Engineering High- Assurance Software for Distributed Adaptive Real- Time Systems

Similar documents
Modeling, Verifying, and Generating Software for Distributed Cyber- Physical Systems using DMPL and AADL

Verifying Distributed Adaptive Real-Time (DART) Systems

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Collaborative Autonomy with Group Autonomy for Mobile Systems (GAMS)

SEI/CMU Efforts on Assured Systems

Verifying Periodic Programs with Priority Inheritance Locks

Semantic Importance Sampling for Statistical Model Checking

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Modeling the Implementation of Stated-Based System Architectures

Effecting Large-Scale Adaptive Swarms Through Intelligent Collaboration (ELASTIC)

Providing Information Superiority to Small Tactical Units

Inference of Memory Bounds

Fall 2014 SEI Research Review Verifying Evolving Software

OSATE Analysis Support

Foundations for Summarizing and Learning Latent Structure in Video

Advancing Cyber Intelligence Practices Through the SEI s Consortium

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

Defining Computer Security Incident Response Teams

Analyzing 24 Years of CVD

ARINC653 AADL Annex Update

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

Design Pattern Recovery from Malware Binaries

Panel: Future of Cloud Computing

Causal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs

The CERT Top 10 List for Winning the Battle Against Insider Threats

Denial of Service Attacks

Cyber Threat Prioritization

Automated Provisioning of Cloud and Cloudlet Applications

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

Julia Allen Principal Researcher, CERT Division

Roles and Responsibilities on DevOps Adoption

Investigating APT1. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Deana Shick and Angela Horneman

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Flow Analysis for Network Situational Awareness. Tim Shimeall January Carnegie Mellon University

Time-Bounded Analysis of Real- Time Systems

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

Situational Awareness Metrics from Flow and Other Data Sources

Engineering Improvement in Software Assurance: A Landscape Framework

SEI Research Review Project Summaries and Posters

2013 US State of Cybercrime Survey

Smart Grid Maturity Model

Encounter Complexes For Clustering Network Flow

Prioritizing Alerts from Static Analysis with Classification Models

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

Information Security Is a Business

ICCPS On Resource Overbooking in an Unmanned Aerial Vehicle. Dionisio de Niz, 1 Lutz Wrage, 2 Nathaniel Storer, 2

Software Assurance Education Overview

Model Checking with Automata An Overview

Static Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT

NO WARRANTY. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder.

Cyber Hygiene: A Baseline Set of Practices

10 Years of FloCon. Prepared for FloCon George Warnagiris - CERT/CC #GeoWarnagiris Carnegie Mellon University

Passive Detection of Misbehaving Name Servers

Flow Latency Analysis with the Architecture Analysis and Design Language (AADL)

Components and Considerations in Building an Insider Threat Program

Researching New Ways to Build a Cybersecurity Workforce

AirTight: A Resilient Wireless Communication Protocol for Mixed- Criticality Systems

The Need for Operational and Cyber Resilience in Transportation Systems

Model-based Architectural Verification & Validation

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Using CERT-RMM in a Software and System Assurance Context

Current Threat Environment

Priya Narasimhan. Assistant Professor of ECE and CS Carnegie Mellon University Pittsburgh, PA

Tools for Formally Reasoning about Systems. June Prepared by Lucas Wagner

Software verification for ubiquitous computing

Pattern-Based Analysis of an Embedded Real-Time System Architecture

An Information Model for High-Integrity Real Time Systems

Using DidFail to Analyze Flow of Sensitive Information in Sets of Android Apps

Model checking Timber program. Paweł Pietrzak

Cover Page. The handle holds various files of this Leiden University dissertation

Elements of a Usability Reasoning Framework

Pharos Static Analysis Framework

Predictable Interrupt Management and Scheduling in the Composite Component-based System

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

QuartzV: Bringing Quality of Time to Virtual Machines

Programmable Peer-to-Peer Systems

Dr. Kenneth E. Nidiffer Director of Strategic Plans for Government Programs

The Montana Toolset: OSATE Plugins for Analysis and Code Generation

An Advanced Graph Processor Prototype

Industrial Multicore Software with EMB²

Program Verification (6EC version only)

The Insider Threat Center: Thwarting the Evil Insider

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

Providing Real-Time and Fault Tolerance for CORBA Applications

ENABLING AND (IN MY HUMBLE OPINION) ESSENTIAL TECHNOLOGIES FOR DEPENDABILITY BENCHMARKING. William H. Sanders

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Parallel Scheduling for Cyber-Physical Systems: Analysis and Case Study on a Self-Driving Car

An Incident Management Ontology

Mixed Critical Architecture Requirements (MCAR)

The ComFoRT Reasoning Framework

Carnegie Mellon University Notice

Self-Adaptive Middleware for Wireless Sensor Networks: A Reference Architecture

F6 Model-driven Development Kit (F6MDK)

The Priority Ceiling Protocol: A Method for Minimizing the Blocking of High-Priority Ada Tasks

MURPHY S COMPUTER LAWS

AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment

Multiprocessor and Real-Time Scheduling. Chapter 10

Five Keys to Agile Test Automation for Government Programs

This project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No

Transcription:

Engineering High- Assurance Software for Distributed Adaptive Real- Time Systems Sagar Chaki, Dionisio de Niz, Mark Klein Software Solutions Conference 2015 November 16 18, 2015

Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-us Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. DM-0003053 2

Motivation Distributed Adaptive Real-Time (DART) systems are key to many areas of DoD capability (e.g., autonomous multi-uas missions) with civilian benefits. However achieving high assurance DART software is very difficult Concurrency is inherently difficult to reason about. Uncertainty in the physical environment. Autonomous capability leads to unpredictable behavior. Assure both guaranteed and probabilistic properties. Verification results on models must be carried over to source code. High assurance unachievable via testing or ad-hoc formal verification Goal: Create a sound engineering approach for producing highassurance software for Distributed Adaptive Real-Time (DART) 3

DART Approach 1. Enables compositional and requirement specific verification 2. Use proactive self-adaptation and mixed criticality to cope with uncertainty and changing context 1. ZSRM Schedulability (Timing) 2. Software Model Checking (Functional) 3. Statistical Model Checking (Probabilistic) System + Properties (AADL + DMPL) Verification Code Generation Brings Assurance to Code 1. Middleware for communication 2. Scheduler for ZSRM 3. Monitor for runtime assurance Demonstrate on DoD-relevant model problem (DART prototype) Engaged stakeholders Technical and operational validity 4

Example: Self-Adaptive and Coordinated UAS Protection High Hazard Area Loose Formation Tight Formation Adaptation: Formation change (loose tight) Loose: fast but high leader exposure Tight: slow but low leader exposure Challenge: compute the probability of reaching end of mission in time while never reducing protection to less than. Challenge: compare between different adaptation strategies. Solution: Statistical model checking (SMC) Low Hazard Area 5

Example: Self-Adaptive and Coordinated UAS Protection High Hazard Area Loose Formation Tight Formation Adaptation: Formation change (loose tight) Loose: fast but high leader exposure Video Low Hazard Area Tight: slow but low leader exposure 6

Combine model checking & hybrid analysis to ensure end-to-end CPS correctness Constrain the system structure and behavior to facilitate tractable analysis and code generation Functional Verification Architecture Ensures high-critical tasks meet their deadlines despite CPU overload ZSRM Scheduling DMPL AADL Program DART systems and specify properties in a precise manner Efficient middleware provides distributed shared variables with well-defined data consistency MADARA Statistical Model Checking Evaluate adaptation strategy quality over mission lifetime Proactive Self- Adaptation Use probabilistic model checker to repeatedly compute optimal adaptation strategies with bounded lookahead 7

Software for guaranteed requirements, e.g., collision avoidance protocol must ensure absence of collisions Software for probabilistic requirements, e.g., adaptive pathplanner to maximize area coverage within deadline High Critical Threads (HCTs) Low Critical Threads (LCTs) MADARA Middleware ZSRM Mixed-Criticality Scheduler OS/Hardware Baked into the programming languages used Sensors & Actuators Environment network, sensors, atmosphere, ground etc. Distributed Shared Memory H C T L C T MADARA Sched OS/HW Design constraint enables analysis tractability 8

System Architecture for Demo Leader Threads Protector Threads Collision Avoidance Waypoint Adaptation Manager Collision Avoidance Waypoint MADARA Middleware ZSRM Mixed-Criticality Scheduler OS/Hardware MADARA Middleware ZSRM Scheduler OS/Hardware 9

AADL : Architecture Analysis and Description Language DMPL : DART Modeling and Programming Language AADL : High level architecture + threads + real-time attributes Perform ZSRM schedulability via OSATE Plugin Generate appropriate DMPL annotations DMPL : Behavior Roles : leader, protector Functions : mapped to real-time threads Period, priority, criticality (generated from AADL) C-style syntax. Invoke external libraries and components Functional properties (safety) : software model checking Probabilistic properties (expectation) : statistical model checking AADL and DMPL supports the right level of abstraction at architecture and code level to formally reason about DART systems 10

https://github.com/cps-sei/dart DART Modeling and Programming Language (DMPL) Domain-Specific Language for DART programming and verifying C-like syntax Balances expressivity with precise semantics Supports formal assertions usable for model checking and probabilistic model checking Physical and logical concurrency can be expressed in sufficient detail to perform timing analysis Can invoke external libraries and components Generates C++ targeted at a variety of platforms Developed syntax, semantics, and compiler AADL and DMPL supports the right level of abstraction at architecture and code level to formally reason about DART systems 11

Proactive Self-Adaptation via MAPE-K Analyze Plan Monitor Knowledge Execute Target system MAPE-K Emerged from Autonomic Computing Community [Kephart 2003] 12

Self-Adaptation in DART Some aspects of the environment are unknown before the mission execution for example, the threat level of different areas the environment conditions are discovered as the mission progresses it s not possible to plan everything in advance Need for proactive adaptation Adaptations may take time (e.g., formation change), so they have to be started proactively Decisions taken at any point impact future outcomes (e.g., higher fuel consumption reduces range) Current solution based on constructing a MDP and using probabilistic model checking to find the best strategy at each adaptation point Exploring integration with Machine Learning techniques 13

Adaptation using a Markov Decision Process Stochastic model of the environment updated at run time Time over the decision horizon environment High-level system properties relevant to computing objective function tactic 1 tactic 1 _end clock tick... system tactic N tactic N _end self-adaptive system Starting tactic or not is a nondeterministic choice module System model reflects effect of tactic when tactic completes shared action 14

t=0 T 1 T 2 system environment p 1 p 2 p 3 p 1 p 2 p 3 t=1 non-deterministic T 1 T 2 T 1 T 2 T 1 T 2 T 1 T 2 T 1 T 2 T 1 T 2 probabilistic deterministic t=0 PRISM strategy synthesis T 2 Resolves nondeterministic choices to maximize expected value of objective function t=1 First choice independent of subsequent environment transitions T 1 p 1 p 2 p 3 T 1 T 2 Ongoing work: replace probabilistic model checking with dynamic programming for speed. 15

DMPL Program with random inputs Probabilistic Property encoded in DMPL Statistical Model Checker Target relative error Estimated Probability that with relative error Probability estimate for each property evaluated via Bernoulli Trials Number of trials required to estimate probability of a property depends on desired relative error (ratio of standard deviation to mean) true probability of the property Running trials in parallel reduces required simulation time. SMC Client invokes Vrep simulation on each node. SMC Aggregator collects results and determines if precision is met. Simulations run in batches to prevent simulation time bias. Importance sampling (focuses simulation effort on faults) Statistical MC Overview 16

(DMPL) (DMPL) DMPL Compiler dmplc DART Statistical MC Workflow Executable Log Generator Log Analyzer SMC Client Log (1 per node) One Bernoulli Trial SMC Aggregator Result 17

Statistical Model Checking of Distributed Adaptive Real-Time Software. David Kyle, Jeffery Hansen, Sagar Chaki. In Proc. of Runtime Verifcation 2015 SMC Client Batch Log and Analyze log-gen log-gen log-gen loganalyze log- loganalyzanalyze SMC Aggregator DART Distributed Statistical MC Future Work: Importance Sampling to reduce number of simulations needed for rare events. acceptable? Update and Each run of log-generator and loganalyzer occurs on a Virtual Machine. Multiple such VMs run in parallel on HPC platform. Clients can be added and removed on-the-fly. 18

Statistical MC Results Total Coverage Protected Area Leader Protectors Single Protector Coverage 19

MADARA: A Middleware for Distributed AI More information at http://madara.sourceforge.net OS/file Native User Functions Legend Logger User OS/file System Calls Filters KaRL Transport User Code Knowledge Base Transport Network Threads Bandwidth Monitor Packet Scheduler MADARA Architecture 20

GAMS: Group Autonomy for Mobile Systems 1. Built directly on top of MADARA (https://github.com/jredmondson/gams) 2. Utilizes MAPE loop (IBM autonomy construct) 3. Provides extensible platform, sensor, and algorithm support 4. Uses new MADARA feature called Containers, which support object-oriented programming of the Knowledge Base GAMS Architecture 21

Zero-Slack Rate Monotonic (ZSRM) software stack ZSRM Schedulability Analysis as AADL/OSATE Plugin ZSRM Scheduler as Linux Kernel Module ZSRM Priority & Criticality Ceiling Mutexes Pipelined ZSRM Based on pipelines that allows parallel execution of multiple tasks in different stages. Avoids assuming all tasks start together in all stages Reduces the end-to-end response time and improves utilization Paper submitted to RTAS 16 CPU1 CPU2 task1 task2 task1 Parallel execution task2 22

Verifying cyber & physical behavior Combining model checking of collision-avoidance protocol with reachability analysis of control algorithms via assume-guarantee reasoning Prove application-controller controller contract for unbounded time Application Assume- Guarantee Contract Previously limited to bounded verification only Prove controller-platform contract via hybrid reachability analysis Controller Proof of collision avoidance Done by AFRL Working on automation and asynchronous model of computation Platform DART Node Assume- Guarantee Contract 23

Distributed Application Assume Synchronous Model of Computation DMPL Program Safety Specification Sequentialization Single-Threaded C Program Software Model Checking (CBMC, BLAST etc.) Round Invariants Interactive Verification of at Source Code Level Generated C Program // INVAR : inductive invariant void main() { INIT(); // initialization assert(invar); // base case HAVOC(); // assign all variable ND CPROVER_assume(INVAR); // IH ROUND_NODE_1(); ROUND_NODE_k(); assert(invar); // inductive check } Failure Success Ongoing work: more automation, moving to asynchronous model of computation. 24

Transition and application to realistic systems Logical Isolation between Verified and Unverified Code Big Trusted Computing Base (Compilers, Operating Systems, Middleware) Discovered more complexity and nuances about mixed-criticality scheduling (end-to-end) Importance sampling for distributed systems Longer term: Ultra-Large Scale, Fault-Tolerance, Runtime Assurance, Security 25

Summary Distributed Adaptive Real-Time (DART) systems promise to revolutionize several areas of DoD capability (e.g., autonomous systems). We want to create a sound engineering approach for producing high-assurance software for DART Systems, and demonstrate on stakeholder guided examples. Team Bjorn Andersson Bud Hammons Gabriel Moreno Jeffery Hansen Scott Hissam Sagar Chaki Mark Klein Arie Gurfinkel David Kyle James Edmondson Dionisio de Niz https://github.com/cps-sei/dart QUESTIONS? 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback