analytic dependency loops in architectural models of cyber-physical systems
TRANSCRIPT
![Page 1: Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems](https://reader035.vdocument.in/reader035/viewer/2022070606/58ad31261a28ab02268b5b6f/html5/thumbnails/1.jpg)
Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems
8th International Workshop on Model-based Architecting of Cyber-Physical and Embedded Systems (ACES-MB)
September 28, 2015, Ottawa, Canada
Ivan Ruchkin, Bradley Schmerl, David Garlan
2
Acknowledgments
● Collaborators:
— Dionisio De Niz (SEI CMU)
— Sagar Chaki (SEI CMU)
— Ashwini Rao (ISR CMU)
● Sponsors:
— NSF
— DoD
— NSA
3
Agenda
● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up
5
Driverless Cars
Image credit: telegraph.co.uk
6
Braking Subsystem Architecture
7
Analyses
11
Analytic Dependencies
12
Dependency Loop Example
13
Dependency Loop
14
Analytic Dependency Loops
● Appear in complex cyber-physical systems
● Important to address
— Currently require expensive manual effort
— May introduce subtle errors into designs
● No up-front, one-size-fits-all solution
— Diverse disciplines and combinations of analyses
— Different project scope and constraints
● Goal: develop concepts and methods for resolving such loops
16
Related Work
● Loops and dependencies in other contexts
— Loop invariants in programming languages [1]
— Deadlocks in dataflow systems [2]
— Dependencies in design [3]
● Model evolution
— Model transformations [4]
— Analysis contracts [5]
[1] P. Cousot and R. Cousot. Automatic synthesis of optimal invariant assertions, SIGART Bulletin 1977.
[2] Y. Zhou and E. Lee. A Causality Interface for Deadlock Analysis in Dataflow, EMSOFT 2006.
[3] A. Qamar. Model and Dependency Management in Mechatronic Design, PhD Thesis, 2013.
[4] G. Bergmann, I. Ráth, G. Varró, D. Varró. Change-driven model transformations, SoSyM 2011.
[5] I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.
17
Background
● Analysis contract C is a tuple (I, O, A, G):
— Inputs I
— Outputs O
— Assumptions A
— Guarantees G
● Analysis A1 depends on analysis A2 iff:
A1.I ∩ A2.O ≠ ∅
19
Fixpoints
● System model M is a fixpoint (FP)
— For analysis A if: A(M) = M
— For dependency loop A1..AN if: ∀i:1..N · Ai(M) = M
— “A solution to a loop”
● System model M is a candidate fixpoint (CFP)
— For analysis A if: M ⊨ A.G
— For dependency loop A1..AN if: ∀i:1..N · M ⊨ Ai.G
— “Almost a solution to a loop”
20
Cases of Dependency Loops
C1. Strong convergence
— FP exists, and is reachable by any sequence of analyses
C2. Weak convergence
— FP exists, and is reachable by some sequence of analyses
C3. Weak divergence
— FP exists, but is not reachable by any sequence of analyses
C4. Divergence
— FP does not exist, but CFP exists
C5. Strong divergence
— Neither FP nor CFP exists
21
Example: Strong & Weak Convergence
22
Example: Weak Divergence & Divergence
24
Approach
1. Use rich multi-view model
2. Find a fixpoint (or candidate)
3. Verify that a model is a fixpoint
25
Multi-View Architecture
26
Technique 1: Iterative Execution
● Execute analyses in some sequence
— Random
— Contract-guided
— Model order-guided
● Applicability: strong and weak convergence
● Pros:
— Simple, accessible
— Can verify fixpoints
● Cons:
— Computationally expensive
— Heuristic, no guarantees
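The dependency test from the Background slide (A1.I ∩ A2.O ≠ ∅), the fixpoint check A(M) = M, and iterative execution of a loop, as an added Python example that is not from the slides or the authors' tooling. The two-analysis loop (a scheduling analysis that sets a task period from CPU load and a control analysis that re-derives load from the period), its model fields, contracts and the step bound are constructed assumptions; an inverted variant shows what a loop without a fixpoint looks like to this heuristic.

```python
# Constructed example: two analyses that read each other's outputs form a
# loop; iterative execution (Technique 1) runs them in sequence until a FP.
# Contracts list only the I and O parts; A and G are omitted for brevity.
CONTRACTS = {
    "sched":  {"I": ["load"],   "O": ["period"]},
    "ctrl":   {"I": ["period"], "O": ["load"]},
    "safety": {"I": ["period"], "O": ["deadline_ok"]},   # reads, never feeds back
}

def depends_on(c1, c2):
    """A1 depends on A2 iff A1.I ∩ A2.O ≠ ∅ (definition from the Background slide)."""
    return bool(set(c1["I"]) & set(c2["O"]))

def find_loops(contracts):
    """Pairs of analyses that depend on each other (two-analysis loops)."""
    names = sorted(contracts)
    return [(a, b) for a in names for b in names
            if a < b and depends_on(contracts[a], contracts[b])
            and depends_on(contracts[b], contracts[a])]

def sched(m):
    """Constructed rule: a heavier CPU load (%) gets a longer task period (ms)."""
    return {**m, "period": 200 if m["load"] > 50 else 100}

def ctrl(m):
    """Constructed rule: derived load tracks the period; a fixpoint exists."""
    return {**m, "load": 60 if m["period"] >= 150 else 40}

def ctrl_inverted(m):
    """Constructed rule, inverted: no model satisfies both sched and ctrl."""
    return {**m, "load": 40 if m["period"] >= 150 else 60}

def is_fixpoint(m, analyses):
    """M is a FP of loop A1..AN iff Ai(M) = M for every i (Fixpoints slide)."""
    return all(f(m) == m for f in analyses)

def iterate(m, analyses, max_steps=10):
    """Technique 1: execute the loop in the given order until a FP or the bound.

    Returns (fixpoint, steps_taken), or (None, max_steps) when the bound is
    hit, which is all this heuristic can report for a divergent loop.
    """
    for step in range(max_steps):
        if is_fixpoint(m, analyses):
            return m, step
        for f in analyses:
            m = f(m)
    return None, max_steps
```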
27
Technique 2: Constraint Solving
● Generate a constraint satisfaction problem
— Using architectural model and guarantees
— Does not execute analyses
● Applicability:
— Finds CFP in all cases except strong divergence
— Demonstrates absence of CFP in strong divergence
● Pros:
— Exhaustive search within bounds
● Cons:
— Results need to be verified with a different method
— Relies on model translation to a constraint language
28
Technique 3: Genetic Search
● Derive hybrids of models
— Crossover: M1 × M2 = M1 ⊕ M2 ∪ {m | m ⊆ M1 ∩ M2}
– E.g., AAB × ABB = {AB, AAB, ABB, AABB}
● Applicability:
— Find FP in convergence and weak divergence
— Find CFP in divergence
● Pros:
— Can find FPs/CFPs beyond constraint solving bounds
● Cons:
— Heuristic, no guarantees
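The crossover step of Technique 3 on models written as multisets of letters, as in the slide's AAB × ABB example, plus a filter that keeps only hybrids that are candidate fixpoints in the sense of the Fixpoints slide (M ⊨ A.G for every guarantee). This is an added example, not the authors' code; it assumes ⊕ is the multiset symmetric difference, so that each hybrid is (M1 ⊕ M2) ∪ m for one sub-multiset m ⊆ M1 ∩ M2, a reading that reproduces the slide's result. The guarantee predicates are constructed stand-ins for the G part of a contract.

```python
from collections import Counter
from itertools import product

def crossover(m1, m2):
    """Return the set of all hybrids of two models (strings of elements).

    Assumption (consistent with AAB x ABB = {AB, AAB, ABB, AABB}): a hybrid is
    the multiset symmetric difference M1 ⊕ M2 plus one sub-multiset m of the
    intersection M1 ∩ M2, for every such m.
    """
    c1, c2 = Counter(m1), Counter(m2)
    common = c1 & c2                 # M1 ∩ M2 as a multiset
    diff = (c1 - c2) + (c2 - c1)     # M1 ⊕ M2: elements not shared by both
    keys = sorted(common)
    hybrids = set()
    # Enumerate every sub-multiset m of the intersection: 0..count of each element.
    for counts in product(*(range(common[k] + 1) for k in keys)):
        m = Counter(dict(zip(keys, counts)))
        hybrids.add("".join(sorted((diff + m).elements())))
    return hybrids

def candidate_hybrids(m1, m2, guarantees):
    """Hybrids that are candidate fixpoints: every guarantee holds on the model.

    guarantees: list of predicates over a model string (constructed stand-in
    for the G part of each analysis contract).
    """
    return {h for h in crossover(m1, m2) if all(g(h) for g in guarantees)}
```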
29
Summary of Resolution Techniques
Columns: Case | Iterative Execution | Constraint Solving | Genetic Search
Find FP in strong conv.: ✓ ✓ ✓
Verify FP in strong conv.: ✓
Find FP in weak conv.: ✓ ✓
Verify FP in weak conv.: ✓
Find FP in weak div.: ✓ ✓
Verify FP in weak div.: ✓
Find CFP in div.: ✓ ✓
Verify CFP in div.: ✓ ✓
Detect absence of CFP in str. div.: ✓
31
Future Work
● Other techniques for loop resolution
● Connect analysis contracts to system invariants
— Discharge assumptions with invariants
— Discharge invariants with guarantees
● Experiments on realistic system models
32
Summary
● Analytic dependency loops occur in complex systems
— Contract specifications are insufficient to resolve them
● This paper explored resolution techniques:
— Iterative execution
— Constraint solving
— Genetic search
33
References
● Analysis contracts methodology:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.
● ACTIVE tool for verifying contracts:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. ACTIVE: A Tool for Integrating Analysis Contracts, AVICPS 2014.
● Security and reliability analyses:
— I. Ruchkin, A. Rao, D. De Niz, S. Chaki, D. Garlan. Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach, CPS-SPC 2015.
34
Q&A
● When to terminate the search?
● What views to use for constraint generation?
● What if no fixpoints/candidates are found?
— Involve humans
— Probably irreconcilable requirements
● Resolving vs. avoiding the loop?
● Automated recognition of loop cases?
● General theorems about techniques?