SAFECOMP 2003 Tutorials
Tuesday, 23 September 2003

08:30 - 09:00   Registration
09:00 - 12:30   Tutorial 1 | Tutorial 2
12:30 - 14:00   Lunch
13:30 - 18:00   Tutorial 1 (continued) | Tutorial 3

Tutorial registrations include: access to the specific tutorial; a copy of the tutorial notes/slides; lunch and coffee breaks.

Tutorial 1: Critical Systems Development with UML and Model-based Testing
Jan Jürjens (Munich University of Technology, DE)
[Tuesday, 23 September 2003 - full day: 09:00-18:00]
Tutorial 2: The CORAS Methodology for Model-based Risk Assessment
Bjørn Axel Gran (Institutt for energiteknikk, OECD Halden Reactor Project, NO)
[Tuesday, 23 September 2003 - half day: 09:00-13:00]
Tutorial 3: Self-Stabilization - Fault Tolerance in Distributed Systems
Pradip K Srimani (Clemson University, South Carolina, US)
[Tuesday, 23 September 2003 - half day: 13:00-18:00]


Tutorial 1: Critical Systems Development with UML and Model-based Testing

Jan Jürjens (Munich University of Technology, DE)

[Tuesday, 23 September 2003 - full day: 09:00-18:00]

Biographical Sketch. Jan Jürjens is a researcher at TU Munich (Germany). He is the author of a book on Secure Systems Development with UML (Springer-Verlag, due in 2003) and of over 20 papers in international refereed journals and conferences, mostly on computer security and software engineering, and has given 4 invited talks at international conferences. He has created and taught a course on secure systems development at the University of Oxford and has given 15 tutorials on his research at leading international conferences. He is the initiator and current chair of the working group on Formal Methods and Software Engineering for Safety and Security (FoMSESS) within the German Society for Informatics (GI). He is a member of the executive board of the Division of Safety and Security within the GI, a member of the advisory board of the Bavarian Competence Center for Safety and Security, and a member of the IFIP Working Group 1.7 "Theoretical Foundations of Security Analysis and Design". He has led various security-related projects with industry.

Tutorial Abstract. The high-quality development of critical systems (be they dependable, security-critical, real-time, performance-critical, or hybrid systems) is difficult. Many critical systems are developed, fielded, and used that do not satisfy their criticality requirements, sometimes with spectacular failures. Part of the difficulty of critical systems development is that correctness is often in conflict with cost. Where thorough methods of system design impose high cost through personnel training and use, they are all too often avoided. UML offers an unprecedented opportunity for high-quality critical systems development that is feasible in an industrial context. As the de-facto standard in industrial modeling, UML is a notation that a large number of developers are trained in. Compared to previous notations with a user community of comparable size, UML is relatively precisely defined. A number of analysis, testing, simulation, transformation and other tools have been developed to assist the everyday work with UML. However, there are challenges one has to overcome to exploit this opportunity, including the following: adaptation of UML to critical-system application domains, correct use of UML in those domains, the conflict between flexibility and unambiguity in the meaning of a notation, and improving tool support for critical systems development with UML.

The tutorial aims to give background knowledge on using UML for critical systems development and to contribute to overcoming these challenges. In particular, we consider model-based testing, where test sequences are generated from an abstract system specification to provide confidence in the correctness of an implementation. For critical systems, finding tests likely to detect possible failures or vulnerabilities is particularly difficult, as they usually involve subtle and complex execution scenarios (and sometimes the consideration of domain-specific concepts such as cryptography and random numbers). The tutorial presents current academic research and industrial best practice by addressing the following main subtopics: UML basics, including extension mechanisms; applications of UML to dependable systems, security-critical systems, real-time systems and embedded systems; extensions of UML (UML-RT, UMLsec, ...); using UML as a formal design technique for the development of critical systems; critical systems development methods; case studies; modeling, synthesis, code generation, testing, validation, and verification of critical systems using UML, in particular using the standard model interchange format (XMI) for tool integration and to connect to validation engines; existing tools; model-based testing.

As an example application domain, we focus on security-critical systems. We also show how to generalize the approach to the other application domains mentioned above. The tutorial includes a demo of a prototypical tool for the formal analysis of UML models for critical requirements, which is based on XMI. By the end of the tutorial, the participants will have knowledge on how to use the UML and model-based testing for a methodological approach to critical systems development. They will be able to use this approach when developing or analyzing critical systems, by making use of existing solutions and of sound methods of critical systems development.

The tutorial addresses practitioners and researchers in critical systems development interested in using UML and model-based testing (in particular for dependable, security-critical, or real-time systems). Basic knowledge of object-oriented software is assumed. No specific knowledge of UML or the various application domains is assumed.
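The abstract describes model-based testing as generating test sequences from an abstract specification and checking an implementation against them. The following is an added example of that idea, not material from the tutorial: the specification is a small state machine for a password prompt that locks out after three failures, the "implementation under test" is a hypothetical class with a configurable failure limit, and the test generator derives one sequence per transition (all-transitions coverage) by a shortest path from the initial state. The model, event names and the `Session` class are all constructed for this illustration.

```python
"""Model-based testing from a state-machine specification.

Added example (not from the tutorial or its author).  SPEC, the event
names and the Session class are hypothetical, constructed for illustration.
"""
from collections import deque

# Abstract specification: (state, event) -> next state.
# A prompt that locks out after three consecutive bad passwords.
SPEC = {
    ("LOCKED", "good_pw"): "OPEN",
    ("LOCKED", "bad_pw"): "FAIL1",
    ("FAIL1", "good_pw"): "OPEN",
    ("FAIL1", "bad_pw"): "FAIL2",
    ("FAIL2", "good_pw"): "OPEN",
    ("FAIL2", "bad_pw"): "LOCKED_OUT",
    ("LOCKED_OUT", "good_pw"): "LOCKED_OUT",   # nothing unlocks a locked-out prompt
    ("LOCKED_OUT", "bad_pw"): "LOCKED_OUT",
    ("LOCKED_OUT", "reset"): "LOCKED",         # administrative reset only
    ("OPEN", "logout"): "LOCKED",
}
INITIAL = "LOCKED"


def generate_tests(spec, initial):
    """One test per transition: shortest event path (BFS over the model) to the
    transition's source state, followed by the transition's own event."""
    paths = {initial: []}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        for (src, ev), dst in spec.items():
            if src == s and dst not in paths:
                paths[dst] = paths[s] + [ev]
                queue.append(dst)
    return [paths[src] + [ev] for (src, ev) in spec]


class Session:
    """Hypothetical implementation under test.  max_failures=3 conforms to
    SPEC; any other value deviates from it."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = 0
        self.open = False
        self.locked_out = False

    def step(self, event):
        if self.locked_out and event != "reset":
            return                      # locked out: ignore password attempts
        if event == "good_pw":
            self.open, self.failures = True, 0
        elif event == "bad_pw":
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked_out = True
        elif event == "reset":
            self.locked_out, self.failures, self.open = False, 0, False
        elif event == "logout":
            self.open, self.failures = False, 0


def abstract(session):
    """Map concrete implementation state onto a model state."""
    if session.locked_out:
        return "LOCKED_OUT"
    if session.open:
        return "OPEN"
    return "LOCKED" if session.failures == 0 else f"FAIL{session.failures}"


def run_tests(spec, initial, new_sut):
    """Drive a fresh SUT along every generated sequence, comparing the
    abstracted SUT state with the model after each event.  Returns a list of
    (events_so_far, expected_state, observed_state) for each failing test."""
    failures = []
    for events in generate_tests(spec, initial):
        sut, state = new_sut(), initial
        for i, ev in enumerate(events):
            state = spec[(state, ev)]
            sut.step(ev)
            observed = abstract(sut)
            if observed != state:
                failures.append((events[: i + 1], state, observed))
                break
    return failures


if __name__ == "__main__":
    print("conforming:", run_tests(SPEC, INITIAL, lambda: Session(3)))
    print("limit of 4:", run_tests(SPEC, INITIAL, lambda: Session(4)))
```

With the conforming limit the run returns no failures; with a limit of four the generated tests expose the deviation at the third bad password and, because every path into LOCKED_OUT passes through that transition, in the three tests that start from LOCKED_OUT as well. Note what the model does and does not buy: coverage is relative to the specification, so a transition the model omits (say, `bad_pw` while OPEN) is never exercised, which is why the abstract stresses choosing models that capture the subtle scenarios.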



Tutorial 2: The CORAS Methodology for Model-based Risk Assessment
Bjørn Axel Gran (Institutt for energiteknikk, OECD Halden Reactor Project, NO)

[Tuesday, 23 September 2003 - half day: 09:00-13:00]

Biographical Sketch. Bjørn Axel Gran holds a PhD in industrial mathematics, in the field of software reliability, from the Norwegian Institute of Technology (NTNU), Trondheim, 2002. In 1995 he joined Institutt for energiteknikk, which hosts the OECD Halden Reactor Project. He is now employed as principal research scientist in the section for Safety and Reliability of Computerised Systems. His work has consisted of research within software dependability, with a main interest in the use of Bayesian Belief Networks for combining disparate sources of information in the safety assessment of software-based systems. Since 2001 he has led the work package on Risk Analysis in CORAS (IST-2000-25031), where the main focus has been on the combination of risk analysis methods and semi-formal modelling. Gran is also an active member of EWICS TC7 (European Workshop on Industrial Computer Systems Reliability, Safety and Security). He has authored a number of papers and reports, one of which received a best paper award at the ESREL'98 conference. Since 1996 he has also been treasurer of Scandinavian Reliability Engineers.

Tutorial Abstract. The concept of model-based risk assessment (MBRA) has been a research topic since the 1980s, and builds on the idea of using system modelling, when specifying and describing the systems to be assessed, as an integrated part of the risk assessment. Few approaches, however, link the concept to all stages of the risk analysis, assessment and management process. The CORAS methodology does so, and is furthermore specialised towards the assessment of security-critical systems. The EU-funded project CORAS (IST-2000-25031) has developed a novel framework for model-based risk assessment, using a trial-based empirical strategy within the telemedicine and e-commerce domains.

The CORAS methodology for MBRA is based on the standard AS/NZS 4360 "Risk Management" and uses the de facto standard modelling technique UML for system modelling. It is furthermore founded on the standard ISO/IEC 17799-1 "Code of Practice for Information Security Management" and on the Reference Model for Open Distributed Processing (RM-ODP). In particular, it takes the risk management process of AS/NZS 4360 and refines its sub-processes into activities. For each activity CORAS provides guidelines and recommendations on how to perform it within the sub-process. As in other approaches to MBRA, the CORAS methodology incorporates adaptations and refinements of widely used, generic risk analysis methods, and provides recommendations on how to apply them to system models expressed in UML. The latter eases the communication of risk assessment results and emphasises that risk assessment is a human-intensive activity.

The guideline is layered. For each activity there is a short description of its objective and a criterion for when the activity terminates; this layer addresses a decision maker or a client applying the guideline. Within each activity the tasks are divided into an "entry level" and a "full CORAS" level. The entry level addresses projects with limited risk-analysis competence, while the full version assumes that users have higher competence and experience in both risk management and the application of risk analysis methods. The entry level can also be applied to smaller projects, or to projects with few resources for risk assessment. The results are strongly influenced by the experience and feedback gathered during a series of six trials in the e-commerce and telemedicine domains.

The tutorial presents the content of the CORAS methodology for MBRA with a focus on its use. The first part concentrates on choosing a layer and on the requirements users of the methodology should meet. The second part focuses on the recommendations and guidelines, illustrated with examples from the CORAS trials.



Tutorial 3: Self-Stabilization - Fault Tolerance in Distributed Systems
Pradip K Srimani (Clemson University, South Carolina, US)

[Tuesday, 23 September 2003 - half day: 13:00-18:00]

Biographical Sketch. Pradip K Srimani received his Ph.D. degree in computer science from the University of Calcutta, Calcutta, India in 1978. He has served on the faculty of the Indian Statistical Institute, Calcutta; GMD, Bonn, West Germany; the Indian Institute of Management, Calcutta, India; Southern Illinois University, Carbondale, Illinois; and Colorado State University, Fort Collins, Colorado. Since 2000 he has been professor and chair of computer science at Clemson University, South Carolina. His research interests include reliable systems, parallel algorithms and fault-tolerant computing. He is a Fellow of the IEEE and a member of the ACM. He has served as Editor-in-Chief of the IEEE Computer Society Press and is a member of the editorial boards of IEEE Software and IEEE Transactions on Knowledge and Data Engineering. He has served as a Distinguished Visiting Speaker and Chapter Tutorial Speaker for the IEEE Computer Society for the past several years. He has guest-edited special issues of IEEE Trans. Comput., IEEE Trans. Software Eng., JPDC, Parallel Computing, IEEE Computer, IEEE Software, Journal of Systems and Software, VLSI Design, International Journal of Systems Science and others, and has served many conferences in various capacities.

Tutorial Abstract. Robustness is one of the most important requirements of modern distributed systems. Faults of different types are likely to occur in various parts of the system, and these systems pass through transient states because they are exposed to constant change in their environment. In a distributed system the computing elements, or nodes, exchange information only by message passing; the processors do not share memory. Any practical distributed system should be able to recover from transient faults of the processors and communication links. Ideally, the recovery process should start automatically as soon as a fault is detected and must not rely on the assumption that the system can be restarted from a well-defined state: it is impractical, if not impossible, to power-cycle all processors simultaneously. We can, however, assume that the code of the program executed by every processor is not altered by transient faults; this code may be stored in read-only memory or reloaded from non-volatile memory after a transient fault. A distributed self-stabilizing system is one that satisfies this requirement: it can start from any possible initial state and reaches a set of legitimate states in finite time (convergence), and if the initial state is already legitimate then all subsequent states are legitimate (closure).

Self-stabilization is a different way of looking at fault tolerance in distributed systems: it provides a "built-in safeguard" against "transient failures" that might corrupt the data in a distributed system, enabling the system to recover from failures automatically without intervention by any external agency. Stabilizing algorithms are optimistic in the sense that the distributed system may temporarily behave inconsistently, but a return to correct system behavior is guaranteed in finite time; traditional robust distributed algorithms follow a pessimistic approach in that they protect against the worst possible scenario, which demands an assumed upper bound on the number of faults. The purpose of this tutorial is to familiarize the participants with the basic concepts and related issues, so that they can then pursue further research in the area and/or explore practical applications of the concept. We will use the following outline:
  • Distributed Systems and Algorithms
  • Self-Stabilization & Distributed Fault Tolerance
  • Requirements of Self-Stabilization
  • Design of Self-Stabilizing Algorithms
  • Classifications of Self-Stabilizing Systems
  • Protocols: Spanning tree, Leader Election, dominating sets, coloring and matching
  • Limitations of Self-Stabilizing Algorithms
  • Implementation issues, Run time Environments
  • Future Directions and Applications in real life
Who should attend: Engineers, scientists, software developers, faculty members, graduate and undergraduate students who want to get familiar with the newest paradigm of fault tolerant distributed computing. No mathematical sophistication or prior knowledge in distributed computing theory is assumed. You should have reasonable experience in computer programming and know basics of algorithm design and distributed systems.
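The abstract defines a self-stabilizing system by two properties, convergence to a legitimate state from any initial state and closure once there, and the outline lists token-passing style protocols among the classic examples. The following is an added example, not part of the tutorial material: a simulation of Dijkstra's K-state mutual-exclusion ring, the original self-stabilizing algorithm, run under a central daemon that at each step picks one privileged process. The ring size, the choice K = N + 1 (K >= N is the known sufficient condition), the random daemon and the step bound are assumptions made for this illustration; no process is ever reset, and the "transient fault" is simply an arbitrary starting configuration.

```python
"""Dijkstra's K-state self-stabilizing token ring, simulated under a central daemon.

Added example, not from the tutorial.  Ring size, K, the random daemon and
the step bound are choices made for this illustration.

Process 0 holds the privilege when its state equals that of process N-1 and
moves by incrementing its state mod K; process i > 0 holds the privilege when
its state differs from process i-1's and moves by copying it.  A configuration
is legitimate when exactly one process is privileged (one 'token').
"""
import random


def privileged(states):
    """Indices of the privileged processes in configuration `states`."""
    n = len(states)
    priv = [0] if states[0] == states[n - 1] else []
    priv += [i for i in range(1, n) if states[i] != states[i - 1]]
    return priv          # never empty: if no i > 0 differs, all are equal and 0 qualifies


def move(states, i, K):
    """Configuration after process i (which must be privileged) makes its move."""
    new = list(states)
    new[i] = (states[0] + 1) % K if i == 0 else states[i - 1]
    return new


def legitimate(states):
    return len(privileged(states)) == 1


def stabilise(states, K, rng, max_steps=5000):
    """Central daemon: repeatedly pick any privileged process and let it move
    until the configuration is legitimate.  Returns (moves, configuration)."""
    steps = 0
    while not legitimate(states):
        if steps >= max_steps:
            raise RuntimeError(f"no convergence within {max_steps} moves: {states}")
        states = move(states, rng.choice(privileged(states)), K)
        steps += 1
    return steps, states


def closure_holds(states, K, rng, rounds):
    """Closure check: from a legitimate configuration, keep scheduling and
    confirm every subsequent configuration is still legitimate."""
    if not legitimate(states):
        raise ValueError("closure is only defined from a legitimate configuration")
    for _ in range(rounds):
        states = move(states, rng.choice(privileged(states)), K)
        if not legitimate(states):
            return False
    return True


def run_trials(n, K, trials, seed, closure_rounds=200):
    """Start `trials` rings of size n in random (corrupted) configurations,
    let each converge, then verify closure.  Returns the moves needed per trial."""
    rng = random.Random(seed)
    counts = []
    for _ in range(trials):
        start = [rng.randrange(K) for _ in range(n)]
        steps, conf = stabilise(start, K, rng)
        if not closure_holds(conf, K, rng, closure_rounds):
            raise AssertionError(f"closure violated after convergence from {start}")
        counts.append(steps)
    return counts


if __name__ == "__main__":
    n, K = 8, 9
    rng = random.Random(1)
    start = [rng.randrange(K) for _ in range(n)]
    print("start:", start, "privileged:", privileged(start))
    steps, conf = stabilise(start, K, rng)
    print(f"legitimate after {steps} moves:", conf, "privileged:", privileged(conf))
    print("moves per trial:", run_trials(n, K, 20, seed=2))
```

Two things are worth observing when running it. First, no code path ever checks for or repairs a "fault": convergence falls out of the local rules alone, which is what the abstract means by a built-in safeguard with no external agency. Second, the step bound in `stabilise` is only a guard for the simulation; with K >= N the algorithm provably converges under any central daemon, and the known bound is quadratic in N, so the guard never triggers for the parameters used here.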