A Case Study on Formal Verification of Self-Adaptive Behaviors in a Decentralized System

Self-adaptation is a promising approach to manage the complexity of modern software systems. A self-adaptive system is able to adapt autonomously to internal dynamics and changing conditions in the environment to achieve particular quality goals. Our particular interest is in decentralized self-adaptive systems, in which central control of adaptation is not an option. One important challenge in self-adaptive systems, in particular those with decentralized control of adaptation, is to provide guarantees about the intended runtime qualities. In this paper, we present a case study in which we use model checking to verify behavioral properties of a decentralized self-adaptive system. Concretely, we contribute with a formalized architecture model of a decentralized traffic monitoring system and prove a number of self-adaptation properties for flexibility and robustness. To model the main processes in the system we use timed automata, and for the specification of the required properties we use timed computation tree logic. We use the Uppaal tool to specify the system and verify the flexibility and robustness properties.Comment: In Proceedings FOCLASA 2012, arXiv:1208.432

Basins of Attraction, Commitment Sets and Phenotypes of Boolean Networks

The attractors of Boolean networks and their basins have been shown to be highly relevant for model validation and predictive modelling, e.g., in systems biology. Yet there are currently very few tools available that are able to compute and visualise not only attractors but also their basins. In the realm of asynchronous, non-deterministic modeling not only is the repertoire of software even more limited, but also the formal notions for basins of attraction are often lacking. In this setting, the difficulty both for theory and computation arises from the fact that states may be ele- ments of several distinct basins. In this paper we address this topic by partitioning the state space into sets that are committed to the same attractors. These commitment sets can easily be generalised to sets that are equivalent w.r.t. the long-term behaviours of pre-selected nodes which leads us to the notions of markers and phenotypes which we illustrate in a case study on bladder tumorigenesis. For every concept we propose equivalent CTL model checking queries and an extension of the state of the art model checking software NuSMV is made available that is capa- ble of computing the respective sets. All notions are fully integrated as three new modules in our Python package PyBoolNet, including functions for visualising the basins, commitment sets and phenotypes as quotient graphs and pie charts

An algorithm and case study for the object oriented abstraction

Model checking of software systems becomes more effective each day. However it still can not handle huge state spaces of real software. Particularly, concurrent systems are hard to verify. Abstraction techniques are one of the solutions aimed at managing the complexity problem. This paper describes the object oriented abstraction algorithm. It allows semi-automatic abstraction of real (i.e. Java) programs. A novelty method for constructing class abstractions is shown. It uses additional program annotations expressed in a formal manner. Proposed techniques are shown in a context of algorithms used in the Bandera toolset. A short case study of this approach is also shown

A Domain Specific Language Based Approach for Generating Deadlock-Free Parallel Load Scheduling Protocols for Distributed Systems

In this dissertation, the concept of using domain specific language to develop errorree parallel asynchronous load scheduling protocols for distributed systems is studied. The motivation of this study is rooted in addressing the high cost of verifying parallel asynchronous load scheduling protocols. Asynchronous parallel applications are prone to subtle bugs such as deadlocks and race conditions due to the possibility of non-determinism. Due to this non-deterministic behavior, traditional testing methods are less effective at finding software faults. One approach that can eliminate these software bugs is to employ model checking techniques that can verify that non-determinism will not cause software faults in parallel programs. Unfortunately, model checking requires the development of a verification model of a program in a separate verification language which can be an error-prone procedure and may not properly represent the semantics of the original system. The model checking approach can provide true positive result if the semantics of an implementation code and a verification model is represented under a single framework such that the verification model closely represents the implementation and the automation of a verification process is natural. In this dissertation, a domain specific language based verification framework is developed to design parallel load scheduling protocols and automatically verify their behavioral properties through model checking. A specification language, LBDSL, is introduced that facilitates the development of parallel load scheduling protocols. The LBDSL verification framework uses model checking techniques to verify the asynchronous behavior of the protocol. It allows the same protocol specification to be used for verification and the code generation. The support to automatic verification during protocol development reduces the verification cost post development. The applicability of LBDSL verification framework is illustrated by performing case study on three different types of load scheduling protocols. The study shows that the LBDSL based verification approach removes the need of debugging for deadlocks and race bugs which has potential to significantly lower software development costs

Schedulability analysis of timed CSP models using the PAT model checker

Timed CSP can be used to model and analyse real-time and concurrent behaviour of embedded control systems. Practical CSP implementations combine the CSP model of a real-time control system with prioritized scheduling to achieve efficient and orderly use of limited resources. Schedulability analysis of a timed CSP model of a system with respect to a scheduling scheme and a particular execution platform is important to ensure that the system design satisfies its timing requirements. In this paper, we propose a framework to analyse schedulability of CSP-based designs for non-preemptive fixed-priority multiprocessor scheduling. The framework is based on the PAT model checker and the analysis is done with dense-time model checking on timed CSP models. We also provide a schedulability analysis workflow to construct and analyse, using the proposed framework, a timed CSP model with scheduling from an initial untimed CSP model without scheduling. We demonstrate our schedulability analysis workflow on a case study of control software design for a mobile robot. The proposed approach provides non-pessimistic schedulability results

Exploring Domain Specific Approaches to Software Model Checking

Model checking has proven to be an effective technology for verification and debugging in hardware domains and more recently in software domains. The major challenges in the application of model checking to software systems are: the mapping of software executables to model checker's input language and the intrinsic complexity of the ever growing software systems. This thesis explores the domain specific model checking approaches to large systems in order to optimize the state space storage for specific domains. Bogor [Bogor 2003] is an extensible, customizable, and highly modular model checking framework that supports general as well as domain specific software model checking. As a part of the thesis, domain specific extensions to Bogor's input language, called Bandera Intermediate Representation (BIR), were implemented by providing a plugin for Eclipse [Eclipse 2004]. Eclipse is a universal platform for tool integration and its plugin development environment facilitates addition of new plugins to the existing ones. Eclipse's extension mechanism is exploited by Bogor. Bogor was installed as an Eclipse plugin and with the help of Eclipse's Plugin Development Environment (PDE), new data types were integrated with the existing Bogor framework. Two case studies ('postfix calculator' using stack extension and 'resource allocation' using multiset extension) were investigated. Various metrics such as number of states, transitions, and maximum depth were analyzed. The complexity of the test cases was increased gradually to test the extensions for feasibility and scalability. The thesis also involves a comprehensive study of some of the well-known model checkers and their features, degree of automation, and input languages. It was observed that customizing the model checker as per domain specifications helped in achieving space reduction. The space reduction is prominent, especially in large domains where it contributes towards state space explosion solution. Although development of extensions is achievable, it requires a working knowledge of Eclipse and specific knowledge of model checking. In conclusion, a domain specific approach for software model checking was demonstrated to be a promising technology. Language extensions to BIR were successfully built and tested for accuracy and scalability.Computer Science Departmen

A model-driven approach to survivability requirements assessment for critical systems

Survivability is a crucial property for those systems – such as critical infrastructures or military Command and Control Information Systems – that provide essential services, since the latter must be operational even when the system is compromised due to attack or faults. This article proposes a model-driven method and a tool –MASDES– to assess the survivability requirements of critical systems. The method exploits the use of (1) (mis)use case technique and UML profiling for the specification of the survivability requirements and (2) Petri nets and model checking techniques for the requirement assessment. A survivability assessment model is obtained from an improved specification of misuse cases, which encompasses essential services, threats and survivability strategies. The survivability assessment model is then converted into a Petri net model for verifying survivability properties through model checking. The MASDES tool has been developed within the Eclipse workbench and relies on Papyrus tool for UML. It consists of a set of plug-ins that enable (1) to create a survivability system view using UML and profiling techniques and (2) to verify survivability properties. In particular, the tool performs model transformations in two steps. First, a model-to-model transformation generates, from the survivability view, a Petri net model and properties to be checked in a tool-independent format. Second, model-to-text transformations produce the Petri net specifications for the model checkers. A military Command and Control Information Systems has been used as a case study to apply the method and to evaluate the MASDES tool, within an iterative-incremental software development process

LTL-based verification of reconfigurable workflows

© 2014 Manuel Mazzara. Logics and model-checking have been successfully used in the last decades for modeling and verification of various types of hardware (and software) systems. While most languages and techniques emerged in a context of monolithic systems with a limited self-adaptability, modern systems require approaches able to cope with dynamically changing requirements and emergent behaviors. The emphasis on system reconfigurability has not been followed by an adequate research effort, and the current state of the art lacks logics and model checking paradigms that can describe and analyze complex modern systems in a comprehensive way. This paper describes a case study involving the dynamic reconfiguration of an office workflow. We state the requirements on a system implementing the workflow and its reconfiguration and we prove workflow reconfiguration termination by providing a compilation of generic workflows into LTL, using the Bound model checker Z{double-strok}ot. The objective of this paper is demonstrating how temporal logics and model checking are effective in proving properties of dynamic, reconfigurable and adaptable systems. This simple case study is just a "proof of concept" to demonstrate the feasibility of our ideas