This work is a collaboration between the Institute for Software Research and the Software Engineering Institute; the project is also known as Virtual Integration of CPS Analyses.
These slides were presented at an SSSG @ ISR.
A Framework for Contract-Based Composition of CPS Analyses
1. A Framework for Contract-Based Composition of CPS Analyses
Ivan Ruchkin
In collaboration with the SEI: Sagar Chaki, Dionisio De Niz, and Mark Klein.
ISR Software Seminar, October 14, 2013
2. Outline
● Composition of architectural analyses
  – SEI modeling ecosystem
  – Composition problem
● Framework for contract-based analysis composition
  – Analysis contracts
  – Design
  – Future work
5. AADL in One Slide
● ADL for avionics, embedded, and real-time systems.
  – Fixed architectural style.
● Modularity:
  – Types and instances.
  – Interfaces and implementations.
● Annexes
  – Language extensions for analyses.
7. Example: Security Analysis
● Goal: determine which threads can be collocated on the same processor.
● Security model:
  – a data type "security class,"
  – a thread type with a security class field.
● Analysis interface:
  – Inputs: processes, threads, and thread security levels.
  – Outputs: description of which threads cannot be collocated.
● Analysis body: the algorithm of transforming inputs into outputs.
(Figure: the security analysis drawn as a box with its inputs and outputs.)
9. Analysis Composition Problem
● Analyses have semantic interdependencies – how to not violate them?
  – E.g., scheduling needs collocation restrictions.
● Analyses rely on each other to work correctly – how to ensure correct composition?
  – E.g., frequency scaling relies on correct scheduling.
(Figure: Security analysis → Scheduling analysis → Frequency scaling analysis.)
10. Related Work
● Software verification
  – Does not address architectural analyses.
● OCL for UML & SysML
  – Does not allow verification of assumptions.
● Equation-based OO (Modelica)
  – Signal-flow equations, not discrete behavior.
● Other toolkits (VEST, …)
  – Do not allow separation of models and analyses.
12. A Framework for Contract-Based Analysis Composition
a.k.a. virtual integration for open analytic runtime models
● Framework to specify the dependencies and assumptions of analyses
● Relies on analysis contracts
● Builds on top of the AADL design environment
● Uses third-party tools to perform analyses
13. Analysis Contracts
● Inputs: what parts of the model the analysis accesses.
● Outputs: what parts of the model the analysis updates.
● Assumptions: what has to be true about the model for the analysis to be applicable.
● Guarantees: what the analysis guarantees about the model after its execution.
M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, "Resource allocation contracts for open analytic runtime models," 2011.
14. Example of Analyses
● Security (confidentiality) analysis
  – Based on security levels of threads, determine which threads can be collocated on one processor.
● Bin packing (real-time allocation) analysis
  – Allocate processes to processors.
● Frequency scaling (power efficiency) analysis
  – Minimize the processor frequency to meet the task deadlines.
● Model checking (safety) analysis
  – Assuming the threads are scheduled correctly, check if the system is safe.
15. Example of Analyses: Dependency Graph
(Figure: the four analyses as boxes with their inputs and outputs; arrows give the execution order.)
● Security analysis
  – In: processes and threads with security classes
  – Out: collocation info
● Bin packing
  – In: threads with collocation info, processes, and processors
  – Out: allocation to processors
● Frequency scaling
  – In: processes allocated to processors
  – Out: processor frequencies
● Model checking
  – In: processes allocated to processors
  – Out: deadlock safety
16. Example of Analyses: assumptions and guarantees
(Figure: the same dependency graph, each box annotated with its assumption (Pre) and guarantee (Post); arrows give the execution order.)
● Frequency scaling
  – Pre: no preemption for shorter deadlines
  – Post: true
● The remaining three boxes (Bin packing, Security analysis, Model checking) carry, in the order they appear on the slide:
  – Pre: not collocated with what is prohibited; Post: true
  – Pre: true; Post: not collocated with what is prohibited
  – Pre: deadlines are equal to periods; Post: true
17. Contracts Verification Use Cases
● Model-specific:
  – Applicability check: assumptions and guarantees satisfied by a concrete model.
● Model-independent:
  – Feasibility check: the intersection of all assumptions and guarantees should be satisfiable.
  – Implication check: guarantees might imply the assumptions.
  – Variant replacement: replacing analysis variants in existing graphs requires weaker assumptions and stronger guarantees.
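To make the contract machinery of slides 13 to 17 concrete, here is an added Python example. It is not code from the slides or from the SEI framework (which builds on the AADL design environment and third-party tools); it reimplements the ideas in miniature. Each analysis carries a contract with inputs, outputs, an assumption and a guarantee; the dependency graph and execution order are derived from the inputs and outputs alone; the composed run performs the applicability check before and the guarantee check after each analysis; and a bounded variant-replacement check compares assumptions and guarantees over sample models (the slides' model-independent checks would use a solver over all models). A plain dict stands in for an AADL instance model, the security rule, the schedulability guarantee, the first-fit packing and the sample system are all constructed for illustration, and only the "deadlines equal to periods" assumption is taken from the slides.

```python
# Added illustration of analysis contracts, not the SEI/ISR framework; all bodies and predicates are constructed.
from dataclasses import dataclass
from graphlib import TopologicalSorter
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class Analysis:
    name: str
    inputs: FrozenSet[str]              # contract: model elements the analysis reads
    outputs: FrozenSet[str]             # contract: model elements the analysis updates
    assumption: Callable[[dict], bool]  # contract: must hold before the body runs
    guarantee: Callable[[dict], bool]   # contract: must hold after the body ran
    body: Callable[[dict], None]        # the analysis proper: inputs -> outputs, in place

def dependency_graph(analyses: List[Analysis]) -> Dict[str, set]:
    """An analysis depends on every other analysis that writes one of its inputs."""
    writers: Dict[str, set] = {}
    for a in analyses:
        for elem in a.outputs:
            writers.setdefault(elem, set()).add(a.name)
    return {a.name: {w for elem in a.inputs for w in writers.get(elem, ()) if w != a.name}
            for a in analyses}

def execution_order(analyses: List[Analysis]) -> List[str]:
    """Topological order of the dependency graph; graphlib raises CycleError on a cycle."""
    return list(TopologicalSorter(dependency_graph(analyses)).static_order())

def run_composed(analyses: List[Analysis], model: dict) -> Optional[str]:
    """Applicability check before and guarantee check after each body, in dependency order.
    Returns None on success, else the first violated contract clause."""
    by_name = {a.name: a for a in analyses}
    for name in execution_order(analyses):
        a = by_name[name]
        if not a.assumption(model):
            return f"{name}: assumption does not hold on this model"
        a.body(model)
        if not a.guarantee(model):
            return f"{name}: guarantee violated after execution"
    return None

def can_replace(original: Analysis, variant: Analysis, samples: List[dict]) -> bool:
    """Variant replacement, bounded to sample models (a solver would cover all models):
    the variant assumes no more (orig.A => var.A) and guarantees no less (var.G => orig.G)."""
    return all((not original.assumption(m) or variant.assumption(m)) and
               (not variant.guarantee(m) or original.guarantee(m)) for m in samples)

def security_body(m: dict) -> None:
    # Constructed rule (not from the slides): different security classes may not share a CPU.
    th = m["threads"]
    m["prohibited"] = {frozenset(p) for p in combinations(th, 2)
                       if th[p[0]]["class"] != th[p[1]]["class"]}

def implicit_deadlines(m: dict) -> bool:
    # Assumption taken from slide 16: deadlines are equal to periods.
    return all(t["deadline"] == t["period"] for t in m["threads"].values())

def utilisation(m: dict) -> Dict[str, float]:
    th, alloc = m["threads"], m.get("allocation", {})
    return {cpu: sum(th[t]["wcet"] / th[t]["period"] for t, c in alloc.items() if c == cpu)
            for cpu in m["processors"]}

def schedulable(m: dict) -> bool:
    # Constructed guarantee: every thread placed, prohibited pairs apart, no CPU over-utilised.
    alloc = m.get("allocation", {})
    return (set(alloc) == set(m["threads"])
            and all(alloc[a] != alloc[b] for a, b in m.get("prohibited", set()))
            and all(u <= 1.0 for u in utilisation(m).values()))

def bin_packing_body(m: dict) -> None:
    # First-fit onto the first CPU with room and no prohibited partner; a thread that fits nowhere stays unplaced and trips the guarantee check.
    alloc = m["allocation"] = {}
    for t, attrs in m["threads"].items():
        for cpu in m["processors"]:
            if (utilisation(m)[cpu] + attrs["wcet"] / attrs["period"] <= 1.0 and not any(
                    frozenset((t, o)) in m["prohibited"] for o, c in alloc.items() if c == cpu)):
                alloc[t] = cpu
                break

def frequency_scaling_body(m: dict) -> None:
    # Lowest frequency (fraction of nominal) at which each processor's demand still fits.
    m["frequency"] = {cpu: round(u, 3) for cpu, u in utilisation(m).items()}

BIN_PACKING = Analysis("bin_packing", frozenset({"threads", "processors", "prohibited"}),
                       frozenset({"allocation"}), implicit_deadlines, schedulable, bin_packing_body)
ANALYSES = [  # deliberately listed out of execution order
    Analysis("frequency_scaling", frozenset({"threads", "allocation"}), frozenset({"frequency"}),
             schedulable, lambda m: all(0.0 <= f <= 1.0 for f in m["frequency"].values()),
             frequency_scaling_body),
    BIN_PACKING,
    Analysis("security", frozenset({"threads"}), frozenset({"prohibited"}),
             lambda m: True, lambda m: "prohibited" in m, security_body),
]

def sample_model(deadline_slack: int = 0, processors: int = 3) -> dict:
    # Constructed model; slack > 0 shortens deadlines below periods (breaks the assumption).
    spec = {"t1": ("secret", 10, 6), "t2": ("secret", 20, 8),
            "t3": ("public", 10, 5), "t4": ("public", 10, 7)}
    return {"processors": [f"cpu{i}" for i in range(processors)],
            "threads": {t: {"class": c, "period": p, "deadline": p - deadline_slack, "wcet": w}
                        for t, (c, p, w) in spec.items()}}
```

With the constructed model, `execution_order(ANALYSES)` yields security, bin packing, frequency scaling regardless of how the list is written, and `run_composed(ANALYSES, sample_model())` returns None with the two secret threads on cpu0 and the public ones on cpu1 and cpu2. A model with deadlines shorter than periods is rejected at bin packing's assumption before the body runs; a two-processor model passes that assumption but leaves one thread unplaced, which the guarantee check reports. This is the "correctly implemented" check the editor's notes describe, and a variant of bin packing that assumes more (e.g., at most two threads) fails `can_replace`.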
19. Future Work
● Theory:
  – Verifying formulas in different logics: FOPL & LTL
  – Looking for patterns in formulas
● Application:
  – Include other analyses, e.g., error behavior analysis
  – Include other verification engines: UPPAAL, Alloy
20. Summary
● CPS modeling requires analysis composition support.
● Analysis contracts capture semantic dependencies between analyses.
● The analysis composition framework makes it possible to create and verify AADL analyses.
21. References
● M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, "Resource allocation contracts for open analytic runtime models," in Proc. of the 9th ACM International Conference on Embedded Software, 2011.
● M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, "Open Analytic Runtime Models," in Proc. of the Workshop on Architectures for CPS, 2011.
Editor's Notes
Sequences of analyses. How to ensure they plug well together is the subject of the next slide.
Support for analysis writers: detect dependencies and verify contracts. Support for model engineers: sequentialize analyses and check applicability.
This allows one to: control the sequence of execution; check whether assumptions are met; check whether an analysis is correctly implemented by checking its guarantees.