4. Building Trustworthy Networked Systems of Embedded Computers
Pages 119-146

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 119...
... Testing mechanisms that apply to standard networks of computing devices may well fail to apply in the context of EmNets, where components may shut down to conserve power or may be limited in computing power or available bandwidth. These and other reliability questions will need to be studied if EmNets of the future are to be trusted.
From page 120...
... New designs may be needed that allow untrained users to operate these systems safely and effectively. Accidents related to software already are starting to increase in proportion to the growing use of software to control potentially dangerous systems (Leveson, 1995).
From page 121...
... It is not at all clear that these models apply to EmNets, in which the individual components are assumed to be easily and inexpensively replaceable, and the usual mechanisms for detecting faults (such as a request for a keep-alive message) may be prohibitively expensive in terms of power or bandwidth or may generate false failure notifications (in the case of components that shut down occasionally to conserve power).
From page 122...
... , it is an extremely difficult task that already consumes a large fraction of the overall expense, schedule, and labor of an engineering project. Microprocessor design teams typically allocate one validation person for every two designers, and the trend is toward parity with future designs.
From page 123...
... will not present significant safety problems even if they fail, although such failures might frustrate or inconvenience users. Other failures may raise significant safety issues.
From page 124...
... Like the other desirable characteristics addressed in this chapter, safety cannot effectively be added onto a completed design, nor can it be tested or measured "into" a design. Safety constraints need to be identified early on in the design process so that the system can be designed to satisfy them.
From page 125...
... , increased pilot workload during emergencies and high stress periods, automation and pilots fighting over control of the aircraft, increased amounts of typing, and pilot distraction. Human factors experts have tried to overcome clumsy automation by changing the human interface to the automation, changing user training, or designing new operational procedures to eliminate the new human errors resulting from poor automation design.
From page 126...
... New design techniques will be required to enforce adherence to system safety constraints in EmNet behavior and eliminate or minimize critical user errors. In addition, designers often make claims about the independence of components and their failure modes to simplify the design process and make systems more amenable to analysis, but they lack adequate tools and methodologies for ensuring independence or generating alerts about unknown interdependencies.
From page 127...
... Each change will require assurances that safety has not been compromised, but because it will not be practical to redo a complete software system safety analysis for every change, new techniques will be needed to minimize the amount of effort required to verify safety when potential system and software design changes are proposed and to cope with the consequences of safety failures. Users can be expected to extend the system in ways unanticipated in the original design, adding new components, trying out new functions, and so on.6 In addition, the system and software design may become unsafe if there are unanticipated changes in the environment in which the

6 Further complicating the situation is the fact that backup safety features, meant to be invoked only in emergencies, are often discovered by human operators and used as primary resources.
From page 128...
... Their close connection to the physical world and interconnection with larger networks accessible by more people with unknown motives will make lapses of security potentially more damaging, increasing the risks associated with EmNets. In a military context, of course, the compromise of even fairly prosaic devices (such as food storage equipment or asset monitoring systems)
From page 129...
... Risk management is also required for EmNets; however, calculating the risk is extremely challenging and variable because there are so many unknowns in these systems. The physical isolation of a network, together with extremely rigid and secure protocols for attaching terminals, is the only highly reliable method for protecting networked information systems from external threats (that is, attacks from outside hackers and others without access privileges)
From page 130...
... , land, and ocean (seabed and submarines) , between large numbers of vehicles, or spread throughout a large battleship, the difficulties of developing and implementing robust access controls will only grow.
From page 131...
... The virtual world remains difficult to contain. Although cryptographic techniques enable engineers to build arbitrarily secure system components, assembling such elements into secure systems is a great challenge, and the computing research community does not yet understand the principles or possess the fundamental knowledge necessary to build secure systems of the magnitude necessitated by EmNets.
From page 132...
... In some cases this process will be straightforward, but in others it will be far more complex. An automobile manufacturer, for instance, may be able to deploy tools comparatively easily that assure that code updates originate from the manufacturer.
From page 133...
... Certainly, operating-system-level techniques may be employed to thwart such denial-of-service attacks, but it remains to be seen how effective they will be.

Security Research Topics Deserving Attention

The security issues discussed above raise a number of research issues that need to be addressed, including the following:

· Network access policies and controls.
From page 134...
... The technical challenges lie in designing systems that facilitate support of the policies once they are decided.11,12 Consideration of the privacy implications of EmNets cannot be limited to these systems alone but must extend to the larger networks of more powerful computers to which EmNets connect. Information about transactions and events collected through networks of simple computers and sensors can be and is analyzed for links and correlations in much more powerful computers, both online and offline.
From page 135...
... If so, how can people extract value from their own personal data in an equitable fashion? What is practical and enforceable in systems in which interactions are fleeting and take place very quickly?
From page 136...
... . Disclosure is often provided in privacy policies for Web sites, but EmNets often involve more passive interactions in which disclosure is less convenient.
From page 137...
... In the context of EmNets, it more often has to do with the right or intention of a person to keep certain personal information confidential. A breach of security may result in breach of privacy by someone without proper credentials who gains access to private information; a breach of privacy may also occur when information that is freely shared over a network is abused or when EmNets are deployed into various environments without notification, consent, or full disclosure.
From page 138...
... Privacy issues may be somewhat more challenging to deal with than security issues because they entail varying expectations and values and because access control practices often call for conveying personal information. Privacy seems far more malleable than security, because what counts as private is socially negotiated; privacy violations may occur when individuals have different understandings about the boundaries and contexts of privacy (this will be especially true with new technologies and where the technology moves information across multiple social contexts)
From page 139...
... Research into possible legal requirements for the protection of personal information may be needed to ensure adequate accountability. The goal should be to ensure that specific individuals or agents, probably those who deploy EmNets and will use the information gained therefrom, are deemed responsible and accountable for the protection of an individual's private information collected on those networks.18 Privacy and/or anonymity preservation techniques need to factor in accountability.
From page 140...
... One way to address this might be to devise a data encoding scheme that uses error correcting and detecting codes. This would allow detecting simple data entry errors of the sort known to be most common by humans (for example, transposition of adjacent items or missed elements)
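The excerpt above suggests error-detecting codes as a defense against the data-entry mistakes people make most often. The following added example (not code from the report or its authors) shows one concrete scheme of that kind: a weighted mod-11 check character in the style of ISBN-10, plus an exhaustive check that it catches every single-character substitution, every adjacent transposition, and every dropped element for a given payload length. The weight assignment, the function names and the fixed-length validation rule are this example's own choices.

```python
"""Weighted mod-11 check character (ISBN-10 style) and an exhaustive
error-detection audit.  Added illustration; not code from the NRC report.

Scheme: for a payload of n <= 9 decimal digits, position i (0-based, left
to right) gets weight n+1-i, the trailing check character gets weight 1,
and the weighted sum must be 0 mod 11.  Because 11 is prime and adjacent
weights differ by exactly 1, any single substitution or adjacent
transposition changes the sum by a nonzero amount mod 11.  A check value
of 10 is written 'X', as ISBN-10 does.
"""
from itertools import product

MODULUS = 11  # prime: every nonzero weighted difference is detectable


def _ascii_digits(s: str) -> bool:
    return s.isascii() and s.isdigit()


def _weighted_sum(payload: str) -> int:
    n = len(payload)
    return sum((n + 1 - i) * int(d) for i, d in enumerate(payload))


def check_char(payload: str) -> str:
    """Return the check character for 1..9 ASCII decimal digits."""
    if not (1 <= len(payload) <= 9) or not _ascii_digits(payload):
        raise ValueError("payload must be 1 to 9 ASCII digits")
    c = (-_weighted_sum(payload)) % MODULUS
    return "X" if c == 10 else str(c)


def encode(payload: str) -> str:
    """Payload followed by its check character, e.g. '572' -> '572X'."""
    return payload + check_char(payload)


def is_valid(code: str, payload_len: int) -> bool:
    """Validate a code that must be exactly payload_len digits + 1 check char.
    A wrong length (a missed or extra element) is rejected outright."""
    if len(code) != payload_len + 1:
        return False
    payload, c = code[:-1], code[-1]
    if not _ascii_digits(payload):
        return False
    if c == "X":
        cval = 10
    elif c.isascii() and c.isdigit():
        cval = int(c)
    else:
        return False
    return (_weighted_sum(payload) + cval) % MODULUS == 0


def detection_report(payload_len: int) -> dict:
    """Apply every single-character substitution, every adjacent
    transposition and every single deletion to every valid code of the
    given payload length; count corrupted codes that still validate."""
    digits = "0123456789"
    report = {"codes": 0,
              "substitutions": 0, "undetected_substitutions": 0,
              "transpositions": 0, "undetected_transpositions": 0,
              "drops": 0, "undetected_drops": 0}
    for tup in product(digits, repeat=payload_len):
        code = encode("".join(tup))
        assert is_valid(code, payload_len)
        report["codes"] += 1
        # single-character substitutions ('X' only legal in the check slot)
        for i, orig in enumerate(code):
            choices = digits + ("X" if i == payload_len else "")
            for ch in choices:
                if ch == orig:
                    continue
                report["substitutions"] += 1
                bad = code[:i] + ch + code[i + 1:]
                if is_valid(bad, payload_len):
                    report["undetected_substitutions"] += 1
        # adjacent transpositions of two differing characters
        for i in range(len(code) - 1):
            if code[i] == code[i + 1]:
                continue
            report["transpositions"] += 1
            bad = code[:i] + code[i + 1] + code[i] + code[i + 2:]
            if is_valid(bad, payload_len):
                report["undetected_transpositions"] += 1
        # one missed element
        for i in range(len(code)):
            report["drops"] += 1
            if is_valid(code[:i] + code[i + 1:], payload_len):
                report["undetected_drops"] += 1
    return report


if __name__ == "__main__":
    print(encode("572"), encode("123"))
    print(detection_report(3))
```

The audit is exhaustive for short payloads (1000 codes and roughly 40 corruptions each for a 3-digit payload), so it confirms the algebraic argument rather than sampling it. It also makes the scheme's limits visible: a fixed-length rule is what catches missed elements, and errors involving two non-adjacent positions are outside the guarantee, which is the reason a real deployment would pair a check character with a length rule and, where the data matters, stronger integrity protection.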
From page 141...
... when complexity that must be exposed is exposed according to an underlying cohesive, understandable, conceptual model that maximizes the predictability of the system's behavior, supports the user's efforts to generalize about those behaviors, and minimizes special cases and arbitrary actions.

Creating Mental Models

Mental models are a convenient concept for examining problems of usability.
From page 142...
... Usability may also be enhanced by designs based on standard metaphors. A familiar example is the desktop metaphor used in the design of graphical user interfaces for personal computers.
From page 143...
... What is the source of global coherence in a system that may be spatially distributed, incrementally designed, and implemented using heterogeneous and independently developed components? Although the existence of such system-level behavior, as a superset of the behavior of the individual components, is not new, it is nonetheless

21 The relationship between implementation models and user models is discussed at length by Cooper (1995)
From page 144...
... shift the focus of design from devices as such to the information that those devices mediate. Examples of research topics in this area include architectures for universal identity of data objects, replication architectures, techniques for maintaining perceived constancy of identity across heterogeneous display media, tangible interface techniques (Ishii and Ullmer, 1997)
From page 145...
... 1997. "Analyzing requirements specifications for mode confusion errors," Workshop on Human Error, Safety, and System Development, Glasgow.
From page 146...
... 1990. "Heuristic evaluation of user interfaces." Proceedings of ACM CHI '90 Conference on Human Factors in Computing Systems.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.