The Return of Ada
- By Joab Jackson
- April 14, 2008
Last fall, contractor Lockheed Martin delivered an update to the Federal Aviation
Administration's next-generation flight data air traffic control system
-- ahead of schedule and under budget, which is something you don't
often hear about in government circles.
The project, dubbed the En Route Automation Modernization System (ERAM), involved
writing more than 1.2 million lines of code and had been labeled by the Government
Accountability Office (GAO) as a high-risk effort. The GAO worried that many
bugs in the program would appear, which would delay operations and drive up
development costs.
Although the project's success can be attributed to a lot of factors, Jeff
O'Leary, an FAA software development and acquisition manager who oversaw ERAM,
attributed at least part of it to the use of the Ada
programming language. About half the code in the system is Ada, according
to O'Leary, and it provided a controlled environment that allowed programmers
to develop secure, solid code.
Today, when most people refer to Ada, it's usually as a cautionary tale.
The Defense Department commissioned the programming language in the late 1970s.
The idea was that mandating its use across all the services would stem the
proliferation of many programming languages and an even greater number of dialects.
Despite the mandate, few programmers used Ada, and the mandate was dropped in
1997. Developers and engineers claimed it was difficult to use.
Military developers stuck with the venerable C programming language they knew
well, or they moved to the up-and-coming C++. A few years later, Java took hold,
as did Web application languages such as JavaScript.
However, Ada never vanished completely. In fact, in certain communities --
notably aviation software -- it has remained the programming language of choice.
"It's interesting that people think that Ada has gone away. In this industry,
there is a technology du jour. And people assume things disappear. But especially
in the Defense Department, nothing ever disappears," said Robert Dewar, president
of AdaCore and a
professor emeritus of computer science at New York University. Dewar has been
working with Ada since 1980.
Last fall, the faithful gathered at the annual SIGAda 2007 conference in Fairfax,
Va., where O'Leary and others spoke about Ada's promise.
This decades-old language can solve a few of today's most pressing problems
-- most notably security and reliability.
"We're seeing a resurgence of interest," Dewar said. "I
think people are beginning to realize that C++ is not the world's best
choice for critical code."
Tough Requirements
ERAM is the latest component in a multi-decade plan to upgrade the country's
air traffic control system. Not surprisingly, the system had some pretty stringent
development requirements, according to O'Leary.
The system could never lose data. It had to be fault-tolerant. It had to be
easily upgraded. It had to allow for continuous monitoring. Programs had to
be able to recover from a crash. And the code that runs the system must "be
provably and test-ably free" of errors, O'Leary said.
And such testing should reveal when errors occur and when the correct procedures
fail to occur. "If I get packet 218, but not 217, it would request 217
again," he said.
Ada can offer assistance to programmers with many of these tasks, even if it
does require more work on the part of the programmer.
"The thing people have always said about Ada is that it is hard to get
a program by the compiler, but once you did, it would always work," Dewar
said. "The compiler is checking a lot of stuff. Unlike a C program, where
the C compiler will accept pretty much anything and then you have to fight off
the bugs in the debugger, many of the problems in Ada are found by the compiler."
That stringency causes more work for programmers, but it will also make the
code more secure, Ada enthusiasts say.
When the DOD commissioned the language in 1977 from the French Bull Co., it
required that it have lots of checks to ensure the code did what the programmer
intended, and nothing more or less.
For instance, unlike many modern languages and even traditional ones such as
C and C++, Ada has a feature called strong typing. This means that for every
variable a programmer declares, he or she must also specify a range of all possible
inputs. If the range entered is 1-100, for instance, and the number 102 is entered,
then the program won't accept that data. This ensures that a malicious hacker
can't enter a long string of characters as part of a buffer overflow attack
or that a wrong value won't later crash the program.
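
The range check described above, as an added example that is not from the article or from any project it mentions: a range-constrained subtype rejects 102 and non-numeric text, and a fixed-size array refuses a write past its last slot. The names Range_Demo, Percent, Slot, Buffer, Check_Value and Copy_In and all input strings are constructed for illustration.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Range_Demo is
   --  The article's case: only 1 .. 100 is a legal value.
   subtype Percent is Integer range 1 .. 100;

   --  Fixed-size buffer; its index range is part of the type.
   subtype Slot is Positive range 1 .. 8;
   type Buffer is array (Slot) of Character;

   --  Convert untrusted text to Percent. Integer'Value raises
   --  Constraint_Error on non-numeric text; the assignment to P
   --  raises it when the number lies outside 1 .. 100.
   procedure Check_Value (Raw : String) is
      P : Percent;
   begin
      P := Integer'Value (Raw);
      Put_Line ("accepted" & Integer'Image (P));
   exception
      when Constraint_Error =>
         Put_Line ("rejected [" & Raw & "]");
   end Check_Value;

   --  Copy untrusted text into the buffer. A write to slot 9 fails
   --  the index check instead of overwriting adjacent memory.
   procedure Copy_In (Raw : String) is
      B : Buffer := (others => ' ');
      I : Natural := 0;
   begin
      for K in Raw'Range loop
         I := I + 1;
         B (I) := Raw (K);
      end loop;
      Put_Line ("copied" & Natural'Image (I) & " characters");
   exception
      when Constraint_Error =>
         Put_Line ("overlong input stopped at slot" & Natural'Image (I));
   end Copy_In;

begin
   --  Constructed inputs, standing in for untrusted data.
   Check_Value ("42");
   Check_Value ("102");
   Check_Value ("AAAAAAAAAAAAAAAA");
   Copy_In ("short");
   Copy_In ("AAAAAAAAAAAAAAAAAAAAAAAA");
end Range_Demo;
```

These are run-time checks that the compiler inserts. Building with checks suppressed (pragma Suppress, or GNAT's -gnatp switch) removes them, so a security review should confirm they are still enabled in the release build.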
Ada allows developers to prove security properties about programs. For instance,
a programmer might want to prove that a variable is not altered while it is
being used through the program. Ada is also friendly to static analysis tools.
Static analysis looks at the program flow to ensure odd things aren't taking
place -- such as making sure the program always calls a certain function with
the same number of arguments.
"There is nothing in C that stops a program from doing that," Dewar said. "In
Ada, it is impossible."
According to O'Leary, Ada was not perfect for the ERAM job. There are more
than a few things that are still needed. One is better analysis tools.
"We're not exploiting the data" to the full extent that it
could be used, he said. The component interfaces could be better. There should
also be tools for automatic code generation and better cross-language support.
Nonetheless, many observers believe the basics of Ada are in place for wider
use.
Use Cases
Who uses Ada? Not surprisingly, the DOD still uses the language, particularly
for command and control systems, according to Dewar. About half of AdaCore's
sales are to the DOD. AdaCore offers an integrated developer environment called
GnatPro, and an Ada compiler.
"There [are] tens of millions of lines of Ada in Defense programs,"
Dewar said.
NASA and avionics hardware manufacturers are also heavy users of Ada, he said.
Anything mission-critical would be suitable for Ada. For instance, embedded
systems in the Boeing 777 and 787 run Ada code. In all these cases, the component
manufacturers are "interested in highly reliable mission-critical programs.
And that is the niche that Ada has found its way into," Dewar said.
In addition to AdaCore, IBM Rational and Green Hills Software offer Ada developer
environments.
It also works well as a teaching language. The Air Force Academy found it to
be a good language that inexperienced programmers could use to build robust
programs. At the SIGAda conference, instructor Leemon Baird III showed how a
student used Ada to build an artificial-intelligence function for a computer
to play a game called Connect4 against human opponents.
"A great part of his success was due to Ada's features,"
Baird said.
Although it was only 2,000 lines, the language allowed the student to write
robust code.
"It had to be correct," he said. The code flowed easily between
Solaris and Windows, and could be run across different types of processors with
minimal porting.
Programs written in an extension of Ada, called Spark, will be used to run
the next-generation U.K. ground station air traffic control system, called Interim
Future Area Control Tools Support (IFacts). Praxis, a U.K. systems engineering
company, is providing the operating code for IFacts.
In 2002, England's busiest airport terminal, London Heathrow Airport, suffered
a software-based breakdown of its airplane routing system. Praxis is under a
lot of pressure to ensure its code is free from defects.
Praxis also used Spark for a 2006 National Security Agency-funded project,
called the Tokeneer ID Station, said Rod Chapman, an engineer at Praxis. The
idea was to create software that would meet the Common Criteria requirements
for Evaluation Assurance Level 5, a process long thought to be too challenging
for commercial software.
To do this, the software code that was generated had to have a low number of
errors. The program itself was access control software. Someone wishing to gain
entry to a secure facility and use a workstation would need the proper smart
card and provide a fingerprint. By using Spark, a static check was made of the
software before it was run, to ensure all the possible conditions led to valid
outcomes. In more than 9,939 lines of code, no defects were found after the
testing and remediation process was completed.
Although the original language leaned heavily toward strong typing and provability,
subsequent iterations have kept Ada modernized, Dewar said. Ada 95 added object-oriented
programming capabilities, and Ada 2005 tamped down on security requirements
even further. The language has also been ratified as a standard by the American
National Standards Institute and by the International Organization of Standards
(ISO/IEC 8652).
Incidentally, Ada was named for Augusta Ada King, Countess of Lovelace, daughter
of Lord Byron. In the early 19th century, she published what is considered by
most to be the world's first computer program, to be run on a prototype of a
computer designed by Charles Babbage, called the Analytical Engine. But don't
let the language's historical legacy fool you -- it might be just the thing
to answer tomorrow's security and reliability challenges.