Post on 26-Jun-2015
A Framework for Contract-Based Composition of CPS Analyses
Ivan Ruchkin
In collaboration with the SEI: Sagar Chaki, Dionisio De Niz, and Mark Klein.
ISR Software Seminar, October 14, 2013
Outline
● Composition of architectural analyses
– SEI modeling ecosystem
– Composition problem
● Framework for contract-based analysis composition
– Analysis contracts
– Design
– Future work
CPS Modeling Ecosystem
(Diagram: a cyber-physical system described by several models: a deadlock model, a control model, a physical model, and a hybrid model; the relations between the models are marked with question marks.)
AADL in One Slide
● ADL for avionics, embedded, and real-time systems.
– Fixed architectural style.
● Modularity:
– Types and instances.
– Interfaces and implementations.
● Annexes
– Language extensions for analyses.
SEI Modeling Ecosystem
(Diagram: an AADL system model extended by an error behavior model, a scheduling model, a security model, and a frequency scaling model; the analyses that consume the model are frequency scaling analysis, error analysis 1, security analysis, scheduling analysis, and error analysis 2.)
Example: Security Analysis
● Goal: determine which threads can be collocated on the same processor
● Security model:
– a data type “security class,”
– a thread type with a security class field.
● Analysis interface:
– Inputs: processes, threads, and thread security levels.
– Outputs: description of which threads cannot be collocated.
● Analysis body: the algorithm of transforming inputs into outputs.
SEI Development Ecosystem
(Diagram: the same AADL system model, extension models, and analyses as on the SEI Modeling Ecosystem slide, with the relation among the analyses marked with a question mark.)
Analysis Composition Problem
● Analyses have semantic interdependencies – how to not violate them?
– E.g., scheduling needs collocation restrictions.
● Analyses rely on each other to work correctly – how to ensure correct composition?
– E.g., frequency scaling relies on correct scheduling.
(Diagram: security analysis, scheduling analysis, and frequency scaling analysis shown as dependent analyses.)
Related Work
● Software verification
– Does not address architectural analyses.
● OCL for UML & SysML
– Does not allow verification of assumptions.
● Equation-based OO (Modelica)
– Signal-flow equations, not discrete behavior.
● Other toolkits (VEST, …)
– Do not allow separation of models and analyses.
A Framework for Contract-Based Analysis Composition
a.k.a. virtual integration for open runtime analytic models
● Framework to specify the dependencies and assumptions of analyses.
● Relies on analysis contracts.
● Builds on top of the AADL design environment.
● Uses third-party tools to perform analyses.
Analysis Contracts
● Inputs: what parts of the model the analysis accesses.
● Outputs: what parts of the model the analysis updates.
● Assumptions: what has to be true about the model for the analysis to be applicable.
● Guarantees: what the analysis guarantees about the model after its execution.
M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, “Resource allocation contracts for open analytic runtime models,” 2011.
Example of Analyses
● Security (confidentiality) analysis
– Based on security levels of threads, determine which threads can be collocated on one processor.
● Bin packing (real-time allocation) analysis
– Allocate processes to processors.
● Frequency scaling (power efficiency) analysis
– Minimize the processor frequency to meet the task deadlines.
● Model checking (safety) analysis
– Assuming the threads are scheduled correctly, check if the system is safe.
Example of Analyses: Dependency Graph
(Diagram: the four analyses with their inputs and outputs; arrows give the execution order.)
● Security analysis
– In: processes and threads with security classes.
– Out: collocation info.
● Bin packing
– In: threads with collocation info, processes, and processors.
– Out: allocation to processors.
● Frequency scaling
– In: processes allocated to processors.
– Out: processor frequencies.
● Model checking
– In: processes allocated to processors.
– Out: deadlock safety.
Example of Analyses: Assumptions and Guarantees
(Diagram: the same four analyses in execution order, each annotated with its assumption (Pre) and guarantee (Post).)
● Security analysis
– Pre: true.
– Post: not collocated with what is prohibited.
● Bin packing
– Pre: not collocated with what is prohibited.
– Post: true.
● Frequency scaling
– Pre: no preemption for shorter deadlines.
– Post: true.
● Model checking
– Pre: deadlines are equal to periods.
– Post: true.
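The contract scheme of the preceding slides (inputs, outputs, assumption, guarantee; execution order derived from the dependency graph; contracts checked when each analysis runs), as an added example that is not the framework's own code: it assumes a plain dict as the model, a constructed set of threads and processors, and its own choice of predicates (bin packing assumes the collocation info is present and guarantees that no prohibited pair shares a processor).

```python
from collections import namedtuple
# An analysis is its contract plus a body; assumption (Pre) and guarantee (Post) are predicates over the model.
Analysis = namedtuple("Analysis", "name inputs outputs body assumption guarantee",
                      defaults=(lambda m: True, lambda m: True))

def execution_order(analyses):
    """Topological order of the dependency graph: a consumer of a model part runs after its producer."""
    producer = {o: a.name for a in analyses for o in a.outputs}
    deps = {a.name: {producer[i] for i in a.inputs if i in producer} - {a.name} for a in analyses}
    order = []
    while deps:
        ready = sorted(n for n, d in deps.items() if d <= set(order))
        if not ready:
            raise ValueError("cyclic dependency among " + ", ".join(deps))
        order += ready
        for n in ready:
            del deps[n]
    return order

def run_composed(analyses, model):
    """Applicability check: stop on a violated contract instead of passing a bad model downstream."""
    by_name = {a.name: a for a in analyses}
    for a in (by_name[n] for n in execution_order(analyses)):
        if not a.assumption(model):
            raise AssertionError(f"{a.name}: assumption violated")
        a.body(model)          # the analysis is expected to touch only its declared inputs/outputs
        if not a.guarantee(model):
            raise AssertionError(f"{a.name}: guarantee violated")
    return model

# Two of the slides' analyses over a constructed model; the predicates below are this example's own.
def security_body(m):      # threads of different security class may not share a processor
    t = m["threads"]
    m["prohibited"] = {frozenset((a, b)) for a in t for b in t if a < b and t[a] != t[b]}

def bin_packing_body(m):   # first-fit allocation that honours the collocation info
    alloc = {}
    for th in sorted(m["threads"]):
        free = [p for p in m["processors"]
                if all(frozenset((th, o)) not in m["prohibited"] for o, q in alloc.items() if q == p)]
        if not free:
            raise RuntimeError(f"no processor admits {th}")
        alloc[th] = free[0]
    m["allocation"] = alloc

def no_prohibited_collocation(m):
    return all(len({m["allocation"][x] for x in pair}) == 2 for pair in m["prohibited"])

SECURITY = Analysis("security", {"threads"}, {"prohibited"}, security_body)
BIN_PACKING = Analysis("bin_packing", {"threads", "prohibited", "processors"}, {"allocation"},
                       bin_packing_body, lambda m: "prohibited" in m, no_prohibited_collocation)
```

Running bin packing alone fails its assumption (no collocation info yet), and a packing that ignores the prohibited pairs fails its guarantee, which is exactly the composition error the contracts are meant to surface.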
Contracts Verification Use Cases
● Model-specific:
– Applicability check: assumptions and guarantees satisfied by a concrete model.
● Model-independent:
– Feasibility check: the intersection of all assumptions and guarantees should be satisfiable.
– Implication check: guarantees might imply the assumptions.
– Variant replacement: replacing analysis variants in existing graphs requires weaker assumptions and stronger guarantees.
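The three model-independent checks listed above, as an added example that is not the framework's code: it stands in for the SMT solver with brute-force enumeration over a constructed space of three boolean facts about a model, and encodes the four contracts from the slide's Pre/Post wording.

```python
from itertools import product

# Constructed abstract model space: every combination of these boolean facts about a model
# (the facts are this example's own, chosen to mirror the Pre/Post wording on the slide).
FACTS = ("collocation_respected", "no_short_deadline_preemption", "deadlines_equal_periods")
MODELS = [dict(zip(FACTS, bits)) for bits in product((False, True), repeat=len(FACTS))]
TRUE = lambda m: True

# Contract = (assumption, guarantee), each a predicate over an abstract model.
CONTRACTS = {
    "security": (TRUE, lambda m: m["collocation_respected"]),
    "bin_packing": (lambda m: m["collocation_respected"], TRUE),
    "frequency_scaling": (lambda m: m["no_short_deadline_preemption"], TRUE),
    "model_checking": (lambda m: m["deadlines_equal_periods"], TRUE),
}

def implies(p, q):
    """p -> q holds in every abstract model (what a solver such as Z3 would decide symbolically)."""
    return all(q(m) for m in MODELS if p(m))

def feasible(contracts):
    """Feasibility check: some model satisfies every assumption and every guarantee at once."""
    return any(all(pre(m) and post(m) for pre, post in contracts.values()) for m in MODELS)

def implication_check(producer, consumer):
    """Implication check along a graph edge: the producer's guarantee implies the consumer's assumption."""
    return implies(producer[1], consumer[0])

def can_replace(old, new):
    """Variant replacement: the new variant assumes no more (old Pre -> new Pre)
    and guarantees no less (new Post -> old Post) than the variant it replaces."""
    return implies(old[0], new[0]) and implies(new[1], old[1])
```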
Framework Design
(Diagram of the framework's components and data flow: Eclipse/OSATE holds the analyses' contracts and source and the concrete model source; a Graph Constructor produces the graph of analyses; a DB Constructor populates a Model DB (SQL); a Logical compiler and a DB assumption checker check the contracts, using verification engines such as Z3 and Spin; an Analysis executor runs the analyses.)
Future Work
● Theory:
– Verifying formulas in different logics: FOPL & LTL.
– Looking for patterns in formulas.
● Application:
– Include other analyses, e.g., error behavior analysis.
– Include other verification engines: UPPAAL, Alloy.
Summary
● CPS modeling requires analysis composition support.
● Analysis contracts capture semantic dependencies between analyses.
● The analysis composition framework allows creating and verifying AADL analyses.
References
● M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, “Resource allocation contracts for open analytic runtime models,” in Proc. of the 9th ACM International Conference on Embedded Software, 2011.
● M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, “Open Analytic Runtime Models,” in Proc. of the Workshop on Architectures for CPS, 2011.