Page 1

Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems

8th International Workshop on Model-based Architecting of Cyber-Physical and Embedded Systems (ACES-MB)

September 28, 2015, Ottawa, Canada

Ivan Ruchkin, Bradley Schmerl, David Garlan

Page 2

Acknowledgments

● Collaborators:
— Dionisio De Niz (SEI CMU)
— Sagar Chaki (SEI CMU)
— Ashwini Rao (ISR CMU)

● Sponsors:
— NSF
— DoD
— NSA

Page 3

Agenda

● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

Page 4

Agenda (section: Dependency loops in cyber-physical systems)

Page 5

Driverless Cars

Image credit: telegraph.co.uk

Page 6

Braking Subsystem Architecture

Page 7

Analyses

Page 8

Analyses

Page 9

Analyses

Page 10

Analyses

Page 11

Analytic Dependencies

Page 12

Dependency Loop Example

Page 13

Dependency Loop

Page 14

Analytic Dependency Loops

● Appear in complex cyber-physical systems
● Important to address
— Currently require expensive manual effort
— May introduce subtle errors into designs
● No up-front, one-size-fits-all solution
— Diverse disciplines and combinations of analyses
— Different project scope and constraints
● Goal: develop concepts and methods for resolving such loops

Page 15

Agenda (section: Related work and background)

Page 16

Related Work

● Loops and dependencies in other contexts
— Loop invariants in programming languages [1]
— Deadlocks in dataflow systems [2]
— Dependencies in design [3]
● Model evolution
— Model transformations [4]
— Analysis contracts [5]

[1] P. Cousot and R. Cousot. Automatic synthesis of optimal invariant assertions, SIGART Bulletin 1977.
[2] Y. Zhou and E. Lee. A Causality Interface for Deadlock Analysis in Dataflow, EMSOFT 2006.
[3] A. Qamar. Model and Dependency Management in Mechatronic Design, PhD Thesis, 2013.
[4] G. Bergmann, I. Ráth, G. Varró, D. Varró. Change-driven model transformations, SoSyM 2011.
[5] I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.

Page 17

Background

● Analysis contract C is a tuple (I, O, A, G):
— Inputs I
— Outputs O
— Assumptions A
— Guarantees G

● Analysis A1 depends on analysis A2 iff:

A1.I ∩ A2.O ≠ ∅

Page 18

Agenda (section: Fixpoints and cases of loops)

Page 19

Fixpoints

● System model M is a fixpoint (FP)
— For analysis A if: A(M) = M
— For dependency loop A1..AN if: ∀i:1..N · Ai(M) = M
— "A solution to a loop"

● System model M is a candidate fixpoint (CFP)
— For analysis A if: M ⊨ A.G
— For dependency loop A1..AN if: ∀i:1..N · M ⊨ Ai.G
— "Almost a solution to a loop"

Page 20

Cases of Dependency Loops

C1. Strong convergence
— FP exists, and is reachable by any sequence of analyses

C2. Weak convergence
— FP exists, and is reachable by some sequence of analyses

C3. Weak divergence
— FP exists, but is not reachable by any sequence of analyses

C4. Divergence
— FP does not exist, but CFP exists

C5. Strong divergence
— Neither FP nor CFP exists

Page 21

Example: Strong & Weak Convergence

Page 22

Example: Weak Divergence & Divergence

Page 23

Agenda (section: Resolution techniques)

Page 24

Approach

1. Use rich multi-view model
2. Find a fixpoint (or candidate)
3. Verify that a model is a fixpoint

Page 25

Multi-View Architecture

Page 26

Technique 1: Iterative Execution

● Execute analyses in some sequence
— Random
— Contract-guided
— Model order-guided
● Applicability: strong and weak convergence
● Pros:
— Simple, accessible
— Can verify fixpoints
● Cons:
— Computationally expensive
— Heuristic, no guarantees
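The contract and dependency definitions of page 17, the FP/CFP definitions of page 19 and the iterative execution of this page, as an added Python example that is not the ACTIVE tool or the authors' code. Both loops are constructed for illustration: a key-size analysis, a crypto-cost analysis and a timing analysis on a control task that converge, and a power/load pair whose guarantees contradict each other, so that neither a FP nor a CFP exists (strong divergence). Their attribute names and formulas are assumptions, not taken from the deck.

```python
"""Analysis contracts, dependency loops, fixpoints and iterative execution.

Added example, not the ACTIVE tool or the authors' code. The two loops
(key size <-> timing, and power <-> load) and their guarantees are constructed.
"""
from typing import Callable, Dict, List, NamedTuple, Set, Tuple

Model = Dict[str, int]  # architectural model: attribute name -> value


class Contract(NamedTuple):
    """Analysis contract (I, O, A, G) together with the analysis itself.
    Assumptions A are left out; the guarantee G is a predicate on the model."""
    name: str
    inputs: Set[str]
    outputs: Set[str]
    guarantee: Callable[[Model], bool]
    run: Callable[[Model], Model]  # reads its inputs, rewrites its outputs


def depends_on(a1: Contract, a2: Contract) -> bool:
    """A1 depends on A2 iff A1.I ∩ A2.O ≠ ∅."""
    return bool(a1.inputs & a2.outputs)


def dependency_loops(analyses: List[Contract]) -> List[List[str]]:
    """Simple cycles of the dependency graph; each cycle is an analytic dependency loop."""
    graph = {a.name: [b.name for b in analyses if b is not a and depends_on(a, b)]
             for a in analyses}
    found: Dict[frozenset, List[str]] = {}

    def walk(start: str, node: str, path: List[str]) -> None:
        for nxt in graph[node]:
            if nxt == start:
                found.setdefault(frozenset(path), path)  # same cycle, any rotation
            elif nxt not in path:
                walk(start, nxt, path + [nxt])

    for name in graph:
        walk(name, name, [name])
    return sorted(found.values())


def is_fixpoint(model: Model, loop: List[Contract]) -> bool:
    """FP: every analysis in the loop maps M to itself, A_i(M) = M."""
    return all(a.run(model) == model for a in loop)


def is_candidate_fixpoint(model: Model, loop: List[Contract]) -> bool:
    """CFP: M ⊨ A_i.G for every analysis, whether or not A_i(M) = M."""
    return all(a.guarantee(model) for a in loop)


def iterate(model: Model, sequence: List[Contract],
            max_passes: int = 50) -> Tuple[str, Model]:
    """Technique 1: execute the analyses in `sequence`, pass after pass.
    Returns 'fixpoint' when a full pass leaves M unchanged, 'oscillates' when a
    model recurs (this sequence will never reach a FP), or 'bound' when the
    pass budget runs out (the termination question from the Q&A page)."""
    seen = {tuple(sorted(model.items()))}
    for _ in range(max_passes):
        before = dict(model)
        for a in sequence:
            model = a.run(model)
        if model == before:
            return "fixpoint", model
        key = tuple(sorted(model.items()))
        if key in seen:
            return "oscillates", model
        seen.add(key)
    return "bound", model


# Constructed loop 1: key size -> crypto cost -> task period -> key size (converges).
CRYPTO = Contract("crypto", {"key_bits"}, {"crypto_ms"},
                  lambda m: m["crypto_ms"] >= m["key_bits"] // 64,
                  lambda m: {**m, "crypto_ms": m["key_bits"] // 64})
TIMING = Contract("timing", {"crypto_ms"}, {"period_ms"},
                  lambda m: m["period_ms"] >= 10 + 2 * m["crypto_ms"],
                  lambda m: {**m, "period_ms": 10 + 2 * m["crypto_ms"]})
KEYSIZE = Contract("keysize", {"period_ms"}, {"key_bits"},
                   lambda m: m["key_bits"] <= 64 * (m["period_ms"] // 10),
                   lambda m: {**m, "key_bits": min(256, 64 * (m["period_ms"] // 10))})
LOOP1 = [CRYPTO, TIMING, KEYSIZE]

# Constructed loop 2: each analysis undoes the other's choice. The guarantees
# contradict each other, so no model is a CFP, let alone a FP (strong divergence).
POWER = Contract("power", {"load"}, {"voltage"},
                 lambda m: m["voltage"] == (5 if m["load"] > 50 else 3),
                 lambda m: {**m, "voltage": 5 if m["load"] > 50 else 3})
LOAD = Contract("load", {"voltage"}, {"load"},
                lambda m: m["load"] == (80 if m["voltage"] == 3 else 20),
                lambda m: {**m, "load": 80 if m["voltage"] == 3 else 20})
LOOP2 = [POWER, LOAD]

if __name__ == "__main__":
    print(dependency_loops(LOOP1 + LOOP2))
    print(iterate({"key_bits": 256, "crypto_ms": 0, "period_ms": 0}, LOOP1))
    print(iterate({"voltage": 3, "load": 0}, LOOP2))
```

The recurrence check is what makes the search terminate on loop 2: without it the two analyses would flip the model between two states until the pass budget is spent, and a bound alone cannot tell an oscillation from a slowly converging loop.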

Page 27

Technique 2: Constraint Solving

● Generate a constraint satisfaction problem
— Using architectural model and guarantees
— Does not execute analyses
● Applicability:
— Finds CFP in all cases except strong divergence
— Demonstrates absence of CFP in strong divergence
● Pros:
— Exhaustive search within bounds
● Cons:
— Results need to be verified with a different method
— Relies on model translation to a constraint language
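The constraint-solving technique of this page as an added Python example, not the authors' tooling. The deck translates the model and the guarantees into a constraint language for a solver; here the same bounded, exhaustive search is done by enumerating small integer domains so it runs without a solver. The guarantees, the analyses used for the verification step and the domain bounds are constructed.

```python
"""Technique 2: candidate fixpoints by constraint solving over bounded domains.

Added example, not the authors' tooling: exhaustive enumeration stands in for
the constraint solver. Guarantees, analyses and domains are constructed.
"""
from itertools import product
from typing import Callable, Dict, Iterable, List, Tuple

Model = Dict[str, int]
Predicate = Callable[[Model], bool]
Analysis = Callable[[Model], Model]


def candidate_fixpoints(domains: Dict[str, Iterable[int]],
                        guarantees: List[Predicate]) -> List[Model]:
    """All models within the bounds with M ⊨ G for every guarantee G.
    No analysis is executed: a hit is a CFP, and an empty result shows that no
    CFP exists within the bounds (the strong-divergence check)."""
    names = list(domains)
    hits = []
    for values in product(*(list(domains[n]) for n in names)):
        m = dict(zip(names, values))
        if all(g(m) for g in guarantees):
            hits.append(m)
    return hits


def verify_fixpoint(model: Model, analyses: List[Analysis]) -> bool:
    """The 'different method' the page asks for: run every analysis on a solver
    hit and keep it only if the model is left unchanged (a FP, not just a CFP)."""
    return all(a(model) == model for a in analyses)


def solve(domains: Dict[str, Iterable[int]], guarantees: List[Predicate],
          analyses: List[Analysis]) -> Tuple[List[Model], List[Model]]:
    """Solver pass followed by verification: (all CFPs in bounds, verified FPs)."""
    cfps = candidate_fixpoints(domains, guarantees)
    return cfps, [m for m in cfps if verify_fixpoint(m, analyses)]


# Constructed loop: key size -> crypto cost -> task period -> key size.
# The guarantees are inequalities, so many models satisfy them (CFPs) while
# only one is left unchanged by the analyses themselves (the FP).
LOOP_GUARANTEES: List[Predicate] = [
    lambda m: m["crypto_ms"] >= m["key_bits"] // 64,         # crypto analysis G
    lambda m: m["period_ms"] >= 10 + 2 * m["crypto_ms"],     # timing analysis G
    lambda m: m["key_bits"] <= 64 * (m["period_ms"] // 10),  # key-size analysis G
]
LOOP_ANALYSES: List[Analysis] = [
    lambda m: {**m, "crypto_ms": m["key_bits"] // 64},
    lambda m: {**m, "period_ms": 10 + 2 * m["crypto_ms"]},
    lambda m: {**m, "key_bits": min(256, 64 * (m["period_ms"] // 10))},
]
LOOP_DOMAINS = {"key_bits": (64, 128, 192, 256),
                "crypto_ms": range(0, 5),
                "period_ms": range(10, 21, 2)}

# Constructed strongly divergent pair: the two guarantees contradict each other,
# so the bounded search comes back empty.
DIV_GUARANTEES: List[Predicate] = [
    lambda m: m["voltage"] == (5 if m["load"] > 50 else 3),
    lambda m: m["load"] == (80 if m["voltage"] == 3 else 20),
]
DIV_DOMAINS = {"voltage": (3, 4, 5), "load": (20, 50, 80)}

if __name__ == "__main__":
    cfps, fps = solve(LOOP_DOMAINS, LOOP_GUARANTEES, LOOP_ANALYSES)
    print(len(cfps), "candidate fixpoints, verified fixpoints:", fps)
    print("CFPs of the divergent pair:", candidate_fixpoints(DIV_DOMAINS, DIV_GUARANTEES))
```

The gap between `cfps` and `fps` is the reason the page lists "results need to be verified with a different method" as a con: a guarantee such as `period_ms >= 10 + 2 * crypto_ms` admits every over-provisioned period, but the timing analysis itself picks exactly one, so most solver hits are candidates that an analysis run would immediately move away from.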

Page 28

Technique 3: Genetic Search

● Derive hybrids of models
— Crossover: M1 × M2 = { (M1 ⊕ M2) ∪ m | m ⊆ M1 ∩ M2 }
— E.g., AAB × ABB = {AB, AAB, ABB, AABB}
● Applicability:
— Find FP in convergence and weak divergence
— Find CFP in divergence
● Pros:
— Can find FPs/CFPs beyond constraint solving bounds
● Cons:
— Heuristic, no guarantees
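The crossover operator of this page, with a small search loop around it, as an added Python example that is not the authors' implementation. A model is treated as a multiset of elements (AAB is {A, A, B}); ∪ in the crossover formula is read as multiset sum, which is the reading under which the page's AAB × ABB example comes out. The guarantees used as the fitness function and the population are constructed.

```python
"""Technique 3: crossover of models as multisets, and a small genetic search.

Added example, not the authors' implementation. Guarantees and the search
loop are constructed; only the crossover formula and its example are from the page.
"""
from collections import Counter
from itertools import combinations, product
from typing import Callable, Iterator, List, Optional, Set

Model = Counter  # element -> multiplicity
Guarantee = Callable[[Model], bool]


def parse(s: str) -> Model:
    return Counter(s)


def show(m: Model) -> str:
    return "".join(sorted(m.elements()))


def sub_multisets(m: Model) -> Iterator[Model]:
    """Every m' ⊆ m: each element taken 0..count times."""
    keys = sorted(m)
    for counts in product(*(range(m[k] + 1) for k in keys)):
        yield Counter({k: c for k, c in zip(keys, counts) if c})


def crossover(m1: Model, m2: Model) -> Set[str]:
    """M1 × M2 = { (M1 ⊕ M2) ∪ m | m ⊆ M1 ∩ M2 }: keep the elements on which the
    parents differ and add any sub-multiset of the elements they share."""
    differ = (m1 - m2) + (m2 - m1)  # multiset symmetric difference
    shared = m1 & m2                # multiset intersection (minimum counts)
    return {show(differ + m) for m in sub_multisets(shared)}


def genetic_search(population: List[str], guarantees: List[Guarantee],
                   generations: int = 10, keep: int = 6) -> Optional[str]:
    """Breed every pair, keep the `keep` fittest models, stop at a model that
    satisfies all guarantees (a CFP). Heuristic: returns None when the budget
    runs out, with no guarantee that a CFP would have been found later."""
    fitness = lambda m: sum(g(m) for g in guarantees)
    pop = [parse(s) for s in population]
    for _ in range(generations):
        for m in pop:
            if fitness(m) == len(guarantees):
                return show(m)
        children = [parse(c) for a, b in combinations(pop, 2) for c in crossover(a, b)]
        pop = sorted(pop + children, key=fitness, reverse=True)[:keep]
    return None


# Constructed guarantees over component multiplicities.
GUARANTEES: List[Guarantee] = [
    lambda m: m["A"] >= 2,           # at least two A components
    lambda m: m["B"] == 1,           # exactly one B component
    lambda m: sum(m.values()) <= 3,  # at most three components in total
]

if __name__ == "__main__":
    print(sorted(crossover(parse("AAB"), parse("ABB"))))
    print(genetic_search(["AB", "BBB", "AAAA"], GUARANTEES))
```

With the constructed population none of the starting models satisfies all three guarantees, and AAB, the only model that does, is not in the page's AAB × ABB example either; it is bred in the second generation from AB and AAAB, which is the "beyond constraint solving bounds" property of the page in miniature: the search never enumerates a domain, it only recombines what it has.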

Page 29

Summary of Resolution Techniques

Case                               | Iterative Execution | Constraint Solving | Genetic Search
-----------------------------------|---------------------|--------------------|---------------
Find FP in strong conv.            | ✓                   | ✓                  | ✓
Verify FP in strong conv.          | ✓                   |                    |
Find FP in weak conv.              | ✓                   |                    | ✓
Verify FP in weak conv.            | ✓                   |                    |
Find FP in weak div.               |                     | ✓                  | ✓
Verify FP in weak div.             | ✓                   |                    |
Find CFP in div.                   |                     | ✓                  | ✓
Verify CFP in div.                 | ✓                   |                    | ✓
Detect absence of CFP in str. div. |                     | ✓                  |

(Column placement of the marks follows the applicability and pros/cons on pages 26-28: iterative execution applies to the convergence cases and can verify fixpoints, constraint solving finds CFPs in every case except strong divergence and needs a separate verification step, genetic search finds FPs in convergence and weak divergence and CFPs in divergence.)

Page 30

Agenda (section: Wrap-up)

Page 31

Future Work

● Other techniques for loop resolution
● Connect analysis contracts to system invariants
— Discharge assumptions with invariants
— Discharge invariants with guarantees
● Experiments on realistic system models

Page 32

Summary

● Analytic dependency loops occur in complex systems
— Contract specifications alone are insufficient to resolve them
● This paper explored resolution techniques:
— Iterative execution
— Constraint solving
— Genetic search

Page 33

References

● Analysis contracts methodology:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.
● ACTIVE tool for verifying contracts:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. ACTIVE: A Tool for Integrating Analysis Contracts, AVICPS 2014.
● Security and reliability analyses:
— I. Ruchkin, A. Rao, D. De Niz, S. Chaki, D. Garlan. Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach, CPS-SPC 2015.

Page 34

Q&A

● When to terminate the search?
● What views to use for constraint generation?
● What if no fixpoints/candidates are found?
— Involve humans
— Probably irreconcilable requirements
● Resolving vs. avoiding the loop?
● Automated recognition of loop cases?
● General theorems about techniques?