Security is one of the biggest problems for the IoT right now
AdaCore's Jamie Ayre talks Ada development, embedded, and the perils of the Internet of Things.
JAXenter: What are the origins of AdaCore?
Ayre: AdaCore was created approximately 20 years ago now. It was incorporated in September 1994. The company came about because of a university project to create a toolset for the Ada 95 programming language. The project itself was sponsored by the Department of Defense who stipulated the toolset should be available as freely as possible to as many people as possible.
It didn’t stipulate open source or free software. That’s what we came up with as a distribution license, so that people could access the technology, download it from the web, basically play with it and discover the technology without having to pay a fee. From the beginning of our company we’ve always had what we call the public version.
Alongside that we have a professional toolset, which comes with support, a certain type of license, and it’s tested nightly through a test suite. It’s basically the version that our industrial developers, the Ada programmers use.
And what about the origins of Ada? It’s a very old language compared to Java, C++ and so on, right?
In the seventies, the Department of Defense in the US looked at its legacy systems. It turned out it had something like 200 programming languages or subsets of programming languages which were being used in its systems – a nightmare from a maintainability point of view. They decided to find a programming language that would fulfil all the requirements they needed. They did a straw man competition, and there were three proposals for programming languages. The green proposal won. It was led by a Frenchman, Jean Ichbiah, who unfortunately passed away a couple of years ago. And it became Ada.
There wasn’t a big compiler market, so unfortunately you had two or three companies who pretty much milked the situation. The Department of Defense went to see a professor at NYU. They said to him: The compiler you will build – we want it available to as many people as possible, because we want people to use Ada. Hence that compiler was built.
What happened next?
Since then Ada has gone on to become an ISO-standardized language. Roughly every five to ten years they release a new version of the language. Ada is not an easy language to program in because it will push problems in your program up before compile time. But of course in serious software development, that’s when you want to know about the issues, the bugs. If you discover them at runtime, it’s very expensive to fix them.
From the beginning Ada has been a language that’s particularly suitable for systems where a certain level of reliability is absolutely necessary, something in mission-critical, safety-critical and security-critical systems. So you find a lot of Ada in planes, in trains. It’s also very readable, so if you look at some code that was written 15 or 20 years ago, you will understand what the developer was trying to do.
How big is the Ada community?
Difficult question. AdaCore currently has over 450 active customer accounts. To go to the other end of the spectrum, there are nearly two thousand in the LinkedIn Ada programming group. It’s certainly a niche language, it’s not C, it’s not Java.
How has Ada benefitted from the open source model?
What’s been really interesting from a free software point of view is to see how the use of the technology has grown through an open source software business model. By that I mean the fact that our technology is available for download, for people to try out, play with, to contribute to, to patch – all the usual open-software, open-source elements.
We’ve saved millions and millions of dollars on marketing, as you can imagine. Quite honestly, without the Open Source nature of these toolsets, the Ada programming language wouldn’t be as popular as it is today. We’ve been involved a long time with the GCC community, so all the sources that we build are forked once a year when we release our public version. Nearly all the technology we build is fed back into the community.
We have of course benefitted enormously from the GCC community because there are lots of features that somebody else has built for other language compilers that we can take and use for Ada. So it’s a really solid kind of technology for our industrial uses.
What about modularity? Is that provided?
Yes. And there are lots of other qualities. We were seeing some really interesting features being introduced in Ada 2012. Especially contract-based-programming, that’s very nice.
How big is AdaCore today?
We’re about 80 people worldwide now, and we have a turnover of between 15 and 20 Million Dollars. I think we’re probably one of the oldest companies in Europe that from the outset, 20 years ago, have had a free software business model. And I’m not sure there are many other companies that have that kind of pedigree.
Was that your plan when you started out, or did it just evolve naturally?
I think we were really lucky because the founders of the company, who are still with the company, thought long and hard about what was the best way to make sure they fulfilled the Department of Defence’s requirement of making the technology as available as possible.
They also then thought long and hard about how to make money from this. In fact it’s very positive for the community because what we sell is a yearly subscription. So at any point, any of our customers can turn around and say: “Stop”. Our technology is a GPL-license, there are no locks in our technology, so anybody could say: “I’m not paying that subscription anymore but I’m going to keep the industrial version of your technology and not pay you one cent more”. So we must be very innovative in how we do business.
We’ve based that on several things: Firstly, there’s an exceptional support system. The kind of programs that these people are building, that our customers are building, and the kind of programs the Ada language is used in are usually quite long-lived: military, aerospace, satellite systems, railway systems – systems that need a certain amount of reliability but also have a certain longevity. And what these guys see is this: By purchasing our yearly support packages they are getting a kind of insurance. If something goes wrong, they can turn around to AdaCore and say “Help me!” and we will say: “Most definitely.”
The other thing is that it’s forced us to be very innovative. We can’t just sit back and say “Right, there you go. There’s the technology, we’ll sit back now for five years and not do a thing.” We know very well that firstly there’s no incentive for the customer to continue subscribing to get the updates for the technology. Secondly people can build the sources – if they so wished – from the GCC tree and add any features that the AdaCore-technology doesn’t have, thus making it more attractive to customers. So what we’ve done is continue to innovate. We add huge amounts of new features each year trying to push customers to renew the yearly subscriptions.
Do you have any serious competitors in Ada?
I would say, one of our biggest competitors is our own public version [laughs]. In the Ada market there are probably three or four players that provide Ada solutions. Our biggest competitors are other programming languages, so C, C++ and stuff like that.
It surprises me that I’ve never come across Ada. Lots of talk about C, C++, Java and so on, but not about Ada.
No, especially at this conference, a lot of people have a C or C++ solution. But what we’re starting to see, and this is interesting for AdaCore, because obviously we do a lot of language promotion: More and more customers are coming from non-traditional market sectors. Software is becoming really, really important in a lot of embedded systems.
It’s eating the world, as people say…
… and this is the Internet of Things. But not only is it becoming more and more important: it has to work. In the past, if your cell phone failed, you just opened it up, rubbed the battery, put it back in and started it up again. But when a cell phone is used to call an ambulance or to manage your bank account, or a cell phone is used to direct somebody, the software that does that has to work.
A couple of years ago a guy stopped by [at embedded world]. He built systems for automated processing in a milk plant. He told us: “If our system fails, it may be that one of the bottles falls off the system. If that happens and milk gets spilled, certain sections of the plant have to get shut down for a week and get cleaned. That’s a million Euro exercise.”
We’re seeing more and more business in industrial automation. Customers coming to us because they need that reliability. One of our oldest customers has a massive real time system in a trading room algorithm. Of course if that fails, nobody dies, but they will lose massive amounts of money.
What about Ada’s interoperability with other languages?
We know full well that in a lot of the systems in which Ada is used a large part of it won’t be Ada. It’s just the critical parts of it. To give you a concrete example, when you’re on a flight over to New York and the video screen freezes, it’s probably because it’s built in Java!
What I’m saying is: Ada works very well in multilingual situations. We know there are certain parts, perhaps less critical, that don’t require the same kind of reliability that Ada offers and can be written in other languages. We actually have a tool where you can interface Ada and Java.
Very cool. What are the biggest challenges for the Internet of Things right now?
I think one of the biggest challenges is security. A lot of systems that are going to be part of the Internet of Things are not up to scratch in terms of reliability, safety and security. This is my biggest fear. In many industries software can do incredible things. But when you sit down and think about it, do you really want that? And how do you prove that the software is going to do what it says it’s going to do? For example, one of those industries is the drone industry. We can see the benefits, and I’m not just talking about the big military ones, but also about the Amazon ones. They can bring a lot of good, but the problem is that these systems are flying in public airspaces, which not only means they can fall out of the sky and hit people, but they can also hit other things that are flying in these public airspaces and if the software is not up to scratch or at least of a certain quality it can get pretty scary.
Is that something that can be addressed by standards or certificates or do you think every vendor has to have his own answers to that?
I don’t know the answer to that. What I will say is that if you look at some of the industries where standards are required, where certification is required, there’s some pretty safe software there. If you look at the civil avionics industry, I still don’t believe there has been one loss of life due to a software failure. There have been software problems, don’t get me wrong, but there has never been a loss of life and that’s thanks in part to the very strict nature of the DO-178C civil avionics software guidelines. It’s no coincidence that in the rail industry there’s a lot of formal verification. These systems have to work, and we’ve seen the catastrophic results that can come about because of a system failure. As we move forward, we’re going to see more and more autonomy given to the system and taken away from the individual.
If you look at the automotive industry, there’s these fantastic adverts of self-parking cars. When I see that, I immediately think to myself: But what happens if a young child jumps out behind them? Has this system been tested for that? Undoubtedly, I hope so, but is there a certification to prove that at least the software has been tested to a certain level and will do what it is supposed to do in certain situations?
Is the Open Source model reconcilable with those security requirements?
Obviously we’ve worked on a lot of certified projects, and we’re seeing the evolution of the Open Source community. As a company we believe that for certain software developments the open source community should be very strongly considered, if not mandated. For various reasons. We’ve been involved with research projects with large civil avionic primes. These guys have benefitted from the mutualisation of effort in building certain tools. They got involved in a research project, in a community that is interested in building open source solutions. Of course their competitors join in, smaller companies like AdaCore join in, but it’s the overall outcome of the community that benefits every member of the community. You have seen what GCC has been for a lot of companies, and I honestly believe in the future this is going to help a lot of the guys that are building safe and secure systems.
To get safety certification, you often have to take an instance of your software and say: At this instance I can guarantee that the software will do what it is supposed to do. I’ve done tests to prove that this is the case. So what happens two years down the line when you want to change your platform, when you want to change your processes? Are there not certain elements, if open source, with which it’s easier to integrate hardware and still maintain the certification of the whole system? We believe yes. It’s what’s called the “big freeze”.
The second issue is security. We’ve always believed that many eyes can see more flaws. For example, if in some systems the source code was made available, many people could see where the potential places of security-breach are. A great example is the voting machine scandal in Florida. Nobody has any idea what happened, because the software was proprietary, so you can’t go in there and see and say: people can breach the software here.
We’re starting to see an adoption of the industrial customers that is economically viable for them because it allows them to really focus on what their core job is.