David Greaves - SENSORCOM08 - France. Using a .net Checkability Profile to Limit Interactions between Embedded Controllers. David Greaves, Atif Alvi, Tope Omitola, Daniel Gordon. University of Cambridge Computer Laboratory


Dec 25, 2015

Transcript
Page 1

Using a .net Checkability Profile to Limit Interactions between Embedded Controllers.

David Greaves, Atif Alvi, Tope Omitola, Daniel Gordon.

University of Cambridge Computer Laboratory

Page 2

A Vision of Evolution for UbiComp

– A myriad of devices connected to the network.

– All devices are connected and share a common, all-pervasive, middleware.

– Devices contain controllable and controlling components.

Page 3

Rules of the Domain

• No rule should issue a command under the same circumstances where another rule issues the counter-command.

• Inlet and outlet valves must not both be open at once.

• Fire Alarm must mute all music sources.

• The front gates must always be remotely openable by some method or other.

Page 4

Feature Interaction Detection

• Can we define a framework for code management in a UbiComp or Sensor/Actuator network that enables proof of safety and liveness?

• We propose using a .net bytecode framework and evaluate its cost and flexibility.

Page 5

Component Architecture

• We partition all devices and services into
– Pebbles (sensors, actuators, software processes)
– Applications (heating control, burglar alarm, CD player control...)

• Further, we partition application code so it contains no device drivers, dynamic storage, dynamic binding and uses simple network I/O to all pebbles.

Page 6

A Device: A collection of Pebbles and a Canned App

Let's look at what a modern TV set contains:

1. The following separate devices, each of which can be individually useful in a networked home:

• RF Tuner

• Colour Display

• Ni-Cam Audio Decoder

• Power Amplifier

• Surround Sound Decoder

• IR Receiver

• Teletext Decoder

• MPEG Decoder

• Programming Memory

• Front Panel User Interface

2. A canned application that joins the components.

Page 7

Automated Directory Systems Work

• Devices register in an ad hoc database
– e.g. UPnP’s SSDP, INS and O2S Oxygen system

• Devices can be found by service offered
– e.g. A colour printer on floor 3 west.

• Retrieval by conjunction of predicates

(Few successful deployments. Unexpected behaviours. Load balancing/path finding unsupported.)

Page 8

Controllers Vs The Controlled

• API Reflection is now a Mature Technology

• It will be further deployed (?)
– X-by-wire, Field Busses, Sensor Networks, CAN.
– EDDL, XDDL, Embedded Systems

• Code Reflection has seen virtually no work!
– i.e. how do devices describe their embedded behaviour
– and how is reactive behaviour between actuators and sensors captured?

Page 9

Code Reflection

• A device must expose the proactive behaviour of its canned application(s)
– Actual source code (constrained language)
– Proof carrying actual source code
– Summary of behaviour
– E.g. I will not send control messages when I am in standby mode.
– E.g. I am always off between 1:00 and 5:00.

• Device is banned from full operation within domain unless proof obligations are met.

Page 10

An Example .net CD player.

• We built a CD/DVD player according to our component architecture.

• The application code was implemented in a pair of .net code bundles.

• The bytecode can be read out by a domain controller and checked, along with the other participating applications in the domain, against the rules of the domain.
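A worked check of the kind the domain controller on this slide would run, given as an added example that is not code from the Pebbles project. Each participating application is a finite-state table over a shared event alphabet, the checker explores every reachable joint state of the synchronous product, and tests the rules of the domain from slide 3 against it: a command and its counter-command issued under the same circumstances, inlet and outlet valves both open, and a fire alarm that does not mute a music source. All controller names, events, actuators and transition tables are constructed for the example; a device whose bundle breaks a rule is what slide 9 says must be banned from full operation.

```python
"""Domain-controller rule check over a set of finite-state applications.

Constructed example, not the Pebbles project's code.  Each application is a
table (state, event) -> (next_state, commands), a command is (actuator, value),
and every event is broadcast to every application (synchronous product)."""
from collections import deque

# Values that are each other's counter-command.
COUNTER = {"open": "close", "close": "open", "play": "stop",
           "stop": "play", "on": "off", "off": "on"}

# Shared event alphabet (assumed sensor and user events).
EVENTS = ("tank_low", "tank_full", "fire", "fire_clear",
          "play_pressed", "stop_pressed")


class Controller:
    """Finite-state application; an unhandled event leaves the state as it
    is and issues nothing."""

    def __init__(self, name, initial, table):
        self.name, self.initial, self.table = name, initial, table

    def step(self, state, event):
        return self.table.get((state, event), (state, ()))


def invariants(act):
    """Rules of the domain stated over the actuator state."""
    bad = []
    if act.get("inlet") == "open" and act.get("outlet") == "open":
        bad.append("inlet and outlet valves both open")
    if act.get("alarm") == "on" and act.get("music") == "play":
        bad.append("fire alarm on while a music source plays")
    return bad


def check_domain(controllers):
    """Breadth-first search of every reachable joint state.  Returns the
    sorted list of distinct rule violations; [] means all rules hold."""
    start = (tuple(c.initial for c in controllers), ())
    seen, queue, found = {start}, deque([start]), set()
    while queue:
        states, act = queue.popleft()
        for event in EVENTS:
            new_states, issued = [], []
            for ctrl, st in zip(controllers, states):
                nxt, cmds = ctrl.step(st, event)
                new_states.append(nxt)
                issued += [(ctrl.name, c) for c in cmds]
            # Rule 1: a command and its counter-command under the same
            # circumstances, from two different rules.
            for i, (an, (aa, av)) in enumerate(issued):
                for bn, (ba, bv) in issued[i + 1:]:
                    if aa == ba and COUNTER.get(av) == bv:
                        found.add(f"conflict on '{event}': {an} {aa}.{av} "
                                  f"vs {bn} {ba}.{bv}")
            new_act = dict(act)
            for _, (actuator, value) in issued:
                new_act[actuator] = value
            for msg in invariants(new_act):
                found.add(f"after '{event}': {msg}")
            nxt_state = (tuple(new_states), tuple(sorted(new_act.items())))
            if nxt_state not in seen:
                seen.add(nxt_state)
                queue.append(nxt_state)
    return sorted(found)


# Constructed applications.  Commands are (actuator, value) pairs.
FILLER = Controller("filler", "idle", {
    ("idle", "tank_low"): ("filling", (("inlet", "open"), ("outlet", "close"))),
    ("filling", "tank_full"): ("idle", (("inlet", "close"),))})
DRAINER = Controller("drainer", "idle", {
    ("idle", "tank_full"): ("draining", (("outlet", "open"),)),
    ("draining", "tank_low"): ("idle", (("outlet", "close"),))})
ALARM = Controller("fire_alarm", "quiet", {
    ("quiet", "fire"): ("ringing", (("alarm", "on"),)),
    ("ringing", "fire_clear"): ("quiet", (("alarm", "off"),))})
# Two separately written apps answer 'fire' with opposite vent commands.
SMOKE_VENT = Controller("smoke_vent", "closed", {
    ("closed", "fire"): ("opened", (("vent", "open"),))})
CONTAINMENT = Controller("containment", "idle", {
    ("idle", "fire"): ("sealed", (("vent", "close"),))})
# A CD player that ignores the fire alarm ...
CD_NAIVE = Controller("cd", "standby", {
    ("standby", "play_pressed"): ("playing", (("music", "play"),)),
    ("playing", "stop_pressed"): ("standby", (("music", "stop"),))})
# ... and one that stops on 'fire' and will not play until the alarm clears.
CD_FIXED = Controller("cd", "standby", {
    **CD_NAIVE.table,
    ("standby", "fire"): ("muted", ()),
    ("playing", "fire"): ("muted", (("music", "stop"),)),
    ("muted", "fire_clear"): ("standby", ())})

if __name__ == "__main__":
    print(check_domain([FILLER, DRAINER, ALARM, SMOKE_VENT, CONTAINMENT, CD_NAIVE]))
    print(check_domain([FILLER, DRAINER, ALARM, SMOKE_VENT, CD_FIXED]))
```

The first run, with a CD player that ignores the fire alarm and two apps that answer 'fire' with opposite vent commands, reports the counter-command conflict and the broken fire-alarm rule; the second run, with the containment app kept out of the domain and the CD player replaced by one that stops on 'fire' and ignores play until the alarm clears, reports nothing. The joint state space here is tiny, and the whole product is re-explored on every change; the incremental model checking the conclusions call for is what this check needs once applications join and leave the domain one at a time.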

Page 12

Pebbles Project General Flow

Page 13

CD/DVD Player Components

Page 14

CD/DVD Player Block Diagram

Page 15

Software Costs

• Embedded devices have limited capabilities, especially RAM, but ROM is not so critical.

• XML parsing is expensive in RAM use.

• We have implemented a .net interpreter, HTTP server and XML output all at 'reasonable' cost.

Page 17

Heap and Stack RAM Use

Page 18

Checkability Classes?

• We have imposed a checkability profile on the .net bundles.

• The current profile is finite-state and strictly limited in the IO libraries used.

• All participating applications in the domain must conform to our profile.

• In the future, we can define a richer class, based on linear integer programming, Presburger arithmetic and so on.
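What a static checkability-profile check can look like, as an added example that is not the project's checker. It applies the profile of slides 5 and 18 (no dynamic storage, no dynamic binding, only a small set of I/O library calls, finite-state) to a simplified ildasm-style text listing of a bundle and reports every instruction that falls outside the profile. The listing format, the allowed library names (Pebble::Send and friends) and the two sample bundles are constructed for the example; the opcode names are CIL mnemonics, but the real profile is applied to .net bytecode read out of the device, not to text.

```python
"""Static checkability-profile check over a bundle's bytecode listing.

Constructed example, not the Pebbles project's checker.  The listing is a
simplified ildasm-style text, one instruction per line, '//' comments
allowed; opcode names are CIL mnemonics."""
import re

# Dynamic storage: application code may not allocate on the heap.
DYNAMIC_STORAGE = {"newobj", "newarr", "box", "localloc"}
# Dynamic binding: indirect or virtual calls cannot be resolved statically.
DYNAMIC_BINDING = {"callvirt", "calli", "ldftn", "ldvirtftn"}
# The only library calls allowed: simple network I/O to pebbles and a
# timer.  These names are assumed for the example.
ALLOWED_LIBRARY = {"Pebble::Send", "Pebble::Receive", "Pebble::Poll",
                   "Clock::Sleep"}

METHOD_RE = re.compile(r"^\.method\s+(\S+)")


def parse_listing(text):
    """Return {method_name: [(opcode, operand), ...]} from the listing."""
    methods, current = {}, None
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()
        if not line:
            continue
        m = METHOD_RE.match(line)
        if m:
            current = m.group(1)
            methods[current] = []
            continue
        if current is None:
            raise ValueError(f"instruction outside a method: {line}")
        op, _, operand = line.partition(" ")
        methods[current].append((op, operand.strip()))
    return methods


def _reaches(calls, start, target, seen):
    """True if a chain of intra-bundle calls leads from start to target."""
    for callee in calls[start]:
        if callee == target:
            return True
        if callee not in seen:
            seen.add(callee)
            if _reaches(calls, callee, target, seen):
                return True
    return False


def check_profile(text):
    """Return the list of profile violations; [] means the bundle is checkable."""
    methods = parse_listing(text)
    violations, calls = [], {name: set() for name in methods}
    for name, body in methods.items():
        for op, operand in body:
            ins = f"{op} {operand}".strip()
            if op in DYNAMIC_STORAGE:
                violations.append(f"{name}: dynamic storage ({ins})")
            elif op in DYNAMIC_BINDING:
                violations.append(f"{name}: dynamic binding ({ins})")
            elif op == "call":
                if operand in methods:          # call inside the bundle
                    calls[name].add(operand)
                elif operand not in ALLOWED_LIBRARY:
                    violations.append(
                        f"{name}: library call outside profile ({operand})")
    # Finite-state requirement: a cycle in the call graph (recursion) has
    # unbounded stack depth, so there is no finite state space to check.
    for name in methods:
        if _reaches(calls, name, name, set()):
            violations.append(f"{name}: recursive call chain")
    return violations


# Constructed listing of a conforming control loop: state in a static
# field, loops by branching, I/O only through the pebble library.
CONFORMING = """
.method Player::Main
  ldsfld Player::state       // state kept in a static field, not on the heap
  ldc.i4.1
  beq Player::Main
  call Pebble::Receive
  call Player::Dispatch
  br Player::Main
.method Player::Dispatch
  ldc.i4 0x10                // constant command code for the audio pebble
  call Pebble::Send
  ret
"""

# The same loop with a heap-allocated queue, a delegate call, an
# unrestricted socket library and mutual recursion.
NONCONFORMING = """
.method Player::Main
  newobj System.Collections.Generic.Queue`1::.ctor
  ldftn Player::OnEvent
  calli
  call System.Net.Sockets.Socket::Connect
  call Player::Dispatch
  ret
.method Player::Dispatch
  call Player::Main
  ret
"""

if __name__ == "__main__":
    print(check_profile(CONFORMING))
    print(*check_profile(NONCONFORMING), sep="\n")
```

Loops written with branches (br, beq) are accepted because they keep the state space finite; a call chain that returns to its own method is rejected for the opposite reason. The allowlist is the knob that matters most: once a bundle can call an arbitrary library, the behaviour the domain controller reasons about is no longer contained in the bytecode it read out.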

Page 19

Conclusions

• Running a 'complex' software stack is not a real obstacle, but don't parse too much XML.

• Using .net bytecode in embedded systems can be fast and compact enough; otherwise reflect your behaviour in .net while executing something else.

• We need to explore incremental model checking.

• We need to formally define our checkability class.

Page 20

The End

[email protected]

• www.cl.cam.ac.uk/Research/SRG/HAN/Pebbles

• The Pebbles, AutoHAN and Oxygen O2S Teams