[1] Adrian Hilton, Gemma Townson, and Jon G. Hall and. Fpgas in critical hardware/software systems. Technical Report 2003.01, 2003. [ bib | .pdf ]
FPGAs are being used in increasingly more complex roles in critical systems, interacting with conventional critical software. Established safety standards require rigorous justification of safety and correctness of the conventional software in such systems. Newer standards now make similar requirements for safety-related electronic hardware, such as FPGAs, in these systems. In this paper we examine the current state-of-the-art in programming FPGAs, and their use in conventional (low-criticality) hardware/software systems. We discuss the impact that the safety standards requirements have on the codevelopment of hardware/software combinations. and suggest adaptations of existing best practice in software development that could discharge them. We pay particular attention to the development and analysis of high-level language programs for FPGAs designed to interact with conventional software.

[2] Adrian J. Hilton and Jon G. Hall. Mandated requirements for hardware/software combination in safety-critical systems. Technical Report 2003/02, 2003. [ bib | .pdf ]
Safety-critical systems are an important subset of high-assurance systems. Higher performance requirements have led to the increased use of combined hardware/software systems therein, with hardware devices taking processing load off software.As might be expected, safety-critical systems have many requirements made of them by established standards. By implication, and now by emerging safety standards, such requirements must be discharged over hardware/software combinations, with important rami_cations for best practice.In this paper we discuss the impact that such requirements have on the co-development of hardware/software combinations, and suggest adaptations of existing best practice that could discharge them.

[3] Simon Holland, David R. Morse, and Henrik Gedenryd. The application of direct combination to mobile and ubiquitous human computer interaction. Technical Report 2003/03, 2003. [ bib ]
-

[4] Jon G. Hall and Andres Silva. A requirements-based framework for the analysis of socio-technical system behaviour. Technical Report 2003/04, 2003. [ bib | .pdf ]
Requirements Engineering's theoretical and practical developments typically look forward to the future (i.e. a system to be built). Under certain conditions, however, they can also be used for the analysis of problems related to actual systems in operation. Building on the Jackson/Zave reference model [2] for requirements and specifications, this paper presents a framework useful for the prevention, analysis and communication of designer and operator errors and, importantly, their subtle interactions, so typical in complex socio-technical systems.

[5] Jon G. Hall and Lucia Rapanotti. Towards a semantics of problem frames. Technical Report 2003/05, 2003. [ bib | .pdf ]
This paper presents a framework for understanding Problem Frames [5, 6], their components, their frame concerns, and the flexibility that is inherent in their definition.Problem Frames classify software development problems. Of particular utility is their intuitive graphical notation that facilitates communication between software designer and problem owner. This provides costs as well as benefits and, as is the case with many such graphical notations, a (formal) semantics is needed to underpin meaning. To the best of our knowledge a semantics of Problem Frames is missing from the literature. In this paper we begin the definition of such a semantics.Our semantics places Problem Frames within the framework for Requirements Engineering of Zave and Jackson and its subsequent formalization in the Reference Model of Gunter et al.

[6] Jon G. Hall and Lucia Rapanotti. A reference model for requirements engineering. Technical Report 2003/06, 2003. [ bib | .pdf ]
The Reference Model of Gunter et al., 2000, provides a framework for describing and analyzing key software engineering artifacts and their properties. In this paper we propose a reification of this framework in which behaviour is explicitly trace-based. We find that this benefits the formalism in adding structure in ways which are meaningful and practical from an engineering viewpoint. In particular, we develop notions of points of introduction and reachability in the new framework, and show how they strengthen the properties of the Reference Model.

[7] Robert Logie, Jon G. Hall, and Kevin G. Waugh. Beliefs, desires and intentions in a hybrid coached agent architecture. Technical Report 2003/07, 2003. [ bib | .pdf ]
This paper introduces a proposed research project, Patchworld, which is intended to investigate norm guided emergent behaviour in heterogeneous agent systems. Patchworld has two novel features; localised agent coaching and a flat hybrid agent architectural model Patchworld aims to address a number of problem areas, most notably those of adaptive behaviour, learning transfer, truly decentralised systems and peer level agent architecture. Modal logic is used to provide a common thread through these problem areas and between the agent's architectural modules. Patchworld agents will look forwards, attempting to achieve their goals, using normal and non-normal modal logic. They will also look backwards, attempting to understand and improve their behaviour, using a logic with deontic modalities. This paper has two purposes, firstly to describe the proposed research project and, secondly, to indicate where and how modal logic will be used in the proposed agent's operation. Other aspects mentioned above will be addressed in future work.

[8] Lucia Rapanotti, Jon G. Hall, Michael Jackson, and Bashar Nuseibeh. Architecture-driven problem decomposition. Technical Report 2003/08, 2003. [ bib | .pdf ]
Jackson's Problem Frames provide a means of analyzing and decomposing problems. They emphasise the world outside of the computer helping the developer to focus on the problem domain instead of drifting into inventing solutions. The intention is to delay consideration of the solution space until a good understanding of the problem is gained.In contrast, early consideration of a solution architecture is common practice in software development. Software is usually developed by including existing components and/or reusing existing frameworks and architectures. This has the advantage of shortening development time though reuse, and increasing the robustness of a system through the application of tried and tested solutions.In this paper, we show how these two views can be reconciled and demonstrate how a choice of architecture can facilitate problem analysis and decomposition within the Problem Frames framework. In particular, we introduce Architectural Frames - combinations of architectural styles and Problem Frames - and illustrate their use in problem decomposition by applying them to a well-known problem from the literature.

[9] Lucia Rapanotti and Jon G. Hall. Problem frames for socio-technical systems. Technical Report 2003/09, 2003. [ bib | .pdf ]
-

[10] Lun-Cheng Lin, Bashar Nuseibeh, Darrel Ince, Michael Jackson, and Jonathan Moffett. Analysing security threats and vulnerabilities using abuse frames. Technical Report 2003/10, 2003. [ bib | .pdf ]
In this paper, we present an approach using problem frames to analyse security problems in order to determine security threats and vulnerabilities. We use problem frames to capture and bound the base system that is to be protected. We consider threats to this base problem frame from the point of view of the attacker. For each class of threats, their successful realisation is regarded as the anti-requirement in an abuse frame. Antirequirements are quantified existentially: that is, the attacker succeeds by realising the threat in any one instance. For a threat to be realised, its abuse frame must be composed with the base problem frame in the sense that the asset attacked in the abuse frame must overlap, or be identified with, a domain of the base problem frame. We explain the process of composition and some of its variations. We illustrate and assess our approach using a case study of a medical information system, and suggest how abuse frames can provide a means for bounding the scope of and reasoning about security problems in order to analyse security threats and identify vulnerabilities. We conclude with an agenda for future work.

[11] Charles B. Haley, Robin C. Laney, and Bashar A. Nuseibeh. Deriving security requirements from crosscutting threat descriptions. Technical Report 2003/11, 2003. [ bib | .pdf ]
It is generally accepted that early determination of the stakeholder requirements assists in the development of systems that better meet the needs of those stakeholders. General security requirements frustrate this goal because it is difficult to determine how they affect the functional requirements of the system.This paper illustrates how representing threats as crosscutting concerns aids in determining the effect of security requirements on the functional requirements. Assets (objects that have value in a system) are first enumerated, and then threats on these assets are listed. The points where assets and functional requirements join are examined to expose vulnerabilities to the threats. Security requirements, represented as constraints, are added to the functional requirements to reduce the scope of the vulnerabilities. These requirements are used during the analysis and specification process, thereby incorporating security concerns into the functional requirements of the system.

[12] Trevor Cockram, Pat A.V. Hall, and Darrel C. Ince. A model for inspection efficiency prediction. Technical Report 2003/12, 2003. [ bib | .pdf ]
While inspections are a valuable tool for software quality assurance, inspection models are labour intensive, require knowledge of all errors in a software product, make questionable assumptions, and do not capture the experience of inspectors. In this paper we describe a novel inspection model based on Bayesian belief networks that overcomes many of these problems. We describe the problems which affect the inspection process, outline how Bayesian belief network are able to provide a powerful mechanism and describe data taken from a large number of inspections which provide a validation of the model.

[13] Robin C. Laney, Janet van der Linden, and Pete Thomas. Evolving legacy system security concerns using aspects. Technical Report 2003/13, 2003. [ bib | .pdf ]
This paper shows how aspects can be successfully employed in the support of system evolution. The context is a case study on migrating a legacy client-server application to overcome the security problems associated with 'message tampering' attacks. The focus is on authorization issues in which aspects are used to add a security mechanism based on digital signatures.The approach provides for future evolution of the system. In particular, it is shown how factoring of aspectual concerns allows the scope of the security boundary to be varied, illustrating reuse of the aspects.Whilst the aspects are added non-intrusively, it is demonstrated how aspects can modify the control-flow behaviour of a server. An extension to AspectJ's exception mechanism that conforms to design by contract is proposed to facilitate this form of aspect.

[14] Judith Segal. When software engineers met research scientists: a field study. Technical Report 2003/14, 2003. [ bib | .pdf ]
In this paper, we describe a field study in which software engineers, following a traditional, staged, document-led development methodology, provided research scientists with a library of software components with which to drive a scientific instrument. Our data indicate two problems. The first of these is the clash between an upfront statement of requirements as needed by the traditional methodology and the emergence of requirements as occurs naturally in a research laboratory; the second is the fact that certain project documents do not seem to fully support the construction of a shared understanding between the scientists and the software engineers. We discuss whether the adoption of certain agile practices might ameliorate these problems.

[15] Max Garagnani. Planning with analogical and hybrid representations. Technical Report 2003/15, 2003. [ bib | .pdf ]
This report illustrates how new methods and techniques from the area of knowledge representation and reasoning can be adopted and exploited in planning to produce new, more efficient domain-description languages. Planning domain description formalisms should be expressive and customisable, and yet be able to produce domain encodings that allow the planner to concentrate all of the computational effort on the search for a solution, rather than on calculating the trivia of the problem. This paper argues that most of the modern, 'sentential' domain-modelling languages do not meet the latter requirement and, when applied to realistically complex domains, produce encodings that are subject to the inefficiencies of the ramification problem. The solution proposed here consists of adopting non-sentential domain representations in planning. In particular, recent experimental evidence (Garagnani and Ding 2003) indicates that the adoption of analogical descriptions can lead to significant planning speed-ups. However, although more efficient, when compared to sentential languages these representations tend to be less expressive and less universally applicable. The main aim of this paper is to provide a theoretical basis for hybrid planning, in which analogical and sentential domain representations can be seamlessly integrated and used interchangeably, thereby overcoming the limitations and exploiting the advantages of both paradigms. The first part of the document clarifies the nature of analogical representations and illustrates how they can avoid the frame and the ramification problems, which afflict all sentential languages. The central section presents an expressive analogical representation (based on the structure of -setGraph) and a formal framework for hybrid planning built on it, while the last section discusses related work, limitations and future directions.

[16] John Dyke. Issues in creating html pages with welsh or bilingual content. Technical Report 2003/16, 2003. [ bib | .pdf ]
Using utf-8 encoding web pages in HTML, XHTML or XML can contain all the letters used in Welsh including all of the diacritical marks used. These pages are rendered and display correctly on Microsoft's Internet Explorer from version 4 onwards and Netscape's browser from version 4. Opera supports all of the characters correctly from version 6 albeit with font substitution occurring for some of the less frequently used diacritical marks on w and y: the acen grom, the most frequently used diacritical mark, is rendered correctly. Opera's version 5.12 provides a reasonably good coverage. It displays the vowels a,e,i,o and u correctly with all diacritical marks but renders w, W, y and Y without an acen grom but produces blanks for the other less frequently used diacritical marks used over these characters. For wider support on older browsers, named character entities should be used for the characters a, e, i, o and u with diacritical marks. The remaining vowels w and y should coded either without diacritical marks or by some other representation e.g. the character followed by the diacritical mark (w^ in place of ŵ)The language used on a page should be denoted by using the lang attribute in the HTML mark up. Bilingual pages should have appropriate lang attributes set on section of code (div and span tags can be used to host these attributes if needed).

[17] David R. Morse, Nozomi Ytow, David McL. Roberts, and Akira Sato. Comparison of multiple taxonomic hierarchies using taxonote. Technical Report 2003/17, 2003. [ bib | .pdf ]
Recent work on modelling taxonomic names and the relationshipsbetween them has highlighted the need for capturing the multiple names and hierarchies that exist in taxonomic nomenclature. In this paper we describe TaxoNote Comparator, a tool for visualising and comparing multiple classification hierarchies. In order to align the hierarchies, the Comparator creates an integrated hierarchy containing all the taxa in the hierarchies to be compared, so that alignment of the hierarchies can be maintained. In addition, a table of assignments reports the taxonomic names that are common to all hierarchies and the differences between them, which facilitates structural comparisons between the hierarchies.

[18] Charles B. Haley, Michael A. Jackson, Robin C. Laney, and Bashar Nuseibeh. An example using problem frames: Analysis of a lighting control system. Technical Report 2003/18, 2003. [ bib | .pdf ]
A reasonably complex lighting control system is decomposed using problem frames. The merits of various decompositions are examined. The paper concludes with a discussion of unresolved problem concerns exposed by the decomposition.

[19] Charles B. Haley, Robin C. Laney, Jonathan D. Moffett, and Bashar Nuseibeh. Picking battles: the impact of trust assumptions on the elaboration of security requirements. Technical Report 2003/19, 2003. [ bib | .pdf ]
Assumptions made during analysis of the requirements for a system-to-be about the trustworthiness of its various components (including human components) can have a significant effect on the specifications derived from the system's requirements. These trust assumptions can affect the scope of the analysis, derivation of security requirements, and in some cases how functionality is realized. This paper presents trust assumptions in the context of analysis of security requirements. A running example shows how trust assumptions are used by a requirements engineer to help define and limit the scope of analysis and to document the decisions made during the process.

[20] Robert Logie, Jon G. Hall, and Kevin G. Waugh. Using safety and liveness properties to drive learning in a multi-agent system. Technical Report 2003/20, 2003. [ bib | .pdf ]
One of the strongest results in temporal logic is Chang,Manna and Pnueli's partitioning of reactive system properties into the classes of safety and liveness[1]. Safety and liveness properties state, intuitively and respectively, that something bad will not happen and that something good will eventually happen. In this paper we show how, in a multi-agent world, this safety/liveness partitioning can be used to drivelearning. If an agent is introduced to a world and given a set of descriptions of system safety an liveness properties then how is it to discover how to behave in such a way as to satisfy them? Safety and liveness properties will influence agent behaviour, safety properties are cast as system norms exerting a restraining influence whilst liveness properties are cast as desires which exert a driving influence. Agents will randomly gather a set of atomic behaviours - simple actions which may be used individually, in combination or in conjunction with other agents. In order to discover behaviours which satisfy these system properties agentsmust have a -mischevious element in their behaviour. Future worlds are given a preference ordering, when this ordering fails to provide clear guidance an agent may -mischeviously select any available action not proscribed by safety norms. Undesirable world states are described by these safety norms and agents will be obliged to prevent these states by either refraining from actions which are known to bring them about or acting so as to attempt to clear these states if they are detected. A small number of dedicated coaching agents will assist -normal agents in refining any behaviours they have developed. Coaches will also try toensure that successful behaviours are propagated as quickly as possible.The mechanism for achieving these combined behaviours is a novel combination of belief update and belief revision. This arrangement provides a belief management framework which is capable of identifying factors governing the behaviour of the agent's world with no requirement for prior knowledge. The resulting set of beliefs will be filtered by an agent's desires and intentions so as to produce a partially ordered set of plausible worlds and, hence, a partial order on sets of available actions to control the agent's behaviour.

[21] Patrick Hill, Simon Holland, and Robin C. Laney. Using aspects to help composers. Technical Report 2003/21, 2003. [ bib | .pdf ]
Current AOP and related research has largely focussed on thedevelopment of technologies that assist software engineeringpractitioners in the separation and composition of variousdimensions of concern across a range of software engineeringtasks. In this paper we argue that the principles of AOP might alsobe usefully applied in supporting user interaction with softwaresystems that aim to support multidimensional, non-linear, creativeprocesses such as music composition. We support our argumentwith two concrete examples of AOP approaches applied to amusical context.


This file was generated by bibtex2html 1.98.