December 12 – 17 , 2004, Dagstuhl Seminar 04511

Architecting Systems with Trustworthy Components


Ralf H. Reussner (Universität Oldenburg, DE)
Judith A. Stafford (Tufts University – Medford, US)
Clemens A. Szyperski (Microsoft Research – Redmond, US)

For support, please contact

Dagstuhl Service Team


Dagstuhl Seminar Proceedings DROPS
List of Participants
Dagstuhl's Impact: Documents available

Motivation and Goals

Component software technologies attract much attention for their promise to enable scaling of our software industry to new levels of flexibility, diversity, and cost efficiency. Yet, these hopes collide with the reality that assemblies typically suffer from the proverbial "weakest link" phenomenon. If a component is used in a new compositional variation, then it will likely be stressed in a new way. Asserting useful properties of assemblies based on the used composition schema and theory requires a firm handle on the properties of the components being composed. For such assertions to hold, components need to meet their advertised properties, even if used under circumstances not explicitly envisaged by their developers. A component that fails to do so becomes a weak link of its hosting assembly and may cause the entire assembly to not meet its advertised properties.

In contrast, components that promise to be a strong link in their assemblies can be called 'trustworthy' and ways to get to the construction and proper use of such components are the subject of this seminar. Transitively, the seminar is also after trustworthy assemblies: assemblies that reliably meet their requirements based on trustworthy components and solid composition methods.

None of the weakest link phenomenon is a new observation, but the recent trend to move to dynamic and late composition of non-trivial components exasperates the problem. A concrete example promising deep wide-spread relevance are web services. The problem space is complex and multi-faceted. Practical solutions will have to draw on combined insights from a diverse range of disciplines, including component software technology, software engineering, software architecture, dependable systems, formal methods, as well as areas such as type systems and proof-carrying code.

A lot of good and sometimes even groundbreaking work has been performed in the focus area of this seminar, but much remains open. Bringing together many of the key minds in the various contributing areas to engage in this week-long seminar of mingling and discussions promises to spark some new key ideas and insights, ideally leading to new collaborative efforts.

To spark discussions, the seminar organizers propose a small set of core problems:

  • measurement and normalization of non-functional properties,
  • modular reasoning over non-functional properties,
  • capture of component requirements in interfaces and protocols
  • interference and synergy of top-down and bottom-up aspects,
  • duality of componentization and architecture,
  • system properties (non deadlocks, liveness, fairness, etc.)
  • opportunities for correctness by construction/static checking

All of these are considered hard today and yet, all of them, if solved appropriately, promise the creation of key stepping stones towards an overall approach yielding trustworthy components as well as trustworthy compositions. It is likely that any such approach supports a multitude of more specialized disciplines and methods, targeting different requirement profiles at the assembly level. Examples would include cases that require tight resource management or real-time characteristics.

Outcomes of the seminar will likely shape closer characterizations or answers to questions such as:

  • Depending on the system-property to reason about, what are suitable techniques, and
  • what component interface information do they require?
  • Where are principal limitations of reasoning over a given system-property (depending on the reasoning technique)?
  • Do certain system-properties conflict (e.g., performance - security)? For those pairs of conflicting properties, how can one find tradeoffs systematically?


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.