A Reallocation Approach for Software Trustworthiness Based on Trustworthy Attributes

Abstract

Software trustworthiness is an important research field in software engineering. In order to appropriately evaluate it, some different measurement approaches have been proposed, which have important guiding significance for improving software trustworthiness. Recently, we have investigated attributes-based approaches. That is, how to maximize trustworthy degree of some software satisfying a given threshold by adjusting every attribute value such that the cost is minimal, i.e., the sum of all attribute values is as small as possible. The work is helpful to improve the software quality under the same cost. This paper continues this work and considers a reallocation approach to dealing with the problem that the threshold and the minimal constraints of every attribute values dynamically increase. In this process, the costs of trustworthiness improvement should be ensured to be minimal. For this purpose, we firstly define a reallocation model by mathematical programming. Then we introduce the notion of growth function. Based on this, a polynomial reallocation algorithm is designed to solve the above reallocation model. Finally, we verify our work on spacecraft softwares and the results show that this work is valid.

1. Introduction

Software trustworthiness is the ability of software to satisfy user expectation with its behaviors and results and to still provide continuous services by disturbances [1]. It can be characterized by many software attributes [1,2,3,4,5,6,7], which are called trustworthy attributes. Software trustworthiness measurement depicts how to calculate the trustworthy degree of software based on the given trustworthy attributes’ values and their weight values. It can provide a basis for guiding and improving the trustworthiness of design and implementation of software. Therefore, software trustworthiness measurement becomes one of the core scientific problems in researching software trustworthiness [1]. Many measures based on trustworthy attributes are established. In view of the use of more rigorous methods to evaluate software trustworthiness and theoretical validation of models, Tao et al. apply axiomatic approaches to assess software trustworthiness, present the desirable properties of software trustworthiness measures and establish a series of measures complying with these properties [8,9,10,11,12,13,14]. Ding et al. combine utility theory and evidence theory to measure software trustworthiness [15]. They use the utility values of expert scoring to assess the trustworthy attributes, and merge these values according to the Dempster synthesis rule in the evidence theory as software trustworthiness measurement result [15]. Hauke et al. present the requirements for robust probabilistic trust assessment by use of supervised learning, and apply a selection of estimators to a real-world data set to show the effectiveness of supervised methods [16]. Muhammad et al. use the scoring upon the completion of system testing execution to rate software trustworthiness. The rating strategy is based on multiple level calculations that produce a final rating, including test strategies imposed, completeness of system test execution, test iterations, test case priority and test case result for each iteration [17]. Based on trust theory in the field of humanities and sociology, Yang et al. propose a measurable Social-to-Software software trustworthiness framework, and present a whole metric solution for software trustworthiness, namely, the advanced J-M model based on power function, the time-loss rate for ability trustworthiness measurement and the fuzzy comprehensive evaluation model [18]. Wang et al. design and implement TRUSTIE to balance the crowd wisdom and software trustworthiness in a well-controlled way, and evaluate the trustworthiness of software development activities by considering different kinds of software evidences, such as development evidences, sharing evidences and application evidences. These evidences can directly or indirectly reflect trustworthiness attributes which include not only objective quality attributes like correctness, security, but also subjective attributes for example user evaluations [19]. The authors of Cho et al. propose a system-level trustworthiness metric framework that accommodates four submetrics, referred to as STRAM (Security, Trust, Resilience, and Agility Metrics), which gives a hierarchical ontology structure. Moreover, they proposes developing and incorporating metrics describing key assessment tools, including Vulnerability Assessment, Risk Assessment and Red Teaming, to provide additional evidence into the measurement and quality of trustworthy systems [20]. The research on trustworthiness evaluation for specific types of software or intermediate software products by attributes has also achieved fruitful results. Davide et al. elicit the factors that affect the open source software (OSS) trustworthiness through carrying out a survey, collect the objective measures on a sample of 22 Java and 22 C/C++ OSS products by means of the self-developed tool MacXim and subjective evaluations by means of more than 500 questionnaires, and correlate the objective measures to subjective evaluations with a multivariate regression model [21,22]. Han constructs a formal model for the workflow management system trustworthiness measurement and proposes a measurement algorithm from the software behaviour entropy of calculus operators through the principle of maximum entropy and the data mining method [23]. In consideration of the lack of the research on the trustworthiness measurement for software architecture, Jiang et al. establish a trustworthy attribute model of software architecture, and use the Principle of Maximum Entropy and Grey Decision-making Method as the trustworthiness evaluation method of a software architecture [24]. Gene et al. lay out a heuristic systematic model for assessing trust in code. The proposed model describes a five step process of how programmers perceive trust in computer code, including (1) acquisition, (2) initial viewing, (3) in depth look, (4) incorporation, and (5) reevaluation [25]. Wang et al. propose an updating model of software component trustworthiness, they compute the trustworthy degree of the software component based on users’ feedback, and determine the weight of updating by the number of users [26].

Software trustworthiness allocation is the reverse of the software trustworthiness measurement, which refers to the process of determining the trustworthy attribute values according to the minimum trustworthy degree $T_0$ that a given software must achieve, the minimum value $y_0$ which the trustworthy attributes must reach, and the trustworthy attribute weight values of the software. Software trustworthiness allocation is useful to increase the software trustworthiness by adjusting the trustworthy attribute values at the same cost. We have investigated the software trustworthiness allocation approach based on trustworthy attributes which allocates software trustworthiness to trustworthy attributes [27], and the software attribute trustworthiness allocation approach based on sub-attributes which allocates software attribute trustworthiness to sub-attributes [28]. Due to actual needs, the minimum trustworthy degree $T_0$ and the minimum value $y_0$ may be increased, then the software trustworthiness needs to be reallocated to improve the original trustworthy attribute values. Since the trustworthy attribute value is positively correlated with the software research and development cost. Therefore, it is hoped that the software trustworthiness reallocation can minimize the sum of the increases of all the trustworthy attribute values when the trustworthy degree of software is greater than or equal to $T_0$ and each trustworthy attribute value is more than or equal to $y_0$. In order to resolve the above problem, in this paper we build a mathematical programming (MP) model to reallocate the trustworthy degree of software to its attributes appropriately, present a trustworthy attribute value growth function, and propose a reallocation algorithm for solving this MP based on the growth function. Moreover, trustworthiness reallocation of 11 spacecraft softwares are taken as research objects to show the significance and effectiveness of our work. ISO/IEC DIS 30754 standard aims to provide a consensus specification for software trustworthiness by collating good practice from the five main facets of trustworthiness, namely safety, reliability, availability, resilience and security [29]. They can enable an organization to improve operational effectiveness and efficiency. In addition to the trustworthy attributes mentioned in the ISO/IEC DIS 30754 standard, in our reallocation approach they can also contain other required facets; for example, maintainability. Our reallocation approach can determine the optimal degree of each trustworthy attribute value to be increased with the software trustworthiness improvement requirements satisfied, meanwhile, the trustworthy attribute value is positively correlated with the costs of R & D. Therefore, the adoption of our approach is beneficial to the improvement of enterprise efficiency and the reduction of cost, which is consistent with the goal of ISO/IEC DIS 30754 standard.

The rest of the paper is organized as follows. In Section 2, we describe the materials and methods, including reallocating procedure, software trustworthiness measurement model proposed in [14], a reallocation model for software trustworthiness, a reallocation algorithm and an example based on the trustworthiness reallocation of 11 spacecraft softwares. We present the discussion in Section 3. The conclusions and future work come in the last section.

2. Materials and Methods

The reason for software trustworthiness reallocation is that the software trustworthiness requirement is improved, therefore the software attribute value after reallocation should not be less than the corresponding software attribute value before reallocation. Either the software trustworthiness allocation method [27] or software attribute trustworthiness allocation method [28] can not deal with the above problem. Therefore, they can not be applied for software trustworthiness reallocation. For this reason, we establish a reallocation model based on mathematical programming, and give a polynomial time algorithm to solve the model.

2.1. Reallocating Procedure

The procedure for software trustworthiness reallocation consists of four steps as shown in Figure 1. In order to reallocate the software trustworthiness to attributes, we first need to give a software trustworthiness measurement model. It is used to determine the trustworthy degree of software based on the trustworthy attributes’ values and their weight values. Then the software trustworthiness improvement requirements are captured. They should include the minimum trustworthy degree that a given software must achieve and the minimum value which the trustworthy attributes must reach. The trustworthy attribute values and their weight values before reallocation are definitive in this requirements. In Step 3 a software trustworthiness reallocation model is established. It is applied to describe how to model the reallocation of software trustworthiness to trustworthy attributes according to the measurement model built in Step 1 and the requirements presented in Step 2. Finally, software trustworthiness reallocation algorithm is designed to resolve the reallocation model. Since the elements that need to be included in the software trustworthiness improvement requirements are specified in the Step 2, in the following of this section we will focus on the constructions of software trustworthiness measurement mode and software trustworthiness reallocation model and the design of the software trustworthiness reallocation algorithm.

2.2. Software Trustworthiness Measurement Model

We applied axiomatic approaches to measure software trustworthiness in the view of trustworthy attributes and presented four properties that software trustworthiness measures are required to have, including monotonicity, acceleration, sensitivity and substitutivity [8]. Three new properties were put forward to perfect the property set, i.e., expectability, non-negativity and proportionality [11,12]. And we constructed a software trustworthiness measurement model that satisfies the above properties [13]. Considering the particularities of spacecraft software, a simplified version as shown in Definition 1 was used to measure the spacecraft software trustworthiness [14].

Definition 1.

(Simplified Software Trustworthiness Measurement Model Used in [14])

$$T=\prod _{i=1}^n{y}_i^{{\alpha }_i},$$

where

1. 

T is the trustworthy degree of software;

2. 

n is the number of trustworthy attributes;

3. 

$y_i$ is the value of the $i-th$ trustworthy attribute such that $1\le y_0\le y_i\le 10$, of which $y_0$ is the specified value that all of the trustworthy attributes must reach;

4. 

${\alpha }_i$is the weight value of the$i-th$attribute, with$0\le {\alpha }_i\le 1$,${\displaystyle \sum _{i=1}^n}{\alpha }_i=1$.

This simplified measurement model not only complies with the properties mentioned above, but is also in agreement with the idea of Cannikin Law. Meanwhile, its effectiveness is validated by applying it to assess the trustworthiness of 23 spacecraft softwares whose total code is about 300,000 lines. The measurement results show that it is suitable for evaluating the spacecraft software trustworthiness, and can accurately detect the weak links in the development process, which is very important for the improvement of the development level of this type of software. In the next subsection, we will build a reallocation model for software trustworthiness according to this.

2.3. Reallocation Model for Software Trustworthiness

As previously described, software trustworthiness reallocation should not only minimize the sum of the increases of all the trustworthy attribute values, but also make sure that the trustworthy degree of software is not less than the required minimum degree and each trustworthy attribute value is more than or equal to the required minimum value. Therefore, a mathematical programming model is constructed as a reallocation model for software trustworthiness on the basis of the simplified measurement model given in the Definition 1.

Definition 2 (Reallocation Model for Software Trustworthiness).

Mathematical Programming (MP)

$$min\sum _{i=1}^n\Delta y_i$$

$$subject to:\left\{\begin{array}{c}T=\prod _{i=1}^n{y}_i^{{\alpha }_i}\ge T_0,\hfill \\ 1\le y_0\le y_i\le 10,\hfill & \hfill 1\le i\le n,\\ 1\le y_i^{\prime }\le y_i,\hfill & \hfill 1\le i\le n,\end{array}\right.$$

where

1. 

T is the trustworthy degree of software after reallocation;

2. 

$T_0$is the new trustworthy degree that the software must achieve after reallocation;

3. 

n is the number of trustworthy attributes;

4. 

$y_i(1\le i\le n)$are the trustworthy attribute values after reallocation;

5. 

$y_i^{\prime }(1\le i\le n)$are the trustworthy attribute values before reallocation;

6. 

$y_0$is the new value that all of the trustworthy attributes must reach after reallocation;

7. 

$\Delta y_i=y_i-y_i^{\prime }$is the increased value of the$i-th$attribute after reallocation;

8. 

${\alpha }_i$is the weight value of the$i-th$attribute, with$0\le {\alpha }_i\le 1$,${\displaystyle \sum _{i=1}^n}{\alpha }_i=1$.

Sensitivity is used to describe the percentage change of the degree of software trustworthiness caused by the percentage changes of the values of trustworthy attributes. We perform a sensitivity analysis on the simplified software trustworthiness measurement model given in the Definition 1, it follows that for $1\le i\le n$,

$$\frac{\frac{\partial T}{T}}{\frac{\partial y_i}{y_i}}=\frac{\partial T}{\partial y_i}\frac{y_i}{T}={\alpha }_i.$$

Sensitivity analysis of this simplified model shows that the greater the attribute weight value is, the more important it is to improve the software trustworthiness. Therefore, it is necessary to increase the value of attribute with the most important weight value as much as possible. At the same time, considering that the trustworthy attribute value after reallocation should be greater than or equal to the trustworthy attribute value before reallocation and the reallocation process should be as simple as possible, the following trustworthy attribute value growth function is defined.

Definition 3 (Trustworthy Attribute Value Growth Function).

$$y_i=max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min}),1\le i\le n,$$

where

1. 

n is the number of trustworthy attributes;

2. 

$y_i(1\le i\le n)$are the trustworthy attribute values after reallocation;

3. 

$y_i^{\prime }(1\le i\le n)$are the trustworthy attribute values before reallocation;

4. 

$y_0$is the new value that all of the trustworthy attributes must reach after reallocation;

5. 

${\alpha }_i$is the weight value of the$i-th$attribute with$0\le {\alpha }_i\le 1$,${\displaystyle \sum _{i=1}^n}{\alpha }_i=1$,${\alpha }_{min}=\underset{1\le i\le n}{min}\left\{{\alpha }_i\right\}$;

6. 

k is the growth rate of the trustworthy attribute value, which follows$0\le k$.

Since for a given software, $y_0$, ${\alpha }_i(1\le i\le n)$, $y_i^{\prime }(1\le i\le n)$ are fixed, substituting the trustworthy attribute value growth function into the objective function in the reallocation model for software trustworthiness, it follows that

$$\begin{array}{cc}& min\sum _{i=1}^n\Delta y_i\hfill \\ \hfill \iff & min\sum _{i=1}^n(y_i-y_i^{\prime })\hfill \\ \hfill \iff & min\sum _{i=1}^n[(max\{y_0,y_i^{\prime }\}-y_i^{\prime })+k({\alpha }_i-{\alpha }_{min})]\hfill \\ \hfill \iff & min\sum _{i=1}^n\left[k({\alpha }_i-{\alpha }_{min})\right]\hfill \\ \hfill \iff & mink\hfill \end{array}$$

Therefore, by substituting the trustworthy attribute value growth function into the reallocation model for software trustworthiness, we can obtain the following reallocation model for software trustworthiness based on trustworthy attribute value growth function.

Definition 4 (Reallocation Model for Software Trustworthiness Based on Trustworthy Attribute Value Growth Function).

Mathematical Programming (MP)

$$mink$$

$$subject to:\left\{\begin{array}{c}\prod _{i=1}^n{[max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})]}^{{\alpha }_i}\ge T_0,\hfill \\ 1\le max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})\le 10,\hfill \end{array}\right.$$

where

1. 

k is the growth rate of the trustworthy attribute value, which follows$0\le k$;

2. 

n is the number of trustworthy attributes;

3. 

$y_0$is the new value that all of the trustworthy attributes must reach after reallocation, of which$1\le y_0\le 10$;

4. 

$y_i^{\prime }(1\le i\le n)$are the trustworthy attribute values before reallocation such that$1\le y_i^{\prime }\le 10$;

5. 

${\alpha }_i$is the weight value of the$i-th$attribute with$0\le {\alpha }_i\le 1$,${\displaystyle \sum _{i=1}^n}{\alpha }_i=1$,${\alpha }_{min}=\underset{1\le i\le n}{min}\left\{{\alpha }_i\right\}$;

6. 

$T_0$is the new trustworthy degree that the software must achieve after reallocation.

2.4. Reallocation Algorithm for Software Trustworthiness

Let $N=\{1,2,\cdots ,n\}$, $M^{=10}=\{j|y_j^{\prime }=10,j\in N\}$, $P=\{j|{\alpha }_j=\underset{1\le i\le n}{min}\left\{{\alpha }_i\right\}\}$, ${\alpha }_{max}=\underset{1\le i\le n}{max}\left\{{\alpha }_i\right\}$. For the reallocation model for software trustworthiness based on trustworthy attribute value growth function:

• Since for $1\le i\le n$, $1\le y_i^{\prime }$, ${\alpha }_{min}\le {\alpha }_i$ and $1\le y_0$, then for any $0\le k$, it follows that

  $$1\le max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min}).$$
• (1)

  For $i\in P$, notice that $y_0,y_i^{\prime }\le 10$ and ${\alpha }_i-{\alpha }_{min}=0$, then for any $0\le k$, we can derive

  $$max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})\le 10.$$

  (2)

  For $i\in (N-P)$, since $0\le k$ and $0<{\alpha }_i-{\alpha }_{min}$, then from the inequality $max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})\le 10$, we have

  $$0\le k\le \underset{i\in (N-P)}{min}\left\{\frac{10-max\{y_0,y_i^{\prime }\}}{{\alpha }_i-{\alpha }_{min}}\right\}.$$

In summary, from the inequality constraint in the reallocation model presented in Definition 4

$$1\le max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})\le 10,$$

we can obtain

$$0\le k\le \underset{i\in (N-P)}{min}\left\{\frac{10-max\{y_0,y_i^{\prime }\}}{{\alpha }_i-{\alpha }_{min}}\right\}.$$

Software trustworthiness allocation allocates trustworthiness to trustworthy attributes according to weight values of trustworthy attributes, so does software trustworthiness reallocation. On the other hand, since $y_i^{\prime }=10(i\in M^{=10})$, then they are already the maximum value that the trustworthy attribute can take and cannot be increased in the process of trustworthiness reallocation. Therefore, software trustworthiness reallocation based on trustworthy attribute value growth function is actually to find the minimum k satisfying ${\prod }_{i=1}^n{[max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})]}^{{\alpha }_i}\ge T_0$ within $[0,\underset{i\in (N-P-M^{=10})}{min}\left\{\frac{10-max\{y_0,y_i^{\prime }\}}{{\alpha }_i-{\alpha }_{min}}\right\}]$, where ${\displaystyle \sum _{i=1}^n}{\alpha }_i=1,0\le {\alpha }_i\le 1$.

The solution process of the MP given in Definition 4:

• When $y_0\ge T_0$, it is easy to prove that $k=0$ is the optimal solution, and all of the trustworthy attribute values $y_i(1\le i\le n)$ after the reallocation are equal to $max\{y_0,y_i^{\prime }\}$.
• When $y_0<T_0$,

  (1)

  if $T_0\le {\prod }_{i\in N}{y_i^{\prime }}^{{\alpha }_i}$, it is easy to show that $k=0$ is the optimal solution, and all of the trustworthy attribute values $y_i(1\le i\le n)$ after the reallocation are equal to $max\{y_0,y_i^{\prime }\}$ too.

  (2)

  if $T_0>{\prod }_{i\in N}{y_i^{\prime }}^{{\alpha }_i}$, let

  $$f\left(k\right)=\prod _{i\in (N-M^{=10})}{[max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})]}^{{\alpha }_i}\prod _{i\in M^{=10}}{y_i^{\prime }}^{{\alpha }_i}-T_0.$$

  Taking $k=0$ as the initial value of the iteration, Newton iteration method is used to find the approximate root k that satisfies $f\left(k\right)=0$. If $k\in [0,\underset{i\in (N-P-M^{=10})}{min}\left\{\frac{10-max\{y_0,y_i^{\prime }\}}{{\alpha }_i-{\alpha }_{min}}\right\}]$, then the trustworthy attribute values are calculated by substituting k into the trustworthy attribute value growth function. For different $T_0$, $y_0$ and $y_i^{\prime },{\alpha }_i(1\le i\le n)$, k solved by Newton iteration method satisfying $f\left(k\right)=0$ may be out of the above range. In this case, bringing k into the trustworthy attribute value growth function will cause some trustworthy attribute values to exceed 10. To solve this problem, $f\left(k\right)$ is modified to

  $$f\left(k\right)=\prod _{i\in (N-M^{>10}-M^{=10})}{[max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})]}^{{\alpha }_i}\prod _{i\in M^{>10}}{y_i}^{{\alpha }_i}\prod _{i\in M^{=10}}{y_i^{\prime }}^{{\alpha }_i}-T_0$$

  where $M^{>10}$ is a set whose initial value is the empty set ⌀. Substituting the k obtained by the Newton iteration method into the trustworthy attribute value growth function, if there exist trustworthy attribute values which are more than 10, the set of the subscripts of the trustworthy attributes whose values exceed 10 is incorporated into $M^{>10}$, and the newly obtained set is still recorded as $M^{>10}$. The trustworthy attributes whose subscripts are in $M^{>10}$ are sorted in descending order according to their weight values, and the values of the attributes with the largest weight value are set to $10.00$, the values of the attributes with the second largest weight value are set to $9.90$, the values of the attributes with the third largest weight value are set to $9.80$, and so on. However, it is necessary to ensure that the trustworthy attribute values satisfy $\underset{1\le i\le n}{max}\{y_0,y_i^{\prime }\}\le y_i(i\in M^{>10})$ in the process of setting the trustworthy attribute values. Because the software trustworthiness is reallocated according to the weight values of trustworthy attributes, the smaller the attribute weight value is, the smaller the trustworthy attribute value is reallocated. Therefore, the step size is set to $0.10$ for decreasing values, and the step size can be modified according to the specific situation. The initial value of the attribute with the largest weight value can also be changed as needed. In the next round of calculation, Newton iterative method is used to find the new approximate root k that satisfies $f\left(k\right)=0$, and the similar method is applied to update the value of $M^{>10}$ and the values of trustworthy attributes whose subscripts are in $M^{>10}$. When the set $M^{>10}$ is no longer updated, values of trustworthy attributes whose subscripts are in $N-M^{>10}-M^{=10}$ are calculated by the trustworthy attribute value growth function, values of trustworthy attributes whose subscripts are in $M^{>10}$ are obtained according to the above setting rules, and values of trustworthy attributes whose subscripts are in $M^{=10}$ are equal to 10.00. At this time, the trustworthy attribute values obtained are the reallocation results.

The reallocation algorithm for software trustworthiness is shown in Algorithm 1. Steps 6–7 are used to find the approximate root k satisfying $f\left(k\right)=0$ by the Newton iteration method. It takes $O\left(m\right)$, where m represents the maximum number of iterations that the designer wishes to perform. Steps 5–32 are a triple nested loop, which are used to reallocate software trustworthiness to trustworthy attributes whose subscripts are in $N-M^{>10}-M^{=10}$. Since $|N-M^{>10}-M^{=10}|\le n$, of which n is the number of trustworthy attributes, the number of loops in the outmost loop is $O\left(n\right)$. Steps 9–14 are a for loop, which calculate the values of trustworthy attributes whose subscripts are in $N-M^{>10}-M^{=10}$ according to the trustworthy attribute value growth function. Similarly, because $|N-M^{>10}-M^{=10}|\le n$, the number of loops in this for loop is $O\left(n\right)$. Steps 19–30 are a double nested loop, which are applied to set the values of trustworthy attributes whose subscripts are in $M^{>10}$. Since $M\subseteq N$, it follows that $\left|M\right|\le \left|N\right|=n$, then the number of loops in this double nested loop is $O\left(n^2\right)$. Step 33 is used to reallocate software trustworthiness to trustworthy attributes whose subscripts are in $M^{=10}$. Due to $|M^{=10}|\le n$, Step 33 takes $O\left(n\right)$. Thus, the time complexity of Algorithm 1 is $O(n\ast m+n^3)$. m is usually set to a constant, such as $m=1000$, hence the time complexity of Algorithm 1 is $O\left(n^3\right)$.

Algorithm 1 Algorithm for reallocating software trustworthiness: for given trustworthy attribute values $y_1^{\prime },\cdots ,y_n^{\prime }$ before reallocation, trustworthy attribute weight values ${\alpha }_1,\cdots ,{\alpha }_n$, $T_0$ that the software must achieve after reallocation and $y_0$ that all of the trustworthy attributes must reach after reallocation, output the reallocated trustworthy attribute values $y_1,\cdots ,y_n$

Input:  $y_1^{\prime },\cdots ,y_n^{\prime }$, ${\alpha }_1,\cdots ,{\alpha }_n$, $T_0$, $y_0$ Output:  Reallocation result: $y_j(j=1,2,\cdots ,n)$ 1: Initialize $N=\{1,2,\cdots ,n\}$, $M^{>10}=⌀$, $\Delta =0$, and let $M^{=10}=\{j|y_j^{\prime }=10,j\in N\}$ 2: if$y_0\ge T_0$ or ${\prod }_{i\in N}{y_i^{\prime }}^{{\alpha }_i}\ge T_0$ then 3:  return $y_j=max\{y_0,y_j^{\prime }\}(j=1,2,\cdots ,n)$ 4: else 5:  while $(N-M^{>10}-M^{=10})\ne ⌀$do 6:   $f\left(k\right)={\displaystyle \prod _{i\in (N-M^{>10}-M^{=10})}}{[max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})]}^{{\alpha }_i}{\displaystyle \prod _{i\in M^{>10}}}{y}_i^{{\alpha }_i}{\displaystyle \prod _{i\in M^{=10}}}{y_i^{\prime }}^{{\alpha }_i}-T_0$ 7:   Taking $k=0$ as the initial value of the iteration, $m=1000$ as the maximum number of iterations, $1\times {10}^{-10}$ as the error, the Newton iteration method is used to find the approximate root k that satisfies $f\left(k\right)=0$ 8:   $M=⌀$ 9:   for $i\in N-M^{>10}-M^{=0}$ do 10:    $y_i=max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})$ 11:    if $y_i>10$ then 12:     $M=M\cup \left\{i\right\}$ 13:    end if 14:   end for 15:   $M^{>10}=M^{>10}\cup M$ 16:   if $M==⌀$ then 17:    break 18:   else 19:    while $M\ne ⌀$ do 20:     ${\alpha }_0=0,j=0$ 21:     for $k\in M$ do 22:      if ${\alpha }_k>{\alpha }_0$ then 23:       ${\alpha }_0={\alpha }_k,j=k$ 24:      end if 25:     end for 26:     $y_j=10.00-\Delta \ast 0.10,\Delta =\Delta +1,M=M-\left\{j\right\}$ 27:     if $y_j<max\{y_0,y_j^{\prime }\}$ then 28:      $y_j=max\{y_0,y_j^{\prime }\}$ 29:     end if 30:    end while 31:   end if 32:  end while 33:  $y_j=10.00,j\in M^{=10}$ 34:  return $y_j(j=1,2,\cdots ,n)$ 35: end if

2.5. Example of Software Trustworthiness Reallocation

The simplified software trustworthiness measurement model given in Definition 1 was applied to evaluate the trustworthiness of 23 spacecraft softwares [14]. The trustworthy attributes of spacecraft software are composed of 9 attributes, including (1) overall planning and implementation, (2) analysis and design, (3) test verification, (4) reliability and safety, (5) software technology status change, (6) quality problem close loop, (7) configuration management, (8) software development environment, (9) third party evaluation situation, and their values before reallocation are respectively denoted by $y_1^{\prime },y_2^{\prime },y_3^{\prime },y_4^{\prime },y_5^{\prime },y_6^{\prime },y_7^{\prime },y_8^{\prime },y_9^{\prime }$. The weight values of these 9 attributes are $0.05,0.17,0.20,0.15,0.09,0.09,0.11,0.05,0.09$, which are calculated by the method presented in [9]. The spacecraft software’s trustworthy degree before reallocation computed on the basis of the simplified model is denoted by $T^{\prime }$. The trustworthy attribute values, trustworthy degrees and trustworthy ranks of 11 representative spacecraft softwares are shown in

Table 1. Trustworthy attribute values, trustworthy degrees and trustworthy ranks of 11 representative spacecraft softwares.

	${\mathit{y}}_1^{\prime }$	${\mathit{y}}_2^{\prime }$	${\mathit{y}}_3^{\prime }$	${\mathit{y}}_4^{\prime }$	${\mathit{y}}_5^{\prime }$	${\mathit{y}}_6^{\prime }$	${\mathit{y}}_7^{\prime }$	${\mathit{y}}_8^{\prime }$	${\mathit{y}}_9^{\prime }$	${\mathit{T}}^{\prime }$	Rank
No. 2	8.28	7.61	6.13	8.26	8.28	8.37	9.00	9.00	9.65	7.90	III
No. 4	7.66	7.61	4.76	7.61	8.26	8.37	9.00	4.24	9.37	7.09	II
No. 6	7.66	7.87	5.90	7.00	8.26	8.37	7.00	7.00	9.65	7.36	III
No. 7	7.66	7.87	6.15	4.63	8.26	8.37	7.62	7.00	9.65	7.04	III
No. 9	7.66	7.87	7.94	7.00	8.26	7.93	8.28	7.94	9.64	7.97	III
No. 18	8.33	7.61	8.41	9.00	8.28	9.49	10.00	9.00	8.26	8.61	IV
No. 19	8.33	7.61	9.16	8.28	8.26	8.37	9.66	9.00	9.00	8.58	IV
No. 20	7.00	7.61	8.28	7.61	7.61	8.37	8.59	9.49	9.00	8.08	III
No. 21	8.33	7.87	8.20	7.00	9.00	8.37	8.59	9.00	8.56	8.17	III
No. 22	8.33	7.87	5.99	7.00	9.00	8.37	8.59	9.00	10.00	7.76	III
No. 23	9.00	7.61	8.40	9.00	8.58	8.37	10.00	9.00	8.26	8.57	IV

[14]. The ranks of 11 representative spacecrafts are obtained according to the software trustworthiness classification model, as shown in the

Table 2. Software trustworthiness classification model.

	Rank V	Rank IV	Rank III	Rank II	Rank I
Lowest trustworthy degree of software $T_0$	9.50	8.50	7.00	4.50	0.00
Lowest trustworthy value of software attribute $y_0$	8.50	7.00	4.50	0.00	0.00

[14]. In this classification model, software trustworthiness is divided into five ranks. Rank V is the highest level, which requires that the trustworthy degree of software is at least $T_0=9.50$, and the trustworthy attribute value is at least $y_0=8.50$. Rank I is the lowest level, which requires that the trustworthy degree of software is at least $T_0=0.00$, the trustworthy attribute value is at least $y_0=0.00$.

We have implemented our reallocation algorithm on a PC with Intel(R) Core (TM) i7-6500 CPU @ 2.50 GHz 2.59 GHz and 8 GB of main memory running Windows 10 64-bit operating system. The IDE is PyCharm with Python 3.6.1. Assuming that the trustworthy rank of each of these 11 representative softwares needs to be improved by one level, in the following we will show how to use Algorithm 1 to reallocate their trustworthiness according to the classification model given in Table 2.

The process of trustworthiness reallocation of software no. 4 from rank II to rank III is as follows. Because ${\prod }_{i\in N}{y_i^{\prime }}^{{\alpha }_i}=7.09\ge T_0=7.00$, then let $k=0$. Substituting $k=0$ into the trustworthy attribute value growth function $y_i=max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})(1\le i\le 9)$, we can get the following reallocation result

$$(y_1,y_2,y_3,y_4,y_5,y_6,y_7,y_8,y_9)=(7.66,7.61,4.76,7.61,8.26,8.37,9.00,4.50,9.37).$$

The change of each attribute value caused by trustworthiness reallocation of spacecraft software from rank II to rank III is shown in the

Table 3. Changes of trustworthy attribute values caused by trustworthiness reallocation of spacecraft software from rank II to rank III.

	No. 4
$y_1^{\prime }\to y_1$	$7.66\to 7.66$
$y_2^{\prime }\to y_2$	$7.61\to 7.61$
$y_3^{\prime }\to y_3$	$4.76\to 4.76$
$y_4^{\prime }\to y_4$	$7.61\to 7.61$
$y_5^{\prime }\to y_5$	$8.26\to 8.26$
$y_6^{\prime }\to y_6$	$8.37\to 8.37$
$y_7^{\prime }\to y_7$	$9.00\to 9.00$
$y_8^{\prime }\to y_8$	$4.24\to 4.50$
$y_9^{\prime }\to y_9$	$9.37\to 9.37$
$T^{\prime }\to T$	$7.09\to 7.12$
${\sum }_{i=1}^9(y_i-y_i^{\prime })$	$0.26$

.

The following is the process of trustworthiness reallocation of software whose number is 7 from rank III to rank IV. First, initialize $N=\{1,2,\cdots ,9\}$, $M^{>10}=⌀$, $\Delta =0$, and $M^{=10}=⌀$ is obtained.

Because $y_0=7.00<T_0=8.50$ and ${\prod }_{i\in N}{y_i^{\prime }}^{{\alpha }_i}=7.04<T_0=8.50$, the first outermost loop of the outermost else part is executed, it follows that

$$\begin{array}{cc}\hfill f\left(k\right)=& {7.66}^{0.05}\times {(7.87+12/100\times k)}^{0.17}\times {(7.00+15/100\times k)}^{0.20}\times \hfill \\ & {(7.00+1/10\times k)}^{0.15}\times {(8.26+4/100\times k)}^{0.09}\times {(8.37+4/100\times k)}^{0.09}\times \hfill \\ & {(7.62+6/100\times k)}^{0.11}\times {7.00}^{0.05}\times {(9.65+4/100\times k)}^{0.09}-8.5.\hfill \end{array}$$

Taking $k=0$ as the initial iterative value, $m=1000$ as the maximum number of iterations and $1\times {10}^{-10}$ as the error, the approximate solution $k=9.70$ of $f\left(k\right)=0$ is obtained by Newton iterative method, which exceeds the range of $[0,\underset{i\in (N-P-M^{=10})}{min}\left\{\frac{10-max\{y_0,y_i^{\prime }\}}{{\alpha }_i-{\alpha }_{min}}\right\}]=[0,8.75]$. Bringing $k=9.70$ into the trustworthy attribute value growth function $y_i=max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})(1\le i\le 9)$, we can get

$$(y_1,y_2,y_3,y_4,y_5,y_6,y_7,y_8,y_9)=(7.66,9.03,8.45,7.97,8.65,8.76,8.20,7.00,10.04),$$

of which $y_9>10$, update $M^{>10}=\left\{9\right\}$ and let $y_9=10.00$.

Since $N-M^{>10}-M^{=10}\ne ⌀$, the second outermost loop of the outermost else part is executed, it follows that

$$\begin{array}{cc}\hfill f\left(k\right)=& {7.66}^{0.05}\times {(7.87+12/100\times k)}^{0.17}\times {(7.00+15/100\times k)}^{0.20}\times \hfill \\ & {(7.00+1/10\times k)}^{0.15}\times {(8.26+4/100\times k)}^{0.09}\times {(8.37+4/100\times k)}^{0.09}\times \hfill \\ & {(7.62+6/100\times k)}^{0.11}\times {7.00}^{0.05}\times {10.00}^{0.09}-8.50.\hfill \end{array}$$

Taking $k=0$ as the initial iterative value, $m=1000$ as the maximum number of iterations and $1\times {10}^{-10}$ as the error, the approximate solution $k=9.83$ of $f\left(k\right)=0$ is obtained by Newton iterative method. Bringing $k=9.83$ into the trustworthy attribute value growth function $y_i=max\{y_0,y_i^{\prime }\}+k\times ({\alpha }_i-{\alpha }_{min})$ to calculate the values of attributes whose subscripts are in $N-M^{>10}-M^{=10}=\{1,2,3,4,5,6,7,8\}$, the values of attributes whose subscripts are in $M^{>10}=\left\{9\right\}$ are obtained from the settings in the previous round of outermost loop of the outermost else part, then we have

$$(y_1,y_2,y_3,y_4,y_5,y_6,y_7,y_8,y_9)=(7.66,9.04,8.46,7.97,8.65,8.76,8.20,7.00,10.00).$$

All of the trustworthy attribute values are less than or equal to $10.00$, the set $M^{>10}$ is no longer updated, the outmost loop is jumped out of and the algorithm is stopped. The above trustworthy attribute values are the reallocation result.

Similarly, the trustworthiness of the rest of rank III softwares and rank IV softwares which need to be improved by one level can be reallocated to trustworthy attributes by Algorithm 1. The reallocation results are shown in

Table 4. Changes of trustworthy attribute values caused by trustworthiness reallocation of spacecraft softwares from rank III to rank IV.

	No. 2	No. 6	No. 7	No. 9	No. 20	No. 21	No. 22
$y_1^{\prime }\to y_1$	$8.28\to 8.28$	$7.66\to 7.66$	$7.66\to 7.66$	$7.66\to 7.66$	$7.00\to 7.00$	$8.33\to 8.33$	$8.33\to 8.33$
$y_2^{\prime }\to y_2$	$7.61\to 8.15$	$7.87\to 9.15$	$7.87\to 9.04$	$7.87\to 8.64$	$7.61\to 8.21$	$7.87\to 8.37$	$7.87\to 8.58$
$y_3^{\prime }\to y_3$	$6.13\to 7.67$	$5.90\to 8.60$	$6.15\to 8.46$	$7.94\to 8.90$	$8.28\to 9.03$	$8.20\to 8.82$	$5.99\to 7.88$
$y_4^{\prime }\to y_4$	$8.26\to 8.71$	$7.00\to 8.07$	$4.63\to 7.97$	$7.00\to 7.64$	$7.61\to 8.11$	$7.00\to 7.42$	$7.00\to 7.59$
$y_5^{\prime }\to y_5$	$8.28\to 8.46$	$8.26\to 8.69$	$8.26\to 8.65$	$8.26\to 8.52$	$7.61\to 7.81$	$9.00\to 9.17$	$9.00\to 9.24$
$y_6^{\prime }\to y_6$	$8.37\to 8.55$	$8.37\to 8.80$	$8.37\to 8.76$	$7.93\to 8.19$	$8.37\to 8.57$	$8.37\to 8.54$	$8.37\to 8.61$
$y_7^{\prime }\to y_7$	$9.00\to 9.27$	$7.00\to 7.64$	$7.62\to 8.20$	$8.28\to 8.66$	$8.59\to 8.89$	$8.59\to 8.84$	$8.59\to 8.94$
$y_8^{\prime }\to y_8$	$9.00\to 9.00$	$7.00\to 7.00$	$7.00\to 7.00$	$7.94\to 7.94$	$9.49\to 9.49$	$9.00\to 9.00$	$9.00\to 9.00$
$y_9^{\prime }\to y_9$	$9.65\to 9.83$	$9.65\to 10.00$	$9.65\to 10.00$	$9.64\to 9.90$	$9.00\to 9.20$	$8.56\to 8.73$	$10.00\to 10.00$
$T^{\prime }\to T$	$7.90\to 8.50$	$7.36\to 8.50$	$7.04\to 8.50$	$7.97\to 8.50$	$8.08\to 8.50$	$8.17\to 8.50$	$7.76\to 8.50$
${\sum }_{i=1}^9(y_i-y_i^{\prime })$	3.23	6.89	8.35	3.53	2.74	2.28	4.01

and

Table 5. Changes of trustworthy attribute values caused by trustworthiness reallocation of spacecraft softwares from rank IV to rank V.

	No. 18	No. 19	No. 23
$y_1^{\prime }\to y_1$	$8.33\to 8.50$	$8.33\to 8.50$	$9.00\to 9.00$
$y_2^{\prime }\to y_2$	$7.61\to 9.54$	$7.61\to 9.76$	$7.61\to 9.62$
$y_3^{\prime }\to y_3$	$8.41\to 9.80$	$9.16\to 10.00$	$8.40\to 9.91$
$y_4^{\prime }\to y_4$	$9.00\to 9.86$	$8.28\to 9.55$	$9.00\to 9.94$
$y_5^{\prime }\to y_5$	$8.28\to 8.85$	$8.26\to 8.92$	$8.58\to 8.95$
$y_6^{\prime }\to y_6$	$9.49\to 9.84$	$8.37\to 8.92$	$8.37\to 8.87$
$y_7^{\prime }\to y_7$	$10.00\to 10.00$	$9.66\to 9.90$	$10.00\to 10.00$
$y_8^{\prime }\to y_8$	$9.00\to 9.00$	$9.00\to 9.00$	$9.00\to 9.00$
$y_9^{\prime }\to y_9$	$8.26\to 8.85$	$9.00\to 9.42$	$8.26\to 8.87$
$T^{\prime }\to T$	$8.61\to 9.50$	$8.58\to 9.50$	$8.57\to 9.50$
${\sum }_{i=1}^9(y_i-y_i^{\prime })$	5.84	6.31	5.95

.

The last rows of Table 3, Table 4 and Table 5 separately give the sum of the increases of all the trustworthy attribute values of 11 representative spacecraft softwares. Since we assume that the trustworthy attribute values are positively correlated with the software development costs, these rows reflect to some extent the research and development costs required to improve the software trustworthiness by one level. From Table 4, it can be found that the trustworthy degrees of all of software no. 2, no. 6, no.7, no. 9, no. 20, no. 21 and no. 22 after reallocation calculated by the model presented in the Definition 1 are $8.50$, which is exactly the lowest trustworthy degrees required for rank IV. The reason is that all of their trustworthy degrees before reallocation satisfy ${\prod }_{i\in N}{y_i^{\prime }}^{{\alpha }_i}\le 8.50$ and $y_0=7.00<T_0=8.50$. It can be found from Table 5 that all of software no. 18, no. 19 and no.23 have similar results.

3. Discussion

We defined an allocation model for software trustworthiness based on the simplified model as shown in Definition 1 [27] and an allocation model for software attribute trustworthiness based on a model that used the same computational model as the simplified model [28]. The allocation model for software trustworthiness gives the procedure of determining the value of each attribute with the given trustworthy degree of a software. It requires a feasible solution that minimizes the sum of all the trustworthy attribute values when the software trustworthiness requirements are satisfied. We provide an attribute-based allocation algorithm to get the allocation results using Newton iterative method. The allocation model for software attribute trustworthiness describes the process of computing the value of each sub-attribute according to the given value of trustworthy attribute. It requires a solution that not only maximizes the value of the attribute but also minimizes the sum of all its sub-attribute values. We design a sub-attribute-based allocation algorithm to obtain the allocation results by solving a group of indefinite equations. The reallocation mode for software trustworthiness presents how to reallocate software trustworthiness to attributes with the improvement requirements of software trustworthiness satisfied. It requires a solution that minimizes the sum of the increases of all the trustworthy attribute values. We also give an attribute-based reallocation algorithm to get the reallocation results with the help of Newton iterative method. Compared with the allocation models, the reallocation model has different objective functions and more constraints. The reallocation model needs to ensure that each software attribute value after reallocation is not less than the corresponding software attribute value before reallocation. The software trustworthiness allocation method and software attribute trustworthiness allocation method given by us can not guarantee this, so neither of them can be used for software trustworthiness reallocation.

4. Conclusions and Future Work

In this paper, we have established a mathematical programming model to reallocate the trustworthy degree of software to its attribute appropriately. In order to solve this mathematical programming, a trustworthy attribute value growth function is given. A polynomial time algorithm is designed to compute the optimal solution of this mathematical programming based on the trustworthy attribute value growth function. In addition, this algorithm is implemented and its effectiveness is validated by applying it to reallocate the trustworthiness of 11 spacecraft softwares which need to be improved by one level. We also highlight how the time line of our research has evolved from the findings of our previous study and explain their differences. The results obtained here are useful to minimize the costs of software trustworthiness improvement.

There are several problems that are worthy of further study. First, for the sake of simplicity, we assume that all attributes have the same trustworthy growth rate in the trustworthy attribute value growth function. If their trustworthy growth rates are not the same, the question of how to solve the corresponding reallocation model is important. Furthermore, in this paper, it is assumed that the trustworthy attribute value growth function is a linear function. If it is another type of function, how should the corresponding reallocation model be solved? Third, we will extend the reallocation approach given in this paper to reallocate software trustworthiness based on other software trustworthiness measurement models, and study the reallocation approach for software attribute trustworthiness on the basis of the reallocation approach proposed here. We will also research how to select the trustworthy attributes by implementing a learning approach based on reinforcement learning method. Finally, we will study the quantitative relationship between trustworthy attribute values and the costs of R & D to further evaluate the economic benefits of our approach.