Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


8th International Workshop on Model-based Architecting of Cyber-Physical and Embedded Systems (ACES-MB)

September 28, 2015, Ottawa, Canada

Ivan Ruchkin, Bradley Schmerl, David Garlan

2

Acknowledgments

● Collaborators:
— Dionisio De Niz (SEI CMU)
— Sagar Chaki (SEI CMU)
— Ashwini Rao (ISR CMU)

● Sponsors:
— NSF
— DoD
— NSA

3

Agenda

● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up


5

Driverless Cars

Image credit: telegraph.co.uk

6

Braking Subsystem Architecture

7

Analyses

8

Analyses

9

Analyses

10

Analyses

11

Analytic Dependencies

12

Dependency Loop Example

13

Dependency Loop

14

Analytic Dependency Loops

● Appear in complex cyber-physical systems
● Important to address
— Currently require expensive manual effort
— May introduce subtle errors into designs
● No up-front, one-size-fits-all solution
— Diverse disciplines and combinations of analyses
— Different project scope and constraints
● Goal: develop concepts and methods for resolving such loops


16

Related Work

● Loops and dependencies in other contexts
— Loop invariants in programming languages [1]
— Deadlocks in dataflow systems [2]
— Dependencies in design [3]
● Model evolution
— Model transformations [4]
— Analysis contracts [5]

[1] P. Cousot and R. Cousot. Automatic synthesis of optimal invariant assertions, SIGART Bulletin 1977.
[2] Y. Zhou and E. Lee. A Causality Interface for Deadlock Analysis in Dataflow, EMSOFT 2006.
[3] A. Qamar. Model and Dependency Management in Mechatronic Design, PhD Thesis, 2013.
[4] G. Bergmann, I. Ráth, G. Varró, D. Varró. Change-driven model transformations, SoSyM 2011.
[5] I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.

17

Background

● Analysis contract C is a tuple (I, O, A, G):
— Inputs I
— Outputs O
— Assumptions A
— Guarantees G
● Analysis A1 depends on analysis A2 iff:
A1.I ∩ A2.O ≠ ∅
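The contract tuple and the dependency test above, encoded in Python as an added example (this is not code from the slides or from the authors' ACTIVE tool). It goes one step beyond the slide: from the pairwise test it builds the dependency graph over a set of analyses and enumerates its cycles, which are exactly the analytic dependency loops. The four braking-subsystem analyses, their port names and their assumption/guarantee text are constructed for the example.

```python
from typing import Dict, FrozenSet, List, NamedTuple


class Contract(NamedTuple):
    """Analysis contract (I, O, A, G). Assumptions and guarantees are kept as
    plain-text formulas here; only I and O are needed to find dependencies."""
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    assumptions: str
    guarantees: str


def depends(a1: Contract, a2: Contract) -> bool:
    """A1 depends on A2 iff A1.I ∩ A2.O ≠ ∅ (A1 reads something A2 writes)."""
    return bool(a1.inputs & a2.outputs)


def dependency_graph(contracts: Dict[str, Contract]) -> Dict[str, List[str]]:
    """Edge n1 -> n2 whenever analysis n1 depends on analysis n2."""
    return {
        n1: sorted(n2 for n2, c2 in contracts.items() if n1 != n2 and depends(c1, c2))
        for n1, c1 in contracts.items()
    }


def find_loops(graph: Dict[str, List[str]]) -> List[List[str]]:
    """Elementary cycles of the dependency graph; each one is an analytic
    dependency loop. A cycle is reported once, from its alphabetically first node."""
    loops: List[List[str]] = []

    def walk(start: str, node: str, path: List[str]) -> None:
        for nxt in graph[node]:
            if nxt == start:
                loops.append(path + [nxt])
            elif nxt > start and nxt not in path:
                walk(start, nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, start, [start])
    return loops


# Constructed braking-subsystem analyses (names, ports and formulas are assumptions).
BRAKING = {
    "control":    Contract(frozenset({"period"}), frozenset({"gains"}),
                           "plant model is linear", "closed loop is stable"),
    "scheduling": Contract(frozenset({"wcet"}), frozenset({"period", "schedulable"}),
                           "tasks are periodic", "wcet <= period"),
    "security":   Contract(frozenset({"period"}), frozenset({"enc_level"}),
                           "channel is CAN", "enc_level >= 1"),
    "timing":     Contract(frozenset({"enc_level"}), frozenset({"wcet"}),
                           "fixed clock", "wcet = base + cost(enc_level)"),
}

if __name__ == "__main__":
    graph = dependency_graph(BRAKING)
    for loop in find_loops(graph):
        print(" -> ".join(loop))
```

Running it reports the single loop scheduling -> timing -> security -> scheduling; the control analysis depends on scheduling but sits on no cycle, which is the distinction between a dependency and a dependency loop.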


19

Fixpoints

● System model M is a fixpoint (FP)
— For analysis A if: A(M) = M
— For dependency loop A1..AN if: ∀i:1..N · Ai(M) = M
— “A solution to a loop”
● System model M is a candidate fixpoint (CFP)
— For analysis A if: M ⊨ A.G
— For dependency loop A1..AN if: ∀i:1..N · M ⊨ Ai.G
— “Almost a solution to a loop”

20

Cases of Dependency Loops

C1. Strong convergence
— FP exists, and is reachable by any sequence of analyses

C2. Weak convergence
— FP exists, and is reachable by some sequence of analyses

C3. Weak divergence
— FP exists, but is not reachable by any sequence of analyses

C4. Divergence
— FP does not exist, but CFP exists

C5. Strong divergence
— Neither FP nor CFP exist

21

Example: Strong & Weak Convergence

22

Example: Weak Divergence & Divergence


24

Approach

1. Use rich multi-view model
2. Find a fixpoint (or candidate)
3. Verify that a model is a fixpoint

25

Multi-View Architecture

26

Technique 1: Iterative Execution

● Execute analyses in some sequence
— Random
— Contract-guided
— Model order-guided
● Applicability: strong and weak convergence
● Pros:
— Simple, accessible
— Can verify fixpoints
● Cons:
— Computationally expensive
— Heuristic, no guarantees
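An added Python example (not code from the slides or from the authors' tools) that puts the fixpoint and candidate-fixpoint definitions of the Fixpoints slide, two of the loop cases, and Technique 1 into one runnable piece. The two loops are constructed: a security analysis that picks an encryption level against a scheduling analysis that picks a task period (every order reaches an FP, though not the same one), and a DVFS-style power analysis against a timing analysis (no FP at all, but a CFP exists: case C4). All constants, port names and analysis functions are assumptions; the iteration stops when a model recurs, because deterministic analyses will then oscillate forever.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Model = Dict[str, float]


@dataclass(frozen=True)
class Analysis:
    """An analysis with its contract ports, its function A(M) and its guarantee G."""
    name: str
    inputs: frozenset
    outputs: frozenset
    run: Callable[[Model], Model]
    guarantee: Callable[[Model], bool]


def is_fixpoint(model: Model, loop: List[Analysis]) -> bool:
    """FP: every analysis in the loop maps M to itself (∀i · Ai(M) = M)."""
    return all(a.run(model) == model for a in loop)


def is_candidate_fixpoint(model: Model, loop: List[Analysis]) -> bool:
    """CFP: M satisfies every guarantee (∀i · M ⊨ Ai.G), whether or not Ai(M) = M."""
    return all(a.guarantee(model) for a in loop)


def _key(model: Model):
    return tuple(sorted(model.items()))


def iterate(model: Model, order: List[Analysis], max_rounds: int = 50) -> Tuple[Model, str]:
    """Technique 1: run the analyses cyclically in `order`. Returns (model, "fixpoint")
    on convergence, (model, "cycle") when a model recurs, or (model, "bound")."""
    seen = {_key(model)}
    for _ in range(max_rounds):
        for a in order:
            model = a.run(model)
        if is_fixpoint(model, order):
            return model, "fixpoint"
        k = _key(model)
        if k in seen:
            return model, "cycle"
        seen.add(k)
    return model, "bound"


# Constructed loop 1: encryption level vs. task period (ms); costs are assumptions.
BASE_MS, ENC_COST_MS, PERIODS_MS = 3, (0, 1, 3, 6), (5, 10, 20)


def security(m: Model) -> Model:
    # strongest encryption level whose WCET still fits the current period
    fits = [lvl for lvl, c in enumerate(ENC_COST_MS) if BASE_MS + c <= m["period_ms"]]
    return {**m, "enc": max(fits)}


def scheduling(m: Model) -> Model:
    wcet = BASE_MS + ENC_COST_MS[m["enc"]]
    return {**m, "wcet_ms": wcet, "period_ms": min(p for p in PERIODS_MS if p >= wcet)}


SECURITY = Analysis("security", frozenset({"period_ms"}), frozenset({"enc"}),
                    security, lambda m: m["enc"] >= 1)
SCHEDULING = Analysis("scheduling", frozenset({"enc"}), frozenset({"period_ms", "wcet_ms"}),
                      scheduling, lambda m: m["wcet_ms"] <= m["period_ms"])

# Constructed loop 2: a governor boosts the clock when busy; timing recomputes utilisation.
CYCLES_K, CTRL_PERIOD_MS = 400, 10   # 400 kcycles per activation, 10 ms control period


def power(m: Model) -> Model:
    return {**m, "freq_mhz": 100 if m["util"] > 0.5 else 50}


def timing(m: Model) -> Model:
    return {**m, "util": (CYCLES_K / m["freq_mhz"]) / CTRL_PERIOD_MS}  # kcycles/MHz = ms


POWER = Analysis("power", frozenset({"util"}), frozenset({"freq_mhz"}),
                 power, lambda m: m["freq_mhz"] in (50, 100))
TIMING = Analysis("timing", frozenset({"freq_mhz"}), frozenset({"util"}),
                  timing, lambda m: m["util"] <= 1.0)


def demo_convergent():
    """Both orders reach an FP, but a different one: order matters even in case C1."""
    m0 = {"enc": 0, "period_ms": 20, "wcet_ms": 3}
    return iterate(m0, [SECURITY, SCHEDULING]), iterate(m0, [SCHEDULING, SECURITY])


def demo_divergent():
    """Power/timing ping-pong: no FP exists, but the models visited are CFPs."""
    return iterate({"freq_mhz": 50, "util": 0.8}, [POWER, TIMING])


if __name__ == "__main__":
    print(demo_convergent())
    m, status = demo_divergent()
    print(status, m, "CFP:", is_candidate_fixpoint(m, [POWER, TIMING]))
```

The divergent loop is the "Cons" line in action: iteration alone cannot tell a long transient from a true oscillation, so it detects the cycle and stops without any claim about whether an FP exists elsewhere.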

27

Technique 2: Constraint Solving

● Generate a constraint satisfaction problem
— Using architectural model and guarantees
— Does not execute analyses
● Applicability:
— Finds CFP in all cases except strong divergence
— Demonstrates absence of CFP in strong divergence
● Pros:
— Exhaustive search within bounds
● Cons:
— Results need to be verified with a different method
— Relies on model translation to a constraint language

28

Technique 3: Genetic Search

● Derive hybrids of models
— Crossover: M1 × M2 = { (M1 ⊕ M2) ∪ m | m ⊆ M1 ∩ M2 }
— E.g., AAB × ABB = {AB, AAB, ABB, AABB}
● Applicability:
— Find FP in convergence and weak divergence
— Find CFP in divergence
● Pros:
— Can find FPs/CFPs beyond constraint solving bounds
● Cons:
— Heuristic, no guarantees
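The crossover from this slide implemented over multisets, as an added Python example that is not code from the slides or the authors' tools. `crossover` reproduces the AAB × ABB case and generalises it to any two models; the small elitist search around it, the component letters (A = controller replica, B = monitor) and the three guarantees are constructed to show how hybrids are used to reach a CFP, and are assumptions rather than the authors' algorithm.

```python
from collections import Counter
from itertools import combinations, product
from typing import Callable, List, Optional, Set, Tuple


def to_str(c: Counter) -> str:
    return "".join(sorted(c.elements()))


def crossover(m1: str, m2: str) -> Set[str]:
    """M1 × M2 = { (M1 ⊕ M2) ∪ m | m ⊆ M1 ∩ M2 }, multiset semantics: every hybrid
    keeps the parts the parents disagree on plus any sub-multiset of the shared part."""
    c1, c2 = Counter(m1), Counter(m2)
    common = c1 & c2                  # M1 ∩ M2: element-wise minimum
    diff = (c1 - c2) + (c2 - c1)      # M1 ⊕ M2: symmetric difference
    keys = sorted(common)
    hybrids: Set[str] = set()
    for counts in product(*(range(common[k] + 1) for k in keys)):
        m = Counter(dict(zip(keys, counts)))   # one sub-multiset of the common part
        hybrids.add(to_str(diff + m))
    return hybrids


Guarantee = Callable[[Counter], bool]


def genetic_search(population: List[str], guarantees: List[Guarantee],
                   generations: int = 10, keep: int = 8) -> Tuple[Optional[str], int]:
    """Evolve models by crossover until one satisfies every guarantee (a CFP).
    Fitness = number of satisfied guarantees; elitist selection keeps the `keep` best.
    Heuristic: returns (None, generations) when the bound is hit, proving nothing."""
    def fitness(m: str) -> int:
        return sum(1 for g in guarantees if g(Counter(m)))

    pop = set(population)
    for gen in range(generations):
        for m in sorted(pop):
            if fitness(m) == len(guarantees):
                return m, gen
        children: Set[str] = set()
        for m1, m2 in combinations(sorted(pop), 2):
            children |= crossover(m1, m2)
        pop = set(sorted(pop | children, key=lambda m: (-fitness(m), len(m), m))[:keep])
    return None, generations


# Constructed guarantees over a model made of A (controller replica) and B (monitor).
GUARANTEES: List[Guarantee] = [
    lambda c: c["A"] >= 2,             # reliability: at least two controller replicas
    lambda c: c["B"] >= c["A"],        # security: every replica has a monitor
    lambda c: sum(c.values()) <= 4,    # timing: at most four components fit the schedule
]

if __name__ == "__main__":
    print(sorted(crossover("AAB", "ABB")))        # ['AAB', 'AABB', 'AB', 'ABB']
    print(genetic_search(["A", "BBB", "AAAB"], GUARANTEES))
```

Starting from three models that each violate at least one guarantee, the search reaches AABB, the only model under these guarantees that satisfies all three, in the second generation; the result is a CFP and still has to be verified as an FP by another method, which is the slide's "no guarantees" caveat.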

29

Summary of Resolution Techniques (columns: Iterative Execution / Constraint Solving / Genetic Search)

— Find FP in strong conv.: ✓ ✓ ✓
— Verify FP in strong conv.:
— Find FP in weak conv.: ✓ ✓
— Verify FP in weak conv.:
— Find FP in weak div.: ✓ ✓
— Verify FP in weak div.:
— Find CFP in div.: ✓ ✓
— Verify CFP in div.: ✓ ✓
— Detect absence of CFP in str. div.: ✓


31

Future Work

● Other techniques for loop resolution
● Connect analysis contracts to system invariants
— Discharge assumptions with invariants
— Discharge invariants with guarantees

● Experiments on realistic system models

32

Summary

● Analytic dependency loops occur in complex systems
— Contract specifications alone are insufficient to resolve them
● This paper explored resolution techniques:
— Iterative execution
— Constraint solving
— Genetic search

33

References

● Analysis contracts methodology:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.
● ACTIVE tool for verifying contracts:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. ACTIVE: A Tool for Integrating Analysis Contracts, AVICPS 2014.
● Security and reliability analyses:
— I. Ruchkin, A. Rao, D. De Niz, S. Chaki, D. Garlan. Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach, CPS-SPC 2015.

34

Q&A

● When to terminate the search?
● What views to use for constraint generation?
● What if no fixpoints/candidates found?
— Involve humans
— Probably irreconcilable requirements
● Resolving vs. avoiding the loop?
● Automated recognition of loop cases?
● General theorems about techniques?
