Re: [fw-wiz] Proverbial appliance "Its software, Jim!"

From: Stephen D. B. Wolthusen (wolt@igd.fhg.de)
Date: 10/17/02


To: firewall-wizards@honor.icsalabs.com
From: wolt@igd.fhg.de (Stephen D. B. Wolthusen)
Date: Thu Oct 17 14:12:01 2002

Hi,

Mike Frantzen <frantzen@w4g.org> writes:

> There are two applicable differences between a hardware firewall and a
> software firewall. In hardware, everything happens in parallel (well,
> every stage, you'll latch between stages to produce a sequential
> pipeline). And the other difference is that hardware testing standards
> are orders of magnitude better than software testing standards.
>
> The first person who tells me VHDL or Verilog is software gets labeled
> a dumbass.

Then call me dumb***, but I've been called worse. Your argumentation is a
bit disingenuous. An ASIC is a piece of software where I have to consider
some additional constraints for signal pathways and
suchlike. Fundamentally, there's nothing different from ``soft'' software,
except for a few more things that can go wrong.

Hardware developers traditionally have a higher standard for design,
development, and testing methods than the software crowd. Mainly because
even bean counters can understand that fixing bugs downstream in
custom/full custom design is hideously expensive. Reprogrammable
architectures, microcode patches etc. may well erode this barrier to sloppy
work.

To quote Mike Feldman, the motto of the software industry is ``We never
have time to do it right, but we always have time to do it over.'' Always
has been, still is.

> > It
> > doesn't matter if your design tool is back-of-the-envelope or the best
> > that Rational has to offer. You're still human and fallible.

That's why you try to eliminate the human factor as much as possible.

Use formal methods for your design and specification. Fancy UML diagrams
still leave enough ambiguity to be mostly a feel-good exercise.

Refine this as far down to actual code as you can afford (getting
``executable'' FM specifications is frequently too expensive both in terms
of computational efficiency and actual monetary cost); in some cases, such
as control systems for weapons systems and avionics, it can be justified to
go to the level of program proofs (with tools such as Z/EVES or the SPARK
suite, that can be managed).

Depending on the level of rigor with which formal methods are used, defect
rate reductions have been reported in case studies ranging from 5x to
around 100x.

Use a programming language that assists the programmer, and doesn't permit
him to overwrite arbitrary storage six ways from Sunday. Plus, use a
language that is well-defined in its syntax and semantics (Hint: neither C
nor C++ nor Java nor... is).

For Ada 95 it is hard to get compilers that have not been evaluated for
conformance to the ISO standard with a torture test suite; the rigid
semantics were one of the reasons why it was chosen as a basis for VHDL. In
case of C/C++ I can't even be sure what the semantics of an operation is.

Again, case studies have shown that all else being equal, Ada programs have
a defect rate about 10x lower than C, so it's *not* just a matter of a
different syntax as some people are likely to claim.

Now an exercise for the reader: How many projects (OK, anyone who uses
``DO-178B'' and similar acronyms in conversation won't count) that you know
of use formal methods for design and specification and derive their code by
rigorous correspondence argument or proof in a language with well-defined
semantics?

OK, that was my rant for this month.

-- 
	later,
	Stephen
Fraunhofer-IGD                 | mailto:
Stephen Wolthusen              | wolt@igd.fhg.de
Fraunhoferstr. 5  	       | swolthusen@acm.org
64283 Darmstadt                | swolthusen@ieee.org
GERMANY                        | stephen@wolthusen.com
			       | 
Tel +49 (0) 6151 155 539       | Fax: +49 (0) 6151 155 499 
    +49 (0) 172 916 9883       |      +49 (0) 6245 905 366 
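An added example, not part of Stephen's post and not code from any of the tools he names, to make the Ada-versus-C point above concrete in C itself. Ada 95 inserts an index check on every array store and a range check on every integer operation and raises Constraint_Error when either fails; plain C compiles the out-of-range store silently and leaves signed overflow undefined. The block below puts the unchecked C form next to a version that performs those two checks explicitly and returns a status instead of corrupting memory. All names (enum status, checked_store, checked_add, accumulate, the demo_ drivers) and the input arrays are the example's own, constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes standing in for Ada's Constraint_Error (assumed names). */
enum status { OK = 0, ERR_INDEX = 1, ERR_OVERFLOW = 2 };

/* Unchecked: what plain C gives you. If idx >= the array length this
 * overwrites whatever happens to follow the array, and the compiler is
 * under no obligation to notice. Only ever called in range in this file. */
static void unchecked_store(int *buf, size_t idx, int v) { buf[idx] = v; }

/* Checked: the index check an Ada compiler emits for every array store,
 * written out by hand. */
static enum status checked_store(int *buf, size_t len, size_t idx, int v) {
    if (idx >= len) return ERR_INDEX;
    buf[idx] = v;
    return OK;
}

/* Checked addition: signed overflow is undefined behaviour in C, so the
 * overflow has to be detected *before* the add, using only values that
 * are themselves in range. Ada does this for you and raises on failure. */
static enum status checked_add(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return ERR_OVERFLOW;
    *out = a + b;
    return OK;
}

/* Fill out[] with running totals of in[], stopping at the first index or
 * arithmetic error instead of writing past out[] or wrapping silently. */
static enum status accumulate(const int *in, size_t n, int *out, size_t out_len) {
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        enum status s = checked_add(total, in[i], &total);
        if (s != OK) return s;
        s = checked_store(out, out_len, i, total);
        if (s != OK) return s;
    }
    return OK;
}

/* Drivers over constructed input, one per outcome. */
static enum status demo_fits(void) {
    int in[4] = {1, 2, 3, 4}, out[4];
    return accumulate(in, 4, out, 4);            /* OK */
}
static int demo_fits_last(void) {
    int in[4] = {1, 2, 3, 4}, out[4];
    accumulate(in, 4, out, 4);
    return out[3];                               /* 1+2+3+4 = 10 */
}
static enum status demo_too_small(void) {
    int in[4] = {1, 2, 3, 4}, out[2];            /* out[] too short */
    return accumulate(in, 4, out, 2);            /* ERR_INDEX at i == 2 */
}
static enum status demo_overflow(void) {
    int in[2] = {INT_MAX, 1}, out[2];            /* second add would wrap */
    return accumulate(in, 2, out, 2);            /* ERR_OVERFLOW */
}

int main(void) {
    int scratch[1];
    unchecked_store(scratch, 0, 42);             /* in range, so well-defined */
    printf("fits:      %d\n", demo_fits());
    printf("last:      %d\n", demo_fits_last());
    printf("too small: %d\n", demo_too_small());
    printf("overflow:  %d\n", demo_overflow());
    return 0;
}
```

The two checks are about a dozen lines here and easy to forget on the next array or the next addition; the argument in the post is that a language whose compiler emits them on every operation removes that dependence on the programmer remembering.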

