
CS575 - Software Design

SDI: A Violation of Professional Responsibility

A presentation by:

Rong Gu

Cincy Francis

Amitkumar Dhameja

Contents:

1. SDI – An Overview
2. Parnas & SDI
3. The Role of Computers
4. The Decision to Act
5. Some Critical Issues
6. Broader Questions
7. Parnas’ Advice
8. Questions
9. Our Opinion

SDI - An Overview

Strategic Defense Initiative: A U.S. government program responsible for research and development of a space-based system to defend the nation from attack by strategic ballistic missiles

- Popularly referred to as “Star Wars”
- Announced by President Ronald Reagan in a speech in March of 1983

- Administered by the Strategic Defense Initiative Organization (renamed Ballistic Missile Defense Organization, 1993)
- Under Department of Defense, assisted by NASA

SDI Aims:

- To develop a network of satellites carrying sensors, weapons and computers
- To detect ICBMs and intercept them in mid-air
- To free us from the fear of nuclear weapons, and make nuclear strategic missiles impotent and obsolete

“Some say it will bring war to the heavens. But its purpose is to deter war in the heavens and on earth. Now some say the research would be expensive. Perhaps, but it could save millions of lives, indeed, humanity itself.”

- President Ronald Reagan

SDI – A Software Classification

Four Classes of Usage

1. Man-rated: Software so important and critical that lives may depend on it. Examples: SDI, ATC, medical device software

2. Enterprise-rated: Software critical to the uninterrupted operation of an enterprise. Examples: ATMs, Web-commerce software.

3. Good-enough: Business software that is not critical but may be used frequently. Examples: Personal productivity applications, much client & single-user software

4. Don’t-care: Non-critical, business or personal entertainment software. Examples: Games, seldom-used utilities

Parnas & SDI

Parnas’ Involvement in SDI:

- Approached by the SDIO in May of 1985
- $1000/day SDIO Panel on Computing in Support of Battle Management
- Resigned 2 months later

Professional Responsibility: A professional

- Is responsible for his own actions and cannot rely on any external authority to make his decisions for him
- Cannot ignore ethical and moral issues
- Must make sure that he is solving the real problem, not simply providing short-term satisfaction to his supervisor
- Shouldn’t hesitate to “blow the whistle”

Parnas’ Early Doubts:

- Whether any such system could meet the requirements
- Possible conflict of interests
- Whether such a system would be trustworthy
- Would it be useful to build a system we did not trust

Why trustworthiness is essential:

If the system is not trustworthy

- US will not abandon deterrence and nuclear missiles
- Seeing both a “shield” and missiles, USSR would feel impelled to improve its offensive forces
- US, not trusting its defense, would join in the arms race
- Result – a more dangerous world, instead of a safer one

The Role of Computers

Computers must:

- Process and analyze vast amounts of data produced by the sensors
- Detect missile firings, determine source, compute trajectories
- Discriminate between warheads and decoys
- Aim and fire the weapons

Software is the glue that holds the system together; if software is not trustworthy, the system isn’t either!

Limits of Software Technology:

- Lack of validation methods means we cannot expect a real program to work properly the first time it’s used
- Tests/simulations fail to uncover all serious problems
- Reliability & trustworthiness – only through extensive use.

Why Software for SDI is Difficult

- Based on assumptions about target and decoy characteristics controlled by attacker
- Espionage could render it worthless, so could overloading
- Dependence on communicating computers in satellites makes it vulnerable
- A satellite will require data from other satellites to assist in tracking, discrimination & countering noise
- Realistic testing of hardware & software through “practice” nuclear wars impossible
- MUST WORK THE FIRST TIME

The Decision to Act

Some reasons Parnas was given in support of SDI:

- Research money would advance the state of computer science!
- The money was going to be spent anyway and Parnas should help to see it well spent!
- There could be 100,000 errors in the software and it would still work properly!

- There was no fundamental law of computer science that said the problem could not be solved!
- Parnas – and other SDI critics – are demanding perfection!

Parnas Resigns…

- Found no scientist who disagreed with his conclusions
- Every reply argued with statements other than those Parnas had published
- “Taking money allocated for a shield against nuclear missiles, while knowing that such a shield was impossible, seemed like fraud to me” – Parnas

Some Critical Issues

The “90%” Distraction

- 3 layers, each 90% effective – overall leakage is less than 1% as effectiveness multiplies

Parnas reveals

- 90% figure picked for illustration
- Assumes performance of each layer is independent of others
- Percentage???
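As an added worked example (not part of the original presentation), the arithmetic behind the “90%” claim, and what becomes of it once the independence assumption Parnas points to is dropped. The common-mode failure model here is our own simplification for illustration, not a figure from Parnas or the SDIO.

```python
"""The "90%" layered-defense arithmetic, with and without independence.

Added example, not from the original presentation. The common-mode failure
model is a deliberately simple assumption of ours, not a figure from Parnas
or the SDIO.
"""
from fractions import Fraction
from typing import Optional, Sequence


def _exact(x: float) -> Fraction:
    """Work in exact rationals so that 0.1 * 0.1 == 0.01 really holds."""
    frac = Fraction(repr(x)) if isinstance(x, float) else Fraction(x)
    if not 0 <= frac <= 1:
        raise ValueError(f"probability out of range: {x!r}")
    return frac


def _leak_fraction(effectiveness: Sequence[float]) -> Fraction:
    """Product of the per-layer miss rates: the independent-layers model."""
    leak = Fraction(1)
    for p in effectiveness:
        leak *= 1 - _exact(p)
    return leak


def leakage_independent(effectiveness: Sequence[float]) -> float:
    """Fraction of attackers passing every layer when each layer succeeds
    independently of the others (the slide's 3 x 90% -> 0.1% leakage)."""
    return float(_leak_fraction(effectiveness))


def leakage_common_mode(effectiveness: Sequence[float], common_mode: float) -> float:
    """Same layers, but with probability `common_mode` a flaw shared by all
    of them (e.g. a wrong assumption about decoy signatures, which the
    attacker controls) defeats every layer at once; only in the remaining
    cases do the miss rates multiply."""
    c = _exact(common_mode)
    return float(c + (1 - c) * _leak_fraction(effectiveness))


def layers_needed(per_layer: float, target: float, common_mode: float = 0.0) -> Optional[int]:
    """Fewest identical layers whose leakage is <= `target`.  Returns None
    when the target is unreachable: a shared flaw puts a floor of
    `common_mode` under the leakage that extra layers cannot lower."""
    miss = 1 - _exact(per_layer)
    goal, c = _exact(target), _exact(common_mode)
    if goal < c or (goal == c and miss > 0):
        return None
    count, leak = 0, Fraction(1)
    while c + (1 - c) * leak > goal:
        count += 1
        leak *= miss
    return count


if __name__ == "__main__":
    layers = [0.9, 0.9, 0.9]
    print("independent layers:", leakage_independent(layers))          # 0.001
    print("with 5% common-mode:", leakage_common_mode(layers, 0.05))    # 0.05095
    print("layers for 0.1% leakage, independent:", layers_needed(0.9, 0.001))
    print("layers for 0.1% leakage, 5% common-mode:", layers_needed(0.9, 0.001, 0.05))
```

The independent model reproduces the slide's figure; with even a small shared flaw the leakage is dominated by that flaw, and no number of additional layers brings it below the floor.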

The “Loose Coordination” Distraction (Eastport Group, Dec. 1985)

- Phase I architectures – excessively tight coordination between “battle stations”
- Software difficulties could be overcome with loose coordination
- New Phase I studies to be started

Parnas Argues

- Loose coordination???
- Loose coordination – reduced communication between stations
- Later sections discuss need for extensive communication – Inconsistency

Eastport Group’s Unstated Assumptions

- Battle stations do not need data from other satellites to perform their functions

False!!! Data from other satellites is essential for accurate tracking and discrimination between warheads & decoys

- A simple battle station is a small software project that will not run into the software difficulties described before

False!!! Each battle station is unlikely to work, impossible to test, impossible to trust

- The only interaction between the stations is by explicit communication

False!!! Communication through weapons, sensors and through shared targets. Weapons and the destruction of targets create noise.

- A collection of communicating systems differs in fundamental ways from a single system

False!!! A collection of communicating programs is mathematically equivalent to a single program. In practice, distribution makes the problem harder, not easier

1985 CPSR-MIT Debate:

David Parnas, Joseph Weizenbaum (Against SDI)

vs.

Charles Seitz, Danny Cohen (In favor of SDI)

Parnas’ arguments:

- Specifications cannot be known in advance
- Realistic testing is essentially impossible
- Hard real-time deadlines do not allow repair during use
- No foreseeable advance in software tech changes this
- Therefore – it is not possible to construct SDI software that you could trust to work

Seitz’s arguments:

- The current objective of SDI is to conduct the vigorous research necessary to build a defense system
- Such a system can be written using conventional software techniques coupled with radical hardware architecture
- This will greatly aid in the testing, simulation and modification of SDI

Some Data on SDI

TOP 10 SDI contractors 1983-1986 ($ Thousand)

Source: Council on Economic Priorities 1987

[Bar chart; y-axis: Value of contracts. Contractors on the x-axis, left to right: Lockheed*, General Motors, DOE Lawrence Livermore Nat'l Lab*, Boeing, TRW, EG&G*, McDonnell Douglas, MIT Lincoln Lab, DOE Los Alamos Nat'l Lab*, General Electric Company. Bar values as extracted, in order: 720,961; 612,698; 375,433; 373,697; 373,117; 360,300; 338,224; 327,542; 285,588; 260,797.]

Distribution of requested SDI funding in major research areas in FY1985 ($ Million)

Source: Waller et al. 1986: 15

Total: $ 1357.299

[Pie chart]

- Kinetic energy weapons: 19%
- Directed-energy weapons: 25%
- Systems concepts & battle management: 7%
- Management HQ, SDI: 1%
- Survivability, lethality & key support technology: 8%
- Surveillance, acquisition, tracking & kill assessment: 40%

Broader Questions

Is SDIO sponsored work of good quality?

- Phase I studies – Eastport vs. SDIO contractors/evaluators
- Big promises, low quality
- Bypasses scientific review processes, no real scientific contribution

Do those who take SDIO funds really disagree with Parnas?

- Remember the reasons Parnas got in support of SDI?

The blind led by those with their eyes shut

- Often people indulge in unprofessional behavior just to not displease the customer

The role of academic institutions

- Institutional pressures in favor of accepting research funds from any source
- A researcher judged on his ability to attract funds
- DoD is a major administrator of research funds – consequently many institutions are working on SDIO projects

Should we pursue SDI for other reasons?

Parnas says:

“Good research stands on its own merits; poor research must masquerade as something else”

“Overfunded research is like heroin, it leads to addiction, weakens the mind, and leads to prostitution” – Prof. Janusz Makowski

Parnas’ Advice

Determine participation in defense projects by:

- Considering effectiveness of project
- Prioritizing legitimate defense interests of the country
- Emphasizing individual responsibility

Our Opinion

Is SDI really impossible???

- As our technologies evolve the system becomes more realistic
- Present systems show some signs of success
- Reliability/trustworthiness can be achieved through testing
- Testing can be done via computer simulations (e.g. nuclear tests are no longer necessary)
- Changes in hardware (sensors, weapon delivery systems, etc.) can compensate for no advances in software technology
- Better algorithms should be developed to counter noise, detect decoys, etc.

“SDI is the way to go” – Amit, Cincy, Rong

Questions