Developing and Maintaining the Assurance of Software with Open-Source Components: Challenges and Tools

Today, Open-Source Software (OSS) is often used in business-critical systems, including software for Cyber-Physical Systems. The current practice of relying on OSS for components or infrastructure makes business sense, but that alone is not sufficient for safety-critical or high-security applications. Clearly, OSS needs to be curated before integration into critical systems. Curation involves the evaluation and validation of the software for the larger project's purpose(s). Once curated, the OSS repository is often ‘forked’, and a local copy is used by the developers.

The assurance of large-scale, critical software systems is complicated not only by their reliance on OSS, but by their sheer size and complexity as well. Software is constructed and supported by a team of developers and testers who use multiple software engineering tools and source code repositories, each of which plays a role in the assurance of the overall software system. Hence, even if the OSS is curated, it must still become the subject of the software assurance process. The assurance activities rely on various assurance artifacts: proofs, verification tool logs, test results, human review results, etc. The challenge is the management and tracking of such artifacts in the context of a highly dynamic, agile development process, executed by distributed teams and supported by many version-controlled repositories of specifications, models, source code, and other engineering products.

The project described here has developed an approach and a suite of supporting tools that enable such dynamic assurance of a software product. The approach relies on the construction and continuous evolution of structured assurance arguments, which are linked to evidence artifacts that support assurance claims. These evidence artifacts are linked, in turn, to ‘implementation’ artifacts, including source code, test code, test cases, etc., which are, in turn, linked to design artifacts, including models, specifications, etc. For the assurance argument a domain-specific language was designed, from which a visual presentation of the argument is generated. The links connecting the artifacts described above are managed and supported by a dependency tracking system that is integrated with conventional IDEs, modeling tools, and the source code management system (git). This tool suite allows the creation and maintenance of complex dependency chains, i.e., the management of the ‘assurance provenance’.
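To make the dependency chain concrete, the following is an added toy model (not the project's tool suite) of the claim → evidence → implementation → design links described above. It records a content digest for each dependency at validation time, the way a git-integrated tracker would record a commit or blob hash, and then reports which assurance claims become stale when an artifact further down the chain changes. All artifact names and contents are constructed for the illustration.

```python
"""Toy 'assurance provenance' tracker: claim -> evidence -> implementation -> design.
Constructed illustration; names, contents and the tracking scheme are assumptions."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Artifact:
    name: str
    kind: str                                        # "claim", "evidence", "impl" or "design"
    content: bytes
    depends_on: list = field(default_factory=list)   # artifacts this one relies on
    recorded: dict = field(default_factory=dict)     # dependency name -> digest seen at validation

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    def record(self) -> None:
        """Snapshot the digests of direct dependencies when this artifact is (re)validated."""
        self.recorded = {d.name: d.digest() for d in self.depends_on}


def stale(a: Artifact) -> bool:
    """Stale if any dependency's current digest differs from the recorded one,
    or if any dependency is itself stale (staleness propagates up the chain)."""
    return any(a.recorded.get(d.name) != d.digest() or stale(d) for d in a.depends_on)


def stale_claims(claims) -> list:
    """Names of top-level claims whose supporting chain is no longer valid."""
    return [c.name for c in claims if stale(c)]


def build_chain():
    """Constructed four-level chain: spec <- source <- test log <- claim."""
    spec = Artifact("controller.spec", "design", b"rate limit 10 Hz")
    src = Artifact("controller.c", "impl", b"int rate = 10;", [spec])
    test_log = Artifact("test_rate.log", "evidence", b"PASS rate==10", [src])
    claim = Artifact("C1: controller respects rate limit", "claim", b"", [test_log])
    for a in (src, test_log, claim):
        a.record()                                   # everything validated against current state
    return spec, src, test_log, claim


if __name__ == "__main__":
    spec, src, test_log, claim = build_chain()
    print(stale_claims([claim]))                     # [] : chain is consistent
    src.content = b"int rate = 20;"                  # a developer edits the implementation
    print(stale_claims([claim]))                     # the claim's evidence is now out of date
```

Re-running the test and calling `record()` on the evidence and claim artifacts would bring the chain back to a consistent state; changing the spec instead would mark the source (and everything above it) stale.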

The talk will highlight the challenges of assuring complex software systems that incorporate OSS, and present the proposed solution, as well as tools to support the continuous development, integration, and assurance process.


Dr. Gabor Karsai is Distinguished Professor of Computer Science and Electrical and Computer Engineering at Vanderbilt University and Senior Research Scientist at the Institute for Software-Integrated Systems. He has over thirty years of experience in research on systems and software engineering. He conducts research in the model-based design and implementation of cyber-physical systems, domain-specific languages, programming tools for visual programming environments, and the theory and practice of model-integrated computing. He has worked on several DARPA projects in the past on scheduling, fault-adaptive control, and distributed resilient embedded systems. Recently he has led an ARPA-E project on a Resilient Information Architecture Platform for Smart Grid that is currently used in a DOD project that is building a reusable, open-source microgrid control system. Since 2018 he has been leading a DARPA project on the assurance-driven development of cyber-physical systems with learning-enabled software components.

License: CC-3.0
Submitted by Amy Karns on