Academic Marginalia

"Unboxing responsible requirements engineering" In December 2023, I attended the ESEC/FSE conference in San Francisco, and in addition to hearing about lots of interesting work relating to human aspects of software engineering, and security, I also enjoyed listening to the keynote talks delivered at the event. I already shared some reflections on one of these keynotes in a previous blog post ( GenAI for Software Engineering ) and in this one I cover my notes on another keynote which was delivered by Professor Margaret Burnett, a University Distinguished Professor from Oregon State.  Her talk was titled " Getting outside the Bug Boxes " and highlighted the importance of distinguishing between the goals (or policies) of software engineering from the mechanisms (or tools and methods) used to engineer software. The central thesis was that, too often, software engineers constrain themselves inside a box that is based on the latter and therefore miss important aspects of ...

Will AI agents become integral members of software engineering teams? I recently attended the ESEC/FSE conference in San Francisco, where one of the keynote talks was titled " Towards AI-driven software development: challenges and lessons from the field " and delivered by Professor Eran Yahav from Technion. This post summarises my notes on the key messages of the talk. Part of the context for the talk was a recognition that generative artificial intelligence (GenAI) technologies are seeing increasing usage across all stages of the software development lifecycle. Of course, the extent to which they are used is not uniform across all stages, with the most significant usage being for code and test generation. However, as demonstrated by some of the papers presented in other sessions of the conference, the step change in capability realised by the public release of LLMs over the past year has led to researchers exploring the use of GenAI in deployment and maintenance scenarios, f...

I was invited to deliver a presentation to the Institute of Engineering & Technology's EC3 Group on "Dealing with the Internet of Insecure Things".  My talk provided an overview of the security challenges of the Internet of Things and argued that we should adopt human-centric engineering approaches to address these challenges. Abstract:  We are in an age of the ‘Internet of Everything’ where boundaries between citizens, governments, media, and societal organisations are becoming increasingly fuzzy as interconnected digital devices enable the collection and exchange of vast amounts of information across the globe. The availability of data gathered by these devices, coupled with advances in channels of digitally mediated communication, has created a host of new systems that are embedded into a range of human activities, including agriculture, energy, transportation, healthcare, policing, and education – creating the potential for a ‘smarter planet’. However, these cy...

I recently delivered a talk at the Symposium on Software Engineering for Smart Systems, on the importance of considering the role of people in various aspects of software engineering for smart systems.  In addition to discussing the challenges that people face when designing, building and using smart systems, I presented some of the approaches we have been developing to help software engineers and users overcome these challenges.  The slides from the talk are provided below, and the abstract is as follows: People in the Machine:  Human-centred Software Engineering for Smart Systems The growth in ubiquitous computing technologies has created ever greater opportunities to use the data gathered by these technologies to develop ‘smart systems’ that enhance a range of human activities, from health and wellbeing to transportation, agriculture, and sustainable living.  These 'smart systems' depend on software as the thread that weaves together a variety of underlying...

IOT-2016 7-9 September, 2016, Stuttgart, Germany from Charith Perera Recent DDoS attacks on key internet services, like the attack that affected the Dyn domain name service , highlighted the security challenges associated with the proliferation of insecure Internet of Things (IoT) systems.  This attack exploited common vulnerabilities like the use of default administration passwords on IoT devices such as internet-enabled CCTV cameras, internet-enabled appliances and smart home devices, to recruit over hundreds of thousands of nodes into a botnet.   This capability highlights the cyber security threats associated with the IoT and brings into sharp relief the importance of considering both security and privacy when designing these systems. In recent work, presented at the Internet of Things Conference, we describe a privacy-by-design framework for assessing the privacy capabilities of IoT applications and platforms.  Building on more general design strategies for...

View of the Alps from Workshop on "Engineering Adaptive Systems" Ubiquitous computing systems are creating the potential of a smarter but more complex world. One way of managing this complexity is to develop adaptive systems that can react to changes in their operating environment. In such environments security is an important consideration because the assets, threats, attacks and vulnerabilities can all change at runtime.  Adaptive security can help but it is important to have assurances about: Validation:  (Have we built the right system?) Will the system protect the assets from security threats? Verification:  (Have we built the system right?) Has the system been correctly configured to protect the assets from security threats?
; and Explanation:
 Can we understand the behaviour of the adaptive security system? This is the subject of a recent talk I delivered at a workshop on Engineering Adaptive Systems in Bra, Italy.  The photograph above shows a ...

Adaptive security demo, extracted from Collaborative Security video  produced by Amel Bennaceur Our world is increasingly being pervaded by connected digital devices that make up the Internet of Things, making it important to ensure that the security of these devices and the functionality they provide.  We are working on techniques to support adaptive information security, where the security mechanisms used to protect these pervasive computing systems can change as the value of the assets being protected and the threats that arise in the environment change.  A key challenge in any adaptive system is to ensure that users understand why the behaviour of the system is changing at runtime. This is particularly true of security adaptations because in many situations they are likely to prevent users from accessing functionality. In recent work, we have focussed on software engineering techniques that support this through traceability for explaining adaptive security de...

Tools for making sure that "Sparks will Fly" This year's Royal Institution Christmas Lectures, titled " Sparks will Fly " were all about 'hacking' everyday objects to make them part of the Internet of Everything.  Presented by Prof. Danielle George from University of Manchester, they were a great showcase of how engineers tackle challenging problems by extending the capabilities of technologies like the light bulb, the telephone and the motor. Across the three lectures, the audience got to take part in building systems that used internet connected lights to play Tetris on a London skyscraper, to holographic communications and a robotic orchestra.  Through this process, we understood how to build solutions to complex problems by: decomposing them into simpler sub-problems; identifying technologies that could help us solve the sub-problems, using techniques like abstraction and  analogical reasoning ; building prototypes to test our hypotheses...

Privacy Distilation for Mobile Applications from Arosha Bandara I had the opportunity to present our research on Privacy Distillation for Mobile Applications at the British Computer Society Requirements Engineering Specialist Group's Best of RESG Research 2014 event .  The slides above are based on those originally presented by Keerthi Thomas at ICSE 2014. Some interesting questions were discussed following my presentation, including: How does the distillation process cope with the overall mobile software eco-system? At the moment we have only considered the peer-to-peer information flows between the end users of the mobile application.  However, it should be possible to use the Privacy Facets Framework to consider the information, information flows and actors in the overall mobile software eco-system.  Of course some extensions will be required, for example to capture factors such the legal and regulatory aspects of privacy associated with the plac...

Collaborative Adaptive Security scenario As part of our work on Adaptive Security and Privacy ( http://asap-project.info ) we are exploring the role of collaboration between different components in a ubiquitous computing environment in order to maximise the satisfaction of security requirements.  The intuition behind this is that the highly dynamic, heterogeneous device ecosystem of ubiquitous computing environments creates the need to satisfy different security requirements depending on the particular context.  The above video presents an early (and very rough!) example of the type of situation we are thinking about.  In this scenario, it is not possible for a single device in the environment to deliver all the required security functionality but if multiple devices collaborate, then the security requirement can be satisfied. Some of our initial ideas of how to engineer a system to exploit a collaborative adaptation for security will be presented at the upcoming...

Facebook vs. Whatsapp The acquisition of WhatsApp by Facebook has raised a number of interesting privacy debates, with the latest being a legal challenge to the deal on the grounds that WhatsApp's existing user privacy agreement will be violated if Facebook starts using the data to deliver targeted advertising.  It raises the question of whether the difference in the privacy agreements between WhatsApp and Facebook was part of the analysis when the acquisition was planned. Questions that could (arguably should) have been part of the decision to value WhatsApp at ~£11bn (~US$16bn) include: if isolating WhatsApp from Facebook (as proposed in the above article) would limit the possibility of creating new revenue streams (e.g., through advertising), from WhatsApp users? would users leave WhatsApp in droves if Facebook changed the privacy policy to allows user data to be used for advertising? whether hardly any users will care about the potential use of personal informatio...

I don't always have a lot of time to keep up with what is going on in the 'Blog-o-sphere', but there are a a few blogs that I try to read whenever possible.  In an effort to increase the frequency of my own blogging I thought it would be a good idea to write a post about my 'unmissable blogs': Prof.so - written by Anthony Finkelstein, provides some excellent insights into software engineering research and academia in general, with some great humour thrown in. Check out some of the excellent '10 Top ...' lists! Geek Prof - written by Ian Sommerville, is a blog I've only recently been introduced to but found to be a really good read.  Wise words about the state of academia and research, as well as insights on a range of topics that range from cybersecurity to software and systems engineering. Crypto-gram - written by Bruce Schneier, the content of which can be accessed in multiple forms, including a podcast and a email newsletter.  This is one ...