| Summary: | This dissertation attempts to make a contribution within the fields of distributed systems, security,
and formal verification. We provide a way to formally assess the impact of a given change in
three different contexts. We have developed a logic based on Lewiss Counterfactual Logic. First
we show how our approach is applied to a standard sequential programming setting. Then, we
show how a modified version of the logic can be used in the context of reactive systems and sensor
networks. Last but not least we show how this logic can be used in the context of security systems.
Traditionally, change impact analysis has been viewed as an area in traditional software engineering.
Software artifacts (source code, usually) are modified in response to a change in user
requirements. Aside from making sure that the changes are inherently correct (testing and verification),
programmers (software engineers) need to make sure that the introduced changes are
coherent with those parts of the systems that were not affected by the artifact modification. The
latter is generally achieved by establishing a dependency relation between software artifacts. In
rough lines, the process of change management consists of projecting the transitive closure of the
this dependency relation based on the set of artifacts that have actually changed and assessing how
the related artifacts changed.
The latter description of the traditional change management process generally occurs after the
affected artifacts are changed. Undesired secondary effects are usually found during the testing
phase after the changes have been incorporated. In cases when there is certain level of criticality,
there is always a division between production and development environments. Change management
(either automatic, tool driven, or completely manually done) can introduce extraneous defects
into any of the changed software life-cycle artifacts. The testing phase tries to eradicate a
relatively large portion of the undesired defects introduced by change. However, traditional testing
techniques are limited by their coverage strength. Therefore, even when maximum coverage is
guaranteed there is always the non-zero probability of having secondary effects prior to a change.
|
|---|
