Among the joy of being an expatriate is that you do not have to go in your family and take advantage of this holiday period to rest, do some personal projects and dedicate time to things you wanted to do.
Since the last couple of days, I am trying to use SeL4, a security-oriented kernel that has been formally proven. Sounds sexy, right? For now, I am not quite sure to fully understand how it works and the development environment is huge. It reminds me my old days, when working on taste that requires a full virtual machine just to work. Ah, the joy of development environments that are designed like a Russian jail, so convenient and easy to use!
The goal of this project is to be able to generate SeL4 secure applications from architecture models (mostly AADL). The high-level security requirements would be verified at the model level and would ultimately be transformed into code. This is what I am trying to do during this holiday period.
I am also trying to train for Worlds Ends 100 that will take place in May. Some friends have been there last week-end and told me the course is challenging and intense. As there is an aggressive 19 hours cut-off, I need to work my ass right now in order to finish the race on time. Unfortunately, I do not have the opportunity to train on the course and all I can do is mimic the elevation profile in the parks around Pittsburgh.
On a side note, I am now an official pacer for the Pittsburgh Half-Marathon. If you are running the half and plan to finish in 1:45, I will be around you.
The weather in Pittsburgh is still surprisingly hot. More than 16C.
A Fault-Tree Analysis (or FTA) is a popular safety analysis recommended by several well-known practices and standards, such as ARP4761. A FTA shows the relation between a fault and its potential contributors (error events) using a simple binary logic (and/or gates). This is nothing else than a convenient representation of the relation between error events. In case you are not familiar with the notation, you can have a look at the related wikipedia page, it explains it in more details. When working with collaborators in safety-critical industries during the last months (avionics, automotive, aerospace, medical), I faced the same issue: most of FTA tools are commercial and there is no good open-source/free alternative. This is not completely true, there is one: OpenFTA. If this is pretty cool to have a FTA open-source program but the graphical interface looks like Windows 3.1 and the code is clearly no longer maintained and outdated. OpenFTA also relies on old image processing libraries (jpeg), which makes it very difficult to compile with the last JDK. Last thing: this is a standalone tool and as most of our modeling tools (i.e. OSATE) are running under Eclipse, it would be cool to have an Eclipse-based tool.
So, in fact, there was a real need for a good integrated Fault Analysis Tool. I had a good project to work on then.
So, one night, I decided to put my brain at work and design a new FTA tool, EMFTA (which is a joke – EMF stands for Eclipse Modeling Framework). This is an Eclipse-based Fault-Tree Analysis tool that relies on Sirius, a framework to represent EMF models. The nice aspect of Sirius is it allows you to have several representations of an EMF model while maintaining their consistency: if you change one representation, it will then modify the model and the changes will be reflected in the other representations. For example, in EMFTA, there are two representations: the graphical tree (good to see the decomposition of error events – see above) and table (to edit events information – see below). When you change one representation (e.g. the table), it automatically update the graphical representation (e.g. the tree). Synchronizing the same model across different tools/framework can be challenging and Sirius do a good work for that.
In a nutshell, EMFTA is nothing else than a EMF model to represent a Fault-Tree and its different components (gates, events) associated with a Sirius project to provide the graphical representation. Actually, the current version rely on the latest stable version of Sirius. In addition to providing a viewer and editor for Fault-Tree, EMFTA provides the following capabilities:
Generation of cutset from the FTA: it creates a CSV reports containing the different cutset of your Fault Tree
Generation of FTA model from AADL models annotated with the EMV2 annex: creating the Fault Tree from an architecture model associated with an EMV2 annex. There was already a bridge for OpenFTA, the plugin now supports the export to EMFTA
Installation and Bugreport
As the project is still starting, the documentation is still minimal. But you have general installation instruction on the general github project page here: https://github.com/juli1/emfta. Use also the github project to submit a bug. If you want to contribute to the source code, submit a pull request or even contact me (I promise I won’t bite).
This tool is yet still a prototype but I plan to improve it during the following months. It could be a first step to a real open-source Fault-Tree Analysis tool. Looking forward, I plan to make it more user-friendly but also introduce a simulation tool that would then produce probability of error occurence (e.g. what is the probability of an error occurrence considering the different cutset and associated probabilities). Also, having this technology connected with AADL, we can leverage such a notation for a security perspective and generate an Attack Tree, which would re-use the Fault-Tree notation for to describe the different attack vector that would then contribute to an attack.
Recently, I authored a post on the Software Engineering Institute blog about the use of the Architecture and Analysis Design Language. The purpose was to show the usability of the AADL toolset for evaluating safety aspect of a system architecture. The post details an user-experience from new AADL users for making safety evaluation of a system. If you are not familiar with the AADL language, this post can provide a good overview of the technology, especially for acquiring the basics and use the safety analysis tools integrated in the Open Source AADL Tool Environment (OSATE).
On another note, the Software Engineering Institute also published a podcast which is an interview made by Suzanne Miller. The podcast is available on the SEI website but also on iTunes. It details some of the work I am currently involved for connecting several annexes of the AADL language together (the Behavior Annex and the Error-Model Annex). While being a little bit more technical than the blog post, it provides a good information about what is going on in the development of the AADL language.