Fault Prevention
Fault prevention aims to prevent the occurrence or the introduction of faults.
It consists of developing systems in such a way as to avoid design and implementation
faults, and of preventing faults from occurring during operation. In this context,
we are developing methods for defining security policies, which is a fundamental
step in the design and implementation of dependable information systems.
The definition of a security policy consists in identifying the properties
that must be satisfied and the rules that applications and organizations must
obey in order to satisfy them. In complex information systems, the properties
to be satisfied may be contradictory, for example, confidentiality and availability
properties. The definition of the policy attempts to minimize such conflicts.
Moreover, the rules embodied in the policy must be verifiable by protection
mechanisms.
Our current work is focused on security policies for healthcare applications,
which are characterized by their strong requirements regarding not only confidentiality,
integrity and availability, but also responsibility. Moreover, the wide diversity
of organizations involved (hospitals, clinics, medical and paramedical offices,
pharmacies, health insurance agencies, etc.) imposes a similar diversity in
security policies. The methods that we are developing should be able to define
policies adapted to these different contexts.
Fault Tolerance
Fault-tolerance techniques aim to ensure that a system provides a service
fulfilling the system function despite faults. Our work is centered on distributed
software techniques for tolerating physical faults, design faults and deliberately
malicious faults. Our current research concerns the protection of large-scale
distributed applications (e.g., e-commerce applications over the Internet),
wrapping techniques for commercial off-the-shelf operating systems aimed at
mastering their behavior in the presence of faults, and the implementation
of fault tolerance by reflective object-oriented approaches.
Concerning the protection of large-scale distributed applications, we are
studying authorization schemes based on vouchers and capabilities, implemented
by Javacards and servers tolerating accidental and deliberately malicious
faults (Figure 1).
Figure 1 Protection architecture tolerating accidental and
deliberately malicious faults
Our approach for wrapping commercial off-the-shelf operating systems checks,
on line, the behavior observed at the kernel interface against a model of the
kernel's behavior in the absence of faults; a discrepancy reveals a fault before
its effect propagates to the application. Wrapper implementation is based on
the notion of a reflective microkernel.
Reflection and object technology can simplify the use of fault-tolerance
mechanisms and facilitate their reuse in different operational contexts. Recent
research has been directed at compile-time reflection for CORBA applications.
Currently, we are investigating the possible advantages of reflective middleware.
Fault Removal
Fault removal aims to reduce the number or the severity of faults. Our research
focuses on the removal of software design faults through testing.
Several quite diverse research directions are being explored in this wide
problem area. They have in common that they all target critical industrial
software systems for which current verification techniques are insufficient.
We are concentrating our research effort on: the role of testing in formal
development (as a complement to proof techniques), testing with respect to
safety properties (as a complement to proof and model-checking techniques),
testing of object-oriented software, and testing of metaobject protocols,
which are the cornerstone of reflective systems.
These research activities are enabling us, in particular, to extend the field
of application of statistical testing, which is a method for probabilistic
generation of test inputs that has been defined and applied with success in
our earlier work. All our theoretical results are supported by their application
to critical software systems, supplied in part by industrial partners.
Fault Forecasting
Fault forecasting is concerned with the estimation of the presence, the creation
and the consequences of faults. Our work is focused on evaluation of the
consequences of physical faults, design faults and deliberately malicious
faults on system dependability. Both analytical and experimental evaluation
techniques are considered.
Our current work on analytical evaluation is aimed at defining a method for
mastering the construction of complex models based on generalized stochastic
Petri nets. Starting with a high-level functional model, the dependability
model is established by successive refinements, taking into account the system
architecture and the required level of modeling detail. Our applications concern
instrumentation and control systems for nuclear power plants, and large-scale
systems (systems of systems).
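The following Python program is an added illustration of the analytical step, not a LAAS model or tool. A generalized stochastic Petri net whose timed transitions all fire after exponentially distributed delays has a reachability graph that is a continuous-time Markov chain; the program builds that graph for a small net, derives the generator matrix and solves for the steady-state distribution and availability. The net (two redundant controllers, each failing independently, one repair crew), the failure and repair rates and the 1-out-of-2 success criterion are assumptions made for the example; the net has no immediate transitions, so no vanishing markings need to be eliminated.

```python
# Assumed parameters (per hour); not values from the page.
LAMBDA = 1.0e-3   # failure rate of one controller
MU = 1.0e-1       # repair rate of the single repair crew

PLACES = ("up", "down")
# Transitions: (name, tokens consumed, tokens produced, marking-dependent rate).
TRANSITIONS = [
    ("fail", {"up": 1}, {"down": 1}, lambda m: LAMBDA * m["up"]),  # every up unit can fail
    ("repair", {"down": 1}, {"up": 1}, lambda m: MU),               # one crew: constant rate
]
M0 = {"up": 2, "down": 0}   # initial marking: both controllers working


def enabled(m, consume):
    return all(m[p] >= k for p, k in consume.items())


def fire(m, consume, produce):
    n = dict(m)
    for p, k in consume.items():
        n[p] -= k
    for p, k in produce.items():
        n[p] += k
    return n


def key(m):
    return tuple(m[p] for p in PLACES)


def reachability_graph(m0, transitions):
    """Breadth-first enumeration of reachable markings; returns the marking
    list (BFS order) and the arcs (src, dst, rate, transition name)."""
    start = key(m0)
    markings, order, arcs, queue = {start: m0}, [start], [], [start]
    while queue:
        k = queue.pop(0)
        m = markings[k]
        for name, cons, prod, rate in transitions:
            if enabled(m, cons):
                n = fire(m, cons, prod)
                nk = key(n)
                if nk not in markings:
                    markings[nk] = n
                    order.append(nk)
                    queue.append(nk)
                arcs.append((k, nk, rate(m), name))
    return order, arcs


def generator(order, arcs):
    """Infinitesimal generator Q of the CTMC underlying the net."""
    idx = {k: i for i, k in enumerate(order)}
    n = len(order)
    Q = [[0.0] * n for _ in range(n)]
    for src, dst, rate, _ in arcs:
        i, j = idx[src], idx[dst]
        Q[i][j] += rate
        Q[i][i] -= rate
    return Q


def steady_state(Q):
    """Solve pi*Q = 0 with sum(pi) = 1: transpose the system, replace its
    last (redundant) equation by the normalisation, Gauss-Jordan eliminate."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]
    b = [0.0] * n
    A[-1], b[-1] = [1.0] * n, 1.0
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p], b[c], b[p] = A[p], A[c], b[p], b[c]
        for r in range(n):
            if r != c and A[r][c] != 0.0:
                f = A[r][c] / A[c][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
                b[r] -= f * b[c]
    return [b[i] / A[i][i] for i in range(n)]


def availability(order, pi, required_up=1):
    """Steady-state probability that at least required_up controllers are up."""
    i_up = PLACES.index("up")
    return sum(p for k, p in zip(order, pi) if k[i_up] >= required_up)


if __name__ == "__main__":
    order, arcs = reachability_graph(M0, TRANSITIONS)
    pi = steady_state(generator(order, arcs))
    for k, p in zip(order, pi):
        print("marking up=%d down=%d  probability %.6e" % (k[0], k[1], p))
    print("availability (1-out-of-2): %.6f" % availability(order, pi))
    print("unavailability:            %.3e" % (1 - availability(order, pi)))
```

The refinement the text describes happens at the net level: adding a repair crew, a coverage factor or a common-mode failure transition changes TRANSITIONS and M0, while the reachability, generator and solver code stays the same, which is what makes a large model tractable to build incrementally.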
Part of our work on experimental evaluation concerns distributed,
interconnected heterogeneous systems with, as a concrete example, the LAAS
computer network (Figure 2). The aim of our work is to develop and apply methods
for evaluating system dependability from operational data.
Figure 2 Failure data analysis from the LAAS computer network
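The following Python program is an added illustration of the kind of computation behind such an analysis and is not the LAAS tool or LAAS data. The up/down event log is constructed for the example, as is the observation window; the measures computed (uptime, number of failures and repairs, MTTF as operating time per failure, MTTR as downtime per completed repair, availability as the fraction of the window the host was up) are the standard ones. The case a practitioner most often gets wrong is handled explicitly: a host still down at the end of the window contributes censored downtime and no completed repair, so its MTTR is undefined rather than silently zero.

```python
from collections import defaultdict
from datetime import datetime

# Constructed up/down event log (ISO timestamp, host, state); not real data.
LOG = """\
2001-03-01T00:00:00 srv1 up
2001-03-02T06:00:00 srv1 down
2001-03-02T08:00:00 srv1 up
2001-03-05T00:00:00 srv1 down
2001-03-05T12:00:00 srv1 up
2001-03-01T00:00:00 srv2 up
2001-03-04T00:00:00 srv2 down
"""
WINDOW_END = datetime.fromisoformat("2001-03-08T00:00:00")  # end of observation


def parse_log(text):
    """Group events by host, sorted by time. Returns {host: [(time, state)]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, state = line.split()
        if state not in ("up", "down"):
            raise ValueError(f"unexpected state in record: {line!r}")
        events[host].append((datetime.fromisoformat(ts), state))
    return {h: sorted(evs) for h, evs in events.items()}


def hours(delta):
    return delta.total_seconds() / 3600.0


def analyse(events, window_end):
    """Per-host uptime, downtime, failure and repair counts, MTTF, MTTR and
    availability over the window.  Consecutive identical states simply extend
    the current state; a host down at window_end has censored downtime."""
    stats = {}
    for host, evs in events.items():
        up_h = down_h = 0.0
        failures = repairs = 0
        prev_t, prev_state = evs[0]
        for t, state in evs[1:] + [(window_end, None)]:
            span = hours(t - prev_t)
            if span < 0:
                raise ValueError(f"{host}: event at {t} lies after window end")
            if prev_state == "up":
                up_h += span
            else:
                down_h += span
            if prev_state == "up" and state == "down":
                failures += 1
            if prev_state == "down" and state == "up":
                repairs += 1
            prev_t, prev_state = t, state
        total = up_h + down_h
        stats[host] = {
            "uptime_h": up_h,
            "downtime_h": down_h,
            "failures": failures,
            "repairs": repairs,
            "mttf_h": up_h / failures if failures else None,
            "mttr_h": down_h / repairs if repairs else None,
            "availability": up_h / total if total else None,
        }
    return stats


if __name__ == "__main__":
    for host, s in sorted(analyse(parse_log(LOG), WINDOW_END).items()):
        print(host, {k: (round(v, 4) if isinstance(v, float) else v)
                     for k, v in s.items()})
```

Over a seven-day window srv1 shows two failures repaired in two and twelve hours (MTTF 77 h, MTTR 7 h, availability about 0.917), while srv2 fails once and is never repaired before the window closes, so its availability reflects 96 hours of censored downtime and its MTTR is reported as unknown.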
Another research direction on experimental evaluation is concerned with the
characterization of commercial off-the-shelf executives by fault injection.
The targeted executives are real-time microkernels and, more recently, middleware
of the CORBA type.
The combined application of analytical and experimental evaluation methods
can be used for benchmarking systems from the dependability viewpoint. Our
current work is aimed at defining such dependability benchmarks. System
suppliers should then be able to publicize dependability measures that are
meaningful to future system users, and system purchasers should be able to
compare alternative solutions objectively.