Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
Ph.D. - geht es zur Homepage der Informatik des Fachbereiches 3 ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Chapter 1. Introduction<br />
MontiCore MontiCore [50, 51] is a framework that is specialised for the development of<br />
text-based domain-specific languag<strong>es</strong> [35]. A typical task during the development of th<strong>es</strong>e is<br />
the definition of the concrete and abstract syntax. In textual languag<strong>es</strong>, the concrete syntax is<br />
also called grammar. While the definition of the grammar is mostly related to the development<br />
of the available textual constructs and elements, the abstract syntax is needed for parsing<br />
concrete text instanc<strong>es</strong> that conform to the grammar.<br />
Therefore, both syntax typ<strong>es</strong> must be held synchronised or rather must be modified together.<br />
Normally, the concrete syntax / grammar is in the main focus during the development of the<br />
textual language. Thus, modifications in the grammar ren<strong>der</strong> nec<strong>es</strong>sary adaptations of the<br />
abstract syntax. To avoid this often recurring task, MontiCore provid<strong>es</strong> an own grammar<br />
format for the ANTLR [69] parser generator, from which an abstract syntax (tree) can be<br />
generated automatically. Accordingly, the manual update and development of the abstract<br />
syntax can be omitted.<br />
Although MontiCore seems to be an excellent starting point for the development of textual<br />
languag<strong>es</strong>, the case study in Part III developed in this work us<strong>es</strong> a graphical modelling formalism,<br />
which is motivated in Chapter 3.<br />
Open Proofs The development of safety-critical software as re-usable open source is one of<br />
the basic ideas that supports this dissertation. A similar concept called Open Proofs [65] also<br />
addr<strong>es</strong>s<strong>es</strong> this idea because the term “open proofs” refers to the public proofs of correctn<strong>es</strong>s of<br />
a certain software. Open Proofs requir<strong>es</strong><br />
• the entire implementation,<br />
• automatically-verifiable proof(s) of at least one key property, and<br />
• required tools (for use and modification)<br />
to be free/libre open source software (FLOSS) [95]. Open Proofs demands that in such a<br />
publicly developed tool-chain faults can be found more easily and eliminated due to a big<br />
community using them. Neverthel<strong>es</strong>s, currently there exist only few exampl<strong>es</strong> of software that<br />
implement the Open Proofs principle.<br />
In contrast to the contributions of this dissertation, Open Proofs is only a concept that can<br />
be applied to the software development for safety-critical systems.<br />
openETCS The openETCS [38, 37] initiative of German Railways (Deutsche Bahn) is based<br />
on the Open Proofs idea [40, 39]. Reviewing evidence, where security threats have been<br />
purposefully integrated into closed-source commercial software products, the initiators argued<br />
that open source software could be useful – perhaps even mandatory in the future – to ensure<br />
safety and security of railway control systems. Even though the standards applicable for<br />
safety-critical systems software development in the railway domain [11, 10] require independentthird-party<br />
verification and validation, the complexity of the source code on the one hand<br />
and the limited budget available for V&V on the other hand can only mitigate the threat of<br />
safety and security vulnerabiliti<strong>es</strong>. A guarantee to uncover all compromising code fragments<br />
inadvertently or purposefully injected into the code cannot be given. As a consequence, in<br />
4