Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems
8th International Workshop on Model-based Architecting of Cyber-Physical and Embedded Systems (ACES-MB)
September 28, 2015, Ottawa, Canada
Ivan Ruchkin, Bradley Schmerl, David Garlan
Acknowledgments
● Collaborators:
— Dionisio De Niz (SEI CMU)
— Sagar Chaki (SEI CMU)
— Ashwini Rao (ISR CMU)
● Sponsors:
— NSF
— DoD
— NSA
Agenda
● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up
Driverless Cars
Image credit: telegraph.co.uk
Braking Subsystem Architecture
Analyses
Analytic Dependencies
Dependency Loop Example
Dependency Loop
Analytic Dependency Loops
● Appear in complex cyber-physical systems
● Important to address
— Currently require expensive manual effort
— May introduce subtle errors into designs
● No up-front, one-size-fits-all solution
— Diverse disciplines and combinations of analyses
— Different project scope and constraints
● Goal: develop concepts and methods for resolving such loops
Related Work
● Loops and dependencies in other contexts
— Loop invariants in programming languages [1]
— Deadlocks in dataflow systems [2]
— Dependencies in design [3]
● Model evolution
— Model transformations [4]
— Analysis contracts [5]
[1] P. Cousot and R. Cousot. Automatic synthesis of optimal invariant assertions, SIGART Bulletin 1977.
[2] Y. Zhou and E. Lee. A Causality Interface for Deadlock Analysis in Dataflow, EMSOFT 2006.
[3] A. Qamar. Model and Dependency Management in Mechatronic Design, PhD Thesis, 2013.
[4] G. Bergmann, I. Ráth, G. Varró, D. Varró. Change-driven model transformations, SoSyM 2011.
[5] I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.
Background
● Analysis contract C is a tuple (I, O, A, G):
— Inputs I
— Outputs O
— Assumptions A
— Guarantees G
● Analysis A1 depends on analysis A2 iff:
A1.I ∩ A2.O ≠ ∅
Fixpoints
● System model M is a fixpoint (FP)
— For analysis A if: A(M) = M
— For dependency loop A1..AN if: ∀i:1..N · Ai(M) = M
— “A solution to a loop”
● System model M is a candidate fixpoint (CFP)
— For analysis A if: M ⊨ A.G
— For dependency loop A1..AN if: ∀i:1..N · M ⊨ Ai.G
— “Almost a solution to a loop”
Cases of Dependency Loops
C1. Strong convergence
— FP exists, and is reachable by any sequence of analyses
C2. Weak convergence
— FP exists, and is reachable by some sequence of analyses
C3. Weak divergence
— FP exists, but is not reachable by any sequence of analyses
C4. Divergence
— FP does not exist, but CFP exists
C5. Strong divergence
— Neither FP nor CFP exists
Example: Strong & Weak Convergence
Example: Weak Divergence & Divergence
Approach
1. Use rich multi-view model
2. Find a fixpoint (or candidate)
3. Verify that a model is a fixpoint
Multi-View Architecture
Technique 1: Iterative Execution
● Execute analyses in some sequence
— Random
— Contract-guided
— Model order-guided
● Applicability: strong and weak convergence
● Pros:
— Simple, accessible
— Can verify fixpoints
● Cons:
— Computationally expensive
— Heuristic, no guarantees
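Added example (not code from the paper or its authors): the dependency test A1.I ∩ A2.O ≠ ∅, the FP and CFP checks from the Fixpoints slide, and Technique 1 as a round-robin loop, exercised on a constructed two-analysis loop (a timing analysis and a clock-selection "power" analysis of one brake-controller task; the analyses, parameter names and values are invented for illustration).

```python
from dataclasses import dataclass
from typing import Callable
Model = dict[str, float]  # a system model M: named design parameters

@dataclass(frozen=True)
class Analysis:  # analysis contract (I, O, A, G); assumptions A omitted in this toy
    name: str
    inputs: frozenset[str]                # I
    outputs: frozenset[str]               # O
    run: Callable[[Model], Model]         # the analysis itself, M -> A(M)
    guarantee: Callable[[Model], bool]    # G, checked as M ⊨ A.G

def depends_on(a1: Analysis, a2: Analysis) -> bool:
    return bool(a1.inputs & a2.outputs)   # A1 depends on A2 iff A1.I ∩ A2.O ≠ ∅

def is_fixpoint(m: Model, loop: list[Analysis]) -> bool:
    return all(a.run(m) == m for a in loop)        # FP: ∀i . Ai(M) = M

def is_candidate_fixpoint(m: Model, loop: list[Analysis]) -> bool:
    return all(a.guarantee(m) for a in loop)       # CFP: ∀i . M ⊨ Ai.G

def iterate(m: Model, sequence: list[Analysis], max_rounds: int = 20):
    """Technique 1: run the analyses in the given order, round by round, until a
    fixpoint is reached or the budget runs out. Returns (model, rounds, reached)."""
    for rnd in range(1, max_rounds + 1):
        for a in sequence:
            m = a.run(m)
        if is_fixpoint(m, sequence):
            return m, rnd, True
    return m, max_rounds, False           # heuristic: no convergence guarantee

# Constructed example: two analyses of a brake-controller task, each consuming
# the other's output (illustrative analyses, not the ones from the paper).
FREQS_MHZ = (200, 400, 800)               # clock settings the power analysis may pick
def timing(m: Model) -> Model:            # WCET in ms from cycle count and current clock
    return {**m, "wcet_ms": m["wcet_cycles"] / (m["cpu_mhz"] * 1000)}

def power(m: Model) -> Model:  # one clock step: up if deadline missed, down if half clock still fits
    i = FREQS_MHZ.index(m["cpu_mhz"])
    if m["wcet_ms"] > m["deadline_ms"] and i + 1 < len(FREQS_MHZ):
        i += 1
    elif m["wcet_ms"] * 2 <= m["deadline_ms"] and i > 0:
        i -= 1
    return {**m, "cpu_mhz": FREQS_MHZ[i]}

TIMING = Analysis("timing", frozenset({"wcet_cycles", "cpu_mhz"}), frozenset({"wcet_ms"}),
                  timing, lambda m: m["wcet_ms"] == m["wcet_cycles"] / (m["cpu_mhz"] * 1000))
POWER = Analysis("power", frozenset({"wcet_ms", "deadline_ms"}), frozenset({"cpu_mhz"}),
                 power, lambda m: m["wcet_ms"] <= m["deadline_ms"])
```

Both analysis orders drive this constructed loop to the same fixpoint (400 MHz, 0.75 ms), the strong-convergence case; `iterate` reports `reached=False` when the round budget is exhausted, which is the heuristic limitation the Cons bullet refers to.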
Technique 2: Constraint Solving
● Generate a constraint satisfaction problem
— Using architectural model and guarantees
— Does not execute analyses
● Applicability:
— Finds CFP in all cases except strong divergence
— Demonstrates absence of CFP in strong divergence
● Pros:
— Exhaustive search within bounds
● Cons:
— Results need to be verified with a different method
— Relies on model translation to a constraint language
Technique 3: Genetic Search
● Derive hybrids of models
— Crossover: M1 × M2 = { (M1 ⊕ M2) ∪ m | m ⊆ M1 ∩ M2 }
— E.g., AAB × ABB = {AB, AAB, ABB, AABB}
● Applicability:
— Find FP in convergence and weak divergence
— Find CFP in divergence
● Pros:
— Can find FPs/CFPs beyond constraint solving bounds
● Cons:
— Heuristic, no guarantees
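Added example (not the paper's code): the crossover operator above realised on models represented as multisets of elements (Python `Counter`), reproducing the AAB × ABB case, plus a minimal generation loop for Technique 3 that ranks hybrids by how many loop guarantees they satisfy and stops at the first CFP. The guarantees and seed models are constructed placeholders.

```python
from collections import Counter
from itertools import product
from typing import Callable, Iterator

def sub_multisets(ms: Counter) -> Iterator[Counter]:
    """Every m ⊆ ms: pick a count from 0..n independently for each element."""
    keys = sorted(ms)
    for counts in product(*(range(ms[k] + 1) for k in keys)):
        yield Counter({k: c for k, c in zip(keys, counts) if c})

def label(ms: Counter) -> str:
    return "".join(sorted(ms.elements()))      # canonical name, e.g. Counter("BAA") -> "AAB"

def crossover(m1: Counter, m2: Counter) -> set[str]:
    """Slide formula: M1 × M2 = { (M1 ⊕ M2) ∪ m | m ⊆ M1 ∩ M2 }, with multiset
    symmetric difference ⊕ and multiset intersection ∩ (Counter's &)."""
    sym_diff = (m1 - m2) + (m2 - m1)           # M1 ⊕ M2: elements the parents disagree on
    return {label(sym_diff + m) for m in sub_multisets(m1 & m2)}

def fitness(model: str, guarantees: list[Callable[[str], bool]]) -> int:
    """Number of loop guarantees the model satisfies; all of them means it is a CFP."""
    return sum(g(model) for g in guarantees)

def genetic_search(population: list[str], guarantees, generations: int = 5, keep: int = 4):
    """Technique 3: hybridise every pair, keep the fittest models, stop at the first CFP.
    Returns (cfp_or_None, generations_used). Heuristic: may find nothing."""
    for gen in range(1, generations + 1):
        hybrids = set(population)
        for i, p1 in enumerate(population):
            for p2 in population[i + 1:]:
                hybrids |= crossover(Counter(p1), Counter(p2))
        ranked = sorted(hybrids, key=lambda m: (-fitness(m, guarantees), m))
        if fitness(ranked[0], guarantees) == len(guarantees):
            return ranked[0], gen
        population = ranked[:keep]
    return None, generations

# Constructed guarantees standing in for two analyses' G: the design must contain at
# least two A elements and at least two B elements. Neither seed model satisfies both.
GUARANTEES = [lambda m: m.count("A") >= 2, lambda m: m.count("B") >= 2]
```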
Summary of Resolution Techniques
Techniques compared: Iterative Execution, Constraint Solving, Genetic Search (one ✓ per technique that applies)
— Find FP in strong conv.: ✓ ✓ ✓
— Verify FP in strong conv.: ✓
— Find FP in weak conv.: ✓ ✓
— Verify FP in weak conv.: ✓
— Find FP in weak div.: ✓ ✓
— Verify FP in weak div.: ✓
— Find CFP in div.: ✓ ✓
— Verify CFP in div.: ✓ ✓
— Detect absence of CFP in str. div.: ✓
Future Work
● Other techniques for loop resolution
● Connect analysis contracts to system invariants
— Discharge assumptions with invariants
— Discharge invariants with guarantees
● Experiments on realistic system models
Summary
● Analytic dependency loops occur in complex systems
— Contract specifications are insufficient to resolve them
● This paper explored resolution techniques:
— Iterative execution
— Constraint solving
— Genetic search
References
● Analysis contracts methodology:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.
● ACTIVE tool for verifying contracts:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. ACTIVE: A Tool for Integrating Analysis Contracts, AVICPS 2014.
● Security and reliability analyses:
— I. Ruchkin, A. Rao, D. De Niz, S. Chaki, D. Garlan. Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach, CPS-SPC 2015.
Q&A
● When to terminate the search?
● What views to use for constraint generation?
● What if no fixpoints/candidates are found?
— Involve humans
— Probably irreconcilable requirements
● Resolving vs. avoiding the loop?
● Automated recognition of loop cases?
● General theorems about techniques?