A Framework for Contract-Based Composition of CPS Analyses. Ivan Ruchkin, in collaboration with the SEI: Sagar Chaki, Dionisio De Niz, and Mark Klein. ISR Software Seminar, October 14, 2013.

A Framework for Contract-Based Composition of CPS Analyses

Jun 26, 2015


Ivan Ruchkin

This work, also known as Virtual Integration of CPS Analyses, is a collaboration between the Institute for Software Research and the Software Engineering Institute.

These slides were presented at an SSSG @ ISR.
Transcript
Page 1: A Framework for Contract-Based Composition of CPS Analyses

A Framework for Contract-Based Composition of CPS Analyses

Ivan Ruchkin

In collaboration with the SEI: Sagar Chaki, Dionisio De Niz, and Mark Klein.

ISR Software Seminar, October 14, 2013

Page 2: A Framework for Contract-Based Composition of CPS Analyses

Outline

● Composition of architectural analyses
  – SEI modeling ecosystem
  – Composition problem

● Framework for contract-based analysis composition
  – Analysis contracts
  – Design
  – Future work

Page 3: A Framework for Contract-Based Composition of CPS Analyses

Outline

● Composition of architectural analyses
  – SEI modeling ecosystem
  – Composition problem

● Framework for contract-based analysis composition
  – Analysis contracts
  – Design
  – Future work

Page 4: A Framework for Contract-Based Composition of CPS Analyses

CPS Modeling Ecosystem

[Figure: a cyber-physical system surrounded by separate models (deadlock model, control model, physical model, hybrid model); the relationships between the models are marked with question marks.]

Page 5: A Framework for Contract-Based Composition of CPS Analyses

AADL in One Slide

● ADL for avionics, embedded, and real-time systems.
  – Fixed architectural style.

● Modularity:
  – Types and instances.
  – Interfaces and implementations.

● Annexes
  – Language extensions for analyses.

Page 6: A Framework for Contract-Based Composition of CPS Analyses

SEI Modeling Ecosystem

[Figure: an AADL system model with its attached models (error behavior model, scheduling model, security model, frequency scaling model) and the analyses that operate on them (frequency scaling analysis, error analysis 1, security analysis, scheduling analysis, error analysis 2).]

Page 7: A Framework for Contract-Based Composition of CPS Analyses

Example: Security Analysis

● Goal: determine which threads can be collocated on the same processor.

● Security model:
  – a data type “security class,”
  – a thread type with a security class field.

● Analysis interface:
  – Inputs: processes, threads, and thread security levels.
  – Outputs: description of which threads cannot be collocated.

● Analysis body: the algorithm of transforming inputs into outputs.

Page 8: A Framework for Contract-Based Composition of CPS Analyses

SEI Development Ecosystem

[Figure: the same AADL system model, attached models (error behavior, scheduling, security, frequency scaling) and analyses (frequency scaling, error analysis 1, security, scheduling, error analysis 2) as on the previous slide, with a question mark over how the analyses relate to each other.]

Page 9: A Framework for Contract-Based Composition of CPS Analyses

Analysis Composition Problem

● Analyses have semantic interdependencies – how do we avoid violating them?
  – E.g., scheduling needs collocation restrictions.

● Analyses rely on each other to work correctly – how do we ensure correct composition?
  – E.g., frequency scaling relies on correct scheduling.

[Figure: security analysis → scheduling analysis → frequency scaling analysis.]

Page 10: A Framework for Contract-Based Composition of CPS Analyses

Related Work

● Software verification
  – Does not address architectural analyses.

● OCL for UML & SysML
  – Does not allow verification of assumptions.

● Equation-based OO (Modelica)
  – Signal-flow equations, not discrete behavior.

● Other toolkits (VEST, …)
  – Do not allow separation of models and analyses.

Page 11: A Framework for Contract-Based Composition of CPS Analyses

Outline

● Composition of architectural analyses
  – SEI modeling ecosystem
  – Composition problem

● Framework for contract-based analysis composition
  – Analysis contracts
  – Design
  – Future work

Page 12: A Framework for Contract-Based Composition of CPS Analyses

A Framework for Contract-Based Analysis Composition

a.k.a. virtual integration for open runtime analytic models

● Framework to specify the dependencies and assumptions of analyses.

● Relies on analysis contracts.

● Builds on top of the AADL design environment.

● Uses third-party tools to perform analyses.

Page 13: A Framework for Contract-Based Composition of CPS Analyses

Analysis Contracts

● Inputs: what parts of the model the analysis accesses.

● Output: what parts of the model the analysis updates.

● Assumptions: what has to be true about the model for the analysis to be applicable.

● Guarantees: what the analysis guarantees about the model after its execution.

M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, “Resource allocation contracts for open analytic runtime models,” 2011.

Page 14: A Framework for Contract-Based Composition of CPS Analyses

Example of Analyses

● Security (confidentiality) analysis
  – Based on security levels of threads, determine which threads can be collocated on one processor.

● Bin packing (real-time allocation) analysis
  – Allocate processes to processors.

● Frequency scaling (power efficiency) analysis
  – Minimize the processor frequency to meet the task deadlines.

● Model checking (safety) analysis
  – Assuming the threads are scheduled correctly, check if the system is safe.

Page 15: A Framework for Contract-Based Composition of CPS Analyses

Example of Analyses: Dependency Graph

[Figure: dependency graph. Execution order: Security analysis → Bin packing → Frequency scaling and Model checking.]

● Security analysis
  – In: processes and threads with security classes.
  – Out: collocation info.

● Bin packing
  – In: threads with collocation info, processes, and processors.
  – Out: allocation to processors.

● Frequency scaling
  – In: processes allocated to processors.
  – Out: processor frequencies.

● Model checking
  – In: processes allocated to processors.
  – Out: deadlock safety.

Page 16: A Framework for Contract-Based Composition of CPS Analyses

Example of Analyses: assumptions and guarantees

[Figure: the same dependency graph, execution order Security analysis → Bin packing → Frequency scaling and Model checking, annotated with pre- and postconditions.]

● Security analysis
  – Pre: true.
  – Post: not collocated with what is prohibited.

● Bin packing
  – Pre: not collocated with what is prohibited.
  – Post: true.

● Frequency scaling
  – Pre: no preemption for shorter deadlines.
  – Post: true.

● Model checking
  – Pre: deadlines are equal to periods.
  – Post: true.

Page 17: A Framework for Contract-Based Composition of CPS Analyses

Contracts Verification Use Cases

● Model-specific:
  – Applicability check: assumptions and guarantees satisfied by a concrete model.

● Model-independent:
  – Feasibility check: the intersection of all assumptions and guarantees should be satisfiable.
  – Implication check: guarantees might imply the assumptions.
  – Variant replacement: replacing analysis variants in existing graphs requires weaker assumptions and stronger guarantees.
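As an added illustration of the contract slides above (inputs/outputs, the dependency graph of the four example analyses, their pre/postconditions, and the feasibility, implication and variant-replacement checks), the following Python sketch is not the framework's own code: it derives the execution order from input/output overlap and runs the model-independent checks by brute force over a small constructed propositional vocabulary, where the real framework discharges such queries with Z3.

```python
from collections import namedtuple
from itertools import product
from graphlib import TopologicalSorter

# Toy propositional atoms standing in for the Z3 queries the framework issues
# (constructed for this example; the slides' contracts are richer formulas).
ATOMS = ("colloc_ok", "no_short_preempt", "deadline_is_period")
TRUE = lambda m: True
atom = lambda name: (lambda m: bool(m[name]))
valuations = lambda: (dict(zip(ATOMS, b)) for b in product((False, True), repeat=len(ATOMS)))

# inputs/outputs: model elements read/updated; assumption (Pre) and guarantee (Post): predicates.
Contract = namedtuple("Contract", "name inputs outputs assumption guarantee")

def execution_order(contracts):
    """Dependency graph from input/output overlap: an analysis runs after every producer of its inputs."""
    producer = {o: c.name for c in contracts for o in c.outputs}
    deps = {c.name: {producer[i] for i in c.inputs if i in producer} for c in contracts}
    return list(TopologicalSorter(deps).static_order())

def implies(f, g):
    """f => g under every valuation (brute-force stand-in for a validity query)."""
    return all(g(m) for m in valuations() if f(m))

def feasible(contracts):
    """Feasibility check: the conjunction of all assumptions and guarantees is satisfiable."""
    return any(all(c.assumption(m) and c.guarantee(m) for c in contracts) for m in valuations())

def unsupported_assumptions(contracts):
    """Implication check: analyses whose assumption is not implied by the guarantees of the
    analyses that run earlier; those must be checked against the concrete model instead."""
    order, by_name = execution_order(contracts), {c.name: c for c in contracts}
    gaps = []
    for k, name in enumerate(order):
        earlier = lambda m, k=k: all(by_name[n].guarantee(m) for n in order[:k])
        if not implies(earlier, by_name[name].assumption):
            gaps.append(name)
    return gaps

def can_replace(old, new):
    """Variant replacement: the new variant needs a weaker assumption and a stronger guarantee."""
    return implies(old.assumption, new.assumption) and implies(new.guarantee, old.guarantee)

# The four analyses from the dependency graph and pre/post slides.
EXAMPLE = (
    Contract("security", {"processes", "threads_with_classes"}, {"collocation_info"}, TRUE, atom("colloc_ok")),
    Contract("bin_packing", {"collocation_info", "processes", "processors"}, {"allocation"}, atom("colloc_ok"), TRUE),
    Contract("frequency_scaling", {"allocation"}, {"processor_frequencies"}, atom("no_short_preempt"), TRUE),
    Contract("model_checking", {"allocation"}, {"deadlock_safety"}, atom("deadline_is_period"), TRUE),
)
```

Running `unsupported_assumptions(EXAMPLE)` flags frequency scaling and model checking: nothing upstream guarantees their preconditions, so only the model-specific applicability check can discharge them.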

Page 18: A Framework for Contract-Based Composition of CPS Analyses

Framework Design

[Figure: framework architecture inside Eclipse/OSATE. Inputs: analyses' contracts and source, and the concrete model source. Components: Graph Constructor (produces the graph of analyses), DB Constructor (produces the model DB, SQL), DB assumption checker, Logical compiler, and Analysis executor; verification engines Z3 and Spin. Arrows show data flow.]

Page 19: A Framework for Contract-Based Composition of CPS Analyses

Future Work

● Theory:
  – Verifying formulas in different logics: FOPL & LTL.
  – Looking for patterns in formulas.

● Application:
  – Include other analyses, e.g., error behavior analysis.
  – Include other verification engines: UPPAAL, Alloy.

Page 20: A Framework for Contract-Based Composition of CPS Analyses

Summary

● CPS modeling requires analysis composition support.

● Analysis contracts capture semantic dependencies between analyses.

● The analysis composition framework allows AADL analyses to be created and verified.

Page 21: A Framework for Contract-Based Composition of CPS Analyses

References

● M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, “Resource allocation contracts for open analytic runtime models,” in Proc. of the 9th ACM International Conference on Embedded Software, 2011.

● M.-Y. Nam, D. de Niz, L. Wrage, and L. Sha, “Open Analytic Runtime Models,” in Proc. of the Workshop on Architectures for CPS, 2011.