12 – 17 December 2004, Dagstuhl Seminar 04511
Architecting Systems with Trustworthy Components
Motivation and Goals
Component software technologies attract much attention for their promise to scale our software industry to new levels of flexibility, diversity, and cost efficiency. Yet these hopes collide with the reality that assemblies typically suffer from the proverbial "weakest link" phenomenon. If a component is used in a new compositional variation, it will likely be stressed in a new way. Asserting useful properties of assemblies based on the composition schema and theory used requires a firm handle on the properties of the components being composed. For such assertions to hold, components need to meet their advertised properties even when used under circumstances not explicitly envisaged by their developers. A component that fails to do so becomes a weak link of its hosting assembly and may cause the entire assembly to fail to meet its advertised properties.
In contrast, components that promise to be a strong link in their assemblies can be called 'trustworthy', and ways to construct and properly use such components are the subject of this seminar. Transitively, the seminar also aims at trustworthy assemblies: assemblies that reliably meet their requirements based on trustworthy components and solid composition methods.
The weakest-link phenomenon is not a new observation, but the recent trend towards dynamic and late composition of non-trivial components exacerbates the problem. Web services are a concrete example of deep and widespread relevance. The problem space is complex and multi-faceted. Practical solutions will have to draw on combined insights from a diverse range of disciplines, including component software technology, software engineering, software architecture, dependable systems, and formal methods, as well as areas such as type systems and proof-carrying code.
A lot of good and sometimes even groundbreaking work has been performed in the focus area of this seminar, but much remains open. Bringing together many of the key minds in the various contributing areas to engage in this week-long seminar of mingling and discussions promises to spark some new key ideas and insights, ideally leading to new collaborative efforts.
To spark discussions, the seminar organizers propose a small set of core problems:
- measurement and normalization of non-functional properties,
- modular reasoning over non-functional properties,
- capture of component requirements in interfaces and protocols,
- interference and synergy of top-down and bottom-up aspects,
- duality of componentization and architecture,
- system properties (deadlock freedom, liveness, fairness, etc.),
- opportunities for correctness by construction and static checking.
All of these are considered hard today, and yet all of them, if solved appropriately, promise to become key stepping stones towards an overall approach yielding trustworthy components as well as trustworthy compositions. Any such approach will likely support a multitude of more specialized disciplines and methods, targeting different requirement profiles at the assembly level. Examples include cases that require tight resource management or real-time characteristics.
Outcomes of the seminar will likely shape closer characterizations or answers to questions such as:
- Depending on the system property to reason about, what are suitable techniques, and what component interface information do they require?
- What are the principal limitations of reasoning over a given system property (depending on the reasoning technique)?
- Do certain system properties conflict (e.g., performance vs. security)? For those pairs of conflicting properties, how can one find tradeoffs systematically?