Aaron Greenhouse - Academia.edu (original) (raw)
Papers by Aaron Greenhouse
The importance of security in computer and information systems is increasing as network-connected... more The importance of security in computer and information systems is increasing as network-connected computer systems become more ubiquitous. The objective of security is to verify that the computing platform is secured and that data and information are properly accessed and handled by users and applications, ensuring data confidentiality and integrity. To develop a framework for modeling and verifying security as a data quality attribute, designers need to identify parameters and variables with the expressive power to capture and represent security models and determine the type of analysis to enable. This report presents an approach for modeling and validating confidentiality based on the Bell–LaPadula security model using the Architecture Analysis and Design Language (AADL). The report describes the Bell–LaPadula security model and elaborates how security and Bell–LaPadula attributes are mapped to concepts and represented in AADL. It then describes modeling and validating security in...
Assuring and evolving concurrent programs requires understanding the concurrencyrelated design de... more Assuring and evolving concurrent programs requires understanding the concurrencyrelated design decisions used in their implementation. In Java-style shared-memory programs, these decisions include which state is shared, how access to it is regulated, and the policy that distinguishes desired concurrency from race conditions. Source code often does not reveal these design decisions because they rarely have purely local manifestations in the code, or because they cannot be inferred from code. Many programmers believe it is too difficult to explicate the models in ordinary practice. As a result, this design intent is usually not expressed, and it is therefore generally infeasible to assure that concurrent programs are free of race conditions. This thesis is about a practicable approach to capturing and expressing design intent, and, through the use of annotations and composable static analyses, assuring consistency of code and intent as both evolve. We use case studies from production Java code and a prototype analysis tool to explore the costs and benefits of a new annotationbased approach for expressing design intent. Our annotations express "mechanical" properties that programmers must already be considering, such as lock-state associations, uniqueness of references, and conceptual aggregations of state. Our analyses reveal race conditions in a variety of case study samples which were drawn from library code and production open source projects. We developed a prototype tool that embodies static analysis techniques for assuring consistency between code and models (expressed as code annotations). Our experience with the tool provides some preliminary evidence of the practicability of our approach for ordinary programmers on deadlines. The dominant design consideration for the tool was adherence to the principle of "early gratification"-some assurance can be obtained with minimal or no annotation effort, and additional increments of annotation are rewarded with additional increments of assurance. The novel technical features of this approach include (1) regions as flexible aggregations of state that can cross object boundaries, (2) a region-based object-oriented effects system; (3) analysis to track the association of locks with regions, (4) policy descriptions for allowable method interleavings, and (5) an incremental process for inserting, validating, and exploiting annotations. It's been a longer journey than I originally intended, but I'm finally done with my dissertation. This was not a solitary journey, and I owe thanks to the many people who gave me support along the way. Obviously, I would like to thank my advisor, Bill Scherlis, for his invaluable advice, guidance, encouragement, and enthusiasm. I'd like to thank my co-advisor, Thomas Gross, and the rest of my committee for their time and for the helpful feedback they have provided. My research wasn't performed in a vacuum, and without the research and engineering results of the other members of the Fluid Group, this dissertation would never have been possible. Thank you,
Senior honors Thesis--Brandeis University, 1996. Includes bibliographical references (leaves 26-27).
Proceedings of the 24th international conference on Software engineering - ICSE '02, 2002
Concurrency if (!anonymous) manager.checkAccess(); filter = newFilter; } public void log(LogRecor... more Concurrency if (!anonymous) manager.checkAccess(); filter = newFilter; } public void log(LogRecord record) { ... synchronized (this) { if (filter != null && !filter.isLoggable(record)) return; } ... } ... } Consider log() in isolation /** ... All methods on Logger are multi-thread safe. */ public class Logger { ... private Filter filter; /** ... * @param newFilter a filter object (may be null) */ public void setFilter(Filter newFilter) ... { if (!anonymous) manager.checkAccess();
ACM SIGSOFT Software Engineering Notes, 2003
We introduce a thread colors model as a way to express design intent concerning the relationships... more We introduce a thread colors model as a way to express design intent concerning the relationships between threads, executable code, and shared state. By expressing the model as annotations in code, it is possible to formally link the model with source code and to analyze the consistency of model and code in a composable manner. By using annotations as cut-points, APIs can be annotated and compliance with library threading policies can be evaluated. This is illustrated using case study examples from published code that show how thread coloring models can assist in assuring policy compliance and in identifying concurrency errors.
In this paper we discuss and demonstrate how to conduct validation of data quality attributes, e.... more In this paper we discuss and demonstrate how to conduct validation of data quality attributes, e.g., security, data accuracy, data confidence, and temporal correctness, can be modeled and validated using an architecture description language such as AADL. We focus on security, specifically confidentiality.
Lecture Notes in Computer Science, 1999
An effects systems describes how state may be accessed during the execution of some program compo... more An effects systems describes how state may be accessed during the execution of some program component. This information is used to assist reasoning about a program, such as determining whether data dependencies may exist between two computations. We define an effects system for Java that preserves the abstraction facilities that make objectoriented programming languages attractive. Specifically, a subclass may extend abstract regions of mutable state inherited from the superclass. The effects system also permits an object's state to contain the state of wholly-owned subsidiary objects. In this paper, we describe a set of annotations for declaring permitted effects in method headers, and show how the actual effects in a method body can be checked against the permitted effects.
Effort sponsored in part through the High Dependability Computing Program from NASA Ames cooperat... more Effort sponsored in part through the High Dependability Computing Program from NASA Ames cooperative agree-ment NCC-2-1298, in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Lab-oratory (AFRL), Air Force Materiel Command, USAF, under agreement number F30602-99-2-0522, and in part through the Carnegie Mellon School of Computer Science Siebel Scholars Program.
Science of Computer Programming, 2005
Evolving and refactoring concurrent Java software can be error-prone, resulting in race condition... more Evolving and refactoring concurrent Java software can be error-prone, resulting in race conditions and other concurrency difficulties. We suggest that there are two principal causes: Concurrency design intent is often not explicit in code and, additionally, consistency of intent and code cannot easily be established through either testing or inspection. We explore several aspects of this issue in this paper. First, we describe a toolassisted approach to modeling and assurance for concurrent programs. Second, we give an account of recent case-study experience on larger-scale production Java systems. Third, we suggest an approach to scalable co-evolution of code and models that is designed to support working programmers without special training or incentives. Fourth, we propose some concurrency-related refactorings that, with suitable analysis and tool support, can potentially offer assurances of soundness.
In languages such as Java and Ada, there are a number of significant concurrency-related design d... more In languages such as Java and Ada, there are a number of significant concurrency-related design decisions that may not be manifest locally in code. These include, for example, the identification of shared state, how that state is protected, which threads may visit that state, and so on. These decisions relate threads, code, and shared data. We describe new UML-style diagrams that can help make explicit some useful aspects of these relationships. In addition, by using lightweight annotations on source code, we can document how these decisions are realized. By combining diagrams and annotations, we can support both forward and reverse engineering, using tools and analyses to keep the diagrams consistent with the annotated code.
Proceedings of the 2003 OOPSLA workshop on eclipse technology eXchange - eclipse '03, 2003
Assuring and evolving concurrent programs requires understanding the concurrency-related design d... more Assuring and evolving concurrent programs requires understanding the concurrency-related design decisions used in their implementation. Source code often does not reveal these design decisions because they may not have purely local manifestations in the code, or because they cannot be inferred from code. As a result, this design intent is usually not expressed, and it is therefore generally infeasible to assure that concurrent programs are free of race conditions. We describe a prototype Eclipse-based tool developed as part of research toward a practicable approach to capturing and assuring design intent. Through the use of annotations and composable static analyses we can help assure consistency of code and intent as both evolve. The dominant design consideration for the tool is the principle of "early gratification"-some assurance can be obtained with minimal or no annotation effort, and additional increments of annotation or other effort are rewarded with additional increments of assurance. 1 /** @lock BufLock is this protects Instance */ 2 public class BoundedFIFO { 3 /** @aggregate [] into Instance 4
The importance of security in computer and information systems is increasing as network-connected... more The importance of security in computer and information systems is increasing as network-connected computer systems become more ubiquitous. The objective of security is to verify that the computing platform is secured and that data and information are properly accessed and handled by users and applications, ensuring data confidentiality and integrity. To develop a framework for modeling and verifying security as a data quality attribute, designers need to identify parameters and variables with the expressive power to capture and represent security models and determine the type of analysis to enable. This report presents an approach for modeling and validating confidentiality based on the Bell–LaPadula security model using the Architecture Analysis and Design Language (AADL). The report describes the Bell–LaPadula security model and elaborates how security and Bell–LaPadula attributes are mapped to concepts and represented in AADL. It then describes modeling and validating security in...
Assuring and evolving concurrent programs requires understanding the concurrencyrelated design de... more Assuring and evolving concurrent programs requires understanding the concurrencyrelated design decisions used in their implementation. In Java-style shared-memory programs, these decisions include which state is shared, how access to it is regulated, and the policy that distinguishes desired concurrency from race conditions. Source code often does not reveal these design decisions because they rarely have purely local manifestations in the code, or because they cannot be inferred from code. Many programmers believe it is too difficult to explicate the models in ordinary practice. As a result, this design intent is usually not expressed, and it is therefore generally infeasible to assure that concurrent programs are free of race conditions. This thesis is about a practicable approach to capturing and expressing design intent, and, through the use of annotations and composable static analyses, assuring consistency of code and intent as both evolve. We use case studies from production Java code and a prototype analysis tool to explore the costs and benefits of a new annotationbased approach for expressing design intent. Our annotations express "mechanical" properties that programmers must already be considering, such as lock-state associations, uniqueness of references, and conceptual aggregations of state. Our analyses reveal race conditions in a variety of case study samples which were drawn from library code and production open source projects. We developed a prototype tool that embodies static analysis techniques for assuring consistency between code and models (expressed as code annotations). Our experience with the tool provides some preliminary evidence of the practicability of our approach for ordinary programmers on deadlines. The dominant design consideration for the tool was adherence to the principle of "early gratification"-some assurance can be obtained with minimal or no annotation effort, and additional increments of annotation are rewarded with additional increments of assurance. The novel technical features of this approach include (1) regions as flexible aggregations of state that can cross object boundaries, (2) a region-based object-oriented effects system; (3) analysis to track the association of locks with regions, (4) policy descriptions for allowable method interleavings, and (5) an incremental process for inserting, validating, and exploiting annotations. It's been a longer journey than I originally intended, but I'm finally done with my dissertation. This was not a solitary journey, and I owe thanks to the many people who gave me support along the way. Obviously, I would like to thank my advisor, Bill Scherlis, for his invaluable advice, guidance, encouragement, and enthusiasm. I'd like to thank my co-advisor, Thomas Gross, and the rest of my committee for their time and for the helpful feedback they have provided. My research wasn't performed in a vacuum, and without the research and engineering results of the other members of the Fluid Group, this dissertation would never have been possible. Thank you,
Senior honors Thesis--Brandeis University, 1996. Includes bibliographical references (leaves 26-27).
Proceedings of the 24th international conference on Software engineering - ICSE '02, 2002
Concurrency if (!anonymous) manager.checkAccess(); filter = newFilter; } public void log(LogRecor... more Concurrency if (!anonymous) manager.checkAccess(); filter = newFilter; } public void log(LogRecord record) { ... synchronized (this) { if (filter != null && !filter.isLoggable(record)) return; } ... } ... } Consider log() in isolation /** ... All methods on Logger are multi-thread safe. */ public class Logger { ... private Filter filter; /** ... * @param newFilter a filter object (may be null) */ public void setFilter(Filter newFilter) ... { if (!anonymous) manager.checkAccess();
ACM SIGSOFT Software Engineering Notes, 2003
We introduce a thread colors model as a way to express design intent concerning the relationships... more We introduce a thread colors model as a way to express design intent concerning the relationships between threads, executable code, and shared state. By expressing the model as annotations in code, it is possible to formally link the model with source code and to analyze the consistency of model and code in a composable manner. By using annotations as cut-points, APIs can be annotated and compliance with library threading policies can be evaluated. This is illustrated using case study examples from published code that show how thread coloring models can assist in assuring policy compliance and in identifying concurrency errors.
In this paper we discuss and demonstrate how to conduct validation of data quality attributes, e.... more In this paper we discuss and demonstrate how to conduct validation of data quality attributes, e.g., security, data accuracy, data confidence, and temporal correctness, can be modeled and validated using an architecture description language such as AADL. We focus on security, specifically confidentiality.
Lecture Notes in Computer Science, 1999
An effects systems describes how state may be accessed during the execution of some program compo... more An effects systems describes how state may be accessed during the execution of some program component. This information is used to assist reasoning about a program, such as determining whether data dependencies may exist between two computations. We define an effects system for Java that preserves the abstraction facilities that make objectoriented programming languages attractive. Specifically, a subclass may extend abstract regions of mutable state inherited from the superclass. The effects system also permits an object's state to contain the state of wholly-owned subsidiary objects. In this paper, we describe a set of annotations for declaring permitted effects in method headers, and show how the actual effects in a method body can be checked against the permitted effects.
Effort sponsored in part through the High Dependability Computing Program from NASA Ames cooperat... more Effort sponsored in part through the High Dependability Computing Program from NASA Ames cooperative agree-ment NCC-2-1298, in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Lab-oratory (AFRL), Air Force Materiel Command, USAF, under agreement number F30602-99-2-0522, and in part through the Carnegie Mellon School of Computer Science Siebel Scholars Program.
Science of Computer Programming, 2005
Evolving and refactoring concurrent Java software can be error-prone, resulting in race condition... more Evolving and refactoring concurrent Java software can be error-prone, resulting in race conditions and other concurrency difficulties. We suggest that there are two principal causes: Concurrency design intent is often not explicit in code and, additionally, consistency of intent and code cannot easily be established through either testing or inspection. We explore several aspects of this issue in this paper. First, we describe a toolassisted approach to modeling and assurance for concurrent programs. Second, we give an account of recent case-study experience on larger-scale production Java systems. Third, we suggest an approach to scalable co-evolution of code and models that is designed to support working programmers without special training or incentives. Fourth, we propose some concurrency-related refactorings that, with suitable analysis and tool support, can potentially offer assurances of soundness.
In languages such as Java and Ada, there are a number of significant concurrency-related design d... more In languages such as Java and Ada, there are a number of significant concurrency-related design decisions that may not be manifest locally in code. These include, for example, the identification of shared state, how that state is protected, which threads may visit that state, and so on. These decisions relate threads, code, and shared data. We describe new UML-style diagrams that can help make explicit some useful aspects of these relationships. In addition, by using lightweight annotations on source code, we can document how these decisions are realized. By combining diagrams and annotations, we can support both forward and reverse engineering, using tools and analyses to keep the diagrams consistent with the annotated code.
Proceedings of the 2003 OOPSLA workshop on eclipse technology eXchange - eclipse '03, 2003
Assuring and evolving concurrent programs requires understanding the concurrency-related design d... more Assuring and evolving concurrent programs requires understanding the concurrency-related design decisions used in their implementation. Source code often does not reveal these design decisions because they may not have purely local manifestations in the code, or because they cannot be inferred from code. As a result, this design intent is usually not expressed, and it is therefore generally infeasible to assure that concurrent programs are free of race conditions. We describe a prototype Eclipse-based tool developed as part of research toward a practicable approach to capturing and assuring design intent. Through the use of annotations and composable static analyses we can help assure consistency of code and intent as both evolve. The dominant design consideration for the tool is the principle of "early gratification"-some assurance can be obtained with minimal or no annotation effort, and additional increments of annotation or other effort are rewarded with additional increments of assurance. 1 /** @lock BufLock is this protects Instance */ 2 public class BoundedFIFO { 3 /** @aggregate [] into Instance 4