analytic dependency loops in architectural models of cyber-physical systems

Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems. 8th International Workshop on Model-based Architecting of Cyber-Physical and Embedded Systems (ACES-MB), September 28, 2015, Ottawa, Canada. Ivan Ruchkin, Bradley Schmerl, David Garlan.



Page 1: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems

Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems

8th International Workshop on Model-based Architecting of Cyber-Physical and Embedded Systems (ACES-MB)

September 28, 2015, Ottawa, Canada

Ivan Ruchkin, Bradley Schmerl, David Garlan

Page 2: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Collaborators:
— Dionisio De Niz (SEI CMU)
— Sagar Chaki (SEI CMU)
— Ashwini Rao (ISR CMU)

● Sponsors:
— NSF
— DoD
— NSA

Page 3: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

Page 4: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

Page 5: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Driverless Cars


Page 6: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Braking Subsystem Architecture

Page 7: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



Page 8: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



Page 9: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



Page 10: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



Page 11: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Analytic Dependencies

Page 12: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Dependency Loop Example

Page 13: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Dependency Loop

Page 14: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Analytic Dependency Loops

● Appear in complex cyber-physical systems
● Important to address
— Currently require expensive manual effort
— May introduce subtle errors into designs
● No up-front, one-size-fits-all solution
— Diverse disciplines and combinations of analyses
— Different project scope and constraints
● Goal: develop concepts and methods for resolving such loops

Page 15: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

Page 16: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Related Work

● Loops and dependencies in other contexts
— Loop invariants in programming languages [1]
— Deadlocks in dataflow systems [2]
— Dependencies in design [3]
● Model evolution
— Model transformations [4]
— Analysis contracts [5]

[1] P. Cousot and R. Cousot. Automatic synthesis of optimal invariant assertions, SIGART Bulletin, 1977.
[2] Y. Zhou and E. Lee. A Causality Interface for Deadlock Analysis in Dataflow, EMSOFT 2006.
[3] A. Qamar. Model and Dependency Management in Mechatronic Design, PhD Thesis, 2013.
[4] G. Bergmann, I. Ráth, G. Varró, D. Varró. Change-driven model transformations, SoSyM 2011.
[5] I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.

Page 17: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Analysis contract C is a tuple (I, O, A, G):
— Inputs I
— Outputs O
— Assumptions A
— Guarantees G

● Analysis A1 depends on analysis A2 iff:

A1.I ∩ A2.O ≠ ∅

Page 18: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

Page 19: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● System model M is a fixpoint (FP)
— For analysis A if: A(M) = M
— For dependency loop A1..AN if: ∀i:1..N · Ai(M) = M
— “A solution to a loop”

● System model M is a candidate fixpoint (CFP)
— For analysis A if: M ⊨ A.G
— For dependency loop A1..AN if: ∀i:1..N · M ⊨ Ai.G
— “Almost a solution to a loop”
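The contract-based dependency test (slide 17) and the fixpoint and candidate-fixpoint definitions (slide 19) can be made concrete with a few lines of code. The following is an added example, not code from the slides or from the ACTIVE tool: it models analysis contracts as (I, O, A, G) tuples, finds dependency loops among a set of analyses, and checks FP and CFP on a constructed toy braking-subsystem model. The three analyses (timing, control, power), their contracts and the model values are all constructed for illustration; the timing guarantee is deliberately weaker than what the analysis computes, so that a model can be a CFP without being an FP.

```python
# Added example, not from the slides: analysis contracts C = (I, O, A, G),
# the dependency test A1.I ∩ A2.O ≠ ∅, and the fixpoint (FP) and candidate
# fixpoint (CFP) predicates, on a constructed toy model of a braking subsystem.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Model = Dict[str, int]
Predicate = Callable[[Model], bool]


@dataclass(frozen=True)
class Contract:
    """An analysis together with its contract (inputs, outputs, assumptions, guarantees)."""
    name: str
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]
    assumptions: Tuple[Predicate, ...]
    guarantees: Tuple[Predicate, ...]
    run: Callable[[Model], Model]   # the analysis itself, M -> M'


def depends_on(a1: Contract, a2: Contract) -> bool:
    """A1 depends on A2 iff A1 reads something A2 writes: A1.I ∩ A2.O ≠ ∅."""
    return bool(a1.inputs & a2.outputs)


def dependency_loops(analyses: List[Contract]) -> List[List[str]]:
    """Return the dependency cycles among the analyses, each as a list of names
    starting from the alphabetically smallest member so every cycle appears once."""
    graph = {a.name: [b.name for b in analyses if a is not b and depends_on(a, b)]
             for a in analyses}
    loops: List[List[str]] = []

    def walk(start: str, node: str, path: List[str]) -> None:
        for nxt in graph[node]:
            if nxt == start:
                loops.append(list(path))
            elif nxt not in path and nxt > start:
                walk(start, nxt, path + [nxt])

    for name in sorted(graph):
        walk(name, name, [name])
    return loops


def is_fixpoint(model: Model, analyses: List[Contract]) -> bool:
    """FP of the loop: every analysis leaves the model unchanged, ∀i · Ai(M) = M."""
    return all(a.run(model) == model for a in analyses)


def is_candidate_fixpoint(model: Model, analyses: List[Contract]) -> bool:
    """CFP of the loop: the model satisfies every guarantee, ∀i · M ⊨ Ai.G."""
    return all(g(model) for a in analyses for g in a.guarantees)


# Constructed analyses.  Timing derives a response-time bound from WCET and
# period; control derives the period from the response time; power analysis
# is independent of both.  Timing and control each consume the other's output.
def run_timing(m: Model) -> Model:
    return {**m, "response_ms": m["wcet_ms"] + m["period_ms"] // 4}


def run_control(m: Model) -> Model:
    return {**m, "period_ms": 2 * m["response_ms"]}


def run_power(m: Model) -> Model:
    return {**m, "power_mw": 3 * m["cpu_mhz"]}


TIMING = Contract(
    "timing", frozenset({"wcet_ms", "period_ms"}), frozenset({"response_ms"}),
    assumptions=(lambda m: m["wcet_ms"] > 0,),
    # weaker than what the analysis computes: any bound at least as large
    # as the computed one satisfies the guarantee
    guarantees=(lambda m: m["response_ms"] >= m["wcet_ms"] + m["period_ms"] // 4,),
    run=run_timing)
CONTROL = Contract(
    "control", frozenset({"response_ms"}), frozenset({"period_ms"}),
    assumptions=(),
    guarantees=(lambda m: m["period_ms"] >= 2 * m["response_ms"],),
    run=run_control)
POWER = Contract(
    "power", frozenset({"cpu_mhz"}), frozenset({"power_mw"}),
    assumptions=(),
    guarantees=(lambda m: m["power_mw"] == 3 * m["cpu_mhz"],),
    run=run_power)
ANALYSES = [TIMING, CONTROL, POWER]

# Constructed models: FP_MODEL is left unchanged by all three analyses;
# CFP_ONLY meets every guarantee, but timing would tighten its response bound.
FP_MODEL = {"wcet_ms": 10, "period_ms": 40, "response_ms": 20, "cpu_mhz": 100, "power_mw": 300}
CFP_ONLY = {**FP_MODEL, "period_ms": 60, "response_ms": 30}

if __name__ == "__main__":
    print("loops:", dependency_loops(ANALYSES))
    for label, m in (("FP_MODEL", FP_MODEL), ("CFP_ONLY", CFP_ONLY)):
        print(label, "FP" if is_fixpoint(m, ANALYSES) else "not FP",
              "CFP" if is_candidate_fixpoint(m, ANALYSES) else "not CFP")
```

Only timing and control form a loop; power depends on neither and is reported as loop-free. The CFP_ONLY model shows why the slide calls a CFP "almost a solution": it passes every guarantee, yet re-running the timing analysis changes it, so it is not a fixpoint and a design review that stopped at the guarantees would accept a model the analyses disagree with.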

Page 20: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Cases of Dependency Loops

C1. Strong convergence
— FP exists, and is reachable by any sequence of analyses

C2. Weak convergence
— FP exists, and is reachable by some sequence of analyses

C3. Weak divergence
— FP exists, but is not reachable by any sequence of analyses

C4. Divergence
— FP does not exist, but CFP exists

C5. Strong divergence
— Neither FP, nor CFP exist

Page 21: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Example: Strong & Weak Convergence

Page 22: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Example: Weak Divergence & Divergence

Page 23: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

Page 24: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



1. Use rich multi-view model
2. Find a fixpoint (or candidate)
3. Verify that a model is a fixpoint

Page 25: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Multi-View Architecture

Page 26: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Technique 1: Iterative Execution

● Execute analyses in some sequence
— Random
— Contract-guided
— Model order-guided

● Applicability: strong and weak convergence

● Pros:
— Simple, accessible
— Can verify fixpoints

● Cons:
— Computationally expensive
— Heuristic, no guarantees
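Iterative execution is easy to script, and the script also doubles as the fixpoint verifier (run every analysis once and compare). The block below is an added example, not code from the slides: two constructed analyses (timing and control, each consuming the other's output) are executed pass by pass in either a fixed or a random order until a fixpoint is verified, a non-fixpoint model recurs, or a pass budget is exhausted. A third constructed analysis, pessimistic_timing, forms a loop with control that has no fixpoint, which is where the technique's "no guarantees" shows up: the iteration simply runs out of budget.

```python
# Added example, not from the slides: Technique 1, iterative execution of a
# dependency loop until a fixpoint is found.  The analyses are constructed.
import random
from typing import Callable, Dict, List, Tuple

Model = Dict[str, int]
Analysis = Callable[[Model], Model]


def timing(m: Model) -> Model:
    """Constructed timing analysis: response-time bound from WCET and period."""
    return {**m, "response_ms": m["wcet_ms"] + m["period_ms"] // 4}


def control(m: Model) -> Model:
    """Constructed control analysis: controller period from the response time."""
    return {**m, "period_ms": 2 * m["response_ms"]}


def pessimistic_timing(m: Model) -> Model:
    """A looser constructed bound; together with control() the loop has no fixpoint."""
    return {**m, "response_ms": m["wcet_ms"] + m["period_ms"] // 2}


def is_fixpoint(m: Model, analyses: List[Analysis]) -> bool:
    """Verify a fixpoint by executing every analysis once: ∀i · Ai(M) = M."""
    return all(a(m) == m for a in analyses)


def iterate(model: Model, analyses: List[Analysis], order: str = "fixed",
            max_passes: int = 50, seed: int = 0) -> Tuple[str, Model, int]:
    """Run passes over the loop until a fixpoint is verified.

    order='fixed' applies the analyses in list order on every pass;
    order='random' shuffles the order of every pass (seeded, so repeatable).
    Returns (outcome, model, passes) where outcome is 'fixpoint', 'cycle'
    (under the fixed order a non-fixpoint model recurred, so further passes
    cannot help) or 'budget' (no conclusion within max_passes)."""
    rng = random.Random(seed)
    seen = set()
    for passes in range(max_passes + 1):
        if is_fixpoint(model, analyses):
            return "fixpoint", model, passes
        if passes == max_passes:
            break
        key = frozenset(model.items())
        if order == "fixed" and key in seen:
            return "cycle", model, passes
        seen.add(key)
        sequence = list(analyses)
        if order == "random":
            rng.shuffle(sequence)
        for a in sequence:
            model = a(model)
    return "budget", model, max_passes


# Constructed starting model: WCET known, period and response not yet consistent.
START = {"wcet_ms": 10, "period_ms": 100, "response_ms": 0}

if __name__ == "__main__":
    print(iterate(START, [timing, control]))
    print(iterate(START, [timing, control], order="random", seed=0))
    print(iterate(START, [pessimistic_timing, control]))
```

The fixed order converges in five passes to period 40 ms and response 20 ms. The random order also converges (this loop is strongly convergent in the slides' sense), but not necessarily to the same model: the pair period 38 ms and response 19 ms is a second fixpoint of these two analyses, so which fixpoint the system design ends up with depends on the execution sequence, which is a reason to verify the final model rather than trust the iteration that produced it.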

Page 27: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Technique 2: Constraint Solving

● Generate a constraint satisfaction problem
— Using architectural model and guarantees
— Does not execute analyses

● Applicability:
— Finds CFP in all cases except strong divergence
— Demonstrates absence of CFP in strong divergence

● Pros:
— Exhaustive search within bounds

● Cons:
— Results need to be verified with a different method
— Relies on model translation to a constraint language
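To show what "exhaustive search within bounds" over guarantees means without depending on an SMT solver, here is an added example (not from the slides, and a brute-force stand-in for the constraint language the slides translate models into): the free model variables get bounded integer domains, every assignment is enumerated, and those satisfying all guarantees are returned as candidate fixpoints. The guarantees and the WCET value are constructed; the first pair of guarantees has solutions, the second pair (a pessimistic timing guarantee against the same control guarantee) has none for any positive WCET, which is the strong-divergence case.

```python
# Added example, not from the slides: Technique 2, constraint solving, done
# here as bounded exhaustive enumeration over the guarantees rather than a
# call to an SMT/CSP solver.  Domains, guarantees and the WCET are constructed.
from itertools import product
from typing import Callable, Dict, List

Model = Dict[str, int]
Guarantee = Callable[[Model], bool]


def find_candidate_fixpoints(fixed: Model, domains: Dict[str, range],
                             guarantees: List[Guarantee]) -> List[Model]:
    """Enumerate every assignment of the free variables within their domains and
    keep the ones satisfying all guarantees (∀i · M ⊨ Ai.G).  The analyses are
    never executed.  An empty result shows there is no CFP within the bounds."""
    names = list(domains)
    found: List[Model] = []
    for values in product(*(domains[n] for n in names)):
        m = {**fixed, **dict(zip(names, values))}
        if all(g(m) for g in guarantees):
            found.append(m)
    return found


# Guarantees of two constructed analyses in a braking-subsystem loop: timing
# guarantees its response-time bound, control guarantees its period choice.
def g_timing(m: Model) -> bool:
    return m["response_ms"] == m["wcet_ms"] + m["period_ms"] // 4


def g_control(m: Model) -> bool:
    return m["period_ms"] == 2 * m["response_ms"]


# A pessimistic timing guarantee: with g_control it forces response = wcet +
# response, impossible for any positive WCET, so the loop is strongly divergent.
def g_timing_pessimistic(m: Model) -> bool:
    return m["response_ms"] == m["wcet_ms"] + m["period_ms"] // 2


# Search bounds for the free variables (constructed; absence of a CFP is only
# demonstrated relative to these bounds).
DOMAINS = {"period_ms": range(1, 201), "response_ms": range(1, 101)}


def solve_braking_loop(wcet_ms: int = 10) -> List[Model]:
    return find_candidate_fixpoints({"wcet_ms": wcet_ms}, DOMAINS, [g_timing, g_control])


def solve_pessimistic_loop(wcet_ms: int = 10) -> List[Model]:
    return find_candidate_fixpoints({"wcet_ms": wcet_ms}, DOMAINS,
                                    [g_timing_pessimistic, g_control])


if __name__ == "__main__":
    print("candidate fixpoints:", solve_braking_loop())
    print("pessimistic loop:", solve_pessimistic_loop() or "no CFP within bounds")
```

Two candidates come back for the first loop (period 38 ms with response 19 ms, and period 40 ms with response 20 ms), which illustrates the slide's first "con": the search ranks nothing and does not tell you which candidate the analyses themselves would converge to, so each candidate still has to be confirmed by executing the analyses. The empty result for the pessimistic loop is only a proof of absence within the chosen bounds; a solver over unbounded integers would be needed to show there is no CFP at all.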

Page 28: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Technique 3: Genetic Search

● Derive hybrids of models
— Crossover: M1 × M2 = { (M1 ⊕ M2) ∪ m | m ⊆ M1 ∩ M2 }
— E.g., AAB × ABB = {AB, AAB, ABB, AABB}

● Applicability:
— Find FP in convergence and weak divergence
— Find CFP in divergence

● Pros:
— Can find FPs/CFPs beyond constraint solving bounds

● Cons:
— Heuristic, no guarantees
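The crossover on the slide treats models as multisets: the hybrids of M1 and M2 are the symmetric difference M1 ⊕ M2 (elements present on one side only) joined with every sub-multiset m of the intersection M1 ∩ M2, which for AAB and ABB yields exactly {AB, AAB, ABB, AABB}. The block below is an added example, not code from the slides: it implements that crossover with collections.Counter and wraps it in a small genetic search whose fitness is the number of analyses for which a model is already a fixpoint. Models are strings of component letters, and the two analyses (ensure_two_sensors, ensure_redundant_b) are constructed.

```python
# Added example, not from the slides: Technique 3, the multiset crossover
# M1 × M2 = { (M1 ⊕ M2) ∪ m | m ⊆ M1 ∩ M2 } and a small genetic search over
# the hybrids it produces.  Models are multisets of component letters written
# as strings; the analyses and the starting population are constructed.
from collections import Counter
from itertools import product
from typing import Callable, Iterable, List, Optional, Set, Tuple

Analysis = Callable[[str], str]


def canon(m: str) -> str:
    """Canonical spelling of a multiset model (letters sorted)."""
    return "".join(sorted(m))


def crossover(m1: str, m2: str) -> Set[str]:
    """All hybrids of two models: (M1 ⊕ M2) ∪ m for every m ⊆ M1 ∩ M2."""
    c1, c2 = Counter(m1), Counter(m2)
    sym_diff = (c1 - c2) + (c2 - c1)   # M1 ⊕ M2: elements on one side only
    common = c1 & c2                   # M1 ∩ M2: multiset intersection
    keys = sorted(common)
    hybrids: Set[str] = set()
    # every choice of counts 0..common[k] per element is one sub-multiset m
    for counts in product(*(range(common[k] + 1) for k in keys)):
        sub = Counter(dict(zip(keys, counts)))
        hybrids.add(canon("".join((sym_diff + sub).elements())))
    return hybrids


# Constructed analyses on component multisets.
def ensure_two_sensors(m: str) -> str:
    """Adds 'A' components until the design has at least two."""
    return m + "A" * max(0, 2 - m.count("A"))


def ensure_redundant_b(m: str) -> str:
    """Adds 'B' components until there are at least as many as 'A' components."""
    return m + "B" * max(0, m.count("A") - m.count("B"))


def fitness(m: str, analyses: List[Analysis]) -> int:
    """Number of analyses that leave the model unchanged (Ai(M) = M)."""
    return sum(canon(a(m)) == canon(m) for a in analyses)


def genetic_search(population: Iterable[str], analyses: List[Analysis],
                   generations: int = 10, keep: int = 4) -> Tuple[Optional[str], int]:
    """Breed hybrids by crossover, keep the fittest, stop when a fixpoint appears.
    Returns (fixpoint or None, generations used)."""
    pop = sorted({canon(m) for m in population})
    for gen in range(generations):
        for m in pop:
            if fitness(m, analyses) == len(analyses):
                return m, gen
        children = set(pop)
        for a, b in product(pop, pop):
            if a != b:
                children |= crossover(a, b)
        # fittest first; smaller models break ties, then spelling for determinism
        pop = sorted(children, key=lambda m: (-fitness(m, analyses), len(m), m))[:keep]
    return None, generations


if __name__ == "__main__":
    print(sorted(crossover("AAB", "ABB")))
    print(genetic_search(["AAB", "ABB"], [ensure_two_sensors, ensure_redundant_b]))
```

Neither AAB nor ABB is a fixpoint of both analyses, but their hybrid AABB is, and the search finds it in the first generation. Because crossover only recombines what the parents already contain, the search explores models a bounded constraint search might not enumerate, while still giving no guarantee of termination with a fixpoint; the generations budget is what bounds it.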

Page 29: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Summary of Resolution Techniques

Columns: Iterative Execution | Constraint Solving | Genetic Search

Find FP in strong conv.: ✓ ✓ ✓
Verify FP in strong conv.:
Find FP in weak conv.: ✓ ✓
Verify FP in weak conv.:
Find FP in weak div.: ✓ ✓
Verify FP in weak div.:
Find CFP in div.: ✓ ✓
Verify CFP in div.: ✓ ✓
Detect absence of CFP in str. div.: ✓

Page 30: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

Page 31: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems


Future Work

● Other techniques for loop resolution
● Connect analysis contracts to system invariants
— Discharge assumptions with invariants
— Discharge invariants with guarantees
● Experiments on realistic system models

Page 32: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Analytic dependency loops occur in complex systems
— Contract specifications are insufficient to resolve
● This paper explored resolution techniques:
— Iterative execution
— Constraint solving
— Genetic search

Page 33: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● Analysis contracts methodology:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.
● ACTIVE tool for verifying contracts:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. ACTIVE: A Tool for Integrating Analysis Contracts, AVICPS 2014.
● Security and reliability analyses:
— I. Ruchkin, A. Rao, D. De Niz, S. Chaki, D. Garlan. Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach, CPS-SPC 2015.

Page 34: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems



● When to terminate the search?
● What views to use for constraint generation?
● What if no fixpoints/candidates found?
— Involve humans
— Probably irreconcilable requirements
● Resolving vs. avoiding the loop?
● Automated recognition of loop cases?
● General theorems about techniques?