
    Timed Automata Models for Principled Composition of Middleware

    Middleware for Distributed Real-time and Embedded (DRE) systems has grown more and more complex in recent years due to the varying functional and temporal requirements of complex real-time applications. To enable DRE middleware to be configured and customized to meet the demands of different applications, a body of ongoing research has focused on applying model-driven development techniques to developing QoS-enabled middleware. While current approaches for modeling middleware focus on easing the task of assembling, deploying and configuring middleware and middleware-based applications, a more formal basis for correct middleware composition and configuration in the context of individual applications is needed. While the modeling community has used application-level formal models that are more abstract to uncover certain flaws in system design, a more fundamental and lower-level set of models is needed to be able to uncover more subtle safety and timing errors introduced by interference between application computations, particularly in the face of alternative concurrency strategies in the middleware layer. In this research, we have examined how detailed formal models of lower-level middleware building blocks provide an appropriate level of abstraction both for modeling and synthesis of a variety of kinds of middleware from these building blocks. When combined with model checking techniques, these formal models can help developers in composing correct combinations of middleware mechanisms, and configuring those mechanisms for each particular application.

    A Generative Programming Framework for Adaptive Middleware

    Historically, many distributed real-time and embedded (DRE) systems were developed manually from scratch, leading to stove-piped solutions that, while correct in both functional and QoS properties, were very expensive to develop and difficult to maintain and extend. First-generation middleware technologies such as CORBA 2.x [1], XML [2], and SOAP [3] served to shield application developers from low-level platform details, thus raising the level of abstraction at which distributed systems are developed and supporting reuse of infrastructure to amortize development costs over the lifetime of a system. However, interdependencies between services and object interfaces resulting from these programming models significantly limited the degree of reuse that could be achieved in practice. Component middleware technologies such as the CORBA Component Model (CCM) [4], J2EE [5], and .NET [6] were developed to address many of these limitations. In CCM, for example, standardization of component containers, ports, and homes offered a framework within which reuse of server as well as client infrastructure was facilitated. Component-oriented middleware has addressed a wide range of application domains, but unfortunately for DRE systems, the focus of these technologies has been primarily on functional and not QoS properties. For example, although CCM supports configuration of functional component attributes like their interconnections, key QoS attributes for DRE systems, such as execution times and invocation rates, are inadequately configurable through conventional CCM [7]. Research on QoS-aware component models such as the CIAO project [8, 7] is showing significant promise in making QoS configuration a first-class part of the component programming model, thus further reducing accidental complexities of building DRE systems. However, it is important to note a fundamental difference between configuration of functional and QoS properties even within such a unified component model: the dominant decomposition of functional properties is essentially object-oriented, while the dominant decomposition of QoS properties is essentially aspect-oriented. That is, functional properties tend to be stable with respect to component boundaries and configuration lifecycle stages, while QoS properties tend to cross-cut component boundaries, and may be revised as more information is known in later configuration stages [7]. In this paper, we describe how a focus on aspect frameworks for configuring QoS properties both complements and extends QoS-aware component models. This paper makes three main contributions to the state of the art in DRE systems middleware. First, it describes a simple but representative problem for configuring QoS aspects that cross-cut both architectural layers and system lifecycle boundaries, which motivates our focus on aspect frameworks. Second, it provides a formalization of that problem using first order logic, which both guides the design of aspect configuration infrastructure, and offers a way to connect these techniques with model-integrated computing [9] approaches to further reduce the programming burden on DRE system developers. Third, it describes alternative mechanisms to ensure correct configuration of the aspects involved, and notes the phases of the DRE system lifecycle at which each such configuration mechanism is most appropriate.

    Scheduling Induced Bounds and the Verification of Preemptive Real-Time Systems

    Distributed real-time and embedded (DRE) systems have stringent constraints on timeliness and other properties whose assurance is crucial to correct system behavior. Our previous research has shown that detailed models of essential middleware mechanisms can be developed, composed, and for constrained examples verified tractably, using state of the art timed automata model checkers. However, to apply model checking to a wider range of real-time systems, particularly those involving more general forms of preemptive concurrency, new techniques are needed to address decidability and tractability concerns. This paper makes three contributions to research on formal verification and validation of DRE systems. First, it describes how bounded fair scheduling policies introduce a quasi-cyclic structure in the state space of multi-threaded real-time systems. Second, it shows that bounds on the divergence of threads' execution can be determined for that quasi-cyclic structure, which then can be exploited to reduce the complexity of model checking. Third, it presents a case study involving progress-based fair scheduling of multi-threaded processing pipelines, with which the approach is evaluated.

    Towards a Performance Model for Special Purpose ORB Middleware

    General purpose middleware has been shown effective in meeting diverse functional requirements for a wide range of distributed systems. Advanced middleware projects have also supported single quality-of-service dimensions such as real-time, fault tolerance, or small memory footprint. However, there is limited experience supporting multiple quality-of-service dimensions in middleware to meet the needs of special purpose applications. Even though general purpose middleware can cover an entire spectrum of functionality by supporting the union of all features required by each application, this approach breaks down for distributed real-time and embedded systems. For example, the breadth of features supported may interfere with small memory footprint requirements. In this paper, we describe experiments comparing application-level and mechanism-level real-time performance of a representative sensor-network application running on three middleware alternatives: (1) a real-time object request broker (ORB) for small-footprint networked embedded sensor nodes, that we have named nORB, (2) TAO, a robust and widely-used general-purpose Real-Time CORBA ORB, and (3) ACE, the low-level middleware framework upon which both nORB and TAO are based. This paper makes two main contributions to the state of the art in customized middleware for distributed real-time and embedded applications. First, we present mechanism-level timing measurements for each of the alternative middleware layers and compare them to the observed performance of the sensor-network application. Second, we provide a preliminary performance model for the observed application timing behavior based on the mechanism-level measurements in each case, and suggest further potential performance optimizations that we plan to study as future work.

    Composable Timed Automata Models for Real-Time Embedded Systems Middleware

    Middleware for distributed real-time embedded (DRE) systems has grown more and more complex in recent years, to address functional and temporal requirements of complex real-time applications. While current approaches for modeling middleware have eased the task of assembling, deploying and configuring middleware and applications, a more formal, fundamental and lower-level set of models is needed to be able to uncover subtle safety and timing errors introduced by interference between computations, particularly in the face of alternative concurrency strategies in the middleware layer. In this paper, we examine how formal models of lower-level middleware building blocks provide an appropriate level of abstraction for both modeling and synthesis of a variety of kinds of middleware from these building blocks. When combined with model checking techniques, these formal models can help developers in constructing correct combinations and configurations of middleware mechanisms, for each particular application.

    Reusable Models for Timing and Liveness Analysis of Middleware for Distributed Real-Time and Embedded Systems

    Distributed real-time and embedded (DRE) systems have stringent constraints on timeliness and other properties whose assurance is crucial to correct system behavior. Formal tools and techniques play a key role in verifying and validating system properties. However, many DRE systems are built using middleware frameworks that have grown increasingly complex to address the diverse requirements of a wide range of applications. How to apply formal tools and techniques effectively to these systems, given the range of middleware configuration options available, is therefore an important research problem. This paper makes three contributions to research on formal verification and validation of middleware-based DRE systems. First, it presents a reusable library of formal models we have developed to capture essential timing and concurrency semantics of foundational middleware building blocks provided by the ACE framework. Second, it describes domain-specific techniques to reduce the cost of checking those models while ensuring they remain valid with respect to the semantics of the middleware itself. Third, it presents a verification and validation case study involving a gateway service, using our models.

    The Design, Modeling, and Implementation of Group Scheduling for Isolation of Computations from Adversarial Interference

    To isolate computations from denial of service (DoS) attacks and other forms of adversarial interference, it is necessary to constrain the effects of interactions among computations. This paper makes four contributions to research on isolation of computations from adversarial interference: (1) it describes the design and implementation of a kernel level scheduling policy to control the effects of adversarial attacks on computations' execution; (2) it presents formal models of the system components that are involved in a representative DoS attack scenario; (3) it shows how model checking can be used to analyze that example scenario, under default Linux scheduling semantics and under our scheduling policy design; and (4) it presents empirical studies we have conducted to validate our scheduling policy implementation. Our results show that, with careful design, scheduling and detailed monitoring of computations' behavior can be combined effectively to mitigate interference of attacks with computations' execution.
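    As an added illustration of two claims made in the abstracts above, the bounded divergence and quasi-cyclic state space that the "Scheduling Induced Bounds" paper attributes to bounded fair scheduling, and the starvation of one computation by another that the "Group Scheduling" paper's policy is designed to contain, here is a small Python simulation. It is not code or a model from either paper; the pipeline, the two scheduling policies, and the two metrics are assumptions made for the example.

```python
"""Toy simulation of progress-based fair scheduling of a processing pipeline.

Added illustration, not the papers' models or code. Assumptions, all made
for this example:
  * a pipeline of n_stages threads; stage 0 reads from an unbounded input,
    and stage i > 0 can only process an item once stage i-1 has finished it;
  * each scheduling step runs exactly one runnable stage for one item;
  * 'progress' policy: run the runnable stage with the fewest completed
    items (a progress-based fair policy);
  * 'fixed' policy: always run the lowest-indexed runnable stage (a strict
    priority policy under which the producer starves its consumers, the
    kind of interference the isolation paper wants to constrain).
"""
from typing import Callable, Dict, List, Tuple

Policy = Callable[[List[int], List[int]], int]


def runnable_stages(progress: List[int]) -> List[int]:
    """Stages with input available: stage 0 always, stage i if stage i-1 is ahead."""
    return [i for i in range(len(progress)) if i == 0 or progress[i - 1] > progress[i]]


def progress_policy(progress: List[int], ready: List[int]) -> int:
    """Progress-based fairness: least progress first, lowest index on ties."""
    return min(ready, key=lambda i: (progress[i], i))


def fixed_policy(progress: List[int], ready: List[int]) -> int:
    """Strict priority by stage index: the producer (stage 0) always wins."""
    return min(ready)


POLICIES: Dict[str, Policy] = {"progress": progress_policy, "fixed": fixed_policy}


def relative_state(progress: List[int]) -> Tuple[int, ...]:
    """Progress vector with the common minimum subtracted.

    Total progress grows forever, so the raw state space is infinite. What a
    bounded-fair policy keeps inside a finite set is this relative vector;
    revisiting it is the quasi-cyclic structure a model checker can exploit.
    """
    base = min(progress)
    return tuple(p - base for p in progress)


def simulate(policy_name: str, n_stages: int, steps: int) -> Tuple[int, int]:
    """Run the pipeline for `steps` scheduling decisions under one policy.

    Returns (max_divergence, distinct_relative_states): the largest gap ever
    seen between the most- and least-advanced stage, and the number of
    distinct relative states visited (the initial state included).
    """
    policy = POLICIES[policy_name]
    progress = [0] * n_stages
    seen = {relative_state(progress)}
    max_divergence = 0
    for _ in range(steps):
        ready = runnable_stages(progress)
        progress[policy(progress, ready)] += 1
        max_divergence = max(max_divergence, max(progress) - min(progress))
        seen.add(relative_state(progress))
    return max_divergence, len(seen)


if __name__ == "__main__":
    for name in POLICIES:
        divergence, states = simulate(name, 4, 100)
        print(f"{name:8s} policy: max divergence {divergence}, "
              f"distinct relative states {states}")
```

    Under the progress-based policy the divergence never exceeds 1 and only n_stages relative states are ever visited, however long the run, so a checker only has to explore that finite cycle; under the fixed-priority policy the producer runs every step, the divergence equals the number of steps, and every step is a new state, which is both the starvation the isolation paper targets and the state explosion the bounds paper avoids.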