
TRANSCEIVER MODULE AT-XTR-903-A4

In document ESCUELA POLITÉCNICA NACIONAL (pages 29-37)


After the top-level goals have been refined into subcharacteristics in the first transition of the Goal Solution Scheme, they are more specific. But, they are still of a qualitative nature and still cannot be implemented directly. In the next step, the transition from the subcharacteristics to the design principles is performed, as introduced with the general concept of the GSS.

As a step from the problem space to the solution space, in the second transition, properties, principles, and guidelines for good architectural design are assigned to the subcharacteristics. These principles and guidelines give hints or advice for the functional solutions. Of course, lots of principles exist and even more relations between quality goals and these principles are imaginable. Therefore, the designer has to analyze the subcharacteristics and to decide on suitable principles. There are always quality goals that have symbiotic relations or, on the contrary, compete with each other. In order to resolve conflicts, knowledge about the interdependencies between the different subcharacteristics is important. A goal model contains these dependencies and the trade-offs.

For illustration, an example of a decision is discussed here. The principle of high encapsulation supports changeability. On the other hand, a strong encapsulation has a negative influence on testability, because inaccessible attributes are hard to control. Because of the refinement from the first step, both changeability and testability are known to be subcharacteristics of maintainability and contribute to it. Now, by assigning encapsulation to these subcharacteristics, the conflict becomes visible and can be considered. Frequently, multiple different principles contribute to the same subcharacteristic. In these cases a decision can be made on which principle is applicable or how to prioritize them.

Conflicting interdependencies between different quality subcharacteristics and architectural principles often are still not tangible enough. Then, they have to be elaborated further on the solution instrument level of the Goal Solution Scheme. This is necessary to be able to decide with clear rationale, which principle to choose to achieve the highest degree of goal fulfillment. Therefore, the principles are mapped further to solution instruments and the decision-making on how to resolve the conflict is postponed to the next step, when the criteria for adequate solution instruments are more precise than those for the principles. Based on the contributions of the solution instruments to the principles and the quality goals, the different alternatives can be weighed and the decisions, which alternatives to choose, can be made. For the GORE approaches also some evaluation techniques exist, which could be applied. Anyway, it is always reasonable to decide as soon as possible to reduce further effort.

Discussion for the Case Study. For the cut-out from the case study, the second transition of the Goal Solution Scheme is shown in Figure 5.4. The subcharacteristics result from the refinement in the previous transition step. Starting from the higher prioritized subcharacteristics, appropriate principles are chosen. For the subcharacteristics replaceability and modifiability, we decide in favor of the architectural design principles encapsulation, modularization, and loose coupling. These principles are well known to support changes. Already Parnas [Par72] discussed the importance of modularization for changeability and flexibility, which is one of the most important quality goals here. Moreover, service orientation was identified to support encapsulation, modularization, and loose coupling. A service-oriented architecture obviously can help in this scenario, because loose coupling is one of its core principles. It further helps encapsulation and modularization. In Figure 5.4 the mentioned principles are related to the subcharacteristics replaceability and modifiability by contribution links, denoting a positive influence. For those principles explicitly chosen by the architect, traceability links of the type realize can be established as well. This type of links is established, because the principles represent a step towards the solution of the quality goals, and to document the design decisions for choosing service orientation.

[Diagram not reproduced. Layers: Subcharacteristics, Design Principles. Node labels: Replaceability, Modifiability, Extendability, Performance, Integrity, Confidentiality, Availability, Modularization, Encapsulation, Loose Coupling, Tamperproofness, Total Mediation, Verifiability, Isolation, Minimal TCB, Service Orientation. Link labels: Help, Hurt, Make.]

Figure 5.4: Second transition of the Goal Solution Scheme for the case study

The security subcharacteristics integrity and confidentiality are discussed as another example. To achieve the system’s security goals, security policies have to be applied, as a comprehensive set of rules that are designed [GM82]. Security policies are applied to determine a so-called trusted computing base (TCB) [LABW92]. The TCB comprises the functional parts of a system that enforce and protect the security policy. For the implementation of a security policy and a trusted computing base, there are fundamental principles that refer to the so-called reference monitor concept [And72]. A reference monitor must be tamperproof, always invoked and small enough to be analyzable and verifiable, which is represented by the principles tamperproofness, total mediation, and verifiability. These reference monitor principles are further supported by isolation and a minimal TCB as principles for the architectural design. Isolation of the security relevant functions in the security architecture of a system is a necessary consequence to be able to realize a tamperproof reference monitor that cannot be bypassed [Gas88]. Correctness and completeness are additional necessary properties not further discussed here [Dep85]. These decisions and the causes again can be documented by traceability links of the type realize.

and the subcharacteristic modifiability were identified as well. They are shown as hurt-contribution links. Modifications in the software architecture can negatively influence the minimality of the trusted computing base and vice versa. The other security principles are affected by changes as well. Tamperproofness can easily be breached if a modification is performed in a wrong way. Therefore, changes should only be made on those architectural parts that do not have to be isolated for security reasons.

These conflicting relations confirm the earlier assumption that security is in conflict with flexibility and scalability. However, at the principles level their interdependencies have been clarified and a much better understanding of the conflict is achieved than on the goal or the subcharacteristic level. Anyway, the conflict between the fundamental security principles and the subcharacteristic modifiability cannot be resolved in this transition of the Goal Solution Scheme. The conflict resolution has to be postponed to the next design step, when related solution instruments can be analyzed more precisely than the principles.
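The conflict described above can be made mechanical by treating the second transition as a signed graph. The following is an added example, not code from the thesis: the link set is constructed from the prose rather than transcribed from Figure 5.4, and the function names, the rule that signs multiply along a path, and the choice to let isolation and minimal TCB support all three reference monitor principles are assumptions.

```python
from collections import defaultdict
from itertools import product

HELP, HURT = +1, -1

def links():
    """Contribution links named in the prose (constructed; not a transcription of Figure 5.4)."""
    change = ["encapsulation", "modularization", "loose coupling"]
    monitor = ["tamperproofness", "total mediation", "verifiability"]
    edges = [("service orientation", p, HELP) for p in change]
    edges += [(p, s, HELP) for p, s in product(change, ["replaceability", "modifiability"])]
    edges += [(p, s, HELP) for p, s in product(monitor, ["integrity", "confidentiality"])]
    # Assumption: isolation and minimal TCB each support all three monitor principles.
    edges += [(p, m, HELP) for p, m in product(["isolation", "minimal TCB"], monitor)]
    # Hurt links the text names explicitly against modifiability.
    edges += [(p, "modifiability", HURT) for p in ["minimal TCB", "tamperproofness"]]
    return edges

def effects(edges, start):
    """Signed effects of `start` on reachable nodes; signs multiply along a path (assumed rule)."""
    adj = defaultdict(list)
    for src, dst, sign in edges:
        adj[src].append((dst, sign))
    found, stack = defaultdict(set), [(start, HELP)]
    while stack:
        node, sign = stack.pop()
        for dst, link in adj[node]:
            if sign * link not in found[dst]:
                found[dst].add(sign * link)
                stack.append((dst, sign * link))
    return found

def conflicts(edges):
    """Subcharacteristics that some principles help and others hurt, with those principles."""
    principles = {src for src, _, _ in edges}
    by_target = defaultdict(lambda: {HELP: set(), HURT: set()})
    for p in principles:
        for node, signs in effects(edges, p).items():
            if node not in principles:          # leaf node = subcharacteristic
                for sign in signs:
                    by_target[node][sign].add(p)
    return {n: v for n, v in by_target.items() if v[HELP] and v[HURT]}

if __name__ == "__main__":
    for target, sides in conflicts(links()).items():
        print(target, "helped by", sorted(sides[HELP]), "hurt by", sorted(sides[HURT]))
```

Under these assumptions modifiability is the only contested subcharacteristic, and isolation lands on the hurting side indirectly through tamperproofness, which matches the advice to confine changes to parts that need no isolation.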
