CN115062463A - Modeling system based on proof-demonstrating structure modeling language - Google Patents
- Publication number: CN115062463A
- Application number: CN202210651164.5A
- Authority: CN (China)
- Prior art keywords: model, meta, demonstration, module, gsn
- Legal status: Granted
Classifications (G—PHYSICS; G06—COMPUTING, CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING)
- G06F30/00 Computer-aided design [CAD] > G06F30/20 Design optimisation, verification or simulation
- G06F30/00 Computer-aided design [CAD] > G06F30/10 Geometric CAD > G06F30/15 Vehicle, aircraft or watercraft design
- G06F2111/00 Details relating to CAD techniques > G06F2111/04 Constraint-based CAD
Landscapes (areas): Engineering & Computer Science; Physics & Mathematics; Theoretical Computer Science; Geometry; General Physics & Mathematics; Computer Hardware Design; General Engineering & Computer Science; Evolutionary Computation; Aviation & Aerospace Engineering; Pure & Applied Mathematics; Mathematical Optimization; Mathematical Analysis; Computational Mathematics; Automation & Control Theory; Stored Programmes
Abstract
The invention discloses a modeling system based on an argument structure modeling language. A meta-model describes the core concepts, attributes and semantics needed to construct a software trustworthiness argument structure, and that meta-model defines the argument structure modeling language; a software trustworthiness argument structure modeling system is then built on the language. The system addresses the insufficient expressiveness of existing argument structure modeling languages, associates, fuses and integrates the software trustworthiness argument meta-model with a software life-cycle process package so that argument structure construction can exchange and interoperate with software process information, supports visual creation and editing of argument structure models, and raises the level of automation in building argument structures.
Description
Technical Field
The invention relates to the technical field of software trustworthiness engineering (rendered "software credibility" elsewhere in this translation), in particular to a modeling system based on an argument structure modeling language (the "proof structure", "demonstration structure" or "attestation structure" modeling language of the translated title).
Background
Computer systems are now the most widely used artificial information systems, reaching every aspect of political, economic, military, cultural and social life. Software is the soul of a computer system, the core of an information system and the cornerstone of internet applications. As demands on functionality grow, software systems become ever larger, more complex and harder to control, and they inevitably contain defects and vulnerabilities. At the same time, because the behaviour of computing entities is uncontrollable and uncertain, software systems grow more fragile, frequently fail to behave as people expect and cannot always be trusted; hence the problem of software trustworthiness.
Research on software trustworthiness has become a hot topic in academia, and trustworthiness assessment is an especially important direction: many well-known research institutions at home and abroad treat software trustworthiness assessment as a research focus in the field of trusted software. How to determine whether a software resource is trustworthy, and how to evaluate its trustworthiness, is the core scientific problem of this direction, and many scholars have studied it intensively, proposing among others integrity-based trustworthiness measurement and measurement based on software behaviour. On the whole, however, current methods remain exploratory and immature; effective measurement methods are scarce, differ widely and have many problems.
Compared with these approaches, argumentation technology is more widely applicable and has clearer advantages and research prospects. It shows that an argument objective is met by means of a strong, reasoned argument structure, and it stresses tight integration with the software development process. It has been studied for many years and is mature in the field of system safety, where it is explicitly required by several foreign military and civil standards, and it has been extended from safety to reliability, information security and other fields. Applied to trustworthiness, and to software trustworthiness in particular, it is still exploratory, and several problems remain when software trustworthiness argument structures are constructed and developed: there is no unified understanding of what software trustworthiness means; argument structure modeling languages are not expressive enough; argument structures are not constructed effectively enough; and argument structure construction lacks interaction with the software development process.
The problem for those skilled in the art is therefore how to describe the argument structure, improve its effectiveness, and promote interaction between argument structure construction and the software development process.
Disclosure of Invention
In view of the above, the invention provides a modeling system based on an argument structure modeling language. A meta-model describes the core concepts, attributes and semantics required to construct a software trustworthiness argument structure and so defines the argument structure modeling language; a software trustworthiness argument structure modeling system is built on that language, solving the problem that argument structure models are insufficiently expressive because the modeling language itself is. At the same time, the software trustworthiness argument meta-model is associated, fused and integrated with the software life-cycle process package, which promotes information exchange and interoperation between argument structure construction and the software process, and the argument structure model can be created and edited visually in the modeling system, raising the automation level of argument structure construction.
To this end, the invention adopts the following technical scheme:
A modeling system based on an argument structure modeling language comprises a model editing module, a tool panel module, an attribute area module, a thumbnail area module and a model storage module.
The tool panel module provides, according to the argument structure modeling language, the GSN basic model elements, the argument pattern extension elements and the argument module extension elements together with their tool items. It consists of a tool panel and a floating toolbar. A selected model element tool item is passed to the model editing module by clicking, dragging and dropping and similar operations in order to create the corresponding model element, and the module retrieves and displays the GSN basic element symbols, GSN pattern extension symbols and GSN module extension symbols defined in the argument structure modeling language.
The model editing module calls the tool items of the tool panel module, adds model elements through the floating toolbar and the tool panel, accepts input and editing of model element identifiers and element attributes, and creates the argument structure model; model elements are edited and associated according to the argument structure modeling language to form argument modules and generate the argument structure model.
The attribute area module displays and modifies the attributes of argument structure model elements; these attributes are defined by the argument structure modeling language.
The thumbnail area module displays part or all of the content of the model editing module.
The model storage module stores the engineering information of the argument structure model in a model file and a model diagram file.
Preferably, the argument structure modeling language comprises abstract syntax, concrete syntax and semantics. The abstract syntax comprises building blocks and constraint rules: the building blocks are represented by the software trustworthiness argument meta-model, and the general rules are written as OCL expressions. The concrete syntax uses graphical symbols extended from the GSN basic element symbols, namely the GSN basic element symbols, the GSN pattern extension symbols and the GSN module extension symbols. The semantics are realised in two ways: textual description of the software trustworthiness argument meta-model, and instantiation transformation rules.
Preferably, the software trustworthiness argument meta-model includes an AMG meta-model package and an SDM meta-model package (the software trustworthiness meta-model package), and relationships are established between the AMG package, the SDM package and existing software development process meta-models so that the software trustworthiness engineering process package and the software life-cycle process package information required by the software trustworthiness argument can be obtained conveniently. The software trustworthiness engineering process package consists mainly of DAM (the UML profile for Dependability Analysis and Modeling), and the software life-cycle process package consists mainly of OMG software process engineering meta-models and profiles such as SPEM 2.0, UML 2.0, the MARTE profile and U2TP.
The AMG and SDM meta-model packages each comprise a number of meta-classes with their attributes and semantics and the associations among them. The AMG package expresses and describes the basic argument elements of the argument structure, such as goals, strategies and evidence, and the relationships among them, and includes the elements related to argument patterns and argument modules; it defines the argument concepts as meta-classes that instantiate the Class, Package and other elements of the OMG MOF and describes the associations among those meta-classes.
The SDM package is defined according to the MOF specification, and the specific relationships among its meta-classes are expressed through association adornments such as role names and multiplicities.
Preferably, access and reference between the AMG meta-model package and the SDM meta-model package are realised by combining the meta-model packages, so that the uninstantiated variables required in argument structure elements, such as impairment, trustworthiness requirement and safety-critical function, are obtained and meta-class association and data exchange between the AMG and SDM packages are realised.
Preferably, the constraint rules comprise general rules, constraint conditions and argument structure model element marking rules. The general rules and constraint conditions are built from OCL expressions; the general rules cover identifier uniqueness, argument relationship element constraints, argument content element constraints and argument pattern related constraints, and the constraint conditions are of two kinds, those on a single class of argument element and those on the global argument structure.
Preferably, the GSN pattern extension symbols comprise structural abstraction and entity abstraction: structural abstraction supports multiplicity (diversity), optionality (selectivity) and similar relationships among GSN elements, and entity abstraction marks an element as not yet developed or instantiated.
The GSN module extension symbols comprise the argument module symbol, the away element symbol (rendered "guest element" in the translation), the extended argument relationship symbols and the like.
Preferably, the instantiation transformation rules comprise a content rule set and a structure rule set. A top-down order is kept while the argument structure model is built: the GSN structure of each concrete argument pattern is instantiated and transformed according to the instantiation rules to obtain the corresponding argument module, and the complete argument structure model instance is assembled using the GSN module extension symbols. Specifically, according to the content rule set, values are assigned to the variables in the uninstantiated elements of the pattern's GSN structure, the information required by the pattern's context is collected and referenced, and the evidence information is collected and organised; according to the structure rule set, the GSN multiplicity symbols in the pattern are expanded and the GSN optional extensions are selected.
Compared with the prior art, the modeling system based on the argument structure modeling language describes a graphical domain-specific modeling language, the argument structure modeling language pASML, through a meta-model and supports the formal definition of argument patterns. The building blocks of the language's abstract syntax are represented by the meta-model, the general rules are described by OCL expressions, the representation rules use GSN and extended graphical symbols, and the semantics combine textual description with instantiation transformation rules. The invention uses GMF as the meta-modeling tool and realises the argument structure modeling system on the Eclipse platform, where software trustworthiness argument structure models can be built according to the language. It thus solves the insufficient expressiveness of argument structure modeling in the prior art, promotes information exchange and interoperation between software trustworthiness argument construction and the software process by associating, fusing and integrating the argument meta-model with the software life-cycle process package, and displays the argument structure model graphically, making modeling simpler and its results more intuitive.
Drawings
To illustrate the embodiments of the invention and the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings show only embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of a modeling system based on an argument structure modeling language according to the present invention;
FIG. 2 is a schematic diagram of the argument structure modeling language construction process provided by the present invention;
FIG. 3 is a schematic diagram of the software trustworthiness argument meta-model structure provided by the present invention;
FIG. 4 is a diagram of the structure of the SDM meta-model package according to the present invention;
FIG. 5 is a schematic diagram of the GSN pattern extension symbols provided by the present invention;
FIG. 6 is a schematic diagram of the GSN module extension symbols provided by the present invention;
FIG. 7 is a schematic diagram of the argument structure modeling system construction framework provided by the present invention;
FIG. 8 is a schematic illustration of the process of building an example argument structure provided by the present invention;
FIG. 9 is a schematic diagram of the overall structure of an exemplary embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
The embodiment discloses a modeling system based on an argument structure modeling language. Using a meta-model approach it defines a graphical, visual argument structure modeling language named pASML, a domain-specific modeling language with strict syntax and semantics for constructing argument structure models and supporting activities such as model creation and model transformation. Software trustworthiness argument structure models are built with the modeling system, the argument structure is displayed graphically, and the automation level of constructing software trustworthiness argument structures is improved.
Example 1
The invention describes the building blocks of the language's abstract syntax strictly through the argument meta-model, describes the general rules with OCL expressions, uses graphical symbols (the GSN basic notation plus the pattern and module extension notation) as the concrete syntax, and standardises and realises the semantics, through semantic definitions and semantic constraints, by combining textual description with instantiation transformation rules. The main steps are described below:
(1) Software trustworthiness argument meta-model
The software trustworthiness argument meta-model describes the core concepts, attributes, semantics and appropriate associations and constraints required to build a software trustworthiness argument structure model, and promotes a consistent understanding of the concepts and terms among different stakeholders. Its structure is shown in fig. 3.
The meta-model describes the basic elements of a software trustworthiness argument structure and the relationships and constraints among them, providing a modeling framework and an expression schema for such structures. To reflect a complete software trustworthiness argument structure, the argument structure must be associated and integrated with the concepts of software trustworthiness, including key concepts such as failure and hazard, to form the concrete structure of the meta-model; the meta-model also needs to be associated with a software trustworthiness process meta-model and with existing software development process meta-models, so that the information about the software trustworthiness engineering process and the software life-cycle process required by the software trustworthiness argument (especially the process argument) can be obtained.
The AMG meta-model package expresses and describes the basic argument elements of the argument structure, such as goals, strategies and evidence, and the relationships among them, including the elements related to argument patterns and modules, and gives a first description of the abstract syntax of pASML. It defines the argument concepts as meta-classes that instantiate the Class, Package and other elements of MOF and describes the associations among them. The definition, attributes and semantic description of each meta-class are given in table 1.
TABLE 1 Main meta-class definitions of the AMG meta-model
The three meta-classes Impairment, DependabilityReq and SafeCriFunction associated with the UninstantiatedValue meta-class come from the SDM meta-model package (the software trustworthiness meta-model). Access and reference are realised by combining the meta-model packages, so that the uninstantiated variables required in argument structure elements, namely impairment, trustworthiness requirement and safety-critical function, are obtained and meta-class association and data exchange between the AMG and SDM packages of the ESDCM meta-model are realised. On the same package-access basis, UninstantiatedValue is also associated with the Activity construct of the SPEM 2.0 meta-model and the Resource construct of MARTE in the external software life-cycle process package; these correspond respectively to process activities in a software process argument structure and to software product components and functional modules in a product argument structure, realising model element association and information exchange between the ESDCM meta-model and the software development meta-models and UML profiles.
The invention provides the software trustworthiness meta-model according to the MOF specification. It describes the main concepts and terms of software trustworthiness and the relationships among them, especially the concepts closely related to argument structures, and is related to the AMG meta-model package at the meta-model level to form the complete structure of the software trustworthiness argument meta-model (ESDCM). Its structure is shown in fig. 4.
The meta-model characterises the concepts Error, Fault, Failure and Hazard as the related threats (Threat) to software trustworthiness: failures reflect software reliability and hazards reflect software safety. These concepts are defined as meta-classes, with the Impairment meta-class abstractly representing failures and hazards. Fault propagation is represented by the FaultPropagation meta-class, FailureMode represents failure modes, and DependabilityReq represents software trustworthiness requirements, including software safety requirements and software reliability requirements. The concrete relationships among these meta-classes are described by association adornments such as role names and multiplicities and are mainly cause-effect relationships; for example, an error is one of the essential causes of faults and impairments, and impairments in turn affect the normal use of software components (SWComponent) and software functions (SWFunction), including safety-critical functions (SafeCriFunction).
A meta-model alone cannot express all the syntax and semantics of pASML; some domain business rules and constraints cannot be expressed completely and precisely in the meta-model structure. The Object Constraint Language (OCL) fills this gap as a complement to the meta-model: it can strictly describe constraints on model elements and state the general rules of the language's abstract syntax.
(2) General rules of the argument structure modeling language pASML
OCL expressions are further used to describe strictly the semantic constraints on the elements of the argument structure model, that is, the general rules and constraint conditions of the abstract syntax of pASML. By the object constrained, the rules fall into four rule sets, identifier uniqueness, argument relationship element constraints, argument content element constraints and argument pattern related constraints, comprising 15 constraint rules in total, of two kinds: constraints on a single class of argument element and constraints on the global argument structure.
Each rule is written as an OCL invariant. An invariant on a meta-class has the form "context [meta-class name] inv [invariant name]: [expression]", where context and inv are OCL keywords: context names the model element to which the constraint is attached, and inv declares that the expression is an invariant. An invariant describes a static structural constraint of the system: the condition must hold at all times for every instance of the meta-class, that is, for every model element of that kind.
The argument relationship element rule set explains the two constraint rules of the "InContextof" and "SupportedBy" relationships in the argument structure model and constructs the corresponding OCL invariants for the InContextof and SupportedBy meta-classes of the AMG meta-model, as follows:
Rule 5 - InContextof source and target element constraints
context InContextof
inv InCofSourceConstraint: self.sourceRole->forAll(s | s.oclIsTypeOf(MainConElement))
inv InCofTargetConstraint: self.targetRole->forAll(t | t.oclIsTypeOf(AuxConElement))
Explanation: the source elements of an InContextof relationship must be main content elements, i.e. goals, strategies and evidence, and the target elements must be auxiliary content elements, i.e. context, assumptions and justifications.
Rule 6 - InContextof source and target element extension constraints
context InContextof
inv InCofSourceConstraintExd: self.sourceRole->forAll(s | s.oclIsTypeOf(Context) or s.oclIsTypeOf(Solution) or s.oclIsTypeOf(Strategy))
inv InCofTargetConstraintExd: self.targetRole->forAll(t | t.oclIsTypeOf(Goal))
Explanation: this describes the extended InContextof relationship used inside an argument module to realise a backing argument: the source element must be a context, evidence or strategy, and the target element must be a goal (including an away goal).
Rule 7 - SupportedBy source and target element constraints
context SupportedBy
inv SupBySourceConstraint: self.sourceRole->forAll(s | s.oclIsTypeOf(Goal) or s.oclIsTypeOf(Strategy))
inv SupByTargetConstraint: self.targetRole->forAll(t | t.oclIsTypeOf(MainConElement))
Explanation: the source element of a SupportedBy relationship must be a goal or a strategy (the main content elements other than evidence), and the target element may be any of the three main content elements.
When the argument structure model is defined through the meta-model, the identifiers of argument content elements, argument patterns and argument modules are declared through the attributes identifier, PatternID and ModuleID respectively. To identify model elements uniquely and manage them effectively, the invention sets argument structure model element marking rules that encode and assign these identifier attributes; they are the basis and criterion for marking the elements of an argument structure model instance and complement the general rules.
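The relationship rules above (rules 5 and 7) and the identifier uniqueness rule can be run as a checker over a small argument model, as in the following added example. This is not the patent's code: the meta-class names (Goal, Strategy, Solution, Context, Assumption, Justification, MainConElement, AuxConElement, InContextof, SupportedBy) are taken from the page, while the Python representation and the sample argument are constructed here; rule 6, the module extension, is not modelled.

```python
"""Rules 5 and 7 plus identifier uniqueness as executable checks over a tiny
GSN argument model.  Added example, not the patent's code: only the meta-class
names come from the page; the representation and sample data are constructed.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Element:
    identifier: str
    text: str


class MainConElement(Element):      # main content elements: goals, strategies, evidence
    pass

class Goal(MainConElement): pass
class Strategy(MainConElement): pass
class Solution(MainConElement): pass    # GSN "solution" = evidence

class AuxConElement(Element):       # auxiliary content elements
    pass

class Context(AuxConElement): pass
class Assumption(AuxConElement): pass
class Justification(AuxConElement): pass


@dataclass(frozen=True)
class Relation:
    source: Element
    target: Element

class InContextof(Relation): pass
class SupportedBy(Relation): pass


@dataclass
class ArgumentModel:
    elements: List[Element] = field(default_factory=list)
    relations: List[Relation] = field(default_factory=list)


def check_model(model: ArgumentModel) -> List[str]:
    """Return one message per violated invariant; [] means the model conforms."""
    violations: List[str] = []

    # Identifier uniqueness: every element identifier appears exactly once.
    seen = set()
    for e in model.elements:
        if e.identifier in seen:
            violations.append(f"duplicate identifier {e.identifier!r}")
        seen.add(e.identifier)

    for r in model.relations:
        s, t = r.source, r.target
        tag = f"{type(r).__name__} {s.identifier}->{t.identifier}"
        if isinstance(r, InContextof):
            # Rule 5: source is a main content element, target an auxiliary one.
            if not isinstance(s, MainConElement):
                violations.append(f"{tag}: source must be a goal, strategy or solution")
            if not isinstance(t, AuxConElement):
                violations.append(f"{tag}: target must be a context, assumption or justification")
        elif isinstance(r, SupportedBy):
            # Rule 7: evidence never supports anything; the source is a goal or
            # strategy, the target any main content element.
            if not isinstance(s, (Goal, Strategy)):
                violations.append(f"{tag}: source must be a goal or strategy, not evidence")
            if not isinstance(t, MainConElement):
                violations.append(f"{tag}: target must be a goal, strategy or solution")
    return violations


def build_sample_model(with_defects: bool = False) -> ArgumentModel:
    """Constructed sample argument; with_defects adds one violation of each kind."""
    g1 = Goal("G1", "The brake controller software is acceptably safe")
    c1 = Context("C1", "Hazard list HA-rev3 (constructed reference)")
    s1 = Strategy("S1", "Argue over each identified hazard")
    g2 = Goal("G2", "Hazard H1 is mitigated")
    sn1 = Solution("Sn1", "Test report TR-7 (constructed reference)")
    model = ArgumentModel(
        elements=[g1, c1, s1, g2, sn1],
        relations=[InContextof(g1, c1), SupportedBy(g1, s1),
                   SupportedBy(s1, g2), SupportedBy(g2, sn1)],
    )
    if with_defects:
        model.elements.append(Goal("G2", "Second goal reusing an identifier"))
        model.relations.append(SupportedBy(sn1, g2))   # evidence used as a source
    return model


if __name__ == "__main__":
    for message in check_model(build_sample_model(with_defects=True)):
        print(message)
```

One caveat: the page's invariants test the abstract classes with oclIsTypeOf, which in OCL is an exact-type test, whereas the explanations of the rules speak of any goal, strategy or evidence; the checker follows the explanations, using isinstance, which corresponds to OCL's oclIsKindOf.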
(3) Representation method (concrete syntax) of the argument structure modeling language pASML
To express argument patterns and argument modules graphically, the invention extends the GSN basic notation to obtain representations for argument patterns and argument modules; together with the GSN basic notation these form the concrete syntax of pASML. The GSN element symbols are extended with structural abstraction, which supports multiplicity (diversity), optionality (selectivity) and similar relationships among GSN elements, and entity abstraction, which marks an element as not yet developed or instantiated. The GSN pattern extension symbols are shown in fig. 5.
The GSN module extension symbols mainly include the argument module symbol, the away element symbol (rendered "guest element" in the translation), the extended argument relationship symbols and the like; their shapes and descriptions are shown in fig. 6.
(4) Instantiation transformation rules of the argument structure modeling language pASML
In practice, on the basis of ongoing software trustworthiness engineering, engineers combine the application domain background and knowledge to draw up a construction plan for the argument structure instance, covering its purpose, requirements, stage and scope, and decide which argument patterns to use, all of them or a subset, such as product or process arguments and reliability or safety arguments. During implementation a top-down construction order is kept: the GSN structure of each concrete argument pattern is instantiated and transformed step by step into the corresponding argument GSN module, and the complete argument structure model instance is obtained by assembling the modules with the GSN module extension symbols.
The instantiation rules of the pattern language comprise a content rule set and a structure rule set. Content instantiation assigns concrete values to the variables written in "{ }" in the uninstantiated elements of the pattern's GSN structure, collects and references the information required by the pattern's context, and collects and organises the evidence information. Structure instantiation expands the GSN multiplicity symbols in the pattern, resolves the GSN optional extensions, and so on.
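The two rule sets can be exercised on a small pattern, as in the following added example, which also applies the identifier uniqueness requirement to the instantiated result. This is not the patent's code: the dict-based pattern format, the keys multiplicity, as, choice and alternatives, the "{name}" variable syntax and the sample pattern and bindings are all constructed here; only the idea of "{ }" variables, multiplicity expansion and optional-extension selection comes from the page.

```python
"""Instantiation transformation of an argument pattern: content rules
(assigning values to '{variable}' placeholders) and structure rules
(expanding a multiplicity symbol, resolving an optional/choice symbol).

Added example, not the patent's code.  The pattern format, its keys and the
sample pattern and bindings are constructed for this illustration.
"""
import re
from typing import Any, Dict, List

VARIABLE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def instantiate_text(text: str, bindings: Dict[str, Any]) -> str:
    """Content rule: substitute every {variable}.  An unbound variable is an
    error, since the instantiated model may contain no uninstantiated element."""
    def replace(match):
        name = match.group(1)
        if name not in bindings:
            raise KeyError(f"variable {name!r} left uninstantiated")
        return str(bindings[name])
    return VARIABLE.sub(replace, text)


def instantiate(node: Dict[str, Any], bindings: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Structure rules.  Returns a list because a multiplicity node fans out
    into one concrete element per bound value."""
    if "choice" in node:
        # Optionality symbol: the binding names the alternative that survives.
        chosen = node["alternatives"][bindings[node["choice"]]]
        return instantiate(chosen, bindings)
    if "multiplicity" in node:
        # Multiplicity symbol: one copy per value, each with its own local binding.
        concrete = {k: v for k, v in node.items() if k not in ("multiplicity", "as")}
        copies: List[Dict[str, Any]] = []
        for value in bindings[node["multiplicity"]]:
            copies.extend(instantiate(concrete, {**bindings, node["as"]: value}))
        return copies
    result: Dict[str, Any] = {
        "id": instantiate_text(node["id"], bindings),   # ids may carry variables too
        "kind": node["kind"],
        "text": instantiate_text(node["text"], bindings),
    }
    children = [c for child in node.get("children", []) for c in instantiate(child, bindings)]
    if children:
        result["children"] = children
    return [result]


def instantiate_pattern(pattern: Dict[str, Any], bindings: Dict[str, Any]) -> Dict[str, Any]:
    """Instantiate a whole pattern and enforce identifier uniqueness on the result."""
    roots = instantiate(pattern, bindings)
    if len(roots) != 1:
        raise ValueError("a pattern must instantiate to exactly one root element")
    ids: List[str] = []

    def collect(n: Dict[str, Any]) -> None:
        ids.append(n["id"])
        for child in n.get("children", []):
            collect(child)
    collect(roots[0])
    duplicates = sorted({i for i in ids if ids.count(i) > 1})
    if duplicates:
        raise ValueError(f"duplicate identifiers after instantiation: {duplicates}")
    return roots[0]


def leaves_uninstantiated(pattern: Dict[str, Any], bindings: Dict[str, Any]) -> bool:
    """True if the bindings do not cover every variable the pattern uses."""
    try:
        instantiate_pattern(pattern, bindings)
    except KeyError:
        return True
    return False


# Constructed sample pattern: a hazard-directed argument with a multiplicity
# over the hazards and a choice between two kinds of evidence.
SAMPLE_PATTERN: Dict[str, Any] = {
    "id": "G1", "kind": "Goal", "text": "{system} is acceptably safe to operate",
    "children": [
        {"id": "S1", "kind": "Strategy", "text": "Argument over each identified hazard",
         "children": [
             {"id": "G2-{hazard}", "kind": "Goal", "text": "Hazard {hazard} has been mitigated",
              "multiplicity": "hazards", "as": "hazard",
              "children": [
                  {"choice": "evidence_kind", "alternatives": {
                      "test": {"id": "Sn-{hazard}", "kind": "Solution", "text": "Test report for {hazard}"},
                      "review": {"id": "Sn-{hazard}", "kind": "Solution", "text": "Review record for {hazard}"},
                  }},
              ]},
         ]},
    ],
}
SAMPLE_BINDINGS: Dict[str, Any] = {"system": "Brake controller", "hazards": ["H1", "H2"], "evidence_kind": "test"}

if __name__ == "__main__":
    import json
    print(json.dumps(instantiate_pattern(SAMPLE_PATTERN, SAMPLE_BINDINGS), indent=2))
```

Because element identifiers are themselves templates, each copy produced by the multiplicity expansion gets a distinct identifier; a pattern whose identifiers omit the loop variable is rejected by the uniqueness check rather than silently producing clashing elements.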
Example 2
A modeling system based on the argument structure modeling language uses GMF on the Eclipse platform as the meta-modeling tool to implement the meta-models described above, automatically generates the modeling system for the argument structure modeling language pASML, and supports visual creation, editing and management of argument structure models, raising the level of automation in argument structure construction. The overall architecture of the construction process is shown in Fig. 7.
Adopting the Eclipse plug-in development form, the argument structure meta-model is expressed with the EMF and GMF frameworks, the graphical notation and the tooling are defined as models so that a graphical editor can be generated automatically, and the design and implementation of the modeling system are completed on that basis. On the Eclipse platform, the domain model, graphical definition model, tooling definition model, mapping definition model and generator model of the modeling system are designed through the corresponding menu and property-setting operations according to the EMF and GMF frameworks, the corresponding model files are obtained, and the modeling system is generated and run. The specific steps are as follows:
The Ecore meta-model corresponding to AMG is created with EMF and edited with the GMF Ecore graphical editor, yielding the domain model of the modeling system and the corresponding Ecore model file.
According to the GMF graphical definition model construction rules and the graphical requirements of the pASML concrete syntax (the GSN notation and its extensions), the graphical definition model of the modeling system is defined. It specifies the concrete graphical elements of the GSN argument elements, that is, the nodes and connections displayed in the editor. Its logical structure has three levels. The first level is the basic definition of the graphics, comprising four basic figures, nodes, connections (Connection), diagram labels (Diagram Label) and compartments (Compartment), each with attributes such as a name and a figure (Figure). The second level is the figure descriptor (Figure Descriptor), which describes the concrete realisation of a figure, such as its shape and layout, and is referenced by the Figure attribute of the basic figures. The third level consists of the GMF basic elements, such as layouts, rectangles, ellipses and other atomic elements, which form the basis of the figure descriptors.
The tooling definition model defines the editor's tool palette: modeling elements are created on the editor canvas by clicking the icons in the palette, and general tools such as zoom in and zoom out are included. For ease of management the tooling definition model is divided into three tool groups: the GSN basic elements, the refined relationship elements and the extended argument elements. The GSN basic element group contains the tool options for the GSN basic elements and defines the icon of each option; the other two groups define the tool options for the refined relationship elements and for the extended argument elements respectively.
The mapping definition model defines the mutual mapping among the domain model, the graphical definition model and the tooling definition model; binding and associating these three models is the key step in constructing the editor. It establishes the mapping between the abstract syntax of pASML and its concrete syntax: content elements such as Goal and Strategy in the Ecore meta-model are mapped to nodes of the final model's graph through node mappings, and relationship elements such as InContextOf are mapped to connections through link mappings. The mapping types are the canvas mapping, node mappings and link mappings. The canvas mapping specifies the binding between the top-level elements of the three models and the nodes; a node mapping associates an element class of the Ecore model, a node figure of the graphical definition model and a tool option of the tooling definition model; a link mapping maps the connection-type elements of the three models, with attribute settings similar to those of a node mapping.
The GMF generator model (.gmfgen) is derived directly from the four models, namely the mapping definition, the graphical definition, the tooling definition and the EMF generator model (.genmodel); it consolidates the model information and configures the code generation attributes. When the GMF generator model of the modeling system is generated through the wizard, the relevant settings are required, including selecting the 'Generate RCP Application' option, so that the final modeling tool can run as an RCP (Rich Client Platform) application.
The modeling system mainly comprises a model editing module, a tool palette module, a property area module, a thumbnail area module and a model storage module:
The tool palette module provides tool items for the basic model elements such as Goal and Strategy, the argument pattern extension elements and the argument module extension elements. It comprises the palette and a floating toolbar; the selected model element tool item is passed to the model editing module by clicking, dragging and dropping on the palette or the floating toolbar, creating the corresponding model element in the editing area. The tool items also include zoom in and zoom out;
The model editing module is the main area for visual design of the argument structure model; model elements are added through the floating toolbar and the palette, edited and related to each other, dragged, dropped and resized to form argument modules, and the argument structure model is generated;
The property area module sets and displays the attributes of argument structure model elements, such as the identifier and description of an element, whether it still needs instantiation or development (the GSN pattern extension), whether it is public (the module extension), and the line, font and colour settings of the element;
The thumbnail area module is a miniature of the whole model editing area; moving the grey rectangle over it displays the corresponding part of the editing area, which eases work on large argument structure models.
The model storage module stores the engineering information of the argument structure model as a model file (XML) and a model diagram file (picture format), to support storage, exchange and sharing of model data.
The modeling system is a modeling editor for argument structures with a user-friendly interface. Its main functions are:
argument structure models defined by the modeling language pASML can be created, edited and manipulated visually;
the constraint rules of the argument structure model are enforced, such as the source and target element constraints of relationship elements like 'InContextOf', and OCL rule descriptions are supported;
multiple diagram files can be opened and edited in tab pages of the same window, and attributes such as whether an argument element is public are described to support the construction of argument modules;
by setting the relevant attributes of content argument elements and relationship argument elements, the construction of argument patterns is supported semantically, including the multiplicity and optionality of GSN elements;
the engineering information of the argument structure model is saved in a model file and a model diagram file; the former is the XML description of the model and the latter its visual representation, and the two are updated synchronously and automatically. In addition, the argument structure can be exported as a picture file through the right-click menu.
The modeling system therefore stores the argument structure model in two forms, picture and XML. XML provides a standard format for describing structured data, which benefits data representation, exchange and sharing and eases information interaction and fusion between the argument structure model and the other models of the software.
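The constraint checking and XML storage described above, as an added Python example that is not the modeling system's own code. It encodes the source/target constraints of SupportedBy and InContextOf and identifier uniqueness in the way the page says OCL rules do, adds a cycle check on the SupportedBy graph as a global-structure constraint, and round-trips a module through a hypothetical XML layout (the element and attribute names are assumptions, not the pASML schema). The two sample modules are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Added example (not the patent's code). Hypothetical in-memory form of one argument
# module; the XML element names are assumptions, not the pASML schema.
CONTENT_KINDS = {"Goal", "Strategy", "Solution", "Context", "Assumption", "Justification"}

# Source/target constraints of the GSN relationship elements, i.e. the kind of rule
# an OCL invariant such as "source.oclIsKindOf(Goal) or source.oclIsKindOf(Strategy)" states.
LINK_RULES = {
    "SupportedBy": ({"Goal", "Strategy"}, {"Goal", "Strategy", "Solution"}),
    "InContextOf": ({"Goal", "Strategy"}, {"Context", "Assumption", "Justification"}),
}


@dataclass
class Node:
    id: str
    kind: str
    text: str
    public: bool = False   # module extension: element exposed in the module interface


@dataclass
class Link:
    type: str
    src: str
    dst: str


def check(nodes, links):
    """Return the list of constraint violations (empty when the module is valid)."""
    errors, seen = [], set()
    for n in nodes:                                   # identifier uniqueness
        if n.id in seen:
            errors.append(f"duplicate identifier {n.id}")
        seen.add(n.id)
        if n.kind not in CONTENT_KINDS:
            errors.append(f"{n.id}: unknown element kind {n.kind}")
    by_id = {n.id: n for n in nodes}
    supported_by = {}                                 # adjacency for the cycle check
    for l in links:                                   # relationship element constraints
        if l.type not in LINK_RULES:
            errors.append(f"unknown relationship {l.type}")
            continue
        s, d = by_id.get(l.src), by_id.get(l.dst)
        if s is None or d is None:
            errors.append(f"{l.type} {l.src}->{l.dst}: dangling reference")
            continue
        ok_src, ok_dst = LINK_RULES[l.type]
        if s.kind not in ok_src:
            errors.append(f"{l.type} {l.src}->{l.dst}: source {s.kind} not in {sorted(ok_src)}")
        if d.kind not in ok_dst:
            errors.append(f"{l.type} {l.src}->{l.dst}: target {d.kind} not in {sorted(ok_dst)}")
        if l.type == "SupportedBy":
            supported_by.setdefault(l.src, []).append(l.dst)
    if _has_cycle(supported_by):                      # global structure: the argument is a DAG
        errors.append("SupportedBy relationships form a cycle")
    return errors


def _has_cycle(adj):
    state = {}                                        # 1 = on the DFS stack, 2 = finished
    def visit(v):
        if state.get(v) == 1:
            return True
        if state.get(v) == 2:
            return False
        state[v] = 1
        if any(visit(w) for w in adj.get(v, [])):
            return True
        state[v] = 2
        return False
    return any(visit(v) for v in list(adj))


def to_xml(name, nodes, links):
    """Model storage: serialise the module as the XML model file."""
    root = ET.Element("ArgumentModule", name=name)
    for n in nodes:
        e = ET.SubElement(root, n.kind, id=n.id, public=str(n.public).lower())
        e.text = n.text
    for l in links:
        ET.SubElement(root, l.type, src=l.src, dst=l.dst)
    return ET.tostring(root, encoding="unicode")


def from_xml(data):
    root = ET.fromstring(data)
    nodes = [Node(c.get("id"), c.tag, c.text or "", c.get("public") == "true")
             for c in root if c.tag in CONTENT_KINDS]
    links = [Link(c.tag, c.get("src"), c.get("dst")) for c in root if c.tag in LINK_RULES]
    return root.get("name"), nodes, links


# Constructed sample modules (hypothetical content).
VALID_NODES = [
    Node("G1", "Goal", "Brake control software mitigates hazard H1", public=True),
    Node("C1", "Context", "Hazard list from the system hazard analysis"),
    Node("S1", "Strategy", "Argument over the failure modes of the braking function"),
    Node("G2", "Goal", "Failure mode FM1 is handled"),
    Node("Sn1", "Solution", "Code review record for the FM1 handler"),
]
VALID_LINKS = [Link("InContextOf", "G1", "C1"), Link("SupportedBy", "G1", "S1"),
               Link("SupportedBy", "S1", "G2"), Link("SupportedBy", "G2", "Sn1")]

INVALID_NODES = [Node("G1", "Goal", "a"), Node("G1", "Goal", "b"),
                 Node("Sn1", "Solution", "c"), Node("C1", "Context", "d")]
INVALID_LINKS = [Link("InContextOf", "G1", "Sn1"),   # target must be a context element
                 Link("SupportedBy", "Sn1", "G1"),   # a Solution cannot support anything
                 Link("SupportedBy", "G1", "Sn1")]   # with the previous link: a cycle


def roundtrip(name, nodes, links):
    """Save, reload and re-check; returns (errors after reload, reloaded node ids)."""
    _, nodes2, links2 = from_xml(to_xml(name, nodes, links))
    return check(nodes2, links2), [n.id for n in nodes2]
```

Model files exchanged between tools are untrusted input: the standard-library `xml.etree` parser used here for brevity is documented as not secure against maliciously constructed XML, so a real importer should parse with `defusedxml` or an equivalently hardened parser, and should run `check()` on whatever it loads before editing instead of trusting the file.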
Example 3
To verify the effectiveness and practicality of the argument structure modeling language and the modeling tool, a software safety product argument instance was constructed for a safety-critical embedded software item from an actual aircraft project. Because of the sensitivity of the project, specific technical details are withheld and only the general parts are described.
(1) Software profile
The software of this example is the core control software of the normal and standby brake control systems of the landing gear of a certain aircraft type, and is key software for ensuring safe aircraft operation. It is embedded software written in C, built mainly on a redundancy design and comprising normal control software and standby control software. It acquires wheel speed sensor signals, brake command signals, brake pressure signals, the autobrake selector switch signal, the weight-on-wheels signal, the landing gear handle-up signal, bus signals and so on, and outputs the aircraft brake and anti-skid signals after comprehensive calculation. During anti-skid braking it implements the braking function, the anti-skid function, wheel-to-wheel protection, touchdown protection, hydroplaning protection, the landing gear wheel stop-rotation function, the autobrake function, redundancy switching with the standby brake control unit and information exchange with the EMS (electromechanical integrated system), and it sends brake commands and brake pressure signals to the accident recorder.
(2) Argument construction plan and procedure
According to the argument structure modeling language and the modeling system, the construction plan for the argument instance was designed mainly in the following respects:
Software life cycle stage: software development and implementation are complete;
Relationship to the upper-level system: because of project constraints, the requirements and design information of the upper-level system are not available, so the discussion focuses mainly on how the software avoids, controls and mitigates system-level hazards;
Type and scope of argument: given the life cycle stage of the software, the argument is mainly product-based;
Argument construction method: on the basis of safety engineering activities such as hazard analysis and failure mode analysis, modeling is carried out in the modeling tool to obtain the corresponding argument structure model instance, which is saved as an XML file;
Argument structure organisation: the argument structure modeling language pASML is used, organised and expressed in the form of argument modules; the modules are divided by hazard and by function, different modules are connected and cooperate through away goals, and the argument elements are numbered according to the marking rules. The overall construction process of the argument instance is shown in Fig. 8.
The main steps of the construction flow chart are briefly described as follows:
S1: on the basis of analysing documents such as the brake control software requirements specification and design specification, the top-level argument goal of the argument instance is formulated according to the conditions of the software project; the top-level goal is the basis and key of the whole argument structure;
S2: a suitable hazard analysis method is selected and, combining domain knowledge and prior experience, the hazards that the brake control software may pose to the upper-level systems, namely the landing gear brake control system and the aircraft, are identified and analysed, including the severity of each hazard and the size of the risk it causes;
S3: for each hazard in S2, the corresponding safety-critical software function is analysed, and for that function module the failure modes that could cause the hazard and the software's countermeasures are analysed;
S4: based on S2 and S3, instantiation, decomposition and expansion are carried out in the modeling system according to the argument patterns and instantiation rules, and the corresponding argument modules are expressed, following the hazard and function lists, using the GSN module extension;
S5: the detailed design documents and source code of the brake control software are analysed to obtain evidence of how the software handles and mitigates the failure modes of S3;
S6: conclusion analysis: on the basis of S2-S5 the safety level of the software, in particular the risk of the possible hazards, is evaluated comprehensively, the defects and problems in the software implementation are analysed, and corresponding improvement measures are given.
On the basis of system hazard identification and software failure mode analysis, the concrete argument structure modeling is carried out in the modeling system according to the instantiation rules, and the result is organised and presented as argument modules. The overall structure is shown in Fig. 9.
The content of this argument instance comprises three argument layers: the top-level goal layer, the hazard argument layer and the function argument layer, which respectively expand the argument for the top-level goal, the handling of each specific hazard, and the handling of the failure modes of each safety-critical function. Decomposition and expansion proceed layer by layer from the top down, each upper argument module being supported by the modules below it, yielding 11 argument modules in total; the number in the upper part of each module is its serial number and serves as its unique identifier. These argument modules are represented graphically in pASML and connected and organised through away goal elements. The GSN structure and the XML description of the argument modules are not presented in detail.
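The three-layer module assembly described above, as an added Python example (not the patent's code): modules are identified by serial number and connected through away goals, and the check below requires each away goal to resolve to a public goal of a module in the next layer down and every lower-layer module to support some upper module. The layer names, the away-goal representation and the 1 + 3 + 7 module set (11 modules, matching the count in the example, but with constructed hazard and function names) are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Added example, not the patent's code. Layer names and the away-goal representation
# are assumptions modelled on the three-layer structure described in the example.
LAYERS = ["top", "hazard", "function"]   # each layer is supported by the next one down


@dataclass
class ArgModule:
    serial: int                 # module serial number, the module's unique identifier
    layer: str
    goals: dict                 # goal id -> goal text
    public: set = field(default_factory=set)        # goals exposed in the module interface
    away_goals: list = field(default_factory=list)  # (target module serial, target goal id)


def assemble(modules):
    """Check the away-goal wiring of a set of modules; returns violation messages."""
    errors, by_serial = [], {}
    for m in modules:
        if m.serial in by_serial:
            errors.append(f"module serial {m.serial} is not unique")
        by_serial[m.serial] = m
    for m in modules:
        for serial, gid in m.away_goals:
            t = by_serial.get(serial)
            if t is None:
                errors.append(f"module {m.serial}: away goal refers to missing module {serial}")
            elif gid not in t.goals:
                errors.append(f"module {m.serial}: goal {gid} not found in module {serial}")
            elif gid not in t.public:
                errors.append(f"module {m.serial}: goal {gid} of module {serial} is not public")
            elif LAYERS.index(t.layer) != LAYERS.index(m.layer) + 1:
                errors.append(f"module {m.serial} ({m.layer}) may not be supported "
                              f"directly by module {serial} ({t.layer})")
    referenced = {serial for m in modules for serial, _ in m.away_goals}
    for m in modules:                          # every lower-layer module must support something
        if m.layer != "top" and m.serial not in referenced:
            errors.append(f"module {m.serial} ({m.layer}) supports no upper-layer module")
    return errors


def build_modules(hazards, functions_per_hazard):
    """Constructed 1 + H + F module set in the example's three-layer shape."""
    top = ArgModule(1, "top", {"G1": "Brake control software is acceptably safe"}, {"G1"})
    modules, serial = [top], 2
    for h in hazards:
        hm = ArgModule(serial, "hazard", {"G1": f"Hazard '{h}' is adequately handled"}, {"G1"})
        top.away_goals.append((serial, "G1"))   # top-level goal supported via away goal
        modules.append(hm)
        serial += 1
        for f in functions_per_hazard[h]:
            fm = ArgModule(serial, "function",
                           {"G1": f"Failure modes of '{f}' are handled"}, {"G1"})
            hm.away_goals.append((serial, "G1"))
            modules.append(fm)
            serial += 1
    return modules


# Constructed hazard/function lists (hypothetical mapping, 3 hazards and 7 functions).
HAZARDS = ["Aircraft cannot brake", "Tyre burst", "Aircraft skids"]
FUNCTIONS = {"Aircraft cannot brake": ["braking", "shut-off valve control", "autobrake"],
             "Tyre burst": ["tyre pressure monitoring", "touchdown protection"],
             "Aircraft skids": ["anti-skid", "hydroplaning protection"]}


def example_ok():
    return assemble(build_modules(HAZARDS, FUNCTIONS))


def example_broken():
    mods = build_modules(HAZARDS, FUNCTIONS)
    mods[0].away_goals.append((5, "G1"))   # top layer reaching straight into a function module
    mods[3].public.clear()                 # module 4 hides the goal its hazard module relies on
    mods.append(ArgModule(12, "function", {"G1": "Orphan"}, {"G1"}))   # supports nothing
    return assemble(mods)
```

The public-goal check is the one that matters for module interfaces: an away goal that silently binds to a non-public goal lets an upper module rest on a claim the owning module never committed to exposing, and the layer check keeps the top-level argument from skipping the hazard layer the page's structure relies on.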
(3) Conclusions of the argument instance
Using the proposed argument structure modeling language and modeling system, a relatively complete safety product argument instance was constructed for the brake control software; it argues whether the software product meets the software safety requirements and shows, confirms and evaluates the safety level of the product. The following conclusions can be drawn:
The brake control software basically meets the development requirements and the overall mission. It implements the safety-critical functions of braking, shut-off valve control, touchdown protection, tyre pressure monitoring and anti-skid; for most failure modes of these functions, corresponding handling and mitigation measures are considered and implemented, avoiding failure of the safety-critical functions; the main system-level hazards such as 'aircraft cannot brake and decelerate', 'tyre burst' and 'aircraft skids and deviates' can be handled effectively, greatly reducing the safety risks in braking and anti-skid that these hazards pose to the aircraft system and ensuring trustworthy operation of the aircraft.
However, in constructing the argument instance some problems with the brake control software were found: some failure modes of safety-critical functions lack effective handling measures, some safety-critical functions carry latent safety hazards, interface error handling is weak, and complete software safety engineering activities are lacking.
The embodiments in this description are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts can be referred to among them. Since the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points can be found in the description of the method.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (7)
1. A modeling system based on an argument structure modeling language, characterised by comprising a model editing module, a tool palette module, a property area module, a thumbnail area module and a model storage module;
the tool palette module provides, according to the argument structure modeling language, tool items for the GSN basic model elements, the argument pattern extension elements and the argument module extension elements;
the model editing module invokes the model element tool items of the tool palette module, inputs and edits the identifiers of model elements and the corresponding element attributes, and generates the argument structure model;
the property area module modifies and displays the attributes of the argument structure model elements according to the argument structure modeling language;
the thumbnail area module displays part or all of the content of the model editing module;
and the model storage module stores the engineering information of the argument structure model as a model file and a model diagram file.
2. The modeling system based on an argument structure modeling language according to claim 1, wherein the argument structure modeling language comprises abstract syntax, concrete syntax and semantics; the abstract syntax comprises building blocks and constraint rules, the building blocks being represented by the software trustworthiness argument meta-model and the general rules being expressed in OCL; the concrete syntax uses graphical symbols extended from the GSN basic element symbols, comprising the GSN basic element symbols, the GSN pattern extension symbols and the GSN module extension symbols; the semantics comprise the textual description of the software trustworthiness argument meta-model and the instantiation transformation rules.
3. The modeling system based on an argument structure modeling language according to claim 2, wherein the software trustworthiness argument meta-model comprises an AMG meta-model package and an SDM meta-model package, and links are established between the AMG meta-model package, the SDM meta-model package and the software development process meta-model;
the AMG meta-model package and the SDM meta-model package each comprise a plurality of meta-classes, meta-class attributes, meta-class semantics and associations between meta-classes; the AMG meta-model package expresses and describes the basic argument elements of the argument structure and the relationships between them, and includes the elements related to argument patterns and argument modules;
the SDM meta-model package is defined according to the MOF specification, and the specific relationships between its meta-classes are expressed through association modifiers.
4. The modeling system based on an argument structure modeling language according to claim 3, wherein the AMG meta-model package and the SDM meta-model package are accessed and referenced by meta-model package combination to obtain the un-instantiated variables required by the argument structure elements, realising meta-class association and data interaction between the AMG meta-model package and the SDM meta-model package.
5. The modeling system based on an argument structure modeling language according to claim 2, wherein the constraint rules comprise general rules, constraint conditions and marking rules for argument structure model elements; the general rules and constraint conditions are constructed with OCL expressions, the general rules comprising identifier uniqueness, argument relationship element constraints, argument content element constraints and argument pattern constraints, and the constraint conditions covering single classes of argument elements and the global structure of the argument.
6. The modeling system based on an argument structure modeling language according to claim 2, wherein the GSN pattern extension symbols comprise structural abstractions and element entity abstractions, the structural abstractions supporting the multiplicity and optionality relationships of GSN elements and the entity abstractions representing undeveloped and un-instantiated elements;
the GSN module extension symbols comprise the argument module symbol, the away goal symbol and the extended argument relationship symbols.
7. The modeling system based on an argument structure modeling language according to claim 2, wherein the instantiation transformation rules comprise a content rule set and a structure rule set; a top-down order is maintained during construction of the argument structure model, the GSN structure of each concrete argument pattern is instantiated and transformed according to the instantiation transformation rules to obtain the corresponding argument module, and the GSN module extension symbols are used for assembly to obtain the complete argument structure model instance; according to the content rule set, values are assigned to the variables in the un-instantiated elements of the pattern's GSN structure, the information required by the pattern's context is collected and referenced, and the evidence information is collected and organised; according to the structure rule set, the GSN multiplicity symbols in the pattern are expanded and the GSN optionality extensions are resolved.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210651164.5A CN115062463B (en) | 2022-06-09 | 2022-06-09 | Modeling system based on demonstration structure modeling language |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210651164.5A CN115062463B (en) | 2022-06-09 | 2022-06-09 | Modeling system based on demonstration structure modeling language |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115062463A true CN115062463A (en) | 2022-09-16 |
CN115062463B CN115062463B (en) | 2023-02-03 |
Family
ID=83200654
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210651164.5A Active CN115062463B (en) | 2022-06-09 | 2022-06-09 | Modeling system based on demonstration structure modeling language |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115062463B (en) |
Timeline: 2022-06-09, CN, application CN202210651164.5A, patent CN115062463B, status Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070067755A1 (en) * | 2005-04-29 | 2007-03-22 | U.S.A. as represented by the Administrator of the National Aeronautics and Space Adm | Systems, methods and apparatus for pattern matching in procedure development and verification |
CN102779253A (en) * | 2012-07-05 | 2012-11-14 | 北京航空航天大学 | Software safety argumentation method based on Toulmin model |
CN103383722A (en) * | 2013-05-30 | 2013-11-06 | 北京航空航天大学 | Software safety proof development method combining product and process |
CN109088741A (en) * | 2017-06-14 | 2018-12-25 | 北京航空航天大学 | A kind of block catenary system Formal Modeling and verification method |
CN109032945A (en) * | 2018-07-27 | 2018-12-18 | 北京航空航天大学 | A kind of software reliability engineering the integration environment frame design method |
CN112784277A (en) * | 2020-11-03 | 2021-05-11 | 北京航空航天大学 | Software credibility comprehensive evaluation method based on improved D-S evidence theory |
Non-Patent Citations (1)
Title |
---|
王栓奇 (Wang Shuanqi) et al.: "Weapon equipment software failure mode analysis and application" (武器装备软件失效模式分析和应用), 2019 Aviation Equipment Service Support and Maintenance Technology Forum and Annual Meeting of the China Aviation Industry Technology and Equipment Engineering Association * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115964033A (en) * | 2023-01-16 | 2023-04-14 | 北京计算机技术及应用研究所 | Model-based visual software development tool implementation method |
CN115964033B (en) * | 2023-01-16 | 2023-09-26 | 北京计算机技术及应用研究所 | Model-based visual software development tool implementation method |
CN117272684A (en) * | 2023-11-15 | 2023-12-22 | 国家工业信息安全发展研究中心 | Method and device for constructing production equipment operation management and control information model |
CN117272684B (en) * | 2023-11-15 | 2024-03-12 | 国家工业信息安全发展研究中心 | Method and device for constructing production equipment operation management and control information model |
Also Published As
Publication number | Publication date |
---|---|
CN115062463B (en) | 2023-02-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN115062463B (en) | Modeling system based on demonstration structure modeling language | |
Raspotnig et al. | Comparing risk identification techniques for safety and security requirements | |
David et al. | Reliability study of complex physical systems using SysML | |
US9087296B2 (en) | Navigable semantic network that processes a specification to and uses a set of declaritive statements to produce a semantic network model | |
US20080115104A1 (en) | Software development system and method for intelligent document output based on user-defined rules | |
US20130013993A1 (en) | Spreadsheet-based templates for supporting the systems engineering process | |
CN112199086B (en) | Automatic programming control system, method, device, electronic equipment and storage medium | |
CN110502808B (en) | SysML-oriented system security analysis method and device | |
CN101689111A (en) | The automatic management of software requirements verification | |
JP2008171391A (en) | Method for creating requirement description for embedded system | |
CN109255193B (en) | Design method of airplane trailing edge flap control system based on model conversion | |
Oortwijn et al. | Formal verification of an industrial safety-critical traffic tunnel control system | |
Bucaioni et al. | Reference architectures modelling and compliance checking | |
CN112784417B (en) | Avionics distributed joint simulation method and system based on SysML | |
Rahmouni et al. | Approach by modeling to generate an e-commerce web code from laravel model | |
CN112181483B (en) | Plasma control system software development platform and method | |
CN111291444B (en) | Modeling method, device, equipment and storage medium for aircraft assembly | |
Subburaj et al. | Intelligent agent software development using AUML and the Descartes specification language | |
Ganeriwala et al. | Functional Reasoning of System Architecture in the System Modeling Language (SysML) With XML Representation | |
Lehmann et al. | Development of context-adaptive applications on the basis of runtime user interface models | |
Geraldino et al. | The JGOOSE Tool. | |
Li et al. | Specifying Complex Systems in Object-Z: A Case Study of Petrol Supply Systems. | |
Baek et al. | An extensible modeling method supporting ontology-based scenario specification and domain-specific extension | |
Santa et al. | Relations of UML and OETPN Models | |
Lei et al. | An executable framework for modeling and validating cooperative capability requirements in emergency response system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||