ISRI Seminar Series

CyLab and the PhD Program in Computation, Organizations & Society present:

Prospects for Direct Assurance for Applications Software

Professor Bill Scherlis
Director, ISRI (Institute for Software Research International)
Director, PhD Program in Software Engineering
School of Computer Science, Carnegie Mellon University

Monday, March 13, 2006, 12pm, CIC Dec (Collaborative Innovation Center, First Floor)

Abstract:

The Fluid Project is creating practicable tools for programmers to assure and evolve Java software at scale. The project focuses on those "mechanical" program properties that tend to defy traditional testing and inspection regimes. Typically, these difficult properties have a non-local character: there may be no single place in the code where the error is manifest, and the errors may be non-deterministic and show up only intermittently. Examples include race conditions (whether access is managed by locks or by policy), regulation of access to critical shared data, deadlocks, and the like.

One of the challenges of building analysis-based software assurance tools is that information about design intent is missing: code is not self-documenting. When intent is not provided explicitly, analysis tools must guess it, which can trigger additional false positive warnings, i.e., warnings of defects where there are none. Conversely, when tools embody an insufficiently deep understanding of the code, analysis results will be incomplete and there will be false negatives, i.e., defects that lurk in the code but are not identified by the tool.

Addressing these challenges in at-scale production code has proven difficult in practice. There is the business-case difficulty of making a cost-benefit case for extracting design intent from developers working on deadline.
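The kind of non-local race the abstract describes, as an added illustration that is not code from the talk or from the Fluid Project's tools. The class names, the balance invariant and the "guarded by" comment are assumptions of this example, not Fluid annotations; the comment stands in for the design intent an analysis tool would otherwise have to guess:

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicLong;

// Added example, not code from the talk or from the Fluid Project.
// The lock policy is stated only as a comment; nothing in the language enforces it.
final class Account {
    private final Object lock = new Object();
    private long balance;  // design intent (assumed, comment only): guarded by `lock`

    long balance() {
        synchronized (lock) { return balance; }
    }

    // Site A honours the lock policy.
    void deposit(long amount) {
        synchronized (lock) { balance += amount; }
    }

    // Site B, written elsewhere and later, does not. Nothing at this site is
    // wrong on its own; the defect exists only in relation to deposit() and
    // balance(), so no single inspection or single-threaded test reveals it.
    boolean withdrawUnsafe(long amount) {
        if (balance >= amount) {  // unsynchronized check-then-act
            balance -= amount;    // lost update when it interleaves with deposit()
            return true;
        }
        return false;
    }

    // Site B as the declared policy requires.
    boolean withdraw(long amount) {
        synchronized (lock) {
            if (balance < amount) return false;
            balance -= amount;
            return true;
        }
    }
}

public class RaceDemo {
    // Two threads hammer one account. Returns whether the invariant
    // balance == deposits - successful withdrawals held at the end.
    // With the unsafe path it fails only intermittently; with the locked path
    // it always holds.
    static boolean invariantHolds(boolean useLock) throws Exception {
        final int n = 200_000;
        Account acct = new Account();
        AtomicLong withdrawn = new AtomicLong();
        ExecutorService pool = Executors.newFixedThreadPool(2);
        Future<?> depositor = pool.submit(() -> {
            for (int i = 0; i < n; i++) acct.deposit(1);
        });
        Future<?> withdrawer = pool.submit(() -> {
            for (int i = 0; i < n; i++) {
                boolean ok = useLock ? acct.withdraw(1) : acct.withdrawUnsafe(1);
                if (ok) withdrawn.incrementAndGet();
            }
        });
        depositor.get();
        withdrawer.get();
        pool.shutdown();
        // Future.get() establishes happens-before, so this read is consistent.
        return acct.balance() == n - withdrawn.get();
    }

    public static void main(String[] args) throws Exception {
        for (int round = 1; round <= 5; round++) {
            System.out.println("round " + round
                + "  unsafe invariant holds: " + invariantHolds(false)
                + "  locked invariant holds: " + invariantHolds(true));
        }
    }
}
```

Save as RaceDemo.java, compile with javac and run with java RaceDemo. The unsafe rounds report false only some of the time, which is the intermittent manifestation the abstract refers to; a test that happens to pass says nothing. The defect is a property of the pair of sites, not of either one, and a checker can only report the violation at withdrawUnsafe if it knows the field is meant to be guarded by the lock, which is exactly the design intent the abstract says must be supplied rather than guessed.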
There is also the technical difficulty of developing semantics-based tools that operate effectively at scale, including addressing the realities of modern software application frameworks. The Fluid Project takes the approach of (1) focusing on particular assurance attributes in code, including critical aspects of engaging with APIs and frameworks, (2) developing new analyses designed specifically for composition-based scalability, and (3) driving major decisions regarding the user experience from the perspective of costs and benefits to individual developers and their managers.

The talk sets context and presents a summary of results, including a demonstration of the tool, case study results from field trials, and lessons learned regarding the market and measurement issues associated with practicable software assurance.

Bio:

William L. Scherlis is a full Professor in the School of Computer Science at Carnegie Mellon. He is the founding director of CMU's PhD Program in Software Engineering and director of CMU's Institute for Software Research International (ISRI). His research relates to software assurance, software evolution, and technology to support software teams. Dr. Scherlis joined the CMU faculty after completing a PhD in Computer Science at Stanford University, a year at the University of Edinburgh (Scotland) as a John Knox Fellow, and an A.B. at Harvard University. He is lead Principal Investigator of the five-year High Dependability Computing Project (HDCP), in which CMU leads a collaboration with five universities to help NASA address long-term software dependability challenges. He is also co-Principal Investigator (with two colleagues) of a new four-year project with NASA and diverse industry and laboratory subcontractors focused on dependable real-time and embedded software systems.
Scherlis is involved in a number of activities related to technology and policy, recently testifying before Congress on innovation and information technology and, previously, on roles for a Federal CIO. He interrupted his career at CMU to serve at DARPA for six years, departing in 1993 as the senior executive responsible for coordination of software research. While at DARPA he had responsibility for research and strategy in computer security, aspects of high performance computing, information infrastructure, and other topics. Scherlis is a member of the National Research Council (NRC) study committee on cybersecurity and of the DARPA Information Science and Technology Study Group (ISAT). He recently completed chairing an NRC study on information technology, innovation, and e-government. He has led or participated in national studies related to cybersecurity, crisis response, analyst information management, Department of Defense software management, and health care informatics infrastructure. He has been an advisor to major IT companies. He has served as program chair for a number of technical conferences, including the ACM Foundations of Software Engineering (FSE) Symposium. He has more than 70 scientific publications.