350 likes | 492 Vues
Software Aspects of Strategic Defense Systems. Team Turkey Joe Kim Senthil Smitha. President Reagan’s SDI. In March 1983, President Reagan called for a “Strategic Defense Initiative” (SDI).
E N D
Software Aspects of Strategic Defense Systems Team Turkey Joe Kim Senthil Smitha
President Reagan’s SDI In March 1983, President Reagan called for a “Strategic Defense Initiative” (SDI). “I call upon the scientific community … to give us the means of rendering these nuclear weapons impotent and obsolete.” The SDI program came to be popularly called “Star Wars.”
Parnas’ Background • Doesn’t object to weapons development in general • 8yrs experience working on military aircraft • 20yrs in the software engineering field • June 28, 1985 - Parnas resigns from the $1,000 / day panel
Reasons for resignation • Software is unreliable • Unattainable goal due to SDI properties • Software techniques inadequate • SE improvements will be insufficient • AI and Automatic Programming won’t help • Problems with Proofs • Research is inefficient and ineffective
Software is Unreliable • Software often produced with “bugs” • Problems persist for several versions and sometimes worsen with upgrades • Digital computers have large # of states but made from redundant subsystems (which can be exhaustively tested but the whole system can’t) • # of possible states too high in Software • Functions describing their behavior not continuous and can’t be mathematically verified • Logical expressions often harder to understand than the program itself • Most Programmers don’tknow the tools of the trade
Can’t Trust that SDI Character • Target and decoys have unknown characteristics, (need to identify, track, and direct weapons towards them) • Fatal errors will occur if developed without knowledge of characteristics or with characteristics that can be changed by an attacker on day of battle • Attackers countermeasures make network of sensors and weapons unreliable • Fail-soft only successful when: failures predicted from past history, component failures unlikely and statically independent, system has excess capacity, real-time deadlines can be missed • None true for SDI system • Impossible to test under real conditions • No faith without extensive tests
Most massive, costly software ever attempted • Service period too short for humans to debug and modify programs • Debugger’s notes on army truck in Vietnam – not possible in 30-90 minute war • Real-time computation deadlines – worst case amount of resources can’t be predicted • Efficiency and predictability require some preruntime scheduling, need worse case real-time schedule • Large variety of sensors and weapons each requiring complex software, suite will grow during development and after deployment (subject to independent modification) • Difficulties increase with: size of the system, # of independent subsystems, and # of interfaces
One Shot at the Title • Flow chart approach – “think like a computer” • Improved with larger steps • Leads to confusion as data has different meaning under different circumstances • Concurrency – program appear to be doing more than one thing at a time • Multiprocessing – program DOES more than one thing at a time • Yes, Professional Programmers use this conventional approach • Trial and Error – software released when rate of finding new errors slows down
New SE Techniques • Research aimed at reducing amount of information needed to test and maintain • Structured programming and formal program semantics • Use of formally specified abstract interfaces (information hiding) • Use of cooperating sequential processes • Gap between theory and practice • Good software engineering can be done, it’s just far from easy • It reduces, NOT ELIMINATES, errors thus there is still a need testing
Improvements in SE • New languages and environments will help but they are not a major impediment to our work. • AI makes big claims but can offer no help • Automatic Programming is just a euphemism for programming in a higher-level language. • Still need to specify an algorithm • No breakthroughs • The fault lies not in our tools but in ourselves and in the nature of our product.
Artificial Flowers and Intelligence • AI-1 - Solving problems which previously could only be done with human intelligence • This definition changes over time • Best work in this area makes no attempt to mimic people’s problem solving techniques • Mostly problem specific, requires abstraction and creativity to transfer the work • AI-2 - Heuristic or Rule Based Programming/Expert Systems • Approach is dangerous and misleading • Rules obtained are inconsistent, incomplete, and inaccurate • Evolutionary approach results in poorly understood behavior which is hard to predict • Spectacular behavior on small # of obvious cases
Prove it • Can’t use exhaustive case analysis • No prolonged, realistic, testing • Use Mathematical analysis • Don’t have exact specifications to which one can apply a proof • Proofs themselves may contain errors • Concurrency adds difficulty to proofs • No techniques to prove programs robust enough to operate with unknown hardware failures or input errors
Getting what you’ve paid for • Those who make purchasing decisions don’t know what they’re buying • Most difficult and crucial step in research is to identify and define the problem • Practical considerations restrict important theoretical problems • Research should be judge by teams of successful researchers and experienced system engineers • These people considered to valuable to spend time reviewing proposals
Some other perspectives on SDI A Debate on the feasibility of SDI was sponsored by CSPR & MIT in 1985 The debate was moderated by Michael L. Dertouzos PhD '64 of MIT Parnas and Joseph Weizenbaum of MITagainst SDI Charles L. Seitz '65 of Caltech and Danny Cohen of the University of Southern California USC spoke in for SDI. Parnas presented his argument based on the papers he has submitted to SDIO at the time of is resignation from the panel.
Parnas’ Argument Since: • Specifications not known in advance, • Realistic testing is not possible, • No chance to fix software during use, • No foreseeable technology changes this, Therefore – It is not possible to construct SDI software that you could trust to work.
Seitz’ Argument Since • A hierarchical architecture seems best, (because more natural, used in nature, understood by military, allows abstraction up levels …) • Physical organization should follow logical organization, (simplest choice, natural) • Tradeoffs to make software problem tractable are in the choice of system architecture (not in new / radical methods) this makes software problems tractable.
Seitz’ Argument • Loose coordination allows us to infer system performance (assume stat. independence, …) allows system reliability estimates. Therefore it is possible to create reliable SDI battle management software.
From the debate…… • Parnas says “We can’t test it” • Seitz then replies “We can build it.” • Cohen mentions the space shuttle as an example of a system requiring large and complex software. • Parnas’ response is that whereas NASA can delay a launch up until the last second, the president cannot call up the USSR to delay a nuclear war.
From the debate…… • Seitz argues that SDI will be much better than the existing ABM systems. In essencnce he says something useful could be built but doesnt really address the issue of testing it. • Parnas argues that it doesn’t make any difference what is built or how it is built, because there won’t be any means of testing that it meets requirements. • While people for SDI keep coming with arguments to support SDI, they fail to provide anwers to the specific issues raised by Parnas
Patriot Missile performance in the Gulf war • The Patriot system has 7.4 ft long missile powered by a single stage solid propellant rocket motor that runs at mach 3 speeds • The missile weighs 2200 lbs and its range is 43 miles • The patriot is armed with a 200 lb high explosive war head detonated by a proximity fuse that causes shrapnel to destroy the intended target • The system is built around radar and fast computers
Operation: • The missile is launched and guided to the target in three phases: • First, the missiles guidance system turns the patriot toward the incoming missile as the missile flies into the Patriot’s radar beam • Then the Patriot’s computer guides the missile toward the incoming scud missile • Finally, the patriot Missile’s internal radar receiver guides it toward the interception of the incoming missile • During the Gulf war the Patriot was assigned to shoot down incoming Iraqi Scud or Al-Hussein missiles launched at Israel and Saudi Arabia
Statistical analysis of the Patriot’s performance during the Gulf war: • The U.S. Army which was in charge of the Patriot claimed an initial success rate of 80% in Saudi Arabia and 50% in Israel • Those claims were scaled back to 70% and 40% respectively • Part of the reason the success rate was 30% higher in Saudi Arabia than in Israel is that in Saudi Arabia the patriots merely had to push the incoming scud missile away from military targets in the desert or disable the war head • In Israel the scuds were aimed directly at cities and civilian populations (Lager targets)
…Analysis continued • The Patriot’s success rate in Israel was examined by the Israel Defense Forces (I.D.F) • The IDF counted any scud that exploded on the ground (regardless of whether or not it was diverted) as a failure of the patriot • A 10 month investigation by the House Government Operations subcommittee on legislation and national security concluded that there was little evidence to prove that the Patriot hit more than a few Scuds
Patriot missile software problem • As reported by the U.S. General Accounting office, On 02/25/1991, a Patriot failed to track and intercept a Scud missile because of a software problem in the system’s weapons control computer, the scud subsequently hit an Army barracks, killing 28 Americans • This problem led to inaccurate tracking calculation that became worse the longer the system operated • The patriot had never before been used to defend against Scud missiles nor was it expected to operate continuously for long periods of time
A look at current missile defense scenario • Some dreams never die. Do they? • SDI , which was envisioned by President Regan continues to live. • The concept of missile defense remains the same but the bounds of the dream keeps changing. • This can be attributed to the change in the sophistication and the geographical location of the hypothesized enemy.
A look at current missile defense scenario • In the early 90’s SDI gets reincarnated, but this time with a new name “ BMD” • BMDO unlike SDIO has a string of projects with relatively smaller goals. • The projects under BMDO can be classified broadly under these categories, Terminal Defense Midcourse Defense Segment Boost Defense Segment
A look at current missile defense scenario • Further classification of these categories • Terminal Defense Segment THAAD, NTMD, PATRIOT – PAC3, etc.. • Midcourse Defense Segment NMD – GMD, SMD, etc… • Boost Defense Segment Airborne Laser, Space Based Laser, etc ..
A look at current missile defense scenario • Well how is the “BMD” Doing? • An estimated amount of 100 billion dollars have been spent on Missile defense. • The goals of each of the subsystem is small compared to SDI due to the current scenarios • “This is a sharp change from the Reagan years, perhaps because the technology used is closer at hand and the threats are smaller.” (Mosher, page 39, IEEE Spectrum, 1997)
A look at current missile defense scenario • Smaller anticipated mission: “protect the U.S. … against an attack by a rogue state using a handful of warheads outfitted with … simple countermeasures.” “also provide protection against an accidental launch of a few warheads by Russia or China.” “… no more than 100 hit-to-kill interceptors based at old ABM site near Grand Forks, ND.” (Mosher, page 37, IEEE Spectrum, 1997)
A look at current missile defense scenario • How do these smaller anticipated missions affect Parnas’s argument about SDI wont be able to produce a trustworthy missile defense software? • Fundamentally not as you can see from the “Test” facts below, • “In the last 15 years, the U.S. has conducted 20 hit-to-kill intercepts, …. Six intercepts were successful; 13 of those test were done in the last five years, and among them three succeeded.”
Test Facts …… • “No real attempts have been made to intercept uncooperative targets – those that make use of clutter, decoys, maneuver, anti-simulation, and other countermeasures.” (Mosher, page 39, IEEE Spectrum, 1997) • In 1996, ex TRW engineer Nira Schwartz filed a “False Claims Act” suit, alleging that results of tests to distinguish warheads and decoys were falsified by TRW. (featured on “60 Minutes II” in January 2001)
Test Facts …… • Lt. General Kadish – “Right now, from what I see, there is no reason to believe that we can’t make this work. But there’s a lot more testing to be done.” • Secretary of Defense Donald Rumsfeld said, “We are going to deploy a minimal Missile Defense System, in the near future even if the system has not been tested completely.”
Conclusions • A trustworthy SDI Software seems highly impossible. • The arguments by others supporting SDI doesn’t seem to answer the issues raised by Parnas. • The newer scenarios of missile defense does not change Parnas’s argument fundamentally • The systems for limited mission seems to be more tractable than SDI
References: • http://www.cse.nd.edu/~kwb/nsf-ufe/star-wars/ • Broad, W.J., "Scientist at work: Philip E. Coyle III; words of caution on missile defense", New York Times, January 16, 2001. • DOD Ballistic Missile Defense Organization (BMDO). Web site http://www.acq.osd.mil/bmdo/ • http://www.clw.org/nmd/bmdfuzzylogic.html