Classification Schemes to Aid in the Analysis of Real-Time Systems
Paul Z. Kolano, Trusted Systems Laboratories, paul.kolano@trustedsyslabs.com
Richard A. Kemmerer, University of California, Santa Barbara
Outline of Presentation
  Introduction
  Brief ASTRAL overview
  Property classifications
  Process classifications
  Transition classifications
  Conclusion
Real-Time Systems
Untimed
+ Concurrency
+ Asynchrony
+ Time
+ Nondeterminism
+ Reactivity
= Difficult to analyze
Proof Assistance Is Needed
  Model checkers
    Automatically check state space for violations
    Need simplifications and manual abstractions
  Theorem provers
    Keep reasoning sound, finish off proof details
    Need human guidance and intuition
  Systematic analysis guidance
    How analysis can be performed based on previous experience
    How each approach can be used most effectively
    How results from different approaches can be combined
How Can Analysis Be Systematized?
  Identify distinct proof patterns
  Identify distinguishing features of system specifications that result in each pattern
  Divide and conquer
    Separate specifications with different patterns
    Separate individual proofs into simpler pieces
Testbed Systems
  Bakery algorithm
  Cruise control
  Elevator control system
  Olympic boxing scoring system
  Phone system
  Production cell
  Railroad crossing
  Stoplight control system
  Dimensions covered: small/large, simple/complex, open/closed, deterministic/nondeterministic, assumptions not needed/assumptions needed
Classification Schemes
  Distinct proof styles
  Statically recognizable
  ASTRAL classifications
    Property classifications
    Process classifications
    Transition classifications
Railroad Crossing
[Figure: railroad crossing with sensors, track regions R and I, and trains]
ASTRAL Specification
  One or more process type specifications
    Each defines an abstract state machine
  A global specification
    Defines types, constants, etc. shared among process types
    Defines number of statically generated instances of each process type in the system
  Example: Railroad Crossing specification
    Process types    Process instances
    Gate             1 Gate instance
    Sensor           N_Tracks Sensor instances
Process Type Specification
  Types
  Variables: define state of process
  Initialization: defines initial values
  Transitions: define changes to variable values

  TYPE gate_position: (raised, raising, lowered, lowering)
  VARIABLE position: gate_position
  INITIAL position = raised
  TRANSITION lower
    ENTRY [TIME: lower_dur]
      ~(position = lowering | position = lowered)
      & EXISTS s: sensor_id (s.train_in_R)
    EXIT
      position = lowering
Process Interactions
[Figure: the Railroad Crossing System and its Environment. Sensor 1 through Sensor n_tracks each have enter_R and train_in_R; the Gate has position.]
Specification of Properties
  INVARIANT
    Change(train_in_R, now) & ~train_in_R
    → FORALL t: time
        ( now - ((dist_R_to_I + dist_I_to_out) / max_speed - response_time) ≤ t & t < now
          → past(train_in_R, t))
  ENVIRONMENT
    Call(enter_R, now)
    & EXISTS t: time ( 0 ≤ t & t ≤ now & Call2(enter_R, t))
    → Call(enter_R) - Call2(enter_R) > (dist_R_to_I + dist_I_to_out) / min_speed
  Requirements: invariants, schedules
  Assumptions: environment assumptions, imported variable assumptions
[Figure: processes P1 and P2 with environment assumptions and imported variable assumptions]
Property Classifications
  Untimed properties
  Timed liveness properties
    Forward
    Backward
  Timed safety properties
    Forward
    Backward
Context and Requirement Times
  General form of a property: context → requirement
  Context times are times referenced in the timed operator expressions of the context
  Requirement times are times referenced in the timed operator expressions of the requirement
Example of Context and Requirement Times
  FORALL t: time, s: sensor_id
    ( Change(s.train_in_R, now - dist_R_to_I / max_speed + response_time)
      & past(s.train_in_R, now - dist_R_to_I / max_speed + response_time)
      → EXISTS t: time
          ( now - dist_R_to_I / max_speed + response_time ≤ t & t ≤ now
            & past(position, t) = lowered))
  Context times = {now - dist_R_to_I / max_speed + response_time}
  Requirement times = {t}
Untimed Properties
  Context times and requirement times can only be the current time
  With only local state variables:
    FORALL d: direction ( Circle(d) = green → Arrow(opp(d)) = red)
  With timed operators/imported variables:
    Change(number, now) & Number = 0 → ~In_critical
Untimed Properties With Only Local State Variables
  State variables only change when transitions end
  These properties hold if the exit assertion of each transition preserves the property

  maintaining_speed → cruise_on

  TRANSITION maintain_speed
    ENTRY [TIME: input_dur]
      cruise_on & ~maintaining_speed
    EXIT
      cruise_throttle = throttle & desired_speed = speedometer.speed & maintaining_speed
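As an added example (not from the original slides), the following Python checks exactly this condition for the cruise-control property above: the property must hold in the initial state, and for every transition, every post-state allowed by its exit assertion must satisfy the property whenever the pre-state satisfied it and the entry assertion held. The maintain_speed transition is the one on the slide, reduced to its two boolean variables; the cruise_off transition, its deliberately incomplete variant, the INITIAL values, and the frame rule that a variable not mentioned in EXIT keeps its value are assumptions made for this example.

```python
from itertools import product

# Boolean state variables of the simplified cruise-control process.
VARS = ("cruise_on", "maintaining_speed")


def all_states():
    """Enumerate every assignment of the boolean state variables."""
    for vals in product((False, True), repeat=len(VARS)):
        yield dict(zip(VARS, vals))


def holds_property(s):
    """Untimed property from the slide: maintaining_speed -> cruise_on."""
    return (not s["maintaining_speed"]) or s["cruise_on"]


class Transition:
    """entry: predicate on the pre-state; exit: predicate on (pre, post).

    The exit predicate also encodes the frame rule assumed here: a variable
    not mentioned in EXIT keeps its pre-state value."""

    def __init__(self, name, entry, exit_):
        self.name, self.entry, self.exit = name, entry, exit_


# TRANSITION maintain_speed, as on the slide (local boolean part only).
MAINTAIN_SPEED = Transition(
    "maintain_speed",
    entry=lambda pre: pre["cruise_on"] and not pre["maintaining_speed"],
    exit_=lambda pre, post: post["maintaining_speed"]
    and post["cruise_on"] == pre["cruise_on"],  # cruise_on not in EXIT: unchanged
)

# Hypothetical cruise_off transition (not on the slide): switching cruise
# off also stops maintaining speed, so the property is preserved.
CRUISE_OFF = Transition(
    "cruise_off",
    entry=lambda pre: pre["cruise_on"],
    exit_=lambda pre, post: not post["cruise_on"] and not post["maintaining_speed"],
)

# Hypothetical defective variant: its EXIT forgets to reset maintaining_speed,
# so maintaining_speed can be true while cruise_on is false.
CRUISE_OFF_BUGGY = Transition(
    "cruise_off_buggy",
    entry=lambda pre: pre["cruise_on"],
    exit_=lambda pre, post: not post["cruise_on"]
    and post["maintaining_speed"] == pre["maintaining_speed"],
)

# Assumed INITIAL clause for the example.
INITIAL = {"cruise_on": False, "maintaining_speed": False}


def check_invariant(prop, initial, transitions):
    """Inductive check of an untimed property over local state only.

    Returns a list of counterexamples: ("initial", state) if the property
    fails initially, or (transition name, pre, post) when a transition's
    exit assertion does not preserve it."""
    failures = []
    if not prop(initial):
        failures.append(("initial", initial))
    for tr in transitions:
        for pre in all_states():
            # Only enabled transitions from states satisfying the property
            # matter for the inductive argument.
            if not (prop(pre) and tr.entry(pre)):
                continue
            for post in all_states():
                if tr.exit(pre, post) and not prop(post):
                    failures.append((tr.name, pre, post))
    return failures


if __name__ == "__main__":
    print(check_invariant(holds_property, INITIAL, [MAINTAIN_SPEED, CRUISE_OFF]))
    print(check_invariant(holds_property, INITIAL, [MAINTAIN_SPEED, CRUISE_OFF_BUGGY]))
```

With the well-formed transitions the check returns no counterexamples; with the defective cruise_off variant it reports the single pre-state (cruise_on, maintaining_speed both true) from which the exit assertion leads to a state violating maintaining_speed → cruise_on, which is exactly the proof obligation the slide describes failing.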
Forward vs. Backward
  Forward: EXISTS ct: context time FORALL rt: requirement time ( ct ≤ rt )
    FORALL t: time, s: sensor_id
      ( Change(s.train_in_R, now - dist_R_to_I / max_speed + response_time)
        & past(s.train_in_R, now - dist_R_to_I / max_speed + response_time)
        → EXISTS t: time
            ( now - dist_R_to_I / max_speed + response_time ≤ t & t ≤ now
              & past(position, t) = lowered))
  Backward: EXISTS rt: requirement time FORALL ct: context time ( rt ≤ ct )
    Change(train_in_R, now) & ~train_in_R
    → FORALL t: time
        ( now - ((dist_R_to_I + dist_I_to_out) / max_speed - response_time) ≤ t & t < now
          → past(train_in_R, t))
Forward vs. Backward
  The execution tree of a process
[Figure: the execution tree of a process, drawn along a time axis]
Safety vs. Liveness
  Safety properties
    Must hold at all times in an interval
    Can abstract away details of execution
  Liveness properties
    Must hold at least once in an interval
    Must derive exact executions
Safety Properties
  Change(train_in_R, now) & ~train_in_R
  → FORALL t: time
      ( now - ((dist_R_to_I + dist_I_to_out) / max_speed - response_time) ≤ t & t < now
        → past(train_in_R, t))

  TRANSITION exit_I
    ENTRY [TIME: exit_dur]
      train_in_R
      & now - Start(enter_R) ≥ (dist_R_to_I + dist_I_to_out) / min_speed - exit_dur
    EXIT
      ~train_in_R
[Figure: timeline from now - ((dist_R_to_I + dist_I_to_out) / max_speed - response_time) to now, marking where enter_R changes train_in_R and where exit_I changes train_in_R to ~train_in_R]
Liveness Properties
  FORALL t: time, s: sensor_id
    ( Change(s.train_in_R, now - dist_R_to_I / max_speed + response_time)
      & past(s.train_in_R, now - dist_R_to_I / max_speed + response_time)
      → EXISTS t: time
          ( now - dist_R_to_I / max_speed + response_time ≤ t & t ≤ now
            & past(position, t) = lowered))
[Figure: execution tree of the Gate process from now - dist_R_to_I / max_speed + response_time, where s.train_in_R changes, to now, where position = lowered. Branches show the transitions raise, lower, up and down firing, and the process idle with position = raised, raising, lowering or lowered.]
Property Classifications of Testbed Systems
(U = untimed, FS = forward safety, FL = forward liveness, BS = backward safety, BL = backward liveness)

System              Requirements             Assumptions              Total
                    U    FS   FL   BS   BL   U    FS   FL   BS   BL
Bakery Algorithm    11   1    0    0    1    3    1    0    0    1    18
Cruise Control      5    0    2    0    0    0    0    0    0    0    7
Elevator            8    0    8    0    3    2    9    0    0    3    33
Olympic Boxing      8    2    0    0    1    1    5    0    0    0    17
Phone               26   14   0    0    0    0    8    0    0    7    55
Production Cell     32   3    6    0    8    0    1    4    0    4    58
Railroad Crossing   0    7    0    1    0    0    2    0    1    0    11
Stoplight           17   4    0    0    2    0    0    0    0    0    23
Total               107  31   16   1    15   6    26   4    1    15   222
Process Classifications
  Multi-threaded process
  Iterative single-threaded process
  Simple single-threaded process
Multi-Threaded Process
  Multiple independent threads interleaved on a single process
[Figure: central control process with two interleaved threads. Thread 1: PD PD PD PD ERB ERB ST. Thread 2: GDT PD PD PD PC DRBP DRBP TC.]
Liveness Properties in a Multi-Threaded Process
  Must take scheduling policy into account
  Example: fixed priority scheduling
[Figure: timeline from "context holds" to "requirement holds" labelled max response time, made up of max p1 transitions * max p1 duration, max p2 transitions * max p2 duration, ..., max pn transitions * max pn duration. Legend: property, thread, transition.]
Iterative Single-Threaded Process
  Cyclic behavior with stored iteration count
[Figure: elevator system with floor button panel, elevator button panel and elevator]
Liveness Properties in an Iterative Single-Threaded Process
  Properties may need to be proved between arbitrary values of the iteration count
[Figure: timeline from "context holds" to "requirement holds" labelled max response time, made up of the time to the first full iteration, max iterations * max iteration time, and the time from the last full iteration to the requirement]
Simple Single-Threaded Process
  May have cyclic behavior, but iteration count not stored
  Properties usually need to be proved over only a single full cycle
[Figure: railroad crossing with sensors, track regions R and I, and trains]
Process Classifications of Testbed Systems
  Multi-threaded processes (2/25)
    Central_Control (phone system)
    Controller (stoplight control system)
  Iterative single-threaded processes (4/25)
    Elevator (elevator control system)
    Proc (bakery algorithm)
    Timer and Tabulate (Olympic boxing system)
  Simple single-threaded processes (19/25)
Transition Classifications
  Transition enablement factors
    Local state (L)
    External environment (E)
    Imported state (O)
    Current time (T)
  Eight classifications based on these factors: L, E, O, T, EO, ET, OT, EOT

  TRANSITION lower
    ENTRY [TIME: lower_dur]
      ~(position = lowering | position = lowered)
      & EXISTS s: sensor_id (s.train_in_R)
    EXIT
      position = lowering
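As an added example (not from the original slides), the Python below classifies a transition from the text of its ENTRY assertion into the eight classes named on the slide. The mapping it uses is an assumption of this example, not ASTRAL's definition: a dotted name such as s.train_in_R counts as imported state (O), the token now counts as current time (T), and a transition counts as depending on the external environment (E) if it is exported, i.e. fired by a call from the environment, or if its entry mentions the Call/Call2 operator; anything else is local state only (L). The lower, exit_I and maintain_speed entries are taken from the slides; the entry text given for enter_R and the serve_request transition are constructed for the example.

```python
import re
from collections import Counter

# Lexical patterns used by this example (an assumption, not ASTRAL's grammar):
#   E: the Call/Call2 timed operator refers to the external environment
#   O: a dotted name such as s.train_in_R reads another process's variable
#   T: the current time 'now'
#   L: local state only, when none of the above appear
ENV_RE = re.compile(r"\bCall2?\s*\(")
IMPORTED_RE = re.compile(r"\b[A-Za-z_]\w*\.[A-Za-z_]\w*\b")
TIME_RE = re.compile(r"\bnow\b")


def classify_entry(entry, exported=False):
    """Return one of L, E, O, T, EO, ET, OT, EOT for an ENTRY assertion.

    exported=True marks a transition that the environment fires by calling
    it, which makes its enablement depend on the environment (E)."""
    factors = ""
    if exported or ENV_RE.search(entry):
        factors += "E"
    if IMPORTED_RE.search(entry):
        factors += "O"
    if TIME_RE.search(entry):
        factors += "T"
    return factors or "L"


def count_classes(transitions):
    """Count transitions per class, like one row of the testbed table.

    transitions: iterable of (name, entry_text, exported)."""
    return Counter(classify_entry(entry, exported) for _, entry, exported in transitions)


# ENTRY assertions from the slides (railroad crossing and cruise control).
LOWER_ENTRY = (
    "~(position = lowering | position = lowered)"
    " & EXISTS s: sensor_id (s.train_in_R)"
)
EXIT_I_ENTRY = (
    "train_in_R & now - Start(enter_R) >="
    " (dist_R_to_I + dist_I_to_out) / min_speed - exit_dur"
)
MAINTAIN_SPEED_ENTRY = "cruise_on & ~maintaining_speed"

# Constructed for this example: an entry mixing all three factors.
CONSTRUCTED_EOT_ENTRY = "Call(request, now) & other.ready & now - End(serve) >= delay"

# Sample transition list. enter_R is exported on the slides; its entry text
# here is assumed, and serve_request is hypothetical.
SAMPLE = [
    ("lower", LOWER_ENTRY, False),
    ("exit_I", EXIT_I_ENTRY, False),
    ("maintain_speed", MAINTAIN_SPEED_ENTRY, False),
    ("enter_R", "TRUE", True),
    ("serve_request", CONSTRUCTED_EOT_ENTRY, False),
]


if __name__ == "__main__":
    for name, entry, exported in SAMPLE:
        print(f"{name:15s} {classify_entry(entry, exported)}")
    print(dict(count_classes(SAMPLE)))
```

Run on the sample list, lower is classified O and exit_I is classified T, matching the two Railroad Crossing transitions shown on the slides; maintain_speed is L, the exported enter_R is E, and the constructed serve_request is EOT. Because the classes are recognised purely from the text of the ENTRY assertion, the classification can be made statically, before any proof is attempted, which is the point the slides make about the schemes.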
Determining Transition Delays
  e.g., L transitions
    Local state only changes when transitions end
    Must immediately follow previous transition
  e.g., T transitions
    Delayed from some local state/event, e.g., now - End(trans1) ≥ delay1
  Other transition types
    Examine relevant clauses
Transition Classifications of Testbed Systems
System L E O T EO ET OT EOT Total
Bakery Algorithm 4 0 1 1 0 0 0 0 6
Cruise Control 2 9 2 1 0 0 0 0 14
Elevator 0 3 4 3 0 0 2 0 12
Olympic Boxing 0 0 2 2 0 0 1 1 6
Phone 0 2 16 0 7 0 5 0 30
Production Cell 14 0 11 20 0 0 10 1 56
Railroad Crossing 0 1 2 3 0 0 0 0 6
Stoplight 0 2 4 0 0 0 18 0 24
Total 20 17 42 30 7 0 36 2 154
Conclusions
  Three classification schemes were developed from existing specifications
    Property classifications
    Process classifications
    Transition classifications
  Statically recognizable
  Each aids in the proof process
Future Work
  Examine more real-time systems
    Are there additional classification schemes that are useful?
  Examine other specification languages
    Are the existing classification schemes applicable to many specification languages?
The End
For complete details, see dissertation...
http://www.cs.ucsb.edu/~kolano