An Approach of Trustworthy Measurement Allocation Based on Sub-Attributes of Software

Measurement of software trustworthiness is an important research field in software engineering, which is very useful for analyzing software quality. In this paper, we propose a mathematical programming approach to allocate the trustworthy degree to each sub-attribute of a software attribute appropriately, so as to maximize the trustworthy degree of this attribute under some constraint conditions. Some sufficient or necessary conditions for analyzing this mathematical programming problem are investigated. Moreover, a polynomial allocation algorithm is given for computing the optimal solution of this mathematical programming problem. Finally, an example is given in order to show the significance of this work. The results obtained here are useful for improving the software quality by adjusting the trustworthy degree of each sub-attribute under the same cost.


Introduction
Due to the increasing dependence on software, people pay more and more attention to the research into software trustworthiness. One of the core scientific problems in this research is the software trustworthiness measurement [1]. Software trustworthiness measurement is the quantification of software trustworthiness, which can provide evidence for increasing the trustworthiness of the implementation of software. The software trustworthiness can be characterized by many attributes [2][3][4][5], which are called trustworthy attributes in this paper. Trustworthy attributes are separated into critical attributes and non-critical attributes [6]. Critical attributes are the attributes that trustworthy software must have and the other trustworthy attributes are referred to as non-critical attributes [6]. Trustworthy attributes are normally at too high a level to be measurable directly; hence, they are further subdivided into sub-attributes. Many software trustworthiness measurement models based on the decompositions of trustworthy attributes have been proposed. Typical ones include ISO/IEC 25010: 2011 [7], classification model [8], Bayesian networks [9], weakness analysis [10], questionnaires and statistical analysis [11,12], evidence theory [13], dynamic statistical analysis [14], data mining [15], fuzzy theory [16], rough set theory [17], and user feedback [18]. Weights of different attributes play key roles in obtaining accurate trustworthiness measurement; Ref. [19] proposes an approach for determining weights based on the subjective and objective integration; it gets the subjective weights by aggregating the positive reciprocal matrices given by the evaluations of different experts and acquires objective weights based on the trustworthy degrees of the attributes and the subjective weights. However, few researchers pay attention to using more rigorous approaches to software trustworthiness measurement. In order to make the software trustworthiness measure more rigorous, we have applied axiomatic approaches to measure software trustworthiness [6,20,21,22,23,24].
The software trustworthiness measurement approach describes the procedure of determining the trustworthy degree of a software program with given trustworthy degrees of attributes. The allocation of software trustworthiness, which determines degrees of trustworthy attributes with given trustworthy degree of a software program, is very important too. It is useful for improving the software trustworthiness by adjusting the degree of each trustworthy attribute under the same cost. Ma et al. [25] have investigated the reverse of the software trustworthiness measurement approach proposed in [24]. However, as we mentioned above, trustworthy attributes are normally at too high a level to be measurable directly, and they are further subdivided into sub-attributes. In this paper, based on the trustworthy attribute measurement model built in [24], we deal with the problem of how to determine trustworthy degrees of sub-attributes with given trustworthy degree of a trustworthy attribute. We build a mathematical programming (MP) model to allocate the trustworthy degree of a trustworthy attribute to its sub-attributes appropriately, and discuss some sufficient or necessary conditions for analyzing this MP. Moreover, an allocation algorithm is proposed for solving this MP. Finally, a concrete example is presented in order to state the significance of our work. The results obtained here are useful for guiding and controlling the software quality by adjusting the trustworthy degree of each sub-attribute under the same cost.
The rest of the paper is organized as follows. In Section 2, we describe the trustworthy attribute measurement model proposed in [24]. An allocation model for software attribute trustworthiness defined as a mathematical programming model MP is introduced in Section 3 and some sufficient or necessary conditions for analyzing this MP are also discussed in this section. An allocation algorithm for solving the MP built in Section 3 is given in Section 4 and an example is presented in Section 5. The conclusions and future work are presented in the last section.

Software Attribute Trustworthiness Measurement Model
Axiomatic approaches formalize the empirical understandings of software attributes by the definitions of desirable measure properties [26][27][28]. They can provide precise and formal terms for the quantification of software attributes. We once used the axiomatic approaches to measure software trustworthiness based on attributes. Four desirable properties of the software trustworthiness measurement based on attributes were first given by us in [6], that is, monotonicity, acceleration, sensitivity and substitutivity. Considering the software trustworthiness related to user expectation, we put forward the expectability property in [21]. We further improved the above property set and added three new properties: non-negativity, nullability and appropriateness of the ratio of trustworthy attributes [23]. In Ref. [22], we extended the above works to apply axiomatic approaches to measure software trustworthiness based on the decompositions of trustworthy attributes, proposed the desirable measure properties in the view of the decompositions of trustworthy attributes, established a software trustworthiness measurement model based on the decompositions of attributes as described in Definition 1, and validated this model from the theory by proving that it complied with the properties given in [22].

Definition 1 (Software trustworthiness measurement model established in [22]). is used to control the effect of the minimum critical attribute on the software trustworthiness; 5. $0 < \rho$ is a parameter related to the substitutivity between critical and non-critical attributes;

The benefits of using the exponential model rather than the model of linear combination (i.e., $y = \sum_{j=1}^{n} \alpha_i y_i$) for computing the trustworthy degree have been stressed in [20] in detail. The spacecraft software trustworthiness is one of the key factors to ensure the space mission's success. However, the evaluation of spacecraft software trustworthiness is only qualitative heretofore. In order to make the spacecraft software trustworthiness measurement more rigorous, we used axiomatic approaches to measure spacecraft software trustworthiness based on the decompositions of trustworthy attributes [24]. The trustworthy degree of spacecraft software is obtained by aggregating the trustworthy degree of each attribute; furthermore, the trustworthy degree of each attribute is computed by using the trustworthy degrees of its sub-attributes. Considering the particularities of spacecraft software, we think that all of their trustworthy attributes are critical and let = 0; then, the measurement model given in Definition 1 is simplified, as shown in Definition 2 [24].
The simplified software trustworthiness measurement model not only satisfies the set of properties given in [22] but also is in agreement with the idea of Cannikin Law. In Ref. [24], the trustworthy attribute measurement model uses the same computational model as the software trustworthiness measurement model described in Definition 2, which is depicted in Definition 3 [24].

Definition 3 (Software attribute trustworthiness measurement model given in [24]).

1. y is the trustworthy degree of some attribute;
2. n is the number of trustworthy sub-attributes that comprise this trustworthy attribute;
3. $\alpha_j$ is the weight value of the j-th sub-attribute, with

Meanwhile, an empirical validation is carried out by applying the measurement models given in Definitions 2 and 3 to measure 23 spacecraft software programs [24]. The critical attributes of spacecraft software are composed of nine attributes and these nine attributes consist of 28 sub-attributes. The expert panel that consists of 10 experts grades the 28 sub-attributes and finally measures the trustworthiness of the 23 spacecraft software programs from the bottom up. The distributions of trustworthy degrees of software attributes and sub-attributes of 11 representative software programs are shown in Figures 1 and 2, respectively. The trustworthy degrees of software attributes and sub-attributes are consistent with the actual situations of software product development [24], which truly reflect the spacecraft software attribute and sub-attribute trustworthiness. On the one hand, from Figures 1 and 2, we can easily find the weak links in the progress of software development [24]. Therefore, the measurement models described in Definitions 2 and 3 are reasonable and effective.

Ma et al. [25] have studied the allocation of software trustworthiness based on the software trustworthiness measurement model presented in Definition 2. Since the ranges of the free variables of the software trustworthiness measurement model given in Definition 2 are different from that of the software attribute trustworthiness measurement model described in Definition 3, the allocation approach of software trustworthiness proposed in [25] is not suitable for the allocation of software attribute trustworthiness.

Allocation Model for Software Attribute Trustworthiness
According to the trustworthy attribute measurement model described in Definition 2, we define an allocation model for software attribute trustworthiness as the following mathematical programming model.

Definition 4 (Allocation Model for Software Attribute Trustworthiness).
Mathematical Programming (MP)

where

1. y is the trustworthy degree of some attribute;
2. n is the number of trustworthy sub-attributes that comprise this trustworthy attribute;
3. $x_j$ is the trustworthy degree of the j-th sub-attribute of this trustworthy attribute;
4. t is the specified trustworthy degree that this attribute must reach, with $0 \le t \le 1$.
The main differences between the allocation of software attribute trustworthiness and the allocation of software trustworthiness proposed in [25] are as follows. The allocation of software trustworthiness describes the process of determining the trustworthy degree of each software attribute with the given trustworthy degree of a software [25]; the range of each attribute value is [0,1]. The allocation of software attribute trustworthiness describes the process of determining the trustworthy degree of each software sub-attribute according to the given software attribute trustworthiness; the trustworthy degrees of the sub-attributes come from the set {1, 0.9, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3, 0.2, 0.1}. Moreover, the allocation model given in [25] only requires finding the feasible solution of the allocation of software trustworthiness; however, the allocation model created above requires finding the optimal solution of the allocation of software attribute trustworthiness.
$x_j$ is monotonic non-increasing with respect to the subscript j. Then, y will be non-increasing when we exchange any $x_i$ and $x_j$ such that $i < j$. That is, suppose that Then, y ≥ y . Proof.

This proposition shows that the value of y is non-decreasing when the trustworthy degrees are assigned so that the smaller the subscript i, the larger the value of $x_i$. Furthermore, we have the following corollary.

, where $\alpha_{j-1} \ge \alpha_j$ and $\delta_{j-1} \ge \delta_j$ for any $j = 2, 3, \cdots, n$. Then, y will be non-increasing when we exchange $\delta_i$ and $\delta_j$ in y for any $i < j$. (2) Given an assignment set {a , where $\alpha_{j-1} \ge \alpha_j$ for any $j = 2, 3, \cdots, n$, and then y takes maximal value if and only if the assignments satisfy: the smaller the subscript j, the larger the assignment of $x_j$.

Corollary 1 will be useful for the later algorithm that allocates a trustworthy degree to each sub-attribute. Now, we give an example.
However, it should be pointed out that the maximal value of y is affected by the weights even if $\sum_{j=1}^{n} x_j$ keeps unchanged, which is witnessed by the following example.

This example shows that the weights, in particular, degree of proximity between weights will affect the order between y and ȳ. Hence, under the condition of $\sum_{j=1}^{n} x_j$ being unchanged, if there is only an assignment set, then y takes maximal value when assignments satisfy the least subscript j, the largest value of $x_j$; whereas, if there are two assignment sets, then the maximal value is taken by comparing the values of y under these two assignments such that the least subscript j, the largest value of $x_j$.

Obviously, the MP (1) has an optimal solution when $t_1 = 1 \in A$. In this case, we can give a coarse estimate of $\sum_{j=1}^{n} x_j$. For this purpose, we first make a little preparation.

) and $c_i c_j \ge 0$ for any i, j. Then,

Proposition 2. Suppose that the MP (1) has an optimal solution. Then, $\sum_{j=1}^{n} x_j \ge t^n + (n - 1)$ implies $y \ge t$.

Proof. Let $y = \prod_{j=1}^{n} x_j^{\alpha_j}$ and $a \in (0, 1)$. Then, Clearly, $\log_a x_j \ge 0$ for any $j = 1, 2, \cdots, n$. Furthermore, the MP (1) has an optimal solution that implies that $x_{j-1} \ge x_j$ by Corollary 1 (2) and then $\log_a x_{j-1} \le \log_a x_j$ for any $j = 2, \cdots, n$. Hence, It follows that $y^n \le \prod_{j=1}^{n} x_j$. Furthermore, by Bernoulli inequality, we have that Consequently, $y^n \le \sum_{j=1}^{n} x_j - (n - 1)$. Thus, when $\sum_{j=1}^{n} x_j \ge t^n + (n - 1)$ holds, $y \ge t$ must hold. The proof is completed.

The significance of this proposition is that sometimes it is convenient to find the least $\sum_{j=1}^{n} x_j$ close to $t^n + (n - 1)$.

Allocation Algorithm
Note that each $t_j$ takes value from the set {0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 1}. Suppose ∆ Since we are asked to obtain the largest y under the least $\sum_{j=1}^{n} x_j$ and $y \ge t$, we first let where n is the number of sub-attributes. On one hand, we need to add $\Delta_i \in \Delta A$ to each $x_j = t_k$; on the other hand, in order to keep $\sum_{j=1}^{n} x_j$ minimal, we add 0.1 to $t_k$ every time. This process ends when $\min \sum_{j=1}^{n} x_j$ and $y \ge t$ hold at the same time. Hence, the problem becomes how many times we need to add 0.1 to $t_k$ in order to get that $y \ge t$. Furthermore, it is reduced to compute the nonnegative integer solutions of the following indefinite equations: where $z_i$ $(i = 1, 2, \cdots, k)$ mean the numbers of $\Delta_i$, l is the number of 0.1 and n is the number of sub-attributes. It is not difficult to find all nonnegative integer solutions of Equation (2). This is because the first equation of Equation (2) has $C_{n+k-1}^{k-1}$ nonnegative integer solutions that can be obtained by an ergodic approach; this step is $O(n^k)$. Then, we verify these solutions to the second equation of Equation (2); this step is $O(1)$. In the end, we can get all nonnegative integer solutions of Equation (2) in $O(n^k)$.

By Corollary 1 (2), in order to obtain the largest y in the MP (1), we need to allocate $\Delta_i$ to each $x_j$ while satisfying Equation (2) according to the following principle:

P: the smaller subscript j of $x_j$, the larger $\Delta_i$.

The allocation algorithm is given in Algorithm 1. Step 2 is used to find the set of all nonnegative integer solutions of Equation (2), denoted as S, and we have obtained that Step 2 takes $O(n^k)$. Steps 8-20 are a triple nested loop, which equals allocating $\Delta_i$ to each $x_j$ while satisfying Equation (2) according to the principle P. Since the number of all nonnegative integer solutions of Equation (2) is $O(n^k)$, the number of loops in the outermost loop is $O(n^k)$. Because, for any (z the total number of loops in the second and the third layer loop is $O(n)$, Steps 6-18 are $O(n^{k+1})$. Thus, the time complexity of Algorithm 1 is $O(n^{k+1})$.
Algorithm 1 For a given positive integer l, allocating $\Delta_i$ to each $x_j$ while satisfying Equation (2) according to the principle P
The set of allocation results B
1: Initialize
Find the set of all nonnegative integer solutions of Equation (2), denote it as
$x_j = t_k + \Delta_r$;
13: j = j + 1;

Example 4. Letting $y = x_1^{0.4} x_2^{0.2} x_3^{0.19} x_4^{0.11} x_5^{0.1}$ and $x_j$ $(j = 1, \cdots, 5)$ be taken from the set A = {1, 0.9, 0.7, 0.5} and n = 5, i.e., some attributes have five sub-attributes. For a given positive integer l = 13, ∆A = {0.5, 0.4, 0.2, 0} and initially $x_j = 0.5$ $(j = 1, \cdots, 5)$. We can get the following indefinite equations: After a simple calculation, we obtain two nonnegative integer solutions: $(z_1, z_2, z_3, z_4) = (1, 2, 0, 2)$ and $(1, 0, 4, 0)$. The first solution means that we need one 0.5, two 0.4, zero 0.2 and two 0 in order to reach 1.3; the second solution has a similar meaning. According to principle P, for the first solution, we add 0.5 to $x_1$, 0.4 to $x_2$ and $x_3$, respectively, and keep $x_4$ and $x_5$ unchanged. Thus, we obtain $(x_1, x_2, x_3, x_4, x_5) = (1, 0.9, 0.9, 0.5, 0.5)$, whereas, for the second solution, we add 0.5 to $x_1$, 0.2 to $x_2$, $x_3$, $x_4$, $x_5$ and then obtain $(x_1, x_2, x_3, x_4, x_5) = (1, 0.7, 0.7, 0.7, 0.7)$.

Furthermore, we give Algorithm 2 for computing the maximal value and the optimal solution of the MP (1). For simplicity, we suppose $t_1 = 1$, which implies that MP (1) must have an optimal solution. For a given l, Step 4 of Algorithm 2 is used to call Algorithm 1 to allocate $\Delta_i$ to each $x_j$, and the set of allocation results is denoted as B. Steps 5-10 is equal to computing then the algorithm terminates, and the optimal solution and the maximal value of the MP (1) are $x_{\max}$ and $y_{\max}$, respectively.

Algorithm 2 Computing the maximal value and the optimal solution of the MP (1)
The maximal value $y_{\max}$ and the optimal solution $x_{\max}$ of the MP (1)
1: Initialize
Call Algorithm 1 to allocate $\Delta_i$ to each $x_j$ and denote the set of allocation results as B;
5: $y_{\max} = \prod_{j=1}^{n} x_j^{\alpha_j}$;
8: end if
10: end for
11: until $y_{\max} \ge t$;
12: return $x_{\max}$ and $y_{\max}$;

Because, for any nonnegative integer solution of Equation (2 Therefore, the maximum value of l is $10nk\Delta_1$ and the outermost loop of Algorithm 2 repeats up to $10nk\Delta_1$ times. Meanwhile, the time complexity of Algorithm 1 is $O(n^{k+1})$, and we can obtain that Step 4 takes $O(n^{k+1})$. Since the number of nonnegative integer solutions of Equation (2) is $O(n^k)$, the number of loops in the innermost loop is $O(n^k)$. Hence, the time complexity of Algorithm 2 is $O(k\Delta_1 n^{k+2})$.
In the next section, we will give a concrete example to state the significance of our work and show how Algorithm 1 and Algorithm 2 work.
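The following is an added example, not the paper's Algorithm 1 or 2: an exhaustive reference search over the Example 4 data that can be used to cross-check an allocation, together with a brute-force check of principle P. It assumes MP (1) means "least $\sum x_j$ with $y \ge t$, then largest y" as the prose states; the threshold t = 0.82 and all function names are assumptions.

```python
from itertools import combinations_with_replacement, permutations
from math import prod


def attribute_degree(x, alpha):
    """y = prod_j x_j ** alpha_j, the product form used in Example 4."""
    return prod(xj ** aj for xj, aj in zip(x, alpha))


def best_order(values, alpha):
    """Brute-force check of principle P: try every ordering of `values`."""
    return max(permutations(values), key=lambda p: attribute_degree(p, alpha))


def allocate(alpha, levels, t):
    """Exhaustive reference search (hypothetical helper, not Algorithm 2).

    Returns (x, y, l): the least sum of x_j with y >= t, ties broken by
    the largest y; l counts the 0.1 steps above the all-minimum start.
    Returns None when no assignment reaches t.
    """
    if any(a < b for a, b in zip(alpha, alpha[1:])):
        raise ValueError("weights must be non-increasing (Corollary 1)")
    n = len(alpha)
    ordered = sorted(levels, reverse=True)
    best = None
    # Tuples come out non-increasing, so every multiset of levels is
    # already laid out according to principle P.
    for x in combinations_with_replacement(ordered, n):
        y = attribute_degree(x, alpha)
        if y < t:
            continue
        tenths = round(sum(x) * 10)  # integer sum avoids float ties
        key = (tenths, -y)
        if best is None or key < best[0]:
            best = (key, x, y)
    if best is None:
        return None
    (tenths, _), x, y = best
    l = tenths - round(min(levels) * 10) * n
    return x, y, l


# Weights and level set from Example 4; t = 0.82 below is an assumed value.
ALPHA = (0.4, 0.2, 0.19, 0.11, 0.1)
LEVELS = (1.0, 0.9, 0.7, 0.5)

if __name__ == "__main__":
    print(best_order((0.5, 0.9, 1.0, 0.5, 0.9), ALPHA))
    print(allocate(ALPHA, LEVELS, 0.82))
```

With t = 0.82 the search stops at l = 13 and selects (1, 0.9, 0.9, 0.5, 0.5), the first of the two allocations listed in Example 4.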

An Example
The algorithms given in the last section can be used to allocate software trustworthiness to sub-attributes for any software trustworthiness measurement model based on the decompositions of trustworthy attributes, for example, the model presented in ISO/IEC 25010: 2011 [7]. As mentioned previously, we once used axiomatic approaches to measure spacecraft software trustworthiness based on the decompositions of trustworthy attributes [24]. Therefore, in this section, we take the models given in [24] as an example to demonstrate the effectiveness of the allocation algorithms for software attribute trustworthiness. We first allocate spacecraft software trustworthiness designed to reach Rank V and Rank IV to attributes with the algorithm given in [25], and then allocate spacecraft software attribute trustworthiness to sub-attributes with the algorithms presented in this paper.

Allocating Procedure
The procedure for allocating software trustworthiness to sub-attributes contains three steps as shown in Figure 3. The software trustworthiness requirements are first captured. They should include software trustworthy attribute model, trustworthiness classification model and a specified trustworthy level that the software must reach. The trustworthy attributes, trustworthy sub-attributes and their weight values in the trustworthy attribute model are definitive. Then, for the specified trustworthy level, the software trustworthiness is allocated to trustworthy attributes by using the algorithm given in [25] in Step 2. In Step 3, based on the allocation result of Step 2, the attribute trustworthiness is allocated to sub-attributes with the algorithms presented in this paper. In the end, we get an allocation result about the trustworthy degrees of the sub-attributes; meanwhile, the trustworthiness requirements are satisfied.

Spacecraft Software Trustworthy Attribute Model and Trustworthiness Classification Model
The critical attributes of spacecraft software are composed of nine attributes: (1) overall planning and implementation, (2) analysis and design, (3) test verification, (4) reliability and safety, (5) software technology status change, (6) quality problem close loop, (7) configuration management, (8) software development environment, and (9) third party evaluation situation. The weight values of these nine attributes are 0.05, 0.17, 0.20, 0.15, 0.09, 0.09, 0.11, 0.05, 0.09, as decided by the experts [24]. The trustworthy degrees of spacecraft software attributes range from 0 to 1. These nine attributes are divided into 28 sub-attributes, and the 28 sub-attributes consist of 103 metric elements. However, due to the large number of metric elements, if the method of scoring each metric element is adopted, the time cost is excessive. Therefore, we divide the sub-attribute trustworthiness into four levels: A, B, C and D. For example, software technology status change consists of three sub-attributes: (1) the basis, demonstration and approval of technical status change, (2) tests and verifications after changes, and (3) implementations after changes. The weight values of these three sub-attributes are 0.35, 0.33, 0.32. The meanings of A, B, C and D corresponding to the first sub-attribute are as follows:

A: The basis and necessity of changes are clear; there is a comprehensive analysis of change impact field and a sufficient demonstration of the changes; technology status changes are accepted by all parties and the approval of changes is complete and meets the requirements.
B: The basis of changes is clear; there is a comprehensive analysis of change impact field and a sufficient demonstration of the changes; the approval of changes is complete and meets the requirements.
C: There is a basis for the changes; technology status changes are demonstrated; the approval of changes is complete and meets the requirements.
D: There is no basis for the changes, or no demonstration of technology status changes, or the approval of changes does not meet requirements.

In order to calculate the trustworthy degrees of attributes, the trustworthy levels of sub-attributes should be converted to specific values. The relationship between the trustworthy levels of software sub-attributes and trustworthy degrees of the software sub-attributes is shown in Table 1 [24]. To help people understand the software trustworthiness better, we present the software trustworthiness classification model as shown in Table 2 [24].

The range of the trustworthy degree of software sub-attribute $x_j$: {1.0, 0.9} {1.0, 0.9, 0.7} {1.0, 0.9, 0.7, 0.2} {1.0, 0.9, 0.7, 0.2} {1.0, 0.9, 0.7, 0.2}

Allocation for Software Trustworthiness
The allocation algorithm presented in [25] is used to allocate the software trustworthiness designed to reach the Rank V and Rank IV to attributes. The allocation results are given in Table 3 [25]. The second column is the weight values of the nine attributes; the third and fourth columns are the allocation results when the software trustworthiness reaches Rank V and Rank IV.

degree to each sub-attribute directly and simplify the computation. Second, associated with the first problem and Example 2, we will study how the weight values of sub-attributes affect the trustworthy degree of some software attribute. In particular, whether we can compute the maximal value of MP (1) directly under some assignment set of $x_j$ even if there are different assignment sets of $x_j$. Third, we will extend the allocation approach given in this paper to allocate software trustworthiness based on other software trustworthiness measurement models. Finally, we will study the reallocation approach based on the allocation approach presented here.

Figure 1. Distribution of trustworthy degrees of software sub-attributes of 11 representative software programs.

Figure 2. Distribution of trustworthy degrees of software attributes of 11 representative software programs.

21: return B;
22: end if

Now, we give an example to explain Algorithm 1.
are used to distinguish the contributions of critical attributes and non-critical attributes to the software trustworthiness, which satisfy that $\alpha + \beta = 1$, $\alpha_1, \cdots, \alpha_m$ are the weight values of critical attributes and $\beta_{m+1}, \cdots, \beta_{m+1}$ express the relative importance of the non-critical attributes; 4.

Table 1. The relationship between trustworthy level of software sub-attribute and trustworthy degree of software sub-attribute.

Table 2. Software trustworthiness classification model.

Table 3. Allocation results of trustworthy level V and IV to attributes [25].