Verifying Distributed Adaptive Real-Time (DART) Systems
Sagar Chaki, Dionisio de Niz
SEI Research Review 2016, October 2016
© 2016 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution.
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
DM-0004128
DART: Motivation

Distributed Adaptive Real-Time (DART) systems are key to many areas of DoD capability (e.g., autonomous multi-UAS missions) with civilian benefits.

However, achieving high-assurance DART software is very difficult:
• Concurrency is inherently difficult to reason about
• Uncertainty in the physical environment
• Autonomous capability leads to unpredictable behavior
• Must assure both guaranteed and probabilistic properties
• Verification results on models must be carried over to source code

High assurance is unachievable via testing or ad-hoc analysis.

Goal: Create a sound engineering approach for producing high-assurance software for Distributed Adaptive Real-Time (DART) systems.
DART Approach

Formal Description of System and Properties
1. Use DMPL (a DSL we developed) and AADL
2. Enables compositional and requirement-specific verification
3. Use proactive self-adaptation and mixed criticality to cope with uncertainty and changing context

Verification
1. ZSRM Schedulability (Timing)
2. Software Model Checking (Functional)
3. Statistical Model Checking (Probabilistic)

Code Generation: Brings Assurance to Code
1. Middleware for communication
2. Scheduler for ZSRM
3. Monitor for runtime assurance

Demonstrate on DoD-relevant model problem (DART prototype)
• Engaged stakeholders
• Technical and operational validity

https://github.com/cps-sei/dart
http://cps-sei.github.io/dart
DART research areas and team (figure reconstructed as a list)

• Architecture: Constrain the system structure and behavior to facilitate tractable analysis and code generation
• DMPL / AADL: Program DART systems and specify properties in a precise manner
• Proactive Self-Adaptation: Repeatedly compute optimal adaptation strategies with bounded lookahead
• Statistical Model Checking: Evaluate adaptation strategy quality over mission lifetime
• Middleware & Platform: MADARA → efficient distributed shared variables with data consistency and quality of service; GAMS → platform interaction
• ZSRM Scheduling: Ensures high-critical tasks meet their deadlines despite CPU overload
• Functional Verification: Parameterized verification; combine model checking and hybrid analysis to ensure end-to-end CPS correctness

Team: Sagar Chaki, Arie Gurfinkel, Dionisio de Niz, Bjorn Andersson, James Edmondson, Gabriel Moreno, Jeffery Hansen, David Kyle, Scott Hissam, Bud Hammons, Joseph Seibel
Example: Self-Adaptive and Coordinated UAS Protection

[Figure: a mission route crossing a High Hazard Area and a Low Hazard Area, with the UAS ensemble shown in Loose Formation and in Tight Formation.]

Adaptation: Formation change (loose ⇔ tight)
• Loose: fast but high leader exposure
• Tight: slow but low leader exposure

Challenge: compute the probability of reaching the end of the mission in time T while never reducing protection to less than X.
Challenge: compare between different adaptation strategies.
Solution: Statistical model checking (SMC)
DART System structure (figure reconstructed as text)

A DART System consists of Nodes. Each node can be one of several Roles:
• Leader: threads Waypoint, Collision Avoidance, Adaptation Manager; running on MADARA Middleware over the ZSRM Mixed-Criticality Scheduler and OS/Hardware
• Protector: threads Waypoint, Collision Avoidance; running on MADARA Middleware over the ZSRM Scheduler and OS/Hardware
DMPL program structure (roles and threads)

    node uav {
      local input int x,y;
      local int xp=x, yp=y;
      global lock[X][Y] = {…}
      role Leader {
        thread COLLISION_AVOIDANCE {…}
        thread WAYPOINT {…}
        thread ADAPTATION_MANAGER {…}
      }
      role Protector {
        thread COLLISION_AVOIDANCE {…}
        thread WAYPOINT {…}
      }
    }

local variables (x, y, xp, yp): shared between threads on the same node; used to communicate the next waypoint.
global variables (lock): shared between threads on different nodes; used for collision avoidance.

[Figure: the Leader role runs the Waypoint, Collision Avoidance and Adaptation Manager threads; the Protector role runs the Waypoint and Collision Avoidance threads.]
DART tool chain (figure reconstructed as text)

DMPL file + MISSION file → DMPLC Compiler → C++ file → g++ → Binary → Platform (VREP) → DART System

The MISSION file specifies: number of nodes, roles they play, initial values of input variables, mission time, …
Demo
DART tool chain with AADL front end (figure reconstructed as text)

AADL (DMPL and MISSION files expressed in AADL as a sub-language, a.k.a. “annex”) → OSATE → DMPLC Compiler → C++ file → g++ → Binary → Platform (VREP) → DART System

OSATE performs parsing, syntax checking, etc. and invokes the rest of the tool chain.
Scenarios
Stage 0: Basic 3D collision avoidance
Stage 1: Navigation of “ensemble” from Point A to Point B; assume an unobstructed path exists between Point A and Point B
Stage 2: Navigation of “ensemble” from Point A to Point B through intermediate waypoints
Stage 3: Add detection of solid objects, obstacles; navigation of “ensemble” from Point A to Point B
Stage 4: “Map” obstructions in a 3D region
Stage 5: Add ability to detect location of potential “threats” (analogous to identifying IFF transponders); “map” threats and obstructions in 3D region
Stage 6: Add mobility to “threats”; maintain overwatch of region and keep track of location of “threats” that move in the environment
Demo
Proactive Self-Adaptation (figure reconstructed as text)

[Figure: a decision tree over time steps t=0, t=1, … that alternates system transitions (non-deterministic choice between alternatives T1 and T2) and environment transitions (probabilistic, with branch probabilities p1, p2, p3); once a strategy is fixed the system's choice at each node is deterministic.]

PRISM strategy synthesis: resolves nondeterministic choices to maximize the expected value of the objective function. The first choice is independent of subsequent environment transitions.

New work: replace probabilistic model checking with dynamic programming for speed.

Gabriel A. Moreno, Javier Cámara, David Garlan, Bradley R. Schmerl: Proactive self-adaptation under uncertainty: a probabilistic model checking approach. ESEC/SIGSOFT FSE 2015: 1-12.
Gabriel A. Moreno, Javier Cámara, David Garlan, Bradley R. Schmerl: Efficient Decision-Making under Uncertainty for Proactive Self-Adaptation. Proceedings of the 13th IEEE International Conference on Autonomic Computing, 2016.
Statistical Model Checker

Inputs: DMPL program ℳ with random inputs; probabilistic property φ encoded in DMPL; target relative error RE.
Output: estimated probability that ℳ ⊨ φ, with relative error RE.

Estimate the probability for each property via “Bernoulli trials”. The number of trials depends on
• the desired “relative error” (st. dev. / mean)
• the true probability of the property
Running trials in parallel reduces the required simulation time.
• SMC Runner invokes V-REP simulation on each node.
• SMC Master collects results and determines if precision is met.
• Simulations run in “batches” to prevent simulation-time bias.
Importance sampling (focuses simulation effort on faults).

Example property in DMPL:

    node uav {
      local input int x,y;
      local int xp=x, yp=y;
      role Leader {…}
      role Protector {…}
      double coverage() {…}
      expect at_end (coverage() > 0.8);
    }
DART Distributed Statistical MC (figure reconstructed as text)

SMC Runner (one per simulation host): repeatedly runs a batch of log-gen (execute the simulation and generate a log) followed by log-analyze (evaluate the property on the log), producing Result_1 … Result_n.
SMC Master: updates the aggregate Result and the relative error RE from the batch results; if RE is not acceptable, dispatches another batch (Batch Log and Analyze); if it is, reports the Result.
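The two preceding slides describe the estimator (Bernoulli trials stopped by a relative-error target) and the master/runner loop around it. The block below is an added example, not DART's SMC Master or Runner code: the trial function is a constructed stand-in for a V-REP run (a leader crossing a few cells, exposed in each with a fixed probability, so the true probability is known and the estimate can be checked), the runner executes whole batches, and the master only counts complete batches so that stopping does not favour whichever runs finished first. The sample-size formula follows from the relative-error definition on the slide: for an estimate p̂ over n trials, RE = sqrt((1 − p̂) / (n p̂)).

```python
import math
import random

# Constructed stand-in for one V-REP mission simulation (assumption): the
# leader crosses STEPS cells and is exposed in each with probability EXPOSURE.
# The property holds if it is never exposed, so P_TRUE = (1 - EXPOSURE) ** STEPS.
STEPS, EXPOSURE = 5, 0.1
P_TRUE = (1 - EXPOSURE) ** STEPS


def mission_trial(rng):
    """One Bernoulli trial: True iff the property held in this simulated run."""
    return all(rng.random() >= EXPOSURE for _ in range(STEPS))


def relative_error(successes, n):
    """Relative error (std. dev. / mean) of the estimate p = successes / n.
    Undefined (inf) until at least one success has been observed."""
    if successes == 0:
        return math.inf
    p = successes / n
    return math.sqrt((1.0 - p) / (n * p))


def required_trials(p, target_re):
    """Trials needed to reach target_re if the true probability is p:
    sqrt((1-p)/(n p)) <= RE  <=>  n >= (1-p) / (p RE^2)."""
    return math.ceil((1.0 - p) / (p * target_re ** 2))


def run_batch(trial, size, rng):
    """SMC Runner: execute one whole batch of trials; report the success count."""
    return sum(1 for _ in range(size) if trial(rng))


def smc_estimate(trial, target_re, batch_size=50, rng=None, max_trials=200_000):
    """SMC Master: dispatch batches until the relative error meets the target
    (or the trial budget is exhausted).  Only complete batches are counted,
    so the estimate does not depend on which runs happened to finish first.
    Returns (estimate, trials_run, achieved_re)."""
    rng = rng if rng is not None else random.Random(0)
    successes = trials = 0
    re = math.inf
    while trials < max_trials and re > target_re:
        successes += run_batch(trial, batch_size, rng)
        trials += batch_size
        re = relative_error(successes, trials)
    return successes / trials, trials, re


if __name__ == "__main__":
    est, n, re = smc_estimate(mission_trial, target_re=0.05)
    print(f"P(property) ~ {est:.4f} after {n} trials (RE {re:.4f}); true {P_TRUE:.4f}")
    print("trials for RE=0.05 when p=0.3:", required_trials(0.3, 0.05),
          "when p=0.01:", required_trials(0.01, 0.05))
```

The `required_trials` numbers show the second dependency named on the slide: a property that holds with probability 0.3 needs on the order of 900 trials for 5% relative error, one that holds with probability 0.01 needs about 40,000, which is why importance sampling is worth the effort when the interesting events are the rare faults.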
Goal: Develop parallel infrastructure for SMC of DART systems
Accomplishments:
• Initial implementation with handwritten scripts for managing multiple virtual machines
• Created master-client SMC architecture with web-based control
  - Each client runs a simulation managed by the master
  - Results stored in a MySQL database
• Updated SMC code generation to the new DART/DMPL syntax
• DEMETER: more robust infrastructure using Docker

[Figure: SMC Master (Apache+PHP) with Results (MySQL); an SMC Client (Firefox) submits an SMC Job; each SMC Runner runs a Simulation inside its own Docker Container.]

David Kyle, Jeffery P. Hansen, Sagar Chaki: Statistical Model Checking of Distributed Adaptive Real-Time Software. RV 2015: 269-274.
Jeffery P. Hansen, Sagar Chaki, Scott A. Hissam, James R. Edmondson, Gabriel A. Moreno, David Kyle: Input Attribution for Statistical Model Checking Using Logistic Regression. RV 2016: 185-200.
Collaborative work with NREC
• Part of the ARL-sponsored Robotics Collaborative Technology Alliance (RCTA)
• Evaluating the quality of plans learned from verbal instructions by a robot using statistical model checking
ZSRM Scheduling

[Figure: schedules of τLC = (2,2,4,4) and τHC = (2.5,5,8,8) in Normal Mode and Critical Mode, with the Zero-Slack instant marked. Panel 1: Overload – defer low-critical. Panel 2: No overload – resume low-critical. Panel 3: When to stop low-critical tasks (zero-slack). Parallel execution → increased utilization.]

WCET may be uncertain in autonomous systems (e.g., more obstacles → larger WCET).
ZSRM: if there is no overload, all tasks meet their deadlines; if there is overload, critical tasks meet their deadlines.
How:
1. Decide when to stop low-critical tasks (the zero-slack instant Z)
2. Stop them at Z; if there is no overload, resume them
DART: requires distributed tasks.
Accomplishments: ZSRM Pipelines
• Enforcement across processors
• Higher utilization
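The two-task example on this slide can be replayed in a few dozen lines, which makes the zero-slack idea concrete: the low-critical task is allowed to run until the last instant at which the high-critical task could still absorb its overload WCET, and is suspended only from that instant on, so nothing is lost when the overload does not materialise. The block below is an added example, not the ZSRM scheduler shipped with DART; it reads the task tuples as (C_nominal, C_overload, T, D), which is an assumption, and finds the zero-slack instant by simulating the quantised schedule rather than with the analytical algorithm from the ZSRM literature.

```python
from dataclasses import dataclass

STEP = 0.5  # scheduling quantum; every task parameter here is a multiple of it


def q(x):
    """Time in task units -> integer number of quanta."""
    return int(round(x / STEP))


@dataclass(frozen=True)
class Task:
    name: str
    crit: int           # criticality level; larger is more critical
    c_nominal: float    # WCET when nothing unusual happens
    c_overload: float   # WCET under overload (e.g. many obstacles to process)
    period: float
    deadline: float


def simulate(tasks, actual, zsi, horizon):
    """Preemptive rate-monotonic schedule over [0, horizon).
    actual: name -> execution time each job really needs.
    zsi: name -> zero-slack instant (offset from release); once an unfinished
    job is past it, all lower-criticality tasks are suspended until it completes.
    Returns (schedule, responses, leftover): task run per quantum, response
    times of completed jobs (inf if a job overran into its successor's release),
    and unfinished quanta per task at the horizon."""
    rem = {t.name: 0 for t in tasks}
    rel = {t.name: 0 for t in tasks}
    responses = {t.name: [] for t in tasks}
    schedule = []
    for k in range(q(horizon)):
        for t in tasks:
            if k % q(t.period) == 0:                 # job release (here D == T)
                if rem[t.name] > 0:
                    responses[t.name].append(float("inf"))
                rem[t.name] = q(actual[t.name])
                rel[t.name] = k
        floor = max((t.crit for t in tasks
                     if t.name in zsi and rem[t.name] > 0
                     and k >= rel[t.name] + q(zsi[t.name])), default=None)
        ready = [t for t in tasks
                 if rem[t.name] > 0 and (floor is None or t.crit >= floor)]
        if not ready:
            schedule.append("idle")
            continue
        run = min(ready, key=lambda t: t.period)   # rate-monotonic priority
        rem[run.name] -= 1
        schedule.append(run.name)
        if rem[run.name] == 0:
            responses[run.name].append((k + 1 - rel[run.name]) * STEP)
    return schedule, responses, rem


def meets_deadline(task, responses, leftover):
    """True iff every job of task completed within its deadline."""
    return leftover[task.name] == 0 and all(
        r <= task.deadline for r in responses[task.name])


def zero_slack_instant(tasks, hc, horizon):
    """Latest release-relative offset Z at which suspending lower-criticality
    tasks still lets hc finish its overload WCET by its deadline, with every
    task assumed to run at its overload WCET.  Searched from the deadline down."""
    overload = {t.name: t.c_overload for t in tasks}
    for zq in range(q(hc.deadline), -1, -1):
        _, resp, left = simulate(tasks, overload, {hc.name: zq * STEP}, horizon)
        if meets_deadline(hc, resp, left):
            return zq * STEP
    return None


# Task set from the slide, read as (C_nominal, C_overload, T, D)
LC = Task("LC", crit=0, c_nominal=2.0, c_overload=2.0, period=4.0, deadline=4.0)
HC = Task("HC", crit=1, c_nominal=2.5, c_overload=5.0, period=8.0, deadline=8.0)
TASKS = (LC, HC)
HYPERPERIOD = 8.0


def outcome(actual, z):
    """Which tasks meet all deadlines for the given execution times and Z."""
    zsi = {} if z is None else {HC.name: z}
    _, resp, left = simulate(TASKS, actual, zsi, HYPERPERIOD)
    return {t.name: meets_deadline(t, resp, left) for t in TASKS}


if __name__ == "__main__":
    z = zero_slack_instant(TASKS, HC, HYPERPERIOD)
    nominal = {"LC": LC.c_nominal, "HC": HC.c_nominal}
    overload = {"LC": LC.c_overload, "HC": HC.c_overload}
    print("zero-slack instant of HC:", z)
    print("no overload, Z enforced :", outcome(nominal, z))
    print("overload, no Z          :", outcome(overload, None))
    print("overload, Z enforced    :", outcome(overload, z))
    print(" ".join(simulate(TASKS, overload, {"HC": z}, HYPERPERIOD)[0]))
```

For this task set the search returns Z = 5: under overload the low-critical task runs 2 units, then 1 unit of its second job, and is deferred while the high-critical task takes the remaining 3 units up to its deadline, which is the "2, 1 / 2, ½, 2½" timeline of the slide. Without the mode switch the high-critical task misses its deadline under overload; with nominal execution times the switch is harmless and the low-critical task resumes as soon as the high-critical job completes.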
ZSRM Directed Acyclic Graph (DAG)
• Wait for movement
• Continuous movement:
  - Start moving before the cell in front is empty
  - Send early (half out) unlock to follower
  - Verify that, if there is no uncertainty, the deadline is met
• Guarantee no crashes
  - If the drone in front delays, hard stop
  - Guarantee no crash even under uncertainty

[Figure: timelines for Leader, Follower 0 and Follower 1, each with an MV (move) and a CA (collision avoidance) thread. Per node the sequence is next() → lock() → move → done; the move thread publishes xp,yp and move=1/2/3 and signals “arrived”; LX,LY are sent with unlock() to the follower, which “waits for movement” and “waits for unlock” before moving. HARD DEADLINE: DON’T CRASH. SOFT DEADLINE: DON’T STOP FOLLOWER.]
Functional Verification (figure reconstructed as text)

Distributed Application (DMPL Program) + Safety Specification → Sequentialization (DMPLC), assuming a Synchronous Model of Computation and using Round Invariants → Single-Threaded C Program → Software Model Checking → Failure or Success

Example DMPL program with its safety specification:

    node uav {
      local input int x,y;
      local int xp=x, yp=y;
      role Leader {…}
      role Protector {…}
      forall_distinct_nodes(i1,i2)
        (x@i1 != x@i2 || y@i1 != y@i2);
      forall_nodes(i)
        (x@i == xp@i || y@i == yp@i);
    }
Bounded Model Checking can prove correct behavior up to a finite number of execution steps (e.g., rounds of synchronous computation).
Useful for finding bugs.
But incomplete: it can miss bugs if we do not check up to a sufficient depth.

Unbounded Model Checking can prove correct behavior for an arbitrary number of execution steps.
Useful for complete verification: it will never miss bugs.
But synthesizing inductive invariants can be expensive. The cost can be managed by supplying invariants manually and checking that they are inductive. We have experimented with both approaches.

Parameterized Model Checking can prove correct behavior for an arbitrary number of execution steps and an arbitrary number of nodes.
Useful for complete verification: it will never miss bugs even with a very large number of nodes.
Very hard in general, but we have developed a sound and complete procedure that works for programs written in a restricted style and for a restricted class of properties. This was sufficient to verify our collision avoidance protocol.
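The pipeline two slides up (sequentialize the distributed program under a synchronous model of computation, then model check the single-threaded result against round invariants) and the bounded-versus-unbounded discussion just above can both be illustrated on a small scale. The block below is an added example, not DMPLC output and not DART's collision-avoidance protocol: a constructed cell-locking protocol for two nodes on a 2x2 grid is executed as one sequential loop per round (every node reads the same snapshot, all writes land together), and explicit-state bounded model checking explores every sequence of input choices up to a bound. The two invariants are transcribed from the DMPL specification on the slide. The naive variant has the classic synchronous race (two nodes see a cell free in the same snapshot and both claim it), so BMC reports a counterexample at round 1; the two-phase variant publishes requests first and breaks ties by node id, and survives to the bound. A clean run to depth 4 is evidence, not a proof, which is exactly the gap the unbounded and parameterized methods on the slide are meant to close.

```python
from itertools import product

W = H = 2      # grid size (assumption); lock[X][Y] is modelled as a dict cell -> holder
FREE = -1


def neighbours(x, y):
    """Cells a node may request next: stay put, or one step along a single axis."""
    cand = [(x, y), (x - 1, y), (x + 1, y), (x, y - 1), (x, y + 1)]
    return [(a, b) for a, b in cand if 0 <= a < W and 0 <= b < H]


def naive_round(state, choices):
    """One synchronous round of the toy protocol.  Every node reads the same
    snapshot of the locks; if the cell it requested was free in the snapshot it
    claims it and moves.  Nodes are (x, y, xp, yp); locks maps cell -> node id."""
    pos, locks = state
    new_locks, new_pos = dict(locks), []
    for i, ((x, y, _, _), (xp, yp)) in enumerate(zip(pos, choices)):
        if (xp, yp) != (x, y) and locks.get((xp, yp), FREE) == FREE:
            new_locks[(xp, yp)] = i            # last writer wins: the race
            del new_locks[(x, y)]
            new_pos.append((xp, yp, xp, yp))
        else:
            new_pos.append((x, y, xp, yp))     # wait, keeping the request
    return tuple(new_pos), new_locks


def safe_round(state, choices):
    """Two-phase variant: requests (xp, yp) are published in the first half of
    the round, so in the second half a node moves only if the cell was free
    AND no lower-id node requested the same cell."""
    pos, locks = state
    new_locks, new_pos = dict(locks), []
    for i, ((x, y, _, _), (xp, yp)) in enumerate(zip(pos, choices)):
        contested = any(choices[j] == (xp, yp) for j in range(i))
        if (xp, yp) != (x, y) and locks.get((xp, yp), FREE) == FREE and not contested:
            new_locks[(xp, yp)] = i
            del new_locks[(x, y)]
            new_pos.append((xp, yp, xp, yp))
        else:
            new_pos.append((x, y, xp, yp))
    return tuple(new_pos), new_locks


# Round invariants, transcribed from the DMPL specification on the slide.
def distinct_positions(state):
    """forall_distinct_nodes(i1,i2) (x@i1 != x@i2 || y@i1 != y@i2)"""
    pos = state[0]
    return len({(x, y) for x, y, _, _ in pos}) == len(pos)


def single_axis_moves(state):
    """forall_nodes(i) (x@i == xp@i || y@i == yp@i)"""
    return all(x == xp or y == yp for x, y, xp, yp in state[0])


INVARIANTS = (distinct_positions, single_axis_moves)


def canon(state):
    """Hashable form of a state for the visited set."""
    return state[0], tuple(sorted(state[1].items()))


def bmc(init, step, invariants, bound):
    """Bounded model checking by explicit-state search: explore every sequence
    of input choices for up to `bound` rounds; return (round, state) for the
    first invariant violation, or None if none is reachable within the bound."""
    frontier, seen = [init], {canon(init)}
    for rnd in range(bound + 1):
        for st in frontier:
            if not all(inv(st) for inv in invariants):
                return rnd, st
        nxt = []
        for st in frontier:
            for choices in product(*(neighbours(x, y) for x, y, _, _ in st[0])):
                child = step(st, choices)
                key = canon(child)
                if key not in seen:
                    seen.add(key)
                    nxt.append(child)
        frontier = nxt
    return None


# Two nodes in opposite corners of the grid, each holding the lock on its own cell.
INIT = (((0, 0, 0, 0), (1, 1, 1, 1)), {(0, 0): 0, (1, 1): 1})

if __name__ == "__main__":
    print("naive protocol   :", bmc(INIT, naive_round, INVARIANTS, 3))
    print("two-phase protocol:", bmc(INIT, safe_round, INVARIANTS, 4))
```

The input nondeterminism (which cell each node requests) is enumerated exhaustively, which is what makes the result a check of every behaviour up to the bound rather than a test; the visited-set pruning is what keeps the search finite. The one-line fix in `safe_round` is only sound because the synchronous model guarantees that all requests of a round are visible before any move of that round is applied, which is the assumption DMPLC's sequentialization encodes.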
No existing tools verify (source code + hybrid automata) together.
• But each domain has its own specialized tools: software model checkers and hybrid reachability checkers
• Developing such a tool that combines the state spaces of the application A and the controller C in a brute-force way will not scale

Insight: application and controller make assumptions about each other to achieve overall safe behavior.

Approach:
• Use a “contract automaton” to express the inter-dependency between A and C
• Separately verify that A and C implement the desired behavior under the assumption that the other party does so as well
• Use an “assume-guarantee” style proof rule to show that A ∥ C ⊨ Φ

[Figure: Application and Controller interacting through Shared Variables (Cyber & Physical) and API Function Parameters.]

Stanley Bak, Sagar Chaki: Verifying Cyber-Physical Systems by Combining Software Model Checking with Hybrid Systems Reachability. International Conference on Embedded Software (EMSOFT), 2016.
Other FY16 Work: Verification of Software with Timers and Clocks (Real-Time Schedulers and Enforcers, Distributed Timed Protocols, etc.)
Future Work: Certifiable Distributed Runtime Assurance
QUESTIONS?
https://github.com/cps-sei/dart
http://cps-sei.github.io/dart
Please attend the poster session