Resilient Software Research Articles

On the Way to SBOMs: Investigating Design Issues and Solutions in Practice

The increase of software supply chain threats has underscored the necessity for robust security mechanisms, among which the Software Bill of Materials (SBOM) stands out as a promising solution. SBOMs, by providing a machine-readable inventory of software composition details, play a crucial role in enhancing transparency and traceability within software supply chains. This empirical study delves into the practical challenges and solutions associated with the adoption of SBOMs through an analysis of 4,786 GitHub discussions across 510 SBOM-related projects. Through repository mining and analysis, this research delineates key topics, challenges, and solutions intrinsic to the effective utilization of SBOMs. Furthermore, we shed light on commonly used tools and frameworks for SBOM generation, exploring their respective strengths and limitations. This study underscores a set of findings, for example, there are four phases of the SBOM life cycle, and each phase has a set of SBOM development activities and issues; in addition, this study emphasizes the role SBOM play in ensuring resilient software development practices and the imperative of their widespread adoption and integration to bolster supply chain security. The insights of our study provide vital input for future work and practical advancements in this topic.

Responding to platform owner moves: A 14‐year qualitative study of four enterprise software complementors

AbstractIntegrating the competition and the cooperation perspectives on value co‐creation in platform ecosystems, this study explores complementor responses to platform owner moves that adversely affect the complementor's positioning. Our primary focus is to discern dynamic patterns of complementor responses and to understand their role in the process of re‐stabilising the complementor's positioning. To this end, we conducted a 14‐year longitudinal study, analysing 21 move‐response instances across four platform partnerships. Our findings reveal three distinct complementor response archetypes: insist, pivot, and detach. Over time, complementors combine these archetypes into three unique response patterns. Through progressive diverging, complementors sidestep platform owner moves by diversifying their offer beyond the focal ecosystem. Although this can entail substantial multi‐homing costs, it reduces dependence on the platform owner and bolsters resilience against future moves. Through adaptive oscillating, complementors use platform owner moves as opportunities to gradually diversify their offer within the focal ecosystem. This stepwise market expansion makes them resilient against future moves, while mitigating costs and efforts related to multi‐homing. Through persistent insisting, complementors can re‐establish their previous positioning, but at the cost of increased dependence on the platform owner, leaving the complementor vulnerable to future moves. We synthesise these findings in our process model of complementor positioning. Emphasising the importance of complementor responses in fostering resilient software ecosystems, this model bears important implications for research on platform governance and platform‐dependent entrepreneurship.

Community-Led Development and Participatory Design in Open Source: Empowering Collaboration for Sustainable Solutions

This whitepaper delves into the active role of community-led development (CLD) and participatory design (PD) in open source software, highlighting how these complementary approaches bring stakeholders from various backgrounds together to create a cooperative atmosphere for developing stable solutions. It emphasizes the importance of these methodologies in enabling communities to tackle real-world issues effectively and robustly, thus influencing the expansion of open-source development. Integrating CLD and PD within open-source projects fosters a more inclusive collaborative development environment, driving innovation and user-centric solutions. Through case studies like Kubernetes and Konveyor, it is evident that these methodologies significantly contribute to project success by enhancing adaptability, ensuring broad community engagement, and addressing diverse user needs. The findings underscore the vital role of these strategies in creating sustainable and resilient software solutions, highlighting their potential to transform the technology development landscape.

Protecting Synchronization Mechanisms of Parallel Big Data Kernels via Logging

With the growing effort to reduce power consumption in machines, fault tolerance becomes more of a concern. This holds particularly for large-scale computing, where execution failures due to soft faults waste excessive time and resources. These large-scale applications are normally parallel in nature and rely on control structures tailored specifically for parallel computing, such as locks and barriers. While there are many studies on resilient software, to our knowledge none of them focus on protecting these parallel control structures. In this work, we present a method of ensuring the correct operation of both locks and barriers in parallel applications. Our method tracks the memory locations used within parallel sections and detects a violation of the control structures. Upon detecting any violation, the violating thread is rolled back to the beginning of the structure and reattempts it, similar to rollback mechanisms in transactional memory systems. We test the method on representative samples of the BigDataBench kernels and find it exhibits a mean error reduction of 93.6% for basic mutex locks and barriers with a mean 6.55% execution time overhead at 64 threads. Additionally, we provide a comparison to transactional memory methods and demonstrate up to a mean 57.5% execution time overhead reduction.

English

Introduction of DevOps into the software development life cycle represents a cultural shift in the IT culture, amalgamating development and operations to improve delivery speed in a rapid and maintainable manner. At the same time, security threats and breaches are expected to grow as more enterprises move to new agile frameworks for rapid product delivery. Meanwhile, DevSecOps is a mindset change that revolutionizes software development by embedding security at each step of the software cycle, leading to resilient software. This paper discusses a framework organization can use to embed DevSecOps swiftly and efficiently into the general IT culture.

Special issue on resilient software and software-controlled systems

Special issue on resilient software and software-controlled systems

A Component Model with Verifiable Composition for the Construction of Emergency Management Systems

Construction of critical systems (e.g. disaster/emergency management systems) demands extra efforts from the developers as compared to non-critical systems. A critical system may be comprised of hardware communication infrastructure and the management system software. Many of hardware failures or in-capabilities can be handled by the resilient software components. The management software’s main tasks are to continuously collect data (from distributed sensors), to predict possible threats, and to intimate the right authorities for timely action to avoid/reduce the damages of the threats. For the construction of such systems, by reusing existing reliable software components, a verifiable software composition mechanism is highly desired. In this paper, we select a component model (EX-MAN) from the component-based development approaches for providing pre-defined exogenous connectors. In this paper, at the methodological level, we define an approach to verify the correctness of exogenous connectors. To evaluate our approach, we design an emergency management system in EX-MAN and implement the system in our tool for EX-MAN.

Employing resilience engineering in eliciting software requirements for complex systems: experiments with the functional resonance analysis method (FRAM)

Resilience engineering provides concepts and methods for assessing the ability of socio-technical systems to adjust their functioning before, during, or after changes or disturbances. As such, this field of study has great potential to contribute to software engineering—particularly for the requirements specification for information systems—that deals with variability, unpredictability, and adaptation in complex contexts. Despite software engineers’ efforts, the requirements phase is still challenging, especially in complex socio-technical systems. In these systems, the software must be more resilient and adaptable to deal with uncertain situations. Thus, this study aimed to investigate the contributions of resilience engineering to requirements engineering to identify software requirements for complex systems. Two experiments were performed with software professionals to produce requirements specifications in healthcare. The participants used information from the functional resonance analysis method (FRAM) compared to business process modeling notation (BPMN). Both experiments were supported by a systematic approach called MacKnight. This study indicates innovative strategies to gather resilient software requirements from FRAM models for complex systems.

Speculation of Software Reusability Estimation using CK (Chidamber and Kemerer) Metrics

In today’s software community the most interesting topic is software reusability because of its immense benefits that comprise of decreased product schedule, cost and increase in product quality. Most of the time, software is not built from scratch since it is costly and time-consuming process. Therefore, existing software documents (source code, documents, design, etc.) are used to develop the new application according to user requirements. But still the software reusability is not being followed as a standard approach in the process of software development. Till now initiating the software reuse process there is a need to analyze and properly understand the user requirements in spite of considerable upfront investments for software reusability. We have studied various aspects of software reusability along with software metrics and are being presented in this article. Efficient software designs can be enabled by assessing the software reusability extent. The aging resilient software design could be of paramount significance to enable faultiness software system. The estimation of software reusability plays an important part in software’s cost reduction and quality improvement, in an object-oriented programming. In this paper the idea about the designing the CK metrics suite along with metrics’ evaluation is presented that can help for object-oriented based systems in reflecting the accurate results.

Enhanced evolutionary computing based artificial intelligence model for web-solutions software reusability estimation

Ensuring the aging resilient software design can be of paramount significance to enable faultless software system. Particularly assessing reusability extent of the software components can enable efficient software design. The probability of aging proneness can be characterized based on key OO-SM like cohesion, coupling and complexity of a software component. In this paper, aging resilient software reusability prediction model is proposed for object oriented design based Web of Service (WoS) software systems. This work introduces multilevel optimization to accomplish a novel reusability prediction model. Considering coupling, cohesion and complexity as the software characteristics to signify aging proneness, six CK metrics; WMC, CBO, DIT, LCOM, NOC, and RFC are obtained from 100 WoS software. The extracted CK metrics are processed for min–max normalization that alleviates data-unbalancing and hence avoids saturation during learning. The 10-fold Cross-validation followed by outlier detection is considered to enrich data quality for further feature extraction. To reduce computational overheads RSA algorithm is applied. SoftAudit tool is applied to estimate reusability of each class, while binary ULR estimates calculates (reuse proneness) threshold. Applying different classification algorithms such as LM, ANN algorithms, ELM, and evolutionary computing enriched ANN reuse-proneness prediction has been done. The performance assessment affirms that AGA based ANN model outperforms other techniques and hence can be used for earlier aging-resilient reusability optimization for WoS software design.

MTD 기법이 적용된 SDR 통신 시스템의 성능 분석

최근 이동 단말의 급격한 증가와 함께 통신망 구축의 용이성, 단말의 자유로운 이동성 및 세션의 연속성, 유선에 비견되는 데이터 전송 대역폭 등을 제공하는 무선통신 기술에 대한 수요가 급증하고 있다. 그러나 이러한 무선 통신은 신호전달 특성상 도청이나 DOS 공격, 세션 하이재킹, 재밍 등과 같은 악의적 무선 사이버 공격에 취약하다는 단점을 갖는다. 이와 같은 무선 사이버 공격을 막는 다양한 방법 중 최근 많은 연구가 이루어지고 있는 MTD(Moving Target Defense) 기술은 시스템이 공격 받을 수 있는 요소들을 지속적으로 변경시킴으로써 방어 시스템의 보안 능력을 향상시키는 기법이다. 본 논문에서는 자가 방어 및 복원력이 있는 무선 통신 시스템 구축을 위해 변복조 방법, 동작 주파수, 전송 패킷 길이 등을 동적으로 변화시키는 MTD 기법이 적용된 SDR(Software Defined Radio) 무선통신 테스트베드를 개발하고, 악의적 사용자의 공격 성공률에 대한 성능분석 수식을 제안하고, 시뮬레이션을 통해 성능분석 결과의 타당성을 검증하였다. With the rapid increase in the number of mobile terminals, demand for wireless technologies has sharply increased these days. While wireless communication provides advantages such as ease of deployment, mobility of terminals, continuity of session, and almost comparable transmission bandwidth to the wired communication, it has vulnerability to malicious radio attacks such as eavesdropping, denial of service, session hijacking, and jamming. Among a variety of methods of preventing wireless attacks, the MTD(Moving Target Defense) is the technique for improving the security capability of the defense system by constantly changing the ability of the system to be attacked. In this paper, in order to develop a resilient software defined radio communication testbed system, we present a novel MTD approach to change dynamically and randomly the radio parameters such as modulation scheme, operating frequency, packet size. The probability of successful attack on the developed MTD-based SDR communication system has been analysed in a mathematical way and verified through simulation.

A combined energy-bandwidth approach to allocate resilient virtual software defined networks

The Internet supports many applications for millions of users every day and will enable the creation of even more innovative services for all participants. However, there is still no Quality of Service (QoS) guarantee for the users. In order to specify requirements, clients establish Service Level Agreements (SLAs) with their Internet Service Providers (ISPs), where resilience and available bandwidth are key requirements for the success of Internet services. On the other hand, the ISPs aim to maximize their profit by establishing as many SLAs as possible and decrease the energy consumption to deliver their services. The mixing of Software Defined Networks (SDNs) and Virtual Networks (VNs), called Virtual Software Defined Network (VSDN), improves the flexibility and manageability of networks, arising it as an option to achieve these goals. Within this context, this paper presents two algorithms to allocate VSDNs: (i) the Bandwidth and Reliability According to Redundancy (BRAR) algorithm to achieve resilience; and (ii) the Bandwidth and Energy Efficiency Focus (BEE-Focus) algorithm to find paths taking into account bandwidth availability and energy efficiency. The results show the benefits of the proposed algorithms in deploying resilient VSDNs regarding energy efficiency, while improving bandwidth availability in the network infrastructure.

A resiliency framework for an enterprise cloud

This paper presents a systematic approach to develop a resilient software system which can be developed as emerging services and analytics for resiliency. While using the resiliency as a good example for enterprise cloud security, all resilient characteristics should be blended together to produce greater impacts. A framework, cloud computing adoption framework (CCAF), is presented in details. CCAF has four major types of emerging services and each one has been explained in details with regard to the individual function and how each one can be integrated. CCAF is an architectural framework that blends software resilience, service components and guidelines together and provides real case studies to produce greater impacts to the organizations adopting cloud computing and security. CCAF provides business alignments and provides agility, efficiency and integration for business competitive edge. In order to validate user requirements and system designs, a large scale survey has been conducted with detailed analysis provided for each major question. We present our discussion and conclude that the use of CCAF framework can illustrate software resilience and security improvement for enterprise security. CCAF framework itself is validated as an emerging service for enterprise cloud computing with analytics showing survey analysis.

SETER

The quality of software systems strongly depends on their architecture. For this reason, taking into account security requirements at the architecture level is crucial for the success of secure software development. Today, systems are permanently evolving due to customer needs, technology evolution or maintenance constraints. Thus, a resilient secure system is expected to evolve towards more satisfaction of its security requirements (Guelfi 2011). In particular, such evolution process should identify and eliminate faults and vulnerabilities during the development process or runtime. This study focuses on the design phases and aims to propose a resilient software engineering process guaranteeing the development of secure systems that satisfy their critical requirements. During the development process, the system is expected to evolve until reaching satisfactory compliance against its requirements. The satisfaction computation is based on the quantification of failures and degradations. In this paper, the authors propose a novel architecture model-based security testing approach for identifying faults and vulnerabilities. The originality of the proposal resides in the usage of the architecture model for security testing and in coupling security requirements with threat model for generating both security functional test cases and malicious test cases. The assessment of the security requirements’ satisfaction and the overall system resilience is based on the test traces analysis. Throughout this study, a client-server system is used as a running example for illustrating the approach.

Software for the LHCb experiment

LHCb is an experiment for precision measurements of CP-violation and rare decays in B mesons at the LHC collider at CERN. The LHCb software development strategy follows an architecture-centric approach as a way of creating a resilient software framework that can withstand changes in requirements and technology over the expected long lifetime of the experiment. The software architecture, called GAUDI, supports event data processing applications that run in different processing environments ranging from the real-time high-level triggers in the online system to the final physics analysis performed by more than 100 physicists. The major architectural design choices and the arguments that lead to these choices will be outlined. Object oriented technologies have been used throughout. Initially developed for the LHCb experiment, GAUDI has been adopted and extended by other experiments. Several iterations of the GAUDI software framework have been released and are now being used routinely by the physicists of the LHCb collaboration to facilitate their development of data selection algorithms. The LHCb reconstruction (Brunel), the digitization (Boole) and analysis (DaVinci) applications together with the simulation application (Gauss), also based on Geant4, and event and detector visualization program (Panoramix) are all based on the GAUDI framework. All these applications are now in production.

Reconstruction and analysis software environment of LHCb

The LHCb software development strategy follows an architecture-centric approach as a way of creating a resilient software framework that can withstand changes in requirements and technology over the expected long lifetime of the experiment. The software architecture, called GAUDI, supports event data processing applications that run in different processing environments ranging from the real-time high-level triggers in the on-line system to the final physics analysis performed by more than one hundred physicists.

Part 2: Evaluation of Subgrade Resilient Modulus: Resilient Modulus Estimation System for Fine-Grained Soils

A software tool was developed to estimate the resilient modulus of fine-grained subgrade soils. The subgrade resilient modulus is a key factor for use in mechanistic-empirical pavement design methods. However, for routine design use, the test method is too expensive and difficult to perform. Resilient modulus estimation software was developed with expert system approaches. Information entered by the user is first examined for reasonableness and accuracy. Then, data searching processes are initiated, and more than 30 estimation models can be invoked, depending on the availability of input data. All results were evaluated on the basis of certainty rules, such as how well data meet limitations existing during the model's original development environment. The user is given four alternate methods on which to base the choice of a resilient modulus that is most appropriate for the site: one based on certainty rules and three based on statistical methods.

Resilient Modulus Estimation System for Fine-Grained Soils

A software tool was developed to estimate the resilient modulus of finegrained subgrade soils. The subgrade resilient modulus is a key factor for use in mechanistic–empirical pavement design methods. However, for routine design use, the test method is too expensive and difficult to perform. Resilient modulus estimation software was developed with expert system approaches. Information entered by the user is first examined for reasonableness and accuracy. Then, data searching processes are initiated, and more than 30 estimation models can be invoked, depending on the availability of input data. All results were evaluated on the basis of certainty rules, such as how well data meet limitations existing during the model's original development environment. The user is given four alternate methods on which to base the choice of a resilient modulus that is most appropriate for the site: one based on certainty rules and three based on statistical methods.

GAUDI — A software architecture and framework for building HEP data processing applications

We present a software architecture and framework that can be used to facilitate the development of data processing applications for High Energy Physics experiments. The development strategy follows an architecture-centric approach as a way of creating a resilient software framework that can withstand changes in requirements and technology over the long lifetimes of experiments. The software architecture, called GAUDI, supports event data processing applications that run in different processing environments, from the high level triggers in the on-line system to the final physics analysis. We present our major architectural design choices and outline the arguments that led to these choices. Several iterations of a software framework based on this architecture have been released and the framework is now being used by the physicists of the collaboration to facilitate the development of data processing algorithms. Object oriented technologies have been used throughout.