deliverable d38 - resist.isti.cnr.itresist.isti.cnr.it/files/d38.pdf · courses of the second...

ReSIST: Resilience for Survivability in IST

A European Network of Excellence

Contract Number: 026764

Deliverable D38: Resilient Computing Courseware Report Preparation Date: May 2009 (initial version: December 2008) Classification: Public Contract Start Date: 1st January 2006 Contract Duration: 39 months Project Co-ordinator: LAAS-CNRS Partners: Budapest University of Technology and Economics City University, London Technische Universität Darmstadt Deep Blue Srl Institut Eurécom France Telecom Recherche et Développement IBM Research GmbH Université de Rennes 1 – IRISA Université de Toulouse III – IRIT Vytautas Magnus University, Kaunas Fundação da Faculdade de Ciencias da Universidade de Lisboa University of Newcastle upon Tyne Università di Pisa QinetiQ Limited Università degli studi di Roma "La Sapienza" Universität Ulm University of Southampton

3

Deliverable D38: Resilient Computing Courseware

Co-ordinator: Luca Simoncini Contributors in ReSIST: Roberto Baldoni, Cinzia Bernardeschi, Robin Bloomfield, Andrea Bondavalli, Christian Cachin, Miguel Correia, Marc Dacier, Felicita Di Giandomenico, Jean-Charles Fabre, Michael Harrison, Mohamed Kaâniche, Karama Kanoun, Chidung Lac, Giuseppe Lami, Jean-Claude Laprie, Istvan Majzik, Paolo Masci, Philippe Palanque, Andras Pataricza, Holger Pfeifer, Michel Raynal, Luca Simoncini, Lorenzo Strigini, Neeraj Suri, Guillame Urvoy-Keller, Paulo Verissimo, Friedrich von Henke, Helene Waeselynck, Marco Winckler. External contributors: Wolfgang Ahrendt, Paul Ammann, George Candea, Alan Dix, Michael Huth, Ricardo Jimenez-Peris, Johan Karlsson, Marta Patino-Martinez, Amir Pnueli, Luis Rodrigues, Mark Ryan, Kishor S. Trivedi, Udo Voges. Includes material from: Gregory Abowd, Rajeev Alur, Niels Andersen, R. Anderson, Michael Backes, D. Basin, Russell Beale, R. Beraldi, Jonathan P. Bowen, Giorgio Buttazzo, L. Buttyan, Edmund Clarke, Thierry Coquand, George Couloris, Patrick Cousot, Jean Dollimore, J. Finlay, B. Fisher, Emmanuel Fleury, Greg Gagne, Peter Baer Galvin, S. Goldwasser, Rachid Guerraoui, J. Hammerstein, T.A. Henzinger, J.P. Hubaux, J.C. Hunsaker, C. Johnson, N. Jones, J-P. Katoen, Tim Kindberg, D. Kroening, P. Ladkin, Julia Lawall, M. Lyu, Alberto Marchetti Spaccamela, J. Mattson, U. Maurer, C.J. May, A. Menezes, J. Musa, M.J. Neely, J. Offutt, P. van Oorschot, F. Panieri, Gary Perlman, Karlis Podnieks, Bart Preneel, I. Puaut, Ted Ralphs, R. L. Rivest, Kay Robbins, Larry Rudolph, K. Rush, Theo C. Ruys, Avi Silberschatz, D. Schmidt, Nigel Smart, S. Smith, S. Vanstone, Marcel Waldvogel, Laurie Williams. Comments: ReSIST EB Committee, ReSIST T&D Committee.

License: This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

5

Contents: 1. Introduction 7 2. Rationale of the Courseware 9 2.1 Style of the courseware 10 2.2 Organization of the courseware 10 3. Description of Courseware per course with the line of teaching and links to supporting material 13

Course 4.1 Advanced Probability and Statistics 13 Course 4.2 Cryptology and Information Security 14 Course 4.3 Logic in Computer Science 15 Course 4.4 Advanced Graph Theory 16 Course 4.5 Human Factors, Human and Organisational Behaviour 17 Course 4.6 Fundamentals of Real-Time Systems 18 Course 4.7 Fundamentals of Dependability 20 Course 4.8 Computer Networks Security 22 Course 4.9 Resilient Distributed Systems and Algorithms 23 Course 4.10 Dependability and Security Evaluation of

Computer-based Systems 24 Course 4.11 Testing, Verification and Validation 26 Course 4.12 Usability and User Centred Design for Dependable and

Usable Socio-technical Systems 28 Course 4.13 Management of Projects 30 Course 4.14 Middleware Infrastructures for Application Integration 31 Course 4.15 Software Reliability Engineering 32 Application Track on Resilience in Communication Networks 33 Course 4.16.1 IP Networks and Services Resilience 33 Course 4.17.1 Resilience of Mobile Applications 34 Application Track on Safety Critical Systems 36 Course 4.16.2 Development Process and Standards for Safety critical Applications 36 Course 4.17.2 Architectural Issues and Examples of Systems 37 Application Track on Resilience in e-Business 38 Course 4.16.3 Enterprise Security 38 Course 4.17.3 Computer and Network Forensics 38

4. Conclusions 41 Reference to textbooks 43 Appendix A. Freely available courseware material 47

1. Probability and Statistics 47 2. Cryptology and Cryptography 47

6

3. Mathematical Logic 49 4. Dependable Systems 50 5. Distributed Systems 50 6. Software Reliability Engineering 51 7. Security 52 8. Privacy 53 9. HCI and Interactive Systems 53 10. General Topics 54 11. Testing, Verification and Validation 54 12. Real-Time Systems 57 13. Mathematical Programming and Operations Research 57 14. Graph Theory 57 15. Stochastic Network Optimization 57 16. Pattern Recognition Resources 58

Appendix B. Exercises for selected Courses 59 Exercises for Course 4.1 Advanced Probability and Statistics 59 Exercises for Course 4.2 Cryptology and Information Security 61 Exercises for Course 4.3 Logic in Computer Science 63 Exercises for Course 4.4 Advanced Graph Theory 66 Exercises for Course 4.6 Fundamentals of Real-Time Systems 68 Exercises for Course 4.7 Fundamentals of Dependability 70 Exercises for Course 4.8 Computer Networks Security 71 Exercises for Course 4.9 Resilient Distributed Systems and Algorithms 74 Exercises for Course 4.10 Dependability and Security Evaluation of Computer-based Systems 76 Exercises for Course 4.11 Testing, Verification and Validation 80 Exercises for Course 4.12 Usability and User Centred Design for Dependable and Usable Socio-technical Systems 86 Exercises for Course 4.15 Software Reliability Engineering 100

Appendix C. License 103

7

1. Introduction This Deliverable describes the courseware in support to teaching Resilient Computing in a Curriculum for an MSc track following the scheme of the Bologna process. The development of the supporting material for such a curriculum has required a rather intensive activity that involved not only the partners in ReSIST but also a much larger worldwide community with the aim of identifying available updated support material that can be used to build a progressive and methodical line of teaching to accompany students and interested persons in a profitable learning process. The initial activity was related to interviewing all partners in ReSIST and collecting freely available material that could be of interest to the curriculum on Resilient Computing. The 54 collected forms that have been reported in Deliverable D16 contain links to freely available material and the constraints posed for its distribution and use. The 54 forms contained 20 pointers to courseware material, 6 of which are pointing to courseware on slides (in different languages English, French, Italian, Spanish and Hungarian); the majority points to textbooks. After this collection, a worldwide survey on freely available supporting material has started and has brought to the identification of a set of freely available supporting material mainly based on slides and related to courses offered in several Universities and/or International Organizations. An annotated list of such supporting material is in the Appendix. The extension to a wider community has brought to collaboration with EWICS TC7 Subgroup on Education and to the organization of a Joint Workshop on Teaching Resilient Computing, reported in Deliverable D16, and to an Open Training and Dissemination Committee Meeting held in Erlangen on May 3, 2007, explicitly dedicated to courseware. The courseware presented in this Deliverable is composed by the following sets: 1) The set of original ReSIST Courseware (in terms of comprehensive sets of slides) that covers the course of Fundamentals of Dependability in the first semester, all courses of the second semester and the three common courses in the third semester. Exercises to be taken in lab or as homework have been included for a subset of courses. 2) Freely available courseware material, gathered on the web, authorised by the individual authors, (in terms of sets of slides, textbooks and additional material) for the remaining basic courses in the first semester, and 3) Freely available courseware material gathered on the web, authorised by the individual authors, (in terms of sets of slides, textbooks and additional material) for complementing the material indicated in points 1) and 2). All this material is on-line on the official ReSIST web site http://www.resist-noe.org/, can be viewed and downloaded for use in a class and constitutes, at our knowledge, the first, almost comprehensive attempt, to build a database of support material related to Dependable and Resilient Computing. The large group of authors that have been contacted have agreed to maintain updated this material so that its value will not become obsolete with time.

9

2. Rationale of the Courseware The Training and Dissemination Committee and the Executive Board had several discussions on the best way of organizing the supporting material, on the style of presentation and on its profitable use for both types of audience: students in a MSc curriculum in Resilient Computing or interested persons that, through the ReSIST web site and the RKB, may wish to deepen his/her knowledge on specific fields in resilient computing. These discussions took large advantage by many contributions coming from lecturers not in ReSIST who have expertise in teaching topics in dependable and resilient computing and from valuable suggestions from the panel of reviewers of ReSIST. For the first type of users (students) there is a mediator (the lecturer of the single course), and the courses must be organized in a progressive teaching/learning process that requires a strong interaction between students and lecturer(s). In addition, each specific lecturer wishes to maintain his/her autonomy in organizing teaching on the basis of his/her expertise and research interests, still following the lines identified in the curriculum. For the second type of users (interested persons) there is no such mediation and, in absence of a critical selection of material, it is quite likely that he/she is not able to build an individual track of learning out of a huge mass of available material (papers, textbooks, etc.), with consequent difficulty in an effective and efficient individual learning. It was therefore finally decided to produce a full set of slides as original ReSIST support material for some of the most relevant courses in the curriculum. A total number of 1590 slides were produced. The courses identified and the slides producers are: Course 4.7 Fundamentals of Dependability (1st semester) – 111 slides by J-C. Laprie Course 4.8 Computer Networks Security (2nd semester) – 255 slides by P. Verissimo and M. Correia Course 4.9 Resilient Distributed Systems and Algorithms (2nd semester) – 200 slides by P. Verissimo and M. Correia Course 4.10 Dependability and Security Evaluation of Computer-based Systems (2nd semester) – 178 slides by M. Kaâniche, K. Kanoun and J-C. Laprie Course 4.11 Testing, Verification and Validation (2nd semester) – 218 slides by F. von Henke, C. Bernardeschi, P. Masci, H. Pfeifer and H. Waeselynck Course 4.12 Usability and User Centred Design for Dependable and Usable Socio-technical Systems (2nd semester) – 220 slides by P. Palanque, M. Harrison and M. Winckler Course 4.13 Management of Projects (3rd semester) – 74 slides by G. Lami Course 4.14 Middleware Infrastructures for Application Integration (3rd semester) – 201 slides by R. Baldoni, R. Beraldi, G, Lodi, L. Querzoni and S. Scipioni Course 4.15 Software Reliability Engineering (3rd semester) – 133 slides by K. Kanoun These courses take advantage of a comprehensive set of slides (original ReSIST support material), the indication of a set of relevant suggested readings, the identification of textbooks (where important) and a set of links to other complementary material useful to have a wider coverage of the topic. For the other 6 fundamental courses in the 1st semester, it was decided that the freely available material on the web was more than sufficient to cover the teaching needs of any lecturer, while the production of ReSIST material would have either been a mere

10

duplication of material. As well no material has been produced for the examples of Application tracks in the 3rd semester since these are very peculiar to the industrial environment of the country where the curriculum is offered and a greater flexibility has to be maintained, as well as for the possible additional courses and for the seminars in the 4th semester. In addition, exercises to be taken in lab or as homework have been included for a subset of courses. Exercises have been included for the following courses indicating also their producers or origin: Exercises for Course 4.1 Advanced Probability and Statistics (from Trivedi's book) Exercises for Course 4.2 Cryptology and Information Security (from Huth & Ryan's book) Exercises for Course 4.3 Logic in Computer Science (from Preenel's lectures) Exercises for Course 4.4 Advanced Graph Theory(from Even's book) Exercises for Course 4.6 Fundamentals of Real-Time Systems (from Kopetz's book) Exercises for Course 4.7 Fundamentals of Dependability (by Jean-Claude Laprie) Exercises for Course 4.8 Computer Networks Security (by Miguel Correia) Exercises for Course 4.9 Resilient Distributed Systems and Algorithms (by Miguel Correia) Exercises for Course 4.10 Dependability and Security Evaluation of Computer-based Systems (by Mohamed Kaâniche) Exercises for Course 4.11 Testing, Verification and Validation (by Fredrich von Henke, Holger Pfeifer and Helene Waeselynck) Exercises for Course 4.12 Usability and User Centred Design for Dependable and Usable Socio-technical Systems (by Philippe Palanque) Exercises for Course 4.15 Software Reliability Engineering (by Karama Kanoun) All this material is complemented by the other Deliverables developed in ReSIST, like D12 - Resilience-Building Technologies: State of Knowledge, D13 - From Resilience-Building to Resilience-Scaling Technologies: Directions, the set of slides presented at the Summer School in Porquerolles, D39 – Selected Current Practices document, D33- Resilient-Explicit Computing: final, D35 – Resilience Scaling Technologies: final. The integration between the web-site and the RKB adds value to navigation between different information, both educational and informative about the know-how of persons and sites. 2.1 Style of the courseware The common style identified for the courseware is based on: • Providing a short description per each course (textual, web-based and RKB-

based). These descriptions identify the progressive line of teaching/learning; • Providing such descriptions with links or pointers to supporting material (papers,

sections of textbooks, existing hand-outs or slides). The sequence of this material constitutes the most efficient and effective line for a proficient learning process, and is the most valuable added value that ReSIST provides.

2.2 Organization of the courseware With this courseware material produced for the entire curriculum in resilient computing (described also in Deliverable D37), the teaching/learning process can be organized as follows:

11

For students: • Each lecturer will have a comprehensive set of topics to be taught in each course,

and the connections among courses in each semester and between them, with the indication of what is the core material, where to retrieve it or a set of original material that can be directly used in a class;

• Each lecturer will have the autonomy of integrating this set of material with additional supporting material on the basis of his/her experience and/or research activity.

The courseware, in this case, can be organized on a “horizontal” line that is following the sequencing of courses in each semester and progressively span over all the several topics that are included in each semester in the curriculum, following the sequence of semesters. For interested persons on a specific topic: The courseware can also be organized “vertically” on the basis of the specific interests of the user. A possible “vertical” organization can be based on the three main areas of Fault Tolerance, Fault Removal and Fault Forecasting, or, if preferred, on more classical lines as Architectural Design, Verification and Validation, Assessment, etc., or on attributes like Security, Safety, Resilience, etc. In this way each person will be able to deepen his/her knowledge with an individual learning line that identifies the core material to walk through. At the end of the learning path, he/she will also be able to untangle the huge mass of available material that is already collected in the web site and use the references in the RKB to provide useful searches on expert sites or work by individuals in the field. An additional possibility will be the organization of the courseware material on the basis of short general courses for those interested persons who cannot follow a full curriculum, but are interested in the generalities of resilient computing. All the proposed courseware in this Deliverable has been produced by a joint effort of academic and industrial partners in ReSIST.

13

3. Description of Courseware per course with the line of teaching and links to supporting material As detailed in Deliverable D37, the curriculum in Resilient Computing is structured into four semesters over two years. The first semester covers Basics and Fundamentals, offering courses from 4.1 to 4.7 while the second semester covers Methods, Tools and Techniques, offering courses from 4.8 to 4.12. In the second year, the third semester includes three common courses from 4.13 to 4.15 plus two courses peculiar to each Application tracks. The line of teaching/learning for the courses from 4.1 to 4.15 are described in this Section, as well as those for the two courses for each of the three examples of Application tracks on Resilience in Communication Networks, on Safety Critical Systems and on Resilience in e-Business. Course 4.1 Advanced Probability and Statistics This course provides a comprehensive introduction to probability, stochastic processes, and statistics. The content of this course provides an introduction to probability theory, and can be used as the core material for a one-semester introductory course on applied probability theory. A major strength is the use of examples and problems as motivation for the probability concepts. Each part also includes sections on the application of the probability concepts to performance and reliability analysis. “Introduction” provides the motivation and covers the concepts of sample spaces, events and event algebra, probability axioms, combinatorial problems, Bayes rule and Bernoulli trials. On the application side, reliability analysis using block diagrams and fault trees is introduced. Methods of inclusion exclusion, sum of disjoint products and factoring are introduced. Reliability analysis of multistate systems is also presented. “Discrete Random Variables” covers the functions and distributions for discrete random variables. “Continuous Random Variables” covers the functions and distributions for continuous random variables. In addition to the exponential distribution, other continuous distributions, such as the Pareto, log-logistic and defective distributions that are used in reliability theory, are presented. A section on functions of normal random variables is given here which is used later on statistical inference. On the application side, there is a section on reliability and failure rate. “Expectation” covers the topics of moments, transform methods, and inequalities and limit theorems. On the application side, there is a section on computation of Mean Time to Failure for systems with different types of redundancy schemes. “ Conditional Distribution and Expectation” covers the topics of mixture distributions, conditional expectation and random sums. On the application side, there is a section introducing the concept of imperfect fault coverage and its impact on system reliability. “Stochastic Processes” introduces stochastic processes and then presents the following topics: classification of stochastic processes, Bernoulli process, Poisson process, and renewal processes. On the application side, there are sections devoted to availability analysis and a renewal model of program behaviour. Textbooks: The course is based mainly on the 6 first chapters of: K. S. Trivedi: Probability and Statistics with Reliability, Queuing, and Computer Science Applications, Second Edition, John Wiley & Sons, 2002

14

Other readings: S. Ross: Probability Models for Computer Science, Academic Press, 2002, San Diego, CA Links: The course book's webpage at http://www.ee.duke.edu/~kst/ include all material necessary to teach the course. Exercises: see Appendix B (exercises derived from Kishor Trivedi’s book). Course 4.2 Cryptology and Information Security The purpose of this course is to give an up-to-date treatment of the principles, techniques, and algorithms of interest in information security and cryptography. The course presents a broad introduction to information security and cryptology. It focuses on fundamental methods and the principles behind these areas, ranging from mathematical cryptology to formal modelling of security protocols. The basic concepts of modern cryptology are based on computational difficulty; they are modelled using the language of complexity theory. The course introduces one-way functions, pseudorandom functions and collision-free hash functions and shows some fundamental relations between them. Symmetric-key encryption methods like block-ciphers and stream-ciphers can be derived from these building blocks. The course also mentions practical implementations, like the AES block cipher and the SHA family of hash functions, but does not address their internal. The most important area of modern cryptology is public-key cryptosystems. The course presents them in an abstract formulation using trap-door one-way permutations and in concrete form using the RSA and ElGamal cryptosystems and the Diffie-Hellman key agreement protocol. In order to lay the foundation for presenting these cryptosystems, the course also introduces some basic notions of algebra and number theory, including the Euler function. Public-key encryption and hybrid encryption schemes, together with digital signature schemes form the most important part of the course. Methods for secure key distribution in a network, certificates, and public-key infrastructures are also part of the course. The students will gain a sound understanding of the cryptographic mechanisms used in today's computing infrastructure. The course also presents the intriguing concept of zero-knowledge proofs and their application to secure identification protocols and their role in supporting anonymous yet secure interactions in a network. Apart from these cryptographic concepts, the course also introduces the alternative approach to model security protocols using logic and formal-language methods (making the so-called Dolev-Yao abstraction). This part enables the students to reason about security protocols using higher-level abstractions than cryptographic proof methods. Textbooks: The course can be based on material from the following sources: N. Smart: Cryptography, An Introduction (Second Edition), McGraw-Hill, 2007.

15

http://www.cs.bris.ac.uk/~nigel/Crypto_Book/ A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone: Handbook of Applied Cryptography, CRC Press, 1996. http://www.cacr.math.uwaterloo.ca/hac/ Links: Course by Michael Backes at Saarland University, http://www.infsec.cs.uni-sb.de/teaching/SS08/Cryptography/ Course by David Basin at ETH Zürich, http://www.infsec.ethz.ch/education/ss08/infsec08 Course by Elisabeth Oswald and Nigel Smart at University of Bristol, http://www.cs.bris.ac.uk/Teaching/Resources/COMS30124/ Course by Ronald L. Rivest and Shafi Goldwasser at MIT, http://courses.csail.mit.edu/6.857/2008/lecture.html Exercises: see Appendix B (exercises derived from Bart Preenel lectures). Course 4.3 Logic in Computer Science The goal of the course is to present the fundamental notions of logic that are important in computer science. It presents propositional and predicate logic in a natural deduction style (which is used in many interactive theorem provers) with a suggestive box notation for proofs. Completeness theorems for propositional and predicate logic are discussed, but the proofs are sketched only, rather than given in detail. What is important is that the students understand well the meaning and consequences of these completeness theorems. On the other hand, undecidability of predicate logic is presented (using Post systems). The course also presents the basis of temporal logic (LTL and CTL) and model checking. Decidability results are mentioned only. The course discusses the fixed-point semantics of CTL, and the main idea behind checking of CTL formulae with fairness. Textbooks: The course is based mainly on the 3 first chapters of: M. Huth, M. Ryan: Logic in Computer Science, Cambridge University Press http://www.ewidgetsonline.com/cup/widget.aspx?bookid=51/3mLE/ColK5qnmfcLSyg==&buyNowLink=http://sec.ebooks.com/cambridge-add.asp?I=283471&f=3 As additional reading, one can point to the hypertext-book by V. Detlovs, K. Podnieks: Introduction to Mathematical Logic http://www.ltn.lv/~podnieks/mlog/ml.htm Links: The course book's webpage, http://www.cs.bham.ac.uk/research/projects/lics/ offers several materials, among them an interactive tutor for each chapter. A complete set of slides for the whole course, structured in 14 lectures, is available from the web page of the University of Copenhagen's instance of the course (teachers Julia Lawall & Neil Jones), see • http://www.diku.dk/

16

Other places where instances of this course are given, and from where additional teaching material can be downloaded, are: Chalmers University of Technology (teachers Thierry Coquand & Jan Smith) • http://www.cs.chalmers.se/Cs/Grundutb/Kurser/logcs University College London (teacher Jonathan P. Bowen) • http://www.cs.ucl.ac.uk/staff/J.Bowen/GS03/ Many more places where courses based on the book by Huth & Ryan are listed at • http://www.cs.bham.ac.uk/research/projects/lics/adoptions.html Exercises: see Appendix B (exercises derived from Huth and Ryan’s book). Course 4.4 Advanced Graph Theory The purpose of this advanced course is to present the aspects of graph theory beneficial for the design of resilient systems. "Advanced" means here that the basics of graph theory (such as paths, traversals, trees, maximum flow, planarity, basic graph NP-complete problems, etc.) are already known. So, "advanced" is here the "discovery" of concepts that have been recently (or not) introduced in computer science to model problems related to computability, efficiency, or fault-tolerance). Graph theory has long become recognized as one of the most useful mathematical subjects for the computer science student to master. The approach that is natural in computer science is the algorithmic one; the interest is not so much in existence proofs or enumeration techniques, as it is in finding efficient algorithms for solving relevant problems, or alternatively showing evidence that no such algorithms exist. The course is organized into six sections: • Connectivity and traversability: bounded connectivity, regularity, overlay

networks The aim of this section is for students to be able to bypass the notion of spanning tree when they have to build and manage a network that covers another one. • Graph coloring and graph NP-complete problems The notion of graph coloring is for students to better understand and capture optimality notions related to network structures and be able to know if the problem they have to solve is or is not intrinsically expensive (from a time complexity point of view). • Topological graph theory: embeddings, genus and maps The aim is here for the students to be able to associate meaningful “numbers” to the network that support their applications, and exploit these numbers to know noteworthy properties of that underlying network. • Analytic graph theory: random graphs, Ramsey graphs and the probabilistic

approach Random graphs are useful to model a lot of real networks. Knowing the base results associated with such graphs is consequently a prerequisite for mastering the behaviour of the applications running on such networks. • Small-world networks (on grid and uniform topology, Kleinberg's distribution) The small-world phenomenon constitutes now a basic knowledge for the researchers and engineers for whom the underlying network is the object they study. Gossip protocols are among the most famous example of protocols based on small-world results. Textbooks: S. Even: Graph Algorithms, Computer Science Press, 1979. J.L. Gross and J. Yellen (Eds.): Handbook of graph theory, CRC Press, 2003.

17

Links: • Excerpts of the book by Shimon Even can be downloaded at

http://www.wisdom.weizmann.ac.il/~oded/even-alg.html Exercises: see Appendix B (exercises derived from Shimon Even’s book). Course 4.5 Human Factors, Human and Organisational Behaviour The purpose of this course is to present fundamental human and organisational concepts and frameworks that contribute to the “human-in-the-loop” concept in socio-technical systems. This covers three layers of activities:

- Operator level: Human information processing, human perception and human motor capabilities. Human error and failures are also addressed.

- Collaboration level: Communication schemes, collaboration, task allocation and collaboration breakdowns.

- Management level: Organisational aspects of work, task allocation, decision making. Organisational failures and management failures are also covered.

Case studies are used to describe the various levels of failures and a special attention is paid to the notion of task migration and autonomy of systems (design, implementation and assessment of delegating operators’ tasks to a system). The introduction addresses the basic concepts of human factors and also positions these human factors aspects within the bigger picture of collaborative activities within an organisation. There is no pre-requisite for the students on this topic as, in most European countries, “licence” curriculum in computer science does not provide courses on this topic. The cognitive processes chapter presents the human cognitive capabilities for information processing and decision making. It is based on various models of human information processing such as [Wickens 99] [Norman 02] and Interacting Cognitive Subsystems (ICS) [Barnard 85]. It also presents modelling techniques for describing human knowledge and evolution of knowledge according to various activities like experience, training and inactivity. It deals with sensory/perception capabilities, decisions processes and memory functioning. The Skills-Rules-Knowledge (SRK) based model [Rasmussen et al. 94] is used to exemplify the impact of training on operators’ planning of actions. The human performance chapters (Human performance cognitive issues and Human performance physiological issues) address the issues of performance modelling and performance evaluation of operators/users of systems. The aim is to provide a basis for assessing the performance of the (user, system) couple. This addresses not only cognitive processes [Hick 52] but also motor capabilities such as Fitts’s law [Fitts 54] and other human movement prediction laws [Accot & Zhai 97]. The human error chapter presents the basics of human-error principles and human-error assessment techniques. This chapter is based on [Reason 90] and [Reason 97] books and presents several models (including the Domino and Swiss cheese models) and various notations and approaches for human-error assessment such as HEART (Human Error Assessment and Reduction Techniques) or IDA (Influence Diagram Approach). It also addresses management issues and errors that can be related to managerial aspects.

18

The chapter mode confusion and automation surprises makes the connection between human factors aspects introduced in this course and system behaviour at the core of other courses. It concludes this course by showing the importance of globally and systemically accounting for human behaviour and system behaviour. The notion of incident and accident analysis and reporting is introduced in this chapter as another connexion point between human factors aspects and system behaviour [Johnson 03]. Textbooks: [Johnson 03] C. W. Johnson: Failure in Safety-Critical Systems. A Handbook of Accident and Incident Reporting. Available on-line at: http://www.dcs.gla.ac.uk/~johnson/book/ [Norman 02] D. Norman: The design of everyday things, Basic books, 3rd edition, 2002. [Rasmussen 94] J. Rasmussen, M. A. Pejtersen, L. P. Goldstein: Cognitive Systems Engineering. New York, USA, John Wiley and Sons, 1994 [Reason 90] J. Reason: Human Error. 1990. Cambridge University Press. [Reason 97] J. Reason: Managing the Risks of Organizational Accidents, 1997, Aldershot, UK, Ashgate. [Wickens 99] C. D. Wickens and J. G. Hollands: Engineering Psychology and Human Performance. 3rd edition, 1999, Prentice Hall. Papers: [Barnard 85] Barnard, P.J. (1985). Interacting Cognitive Subsystems: A psycholinguistic approach to short term memory. In A. Ellis (Ed.), Progress in the Psychology of Language, Vol. 2, London: Lawrence Erlbaum Associates, 197-258. [Fitts 54] Paul M. Fitts (1954). The information capacity of the human motor system in controlling the amplitude of movement. Journal of Experimental Psychology, volume 47, number 6, June 1954, pp. 381-391. (Reprinted in Journal of Experimental Psychology: General, 121(3): 262--269, 1992). [Hick 52] W. E. Hick. On the rate of gain of information. Quarterly Journal of Experimental Psychology, 4:11-26, 1952. [Accot & Zhai 97] Johnny Accot and Shumin Zhai (1997). Beyond Fitts' law: models for trajectory-based HCI tasks. Proceedings of ACM CHI 1997 Conference on Human Factors in Computing Systems, pp. 295-302. Links: Links to places where parts of this course are taught: • University of Hawaii (US): Human error. See:

http://panko.cba.hawaii.edu/HumanErr/Index.htm • University of California San Diego (US): cognitive engineering. Syllabus

description through this page http://hci.ucsd.edu/102c/ • MIT (US): Human Memory and Learning. Fall 2002. See:

http://ocw.mit.edu/OcwWeb/Brain-and-Cognitive-Sciences/ • Ohio State University (US): An introduction to joint man-machine cognitive

systems. See courseware at http://csel.eng.ohio-state.edu/courses/ise573/ • MIT (US): Human Memory and Learning. See:

http://ocw.mit.edu/OcwWeb/Brain-and-Cognitive-Sciences/ Course 4.6 Fundamentals of Real-Time Systems The purpose of this course is to provide a large overview of fundamental aspects of real-time system architectures and development. This covers scheduling techniques,

19

scheduling analysis including WCET evaluation, design principles of distributed real-time embedded systems, programming distributed real-time applications. Fault tolerance aspects are also addressed, in particular regarding timing faults handling. Examples of real-time executive layers are also presented. The introduction addresses basic concepts concerning real-time applications, real-time environment, and basic notions for real-time task scheduling. Although we assume that students have some basic knowledge and practice in operating systems, a reminder of operating system features should be done, leading the students to acquire basic notions of real-time kernels and microkernels, basic services such as tasks scheduling, resource management, synchronisation, etc. Scheduling in real-time systems is the first major chapter of the course. Several very good textbooks are available and cover all aspects of real-time scheduling, like Giorgio Buttazzo’s book [Buttazzo 2005], but also [Cottet et al. 2002]. The sections of this chapter address the principles and the algorithms for aperiodic and periodic task scheduling, fixed-priority and dynamic priority approaches. This section includes the scheduling of independent tasks but also dependent tasks. Problems related to synchronisation and scheduling, i.e., tasks precedence relationship and tasks sharing critical resources, are part of this section together with solutions (e.g., PIP, PCP). WCET analysis (Worst Case Execution Time analysis) is a major issue to set up an important parameter of schedulability tests. Material can be found in particular in a Special Issue on worst-case execution-time analysis of the Real-Time System journal (May 2000) [RTS 2000]. Beyond the introduction and the objective of WCET evaluation, the chapter must cover both dynamic WCET analysis (including measures, explicit test cases, symbolic state space exploration) but also static WCET analysis (notion of basic blocks, control-flow graphs and call graphs, program flow analysis) [Colin et al. 2003]. Due to the complexity of today’s processor, low-level analysis must be addressed, i.e., caching effects, branch prediction [Colin & Puaut 2000], etc. Examples of measures and tools have to be presented. Design Principles for real-time application, in particular distributed embedded applications, are discussed in this chapter and based on Kopetz’s book [Kopetz 1997]. Clearly real-time systems are distributed (notion of real-time distributed environment). The notion of global time is thus a major issue to be addressed before all in this course. The subsection of this chapter should include modelling of real-time systems and then address fault tolerance issues. Another important part of this chapter concerns real-time communication and networks. Among other examples, the time-triggered protocols and architecture can be presented. Programming distributed real-time systems is clearly a major part of the course that certainly leads to practical classes and student projects. This chapter can usefully be based on several books from Alan Burns and Andy Wellings, e.g., [Burns & Wellings 2001, Wellings 2004]. Beyond, the requirements for programming real-time systems, the chapter addresses first of all concurrent programming. It also covers real-time facilities and deadline scheduling, facilities for interacting with special purpose hardware. Last but not least, it also addresses error-handling facilities in programming languages, and more generally reliability of real-time systems, including fault-tolerance, atomic actions, etc. In practice, illustration can be provided with Real-Time POSIX systems and Real-Time Java. Finally, Real time executive layers must be presented and to some extent used for practical classes and exercises. The students will discover major examples of real-time operating systems and kernels (like RT-LINUX, VxWorks, LynxOS, QNX, etc.), but also real-time middleware (like RT Java, RT-CORBA). Some short overview of open adaptive real-time executives should be addressed, i.e., ExoKernel, Think, 2K, etc.

20

Text books: [Silberschatz 2008] A. Silberschatz, P. Baer Galvin, G. Gagne: Operating Systems Concepts, John Wiley & Sons, 2008, ISBN 0-470-12872-0. [Buttazzo 2005] G. Buttazzo: Measuring the Performance of Schedulability Tests, Journal of Real-Time Systems, Springer Netherlands, Volume 30, N° 1-2, May, 2005, pp.129-154. [Kopetz 1997] H. Kopetz: Real-Time Systems: Design Principles for Distributed Embedded Applications, Series: The Springer International Series in Engineering and Computer Science, Vol. 395, 1997, 356 p., ISBN: 978-0-7923-9894-3. [Burns & Wellings 2001] A. Burns, A. Wellings: Real-Time Systems and Programming Languages (Third Edition): Ada 95, Real-Time Java and Real-Time POSIX, Addison Wesley, March 2001, 611 p., ISBN: 0201729881. [Wellings 2004] A. Wellings: Concurrent and Real-Time Programming in Java, John Wiley & Sons Inc., October 2004, 431 p., ISBN-13: 9780470844373.

Papers: [Colin & Puaut 2000] A. Colin, I. Puaut. Worst Case Execution Time Analysis for a Processor with Branch Prediction. Real-Time Systems, Special issue on worst-case execution time analysis, 18(2): 249-274, April 2000. [Colin et al 2003] A. Colin, I. Puaut, C. Rochange, P. Sainrat. Calcul de majorants de pire temps d'exécution: état de l'art. Techniques et Sciences Informatiques (TSI), 22(5): 651-677, 2003. [RTS 2000] Special issue on worst-case execution-time analysis, Real-Time Systems, Volume 18, Issue 2-3 (May 2000), ISSN:0922-6443, Editors John A. Stankovic (Univ. of Virginia, Charlottesville, USA), Wolfgang A. Halang (FernUniv. Hagen, Germany), Kim-Fung Man (City Univ. of Hong Kong, Hong Kong), Peter Puschner (Technische Univ. Wien, Vienna, Austria) and Alan Burns (Univ. of York, York, U.K.)

Links: Links to places where parts of this course are taught: • Yale University: operating systems concepts. Slides at:

http://www.os-book.com/ • University of York (UK): scheduling and programming. See. :

http://www.cs.york.ac.uk/MSc/Modules/rts.html • Scuola Superiore Santa Anna Pisa (Italy): scheduling and analysis. Courseware (in

Italian) through this page: http://feanor.sssup.it/~giorgio/srt.html • Universidad Politecnica de Madrid (Spain): real-time and applications. See.

http://polaris.dit.upm.es/~jpuente/strl/guia.html • University of Rennes (France): generic course on real-time. Courseware (in

French) through this page: http://www.irisa.fr/caps/people/puaut/puaut.html Exercises: see Appendix B (exercises derived from Hermann Kopetz’s book and Giorgio Buttazzo’s lectures). Course 4.7 Fundamentals of Dependability ReSIST Courseware (111 slides by Jean-Claude Laprie): http://resist.isti.cnr.it/files/corsi/courseware_slides/dependability_fundamentals.pdf The purpose of this course is to give a structured introduction to the concepts of Dependability and to the methods and techniques used for dependable design of

21

systems and for scaling to complex resilient systems. The course is composed of 8 chapters. The first chapter is devoted to the basic concepts and gives the corresponding definitions. The second chapter draws up the stete of the art via statistics. The third chapter addresses the threats to dependability. The three succeeding chapters address the means for dependability: fault removal, fault forecasting, and fault tolerance. The seventh chapter brings together the previous chapters into the development of dependable systems. The last chapter introduces resilience, in the context of ubiquitous computing systems. • Basic concepts and definitions. Attributes of, means for, threats to

dependability. Primary attributes: reliability, availability, safety, integrity, confidentiality, maintainability. Secondary attributes: robustness, survivability, resilience, accountability, authenticity, non-repudiability. Relationship between dependability and security, and between dependability and resilience.

• State of the art from statistics. Importance of dependability in current information infrastructures. Examples of widely publicised failures, evolution of dependability achievements over time, economic impact of failures.

• Threats to dependability. Faults, errors, failures. Definitions and classification. Failure pathology. Respective importances based on statistics (frequency, consequences) of the various classes (physical, development, interaction; accidental, malicious)

• Fault removal. Classification of verification approaches: reviews and inspections, abstract interpretation, theorem proving, model checking, symbolic execution, testing. The cost of verification. Statistics on classes of faults uncovered during development and during operation

• Fault forecasting. Stable vs. evolutive (growing, decreasing) dependability. Measures of dependability. Classification of evaluation approaches: modelling (FMECA, reliability diagrams, fault trees), measurements (operational testing). The case of safety-critical systems.

• Fault tolerance. Basic primitives: error detection (concurrent, pre-emptive), system recovery by error treatment (rollback, rollforward, compensation) and fault treatment (diagnosis, isolation, reconfiguration, reinitialization). Basic schemes: detection-and-recovery, masking-and-recovery. Solid vs. elusive and transient fault tolerance. Distributed fault tolerant systems, and the consensus problem. The notion of coverage and its importance. Examples of fault tolerant systems (Tandem families). Development fault tolerance. Validation of fault tolerance, especially via fault-injection.

• Development of dependable systems. Requirements and specifications. Risk analysis and criticality definition. Relationship between a) criticalities, and b) approaches and methods for dependability.

• From dependability to resilience. Fault and change tolerance. The ubiquitous systems context: dynamic componentisation. Technologies for resilience.

Textbooks: J-C. Laprie et al.: Guide de la sûreté de fonctionnement, Cepaduès Editions,1995 (in French) D. P. Siewiorek and R. Swartz: Reliable Computer Systems, Design and Evaluation, Third Edition, A K Peters, Ltd., 1998 N. Ferguson and B. Schneider: Practical Cryptography, John Wiley &Sons, 2003

22

Papers: A. Avizienis, J-C. Laprie, B. Randell and C. Landwehr: Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE Trans. On Dependable and Secure Computing, Vol.1, n.1, Jan.-March 2004 J.C. Laprie: From Dependability to Resilience, 38th IEEE/IFIP Int. Conf. On Dependable Systems and Networks, Anchorage, Alaska, June 2008, Sup. Vol., pp. G8-G9 Links: • At LAAS-CNRS, courseware available at http://www.laas.fr/TSF/courses/N6K-

ENAC_Global_2006.pdf from Jean-Claude Laprie, and • at http://www.laas.fr/TSF/courses/SEC2007-slides.pdf from Jean-Charles Fabre

offers digests covering the contents of the course. • At EPFL, slides can be found for Principles of Dependable Systems by G.

Candea: http://dslab.epfl.ch/courses/pods/winter06-07/index.html Exercises: see Appendix B (exercises by J-C. Laprie). Course 4.8 Computer Networks Security ReSIST Courseware (255 slides by Paulo Verissimo and Miguel Correia): http://resist.isti.cnr.it/files/corsi/courseware_slides/computer_network.pdf The purpose of the course is to offer a broad overview of computer network security, not only of security building blocks and approaches but also of the existing threats. The course is organized in four parts: fundamental security concepts, paradigms for secure computing and communication, models for secure computing, and secure systems and platforms. The course content follows a spiral of increasing difficulty and detail. The first part of the courses motivates the rest of the course. It starts by presenting why network security is a problem, what are the desirable security properties of a system, and the way a hacker can attack systems. Part 2 introduces the main security paradigms, or building blocks: the TCB, basic cryptography and authentication / key distribution (revision from the previous course on cryptography), access control, and secure communication. The cryptographic topics build on the basic mechanisms introduced in course 4.2. Part 3 uses the security paradigms introduced in part 2 to build more complex models of secure computing. It starts with a presentation of types of attacks and intrusions, introduces security strategies and follows with other topics up to architectural protection (e.g., with firewalls) and intrusion detection. The last part goes one step further the paradigms and models, and presents in detail two important security frameworks and protocols: SSL and IPSec. The courseware slides follow the sequence of the contents of the course. The main support text is Part IV of the book by Verissimo and Rodrigues. The other three recommended books provide additional material. Textbooks: P. Verissimo and L. Rodrigues: Distributed Systems for System Architects, Kluwer, 2001 C. Kaufman, R. Perlman, and M. Speciner: Network Security: Private Communication in a Public World, Second Edition, Prentice Hall W. Stallings: Cryptography and Network Security, (4th Edition), Prentice Hall

23

W. R. Cheswick, S. M. Bellovin, and A. D. Rubi: Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition, Addison Wesley Links: • Institut Eurecom , Security applications in networking and distributed systems. R.

Molva http://www.eurecom.fr/util/coursdetail.fr.htm?id=23 • Institut Eurecom, Operational Network Security. M. Dacier.

http://www.eurecom.fr/util/coursdetail.fr.htm?id=19 Exercises: see Appendix B (exercises by M. Correia). Course 4.9 Resilient Distributed Systems and Algorithms ReSIST Courseware (200 slides by Paulo Verissimo and Miguel Correia): http://resist.isti.cnr.it/files/corsi/courseware_slides/resilient_distributed.pdf The purpose of this course is to prepare the students to understand and design resilient distributed systems and the algorithms underlying those systems. The course presents fault-tolerant systems and algorithms that tolerate not only accidental faults but also malicious faults, being resilient to a wide range of problems. The emphasis is put on systems that tolerate malicious faults. The slides provided as courseware follow the contents of the course. The main bibliography of the course includes two books that provide generic background on architecting and designing secure and fault-tolerant distributed systems and algorithms [Verissimo and Rodrigues 2001, Guerraoui and Rodrigues 2006] and two book chapters that are specifically about resilient distributed systems and algorithms [Verissimo et al 2008, Verissimo et al 2003]. The topics covered in the course can be clustered in four main parts. After a brief introduction (the case for resilience), the first part (introduction to fault and intrusion tolerance) deals with a set of fundamental concepts that are essential for the students to understand what are and how are architected resilient distributed systems. These notions are fundamental for the students to be able to understand and learn the topics in the other parts. The second part presents the main paradigms for resilience building: intrusion detection, self-enforcing vs. trusted third party protocols, threshold cryptography, Byzantine algorithms, resilience to attacks. This part goes beyond the mere concepts and introduces the building blocks of resilient systems. The third part goes one step further by presenting models of resilient systems. It takes the concepts and paradigms introduced in the two previous parts, uses them to present strategies for building resilient systems, and delves into the details of the two main strategies: the use of Byzantine algorithms on fail-uncontrolled models, and the use of Byzantine algorithms on hybrid system models. The final and fourth part puts together the contents of the three previous parts and presents some examples of resilient systems built using these strategies.

Text books: [Verissimo and Rodrigues 2001] P. Verissimo, L. Rodrigues: Distributed Systems for System Architects, Kluwer, 2001. [Guerraoui and Rodrigues 2006] R. Guerraoui, L. Rodrigues: Introduction to Reliable Distributed Programming, Springer, 2006. Papers: [Verissimo et al 2008] P. Verissimo, M. Correia, N. F. Neves, P. Sousa. Intrusion-Resilient Middleware Design and Validation. In Annals of Emerging Research in

24

Information Assurance, Security and Privacy Services, H. Raghav Rao and Shambhu Upadhyaya (eds.), Elsevier, to appear, 2008. [Verissimo et al 2003] P. Verissimo, N. F. Neves and M. Correia. Intrusion-Tolerant Architectures: Concepts and Design, In R. Lemos, C. Gacek, and A. Romanovsky, editors, Architecting Dependable Systems, volume 2677 of Lecture Notes in Computer Science, pages 3–36. Springer-Verlag, 2003.

Links: • Univ. Lisboa: site of the book [Verissimo and Rodrigues 2001]

http://www.navigators.di.fc.ul.pt/dssa/ • EPFL (Switzerland): slides related to the book [Guerraoui & Rodrigues 2006]:

http://www.di.fc.ul.pt/~ler/irdp/teaching.htm • ETH Zurich (Switzerland): slides on security and fault-tolerance in distributed

systems: http://www.zurich.ibm.com/~cca/sft08/ Exercises: see Appendix B (exercises by M. Correia). Course 4.10 Dependability and Security Evaluation of Computer-based Systems ReSIST Courseware (178 slides by Mohamed Kaâniche, Karama Kamoun and Jean-Claude Laprie): http://resist.isti.cnr.it/files/corsi/courseware_slides/dependability_and_security.pdf This course presents the main concepts and techniques that are commonly used to evaluate the dependability and security of computing systems. Both accidental and malicious threats are addressed considering model-based and experimental evaluation approaches. Examples of applications and case studies are presented for illustration. The course is structured into six chapters. The first chapter gives the motivation for evaluating the dependability and security of computing systems, using qualitative and quantitative evaluation approaches. The second chapter defines the metrics generally used for quantifying the dependability attributes (reliability, availability, safety, performability, MTTF, MTTR, MUT, MDT, etc.). The third chapter is devoted to the modelling techniques that are commonly used to evaluate system level dependability metrics based the knowledge of the system architecture and the failure and repair rates associated to its components. Two main modelling techniques are presented: combinatorial (Reliability block diagrams, fault trees) and state-based (Markov chains, Stochastic Petri nets and their extensions). The fourth chapter briefly discusses key issues related to the collection and analysis of the dependability data based on field measurements and controlled experiments (fault injection, etc.). The fifth chapter presents two real life case studies illustrating the application of model based-approaches to support the comparative assessment and selection of system architectures. Finally, the sixth chapter is devoted to the evaluation of computer systems with regards to malicious threats. In particular, it first presents the main challenges to be addressed and state-of-the art techniques and criteria that are traditionally used to assess the security of computer systems. Then, this chapter focuses on experimental

25

approaches based on honeypots that are aimed at collecting and analysing real life attacks observed on the Internet. Textbooks: General background D.P. Siewiorek and R. Swartz: Reliable Computer Systems, Design and Evaluation, Third Edition, A. K. Peters, Ltd, 1998 K. Trivedi: Probability and Statistics with Reliability, Queuing, and Computer Science Applications, 2nd Edition, John Wiley and Sons, New York, 2001. Slides available at http://www.ee.duke.edu/~kst/ M. Ajmone Marsan, G. Balbo, G. Conte, S. Donatelli and G. Franceschinis: Modelling with Generalized Stochastic Petri Nets, John Wiley and Sons. Freely available at: http://www.di.unito.it/~greatspn/bookdownloadform.html N. Provos, T. Holz: Virtual Honeypots — From Botnets Tracking to Intrusion Detection, Addison Wesley, 2007 Dependability modelling J. Arlat, K. Kanoun, J-C. Laprie: Dependability modelling and evaluation of software fault-tolerant systems, IEEE Transactions on Computers, Special Issue on Fault Tolerant Computing, 39 (4), pp.504-513, 1990. J. Bechta-Dugan, S. J. Bavuso and M. A. Boyd: Dynamic fault-tree models for fault-tolerant computer systems, IEEE Transactions on Reliability, 41, pp.363-377, 1992 J-C. Laprie, K. Kanoun: X-Ware reliability and availability modeling, IEEE Transactions on Software Engineering, 18 (2), pp.130-147, 1992 N. Fota, M. Kaâniche, K. Kanoun: Dependability Evaluation of an Air Traffic Control Computing System, 3rd IEEE International Computer Performance & Dependability Symposium (IPDS-98), (Durham, NC, USA), pp. 206-215, IEEE Computer Society Press, 1998. Published in. Performance Evaluation, Elsevier, 35(3-4), pp.253-73, 1999 K. Kanoun, M. Borrel, T. Morteveille and A. Peytavin: Modeling the Dependability of CAUTRA, a Subset of the French Air Traffic Control System, IEEE Transactions on Computers, 48 (5), pp.528-535, 1999 I. Mura and A. Bondavalli: Markov Regenerative Stochastic Petri Nets to model and evaluate the dependability of phased missions, IEEE Transactions on Computers, 50 (12), pp.1337-1351, 2001 W. H. Sanders and J. F. Meyer: Stochastic activity networks: Formal definitions and concepts, Lectures on Formal Methods and Performance Analysis. Lecture Notes in Computer Science 2090, pp.315-343, Springer-Verlag, 2001 M. Kaâniche, K. Kanoun and M. Rabah: Multi-level modelling approach for the availability assessment of e-business applications, Software: Practice and Experience, 33 (14), pp.1323-1341, 2003 C. Betous-Almeida and K. Kanoun: Construction and Stepwise Refinement of Dependability Models, Performance Evaluation, 56, pp.277-306, 2004 M. Kaâniche, P. Lollini, A. Bondavalli, K. Kanoun: Modelling the resilience of large and evolving systems, in International Journal on Performability engineering, vol.4, n°2, pp. 153-168, 2008. Experimental measurements J. Arlat, A. Costes, Y . Crouzet, J.-C. Laprie, D. Powell: Fault Injection for Dependability Evaluation of fault-tolerant systems”, IEEE Transactions on Computers, 42(8), pp. 443-455, 1993

26

P. Koopman, J. DeVale: The exception handling effectiveness of POSIX Operating Systems”, IEEE Trans. on Software Engineering, vol. 26, n°9, 2000 Eric Marsden, Jean-Charles Fabre, Jean Arlat: Dependability of CORBA Systems: Service Characterization by Fault Injection, SRDS-2002, pp. 276-85, 2002 R. Iyer, Z. Kalbarczyck : Measurement-based Analysis of System Dependability using Fault Injection and Field Failure Data, Performance 2002, LNCS 2459, pp.290-317, 2002 D. P. Siewiorek et al. : Reflections on Industry Trends and Experimental Research in Dependability, IEEE transactions on Dependable and Secure Computing, vol.1, n°2, April-June 2004. Security assessment B. Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, D. Wright, J. Dobson, J. McDermid and D. Gollmann: Towards Operational Measures of Computer Security, Journal of Computer Security, 2, pp.211-229, 1993 R. Ortalo, Y. Deswarte and M. Kaâniche: Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security, IEEE Transactions on Software Engineering, 25 (5), pp.633-650, 1999 D. M. Nicol, W. H. Sanders and K. S. Trivedi: Model-based Evaluation: From Dependability to Security, IEEE Transactions on Dependable and Secure Computing, 1 (1), pp.48-65, 2004. F. Pouget, M. Dacier, V.H. Pham: Leurré.com: on the advantages of deploying a large scale distributed honeypot platform, E-Crime and Computer Conference (ECCE’05),29-30 March 2005, Monaco E. Alata, V. Nicomette, M. Kaâniche, M. Dacier and M. Herrb: Lessons Learned from the Deployment of a High-Interaction Honeypot”, in Sixth European Dependable Computing Conference (EDCC-6), (Coimbra, Portugal), pp.39-44, IEEE Computer Society, 2006 Links: • The course book's webpage at http://www.ee.duke.edu/~kst/ include material

related to the course. • Another relevant link is to:

http://www.di.unito.it/~greatspn/bookdownloadform.html on modelling with generalized SPN.

Exercises: see Appendix B (exercises by M. Kaâniche, K. Kanoun, J.C. Laprie). Course 4.11 Testing, Verification and Validation ReSIST Courseware (218 slides by Friedrich von Henke, Holger Pfeifer, Cinzia Bernardeschi, Paolo Masci and Helene Waeselynck): http://resist.isti.cnr.it/files/corsi/courseware_slides/testing.pdf The purpose of this course is an introduction to testing, verification and validation in the design and analysis of systems, and to provide an advanced background on related methods and tools. The course stresses the development of practical skills based on a solid theoretical foundation. The methods and techniques to be presented in the course are those that have proved to be relevant in practice and successful in supporting modelling, specification, analysis and verification of software. These include practical formal techniques and methods for static analysis and validation as well as for testing software systems.

27

The model-checking chapter introduces temporal logics (CTL and LTL) and presents related techniques for model checking [BB et al. 01] [Alur]. The state space explosion problem and practical limits to model checking will be addressed. The theorem proving chapter [RV01] puts emphasis on a theorem prover tool. Additional background knowledge about the logic implemented in the chosen tool will be presented. The theoretical and practical aspects of the tool will be studied. The static program analysis chapter [HNN99] introduces students to classical data-flow analysis [ALSU06] and gives foundations of abstract interpretation theory [CC77, CC79]. The software-testing chapter provides an understanding of testing problems, and covers the major test design techniques. The course offers students a view of structural & functional approaches to testing, mutation analysis and probabilistic test approaches. In support of the course, [B90] [AO08] give a solid technical background on test approaches based on the coverage of models, and [CJ02] provides practical insights into process issues & test-related activities. Textbooks and other References: [ALSU06] A. V. Aho, M. S. Lam, R. Sethi, J. D. Ullman: Compilers: Principles, Techniques, and Tools, Addison-Wesley, 2006. [Alur] Lecture notes on Computer-Aided Verification by Rajeev Alur at University of Pennsylvania, Philadelphia, USA, http://www.cis.upenn.edu/cis673/ [AO08] P. Ammann, J. Offutt: Introduction to Software Testing, Cambridge University Press, 2008 [B90] B. Beizer: Software Testing Techniques, Van Nostrand Reinhold, 1990 (2nd edition) [BB et al 01] Part I of B. Berard, et al.: System and Software Verification – Model-Checking Techniques and Tools, Springer, 2001. [CC77] P. Cousot, R. Cousot: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints, POPL77, pages 238–252, Los Angeles, California, 1977. [CC79] P. Cousot, R. Cousot: Systematic Design of Program Analysis Frameworks, POPL79, pages 269–282, San Antonio, Texas, 1979. [CJ02] R. D. Craig, S. P. Jaskiel: Systematic Software Testing, Artech House, 2002 [K 99] T. Kropf: Introduction to Formal Hardware Verification, Springer, 1999. [HNN99] C. Hankin, F. Nielson, H. R. Nielson: Principles of Program Analysis, Springer, 1999. [RV01] A. Robinson, A. Voronkov (eds.): Handbook of Automated Reasoning, Volume I, North Holland, 2001 Links: • "Computer-Aided Verification", Rajeev Alur at University of Pennsylvania,

Philadelphia, USA, http://www.cis.upenn.edu/cis673/, Slides and draft textbook available

• "Deductive Verification of Reactive Systems", Amir Pnueli at The Weizmann Institute of Science, Rehovot, Israel http://www.wisdom.weizmann.ac.il/~amir/Course02a/header.html, Slides available

• "Test and Verification" Emmanuel Fleury, Kim G. Larsen, Brian Nielsen, Arne Skou at Aalborg University, Denmark http://www.cs.auc.dk/~kgl/TOV04/Plan.html, Slides available

• " Theorem Proving and Model Checking in PVS " Edmund M. Clarke and Daniel Kroening at CMU, Pittsburgh, USA http://www.cs.cmu.edu/~emc/15-820A/

28

Slides available • “System Validation” Theo C. Ruys at University of Twente

http://fmt.cs.utwente.nl/courses/systemvalidation/ Slides available • “Validation and Verification” J.P. Bowen at University College London

http://www.cs.ucl.ac.uk/staff/J.Bowen/GS03/ Slides available • “Abstract Interpretation” Patrick Cousot, Jerome Clarke Hunsaker at MIT

http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www Slides available • "Introduction to software testing " Paul Ammann and Jeff Offutt at George

Mason University http://www.cs.gmu.edu/~offutt/softwaretest/powerpoint/ Slides available

• " Abstract interpretation and static analysis ", David Schmidt at International Winter School on Semantics and Applications, Uruguay, 2003 http://santos.cis.ksu.edu/schmidt/Escuela03/home.html Slides available

Exercises: see Appendix B (exercises by F. von Henke, H. Pfeifer and H. Waeselynck). Course 4.12 Usability and User Centred Design for Dependable and Usable Socio-technical Systems ReSIST Courseware (220 slides by Philippe Palanque, Michael Harrison and Marco Winckler): http://resist.isti.cnr.it/files/corsi/courseware_slides/usability.pdf The purpose of this course is to present usability concepts and frameworks that contribute to the notion of usability of interactive systems [Dix et al. 03]. It also introduces techniques for usability evaluation and the notion of development processes that specifically aim to produce usable systems. Command and control systems are the main application area of this course but additional application domains such as web applications [Scapin et al. 2000a] or graphical user interfaces are also considered. The Introduction addresses the basic concepts of usability by providing definitions and examples as well as the principles underlying this concept. It also introduces the notion of affordances in user interfaces [Norman 02] and some examples of usability problems. The pre-requisite for the students for this topic is limited to the course 4.4. on Human Factors: Human and Organisational Behaviour delivered the first semester. The ergonomic rules and design guidelines chapter presents established theories regarding the ergonomics of user interfaces. It presents how such knowledge is gathered, structured and how tools [Vanderdonckt 95] support their access and organisation [Scapin et al. 2000b]. ISO standards on usability guidelines will also be presented and discusses [ISO 9241]. The chapter also introduces the basics of heuristic evaluation and how user testing is central to the evaluation of usability. The chapter on work analysis and task analysis is dedicated to introducing the notion of work and how users’ and operators’ activities can be analysed and modelled [Diapper & Stanton 04]. It introduces the notions of activity, tasks and scenarios that are critical elements for the understanding of operators at work. Task modelling approaches such as CTT (Concur Task Trees) [Paterno 97], UAN (User Action Notation) [Hix, Siochi & Hartson 90] or GOMS (Goals Operators Methods and Selection rules) [John & Kieras 96] are introduced. Tools, supporting task model edition, simulation and validation are also introduced and their usefulness is shown on various examples and case studies.

29

The chapter on usability evaluation will introduce methods, techniques and tools to support usability evaluation of interactive systems and user interfaces in particular. It will introduce the notion of usability testing and heuristic evaluations [Nielsen 94]. Functioning and setup of usability tests both ecological and within dedicated structures like usability labs will be presented in this chapter. The chapter User centred development processes proposes a broader perspective about usability by presenting the way in which usability-related activities can be related to computer systems. Cost-benefits analysis for usability evaluation [Bias & Mayhew 05] is also presented together with real examples from industrial applications both in the field of safety critical systems and in the field of walk-up and use systems. The last chapter Human factor engineering corresponds to the application of the concepts introduced in course 4.4. Human Factors: Human and Organisational Behaviour. It exploits also the elements from task analysis and task modelling presented in the current course. The objective here is the application of previous concepts with a specific emphasis on allocation of functions and organizational errors. Textbooks: [Norman 02] D. Norman: The design of everyday things, Basic books, 3rd edition, 2002. [Rasmussen et al. 94] J. Rasmussen, M. A. Pejtersen, L. P. Goldstein, (1994): Cognitive Systems Engineering, New York, USA, John Wiley and Sons [Reason 90] J. Reason: Human Error, Cambridge University Press, 1990. [Dix et al. 03] A. Dix, J. Finlay, G. Abowd, R. Beale: Human Computer Interaction, Prentice Hall, 2003 (3rd Edition) [Rosson & Carroll 02] M. B. Rosson, J. M. Carroll: Usability Engineering: Scenario-based Development of Human-Computer Interaction. New York: Morgan Kaufmann Publishers, 2002. [Diapper & Stanton 04] D. Diaper, N. A. Stanton (eds.): The Handbook of Task Analysis for Human-Computer Interaction, edited by Lawrence Erlbaum Associates, 2004 [Nielsen 94] J. Nielsen: Usability Engineering, Morgan Kaufmann, San Francisco, 1994. [Bias & Mayhew 05] R. G. Bias, D. J. Mayhew (eds.): Cost-Justifying Usability, Second Edition: An Update for the Internet Age, Second Edition Morgan Kaufman Papers: [Vanderdonckt 95] J. Vanderdonckt, Accessing Guidelines Information with SIERRA, in Proc. of 5th IFIP TC 13 Int. Conf. on Human-Computer Interaction INTERACT’95 (Lillehammer, 27-29 June 1995), K. Nordbyn, P.H. Helmersen, D.J. Gilmore & S.A. Arnesen (eds.), Chapman & Hall, Londres, 1995, pp. 311-316. [ISO 9241] ISO 9241-11:1998 Ergonomic requirements for office work with visual display terminals (VDTs) -- Part 11: Guidance on usability http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=16883 [Scapin et al. 2000a] D. Scapin, J. Vanderdonckt, CH. Farenc, R. Bastide, CH. Bastien, C. Leulier, C. Mariage, PH. Palanque, Transferring Knowledge of User Interfaces Guidelines to the Web, in Proc. of Int. Workshop on Tools for Working with Guidelines TFWWG'2000, Springer-Verlag, Londres, 2000, pp. 293-303.

30

[Scapin et al. 2000b] D. Scapin, C. Leulier, J. Vanderdonckt, C. Mariage, CH. Bastien, CH. Farenc, PH. Palanque, R. Bastide, A Framework for Organizing Web Usability Guidelines, in Proc. of 6th Conf. on Human Factors and the Web HFWeb'2000 Austin, Ph. Kortum & E. Kudzinger (eds.), University of Texas, Austin, 2000. [Paterno 97] F.Paterno', C.Mancini, S.Meniconi. ConcurTaskTrees: A Diagrammatic Notation for Specifying Task Models, Proceedings Interact'97, Chapman & Hall, July'97, pp. 362-369. [Hartson, Siochi & Hix 90] Hartson, H. R., Siochi, A. C., and Hix, D. 1990. The UAN: a user-oriented representation for direct manipulation interface designs. ACM Transactions on Office Information Systems, 8, 3 (Jul. 1990); [John & Kieras 96] John, B. E. and Kieras, D. E. 1996. Using GOMS for user interface design and evaluation: which technique? ACM Trans. Computer-Human Interaction 3, 4 (Dec. 1996), 287-319 Links: Links to places where parts of this course are taught: • University of Lancaster (UK): Human Computer Interaction. See. :

http://www.hcibook.com/e3/resources/ • ACL SIGCHI (US) Human Computer Interaction lectures. See list of lectures as

well as links to courseware at http://sigchi.org/cdg/index.html • MIT (US) Pervasive Human Centric Computing See courseware at:

http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-883Spring-2006/CourseHome/index.htm

• Human Factors International (US) See certification packages and description. See syllabus at http://www.humanfactors.com/training/usability-training.asp

Exercises: see Appendix B (exercises by P. Palanque). Course 4.13 Management of Projects ReSIST Courseware (74 slides by Giuseppe Lami): http://resist.isti.cnr.it/files/corsi/courseware_slides/project_management.pdf This course has been conceived to be principally taught by frontal lectures in the class room. Some lab or demo sessions can be considered for the third part of the course to experience or show specific automatic tools (some mentioned in the slides). Part 1 of the course is introductive and it doesn’t need any specific comment on how to teach it. Part 2 of the course “Project Management as a Process”, contains the main concepts and the description of what project management is in practice (it contains the what). It should be taught by using an exemplar (real or realistic) project plan document in order to allow the students learn the different phases of a project by understanding the contents and the evolutions of the project plan. Part 3 describe techniques and methods to perform project management in practice (it contains the how). Some specific techniques for performance measurement can be detailed and possibly applied on sample case studies. Part 4 describes the principal activities the requirements engineering process is composed of. The teaching of these activities is to be made by taking into account the Project Management phases described in Part 2. To do that the specific schemes at the end of each requirements engineering phase description shall be used.

31

Textbooks: H. Eisner: Essentials of Project and System Engineering Management, Second Edition. John Wiley and Sons, 2002. J. Taylor: Managing Information Technology Projects, AMACOM Div American Mgmt Assn 2003. IEEE Standard 1490-2003: IEEE Guide Adoption of PMI Standard A Guide to the Project Management Body of Knowledge. M. B. Chrissis, M. Konrad, S. Shrum: CMMI Guidelines for Process Integration and Product Improvement, SEI Series in Software Engineering, 2004. I. Sommerville, P. Sawyer Requirements Engineering: A Good Practice Guide. John Wiley and Sons Ed. 1997. A. Aurum, C. Wohlin Engineering and Managing Software Engineering. Springer Ed. 2005. Links: • University of Sydney – Course “08PPM0334 : Project management - the complete

guide”. http://www.cce.usyd.edu.au/cce/subjectcategory.do?id=000223&subject=000236

• Open University – Course “M865: Project Management” http://www3.open.ac.uk/courses/pdfs/M865.pdf

Course 4.14 Middleware Infrastructures for Application Integration ReSIST Courseware (201 slides by Roberto Baldoni, Roberto Beraldi, Giorgia Lodi, Leonardo Querzoni and Sirio Scipioni): http://resist.isti.cnr.it/files/corsi/courseware_slides/middleware.pdf The purpose of this course is to offer a broad overview of synchronous and asynchronous middleware technologies that can be used to integrate complex software systems with special emphasis on how to guarantee quality of services in basic middleware operations such as event dissemination and service invocation. The course is organized in two parts: synchronous middleware technologies, including Web Services, J2EE and EJB, and asynchronous middleware technologies including publish-subscribe and data distribution service. The course content follows an increasing difficulty approach. The first part of the course shows how historically integration among software systems has been achieved following a synchronous paradigm. Then the focus goes on a key technology: Web Services. How to achieve reliability and security in web services is then considered. Then component based middleware platforms are introduced and the real cases of J2EE and EJB are investigated. At the end of the first part, web service stack on the top of J2EE will be shown to close the circle. The second part introduces students to the notion of asynchronous middleware platforms. Publish-subscribe mechanisms to disseminate events in a distributed system are thoroughly investigated. Particular attention will be devoted to different methods of event routing. Then the DDS technology, a specific publish-subscribe technology, is analyzed and the focus will be on how to guarantee QoS properties in event distribution such as persistence, timeliness and availability. The courseware slides follow the sequence of the contents of the course. The main support texts are the one from Alonso et al. and the one of Tanembaum. Additional material can be retrieved from the web sites of DDS.

32

Textbooks: A. Tanenbaum, M. Van Steen: Distributed Systems, (2nd Edition), Pearson Education, 2007 G. Alonso F. Casati H. Kuno V. Machiraju. Web services: concepts, architectures and applications, Springer Verlag W. Emmerich Engineering distributed objects, John Wiley, 2000 Links: • Università di Roma “La Sapienza”, Distributed System Platforms, (in Italian) R.

Beraldi http://www.dis.uniroma1.it/~beraldi/PSD0708/ • Università di Bologna, Middleware. F. Panzieri

http://courses.web.cs.unibo.it/SistemiMiddleware/MaterialeDiRiferimento Course 4.15 Software Reliability Engineering ReSIST Courseware (133 slides by Karama Kanoun): http://resist.isti.cnr.it/files/corsi/courseware_slides/software_reliability_eng.pdf As software systems are playing an increasing role in real life systems, there is an imperative need for improving software reliability in order to improve system dependability and reduce maintenance cost. Measurement is an important part of the software reliability engineering activities. It is essential for understanding the underlying phenomena, making correlation between observations, identifying weakness, controlling important issues and evaluating software reliability. The purpose of this course is to give a global overview of approaches to software reliability analysis, evaluation and improvement. The course is composed of five chapters. The first chapter gives the motivation for software reliability engeneering, during system development and operational life, including software maintenance. The second chapter is devoted to the methods for software reliability engineering, based essentially on failure and correction data collection, data validation and analysis, as well as descriptive statistics and reliability trend analysis. The third chapter addresses Software dependability evaluation. In particular, it presents a set of reliability growth models and some models in stable reliability, before giving an overview and an example of dependability benchmarks for Off-the-Shelf software components. The fourth chapter is concerned with software reliability improvement approaches and with the maturity of the software development process. Finally the fifth chapter shows the application of the approaches presented in the course to case studies. Textbooks: M. Lyu (Ed.): Handbook of Software Reliability Engineering, McGraw Hill, 1996 available on line: http://www.cse.cuhk.edu.hk/~lyu/book/reliability/ John Musa: Software Reliability Engineering: More Reliable Software Faster and Cheaper, 2nd Edition, September 2004. Papers: K Kanoun, M. R. Bastos Martini, J. Moreira de Souza: A method for software reliability analysis and prediction, application to the TROPICO-R switching system, IEEE Transactions on Software Engineering, N° 4, pp. 334-344, April 1991.

33

J. C. Laprie: For a product-in-a-process approach to software reliability evaluation, Third IEEE International Symposium on Software Reliability Engineering (ISSRE'92), Research-Triangle Park (USA), October 7-10 1992, pp.134-138. John Musa: Operational Profiles in Software-Reliability Engineering, IEEE Software 10 (2), pp. 4-32, 1993. K. Kanoun, M. Kaâniche, J. C. Laprie and S. Metge: SoRel: a tool for reliability growth analysis and prediction from statistical failure data, 23rd IEEE International Symposium on Fault-Tolerant Computing (FTCS'23), Toulouse, France, June 22-24, 1993, pp.654-659. M. Kaâniche, K. Kanoun: Software failure data analysis of two successive generations of a switching system, 12th Int. Conference on Computer Safety, Reliability and Security (SAFECOMP'93), Poznan, Poland, 27-29 October 1993, pp.230-239. K. Kanoun, J. C. Laprie: Software Reliability Trend Analyses: From Theoretical to Practical Considerations, IEEE Transactions on Software Engineering, Vol.20, N°9, pp.740-747, September 1994. K. Kanoun, J.-C. Laprie: Trend Analysis, in Handbook of Software Reliability Engineering, Ed. M. Lyu, Mc Graw Hill, Chapter 10, pp. 401-437, 1996. Freely available at: http://www.cse.cuhk.edu.hk/~lyu/book/reliability/ K. Kanoun: A measurement-based framework for software reliability improvement, Annals of Software Reliability, Vol.11, N°1, pp.89-106, November 2001. K. Kanoun, Y. Crouzet, A. Kalakech, A. E. Rugina: Windows and Linux Robustness Benchmarks With Respect to Application Erroneous Behaviour, in Dependability Benchmarking for Computer Systems, Chapter 12, pp. 277-254. Editors: Karama Kanoun and Lisa Spainhower, IEEE Computer Society and WILEY, August 2008. Links: • OpenSeminar, Software Reliability Engineering, John Musa, Laurie Williams

http://openseminar.org/se/courses/41/modules/206/index/screen.do Exercises: see Appendix B (exercises by K. Kanoun). Application Track on Resilience in Communication Networks Course 4.16.1 IP Networks and Services Resilience Todays' society unavoidably depends on Internet Protocol, the networking protocol suite used in most Internet sites. The large number of security issues and vulnerabilities threaten the confidence users need to have in the networks and services based on this technology, to which they entrust a growing portion of their daily activities' functioning, both in their private and in their professional life. An exhaustive presentation of basic services (e-mail, Web)' resilience (vulnerabilities' identification, countermeasures analysis, …) is the starting point of this course, followed by the description of FTP's threats (banner grabbing and enumeration, brute force password guessing, bounce attacks, …), IP network scanning and VPN security issues. An exploding IP service, VoIP, will be the focus of the second part of this lecture because of its widespread use, and the declared intention of Telcos to replace circuit-switched voice, known to be resilient, with packet-switched voice, a less secure but economical solution, both within the enterprise and at home. After a presentation of VoIP's protocols and architecture, the threats to this type of

34

communication systems will be detailed. This lecture ends with the description of techniques to validate and secure IP networks and services infrastructures. Textbooks: D.C. McNab: Network Security Assessment: Know Your Network, O'Reilly, 2004 T. Porter, J. Kanclirz Jr.: Practical VoIP Security, Syngress, 2006 Links: the contents of this course can be found scattered over the following URLs. • ETHZürich: http://www.infsecmaster.ethz.ch/courses/course_contents#system

"Network security" • University of Cambridge: http://ciutesting.com/ciu/msc-telecom.htm "Network Security" (in Semester 2)

http://www.cambridgeuniv.org.uk/msc_in_telecom.html "Security and optimisation" • University of Maryland: http://www.telecom.umd.edu/current/coursedescriptions - ENTS 650: Network Security - ENTS 689I: Network Immunity • Georges Mason University: http://telecom.gmu.edu/tcom_catalog.html#TCOM 501 - TCOM 545: Reliability and Maintainability of Networks - TCOM 548: Security and Privacy Issues in Telecommunications - TCOM 556: Cryptography and Network Security - TCOM 562: Network Security Fundamentals - TCOM 662: Advanced Secure Networking - TCOM 663: Operations of Intrusion Detection and Forensics - ECE 543: Cryptography and Computer Network Security - INFS 762: Information Security Protocols (formerly known as ISA 662 Internet

Security Protocols) - INFS 766: Internet Security Protocols - INFS 767: Secure Electronic Commerce • Queen Mary University of London: http://www.elec.qmul.ac.uk/study/courses/elem014.html "Security & Authentication" (ELEM014) • University of Sunderland: http://www.sunderland.ac.uk/study/course/867/msc_telecommunications_enginee ring.php"Advanced Network Security" • Swinburne University of Technology: http://courses.swinburne.edu.au/Subjects/ViewSubject.aspx?mi=300&id=5620 "Network Security and Resilience" (HET 317) Course 4.17.1 Resilience of Mobile Applications Security and privacy protection are strong requirements for the widespread deployment of wireless technologies for commercial applications. It is particularly true for mobile computing devices (PDAs, smartphones, …) with focus on multimedia applications. After the study of secure access to wireless networks, vulnerabilities of protocols such as IEEE 802.11 and Bluetooth will be described. It is followed by a presentation of (i) security requirements for mobile multimedia applications, and (ii) network protocols (SIP, SRTP) for secure multimedia streaming services. Due to the nature of wireless media, dynamic network topology, resource constraints, and lack of any base station or access point, security in ad-hoc networks is more challenging than with cabled networks, justifying the study of secure

35

protocols used for this purpose. By combining computing and communications with the surrounding physical environment through information collection using various sensors, pervasive computing eases their transparent use in day-to-day activities. The inherent disadvantages of slow, expensive connections, frequent line disconnections, limited host bandwidth, and location dependent data make this type of computing more vulnerable to various security-related threads: requirements and deployment techniques for pervasive computing form the last topic covered by this course. Textbooks: L. Buttyan, and J.-P. Hubaux, Security and cooperation in wireless networks, Cambridge University Press, 2007 – the corresponding slides can be found at http://secowinet.epfl.ch/index.php?page=slideshow.html K.N. De Randall, C.L. Panos (Eds.): Wireless Security: Models, Threats, and Solutions, McGraw-Hill Professional, 2002 G. Karmakar, L.S. Dooley (Eds.): Mobile Multimedia Communications: Concepts, Applications and Challenges, Idea Group Inc, 2007 Links: the contents of this course can be found scattered over the following URLs. • ETHZürich: http://www.syssec.ethz.ch/education/sown "Security of wireless

networks" • University of Cambridge: http://ciutesting.com/ciu/msc-telecom.htm "Network Security" (in Semester 2)

http://www.cambridgeuniv.org.uk/msc_in_telecom.html "Security and optimisation" • University of Maryland: http://www.telecom.umd.edu/current/coursedescriptions - ENTS 650: Network Security - ENTS 689I: Network Immunity • Georges Mason University: http://telecom.gmu.edu/tcom_catalog.html#TCOM 501 - TCOM 548: Security and Privacy Issues in Telecommunications - TCOM 556: Cryptography and Network Security - TCOM 662: Advanced Secure Networking - TCOM 663: Operations of Intrusion Detection and Forensics - ECE 543: Cryptography and Computer Network Security - INFS 762: Information Security Protocols (formerly known as ISA 662 Internet

Security Protocols) - INFS 766: Internet Security Protocols - INFS 767: Secure Electronic Commerce • Queen Mary University of London: http://www.elec.qmul.ac.uk/study/courses/elem014.html "Security & Authentication" (ELEM014) • University of Sunderland: http://www.sunderland.ac.uk/study/course/867/msc_telecommunications_enginee ring.php"Advanced Network Security" • Swinburne University of Technology: http://courses.swinburne.edu.au/Subjects/ViewSubject.aspx?mi=300&id=5620 "Network Security and Resilience" (HET 317)

36

Links to general telecoms courses: these URLs are provided to help the students following this application track who need a reminder of basic notions in communication systems. • Hong Kong University of Science & Technology: http://www.sengpp.ust.hk/~msc/telecom/05-07/courses.htm#top • Queen Mary U. of London: http://www.elec.qmul.ac.uk/study/msc/msctel.html • Stanford University: http://www.stanford.edu/class/ee360/ • Swinburne U. of Technology:

http://courses.swinburne.edu.au/Courses/ViewCourse.aspx?mi=100&id=21080 • Technical U. of Denmark:

http://www.fotonik.dtu.dk/English/Education/Int_Msc.aspx • Telecom Paris Tech: http://www.telecom-

paristech.fr/en/msci/mobile_communications/ • University College London:

http://www.ee.ucl.ac.uk/students/postgraduate/masters/msctelecoms/courses Application Track on Safety Critical Systems Course 4.16.2 Development Process and Standards for Safety Critical Applications Safety critical applications require special attention to the development process of the software and the system and also awareness of different standards, generic ones as well as application specific ones. Generally, the development process must follow certain rules. Still, different choices are possible. Applicable life cycle models should be introduced and compared. In most application areas, safety critical systems need to be approved by a licensing authority or similar. This requires a strict compliance with recommendations and rules, covering the complete life cycle and including documentation. All tools and methods presented must be in accordance with the related standards. These are first the generic ones, which give an introduction and state general rules. Depending on the application area for which the safety critical system is developed, the related application specific standards need to be used. Within the course, some available and accepted development processes will be described. The influence of licensing / certification on this process will be emphasized. Generic standards as the basic safety standards will be introduced. Depending on the anticipated application area, sector specific standards will be included. Examples of safety critical systems will presented. Textbooks: F. Redmill (ed.): Dependability of Critical Computer Systems - 1 and 2, ISBN 1-85166-203-0 and ISBN 1-85166-381-9. P. Bishop (ed.): Dependability of Critical Computer Systems – 3, Techniques Directory, ISBN 1-85166-544-7. BSI IT Security Guidelines, Bundesamt für Sicherheit in der Informationstechnik 2007. http://www.bsi.bund.de/gshb Generic standards: IEC 61508 “Functional safety of electrical/electronic/programmable electronic safety-related systems”, Parts 0 – 7 (especially Part 3: “Software requirements”) ISO/IEC 12207:1995 “Information technology – Software life cycle processes” IEC 61713:200006 “Software dependability through the software life-cycle processes – Application guide” ISO/IEC 27001:2005 “Information technology -- Security techniques -- Information

37

security management systems – Requirements” ISO/IEC 27002:2005 "Information Technology – Code of Practice for Information Security Management" ISO/IEC 27005:2008 “Information technology -- Security techniques -- Information security risk management ISO/IEC 15408-1:2005 “Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general mode” ISO/IEC 15408-2:2008 “Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional components” ISO/IEC 15408-3:2008 “Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance components” ISO/IEC 18045:2008 “Information technology -- Security techniques -- - Methodology for IT security evaluation” Sector specific standards: IEC 60880 Ed. 2.0: “Nuclear Power Plants - Instrumentation and control systems important to safety - Software aspects for computer-based systems performing category A functions” ISO 14971:2007 “Medical devices – Application of risk management to medical devices” IEC 60601-1-4:1996 “Medical electrical equipment – Part 1-4: General requirements for safety; Collateral standard: Programmable electrical medical systems IEC 62304:2006 “Medical device software -- Software life cycle processes” RTCA DO-178B “Software Considerations in Airborne Systems and Equipment Certification” UK MoD 00-55:1997 “Requirements for safety related software in defence equipment” EN 50128:2001 “Railway applications - Communications, signalling and processing systems - Software for railway control and protection systems” MISRA-C++: "Guidelines for the Use of the C++ Language in Critical Systems", ISBN 978-906400-03-3 (paperback), ISBN 978-906400-04-0 (PDF), June 2008. MISRA-C2: "Guidelines for the Use of the C Language in Critical Systems", ISBN 0 9524156 2 3 (paperback), ISBN 0 9524156 4 X (PDF), October 2004. MISRA: "Development Guidelines for Vehicle Based Software", ISBN 0 9524156 0 7, November 1994. Links: International Electrotechnical Commission (Standardisation body for all electrical, electronic and related technologies): www.iec.ch International Organisation for Standardisation (General standardisation body for business, government and society): www.iso.ch Course 4.17.2 Architectural Issues and Examples of Systems The design and the architecture of systems influence different resilience attributes. Therefore the architecture must be chosen carefully. Within this course, different architectures for systems shall be explained and their influence on the dependability shall be presented. This involves hardware as well as software issues and designs. Different architectures for fault tolerance and failure detection, with fail-safe and fail-operational feature, will be evaluated. Within a network, the communication, the protocols and their implementation are also essential factors. Examples of real systems and their implementation show the importance of architecture decisions.

38

Textbooks: J. L. Hennessy and D. A. Patterson: Computer Architecture: A Quantitative Approach, 2nd Edition, Morgan Kaufmann Publishing Co., Menlo Park, CA. D. A. Patterson and J. L. Hennessy: Computer Organization and Design. The Hardware - Software Interface,. Morgan Kaufmann Publishers, San Francisco, CA Application Track on Resilience in e-Business Course 4.16.3 Enterprise Security The purpose of this course is to offer a broad overview of network defense and countermeasures for E-Business and it is intended to give an introduction to the "best practices" associated with the aforementioned technologies and methodologies. This course addresses the security of e-business and cyber environments from an end-to-end perspective. The information security methodologies of inspection, protection, detection, reaction, and reflection are addressed in detail. Principle of survivability and information assurance will be presented in a technologically independent way. Layered network defence structures will be then illustrated. Methods of risk analysis/assessment and "best practices" associated with evaluating, implementing, and administering hardware and software-based firewalls and Intrusion Detection Systems (IDSes). The course will end describing the process of security in large enterprises to cope with the increasing complexity of regulations including certification, audits, risk management. The courseware slides follow the sequence of the contents of the course. The main support texts are the one from Newman and the one of Ortmeier. Material related to governance and compliance processes in IT enterprises can be found in web sites of major technology providers such as IBM. Additional material can be retrieved from the web sites of telco operators. Textbooks: R. C. Newman: Enterprise Security, Prentice Hall, 2002 P. J. Ortmeier: Security Management, Prentice Hall, 2004 Links: • University of Melbourne, Strategic Security Management. Atif Ahmad.

http://disweb.dis.unimelb.edu.au/staff//atif/home.htm • IBM research, Zurich: http://www.zurich.ibm.com/csc/security/compliance.html Course 4.17.3 Computer and Network Forensics The knowledge of computer and network forensics has become essential in securing today's network-centric computing environment. This new course will give the students both the fundamental knowledge and hands-on practice on computer and network forensics. The added exposure to forensics will enhance the marketability of our students and serve the students who carry the skills and knowledge forward into their future careers. Competence will be obtained in using established forensic methods in the handling of electronic evidence; rigorous audit/logging and date archival practices; prevention, detection, apprehension, and prosecution of security violators and cyber criminals.

39

Computer and network forensics studies cyber-attack prevention, planning, detection, and response with the goals of counteracting cybercrime, cyberterrorism, and cyberpredators, and making them accountable. The topics covered in this course include fundamentals of computer and network forensics, forensic duplication and analysis, network surveillance, intrusion detection and response, incident response, anonymity and pseudonymity, cyber law, computer security policies and guidelines, court report writing and presentation, and case studies. The main support texts are the one from Carrier and the one of Kruse-Heiser. The course will consist of a final project, a presentation of the project itself as well as a written exam. Textbooks: B. Carrier: File System Forensic Analysis, Addison-Wesley, 2005 C. Prosise, K. Mandia: Incident Response: Investigating Computer Crime, Berkeley, California: Osborne/McGraw-Hill, 2001 W. Kruse, J. Heiser: Computer Forensics: Incident Response Essentials, Addison-Wesley, 2002 Phillips, Nelson, Enfinger, Stuart: Guide to Computer Forensics and Investigations, Course Technology, 2006 Links: • Iowa State University, Network and computer forensics. Yong Guan.

http://home.eng.iastate.edu/~guan/course/CprE-536/index.html • University of Idaho Network and computer forensics. Jim Alves-Foss.

http://www.cs.uidaho.edu/CS447.html

41

4. Conclusions Deliverables D37 and D38 constitute the full shaping of a comprehensive MSc Curriculum in Resilient Computing that tackles one of the most challenging goals of ReSIST. In our knowledge it is the first attempt to provide a quite comprehensive database of material that can be used for starting an MSc track on this topic with the indication of the available support material for the best success in the teaching/learning process. Dissemination of the results of this effort to the largest possible number of European (and not only) Universities and promotion for its use will continue after the end of ReSIST. The large convergence on the usefulness of gathering the material and the dedication of people in the community of dependable and resilient computing to maintain updated the material is the best guarantee that this effort will have long lasting benefits to the entire European community of industrialists and academics working in the field. To this aim a Steering Committee has been nominated. It is composed by: Tom Anderson – Newcastle University, UK, Algirdas Avizienis – Vytautas Magnus University, Lithuania, Hugh Glaser – University of Southampton, UK, Jean-Claude Laprie – LAAS-CNRS, Toulouse, France, Brian Randell – Newcastle University, UK and Luca Simoncini – University of Pisa, Italy.

43

Reference to textbooks • V. Aho, M. S. Lam, R. Sethi, J. D. Ullman: Compilers: Principles, Techniques,

and Tools, Addison-Wesley, 2006. • M. Ajmone Marsan, G. Balbo, G. Conte, S. Donatelli and G. Franceschinis:

Modelling with Generalized Stochastic Petri Nets, John Wiley and Sons. Freely available at: http://www.di.unito.it/~greatspn/bookdownloadform.html

• G. Alonso F. Casati H. Kuno V. Machiraju. Web services: concepts, architectures and applications, Springer Verlag

• P. Ammann, J. Offutt: Introduction to Software Testing, Cambridge University Press, 2008

• A. Aurum, C. Wohlin Engineering and Managing Software Engineering. Springer Ed. 2005.

• B. Beizer: Software Testing Techniques, Van Nostrand Reinhold, 1990 (2nd edition)

• B. Berard, et al.: System and Software Verification – Model-Checking Techniques and Tools, Springer, 2001.

• R. G. Bias, D. J. Mayhew (eds.): Cost-Justifying Usability, Second Edition: An Update for the Internet Age, Second Edition Morgan Kaufman

• P. Bishop (ed.): Dependability of Critical Computer Systems – 3, Techniques Directory, ISBN 1-85166-544-7.

• A. Burns, A. Wellings: Real-Time Systems and Programming Languages (Third Edition): Ada 95, Real-Time Java and Real-Time POSIX, Addison Wesley, March 2001, 611 p., ISBN: 0201729881.

• G. Buttazzo: Measuring the Performance of Schedulability Tests, Journal of Real-Time Systems, Springer Netherlands, Volume 30, N° 1-2, May, 2005, pp.129-154.

• L. Buttyan, and J.-P. Hubaux, Security and cooperation in wireless networks, Cambridge University Press, 2007 – the corresponding slides can be found at http://secowinet.epfl.ch/index.php?page=slideshow.html

• B. Carrier: File System Forensic Analysis, Addison-Wesley, 2005 • W. R. Cheswick, S. M. Bellovin, and A. D. Rubi: Firewalls and Internet

Security: Repelling the Wily Hacker, Second Edition, Addison Wesley • M. B. Chrissis, M. Konrad, S. Shrum: CMMI Guidelines for Process

Integration and Product Improvement, SEI Series in Software Engineering, 2004.

• R. D. Craig, S. P. Jaskiel: Systematic Software Testing, Artech House, 2002 • V. Detlovs, K. Podnieks: Introduction to Mathematical Logic

http://www.ltn.lv/~podnieks/mlog/ml.htm • K.N. De Randall, C.L. Panos (Eds.): Wireless Security: Models, Threats, and

Solutions, McGraw-Hill Professional, 2002 • D. Diaper, N. A. Stanton (eds.): The Handbook of Task Analysis for Human-

Computer Interaction, edited by Lawrence Erlbaum Associates, 2004 • A. Dix, J. Finlay, G. Abowd, R. Beale: Human Computer Interaction, Prentice

Hall, 2003 (3rd Edition)S. Even: Graph Algorithms, Computer Science Press, 1979.

• H. Eisner: Essentials of Project and System Engineering Management, Second Edition. John Wiley and Sons, 2002.

• W. Emmerich Engineering distributed objects, John Wiley, 2000 • N. Ferguson and B. Schneider: Practical Cryptography, John Wiley &Sons,

2003 • J.L. Gross and J. Yellen (Eds.): Handbook of graph theory, CRC Press, 2003.

44

• Hankin, F. Nielson, H. R. Nielson: Principles of Program Analysis, Springer, 1999.

• J. L. Hennessy and D. A. Patterson: Computer Architecture: A Quantitative Approach, 2nd Edition, Morgan Kaufmann Publishing Co., Menlo Park, CA.

• M. Huth, M. Ryan: Logic in Computer Science, Cambridge University Press http://www.ewidgetsonline.com/cup/widget.aspx?bookid=51/3mLE/ColK5qnmfcLSyg==&buyNowLink=http://sec.ebooks.com/cambridge-add.asp?I=283471&f=3

• R. Guerraoui, L. Rodrigues: Introduction to Reliable Distributed Programming, Springer, 2006.

• W. Johnson: Failure in Safety-Critical Systems. A Handbook of Accident and Incident Reporting. Available on-line at: http://www.dcs.gla.ac.uk/~johnson/book/

• G. Karmakar, L.S. Dooley (Eds.): Mobile Multimedia Communications: Concepts, Applications and Challenges, Idea Group Inc, 2007

• C. Kaufman, R. Perlman, and M. Speciner: Network Security: Private Communication in a Public World, Second Edition, Prentice Hall

• H. Kopetz: Real-Time Systems: Design Principles for Distributed Embedded Applications, Series: The Springer International Series in Engineering and Computer Science, Vol. 395, 1997, 356 p., ISBN: 978-0-7923-9894-3.

• T. Kropf: Introduction to Formal Hardware Verification, Springer, 1999. • W. Kruse, J. Heiser: Computer Forensics: Incident Response Essentials,

Addison-Wesley, 2002 • J-C. Laprie et al.: Guide de la sûreté de fonctionnement, Cepaduès

Editions,1995 (in French) • M. Lyu (Ed.): Handbook of Software Reliability Engineering, McGraw Hill,

1996 available on line: http://www.cse.cuhk.edu.hk/~lyu/book/reliability/ • D.C. McNab: Network Security Assessment: Know Your Network, O'Reilly,

2004 • J. Menezes, P. C. van Oorschot, and S. A. Vanstone: Handbook of Applied

Cryptography, CRC Press, 1996. http://www.cacr.math.uwaterloo.ca/hac/ • J. Musa: Software Reliability Engineering: More Reliable Software Faster

and Cheaper, 2nd Edition, September 2004. • R. C. Newman: Enterprise Security, Prentice Hall, 2002 • J. Nielsen: Usability Engineering, Morgan Kaufmann, San Francisco, 1994. • D. Norman: The design of everyday things, Basic books, 3rd edition, 2002. • P. J. Ortmeier: Security Management, Prentice Hall, 2004 • A. Patterson and J. L. Hennessy: Computer Organization and Design. The

Hardware - Software Interface,. Morgan Kaufmann Publishers, San Francisco, CA

• Phillips, Nelson, Enfinger, Stuart: Guide to Computer Forensics and Investigations, Course Technology, 2006

• T. Porter, J. Kanclirz Jr.: Practical VoIP Security, Syngress, 2006 • C. Prosise, K. Mandia: Incident Response: Investigating Computer Crime,

Berkeley, California: Osborne/McGraw-Hill, 2001 • N. Provos, T. Holz: Virtual Honeypots — From Botnets Tracking to Intrusion

Detection, Addison Wesley, 2007 • J. Rasmussen, M. A. Pejtersen, L. P. Goldstein: Cognitive Systems Engineering.

New York, USA, John Wiley and Sons, 1994 • J. Reason: Human Error. 1990. Cambridge University Press. • J. Reason: Managing the Risks of Organizational Accidents, 1997, Aldershot,

UK, Ashgate.

45

• F. Redmill (ed.): Dependability of Critical Computer Systems - 1 and 2, ISBN 1-85166-203-0 and ISBN 1-85166-381-9.

• A. Robinson, A. Voronkov (eds.): Handbook of Automated Reasoning, Volume I, North Holland, 2001

• S. Ross: Probability Models for Computer Science, Academic Press, 2002, San Diego, CA

• M. B. Rosson, J. M. Carroll: Usability Engineering: Scenario-based Development of Human-Computer Interaction. New York: Morgan Kaufmann Publishers, 2002.

• D. P. Siewiorek and R. Swartz: Reliable Computer Systems, Design and Evaluation, Third Edition, A K Peters, Ltd., 1998

• A. Silberschatz, P. Baer Galvin, G. Gagne: Operating Systems Concepts, John Wiley & Sons, 2008, ISBN 0-470-12872-0.

• N. Smart: Cryptography, An Introduction (Second Edition), McGraw-Hill, 2007. http://www.cs.bris.ac.uk/~nigel/Crypto_Book/

• I. Sommerville, P. Sawyer: Requirements Engineering: A Good Practice Guide. John Wiley and Sons Ed. 1997.

• W. Stallings: Cryptography and Network Security, (4th Edition), Prentice Hall • A. Tanenbaum, M. Van Steen: Distributed Systems, (2nd Edition), Pearson

Education, 2007 • J. Taylor: Managing Information Technology Projects, AMACOM Div

American Mgmt Assn 2003. • K. S. Trivedi: Probability and Statistics with Reliability, Queuing, and

Computer Science Applications, Second Edition, John Wiley & Sons, 2002 • P. Verissimo and L. Rodrigues: Distributed Systems for System Architects,

Kluwer, 2001 • A. Wellings: Concurrent and Real-Time Programming in Java, John Wiley &

Sons Inc., October 2004, 431 p., ISBN-13: 9780470844373. • D. Wickens and J. G. Hollands: Engineering Psychology and Human

Performance. 3rd edition, 1999, Prentice Hall.

47

Appendix A. Freely available courseware material In this Appendix an annotated list of freely available courseware material is presented. It is the outcome of a survey made worldwide on the web. All material is on-line on the ReSIST web site http://www.resist-noe.org/. The material can be categorized into 16 groups: 1. Probability and Statistics 2. Cryptology and Cryptography 3. Mathematical Logic 4. Dependable Systems 5. Distributed Systems 6. Software Reliability Engineering 7. Security 8. Privacy 9. HCI and Interactive Systems 10. General Topics 11. Testing, Verification and Validation 12. Real-Time Systems 13. Mathematical Programming and Operations Research 14. Graph Theory 15. Stochastic Network Optimization 16. Pattern Recognition Resources 1. Probability and Statistics: Slides for ADVANCED PROBABILITY K. Trivedi: http://www.ee.duke.edu/~kst/ This set of slides is based on the well-known book Probability and Statistics with Reliability, Queuing, and Computer Science Applications, John Wiley and Sons, New York, 2001 by Kishor Trivedi of Duke University. This is the second edition of the book of the same author with the same title published by Prentice-Hall. The book provides a comprehensive introduction to probability, statistics and stochastic processes, and leads the reader to a natural understanding of how these concepts and related methods can be applied in the modelling, analysis and quantitative evaluation of the performance and reliability of systems. The major merit of the book is that its pages contain, in the same readable language, classic material together with recent advancements and achievements distilled from the author’s research activity and experience in the area of the modelling and evaluation of stochastic systems. 2. Cryptology and Cryptography: Slides for CRYPTOLOGY B. Preneel: http://homes.esat.kuleuven.be/~preneel/classes.html This set of slides provides an overview of the state of the art in the design of cryptographic algorithms. It reviews the different type of algorithms for encryption and authentication. The principles are explained of stream ciphers, block ciphers, hash functions, public key encryption algorithms and digital signature schemes. Subsequently the design and evaluation procedures for cryptographic algorithms are discussed. The slides present

48

also several exercises for the reader. The author requests a notification for using such material. Book HANDBOOK OF CRYPTOGRAPHY A. Menezes, P. van Oorschot, S. Vanstone: http://www.cacr.math.uwaterloo.ca/hac/ This site contains the downloadable book for personal use (courtesy of CRC, see copyright notice) Slides for CRYPTOGRAPHY (in Italian) A. Marchetti Spaccamela: http://www.dis.uniroma1.it/%7Ealberto/didattica/critto.html This set of slides is based on the book C Kaufman, R Perlman, M Speciner Network Security, private communication in a public world, 2nd edition, Prentice Hall, 2002. The slides present principle of Cryptography and their application to Network Security. Slides for CRYPTOGRAPHY AND SECURITY (some in German) M. Waldvogel: http://www.inf.uni-konstanz.de/disy/teaching/ss06/kryptographie/ In this site of Universitat Konstanz several presentations on Cryptography and Security can be found; they cover: Cryptographic checksums, Cryptoanalysis, WEP and WPA, VoIP Security, Why Cryptosystems fail, AES, Xbox Security and Trust and Reputation Slides for CRYPTOGRAPHY E. Oswald, N. Smart: http://www.cs.bris.ac.uk/Teaching/Resources/COMS30124/ These slides contain an introduction to cryptography, taught at University of Bristol, UK. Book CRYPTOGRAPHY, AN INTRODUCTION: SECOND EDITION N. Smart: http://www.cs.bris.ac.uk/~nigel/Crypto_Book/ This site contains the downloadable book for personal use (see copyright notice) Slides for CRYPTOGRAPHY M. Backes: http://www.infsec.cs.uni-sb.de/teaching/SS08/Cryptography/ This site contains the slides by Michael Backes of Saarland University. This course is an introduction to modern cryptography. It will introduce cryptography from scratch, i.e., no previous knowledge in cryptography or computer security is required. The list of topics comprises:

• Information-theoretic security and the One-time Pad • Symmetric encryption, stream ciphers, block ciphers, Data Encryption Standard

(DES), Advanced Encryption Standard (AES) • Asymmetric encryption, cryptosystems based on RSA and on the discrete

logarithm problem, Cramer-Shoup encryption • Digital signature schemes • Cryptographic hash functions • Selected cryptographic protocols and their security • Crypto in the "real world" • Basic concepts of advanced cryptographic primitives and current research

topics: bit commitment, zero-knowledge proofs, simulatability, linking formal verification and cryptography

49

Slides for INFORMATION SECURITY D. Basin : http://www.infsec.ethz.ch/education/ss08/infsec08 It is a survey of the principles and methods of information security, along with the discussion of selected applications. This includes the following topics: Foundations of Cryptography, Key Management and Trust, Security Protocols, Access Control and Security Policies, Anonymity and Privacy Access only through username and password Slides for CRYPTOGRAPHY U. Maurer : http://www.crypto.ethz.ch/teaching/lectures/Krypto06/ Access only through username and password Slides for COMPUTER AND NETWORK SECURITY R. L. Rivest, S. Goldwasser : http://courses.csail.mit.edu/6.857/2008/lecture.html Access only through username and password 3. Mathematical Logic: Book MATHEMATICAL LOGIC V. Detlovs, K. Podnieks: http://www.ltn.lv/~podnieks/mlog/ml.htm This is a hyper-textual book that contains all material on principle of mathematical logic, progressing from classical propositional and predicate logic to reach constructive propositional and predicate logic and Kripke semantics. Book LOGIC IN COMPUTER SCIENCE M. Huth, M. Ryan: http://www.ewidgetsonline.com/cup/widget.aspx?bookid=51/3mLE/ColK5qnmfcLSyg==&buyNowLink=http://sec.ebooks.com/cambridge-add.asp?I=283471&f=3 This site contains the online version of the book for personal use (see copyright notice) Slides for LOGIC IN COMPUTER SCIENCE M. Huth, M. Ryan: http://www.cs.bham.ac.uk/research/projects/lics/ It offers several materials, among them an interactive tutor for each chapter. Many more places where courses are based on the book by Huth & Ryan are listed at: http://www.cs.bham.ac.uk/research/projects/lics/adoptions.html Slides for LOGIC IN COMPUTER SCIENCE T. Coquand: http://www.cs.chalmers.se/Cs/Grundutb/Kurser/logcs/index.html The slides present mainly a set of exercises in logic. Slides for LOGIC IN COMPUTER SCIENCE Julia Lawall, N. Jones : http://www.diku.dk/undervisning/2005e/213/ Slides for LOGIC IN COMPUTER SCIENCE N. Adersen, J. Lawall: http://www.diku.dk/undervisning/2004f/202/ This course provides a sound basis in logic and an introduction to the logical frameworks used in modelling, specifying and verifying computer systems. Propositional and predicate logic are detailed, as well as some specialized logics used for reasoning about the correctness of computer systems. A carefully chosen core of

50

essential terminology is introduced; further technicalities are introduced only where they are required by the applications. Numerous examples are given, as well as a full exposition of a fast-growing technique for modelling and verifying computer systems, known as symbolic model checking. 4. Dependable Systems: Slides for PRINCIPLES OF DEPENDABLE SYSTEMS G. Candea: http://dslab.epfl.ch/courses/pods/winter06-07/index.html This course offers advanced students a holistic view of the principles that underlie dependable software-centric computing systems, with an emphasis on large-scale distributed systems and Internet services. Lectures cover techniques for high availability, fault tolerance, monitoring, diagnosis; the course looks at how to achieve high availability through fast recovery and graceful service degradation, as well as techniques that leverage redundancy and replication. The utopia of flawless software is discussed, as well as ways to cope with human operator errors, and metrics for evaluating dependability. Slides for DEPENDABILITY OF COMPUTING SYSTEMS JC. Laprie: http://www.laas.fr/TSF/courses/N6K-ENAC_Global_2006.pdf This set of slides of the master course offered at ENAC-ENSICA contains a full digest of the fundamentals of Dependability. Slides for DEPENDABILITY AND SECURITY JC. Fabre http://www.laas.fr/TSF/courses/SEC2007-slides.pdf This set of slides offers a digest of the concepts of dependability and security and of their interrelationships. 5. Distributed Systems: Slides for DISTRIBUTED SYSTEMS (in Spanish) R. Jimenez-Peris: http://lsd.ls.fi.upm.es/lsd/education/sistemas-distribuidos-fundamentos-y-tecnologia-libre-eleccion-ingenieria-distributed-systems-master-level/ This set of slides covers aspects of distributed computing mainly dedicated to interactive consistency, agreement algorithms, transaction processing, replication as well as presenting several case studies. Slides for DISTRIBUTED SYSTEMS R. Baldoni: http://www.dis.uniroma1.it/%7Ebaldoni/SD.html This set of slides covers the following topics: computational models, point-to-point communication channels, failure detectors, time and distributed algorithms, consensus, consistency and broadcast algorithms, software replication techniques, virtual synchrony. Slides for DISTRIBUTED SYSTEM PLATFORMS R. Beraldi: http://www.dis.uniroma1.it/~beraldi/PSD0708/ This set of slides covers the following topics: communication in distributed systems, introduction to CORBA , CORBA IDL, introduction to objects, publisher/subscriber systems, Java RMI, ambient computing. Slides for MIDDLEWARE SYSTEMS F. Panieri: http://courses.web.cs.unibo.it/SistemiMiddleware/MaterialeDiRiferimento Access only through username and password

51

Slides for DISTRIBUTED SYSTEMS N. Suri: http://www.deeds.informatik.tu-darmstadt.de/teaching/index.html The site of TU Darmstadt contains many slides related to courses offered during the semesters of different years. Book DISTRIBUTED SYSTEMS P. Verissimo, L. Rodrigues: http://www.navigators.di.fc.ul.pt/dssa/ This link points to the book that the authors use for their teaching and contains indirect pointers to interesting sites. Slides for DISTRIBUTED FAULT-TOLERANT ALGORITHMS R. Guerraoui: http://www.di.fc.ul.pt/~ler/irdp/teaching.htm This set of slides is mainly dedicated to extensive analysis of reliable, causal and total order broadcasts, as well as consensus and group membership and shared memory. Slides for DISTRIBUTED FAULT-TOLERANT AND SECURE ALGORITHMS C. Cachin: http://www.zurich.ibm.com/~cca/sft06/ These slides contain the lectures given at ETH Zurich on Security and Fault-Tolerance in Distributed Systems. Slides for DISTRIBUTED SYSTEMS G. Couloris, J. Dollimore, T. Kindberg: http://www.dcs.qmw.ac.uk/research/distrib/dsbook/ This site is based on the book Distribute Systems: Concept and Design, Addison-Wesley, 1994 by G. Couloris, J. Dollimore, T. Kindberg. The interesting thing is that the Instructors Guide, in addition to slides related to the book, includes a line of use of the material (Presentation points) that discuss the objectives of section, the points to emphasize, the possible difficulties and the teaching hints. 6. Software Reliability Engineering: Slides for SOFTWARE RELIABILITY ENGINEERING J. Musa: http://openseminar.org/se/courses/41/modules/206/index/screen.do Reliability is the probability that a system functions correctly, in a given environment over a given amount of time. Some aspects of reliability are availability, correctness, safety, operational usability, etc. Software reliability engineering is the study of operational profiles to determine the best areas to test by estimating the components that will be used the most by the customer and testing those components first.

There are several phases of software reliability engineering. The first is to define the product by looking at the customers, users, external suppliers, and certifying external software. The second step is to implement the operational profiles, which involves looking at system components and determining the probability of their use. Third, the failure intensity object is determined. Fourth, the test cases are created that fit the operation profile and are within the bounds of the failure intensity object. Lastly, reliability data is tracked so that future estimates will be more accurate. The set of slides and presentations covers all topics listed earlier. Book HANDBOOK OF SOFTWARE RELIABILITY ENGINEERING M. Lyu: http://www.cse.cuhk.edu.hk/~lyu/book/reliability/index.html This site contains the downloadable book for personal use (see copyright notice)

52

7. Security: Slides for SECURITY L. Williams, S. Smith: http://openseminar.org/se/modules/44/index/screen.do Software security is important, especially in distributed systems, to protect the integrity of the information stored and used by a software system. Questions about security requirements should be asked of the customers during requirements solicitation. The best practice for providing a secure system to customers is to ensure that security concerns are provided for upfront, and during all phases of development. Adding security features to an application, after development of the main functionality is complete, is difficult. The set of slides and presentations covers all topics listed earlier. Slides for SECURITY AND FAULT TOLERANCE C. Cachin: http://www.zurich.ibm.com/~cca/sft06/ http://www.zurich.ibm.com/~cca/sft08/ According to Lamport, a distributed system is one where the crash of a computer that you've never heard of stops you from getting any work done. This course presents methods for building dependable and secure distributed systems. The emphasis is on fault-tolerant and distributed cryptographic protocols. Topics include group communication, failure detectors, reliable broadcast protocols, distributed cryptography, threshold cryptosystems, Byzantine agreement, quorum systems, and replication. Applications to cluster computing, Internet services, and storage systems are also presented. The course introduces principles and fundamental methods, and shows how they are applied to real-world systems. Book DEFENCE IN DEPTH: FOUNDATIONS FOR SECURE AND RESILIENT IT ENTERPRISES C.J. May, J. Hammerstein, J. Mattson, K. Rush: http://www.sei.cmu.edu/pub/documents/06.reports/pdf/06hb003.pdf This site contains the downloadable book for personal use (see copyright notice) Book SECURITY ENGINEERING R. Anderson: http://www.cl.cam.ac.uk/~rja14/book.html This site contains the downloadable book for personal use (see copyright notice) Slides for DEPENDABILITY AND SECURITY JC. Fabre http://www.laas.fr/TSF/courses/SEC2007-slides.pdf This set of slides offers a digest of the concepts of dependability and security and of their interrelationships. Slides for SECURITY in WIRELESS NETWORKS L. Buttyan, J.P. Hubaux http://secowinet.epfl.ch/index.php?page=slideshow.html This set of slides is derived by the book of the same authors Security and Cooperation in Wireless Networks, Cambridge University Press, ISBN 9780521873710. Please note copyright notice.

53

8. Privacy: Slides for PRIVACY L. Williams, S. Smith: http://openseminar.org/se/modules/45/index/screen.do Privacy concerns can arise due to security problems or questions about why certain information is gathered by a website or application. Privacy issues for users of all levels must also be addressed as early in development as the requirements phase, with an emphasis on whom has access to certain information and what will be done with the information. A system should be created that only stores the minimal amount of personal information about a person required to complete a given function. The set of slides and presentations covers all topics listed earlier. 9. HCI and Interactive Systems: Slides for HUMAN-MACHINE INTERACTION (in French) P. Palanque: http://resist.ecs.soton.ac.uk/wiki/images/1/10/designrationale.pdf http://liihs.irit.fr/palanque/Ps/MasterHM-IntroHCIPalanque.pdf Learn how to systematically consider various options while analyzing, designing and implementing interactive systems. Learn the underlying concepts of rationalizing and structuring argumentation during the various phases of the development process of interactive systems Learn how to organize models and designs in order to provide traceability of the analysis, design and implementation choices. Slides for INTERACTIVE SYSTEMS (in French) P. Palanque: http://resist.ecs.soton.ac.uk/wiki/images/b/b9/interactivesystemsengineering.pdf Learn the specificities of the development of interactive systems. These specificities are explained with respect to the development process, the notation and the implementation. Basic introduction to Visual Basic 6.0 is given as it proves to be a very efficient tool for high fidelity prototyping of standard interactive systems. Slides for HUMAN-MACHINE INTERACTION ACM SIG on HCI: http://sigchi.org/cdg/index.html These slides gather a large set of lectures on HCI and human factors mainly in the US. This set of courses has been gathered and organised by the ACM Special Interest Group on HCI. Slides for HUMAN INTERFACES and USABILITY U. Texas at San Antonio: http://vip.cs.utsa.edu/classes/cs6693s2006/lectures/index.html The slides contain a set of lectures held at UTSA. Slides for HUMAN-COMPUTER INTERACTION A. Dix, J. Finlay, G. Abowd, R. Beale: http://www.hcibook.com/e3/resources/ This site contains the slides related to the content of the book Human-Computer Interaction, Prentice-Hall, 2004 by Alan Dix, Janet Finlay, Gregory Abowd and Russell Beale

54

Slides for PERVASIVE HUMAN CENTRIC COMPUTING MIT OpenCourseware: http://ocw.mit.edu/OcwWeb/Electrical-Engineering-and-Computer-Science/6-883Spring-2006/CourseHome/index.htm This course is broad, covering a wide range of topics that have to do with the post-pc era of computing. It is a hands-on project course that also includes some foundational subjects. Students will program iPAQ handheld computers, cell phones (series 60 phones), speech processing, vision, Cricket location systems, GPS, and more. Most of the programming will be using Python®, but Python® can be learned and mastered during the course. This course features a partial set of lecture notes and a list of readings. In addition, sample quiz questions are available in the exams section. Book FAILURE IN SAFETY-CRITICAL SYSTEMS: A HANDBOOK OF ACCIDENT AND INCIDENT REPORTING C. Johnson: http://www.dcs.gla.ac.uk/~johnson/book/ This site contains the downloadable book for personal use (see copyright notice) 10. General Topics: From the Computer Science Teaching Centre: http://csta.villanova.edu/CITIDEL/ CITIDEL, the Computing and Information Technology Interactive Digital Educational Library, now accesses over 480,000 entries. CSTC is one of CITIDEL's source collections. CITIDEL is the computing educational portal to the NSDL, the National Science Digital Library. It contains a huge repository of reviewed teaching material on all aspects of Computer Science, including topics related to resilient computing. It may be searched by alphabetical listing, by titles, by authors, by subjects, and by date. Videos from UC Berkeley: http://video.google.com/ucberkeley.html This site contains a set of videos of University of Berkeley. They cover many aspects of Science and Humanities. Of interest for this report what is presented at: http://video.google.com/videosearch?q=owner%3Aucberkeley+is141&page=1&so=1 on Information Systems. 11. Testing, Verification and Validation: Slides for COMPUTER-AIDED VERIFICATION R. Alur: http://www.cis.upenn.edu/cis673/ The course introduces the theory and practice of formal methods for the design and analysis of concurrent and embedded systems. The emphasis is on the underlying logical and automata-theoretic concepts, the algorithmic solutions, and heuristics to cope with the high computational complexity. Topics include: Models and semantics of reactive systems: states vs. events, nondeterminism vs. concurrency, synchrony vs. asynchrony, safety vs. liveness, refinement preorders, real-time and hybrid systems, open systems. Verification algorithms: temporal logic model checking, theory of omega automata, games, minimization. Verification techniques: symbolic model checking, on-the-fly model checking, state space reduction methods, compositional and hierarchical reasoning, abstraction and refinement.

55

Book COMPUTER-AIDED VERIFICATION R. Alur, T.A. Henzinger: http://www.cis.upenn.edu/~alur/CIS673/index.html This site contains the downloadable book for personal use (see copyright notice) Slides on Topics on VERIFICATION A. Pnueli: http://www.wisdom.weizmann.ac.il/~amir/ This course concentrates on methods for the verification of reactive systems. The course starts by reviewing the basic models and algorithmic processes for model checking of reactive systems. Next, the course extends the models and verification techniques to handle infinite-state systems, using the techniques of deductive verification. Slides for DEDUCTIVE VERIFICATION OF REACTIVE SYSTEMS A. Pnueli: http://www.wisdom.weizmann.ac.il/~amir/Course02a/header.html This course will present methods for the deductive verification of reactive systems, i.e., proving that reactive systems satisfy their specification, given by temporal logic formulas, using deductive (i.e., theorem proving) methods. Unlike model checking, deductive verification is not restricted to finite-state systems and can handle unrestricted programs with rich data-structures. On the other hand, these techniques are not fully automatic and require user interaction and ingenuity in the design of auxiliary constructs such as invariants and ranking functions and, at a later stage, the effective guidance of a theorem-proving tool. Slides for TEST AND VERIFICATION E. Fleury et al.: http://www.cs.auc.dk/~kgl/TOV04/Plan.html The focus of this course is on techniques and software-tools that can be used to assess the quality and correctness of software systems. The first part of the course considers tools and techniques for formal verification of system designs. The last part of the course considers tools and techniques for testing system implementations. Book CAUSAL SYSTEM ANALYSIS P. Ladkin: http://www.rvs.uni-bielefeld.de/publications/books/ComputerSafetyBook/index.html This site contains the downloadable book for personal use (see copyright notice) Book CONCEPTS, ALGORITHMS, AND TOOLS FOR MODEL CHECKING J-P. Katoen: http://www.cs.aau.dk/~kgl/VERIFICATION99/katoen2.ps This site contains the downloadable book for personal use (see copyright notice) Slides for VALIDATION AND VERIFICATION J. P. Bowen: http://www.cs.ucl.ac.uk/staff/J.Bowen/GS03/ The course will train students in the principles and techniques of validating and verifying complex software systems. The training will be at an intellectually demanding level and will cover not only the state-of-the practice in validation and verification, but also the most significant trends, problems and results in validation and verification research. These slides concentrate mainly on testing aspects and on formal methods aspects.

56

Slides for THEOREM PROVING AND MODEL CHECKING IN PVS E. Clarke, D. Kroening: http://www.cs.cmu.edu/~emc/15-820A/ This course will cover a number of techniques that have proven to be useful in verifying software and hardware systems including temporal logic, model checking, BDDs, fast SAT procedures, and theorem proving. The focus of the course will be on the PVS theorem prover / model checker developed at SRI (and widely regarded as the most powerful tool in its class). Students will learn how to use PVS for hardware and software verification. Some of the basic decision procedures used in PVS for theorem proving and model checking will be presented. The course will conclude with a discussion of the limitations of PVS for software and hardware verification and how a tool might be constructed that would be more powerful. Slides for SYSTEM VALIDATION T. C. Ruys: http://fmt.cs.utwente.nl/courses/systemvalidation/ The complexity of software and hardware systems is rapidly increasing and so is their vulnerability with respect to errors. This course is focused on validation techniques and methods to assess the correctness and dependability of information- and communication technology (ICT) systems. The emphasis is on model checking, an automated and very successful validation technique. Close attention will be paid to the model checker SPIN. The central theme of this course is model-checking algorithms for the automated analysis of concurrent software. Besides the basic algorithmic principles, considerable attention will be devoted to optimization techniques that make model checking a verification approach of industrial relevance. Finally, algorithms and software tools will be treated that are aimed at the verification of Java and C++ programs.

Slides for ABSTRACT INTERPRETATION P Cousot, J. C. Hunsaker http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www Abstract Interpretation is a theory of approximation of mathematical structures, in particular those involved in the semantic models of computer systems. Abstract interpretation can be applied to the systematic construction of methods and effective algorithms to approximate undecidable or very complex problems in computer science such that the semantics, the proof, the static analysis, the verification, the safety and the security of software or hardware computer systems. In particular, abstract interpretation-based static analysis, which automatically infers dynamic properties of computer systems, has been very successful these last years to automatically verify complex properties of real-time, safety critical, embedded systems. The course is an introduction to abstract interpretation with application to static analysis (the automatic, compile-time determination of run-time properties of programs) and software verification (conformance to a specification). Slides for ABSTRACT INTERPRETATION David Schmidt : http://santos.cis.ksu.edu/schmidt/Escuela03/home.html A static analysis finitely analyzes a program in advance of the program's execution and extracts information useful for program transformation or program-correctness proofs. Abstract interpretation is a foundational framework that can justify the correctness of a static analysis. Many elegant static analyses are synthesized from the abstract interpretations that justify their correctness. This series of lectures introduces abstract interpretation and applies it to static analysis. Standard formats of static analysis are presented, and abstract interpretations are used to synthesize both

57

abstract-operational- and abstract-denotational-semantics definitions and as well as logics and models for temporal-logic model checking.

Slides for SOFTWARE TESTING P. Ammann, J. Offutt: http://cs.gmu.edu/~offutt/softwaretest/powerpoint/ This course is about concepts and techniques for testing software and assuring its quality. Topics cover software testing at the unit, module, subsystem, and system levels, automatic and manual techniques for generating and validating test data, testing process, static vs. dynamic analysis, functional testing, inspections, and reliability assessment. The course makes it explicit that all test approaches fundamentally rely on four categories of models to be covered: graphs, logical expressions, input domain characterization and syntactic structures. 12. Real-Time Systems: Slides for OPERATING SYSTEMS CONCEPTS Avi Silberschatz, Peter Baer Galvin, Greg Gagne : http://www.os-book.com/ This set of slides covers the full topic of Operating Systems with a large part dedicated to real-time systems. Slides for REAL-TIME SYSTEMS (in Italian) G. Buttazzo: http://feanor.sssup.it/~giorgio/srt.html This set of lectures introduces the topic of real-time systems and the problems related to scheduling algorithms. Slides for REAL-TIME SYSTEMS (in French) I. Puaut: http://www.irisa.fr/caps/people/puaut/puaut.html These slides contain a generic course on real-time systems. 13. Mathematical Programming and Operations Research: Slides for INTRODUCTION TO MATHEMATICAL PROGRAMMING T. Ralphs: http://www.lehigh.edu/~tkr2/teaching/ie406/ This courseware from Ted Ralphs of Lehigh University offers a comprehensive material for optimization problems. Slides for OPERATIONS RESEARCH from tutOR U. Melbourne: http://www.tutor.ms.unimelb.edu.au/frame.html This site contains a collection of web-based, online tutorial modules. 14. Graph Theory: Book GRAPH ALGORITHMS S. Even: http://www.wisdom.weizmann.ac.il/~oded/even-alg.html This site contains downloadable excerpts of the book for personal use (see copyright notice) 15. Stochastic Network Optimization M.J. Neely: http://www-rcf.usc.edu/~mjneely/stochastic/ The page links to papers in the area, and is intended as a resource for researchers and practitioners.

58

16. Pattern Recognition Resources B. Fisher: http://homepages.inf.ed.ac.uk/rbf/IAPR/ This web site contains links to resources that can support students, researchers and staff. The most important resources are for students, researchers and educators. These include lists with URLs to: - Tutorials and surveys - Explanatory text - Online demos - Datasets - Book lists - Free code - Course notes - Lecture slides - Course reading lists - Coursework/homework - A list of course web pages at many universities

59

Appendix B. Exercises for selected Courses In this Appendix the exercises for a selected subset of courses are shown. Exercises for Course 4.1 Advanced Probability and Statistics (exercises derived from Kishor Trivedi’s book). Exercise 1 Use axioms of the algebra of events to prove the relations:

Α∪Α = Α A∪S = S A∩∅ = ∅ Α∩(Α∪Β) = Α

Exercise 2 Consider a pool of six I/O buffers. Assume that any buffer is just as likely to be available (or occupied) as any other. Compute the probabilities associated with the following events:

A = “at least 2 but no more than 5 buffers occupied” B = “at least 3 but no more than 5 occupied” C = “all buffers available or an even number of buffers occupied”

Also determine the probability that at least one of the events A, B, and C occurs. Exercise 3 Three couples (husbands and wives) must sit around a table in such a way that no husband is placed next to his wife. How many configurations exist? If seats are occupied at random, what is the probability of such a configuration? Exercise 4 A certain firm has plants A, B, and C producing respectively 35%, 15%, and 50% of the total output. The probabilities of a nondefective product are, respectively, 0.75, 0.95, and 0.85. A customer receives a defective product. What is the probability that it came from plant C? Exercise 5 An application requires that at least two processors in a multiprocessor system be available with more than 95% probability. The cost of a processor with 60% reliability is 1000 Euros, and each 10% increase in reliability will cost 800 Euros. Determine the number of processors (n) and the reliability (p) of each processor (assume that all processors have the same reliability) that minimizes the total system cost. Exercise 6 The probability of error in the transmission of a bit over a communication channel is p = 10-4. What is the probability of more than three errors in transmitting a block of 1000 bits? Exercise 7 Compute the pmf and the CDF of max{X,Y} where X and Y are independent random variables such that X and Y are both Poisson distributed with parameter α.

60

Exercise 8 The failure rate of a certain component is h(t) = λ0t, where λ0 > 0 is a given constant. Determine the reliability R(t), of the component. Repeat for h(t) = λ0t1/2. Exercise 9 Show that the failure rate h(t) of the hypoexponential distribution has the property

limt→+∞ h(t) = min {λ1, λ2}

Exercise 10 A system with three independent components works correctly if at least one component is functioning properly. Failure rates of the individual components are λ1 = 0.0001, λ2 = 0.0002, and λ3 = 0.0004 (assume exponential lifetime distributions).

(a) Determine the probability that the system will work for 1000 hours. (b) Determine the density function of the lifetime X of the system.

Exercise 11 The time to failure T of a device is known to follow a normal distribution with mean µ and σ = 10000 H. Determine the value of µ if the device is to have a reliability equal to 0.90 for a mission time of 50000 h. Exercise 12 A program has potentially N distinct input data sets indexed from 1 to N. Suppose the program is run on n randomly chosen data sets with repetition allowed. Let X be the largest index out of the n data sets used. Derive the pmf and the expected value of X. Assume that each of the N data sets is equally likely. Exercise 13 A CPU burst of a task is exponentially distributed with mean 1/m. At the end of a burst, the task requires another burst with probability p and finishes execution with probability 1- p. Thus the number of CPU bursts required for task completion is a random variable with the image {1, 2, …}. Find the distribution function of the total service time of a task. Also compute its mean and variance.

61

Exercises for Course 4.2 Cryptology and Information Security (exercises derived from Bart Preenel lectures). Exercise 1 Decrypt the following text from “The Diary of Samuel Marchbanks” by Robertson Davies (Hint F decrypts to w): EMGLOSUDCGDNCUSWYSFHNSFCYKDPUMLWGYICOXYSIPJCK QPKUGKMGOLICGINCGACKSNISACYKZSCKXECJCKSHYSXCG OIDPKZCNKSHICGIWYGKKGKGOLDSILKGOIUSIGLEDSPWZU GFZCCNDGYYSFUSZCNXEOJNCGYEOWEUPXEZGACGNFGLKNS ACIGOIYCKXCJUCIUZCFZCCNDGYYSFEUEKUZCSOCFZCCNC IACZEJNCSHFZEJZEGMXCYHCJUMGKUCY This ciphertext has been created with a substitution cipher, where each letter has been replaced by another letter in the alphabet (for example A decrypts to x, B to I, C to o, D to y, etc. - note that this is just an example; this exercise uses a different key). Exercise 1 (continued) Such a cipher can be broken by analyzing the frequency distribution of the characters in the ciphertext. For example, if an ‘e’ encrypts to a ‘Z’, one expects to see many more ‘Z’s in the ciphertext, because ‘e’ is a very common letter. One observes that in English: • the letter e has a probability of about 0.12 • t, a, o, i, n, s, h, r have a probability between 0.06 and 0.09 • d and l have a probability of about 0.04 • c, u, m, w, f, g, y, p, b have a probability between 0.015 and 0.028 • v, k, j, x, q, z have probabilities less than 0.01 One can also look at combinations of 2 letters (digrams) and 3 letters (trigrams). The 30 most common digrams in English are (in decreasing order): th, he, in, er, an, re, ed, on, es, st, en, at, to, nt, ha, nd, ou, ea, ng, as, or, ti, is, et, it, ar, te, se, hi, of. The twelve most common trigrams are (again in decreasing order): the, ing, and, her, ere, ent, tha, nth, was, eth, for, dth. Exercise 2 What happens if in CFB mode the encryptor box and the decryptor box (as a whole) are interchanged? Will the receiver be able to read the plaintext? What are the error propagation properties? Are patterns hidden? Exercise 3 You have a network with 1000 PC’s. Each PC can test a key for a block cipher in 0.4 microseconds. How long does it take (on average) to find a 40-bit key? A 56-bit key? A 64-bit key? An 80-bit key? Exercise 4 A home -banking scheme needs data authentication. Should it use MACs or digital signatures?

62

Exercise 5 Assume we have a network with 100 users, without a central trusted third party in which every party wants to communicate securely (secrecy and authentication) with each other party. How many keys are required if we use symmetric techniques, and how many keys are required if we use public key techniques? How will the numbers change if we introduce a central party (Key Distribution Center or Certification Authority)? Exercise 6 Discuss the system for user identification used by an ATM network. On what is it based? Analyze what the key management requirements of the system are. Could you propose a design? (note that designing protocols is very tricky, so do’ t try this in real life). Exercise 7 Design a system for escrow of session keys to be used in an email system. There are two escrow agents that have each a public key for encryption. Use 2 out of 2 secret sharing, such that the cooperation of the 2 agents is required to recover the session key. Exercise 8 Design a policy for key escrow in your company. Use the open questions on escrow to guide you.

63

Exercises for Course 4.3 Logic in Computer Science (exercises derived from Huth and Ryan’s book). Exercise 1 Which of the following propositional formulas represents the sentence, 'He will come on the 8:15 or the 9:15 train; if the former, he will have time to visit us', where p means 'He will come on the 8:15' q means 'He will come on the 9:15' r means 'He will have time to visit us' 1. ¬p → q ∨ r 2. p ∨ q → r 3. (p → q) ∧ (p ∨ r) 4. p ∨ ¬q → r 5. (p ∨ q) ∧ (p → r) Exercise 2 Which of the following sentences has the logical form (p ∧ q) → r 1. If you miss the party, then Jane, who is already upset, will be angry with you. 2. Handel is great, and the same goes for Vivaldi. 3. If inflation is up and an election is approaching, then public borrowing goes up. 4. He will come on the 8:15 or the 9:15 train; if the former, he will have time to visit

us. 5. Heavy traffic and rain have put him in a bad mood. Exercise 3 Which of the following propositional formulas is a tautology? Recall that a tautology is a formula that evaluates to T for all possible assignments of truth values. 1. (¬p ∨ r) → (p ∨ ¬r) 2. ¬(p → (p ∧ q)) 3. r → (p ∧ ¬r) 4. ¬p ∧ T 5. (p ↔ q) ∨ (p ↔ ¬q) Recall that p ↔ q is an abbreviation for (p → q) ∧ (q → p). Exercise 4 Assume the following predicate and constant symbols: W(x,y) : x wrote y L(x,y) : x is longer than y h : Hardy a : Austen j : Jude the Obscure p : Pride and Predjudice Which of the following represents the sentence, ''Jude the Obscure' is not longer than

64

'Pride and Predjudice'', in predicate logic? 1. W(h,j) ∧ W(a,p) 2. ¬∀x ∀y ¬L(x,y) 3. L(p,j) 4. ¬L(j,p) 5. L(h,a) Exercise 5 Which of the following sets of sentences is satisfiable? (Recall that a "sentence" is a predicate logic formula that has no free variables.) 1. {∃x Q(x), ∀x (Q(x) → R(x)), ∀x ¬R(x)}. 2. {∃y ∀x P(x,y), ∀x ¬P(x,x)}. 3. {∀x ∀y (P(x,y) → P(y,y)), ∀x ¬P(x,x), ∃x ∃y (P(x,y)}. 4. {∀x ∃y P(x,y), ∀x ¬P(x,x)}. 5. {∃x Q(x), ∀x ¬Q(x)}. Exercise 6 Assume the specifications below: The predicate symbols S(x,y) : x is y's sister B(x,y) : x is y's brother H(x,y) : x is y's husband and O(x,y) : x is older than y and the constant symbols j : John, c : Carl, and m : Monique. Which of the following formulas express the sentence 'Carl is Moniques brother-in-law'? 1. B(c,m) ∧ H(c,m). 2. B(c,m) ∨ H(c,m). 3. ∀x ∀y (S(x,m) ∧ H(c,y) → x = y). 4. ∃x ((S(x,m) ∧ H(c,x)) ∨ (H(x,m) ∧ B(c,x))). 5. None of the above. Exercise 7 Which of the specifications in plain English below convey the mathematical meaning of the CTL formula AG (p → A[q ∪ r]) ? 1. Any reachable state in which p is true has a path from it on which r is eventually

true, and until then q is true. 2. If p is true in every reachable state, then there is a path along which q is

continuously true, until r becomes true. 3. If p is true in every reachable state, then for any path along which q is continuously

65

true, r becomes true. 4. For any reachable state in which p is true, then, on any path from that state, q is

continuously true until r becomes true, and r is guaranteed to become true. 5. If p is true in every reachable state, then on every path there is a state at which r is

true, and q is true continuously until then. Exercise 8 Consider the Kripke model given thus: M = (W, R, L), where W = {a,b,c,d,e}, R = {(b,a), (a,d), (b,d), (d,d), (b,c), (b,e), (c,e), (d,e)}, and L(a) = {p,q,r}, L(b) = {p,r}, L(c) = {p,q}, L(d) = {}, L(e) = {r}, pictured as follows:

Which of the following formulas is satisfied at the world b? 1. (¬q ∧ r) 2. (p ∧ r) 3. (p ∨ q) 4. ⊥ 5. r

66

Exercises for Course 4.4 Advanced Graph Theory (exercises derived from Shimon Even’s book). Exercise 1 Prove that if a connected (undirected) finite graph has exactly 2k vertices of odd degree then the set of edges can be partitioned into k paths such that every edge is used exactly once. Is the condition of connectivity necessary or can it be replaced by a weaker condition? Exercise 2 Prove that the following graph has no Hamiltonian path or circuit.

Exercise 3 Prove that in every Completely connected directed graph (a graph in which every two vertices are connected by exactly one directed edge in one of the two possible directions) there is always a directed Hamiltonian path. (Hint: Prove by induction on the number of vertices). Exercise 4 Prove that a directed Hamiltonian circuit of Gσ,n corresponds to a directed Euler circuit of Gσ,n-1. Is it true that Gσ,n always has a direct Hamiltonian circuit? Exercise 5 In the following assume that G(V,E) is a finite undirected graph, with no parallel edges and no self-loops. (a) Describe an algorithm which attempts to find a Hamiltonian circuit in G by working with a partial simple path.If the path cannot be extended in either direction then try to close it into a simple circuit by the edge between its endpoints, if it exists, or by a switch, as suggested by the diagram, where edges a and b are added and c is deleted. Once a circuit is formed, look for an edge from one of its vertices to a new vertex, and open the circuit to a now longer path, etc.

(b) Prove that if for every two vertices u and v, d(u) + d(v) ≥ n, where n = |V |, then the algorithm will never fail to produce a Hamiltonian circuit.

67

Exercise 6 Describe an algorithm for finding the number of shorthest paths from s to t after the BFS algorithm has been performed. Exercise 7 Repeat the above, after the Dijkstra algorithm has been performed. Assume l(e) > 0 for every edge e. Why is this assumption necessary? Exercise 8 The transitive closure of a digraph G(V,E) is a digraph G’(V,E) such that there is an edge u → v in G’ if and only if there is a (non-empty) directed path from u to v in G. For the BFS, Dijkstra and Floyd’s algorithms, explain how they can be used to construct G’ for a given G, and compare the complexities of the resulting algorithms.

68

Exercises for Course 4.6 Fundamentals of Real-Time Systems (exercises derived from Hermann Kopetz’s book and Giorgio Buttazzo’s lectures). Exercise 1 Explain the difference between fast computing and real-time computing. Exercise 2 Which programming restrictions should be used in a programming language to permit the analysis of real-time applications? Suggest some extensions that could be included in a language for real-time systems. Exercise 3 Give the formal definition of a schedule, explaining the difference between preemptive and non-preemptive scheduling. Exercise 4 Given seven tasks, A, B, C, D, E, F, and G, construct the precedence graph from the following precedence relations: A → C B → C B → D C → E C → F D → F D → G Then, assuming that all tasks arrive at time t = 0, have deadline D = 25, and computation times 2, 3, 3, 5, 1, 2, 5, respectively, modify their arrival times and deadlines to schedule them by EDF. Exercise 5 Compute the maximum processor utilization that can be assigned to a Sporadic Server to guarantee the following periodic tasks under RM:

Ci Ti τ1 1 5 τ2 2 8

Exercise 6 Together with the periodic tasks illustrated in Exercise 5, schedule the following aperiodic tasks with a Polling Server having maximum utilization and intermediate priority.

ai Ci J1 2 3 J2 7 1 J3 17 1

Exercise 7 Compute the maximum processor utilization that can be assigned to a Dynamic Sporadic Server to guarantee the following periodic tasks, under EDF:

69

Ci Ti τ1 2 6 τ2 3 9

Exercise 8 Verify whether the following task set is schedulable by the Rate-Monotonic algorithm. Apply the processor utilization approach first, and then the Response Time Analysis:

Ci Ti Bi τ1 4 10 5 τ2 3 15 3 τ 3 4 20 0

Exercise 9 Consider three tasks τ1, τ2, and τ 3 which share three multi-unit resources A, B and C, accessed using the Stack Resource Policy. Resources A and B have three units, whereas C_ has two units. Compute the ceiling table for all the resources based on the following task characteristics:

Di µA µB µC τ1 5 1 0 1 τ2 10 2 1 2 τ 3 20 3 1 1

Exercise 10 Calculate the overhead of a trigger task if the WCET of the trigger task is 200 µsec and the laxity of an RT transaction is 10 msec. Discuss the advantages and disadvantages of an application-task activation by an interrupt versus that of a trigger task. Exercise 11 Assume that an instruction cache has a cycle time of 20 nsec. If an instruction resides in the cache the access time is one cycle, while the penalty of a cache miss is 8 extra cycles. The cache size is 256 instructions. What is the worst-case variability of the microarchitecture delay caused by cache reloading? Exercise 12 Calculate the latency jitter of a high level PAR protocol that allows three retries, assuming that the lower level protocol used for this implementation has a dmin of 2 msec and a dmax of 20 msec. Calculate the error detection latency at the sender.

70

Exercises for Course 4.7 Fundamentals of Dependability (exercises by J-C. Laprie). Exercise 1 In the following bullets, replace the suspension points with the words fault, error, failure, or the corresponding adjectives faulty, erroneous, failed:

a) The result of a programmer's … is a … in the written software (… instruction(s) or data); upon activation (invoking the component where the … resides and triggering the … instruction, instruction sequence or data by an appropriate input pattern), the … becomes active and produces an …; if and when the … data affect the delivered service (in value or in the timing of their delivery), a … occurs.

b) A short circuit occurring in an integrated circuit is a … (with respect to the specification of the circuit); the consequence (connection stuck at a Boolean value, modification of the circuit function, etc.) is a …

c) An inappropriate man-machine interaction performed by an operator during the operation of the system is a … (from the system viewpoint); the resulting altered processed data is an …

d) A maintenance or operating manual writer's … may result in a … in the corresponding manual (… directives)

Exercise 2 Checkpoints constitute one of the fault tolerance mechanisms, and they have several purposes. What are these purposes? Exercise 3 Out of the six verification approaches (reviews and inspections, static analysis, theorem proving, model-checking, symbolic execution, test), what are the two ones which are most used in practice? Exercise 4 The evolution of the number residual faults in a software under development is typically represented by the figure below. Comment this evolution: reasons for an increase followed by a decrease?

Num

ber

of re

sid

ual

faults

Development steps

71

Exercises for Course 4.8 Computer Networks Security (exercises by M. Correia). Exercise 1 Classify each of the following as a violation of confidentiality, of integrity, of availability, or of some combination thereof.

a. John copies Mary’s homework. b. Paul crashes Linda’s system. c. Carol changes the amount of Angelo’s check from $100 to $1,000. d. Gina forges Roger’s signature on a deed. e. Rhonda registers the domain name “AddisonWesley.com” and refuses to let

the publishing house buy or use that domain name. f. Jonah obtains Peter’s credit card number and has the credit card company

cancel the card and replace it with another card bearing a different account number. g. Henry spoofs Julie’s IP address to gain access to her computer.

Exercise 2 Give an example of a situation in which a compromise of confidentiality leads to a compromise in integrity. Exercise 3 The section on public key cryptosystems discussed non-repudiation of origin in the context of public key cryptosystems. Consider a secret key system (in which a shared key is used). Bob has a message that he claims came from Alice, and to prove it he shows both the cleartext message and the ciphertext message. The ciphertext corresponds to the plaintext enciphered under the secret key that Alice and Bob share. Explain why this does not satisfy the requirements of non-repudiation of origin. How might you modify a classical cryptosystem to provide non-repudiation? Exercise 4 Suppose Alice, Bob, and Carol want to use secret key technology to authenticate each other. If they all used the same secret key K, then Bob could impersonate Carol to Alice (actually, any of the three can impersonate the other to the third). Suppose instead that each other had their own secret key, so Alice uses KA, Bob uses KB, and Carol KC. This means that each one, to prove his or her identity responds to a challenge with a function of his or her secret key and the challenge. Is this more secure than having them all use the same secret key K. (Hint: what does Alice need to know in order to verify Carol’s answer to Alice’s challenge?) Exercise 5 Classify each of the following as an example of a mandatory, discretionary, or originator-controlled policy, or a combination thereof. Justify your answers.

a. The file access control mechanisms of the UNIX operating system b. A system in which no memorandum can be distributed without the author's

consent c. A military facility in which only generals can enter a particular room d. A university registrar's office, in which a faculty member can see the grades of

a particular student provided that the student has given written permission for the faculty member to see them.

72

Exercise 6 Given that the Internet is a shared network, discuss whether preventing denial of service attacks is inherently possible or not possible. Do systems connected to the Internet violate the principle of least common mechanism? Exercise 7 A system allows the user to choose a password with a length of one to eight characters, inclusive. Assume that 10,000 passwords can be tested per second. The system administrators want to expire passwords once they have a probability of 0.10 of having been guessed. Determine the expected time to meet this probability under each of the following conditions.

a. Password characters may be any ASCII characters from 1 to 127, inclusive. b. Password characters may be any alphanumeric characters ("A" through "Z,"

"a" through "z," and "0" through "9"). c. Password characters must be digits.

Exercise 8 Consider the following authentication protocol, which uses a classical cryptosystem. Alice generates a random message r¸ enciphers it with the key k she shares with Bob, and sends the enciphered message {r}k to Bob. Bob deciphers it, adds 1 to r, and sends {r + 1}k back to Alice. Alice deciphers the message and compares it with r. If the difference is 1, she knows that her correspondent shares the same key k and is therefore Bob. If not, she assumes that her correspondent does not share the key k and so is not Bob. Does this protocol authenticate Bob to Alice? Why or why not? Exercise 9 A computer system uses biometrics to authenticate users. Discuss ways in which an attacker might try to spoof the system under each of the following conditions.

a. The biometric hardware is directly connected to the system, and the authentication software is loaded onto the system.

b. The biometric hardware is on a stand-alone computer connected to the system, and the authentication software on the stand-alone computer sends a "yes" or "no" to the system indicating whether or not the user has been authenticated.

Exercise 10 A company wishes to market a secure version of the Swiss Cheese Operating System (SCOS), known as much for its advanced user and database management features as for its security vulnerabilities. The company plans to build a virtual machine to run SCOS and run that virtual machine on a second system, the Somewhat Secure Operating System (SSOS). The marketing literature claims that the VM running SCOS provides total isolation, thereby eliminating any potential security problems.

a. Does this arrangement provide total isolation? If your answer is not "yes," discuss what features the VM would need to include to provide total isolation, or show why this arrangement cannot provide total isolation.

b. The literature states that "the VM mediates all accesses to real system resources, providing an impenetrable barrier to any attacker trying to break out of the SCOS and attack other copies of SCOS running on the SSOS." Do you agree or disagree with this statement? Why? (If you would need more information in order to make a decision, state what information you would need and why.)

73

Exercise 11 A computer security expert contends that most break-ins to computer systems today are attributable to flawed programming or incorrect configuration of systems and products. If this claim is true, do you think design assurance is as important as implementation and operational assurance? Why or why not? Exercise 12 Requirements are often difficult to derive, especially when the environment in which the system will function, and the specific tasks it will perform, are unknown. Explain the problems that this causes during development of assurance. Exercise 13 Given that the Lamport hash value is sent in the clear over the network, why is it more secure than a password? Exercise 14 Name three main differences between a packet filter and a proxy, and explain what is the impact on the filtering ability. Exercise 15 What is the difference between 'secure channel' and 'secure tunnel'? Are they equivalent? One category is a subset of the other?

74

Exercises for Course 4.9 Resilient Distributed Systems and Algorithms (exercises by M. Correia). Exercise 1 What is the difference between intrusion tolerance and intrusion prevention? Give an example of a mechanism for each. Exercise 2 Compare the notions of:

a. resilience, b. intrusion detection, c. intrusion prevention and d. intrusion tolerance.

Exercise 3 Define the following properties and describe a method based on intrusion tolerance for enforcing each of them in distributed systems:

a. integrity b. confidentiality c. availability

Exercise 4 Describe thoroughly the main differences between behaviour-based intrusion detection systems and knowledge-based intrusion detection systems”. Exercise 5 What is the role of the monitor in an attack injection tool? What “things” can/should it monitor? Exercise 6 In traditional sense, define “Tamper-proof” and “tamper-resistant”. Do they make sense in a dependability perspective? (think in terms of coverage) Exercise 7 Compare the following two notions:

a. intrusion detection and b. failure detection.

Exercise 8 Consider the notion of threshold cryptography:

a. Why should it be consider an intrusion tolerance mechanism? b. Explain in detail how this mechanism might be used to implement a service

that signs (using public key cryptography) certain data items on behalf of a set of cooperating organizations that do not entirely trust each other.

Exercise 9 Do synchrony (timing) assumptions bring any problems from a malicious attack perspective? Yes, No, When.

75

Exercise 10 Compare the properties provided by a Byzantine Atomic Broadcast protocol and a Byzantine Reliable Broadcast protocol:

a. In what do they differ? b. Which of the two problems is more difficult to solve? Why? (think about

equivalence to consensus) c. What is the Fischer-Lynch-Patterson impossibility result? d. Which of the two problems involves circumventing the Fischer-Lynch-

Patterson impossibility result? Why?

Exercise 11 Explain in detail how Byzantine State Machine Replication works, explaining the properties that must be satisfied for it to operate correctly. Exercise 12 Consider the 3 classical properties of security: integrity, confidentiality, and availability. Which of these properties are enforced by Byzantine State Machine Replication? (consider for instance Castro and Liskov’s BFT protocol) Exercise 13 What do we mean by controlled failure assumptions in the context of resilience? Exercise 14 Explain why proactive resilience cannot be implemented in an asynchronous way (recall the notion of exhaustion safety). How can it be implemented using a hybrid system model (i.e., with wormholes)? Exercise 15 Suggest two ways in which wormholes can be implemented, one using additional hardware and the other just in software. Exercise 16 Compare the problem of vector consensus with the problem of multi-valued consensus. Exercise 17 Describe a simple Byzantine Atomic Broadcast protocol that uses as building blocks two existing protocols:

a. a Byzantine Reliable Broadcast protocol, called using function R_Broadcast(message)

b. a Byzantine Vector Consensus protocol, called using function Vector Consensus(valued, consensus_identifier)

76

Exercises for Course 4.10 Dependability and Security Evaluation of Computer-based Systems (exercises by M. Kaâniche). Exercise 1 Let us consider a system composed of n different components denoted 1, 2 ……n, with m identical replicas of each component. Two redundancy strategies are studied:

- GR, in which redundancy is applied globally at the system level: the architecture is composed of m identical copies of the system that are organized according to a parallel structure.

- LR, in which redundancy is applied locally at the level of each component.

GR architecture: Global Redundancy LR architecture: Local Redundancy

Let us denote by ri(t) the reliability function of component i. The components are assumed to fail according to independent stochastic processes.

1) Derive the system reliability functions RGR(t) and RLR(t) corresponding to the two considered redundancy strategies, as a function of ri(t).

2) Consider the case m = n = 2 and ri(t) = r(t)

Compare RGR(t) and RLR(t). Exercise 2 Let us study the two following architectures I and II.

Architecture I Architecture II 1) Build a Fault Tree describing the failure scenarios associated to each architecture. 2) The reliability functions r(t) associated to the components are assumed to be

identical and exponentially distributed with a constant failure rate λ.

For each architecture, derive the system failure rate and mean time to failure (MTTF).

77

Exercise 3 Let us consider a system’s architecture composed of n components and one majority voter. The components are assumed to be identical and fail according to independent stochastic processes. The system is operational when a majority of k components are not failed.

k out n majority voting system

r(t) denotes the reliability of a component and λ the associated failure rate assumed to

be constant. rv(t) is the reliability of the voter.

1) Derive the system reliability R(t) as a function of r(t) and rv(t).

2) Consider the case of a TMR architecture (n=3, k=2), with a perfect voter (rv(t) = 1) a) Plot the curve illustrating the evolution of R(t) and r(t) as a function of λt, and

analyse the system reliability compared to the reliability of a single component b) Derive the MTTF of system and Compare it with the MTTF of a single

component c) What can you conclude?

3) Consider the case of a TMR architecture (n=3, k=2), with an imperfect voter (rv(t) ≠ 1)

Determine the acceptable values for rv(t) that ensure a better reliability for a TMR system, compare with a simplex non-redundant architecture (i.e., composed of a single component)

Exercise 4 Let us consider a duplex system architecture composed of two redundant computing nodes interconnected through a local area network (LAN). Denote by λnet the failure rate of the communication LAN, assumed to be constant For each computing node, two types of failures may lead to the unavailability of the node:

- Software failures, with constant failure rate λsw - Hardware failures, with constant failure rate λhw

The system is operational when at least one computing node and the communication LAN are available.

The system reliability function is denoted as R(t). a) Build a reliability block diagram and a fault tree model for the system

c) Derive the system reliability R(t) as a function of λsw, λhw and λnet

78

Exercise 5 Consider a system architecture composed of two redundant processors (P1 et P2) and three identical shared memory blocks (M1, M2, M3). The system is operational when at least one processor and one memory block are available.

Bi-processor with shared memory architecture

Denote by rP(t) and rM(t) the reliability functions associated to a processor and a memory block, respectively. rP(t) and rM(t) are exponentially distributed functions with constant failure rates λP and λM, respectively.

a) Derive the system reliability R (t) as a function of rP(t) and rM(t)

b) Derive the system mean time to failure (MTTF) and the system failure λS(t) Exercise 6 Derive the reliability function of the system architecture described by the following reliability block diagram:

ri (t) : reliability of component i

Voter assumed to be perfect (rv(t) = 1) Exercise 7 Consider a duplex system composed of two redundant components using active dynamic redundancy fault tolerance strategy. The error detection and reconfiguration mechanisms to switch from the active component to the standby component are assumed to be imperfect with a coverage factor c. 1) Active redundancy – hot standby

a) Build a state graph describing the behaviur of the system b) Derive the system reliability R(t) as a function of the components’

reliability r(t) and the coverage factor c.

79

c) Derive the system reliability R(t) and the system MTTF when r(t) is described by an exponential distribution with a constant failure rate λ (r(t) = exp(-λt)).

2) Passive redundancy (warm standby)

Denote by ra(t) the reliability of the active component and rs(t) the reliability of the standby component.

a) Build a state graph describing the behaviour of the system

b) Derive the system reliability R(t) as a function of ra(t), rs(t) and the coverage factor c.

c) Denote by λa(t) and λs(t) the failure rates of the active and the standby component, respectively, and assume that λs(t) = k λa(t) (k≤1)

Derive the system reliability R(t) and the MTTF 3) Compare the two considered strategies

80

Exercises for Course 4.11 Testing, Verification and Validation (exercises by F. von Henke, H. Pfeifer and H. Waeselynck). Exercise 1 Consider a binary search function in an array of strings. It searches for a key word in the n elements of the array (array indexes are in the range [0..n-1]). If the word is found, the function returns the index of the corresponding element in the array, else it returns –1. For example, the search for "Bruno" in array {"Alice", "Bob", "Carol"} yields –1. The search for "Carol" in the same array yields 2. In order to apply binary search, it is assumed that the input array is already sorted, elements being in ascending alphabetical order. int binary (char *word, char *tab[], int n) { int low, high, mid, cond; low = 0; high = n-1; while (low <= high) { mid = (low+high)/2; cond = strcmp(word, tab[mid]); if (cond < 0) high = mid - 1; else if (cond > 0) low = mid + 1; else return (mid); } return (-1); } Note: Function strcmp is provided by the standard C library. User manual for this function: int strcmp(const char *s1, const char *s2); strcmp() compares two strings byte-by-byte, according to the ordering of your machine's character set. The function returns an integer greater than, equal to, or less than 0, if the string pointed to by s1 is greater than, equal to, or less than the string pointed to by s2 respectively. The sign of a non-zero return value is determined by the sign of the difference between the values of the first pair of bytes that differ in the strings being compared.

1. Build the control flow graph of binary(). Do you think that “All-Paths” is an achievable criterion for that function?

2. Devise a small functional test set based on the informal specification (for example, start from the two cases illustrating the expected behavior). Analyze the induced structural coverage: if necessary, supplement the test set by additional cases to cover all branches + all paths corresponding to 0, 1 loop iteration + at least one path with n>1 loop iterations.

Exercise 2 Consider a TRIANGLE program: given 3 integers A, B and C such that A ≥ B ≥ C > 0, TRIANGLE determines whether the triangle having sides of lengths A, B and C is equilateral, isosceles or scalene. An error message is issued whenever invalid inputs are supplied to the program (unordered input values, or values ≤0).

81

1. Build a decision table from the informal specification.

2. Devise a functional test set that covers all rules of the table.

3. Consider the following implementation of TRIANGLE:

start int A, B, C; string message; read(A, B, C); if ((A >= B) and (B >= C) and (C > 0)) then

if ((A = B) and (B = C)) then message = ‘equilateral’; else

if ((A = B) or (B = C)) then message = ‘isosceles’; else message = ‘scalene’;

else message = ‘input error’; print(message); stop

Does the previous functional test set cover all paths of the implementation?

4. Does the functional test set fulfill the Modified Condition / Decision Coverage criterion, defined as follows (where a condition is a Boolean expression containing no Boolean operators, and a decision is a branch predicate):

« every condition has taken all possible outcomes at least once; every decision has taken all possible outcomes at least once; each condition in a decision has been shown to independently affect that decision’s outcome (i.e., the decision changes by varying just that condition while holding fixed all other conditions) »

If necessary, supplement the test set by additional cases in order to achieve MC/DC coverage. In general, are the “All-Paths” and MC/DC criteria comparable?

5. The TRIANGLE implementation contains a fault. Which one? Is it revealed by the previous test sets?

Exercise 3 Consider a comment printer function. This function is part of a program analyzing source code files (e.g., analysis of C files). The function is called each time a new character is read in the file. It has to extract comments from the stream of read characters, and to print them out. A comment starts with /* and ends with */. Example: - input stream

… int my_var; /* declaration of my_var */ my_var = 0; /* initialization of my_var */

… the function must print out:

declaration of my_var initialization of my_var

We assume that comments cannot be nested: /* this /* is */ forbidden */ But a comment may contain ‘/*’:

/* this /* is possible */ and the function prints this /* is possible

82

The function works with a buffer that memorizes the content of the current comment. Whenever the beginning of a comment is recognized, the buffer is initialized to empty; then, the next input characters are successively stored in the buffer, until an end of comment is recognized; upon end of comment detection, the function prints out the content of the buffer (possibly truncated, so that ‘*/’ is not printed).

1. Formalize expected behavior as a finite state machine having the following input and output alphabets (respectively denoted by S and Ω) :

S = {*, /, φ} where * : character ‘*’ is read / : character ‘/’ is read φ : another character is read

Ω = {–, init_bf, mem, print_bf} where – : ignore current character init_bf: buffer initialization mem : buffer concatenated with current character print_bf: print buffer with rightmost character truncated

2. Devise a test set that covers all states.

3. Adopt two alternative strategies to cover all transitions: • minimize the size of the test (number of input characters to be supplied) ; • choose input sequences that are functionally “meaningful”.

Exercise 4 Which of the following expressions are syntactically correct CTL formulae?

1. X q 2. ¬AX q 3. p ∪ (AX ⊥) 4. E [AX q ∪ EG ¬p ∨ T ]

Exercise 5 Prove the validity of the following formula algebraically, that is, by gradually transforming it to T using the equivalence rules for CTL formulae.

((AF ¬ Φ ⇒ EG ¬ τ ) ∧ (EF Φ ⇒ ¬EX ¬ψ) ) ⇒ (AF τ ⇒ ψ) Exercise 6 Consider the following state transition system:

83

Determine, for which of the following formulae the depicted system constitutes a model.

(1) AG (t ⇒ r) (7) AG (q ⇒ AG (r ∨ q)) (2) AG (s ⇒ r) (8) AG EF p (3) A [⊥ U p] (9) EG EF p (4) E [⊥ U p] (10) EG (¬r ⇒ EG EF p) (5) AG E [⊥ U p] (11) EG (¬r ⇒ AG EF p) (6) AG (q ⇒ EG (r ∨ q))

Exercise 7 Which of the following graphs constitutes a reduced and ordered BDD of the formula (x �¬y) � z ?

Exercise 8

a) Using the variable ordering z < y < x, develop OBDDs Bf and Bg for the formulae

_ _ _ _ f = z + z x and g = xy + xy + xyz , respectively.

b) Compute the OBDD Bfg = apply(⋅,Bf , Bg ).

c) Compute the OBDD B∃ = exists(y, Bfg ). Exercise 9 Consider the following state transition system M:

For each of the following formulae Φi , determine a path of M starting at the initial state q3that satisfies Φi. Furthermore, determine for which of the formulae M, q3 |= Φi holds.

84

Exercise 10 Develop sequent calculus proofs for the following propositional formulae:

Exercise 11 Develop sequent calculus proofs for the following first-order formulae:

Exercise 12 Prove each of the formulae of exercises 1 and 2 with PVS. Exercise 13 a) Using β-reduction, reduce the following λ-term as far as possible:

(λf . λx. f (f x)) (λy.g y a) b

b) Using β-reduction, show that the following λ -terms M and N are equivalent modulo α-conversion.

M = λx.((λz.z x) ((λr.λs.s r) y f )) N = λw.((λz. λu. λv.u v z ) w f y)

Exercise 14 For the simply-typed λ-calculus, let σ, τ, ρ be basic types. Using the typing rules, derive the type of the following λ-term:

λx : (σ → τ → ρ). λy : (σ → τ). λz : σ. x(z) (y(z))

85

Exercise 15 Using the syntax of higher-order logics, define a function that reflects the transitive closure of a binary relation R over some basic type T. To this end, take the following steps:

a) Let BinRel := (T → T → Bool ) denote the type of binary relations over T. Define a predicate transitive? : BinRel → Bool such that transitive?(R) is true if and only if R is transitive. b) Define a predicate ≤ : BinRel → BinRel → Bool such that R ≤ S is true if and only if relation S contains relation R. c) Define a function intersect : (BinRel → Bool ) → BinRel such that intersect(P) reflects the intersection of all binary relations that satisfy the predicate P. d) Using the functions defined above, define the function transclosure : BinRel → BinRel such that transclosure(R) yields the transitive closure of R.

Hint: A pair (x, y) is a member of the transitive closure of R if it is a member of all binary relations that are transitive and that contain R. Exercise 16 Using PVS, define the following recursive functions and prove the corresponding facts.

a) Define a function sum(n:nat): RECURSIVE nat, which calculates the sum of all natural numbers from 0 to n:

Prove: sum(n) = ½n*(n+1) b) Define a function sumF(n:nat,f:[nat->nat]): RECURSIVE nat, which calculates the sum of the functions values of f from 0 to n:

Prove:

where id is the identity function (id(n) = n). c) Define the functions square(n:nat) : nat and cube(n:nat) : nat such that square(n) = n2 and cube(n) = n3. Prove:

d) Define a function exp2(n:nat): RECURSIVE nat, such that exp2(n) = 2n. Prove: sumF(n; exp2) = exp2(n + 1) - 1.

86

Exercises for Course 4.12 Usability and User Centred Design for Dependable and Usable Socio-technical Systems (exercises by P. Palanque). Exercise 1 Heuristic Evaluation For this assignment, you must have a group of 3-5 students. You will be preparing a usability test using the “Heuristic Evaluation” method on an application of your choice. For the purpose of this exercise, the group must determine the three most frequent user tasks with the application. In individual basis, each student should inspect the user interface. Every usability problem found whilst trying to perform the previously identified user tasks should be described and classified accordingly to one of the 10 heuristics proposed by Jakob Nielsen (slide 41). Please use the form below to describe usability problems. Once individual evaluations are completed, you should compare your results with the group identifying the most common problems. The group should provide a ranking of usability problems according to their severity (most severe first) and a suggestion for fixing the user interface or reducing the impact of every usability problem.

87

Form FOR DESCRIBING USABILITY PROBLEMS

1. Identification section

1.1 Evaluation code: _______________________________________________________

1.2 Evaluation code session: _________________________________________________ 1.3 Usability evaluation method employed: _____________________________________

1.4 Date: / / 1.5 Time used for evaluation: __h __ m. Start time: __h__m End time: __h __m

1.6 Evaluator1: ____________________________________________________________

2. List of problems

# Task2 Time3 Problem

description Scene4 Scenario5 Severity6 Usability Criteria

involved7 1

2

3

...

1 Name or code of evaluator conducting the test 2 Task, or its code used to identify a user task described away, being affected by the usability problem. 3 Time, (min:sec) used for accomplish (or not) a task. 4 Pointers to the data set showing the problem, ex: video session, screen snapshop, URL address for the pages and objects (text, link, image, etc.) when evaluating Web applications. 5 Scenario of use sequence of user action when the problem occurred 6 Severity: evaluators rating for the problem. Example of severity scale: critical = 3 /important = 2/ minor = 1. 7 Criteria used rating the test. Ex. H1: Simple and natural dialogue, H2: Speak the user’s language, etc.

88

Exercise 2 Automated Usability Evaluation The main goal of this exercise is to demonstrate how to employ automated tool to inspect the user interface. For the purpose of this exercise you select one of the tools recommended by the W3C (available at: http://www.w3.org/WAI/ER/tools/complete) for the inspection of Web sites. At first, you must employ an automated tool for inspecting a Web site of your choice. Then, you should analyze the report provided by the tool in particular identifying which kind of usability problems can be automatically inspected and which kind of problems requires a manual inspection. Exercise 3 Task modelling (1) Develop a task model in ConcurTaskTrees from the game TicTacToe for two players playing in a network (see example below).

Exercise 4 Task modelling (2) Develop a task model for an ATM. Think about: • Normal behaviours • Abnormal behaviours • Timing • Resources • Knowledge • Objects (system view) • Interfaces elements

89

Exercise 5 Task modelling (3) Provide and alternative task model for an ATM developed in exercise 4 by including tasks that can migrate from the user to the system (and vice-versa). Assess the relative performance of the system/tasks with and without the proposed migration. Exercise 6 Prototyping Provide a low fidelity prototype (paper-based) for an ATM. The prototype should support all the sequences of the tasks described in you task model. You must provide: the set of wireframes of the user interface and the storyboard describing the transitions between then as exemplified below.

Example of a wireframe.

90

Example of Storyboard.

Exercise 7 Evaluating your prototype with users In order to evaluate your prototype will request to a user (one of your colleague) to simulate cash withdraw using the method “magic of the oz”. You will provide the user with your wireframes and simulate the system actions on the paper-based prototype. You must observe: • If the user follows (or not) the scenarios supported in the task models; • If the user is able (or not) to accomplish the task following the storyboard; • Potential user’s errors or mistakes whilst executing the task (ex. forget to recover

the receipt); • User comments concerning the task execution. Exercise 8 Task modelling (4) Including user errors in a task model does not correspond to “standard” modelling practice. According to the task model presented in the course about the ATM (see below) propose a task model including user error.

1) Build that task model in CTTE environment, 2) Define a set of guidelines for a systematic modelling of errors 3) Propose an argumentation of why such task model including user error could

be useful

91

Final Student Project – at the end of the course

Nuclear Power Plant Case Study – project description

Based on the Dix et al Nuclear Case Study at http://www.hcibook.com/e3/scenario/nuclear/

NB: This is not representative of a real nuclear power plant in a number of ways although the sorts of design and use problems it illustrates do occur in real control rooms.

Figure 1 shows a sketch of the control panel of a nuclear reactor. The actual panel is very large covering an area of wall approximately 3 metres long and 1 metre high starting 1 metre above floor level.

Figure 1. Main control panel

The control panel contains many panels, sub-panels and controls. Of particular relevance to this case study are the 6 panels at the extreme left and right- hand sides of the wall as illustrated in figure 1. These are

• Alarm control panel • Emergency shutdown panel • Emergency confirm panel • Reactor targets display • Manual override panel • Numeric keypad for the manual override panel

These are illustrated in figures 2 and 3 below

92

Figure 2. Alarm control and emergency shutdown panels

Figure 3. Reactor targets display and manual override panel

In addition, there is reactor state panel (see figure 4), situated 1.8 metres above the floor in the centre of the wall (Not shown in figure 1) that indicates the current state of the reactor by displaying the three key parameters relevant to this case study. These are:

93

• The core temperature • The pressure of the coolant • The rate of flow of the coolant

Figure 4: Reactor state panel showing current values of key parameters

System model

The coolant circulates around the reactor core and maintains the temperature of the core within acceptable limits. Without coolant at sufficient pressure and rate of flow the temperature of the core will rise which can lead to a runaway and meltdown or explosion. On the other hand the temperature of the core falls too low, energy production cannot be maintained at the required level.

The target core temperature and coolant pressure and flow rate are set at the beginning of each shift by the supervisor. This is done according to a book of tables and in response to production demands. Once set, the automated processes monitor the coolant parameters and control them to match the target values.

There is a single operator on duty in the duty room at all times. The operator works an 8-hour shift. The supervisor is not generally in the control room but can be called if required. The operator has many tasks relating to checking, maintenance, and recording performance data, but for this case study we concentrate on the most important task which is monitoring the performance and safety of the reactor and intervening in the largely automated control loop in the event of over-temperature conditions.

Alert states

The system can be in one of three alert states; GREEN, AMBER and RED

GREEN is the normal operational state. This state holds when the core temperature is within +15% of the target value (the so-called green zone). In the Green state, the operator is required to check and note down in a logbook the core temperature every 20 minutes.

Occasionally, for various reasons the core temperature can exceed the green zone in which case hazardous conditions may occur.

The AMBER state holds when the core temperature is in the range 16-25% above the target temperature (called the ‘amber zone’). If this state is detected the operator must manually raise an AMBER alarm using the alarm control panel (see below), this warns workers and supervisors in the reactor area but no external emergency services are alerted. In this state the operator should make no interventions but check the core temperature every minute. Once the core temperature returns to the green zone the AMBER alarm is cancelled.

Amber states occur once or twice per day, but are usually self-rectifying.

325

7934

10256

Temp

Pres

F/r

325

7934

10256

Temp

Pres

F/r

94

The RED state holds when the core temperature is greater than 25% above the target (the ‘red zone’). All personnel in the reactor building are warned and external emergency services are contacted. In this state the operator must use the manual override panel (see below) to increase the target flow rate of coolant by 10%. This operation is repeated every minute until the GREEN state is attained. The operator must not alter the target core temperature or target coolant pressure. Once the core temperature is returned to the green zone, the RED alarm is cancelled. If the however the core temperature continues to rise and exceeds 50% of the target value, there will be an auditory warning and the emergency shutdown procedure must be initiated (see below).

Red states occur only a few times per year, and an emergency shutdown has never been required in the five-year history of the plant but remains a possibility. Raising a RED alarm unnecessarily causes significant expense and inconvenience to both the station staff and the external services. Emergency shutdown uses explosive bolts to force control rods into the reactor stopping the reaction. After an emergency shutdown it may take several weeks to repair damage and replace parts resulting in several millions of pounds of lost production.

The original design of the alarm control panel

When the plant was commissioned, five years ago, the alarm control panel worked as follows.

The current alarm state is indicated by which of the coloured lights on the alarm control panel is lit. If the alarm system is working properly, the colours of the lights correspond to the alert stated defined in terms of the core temperature as described above. Only one light can be on at a time. The ‘+’ and ‘-‘ buttons on this panel can be used to shift the alarm state manually. Figure 5 shows a state transition network for this original design.

Figure 5. State transition diagram of original alarm control panel

Revised alarm operation

Two months ago, a consultant suggested changing the operation of the ALARM CONTROL and the operation of the controls was revised in line with his recommendations. The physical layout of the displays and controls however, remains unchanged. The current design works as follows. Raising the alert state from GREEN to AMBER and back uses the ‘+’and ‘-‘ buttons as before. But raising from AMBER to RED now produces an intermediate state in which the ‘CONFIRM’ button on the emergency confirm panel glows red and the operator must also press this before the system will move into the RED state. Pressing the CANCEL button in this temporary state returns the system back to the AMBER state. Once in the RED state pressing the ‘-‘ button alarm control panel returns the system to an AMBER state directly. Figure 6 shows a state transition diagram for the revised system.

95

Figure 6 State transition diagram for Revised alarm operation

The Reactor Targets and manual override panel

The reactor targets information panel shows the target state of the core temperature, coolant pressure and coolant flow rate. These are checked and set at the beginning of each shift by the supervisor and cannot be changed by the operator unless a RED alert state has occurred. In a RED state the operator will need to adjust the flow rate parameter using the manual override panel. In the RED state the operator can adjust any of the three parameters by choosing the required parameter from the dropdown menu. The new target is then entered via the keyboard and displayed in the target display on the manual override panel but is does not become effective until the SET button is pressed whereupon it is also displayed in the reactor targets panel. (The SET button prevents partly typed values being accepted as new targets). When the system is in the GREEN and AMBER states this panel is inoperative, but parameters can still be selected and new data entered into the display but pressing the select button has no effect.

The Emergency shut down panel

An emergency shut down is initiated by pressing the large button on the emergency shutdown panel labelled, IMMEDIATE SHUTDOWN COMMENCE. This can only be activated when the operator has changed the alarm state to RED. The sequence will not start until the CONFIRM button has been pressed. This prevents accidental shutdown. This CONFIRM button is normally illuminated green and is ineffective until the IMMEDIATE SHUTDOWN COMMENCE button has been pressed whereupon it glows red.

Exercise - Analysing the Design and use of the power plant control system

Part 1 [Indicative length two pages]

1. Critically evaluate the detailed design of the control panels. Here are some questions to help you

a. Discuss the use of colour in the alarm control, emergency shutdown and emergency confirm panels. Is it a sensible use of colour?

b. Are there any design principles violated that make the system more error prone? If so which ones and where?

c. How good is the spatial layout of the panels? Explain your conclusion 2. Use hierarchical task analysis to describe what the operator must do to control the

reactor (based on the description given above).

96

3. Generate illustrative scenarios giving context to how an operator might fail to deal correctly with a state of the system. These scenarios should illustrate how the operator might deviate from required steps, how an operator might carry out an emergency shut down inadvertently or NOT carry out such a shutdown when it was necessary. Explain why the errors occur and how they might be avoided.

4. Suggest three most significant features of this system design that make it vulnerable to operator error (with explanation), and suggest how should they might be fixed cost-effectively.

Part 2 THEA analysis of an incident scenario [no indicative length]

We have generated a scenario in which the operator is unable to adjust the flow rate correctly, forcing an unnecessary emergency shutdown. The scenario is included overleaf. You may also find your HTA useful. Produce a table that summarises your answer to the question. For each line of the scenario description discuss whether there is vulnerability to error. If so is the vulnerability an error of :

omission (some action(s) not performed) commission (wrong action performed) sequence (right actions but in wrong order) qualitative (too much, too little) timing (too early too late)

For each line where you have identified an error, use a THEA question to identify a cause for the error and suggest how the error might have been avoided or mitigated against.

1. Reflect on whether there is a good fit between the THEA questions and the errors you identified. Were there other factors that weren’t captured by the question that you identified for each identified error?

97

Scenario Name: Goal/Subgoal/Item:

Question Causal Issues Consequences Design Issues

GOALS, TRIGGERING & INITIATION G1

(Is the task triggered by stimuli in the interface, environment, or

task?)

G2 (Does the user interface 'evoke'

or 'suggest' goals?)

G3 (Do goals come into conflict?)

G4 (Can a goal be achieved without

all its sub-goals being achieved?)

PLANS P1

(Are there well practiced and pre-determined plans?)

P2 (Can actions be selected in-situ,

or is pre-planning required?)

P3 (Are there plans or actions that are similar to one another? Are

some used more often than others?)

PERFORMING ACTIONS A1

(Is there physical or mental difficulty in executing the

actions?)

A2 (Are some actions made

unavailable at certain times?)

A3 (Is the correct action dependent

on the current mode?)

A4 (Are additional actions required

to make the right controls and information available at the right

time?)

98

PERCEPTION, INTERPRETATION, EVALUATION

I1 (Are changes - resulting either

from user action or autonomous system behaviour -

perceivable?)

I2 (Are the effects of actions

perceivable immediately?)

I3 (Does the item involve

monitoring, vigilance, or continuous attention?)

I4 (Can the user determine relevant

information about the state of the system?)

I5 (Is the relation of information to the plans and goals obvious?)

I6 (Is complex reasoning,

calculation, or decision making involved?)

I7 (Is the correct interpretation

dependent on the current mode?)

Scenario for use in THEA Exercise

Note this is a failure scenario. It is more usual to use THEA with success scenarios but here there are some elements of failure as well that may be used as triggers to consider how THEA relates to these failures.

Jenny, the Nuclear Power Plant operator has normal sight and no physical or perceptual impairments. Her shift started at 12am and it is now 5am in the morning. So far the plant has been operating within normal parameters and the current alarm state is therefore green.

1. Jenny notices the core temperature has risen very rapidly and is already in the red zone 2. she realises she must immediately increase flow rate to correct this 3. she goes to the Alarm Control Panel on the far right of the main reactor control panel and

presses '+' twice (as it is starting off in green state) 4. the Emergency Confirm button glows red 5. she moves across to the Manual Override panel on the far left of the main reactor control panel 6. she selects 'flow ' from the pull down on the Manual Override panel 7. she types the new value '11280' using the keypad 8. she notices that the number on the Reactor Targets panel has not changed 9. she realises she forgot to press the SET button on the Manual Override panel 10. she presses the SET button 11. the value still doesn't change 12. an automatic audio warning sounds "60 seconds to core meltdown" 13. she presses the SET button repeatedly 14. still the value doesn't change

99

15. she starts again, selects 'flow' from the pulldown, types 6000 and presses SET 16. still the value doesn't change 17. the audio warning says "30 seconds to core meltdown" 18. Jenny runs across the room to the Emergency Shutdown panel 19. "20 seconds to core meltdown" 20. she presses "Immediate Shutdown Commence" button 21. the emergency confirm button glows red 22. "10 seconds to core meltdown" 23. she presses the "Emergency Confirm" button which goes to green 24. Nothing happens. 25. she presses "Immediate Shutdown Commence" button again 26. "5 seconds to core meltdown" 27. she presses the "Emergency Confirm" button 28. she hears the crash of the explosive bolts sending the control rods into the reactor 29. the audio system announces "reactor shutdown successful"

Part 3 A HEART assessment

1. Carry out a HEART analysis to address the following scenario A male operator with normal vision, no physical disabilities and 5 years, experience comes on duty at 12 midnight after one day’s holiday. Prior to his day off he had been working for 10 days on the 8am-4pm shift. From 12am until 5am, the plant has been operating in the GREEN state with only a 2 percent variation from the target temperature. At 5am the operator checks the core temperature which has exceeded the green zone. At 5.10, there is an abrupt rise in the core temperature into the RED zone. In order for the system to return to the GREEN state, the operator will be required to intervene by increasing the flow coolant flow rate by 30 percent within 4 minutes. If he fails to achieve this the system will require and emergency shutdown. What is the likelihood that the system will require an emergency shutdown?

2. Critically review your analysis by:

Discussing the major difficulties you experienced deriving your HEART estimate. To what extent do you think these difficulties will affect the precision of your answer? What degree of agreement do you think there will be between the estimates of the different

individuals in the class If there are differences where in the process will they have emerged?

100

Exercises for Course 4.15 Software Reliability Engineering (exercises by K. Kanoun). Exercise 1 The table of Figure SRE.1 gives the successive inter-failure times observed during the validation test of a software system (read from left to right). Which trend tests can you apply to this data set? Apply at least one of them. Does this curve or the results of the trend test application reveal a possible abnormal behaviour? 12 10 16 13 6 7 6 5 7 9 8 9 7 5 6

3 5 3 7 9 8 10 9 12 10 14 12 15 13

Figure SRE.1 Exercise 2 Assuming that the table of Figure SRE.1 represents the observed failure intensity (number of failures per week), answer the same questions as in Exercise 1. Exercise 3 The Laplace factor calculated from the failure intensity data collected during testing is plotted in Figure SRE.2. Identify the various periods of reliability growth / decrease. Can you think of some reasons for this reliability decrease? Comment on this and recommend one or more reliability growth models that could be applied according to the trend.

Laplace factor

Unit of time

-2

-4

4

2

6

-6 Figure SRE.2

Exercise 4 After three months of software testing without specification changes, the observed failure intensity is given in Figure SRE.3.

1 2

month

3

Failure intensity

Figure SRE.3

101

Identify the period(s) of reliability decrease. What could be the reasons for this decrease (give some reasons which seem acceptable from a tester's point of view, and others that could help improve the validation procedures). Exercise 5 Same as Exercise 4, assuming two new versions of the software have been introduced due to specification changes. Locate approximately the times of the introduction of the new versions. Comment on this. Exercise 6 The observed failure intensity during the six last months of software testing is given in Figure SRE.4-a (number of failures per week). It is assumed that there are no quantified reliability objectives. Our aim in this exercise is to use qualitative and informal criteria from trend test results and the observed failure intensity to guide the development process. The informal criteria for software delivery is the following "the software has reached a stable reliability behaviour with a few failures per week, more precisely less than 10 failures per month" a) Plot the failure intensity and the corresponding Laplace factor. Delivery of the

software is planned for the end of the year. Does this aim seem reachable?

30 31 25 30 28 27 32 25 30 28

29 25 27 28 26 25 23 24 19 20

17 15 16 12 15 17

Figure SRE.4 -a-

12 15 13 12 9 12 10 11 9 13

10 14 15

Figure SRE.4 -b-

17 16 14 17 15 10 8 9 6 7

5 3 4

Figure SRE.4 -c- b) The failure intensity observed during the following 3 months (Months 7 to 9) is

given in Figure SRE.4-b (number of failures per week). Comment about the trend. Do you think that it is still reasonable to plan delivery for the end of the year?

c) The failure intensity observed during the following 3 months (months 10 to 12) is given in Figure SRE.4-c (number of failures per week). At the end of the 10-th month do you think that it is still reasonable to plan delivery for the end of the year? Plot the overall failure intensity and the Laplace factor. What could be the reasons for the failure intensity increase at the beginning of the last quarter?

Exercise 7 The average failure intensity observed during four weeks of testing is (assuming 7 working days):

102

- 5 failures per day, the first week, - 3 failures per day, the second week, - 2 failures per day, the third week, - 0.2 failures per day, the fourth week. Plot the failure intensity and the cumulative number of failures. Show that the latter is subadditive over the considered period. Plot the Laplace factor. Exercise 8 After 12 weeks of testing, the observed failure intensity can be approximated as follows: - for 0 ≤ t < 3 , h(t) = 2 + 3 t, - for 3 ≤ t < 7 , h(t) = 17 - 2 t, - for 7 ≤ t < 9 , h(t) = 10 - t, - for 9 ≤ t ≤ 12 , h(t) = 1. Plot the failure intensity and the cumulative number of failures. What about the subadditive property? Locate approximately the region of trend change. Plot the Laplace factor. Exercise 9 The failure intensity (i.e., the number of failures per week) observed during the validation of a software system is given in Figure SRE. 5 (read from left to right). Plot the failure intensity and the Laplace factor. What conclusions can be drawn for the trend? Partition the data according to the trend and plot the Laplace factor for the subset displaying reliability growth.

15 17 16 19 20 17 20 19 21 19

25 28 26 24 26 25 23 24 19 20

17 15 16 12 15 17 12 15 13 12

9 12 10 11 9 13 10 9 10 8

7 9 5 6

Figure SRE.5

103

Appendix C. License This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. Under this license: You are free:

to Share — to copy, distribute and transmit the work to Remix — to adapt the work

Under the following conditions: . Attribution — You must attribute the work in the manner specified by the

author or licensor (but not in any way that suggests that they endorse you or your use of the work). What does "Attribute this work" mean? The page you came from contained embedded licensing metadata, including how the creator wishes to be attributed for re-use. You can use the HTML here to cite the work. Doing so will also include metadata on your page so that others can find the original work as well.

. Noncommercial — You may not use this work for commercial purposes. . Share Alike — If you alter, transform, or build upon this work, you may

distribute the resulting work only under the same or similar license to this one. . With the understanding that:

Waiver — Any of the above conditions can be waived if you get permission from the copyright holder.

Other Rights — In no way are any of the following rights affected by the license:

Your fair dealing or fair use rights; The author's moral rights; Rights other persons may have either in the work itself or in how the work is

used, such as publicity or privacy rights. Notice — For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to this web page.

deliverable d38 - resist.isti.cnr.itresist.isti.cnr.it/files/d38.pdf · courses of the second...

Documents