
2010-04-30

Air Vehicle c coding standards compete with Ada

4.8: news.adda/av c++ coding standards:

stn vol3#1 p36/c can be safe too!
. while Ada is the technically superior
and more robust language compared to C
-- where anything can be type-cast into anything --
type-casting was a problem with
hiring college students for Ada coding:
it was seen as an unmarketable experience base .
. reliability issues with C
have been due only to
the way in which it was used;
however,
another possible problem with C
comes at the time of inspection,
when some code reviewers may find Ada
to be more self-documenting .

. the auto industry had a safe-subset standard for c;
and the F-22 used static code analyzer (SCA) tools
to enforce restriction to a safe-subset of Ada 83 .
. with the same idea in mind,
the F-35 Joint Strike Fighter found a safe subset
of both C and C++ for the safety critical systems
developed by the team of Lockheed Martin Aeronautics,
Northrop Grumman Aerospace, BAE Systems
and the F-35 supplier team.
. the F-16 had safety-critical software
that was all assembly coded,
and some of their team helped the F-35 team with
deploying a safe subset of c
-- both c and asm are similarly low-level lang's .

. an SCA tool's analyzer is like an observer
in a pair programming operation:
a much faster way of getting up to speed
than learning a new language like Ada .
--. after reading that,
I wondered how many C cowboys from college
were still banging their heads on restricted C ?
(either the 216 new rules in the form of compiler spit,
or 140 more pages of manual ...).

air vehicle c++ coding standards (doc) (google's cache)
. less-critical portions of Air Vehicle (AV) code
will be developed in C++
(safety-critical portions are to be in C);
the air vehicle c++ coding standards
provide safe, reliable, testable, and maintainable
C++ programming .
. these rules are required for all
Air Vehicle C++ development
and recommended for any
non-Air Vehicle C++ development.
Vehicle Systems Safety Critical Coding Standards for C
is based on the
MISRA Guidelines (Motor Industry Software Reliability Assoc)
For The Use Of The C Language In Vehicle Based Software,
but provides a more comprehensive set
of language restrictions
applied more uniformly across
all Vehicle Systems safety critical applications.
. AV Coding Standards build on the
Vehicle Systems Safety Critical Coding Standards for C,
by including:
C++ language-specific guidelines and standards.

. unit testing with full structural coverage
is typically done only at the source level
for non-critical code .
. but since compilation to object code
will result in some structural changes
as high-level control structures
are translated to a maze of goto's,
safety-critical code is also
unit-tested at the object level .
. that precaution has even found
some compiler bugs!

. it may seem more efficient to do Ada's practice
of validating one compiler per platform,
rather than unit-testing every translation;
in fact,
Ada compiler validation
has been for language enforcement only:
any safety-critical code for
military, aviation, [or medical?]
is routinely unit-tested at the object level
regardless of what language (Ada, C, ...)
the compiler was translating .

. from seeing how things went on the F-35 project,
the F-22 maint crew, when switching to new cpu's,
decided to convert their code base from Ada 83 to C .

soon-to-be-Dr. Robb at lockheedmartin.com
--. watch the F-35 do its first vertical landing (video) .

2010-03-31

soa (service oriented architectures)

3.22: web.addx/soa/openware options:
. I was really impressed by the bright ideas
in the book "(soa for dummies);
is there any openware project that embodies
or further documents those ideas? .

3.22 .. 3.23:
bk.addx/soa/Its Role in Your Connected Systems Strategy 2004:

. this 2004 article assumes soa starts with
a common language that we agree on in advance .
. we've seen businesses on the internet
agree on xml,
but that language should be used
only for the handshake,
which asks:
"(what binary language do you speak;
something more efficient than wordy xml? ) .

. reviewing what I learned in "(soa for dummies),
you design an soa system by arbitrarily choosing
a common binary language for your messaging system .
. then you provide a converter for each of your programs
that will translate between their command language
and your system messages language .
. a fundamental requirement of soa
is token-based (smart-carded) logged messaging,
where every interaction leaves a paper trail
so that while malware can happen
it is always discovered, and the source known .


3.24: bk.addx/soa/token-based security

. make web services secure:
"(. use token-based security:
an STS [Security Token Service] that emits
SAML tokens that can be cached on the client
(like kerberos token but with open standards).
Your webservices can be secured with
the wsFederationBinding
and you can do access checks based on
saml assertions that contain claims.
. here's a post that shows a web client
but it applies to smart clients as well .)
. wiki`Security_token .

Web Services Trust Language:
"(Web Services Trust Language (or WS-Trust)
defines extensions that build on Web Services Security
to provide a framework for
requesting and issuing security tokens,
and to broker trust relationships.
WS-Trust describes:
1. Methods for issuing, renewing, and validating security tokens.
2. Ways to establish, assess the presence of, and broker
trust relationships.
CICS supports the February 2005 version of the specification )

WS-Trust specification:
CICS can interoperate with
a Security Token Service (STS),
to provide more advanced authentication:
An STS is a Web service that acts as a
trusted third party
to broker trust relationships between
a Web service requester and provider.
In a similar manner to a
certificate authority in an SSL handshake,
the STS guarantees that the requester and provider
can "trust" the credentials
that are provided in the message.
This trust is represented through the
exchange of security tokens.
CICS acts as a Trust client
and can send two types of requests to an STS.
* validate the security token
in the WS-Security message header;
* exchange the security token for a different type,
enabling CICS to send and receive
from a wide variety of trust domains,
such as SAML assertions and Kerberos tokens.
. use SSL to secure the connection
between CICS and the STS.
. the meat: an open soa security std .
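To make the STS round-trip concrete, here is an added Python sketch (not CICS code, and not a real WS-Trust or SAML implementation) of the two requests above together with the claims-based access check from the earlier token-based security post: a username token from one trust domain is exchanged for a signed claims token, the provider asks the STS to validate it, and access is granted or refused on a claim. The key, the user directory and the JSON+HMAC token format are constructed stand-ins for SAML assertions; the SSL link between trust client and STS is assumed.

```python
import hmac, hashlib, json, time

class SecurityTokenService:
    """Constructed, simplified STS: issues, validates and exchanges signed tokens.
    The JSON+HMAC token is a stand-in for a SAML assertion, not real SAML XML."""

    def __init__(self, key, directory):
        self.key = key                # STS signing key (constructed)
        self.directory = directory    # subject -> (password, claims); constructed data

    def _sign(self, body):
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, subject, claims, token_type, ttl=300, now=None):
        """Issue a token carrying claims, valid for ttl seconds."""
        body = {"type": token_type, "sub": subject, "claims": claims,
                "exp": int(now or time.time()) + ttl}
        return {"body": body, "sig": self._sign(body)}

    def validate(self, token, now=None):
        """The 'validate' request: check signature and expiry of a presented token."""
        body = token.get("body", {})
        good_sig = hmac.compare_digest(self._sign(body), token.get("sig", ""))
        return good_sig and body.get("exp", 0) > (now or time.time())

    def exchange(self, username_token, target_type):
        """The 'exchange' request: trade a username/password token from one trust
        domain for a signed claims token of another type; None if credentials fail."""
        entry = self.directory.get(username_token.get("user"))
        if entry is None or not hmac.compare_digest(entry[0], username_token.get("password", "")):
            return None
        return self.issue(username_token["user"], entry[1], target_type)

def access_check(sts, token, claim, value, now=None):
    """Provider side: accept only a valid token whose claim list contains value."""
    if not sts.validate(token, now):
        return False
    return value in token["body"]["claims"].get(claim, [])
```

Because the provider never sees the password, only the STS-signed claims, the token can be cached on the client and replayed to any provider in the same trust domain until it expires, which is the Kerberos-like property the earlier post points at.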


3.24: addx/soa/efficiency and accountability:

. security is slow because it involves
carding for permissions and logging uses;
therefore, the os applies security only to
accesses of obj's it deems
critically in need of protection .
. the dev' too can ask for protection
of particular obj's, types, or type classes .
[3.26:
. the os`security is protecting the user,
while the dev`security is asking the os
for help with organizing large projects;
security helps find where the bugs originate .]
. logging interactions and param's
can determine a crash's cause
amidst multiple authors or products .

. copying is minimized to make logging cheap:
msg's from task queues are
requeued on the log's queue,
so only a ptr is copied per instruction .

logging timestamps:
. in a strictly modular concurrent system,
the log may not need
a msg's {creation, executed} timestamps
in order to assign blame during a system problem;
[3.26: but,
it might be helpful, so it should be optional .]

3.25: sci.addx/soa/saas (sw as a service):
. may be a keyword for soa token:
security done at the local level
rather than the web (where each process
also has its own processor) .

3.26: lib.addx/soa:
docs.oasis-open.org/ws-sx/
www.oasis-open.org/committees/tc_cat.php?cat=soa
www.oasis-open.org/committees/tc_cat.php?cat=security
. SCA Client and Implementation Model for C language.
. Service Component Architecture (SCA)
defines a biz model using a soa,
based on the concept of Service Components .

3.27: addx/gemini kernels:
look at this viral load:
> I just received a notification
> that I have used over 10GB of data this billing cycle,
> which is unusual (as I haven't been doing anything ...)
--. even in a monolithic system like linux
there should be a gemini system,
where a supervisor would be
untouchable even by root,
and this sup' would give you an honest reading
of things like the traffic you're generating .