Summary of a Workshop on Software Certification and Dependability

B
Panelist Biographies

PANEL A: THE STRENGTHS AND LIMITATIONS OF PROCESS

Isaac Levendel is an executive technology leader with 30 years of experience in managing large teams responsible for developing software and hardware products in telecommunications and computing. He has held leadership positions in all product development phases from the front-end to factory level and in customer support. His work has focused on on-time delivery of quality products to outside customers. Levendel has achieved international recognition in hardware and software quality assessment and prediction, fault tolerance and dependability, and software technologies. He has authored numerous publications and books and has earned several patents, awards, and honors. Levendel spent many years at Lucent and Motorola. Currently he works as an independent consultant on company start-up and delivers concentrated workshops on software development cost-effectiveness. Levendel earned a B.S. in hardware engineering from Technion Israel, an M.S. in computer science from the Weizmann Institute of Science, and a Ph.D. in computer engineering from the University of Southern California.


Gary McGraw is chief technology officer at Cigital (formerly Reliable Software Technologies). Working with Cigital Professional Services and Cigital Labs, McGraw sets software quality management technology strategy and oversees the Cigital technology transfer process. His aim is to bridge the gap between cutting-edge science and real-world applicability and to transfer advanced technologies for use in the field. In addition to consulting with major commercial software vendors and consumers, he founded Cigital’s Software Security Group and chairs the Cigital Corporate Technology Council. He has written more than 50 peer-reviewed technical publications and functions as principal investigator on grants from the Air Force Research Laboratory, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on the advisory boards of Authentica, Counterpane, Fortify, and Indigo Security as well as advising the Computer Science Department at the University of California at Davis. He writes a monthly column on software security for Software Development magazine and is a department editor for IEEE Security and Privacy magazine. McGraw is coauthor of five popular books: Exploiting Software; Java Security: Hostile Applets, Holes, & Antidotes; Software Fault Injection: Inoculating Programs against Errors; Securing Java: Getting Down to Business with Mobile Code; and Building Secure Software. McGraw holds a B.A. in philosophy from the University of Virginia and a dual Ph.D. in cognitive science and computer science from Indiana University.








Peter Neumann is principal scientist at SRI International’s Computer Science Laboratory. He is concerned with computer systems and networks, security, reliability, survivability, safety, and many risk-related issues such as voting-system integrity, crypto policy, social implications, and human needs including privacy. He moderates the ACM Risks Forum, edits CACM's monthly Inside Risks column, chairs the ACM Committee on Computers and Public Policy, cofounded People for Internet Responsibility (PFIR), and cofounded the Union for Representative International Internet Cooperation and Analysis (URIICA). Neumann is a fellow of the ACM, IEEE, and AAAS, and is also an SRI fellow. He is a member of the U.S. General Accounting Office Executive Council on Information Management and Technology and of the California Office of Privacy Protection advisory council. Prior to joining SRI International, Neumann was at Bell Labs, during which time he was heavily involved in the Multics development jointly with MIT and Honeywell. In addition, he has served on the faculties at Stanford University, the University of California at Berkeley, and the University of Maryland. He is the 2002 recipient of the National Computer System Security Award. He received a Ph.D. from Harvard University and the Technical University of Darmstadt.

PANEL B: LOOKING FORWARD: NEW CHALLENGES, NEW OPPORTUNITIES

Robert Harper is a professor of computer science at Carnegie Mellon University, where he has been a member of the faculty since 1988. From 1985 to 1988 he was a research fellow in the Laboratory for Foundations of Computer Science at Edinburgh University. His research is concerned with the development and application of type theory to computer programming. As a graduate student he was a charter member of the PRL Project, which pioneered the mechanization of constructive type theory as a foundation for a comprehensive proof and program development system. While at Edinburgh, Harper collaborated with Robin Milner on the design, semantics, and implementation of Standard ML. He designed and built the first implementation of the Standard ML module system, and he coauthored (with Milner and Mads Tofte) The Definition of Standard ML, which consists of the static and dynamic semantics of the language. Also at Edinburgh he collaborated with Gordon Plotkin on the design of the LF Logical Framework. At Carnegie Mellon, Harper, together with Peter Lee and Frank Pfenning, directed the Fox Project, which sought to apply fundamental programming language theory and advanced compiler technology to the practice of building systems. His work on the Fox Project includes fundamental research on type systems for modular programming, the development of typed intermediate languages, type-directed translation to support efficient compilation methods, and the construction of certifying compilers. Harper’s current research interests are type refinements for programming languages, applications of language technology to grid computing, and the use of self-adjusting computation to implement incremental and dynamic algorithms. Harper earned a Ph.D. from Cornell University in 1985.

Shriram Krishnamurthi is an assistant professor of computer science at Brown University. His research lies at the confluence of programming languages, software engineering, and computer-aided verification. His recent work has focused on the semantics, verification, and use of new forms of software composition and interaction. He is a coauthor of the DrScheme programming environment, the FASTLINK genetic linkage analysis package, and the book How to Design Programs. He has more recently written the text Programming Languages: Application and Interpretation. He also coordinates the TeachScheme! high school computer science outreach program. Krishnamurthi earned his Ph.D. from Rice University.

James Larus is an assistant director of Microsoft Research. In his career, he has applied programming languages and compiler technology and techniques to many areas of computer science. From 1989 until 1999, Larus was a professor of computer science at the University of Wisconsin-Madison. His research covered a number of areas: new and far more efficient techniques for measuring and recording executing programs’ behavior, tools for analyzing and manipulating compiled and linked programs, new programming languages, tools for verifying program correctness, and techniques for compiler analysis and optimization. In addition, he comanaged the DARPA- and NSF-sponsored Wisconsin Wind Tunnel research project, which developed new computer architectures and programming techniques for shared-memory parallel computing. After a sabbatical at Microsoft Research, Larus decided to stay and establish the Software Productivity Tools (SPT) research group in Microsoft Research. This group has developed, built, and demonstrated advanced tools that improve the design, development, debugging, and testing of software. Larus received an A.B. from Harvard College and an M.S. and a Ph.D. from the University of California, Berkeley.

André van Tilborg is director of the Information Systems Directorate in the Office of the Deputy Under Secretary of Defense (Science and Technology). He has oversight responsibility for the information technology research programs of the military services and agencies, including DARPA. Prior to assuming this position in 2002, van Tilborg served, starting in 1994, as director of the Mathematical, Computer, and Information Sciences and Technology Division at the Office of Naval Research. He joined ONR in 1987 and was promoted to director of the Computer Science Division in 1989. From 1984 to 1986, he was employed as a research faculty member in the Computer Science Department at Carnegie Mellon University. His specialized areas of research included decentralized resource management of distributed computing systems and networks, and real-time embedded computing systems. In 1983-1984, van Tilborg was employed as principal computer systems scientist at Honeywell Systems and Research Center, where he was program manager of the Secure Ada Target trusted computer project. Prior to working at Honeywell, he was principal computer scientist at Cornell Aeronautical Laboratory, where he served as head of the Distributed Computing Division. He is the author of approximately 30 open-literature refereed technical publications and the editor of two books on real-time computing systems. He has served as conference chair and program chair for numerous international symposia, conferences, and workshops, particularly in the distributed and real-time computing systems technical areas. He holds a Ph.D. in computer science from the State University of New York.

PANEL C: CERTIFICATION AND REGULATORY EXPERIENCE AND ISSUES

Brent Goldfarb is an assistant professor of management and entrepreneurship at the Robert H. Smith School of Business at the University of Maryland. Goldfarb studies how the production and exchange of technology differ from those for more traditional economic goods, and the implications of these differences for both business and public policy. Goldfarb’s research has focused on government procurement of research at universities and the sale of and subsequent commercial development of their technologies. In particular, he has asked how research funds and incentives of knowledge producers are structured, and when the uncertainty inherent in producing and describing new technologies leads to poor market outcomes. A key result of this research is that while markets are problematic mediums for technology exchange, key institutions often evolve to mitigate problems. Goldfarb earned an undergraduate degree in computer science and economics from Tel-Aviv University in 1996 and earned his Ph.D. in economics from Stanford University in 2002.

Mats Heimdahl is currently a McKnight Presidential Fellow and an associate professor of computer science and engineering at the University of Minnesota. In addition, he is the director of the University of Minnesota Software Engineering Center (UMSEC). His research interests are in software engineering, safety-critical systems, software safety, testing, requirements engineering, formal specification languages, and automated analysis of specifications. He is currently pursuing his interest in the following areas: static analysis of system and software requirements, for example, through model checking and theorem proving; how dynamic methods (e.g., simulation and testing) can be used to validate requirements specifications; model-based software development; automated test case generation; and software certification. Heimdahl is the recipient of the NSF CAREER award, a McKnight Land-Grant Professorship, and the McKnight Presidential Fellow award at the University of Minnesota. He earned an M.S. in computer science and engineering from the Royal Institute of Technology in Stockholm, Sweden, and a Ph.D. in information and computer science from the University of California at Irvine.

Charles Howell is a consulting engineer for software assurance in the Center for Innovative Computing and Informatics at the MITRE Corporation. The center focuses on exploring, evaluating, and applying advanced information technologies in critical systems for a wide range of organizations. His current interests include tools and notations to support the development, review, and maintenance of assurance cases for software-intensive systems, and approaches to make large networked information systems more robust (i.e., less fragile). He is the principal investigator for a MITRE research project on high-confidence software. He recently chaired a DARPA panel developing a research agenda for building trustworthy systems and led an effort for the Office of the Deputy Under Secretary of Defense for Science and Technology evaluating science and technology requirements for software-intensive systems. Howell is the author of the article “Dependability” in John Wiley & Sons’ second edition of the Encyclopedia of Software Engineering and coauthor of the book Solid Software. He is a senior member of the IEEE and holds an active Top Secret/SCI clearance. Howell holds a B.S. in mathematical sciences from Virginia Commonwealth University.

Robert Noel is a lead software systems engineer with MITRE’s Center for Air Force C2 Systems. Noel has been working in military Air Traffic Control, Landing Systems, and Avionics certification programs since 1989. Most recently, he has been supporting the Battle Control System programs, which are modernizing the equipment used in the U.S. Air Defense Sectors for Air Battle Management. Prior to that, Noel was the lead software engineer for the USAF office responsible for Global Air Traffic Management (GATM) and Navigation Safety certification of USAF aircraft (1997-2002). Noel received a B.S. in math from the University of Lowell in 1984 and an M.S. in system engineering from Boston University in 1994.

PANEL D: ORGANIZATIONAL CONTEXT, INCENTIVES, SAFETY CULTURE, AND MANAGEMENT

Richard Cook is a physician, educator, and researcher at the University of Chicago. His current research interests include the study of human error, the role of technology in human expert performance, and patient safety. Cook graduated from Lawrence University in Appleton, Wisconsin, where he was a Scholar of the University. He then worked in the computer industry in supercomputer system design and engineering applications. He received the M.D. degree from the University of Cincinnati in 1986, where he was a general surgery intern. Between 1987 and 1991 he was a researcher on expert human performance in anesthesiology and industrial and systems engineering at the Ohio State University. He completed an anesthesiology residency at Ohio State in 1994. Since November 1994 he has been a faculty member in the Department of Anesthesia and Intensive Care of the University of Chicago. He is an associate director for the GAPS (Getting At Patient Safety) project sponsored by the Veterans Health Administration. Cook has been involved with the National Patient Safety Foundation since its inception and sits on the foundation’s board. He is internationally recognized as a leading expert on medical accidents, complex system failures, and human performance at the sharp end of these systems. He has investigated a variety of problems in such diverse areas as urban mass transportation, semiconductor manufacturing, and military software systems. He is often a consultant for not-for-profit organizations, government agencies, and academic groups. Cook’s most often cited publications are “Gaps in the Continuity of Patient Care and Progress in Patient Safety,” “Operating at the Sharp End: The Complexity of Human Error,” “Adapting to New Technology in the Operating Room,” and the report A Tale of Two Stories: Contrasting Views of Patient Safety.

Gene Rochlin received his Ph.D. in physics from the University of Chicago in 1966. Following his retraining in political science at MIT and Harvard in 1973-1974, his research interests in the cultural, social, political, and organizational implications and consequences of technology have extended to studies of nuclear power and nuclear proliferation, advanced information technologies, and the politics and political economy of energy and environmental policy. He was a principal of the Berkeley High Reliability Project, a multidisciplinary team that has studied the organizational aspects of safety-critical systems such as nuclear power operations and air traffic control. His recent book about the short-term effects and long-term consequences of the increasingly widespread “embedding” of computers as structural elements of organization, and the attendant creation of new modes of dependence and vulnerability, has led to a growing involvement in studies of potential threats not only to IT systems per se, but also to the many critical systems in society that have come to depend on them for operational reliability and security. He also teaches courses on the principles, theories, and methods of social studies of science and technology, as well as courses on social theories of risk.

William Scherlis is a professor in the School of Computer Science at Carnegie Mellon University and a member of CMU’s International Software Research Institute (ISRI). He is the founding director of CMU’s Ph.D. program in software engineering. He is a co-principal investigator of the 5-year High Dependability Computing Project (HDCP) with NASA, in which CMU leads a collaboration with five universities to help NASA address long-term software dependability challenges. His research relates to software assurance, software evolution, and technology to support software teams. Scherlis is involved in a number of activities related to technology and policy, recently testifying before Congress on innovation, government information technology, and roles for a federal CIO. He interrupted his career at CMU to serve at DARPA for 6 years, departing as a senior executive responsible for the coordination of software research. While at DARPA he had responsibility for research and strategy in computer security, high-performance computing, information infrastructure, and other topics. Scherlis chaired a National Research Council study on information technology, innovation, and e-government, and has led or participated in national studies related to crisis response, analyst information management, Department of Defense software management, and health care informatics infrastructure. He has served as program chair for a number of technical conferences, including the ACM Foundations of Software Engineering Symposium. Scherlis received an A.B. from Harvard University and a Ph.D. in computer science from Stanford University.

PANEL E: COST-EFFECTIVENESS OF SOFTWARE ENGINEERING TECHNIQUES: WHAT EVIDENCE EXISTS?

Kent Beck is the founder and director of Three Rivers Institute (TRI). His career has combined the practice of software development with reflection, innovation, and communication. His contributions to software development include patterns for software, the rediscovery of test-first programming, the xUnit family of developer testing tools, and Extreme Programming. He currently divides his time between writing, programming, and coaching. Beck is the author or coauthor of Contributing to Eclipse, Test-Driven Development: By Example, Extreme Programming Explained, Planning Extreme Programming, The Smalltalk Best Practice Patterns, and the forthcoming JUnit Pocket Guide. He received his B.S. and M.S. in computer science from the University of Oregon.

Matthias Felleisen is a professor at Northeastern University’s College of Computer Sciences. His areas of interest include PLT Scheme (DrScheme and friends), How to Design Programs (HtDP), and How to Use Scheme (HtUS). Their development drives the analysis of current versions of Scheme (the language) and DrScheme (the programming environment). The goal is to support the entire spectrum of program development, from scripting to large complex systems. When problems are noticed, the language or the environment (or both) are modified. Changes are evaluated with respect to language design, analysis, and implementation as well as software engineering. Results are modeled and published so that others in the PL and SE community can adapt them as desired. Felleisen’s primary educational project is the TeachScheme! project. Its purpose is to change the introductory curriculum at the high school and college levels. Instead of students being exposed to languages with a heavy syntax and commercial programming environments, they are introduced to a series of simple languages (small subsets of Scheme with a few additional constructs) and a programming environment tailored to beginners. This project thus creates a pool of users who stress-test our languages and environment.

Anthony Hall is a principal consultant with Praxis Critical Systems Ltd. He is a specialist in requirements and specification methods and the development of software-intensive systems. He has worked for many years on the development of critical operational systems. During this time he has pioneered the application of formal methods to industrial practice. He was chief designer on CDIS, a successful air traffic information system, and a certification authority developed to ITSEC E6 standards. Together with colleagues in Praxis Critical Systems, Hall has brought together extensive practical experience and the latest research findings to develop REVEAL, a principled yet practical approach to requirements engineering, and Correctness by Construction, a process for cost-effective development of critical software. Hall received an M.A. and a Ph.D. from Oxford University. He is a fellow of the Royal Academy of Engineering, a chartered engineer, and a fellow of the British Computer Society.

PANEL F: CASE STUDY: ELECTRONIC VOTING

David Dill is a professor of computer science and, by courtesy, electrical engineering at Stanford University. He has been on the faculty at Stanford since 1987. His primary research interests relate to the theory and application of formal verification techniques to system designs, including hardware, protocols, and software. He also has an interest in voting technology and related policy issues and has done research in asynchronous circuit verification and synthesis, and in verification methods for hard real-time systems. He was the chair of the Computer-Aided Verification Conference held at Stanford University in 1994. From July 1995 to September 1996, he was chief scientist at 0-In Design Automation. Dill’s Ph.D. thesis, “Trace Theory for Automatic Hierarchical Verification of Speed Independent Circuits,” was named as a Distinguished Dissertation by ACM and published as such by MIT Press in 1988. He was the recipient of a Presidential Young Investigator award from the National Science Foundation in 1988, and a Young Investigator award from the Office of Naval Research in 1991. He has received Best Paper awards at the International Conference on Computer Design in 1991 and the Design Automation Conference in 1993 and 1998. He was named a fellow of the IEEE in 2001 for his contributions to verification of circuits and systems. Dill served on the California Secretary of State’s Ad Hoc Task Force on Touch Screen Voting in 2003, and he is currently on the IEEE P1583 Voting Standards Committee and the Santa Clara County DRE Citizens Oversight Committee. Dill holds an S.B. in electrical engineering and computer science from Massachusetts Institute of Technology and an M.S. and a Ph.D. from Carnegie Mellon University.

Douglas Jones is currently an associate professor of computer science at the University of Iowa, where his teaching focuses on the intersection of computer architecture and operating systems. He is a member of the Association for Computing Machinery (ACM), the U.S. Public Policy Committee of the ACM, the National Committee on Voting Integrity, the American Association for the Advancement of Science, and Computer Professionals for Social Responsibility. Jones is currently vice president and chief technical officer of the Open Voting Consortium and a member of the Advisory Board of VerifiedVoting.org, and he has served for a decade on Iowa's Board of Examiners for Voting Machines and Electronic Voting Systems, of which he is past chair. In the wake of the 2000 election, he testified before the U.S. Commission on Civil Rights and the House Science Committee. He also gave the keynote address at the Second Interamerican Conference on Voting Technology, and he contributed Chapter 1 to the book Secure Electronic Voting. He received his B.S. in physics from Carnegie Mellon University in 1973 and his M.S. and Ph.D. in computer science from the University of Illinois at Urbana-Champaign in 1976 and 1980.

Avi Rubin is a professor of computer science as well as technical director of the Information Security Institute at Johns Hopkins University. Prior to joining Johns Hopkins he was a research scientist at AT&T Labs. Rubin is the author or coauthor of several books, including Firewalls and Internet Security, second edition (with Bill Cheswick and Steve Bellovin, Addison-Wesley, 2003), White-Hat Security Arsenal (Addison-Wesley, 2001), and Web Security Sourcebook (with Dan Geer and Marcus Ranum, John Wiley & Sons, 1997). He is associate editor of ACM Transactions on Internet Technology and an Advisory Board member of Springer's Information Security and Cryptography Book Series. Rubin serves on the board of directors of the USENIX Association and on the DARPA Information Science and Technology Study Group. He received his B.S. (computer science), M.S.E., and Ph.D. in computer science and engineering from the University of Michigan.

Ted Selker, at the MIT Media and Arts Technology Laboratory, is the director of the Context Aware Computing Lab, which strives to create a world in which people’s desires and intentions cause computers to help them. This work creates environments that use sensors and artificial intelligence to create so-called “virtual sensors,” adaptive models of users to create keyboardless computer scenarios. Selker is also director of a counterintelligence special-interest group on design and domestic life, a forum for discussing kitchens and domestic technology, lifestyles, and supply changes as a result of technology. He is creating an industrial design intelligence forum to discuss the need to understand cognitive science and quantitative experiments in doing product design. As part of the Caltech/MIT voting project, Selker has contributed important papers that have been useful to creating legislation. He has also helped the Carter/Ford voting project and is part of the IEEE voting standards committee. A large part of Selker’s work in voting concerns inventing and testing new technology for voting. Examples include new approaches to user interfaces, registration database testers, ballot design systems, secure online architectures, and new approaches for using simulation to evaluate political platforms. Prior to joining MIT’s faculty in November 1999, Selker directed the User Systems Ergonomics Research Lab at the IBM Almaden Research Center, where he became an IBM Fellow in 1996. He has served as a consulting professor at Stanford University, taught at Hampshire, the University of Massachusetts at Amherst, and Brown University, and worked at Xerox PARC and Atari Research Labs. His research has contributed to products ranging from notebook computers to operating systems. His work takes the form of prototype concept products supported by cognitive science research. He is known for the design of the “TrackPoint III” in-keyboard pointing device now found in Compaq, Fujitsu, HP, IBM, Sony, TI, and other computers; for creating the “COACH” adaptive agent that improves user performance (Warp Guides in OS/2); and for the design of the 755CV notebook computer that doubles as an LCD projector. He is the author of numerous patents and papers in refereed journals and conference proceedings. He received his B.S. in applied mathematics from Brown University, his M.S. in computer/information sciences from the University of Massachusetts at Amherst, and a Ph.D. in computer science from the City University of New York.