An Open Logical Programming Environment. Stuart Allen Mark Bickford Robert Constable (PI) Christoph Kreitz Lori Lorigo Robbert Van Renesse. Programming. Logic. Communications. Secure software infrastructure. Department of Computer Science, Cornell University Contract # F30602-98-0198.
Problem Description
Build and apply formal method tools to increase assurance, adaptability, and performance of networked embedded systems
• Formally relate mechanisms for composing program modules to mechanisms for composing specifications
• Prove system properties
• Add aspects while preserving properties
• Generate code modules from service specifications
• Build adaptive protocols for embedded applications
• Support real-time constraints in large networks
Objectives & Approach
Organize tools for verification, optimization, and formal design into an open Logical Programming Environment
• Extend logical language to support compositional design and verification (Class Theory), property-preserving code transformations, and real-time issues (Reflection)
• Build formal model of networked embedded systems
• Build formal knowledge and tailored reasoning strategies
• Introduce aspects via “composition” of micro-protocols
• Use LPE to increase confidence, flexibility & efficiency of key applications (Ensemble, Spinglass, Bold Stroke, ...)
Contribution to PCES goals
The overarching goal of PCES is novel technology … that can reduce efforts to program embedded systems while increasing confidence in the … product
Confidence requires proof
LPE will provide:
• Infrastructure for assuring system properties
  - e.g. safety, fault tolerance + synchronization, timing, …
• Support for error-free code reuse
  - Library of reusable specifications and related code
  - Mechanisms for composing designs and specs
  - Property-preserving transformations that combine aspects in code and specifications
• Verified mechanisms for increasing adaptability
• Support for real-time guarantees
Contribution to DoD Application
LPE will provide assurance for desired properties, support rapid configuration of high-confidence systems and adaptability to changing situations
• Possible applications through Ensemble & Spinglass
• Reliable infrastructure for large scale sensor networks that can provide real time intelligence to ground troops (Army)
• Support for communication infrastructure in Joint Battlespace Infosphere (in discussion with Air Force, Rome)
• Support for software systems like HiperD used in AEGIS battle control software (Navy)
• More through work on Boeing OEP
Project Tasks & Schedule
Timeline: Fall 2000, Winter 2000, Spring 2001, Summer 2001, Fall 2001, ongoing, Spring/Summer 2002, 2002
• Release tools for optimization of protocol stacks
• Complete formal verification of Ensemble VS protocol
• Develop new adaptive communication protocol using the LPE in design and verification
• Specify and model event-driven embedded system module from PCES project partner (Bold Stroke, …)
• Develop web-based presentation mechanisms for knowledge base of software and specifications
• Enhance automatic tools to increase pace of formal developments (decision procedures, tailored tactics, …)
• Explore probabilistic embedded protocols with LPE technology developed for adaptive protocols
• Incrementally deploy logical reflection mechanisms as basis for program composition / reconfiguration
Progress & Accomplishments
• Theoretical basis for efficient reflection mechanism
  - reasoning about intensional properties: time, resources, synch…
• Class theory supports code & design reuse through composition and weaving
• Developed LPE technology for formal design of verifiably correct adaptive systems
• Formal documentation, publications, Nuprl LPE and large database of algorithmic knowledge available at our web site http://www.cs.cornell.edu/Info/Projects/NuPrl
Verified Program Composition
A method for property-preserving composition
• Class Theory provides expressive type constructs: Union, Intersection, Subtyping, Records, Modules
• Supports compositional verification
  - Intersecting modules preserves safety properties: (M_A ⊨ P) ⇒ (M_A ∩ M_B ⊨ P)
  - Intersecting modules is a form of composition: M_A ∩ M_B intersects states, actions, constraints
• But intersection is more than just functional composition
Weaving as Combining Effects: property-preserving weaving of aspects

  Communication
    state q: Msg List
    action SEND: Msg
    effect SEND(m): q := enqueue m q

  Logging
    state log: Msg List
    action SEND: Msg
    effect SEND(m): if sensitive(m) then log := append log m

Intersection weaves code pieces together:

  CommunicationwithLogging
    state q, log: Msg List
    action SEND: Msg
    effect SEND(m): q := enqueue m q
                    if sensitive(m) then log := append log m

• Intersection is proven to combine all safety properties of code
• Reflection needed to prove semantical effects of purely syntactical transformations (renaming, …)
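The weaving above can be exercised in an executable model. The following Python is an added example, not Nuprl class-theory code and not from the project: a module is a set of state variables, a set of actions and per-action effects; intersection unions the state and runs both modules' effects on the shared SEND action. The `sensitive` predicate, the trace of messages and the two safety properties are constructed for the illustration; the properties are checked after every step, on each module alone and on the woven module, which is the claim that intersection combines the safety properties of its parts.

```python
"""Constructed model of 'intersection weaves code pieces together'.
A Module has state variables, actions and per-action effects; intersecting two
modules unions their state and, on each action, performs the effects of both."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

State = Dict[str, list]
Effect = Callable[[State, str], None]


@dataclass
class Module:
    name: str
    state: Set[str]                    # state variable names; all of type Msg List here
    effects: Dict[str, List[Effect]]   # action name -> effects that fire on that action


def intersect(a: Module, b: Module) -> Module:
    """Intersection of modules: the woven module carries the state of both and on
    each action runs the effects of both.  The effects here touch disjoint state
    variables, so the order in which they run does not matter."""
    actions = set(a.effects) | set(b.effects)
    woven = {act: a.effects.get(act, []) + b.effects.get(act, []) for act in actions}
    return Module(a.name + "with" + b.name, a.state | b.state, woven)


def sensitive(m: str) -> bool:
    """Constructed stand-in for the slide's sensitive(m) predicate."""
    return m.startswith("secret")


# Communication: state q; effect SEND(m): q := enqueue m q
def comm_send(st: State, m: str) -> None:
    st["q"] = st["q"] + [m]


# Logging: state log; effect SEND(m): if sensitive(m) then log := append log m
def log_send(st: State, m: str) -> None:
    if sensitive(m):
        st["log"] = st["log"] + [m]


Communication = Module("Communication", {"q"}, {"SEND": [comm_send]})
Logging = Module("Logging", {"log"}, {"SEND": [log_send]})
CommunicationWithLogging = intersect(Communication, Logging)


# Safety properties, stated as predicates over the state and the history of SENDs.
def queue_matches_sends(st: State, sent: List[str]) -> bool:
    return st["q"] == sent


def sensitive_sends_logged(st: State, sent: List[str]) -> bool:
    return st["log"] == [m for m in sent if sensitive(m)]


def holds(module: Module, prop, trace: List[str]) -> bool:
    """Run a trace of SEND actions and check the property after every step."""
    st: State = {v: [] for v in module.state}
    sent: List[str] = []
    for m in trace:
        for eff in module.effects["SEND"]:
            eff(st, m)
        sent.append(m)
        if not prop(st, sent):
            return False
    return True


TRACE = ["hello", "secret-key", "status", "secret-plan"]   # constructed input

if __name__ == "__main__":
    print("woven state:", sorted(CommunicationWithLogging.state))
    for mod in (Communication, CommunicationWithLogging):
        print(mod.name, "queue property:", holds(mod, queue_matches_sends, TRACE))
    for mod in (Logging, CommunicationWithLogging):
        print(mod.name, "logging property:", holds(mod, sensitive_sends_logged, TRACE))
```

The model shows why the slide's caveat about reflection matters: `intersect` is a purely syntactic operation on effect lists, and the reason the properties survive it (the effects write disjoint state variables) is a semantic fact about the code that the composition itself does not check.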
Designing Adaptive Systems
(figure: switching protocol between prot1 and prot2)
• Make system adapt safely to run-time dynamics
  - upgrades, higher security, performance
• Building block approach
  - generic switching protocol constructs hybrid protocols from simpler ones
• Correctness issues
  - what protocols are switchable at all?
  - what code invariant preserves switchable properties?
• Technique applies to event-driven architectures
Verifying Adaptive Systems
6 Meta-Properties are sufficient for protocols to work correctly under a switch
(figure: switch spec stacked over the protocol specs and the network)
• Network: Safety, Asynchrony, Layered Architecture
• Protocol switching: Delayable, Send-enabled, Memoryless, Composable
• Verification reveals hidden assumptions & limitations of applicability
• Verification yields code invariants
• MP’s simplify design and verification
• MP’s characterize environmental prerequisites for correct behavior
• Abstract approach supports reliable adaptability beyond communication
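To make concrete why meta-properties such as Delayable and Memoryless matter for a switch, here is an added simulation in Python. It is a constructed illustration, not the project's switching protocol or its Nuprl verification: two toy memoryless codecs stand in for prot1 and prot2, the sender tags each wire message with a protocol epoch, and an asynchronous network may deliver a message before or after the switch notification that precedes it. A receiver that switches on notification alone decodes in-flight messages with the wrong protocol; a receiver that delays messages from an epoch it has not yet switched to, and keeps decoding older epochs with their own protocol (possible only because the protocols carry no state across the switch), delivers everything.

```python
"""Constructed simulation of a protocol switch over an asynchronous network.
Shows the invariant 'every message is decoded by the protocol that encoded it'
breaking without delaying, and holding when out-of-epoch messages are delayed."""
from typing import List, Optional, Tuple

# Two memoryless toy protocols: each can only decode what it encoded.
CODECS = {
    1: (lambda m: "p1:" + m, lambda w: w[3:] if w.startswith("p1:") else None),
    2: (lambda m: "p2:" + m[::-1], lambda w: w[3:][::-1] if w.startswith("p2:") else None),
}

# ("msg", epoch, wire) carries data; ("switch", new_epoch, "") announces a switch.
Event = Tuple[str, int, str]


def encode_all(schedule: List[Tuple[str, str]]) -> List[Event]:
    """Sender side: tag every wire message with the epoch of the protocol that
    encoded it and emit a switch notification when the protocol changes."""
    epoch, out = 1, []
    for kind, m in schedule:
        if kind == "switch":
            epoch += 1
            out.append(("switch", epoch, ""))
        else:
            out.append(("msg", epoch, CODECS[epoch][0](m)))
    return out


def naive_receive(events: List[Event]) -> List[Optional[str]]:
    """Decodes with the protocol of the most recent switch notification seen.
    A message that overtakes (or trails) the notification is mis-decoded (None)."""
    epoch, out = 1, []
    for kind, e, w in events:
        if kind == "switch":
            epoch = e
        else:
            out.append(CODECS[epoch][1](w))
    return out


def delaying_receive(events: List[Event]) -> List[Optional[str]]:
    """Uses the epoch tag.  Messages from a future epoch are delayed until the
    switch notification arrives (Delayable); messages from the current or an
    older epoch are decoded with their own protocol (Memoryless: an old protocol
    instance needs no state, so it can still be applied after the switch)."""
    epoch, out, delayed = 1, [], []
    for kind, e, w in events:
        if kind == "switch":
            epoch = e
            ready = [(ee, ww) for ee, ww in delayed if ee <= epoch]
            delayed = [(ee, ww) for ee, ww in delayed if ee > epoch]
            out.extend(CODECS[ee][1](ww) for ee, ww in ready)
        elif e > epoch:
            delayed.append((e, w))
        else:
            out.append(CODECS[e][1](w))
    return out


def all_delivered(received: List[Optional[str]], sent: List[str]) -> bool:
    """Safety check: nothing mis-decoded and every sent message delivered."""
    return None not in received and sorted(received) == sorted(sent)  # type: ignore[arg-type]


# Constructed schedule: two messages under prot1, a switch, two under prot2.
SCHEDULE = [("send", "a"), ("send", "b"), ("switch", ""), ("send", "c"), ("send", "d")]
SENT = [m for k, m in SCHEDULE if k == "send"]
WIRE = encode_all(SCHEDULE)
# Asynchrony, case 1: the first epoch-2 message overtakes the switch notification.
OVERTAKE = [WIRE[0], WIRE[1], WIRE[3], WIRE[2], WIRE[4]]
# Asynchrony, case 2: the notification overtakes the last epoch-1 message.
TRAIL = [WIRE[0], WIRE[2], WIRE[1], WIRE[3], WIRE[4]]

if __name__ == "__main__":
    for name, order in (("overtake", OVERTAKE), ("trail", TRAIL)):
        print(name, "naive:", naive_receive(order), "delaying:", delaying_receive(order))
```

The epoch tag is the "code invariant" in this model: as long as every wire message carries the epoch of its encoder, the receiver can always pick the right protocol, and delaying is what turns an unknown future epoch from an error into a wait.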
Next Milestones
• Package adaptive LPE tools and make available on web, including formal documentation
• Model components from Bold Stroke event channel
  - Investigate how to provide adaptive technology, optimization techniques, and check properties
• Illustrate how to weave probabilistic aspects into an existing protocol
• Develop prototype probabilistic real time embedded protocol with LPE
Applying the LPE to Bold Stroke
• Bold Stroke is a layered event-channel architecture
  - some similarity to protocol stacks in communication
• Develop formal model of architecture and modules
• Investigate how to provide formal assistance for
  - assuring system properties (particularly after changes)
  - safe switching between schedules
  - dynamic reconfiguration (using adaptive technology)
  - improving performance for specific scenarios
• Analysis tools for OEP application components
Probabilistic embedded protocols
(figure: Bimodal Multicast; labels 10-12 fail, 1% fail, Unreliable)
Provide properties with extremely high probability
Elegant for dealing with real-time constraints in large networks
• Scales well
• Same real-time guarantees as deterministic approaches
• Less vulnerable (weaker assumptions, more realistic)
• Simpler to design and analyze
  - use MP technology developed for adaptive protocols
  + formal probabilistic communication model
  + reflection (for timing issues and probability analysis)
• Applications: Air traffic control, embedded sensor networks
Collaborations
• BBN (old ties: Ensemble in Aqua/Quo projects; planned: Ensemble in A/V transmission)
• Boeing (in preparation: apply LPE to Bold Stroke)
• Vanderbilt (planned: analyze synthesized software)
• ORA (ongoing: LPE verifications; planned: formal RT Java semantics)
• AFRL Rome (joint Information Assurance Institute)
• Others?
Technology Transfer
• LPE already provides direct support of Ensemble and Spinglass systems (DoD + commercial use)
• AFRL people are being trained to use the LPE (AFRL/Cornell Information Assurance Institute)
• Connections to BBN and Boeing offer new transition paths for future results
Program Issues
• Which PCES application is best to demonstrate major impact of formal tools?
• Balance between long-term and short-term goals? (better formal tools vs pushing application with today’s tools)
• Project is part of PCES only until Sept. 2002
• Meaningful collaboration beyond 2002?