Modular verification of dynamically adaptive systems

Cyber-physical systems increasingly rely on dynamically adaptive programs to respond to changes in their physical environment; examples include ecosystem monitoring and disaster relief systems. These systems are considered high-assurance since errors during execution could result in injury, loss of life, environmental impact, and/or financial loss. In order to facilitate the development and verification of dynamically adaptive systems, we separate functional concerns from adaptive concerns. Specifically, we model a dynamically adaptive program as a collection of (non-adaptive) steady-state programs and a set of adaptations that realize transitions among steady-state programs in response to environmental changes. We use Linear Temporal Logic (LTL) to specify properties of the non-adaptive portions of the system, and we use A-LTL (an adapt-operator extension to LTL) to concisely specify properties that hold during the adaptation process. Model checking offers an attractive approach to automatically analyzing models for adherence to formal properties and thus providing assurance. However, current model checkers are unable to verify properties specified using A-LTL. Moreover, as the number of steady-state programs and adaptations increases, the verification costs (in terms of space and time) potentially become unwieldy. To address these issues, we propose a modular model checking approach to verifying that a formal model of an adaptive program satisfies its requirements specified in LTL and A-LTL, respectively.
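The decomposition described above (steady-state programs checked against LTL, adaptations checked against A-LTL, each verified once) can be illustrated with a small explicit-state checker. The following Python is an added example written for this page; it is not code from the paper or its authors. It makes two simplifying assumptions that are labelled in the code: properties are restricted to the invariant fragment of LTL (`G p`), and the A-LTL adapt operator `omega ⇀ phi` is read as "omega holds on the whole run before the adaptation fires and phi holds on the whole run after it". The sensor-node model (a full-power and a low-power steady-state program plus one correct and one faulty adaptation) is constructed for illustration.

```python
"""Added example (not from the paper): modular checking of a dynamically adaptive
program modelled as steady-state programs plus adaptations, for the invariant
fragment of LTL ('G p') and an invariant-shaped reading of the A-LTL adapt
operator. All programs, states and properties below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set

State = FrozenSet[str]          # a state is the set of propositions true in it
Prop = Callable[[State], bool]  # a state predicate


def st(*props: str) -> State:
    return frozenset(props)


@dataclass
class SteadyStateProgram:
    """A non-adaptive program as an explicit finite transition system."""
    name: str
    initial: Set[State]
    transitions: Dict[State, Set[State]]

    def reachable(self, start: Set[State]) -> Set[State]:
        """Explicit-state depth-first reachability from `start`."""
        seen, stack = set(start), list(start)
        while stack:
            s = stack.pop()
            for t in self.transitions.get(s, set()):
                if t not in seen:
                    seen.add(t)
                    stack.append(t)
        return seen


@dataclass
class Adaptation:
    """Transition between steady-state programs: may fire in any source state
    satisfying `trigger`; `remap` gives the target-program state entered."""
    source: str
    target: str
    trigger: Prop
    remap: Callable[[State], State]


def holds_globally(prog: SteadyStateProgram, start: Set[State], inv: Prop) -> bool:
    """LTL 'G inv' on every run from `start`: inv must hold in all reachable states."""
    return all(inv(s) for s in prog.reachable(start))


def adapt_holds(programs: Dict[str, SteadyStateProgram], adapt: Adaptation,
                omega: Prop, phi: Prop) -> bool:
    """Assumed reading of A-LTL 'omega adapts-to phi' for invariants omega, phi:
    omega holds on the whole prefix run in the source program (any reachable
    source state may precede the adaptation) and phi holds on the whole suffix
    run in the target program, starting from the states the adaptation enters."""
    src, tgt = programs[adapt.source], programs[adapt.target]
    prefix_states = src.reachable(src.initial)
    if not all(omega(s) for s in prefix_states):
        return False
    entry = {adapt.remap(s) for s in prefix_states if adapt.trigger(s)}
    # an adaptation that can never fire is reported as a failure, not vacuous truth
    return bool(entry) and holds_globally(tgt, entry, phi)


# --- constructed model: a sensor node with a full-power and a low-power mode ---
SAMPLING, REPORTING, SLEEPING = st("sampling"), st("reporting"), st("sleeping")

FULL = SteadyStateProgram("full", {SAMPLING},
                          {SAMPLING: {REPORTING}, REPORTING: {SAMPLING}})
LOWPOWER = SteadyStateProgram("lowpower", {SLEEPING},
                              {SLEEPING: {SAMPLING}, SAMPLING: {SLEEPING}})
PROGRAMS = {p.name: p for p in (FULL, LOWPOWER)}


def never(prop: str) -> Prop:
    """Invariant 'G not prop'."""
    return lambda s: prop not in s


# Correct adaptation: fires only once a report has gone out, lands in SLEEPING.
TO_LOWPOWER = Adaptation("full", "lowpower",
                         trigger=lambda s: "reporting" in s, remap=lambda s: SLEEPING)
# Faulty adaptation: drops into a state the low-power program never defines.
BAD_TO_LOWPOWER = Adaptation("full", "lowpower",
                             trigger=lambda s: "reporting" in s,
                             remap=lambda s: st("sleeping", "reporting"))


def verify(programs, local_props, adapt_props) -> Dict[str, bool]:
    """Modular verification: each steady-state program is checked once against
    its own LTL invariant, each adaptation once against its A-LTL property, so
    the work grows with (#programs + #adaptations) rather than their product."""
    results = {name: holds_globally(programs[name], programs[name].initial, inv)
               for name, inv in local_props.items()}
    for label, (adapt, omega, phi) in adapt_props.items():
        results[label] = adapt_holds(programs, adapt, omega, phi)
    return results


def run_example() -> Dict[str, bool]:
    local = {"full": never("sleeping"), "lowpower": never("reporting")}
    adapt = {"full->lowpower": (TO_LOWPOWER, never("sleeping"), never("reporting")),
             "bad full->lowpower": (BAD_TO_LOWPOWER, never("sleeping"), never("reporting"))}
    return verify(PROGRAMS, local, adapt)


if __name__ == "__main__":
    for label, ok in run_example().items():
        print(f"{label}: {'holds' if ok else 'VIOLATED'}")
```

The faulty adaptation is caught without re-exploring the product of both programs: the checker only visits the source program's reachable states once, then the target program's states from the entry set, which is the cost saving the modular approach is after. Handling full LTL and the real A-LTL semantics would require automata-based checking rather than the invariant shortcut used here.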
