Roles in Open Multi- Agent Systems

BUSINESS RULES AS PART OF INFORMATION SYSTEMS LIFE CYCLE: POSSIBLE SCENARIOS Kestutis Kapocius 1,2,3, Gintautas Garsva 1,2,4


UML-based Test Generation and Execution

Software Testing Strategies and Techniques

Software development process

Development. Boston MA Murray Hill, NJ [CMU/SEI-95-SR-024]. A rational design process should address. software reuse.

A methodology for secure software design

KWIC Exercise. 6/18/ , Spencer Rugaber 1

An Overview of Distributed Databases

Towards Verified Automotive Software

Rose/Architect: a tool to visualize architecture

Efficient Agent Based Testing Framework for Web Applications

Teaching Methodology for 3D Animation

Goal-Driven Adaptable Software Architecture for UAVs

KNOWLEDGE ORGANIZATION

TAOS: Testing with Analysis and Oracle Support. Debra J. Richardson. University of California

Transcription:

1 MULTIPLE VIEWS IN SOFTWARE ARCHITECTURE: CONSISTENCY AND CONFORMANCE POSITION PAPER D. Le Metayer and M. Perin MULTIPLE VIEWS: SIGNIFICANCE AND PROBLEMS The study of software architectures has grown as an autonomous discipline recently. A widely accepted, and very general, characterisation of software architectures can be sketched as follows [Shaw and Garlan, 1995]: \Software architecture is the level of software design that addresses the overall structure and properties of software systems". The success of this trend of work is based on two major assumptions: Much benet has to be gained from the description of software systems at a high level of abstraction: pay-os are expected in terms of quality of design, maintenance, analysis, verication, testing, communication between developers, etc. Software architectures involve specic concepts which require specic languages, techniques and tools. Irisa/Inria, Campus de Beaulieu, 35042 Rennes, France. Email: lemetayer/mperin@irisa.fr 1

2 The rst assumption is hardly arguable in principle even if better tools and architecture development environments are still needed to really assess the practical signicance of the whole approach. The second assumption is sometimes questioned outside the emerging \software architecture community" because a number of issues related to software architectures have been studied in dierent contexts in the past. Abstract (and even nite state) models of real systems have been used for a long time and the notions of abstract interpretation [Cousot and Cousot, 1979] and property preserving abstraction [Loiseaux et al., 1995] have been formalised and studied extensively for various classes of programming languages (concurrent, sequential, functional, logic, etc.). Furthermore, as far as formalisms are concerned, process calculi such as CSP or the -calculus provide concurrency and synchronisation features that can also be used to specify the communication protocols between components in an architecture [Allen and Garlan, 1994, Radestock and Eisenbach, 1996]; sophisticated facilities for modularity are oered by functional languages of the ML family (SML, CAML, etc.) [MacQueen, 1985]; also synchronous languages provide formal semantics of box and line drawings used for describing real-time systems [Benveniste and Berry, 1991]. So it is legitimate at this stage to put the specicity of software architectures under scrutiny and discuss whether it justies the development of a new research area. First, as far as abstract interpretation is concerned, it should be noticed that it has mainly been used in a bottom-up rather than a top-down fashion so far. In other words, it has mostly been concerned with (a posteriori) analysis rather than design and renement. So one interesting issue in the context of software architecture would be the application of the abstract interpretation framework to the renement of global properties. This would lead, strictly speaking, to a \concrete interpretation" process. Second, and more importantly, we believe that the doubts mentioned above have been fuelled by the fact that the range of works published in this area so far does not reect the generality of the approach. It turns out that most of them are concerned with communication and synchronisation which is just one of the aspects of a software architecture. In particular, non functional properties such as security, performance, reliability and extensibility have not received enough attention. But the study of each of these properties may require a dierent kind of decomposition of the software. For this reason, we believe that the notion of \view" is crucial and deserves more consideration in the context of software architectures. A number of variants of the notion of view have been proposed in dierent areas of computer science: In development methods: for example RM-ODP descriptions [Bourgois et al., 1998] include ve viewpoints (enterprise, information, computational, engineering and technology); [Finkelstein et al., 1992] proposes a framework supporting the denition and use of multiple viewpoints in system development; UML also promotes the use of multiple views (as collections of diagrams such as static structure, statechart, component and deployment diagrams) to describe complex systems.

MULTIPLE VIEWS IN SOFTWARE ARCHITECTURE 3 In programming languages: Aspect Oriented Programming [Kiczales, 1996] puts forward a technique for the development of programs as collections of aspects (such as synchronisation, communication, failure handling, memory allocation) which isolate important design decisions that would otherwise be scattered throughout the code. In programming language semantics: the \action semantics" framework [Mosses, 1996] denes the meaning of a program using a number of \facets" (such as control ow, functional, declarative, imperative, communicative, etc.), each of them focussing on one specic kind of information (control ow, data ow, scoping, memory, communications, etc.). In database systems: most database management systems provide a facility for dening and querying views which can be seen as abstractions of the actual database [Ullman, 1988]. Views are typically used to ensure that specic elds of the database are not accessible to certain classes of users or to provide information that is not explicit in the actual database (but can be derived from it). The relevance of the notion of view for software architectures has already been advocated in [Kruchten, 1995] but, to our best knowledge, no existing ADL really supports the notion of multiple views. A major issue that must be addressed before introducing multiple views in an ADL is the specication of the correspondences between the dierent views. Ideally, a form of consistency should be dened and automatic tools should be provided to help in the design of an overall consistent architecture. The conformance of a system with respect to a given architecture is another signicant issue. Although not specic to the notion of view, this problem is compounded by the introduction of multiple views. There may bea great diversity of views and it is unlikely that one single technique can be appropriate to ensure conformance with respect to each of them. None of the works on the variants of views mentioned above provides solutions to the consistency and the conformance problems for software architecture views, either because they do not rely on rm theoretical foundations or because they cannot be transposed to the general notion of view that is required in the context of software architectures. We believe that the study of these problems is a research direction of prime importance for software architectures. In the rest of this position paper, we mainly focus on consistency and summarise a preliminary approach that we are currently experimenting through two case studies: the specication of security properties of an information system and the design of a train control system. CONSISTENCY AND HETEROGENEITY OF MULTIPLE VIEWS In order to get the greatest benets of the approach, the decomposition into multiple views should be chosen in such a way that it minimises the dependencies between views (otherwise little has to be gained from their separation). However all the views ultimately relate to the implemented system and they

4 can rarely be completely independent. For example, the distribution view can have some impact on the security view and the fault-tolerance view. Dierent views may even correspond to conicting requirements: for instance adding a communication link can improve fault tolerance but also have a negative eect on security (because it may give rise to unwanted information ows). The consistency problem is compounded by the inherent heterogeneity of multiple view architectures: since there can be a great diversity of views, each of them should be expressed in the framework (model, specication language, notation, etc.) that is best suited to its specic purpose. It is dicult to imagine a general and semantics based solution to the consistency problem in this context. Previous work on consistency across specication languages [Zave and Jackson, 1993, Bowman et al., 1996] has considered either an intermediate language or a common underlying implementation. For example [Bowman et al., 1996] states that \n specications are consistent if and only if there exists a physical implementation which is a realisation of all the specications, ie. all the specications can be implemented in a single system". This implementation consistency is pictured in Figure 1.1.... view 1 view 2 view n implementation Figure 1.1 Implementation consistency So in all cases mappings have to be dened from each view specication language to a single formalism. This solution may be appropriate when the formalisms used to describe the views are not of a too dierent nature (like Z and LOTOS considered in [Bowman et al., 1996]), which is precisely not the case for software architectures. So we believe that this \single formalism mapping approach" would defeat the very purpose of the introduction of views in software architecture. In other words, little would be gained, in terms of verication, if, to decide upon their consistency, all the views had to be merged into a single all embracing specication. We believe that the issues of consistency and conformance should better be decoupled for a better separation of concerns and an increased tractability. The approach that we are currently experimenting can be sketched as follows: Consistency: each view is represented as an uninterpreted labelled graph. Graphs are widely used representations of software architectures and all the views that we have considered so far (functional, distribution, physical, security, etc.) can be expressed naturally in terms of graphs. The fact that a view dened in a specic framework has rst to be ex-

MULTIPLE VIEWS IN SOFTWARE ARCHITECTURE 5 pressed as a graph may be seen as a limitation of the approach. Note however that the versatile nature of graphs and the fact that they are uninterpreted makes this translation easier. The uninterpreted nature of our graphs is a major departure with respect to previous work on consistency across specication languages: even if all the views are expressed as graphs, each of these graphs may convey very dierent kind of semantic information. The only restrictions on graphs are expressed through a collection of structural constraints (also called internal consistency rules), which bear, for example on the number of nodes with a given label or the number of edges (or paths) from (and/or to) a given node, etc. We consider inter-view consistency as a local relation between two views 2. This relation is dened using a correspondence relation between the nodes (and edges) of the two views plus structural constraints similar to the internal consistency rules. Our approach, which introduces a clear separation between consistency and conformance, is depicted in Figure 1.2. The potential shortcoming of this local approach (as opposed to the \single formalism mapping approach") is that the number of correspondence relations may grow quadratically (in the worst case) with the number of views. We envision that the number of views will remain low though and the expected benet is a lower complexity and a better understandability of correspondence relations. inter-view concistency relations view 1 view 2... view n internal consistency conformance relations implementation Figure 1.2 Separation of local consistency and conformance Conformance: in our approach, heterogeneity issues are isolated from the denition of consistency for a better separation of concerns. We believe that heterogeneity is better handled as a conformance problem between each view and the actual system. By denition, there is no general solution to this problem since the set of possible frameworks for the denition of view is open-ended and potentially varied. Just to take an example, there is very little in common between the proof that a program satises a given data-ow property and the verication that the 2 Consistency relations involving more than two views can be dened as well, but they didn't turn out to be useful on the examples that we have treated so far.

6 bandwidth of a hardware bus is greater than a given threshold. Furthermore, it should be noted that this conformance process can either be bottom-up (recovering aspects of the architecture from the actual code) or top-down and prescriptive (when a view can be compiled into executable code, thus ensuring, by construction, that the actual system conforms to the view). We have followed the latter approach in the work described in [Holzbacher et al., 1997], which shows how the communication view can be implemented as an eective coordinator. The ideas put forward in this paper are still preliminary and we are currently experimenting them on two case studies: The specication of the security aspects (condentiality, integrity) of the information system of a research center: the dierent views in this case correspond to the services provided by the system: web server, rlogin server, ftp server, etc. The consistency constraints are used to ensure a global coherency of the security policy: for example, \if there is an edge with security level l between two nodes (or sites) n 1 and n 2, there should not exist any path between n 1 and n 2 in which all the edges have a security level strictly less than l". The design of a train control system: the relevant views are the functional view, the distribution view and the physical view. An example of consistency constraint is that the distribution view preserves the data ow of the functional view (which is a path property between the related nodes). It is too early to draw any conclusion from these ongoing experiences but we feel that the approach sketched here is suciently practical to provide useful help in the design of multiple view architectures. Further interesting issues have emerged from these studies; among them let us just mention briey software architecture analysis. The analysis of a software architecture gets more complicated when the properties of interest are non functional. The reason is that they can usually not be characterised by a predicate (they may even be subjective). Instead of providing a yes/no answer, we must return a concise and understandable piece of information that the user can estimate by himself. For example, in the case of a security property, the output of the analysis can be \for such a security breach to be possible, the intruder must be able to spy network N and have access to machine M". References [Allen and Garlan, 1994] Allen, R. and Garlan, D. (1994). Formalizing architectural connection. In Proceedings of the 16th International Conference on Software Engineering, pages 71{80. IEEE Computer Society Press. [Benveniste and Berry, 1991] Benveniste, A. and Berry, G. (1991). The synchronous approach to reactive and real{time systems. IEEE Trans. Autom. Control, 9(79):1270{1282.

MULTIPLE VIEWS IN SOFTWARE ARCHITECTURE 7 [Bourgois et al., 1998] Bourgois, M., Franklin, D., and Robinson, P. (1998). Applying RM-ODP to the Air Trac Management Domain. EATCHiP Technical Document (CSD/architecture), Eurocontrol, Brussels. [Bowman et al., 1996] Bowman, H., Boiten, E., Derrick, J., and Steen, M. (1996). Viewpoint consistency in ODP, a general interpretation. In Najm, E. and Stefani, J.-B., editors, First IFIP International Workshop on Formal Methods for Open Object-Based Distributed Systems, pages 189{204. Chapman & Hall. [Cousot and Cousot, 1979] Cousot, P. and Cousot, R. (1979). Systematic design of program analysis frameworks. In Conference Record of the Sixth Annual ACM Symposium on Principles of Programming Languages, pages 269{282. [Finkelstein et al., 1992] Finkelstein, A., Kramer, J., Nuseibeh, B., Finkelstein, L., and Goedicke, M. (1992). Viewpoints: A framework for integrating multiple perspectives in systems development. International Journal of Software Engineering and Knowledge Engineering, 1(2):31{58. [Holzbacher et al., 1997] Holzbacher, A. A., Perin, M., and Sudholt, M. (1997). Modeling railway control systems using graph grammars: a case study. In Proceedings of the Second Conference on Coordination Models, Languages and Applications, volume 1282 of LNCS, pages 172{186, Berlin. [Kiczales, 1996] Kiczales, G. (1996). Aspect-oriented programming. ACM Computing Surveys, 28(4es):154{154. [Kruchten, 1995] Kruchten, P. B. (1995). The 4 + 1 view model of architecture. IEEE Software, 12(6):42{50. [Loiseaux et al., 1995] Loiseaux, C., Graf, S., Sifakis, J., Bouajjani, A., and Bensale, S. (1995). Property preserving abstractions for the verication of concurrent systems. Formal Methods in System Design, 6(1):1{35. [MacQueen, 1985] MacQueen, D. (1985). Modules for standard ML. Dept. Computer Science, University of Edinburgh. [Mosses, 1996] Mosses, P. D. (1996). A tutorial on action semantics. Technical report, BRICS. Tutorial notes for FME'94 and FME'96. [Radestock and Eisenbach, 1996] Radestock, M. and Eisenbach, S. (1996). Semantics of a Higher-Order Coordination Language. In Ciancarini, P. and Hankin, C., editors, Proceedings of the Conference oncoordination Models, Languages and Applications, volume 1061 of LNCS, pages 339{356. [Shaw and Garlan, 1995] Shaw, M. and Garlan, D. (1995). Formulations and Formalisms in Software Architecture. In Computer Science Today, Recent Trends and Developments, volume 1000 of LNCS, pages 307{323. [Ullman, 1988] Ullman, J. D. (1988). Principles of database and knowledge-base systems, Vol. I. Computer Science Press, Inc., Rockville, MD, USA. [Zave and Jackson, 1993] Zave, P. and Jackson, M. (1993). Conjunction as composition. ACM Transactions of Software Engineering and Methodology, 2(4):379{411.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information