Playing the Devil ’ s Advocate: Verifying Real-Time Systems Jan Jürjens Software & Systems Engineering TU Munich, Germany

Slides:



Advertisements
Similar presentations
Testing Workflow Purpose
Advertisements

Operating System Security
Formal Modelling of Reactive Agents as an aggregation of Simple Behaviours P.Kefalas Dept. of Computer Science 13 Tsimiski Str Thessaloniki Greece.
Chapter 2 – Software Processes
Software Processes Coherent sets of activities for specifying, designing, implementing and testing software systems.
Design Concepts and Principles
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Term Paper OLOMOLA,Afolabi( ). Dependability Modellling.
Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.
CPSC 668Set 14: Simulations1 CPSC 668 Distributed Algorithms and Systems Spring 2008 Prof. Jennifer Welch.
Building Reliable Software Requirements and Methods.
1 Solution proposal Exam 19. Mai 2000 No help tools allowed.
SWE Introduction to Software Engineering
Recall The Team Skills 1. Analyzing the Problem (with 5 steps) 2. Understanding User and Stakeholder Needs 3. Defining the System 4. Managing Scope 5.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.
Design of Fault Tolerant Data Flow in Ptolemy II Mark McKelvin EE290 N, Fall 2004 Final Project.
HAS. Patterns The use of patterns is essentially the reuse of well established good ideas. A pattern is a named well understood good solution to a common.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
CSC 402, Fall Requirements Analysis for Special Properties Systems Engineering (def?) –why? increasing complexity –ICBM’s (then TMI, Therac, Challenger...)
Department of Computer Science & Engineering College of Engineering Dr. Betty H.C. Cheng, Laura A. Campbell, Sascha Konrad The demand for distributed real-time.
SWE Introduction to Software Engineering
©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 2 Slide 1 Systems engineering 1.
Incorporating database systems into a secure software development methodology Eduardo B. Fernandez, Jan Jurjens, Nobukazu Yoshioka, and Hironori Washizaki.
Software Integration and Documenting
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
UML Unified Markup Language Ziya Karakaya Atılım University, Computer Engineering
J.H.Saltzer, D.P.Reed, C.C.Clark End-to-End Arguments in System Design Reading Group 19/11/03 Torsten Ackemann.
Model-based Security with UMLsec Software & Systems Engineering Informatics, Munich University of Technology Germany
1 Validation & Verification Chapter VALIDATION & VERIFICATION Very Difficult Very Important Conceptually distinct, but performed simultaneously.
Implementation Yaodong Bi. Introduction to Implementation Purposes of Implementation – Plan the system integrations required in each iteration – Distribute.
CMSC 345 Fall 2000 Unit Testing. The testing process.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
Assessing the Suitability of UML for Modeling Software Architectures Nenad Medvidovic Computer Science Department University of Southern California Los.
1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.
1 Software testing. 2 Testing Objectives Testing is a process of executing a program with the intent of finding an error. A good test case is in that.
Reliable Design of Safety Critical Systems Dr. Abhik Roychoudhury School of Computing
Testing Workflow In the Unified Process and Agile/Scrum processes.
Using UML, Patterns, and Java Object-Oriented Software Engineering Chapter 4, Requirements Elicitation.
A language to describe software texture in abstract design models and implementation.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 3.
Historical Aspects Origin of software engineering –NATO study group coined the term in 1967 Software crisis –Low quality, schedule delay, and cost overrun.
Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.
1 Capturing Requirements As Use Cases To be discussed –Artifacts created in the requirements workflow –Workers participating in the requirements workflow.
Chapter 2 – Software Processes Lecture 1 Chapter 2 Software Processes1.
Software Engineering1  Verification: The software should conform to its specification  Validation: The software should do what the user really requires.
Lecture 13.  Failure mode: when team understands requirements but is unable to meet them.  To ensure that you are building the right system Continually.
Smart Home Technologies
Analysis Yaodong Bi. Introduction to Analysis Purposes of Analysis – Resolve issues related to interference, concurrency, and conflicts among use cases.
SAFEWARE System Safety and Computers Chap18:Verification of Safety Author : Nancy G. Leveson University of Washington 1995 by Addison-Wesley Publishing.
1. Black Box Testing  Black box testing is also called functional testing  Black box testing ignores the internal mechanism of a system or component.
PI2134 Software Engineering IT Telkom.  Layered technology  Software Process  Generic Process (by Pressman)  Fundamental activities (by Sommerville)
Software Engineering Lecture 8: Quality Assurance.
21/1/ Analysis - Model of real-world situation - What ? System Design - Overall architecture (sub-systems) Object Design - Refinement of Design.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Requirement Elicitation Review – Class 8 Functional Requirements Nonfunctional Requirements Software Requirements document Requirements Validation and.
Toward a New ATM Software Safety Assessment Methodology dott. Francesca Matarese.
Copyright 1999 G.v. Bochmann ELG 7186C ch.1 1 Course Notes ELG 7186C Formal Methods for the Development of Real-Time System Applications Gregor v. Bochmann.
CS223: Software Engineering Lecture 25: Software Testing.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 10Slide 1 Chapter 5:Architectural Design l Establishing the overall structure of a software.
Testing Tutorial 7.
Definition CASE tools are software systems that are intended to provide automated support for routine activities in the software process such as editing.
Frequently asked questions about software engineering
Recall The Team Skills Analyzing the Problem (with 5 steps)
Baisc Of Software Testing
Presentation transcript:

Playing the Devil ’ s Advocate: Verifying Real-Time Systems Jan Jürjens Software & Systems Engineering TU Munich, Germany

Jan Jürjens, TU Munich: Critical Systems Development with UML2 Dependability Ability to deliver service that can justifiably be trusted. By definition issue supposed to include Reliability, Safety, Security attributes, the threats against them and the means to encounter the threats. (Although historically „security“ and „dependability“ communities have been largely disjoint.)

Jan Jürjens, TU Munich: Critical Systems Development with UML3 Safety Safety: software execution without contributing to hazards. Safety-critical systems: five failure condition categories: catastrophic, hazardous, major, minor, no effect. Corresponding safety levels A - E (DO- 178B standards in avionics).

Jan Jürjens, TU Munich: Critical Systems Development with UML4 Reliability For safety need sufficient level of reliability: probability of failure-free functioning of software component for specified period in specified environment. Reliability goals: via the maximum allowed failure rate. For high degree of reliability, testing not sufficient (1 failure per 100,000 years).

Jan Jürjens, TU Munich: Critical Systems Development with UML5 Embedded Systems In particular, embedded software increasingly used in safety-critical systems (flexibility): Automotive Avionics Aeronautics Robotics, Telemedicine … Our treatment of dependable systems in particular applies to embedded systems.

Jan Jürjens, TU Munich: Critical Systems Development with UML6 Fault-tolerance Redundancy model determines which level of redundancy provided. Goal: no hazards in presence of single- point failures. In the following treatment: focus on reliability, in particular for safety focus on fault-tolerance aspects of reliability

Jan Jürjens, TU Munich: Critical Systems Development with UML7 Faults vs. Failures Failures: perceived deviation of output values from expected values. Faults: possible cause of failures in hardware, code or other artefacts. For example, a faulty communication line may result in a communication failure. Failures relative to system requirements (real- time: inacceptable communication delay „failure“).

Jan Jürjens, TU Munich: Critical Systems Development with UML8 Faults vs. Failures II Faults in component cause failures of component. Are faults of subsystem containing component. Leads to failures of subsystem …  Faults / failures relative distinction. Can be both.

Jan Jürjens, TU Munich: Critical Systems Development with UML9 From UML sec to UML dep Reliability = „Security against stupid adversaries“ Security = „Reliability for paranoids“ Adversaries in security correspond to failures in reliability. Replace adversary model in UMLsec by failure model to get UMLdep.

Jan Jürjens, TU Munich: Critical Systems Development with UML10 Fault Semantics Modeling For redundancy model R, stereotype s ∊ {¿crash/performanceÀ, ¿valueÀ}, have set Faults R (s) ⊆ {delay(t), loss(p), corrupt(q)}, with interpretation: t: expected maximum time delay, p: probability that value not delivered within t, q: probability that value delivered in time corrupted (in each case incorporating redundancy). Or use ¿riskÀ stereotype with {fault} tag.

Jan Jürjens, TU Munich: Critical Systems Development with UML11 Example Suppose redundancy model R uses controller with redundancy 3 and fastest result. Then can define: delay(t): t delay of fastest controller, loss(p): p probability that fastest result not delivered within t, corrupt(q): q probability that fastest result is corrupted (each wrt. given fault semantics).

Jan Jürjens, TU Munich: Critical Systems Development with UML12 ¿guarantee À Describe guarantees required from communication dependencies resp. system components. Tags: {goal} with value subset of {immediate(t), eventual(p), correct(q)}, where t: expected maximum time delay, p: probability that value is delivered within t, q: probability that value delivered in time not corrupted.

Jan Jürjens, TU Munich: Critical Systems Development with UML13 Reliable Architecture Is this a reliable architecture ?

Jan Jürjens, TU Munich: Critical Systems Development with UML14 ¿reliable linksÀ Physical layer should meet reliability requirements on communication given redundancy model R. Constraint: For dependency d stereotyped ¿guaranteeÀ and each corresponding communication link l with stereotype s: if {goal} has immediate(t) as value then delay(t‘) 2 Faults R (s) implies t‘·t, if {goal} has eventual(p) as value then loss(p‘) 2 Faults R (s) implies p‘·1-p, and if {goal} has correct(q) as value then corruption(q‘) 2 Faults R (s) implies q‘·1-q.

Jan Jürjens, TU Munich: Critical Systems Development with UML15 Example ¿ reliable linksÀ Given redundancy model none, ¿reliable linksÀ fulfilled iff T ≥ t where delay(t) 2 Faults none (¿crash/performanceÀ).

Jan Jürjens, TU Munich: Critical Systems Development with UML16 Reliable Data Structure Assuming immediate(t)  goals(realtime), data structure reliable ?

Jan Jürjens, TU Munich: Critical Systems Development with UML17 ¿ reliable dependencyÀ Communication dependencies should respect reliability requirements on ¿ critical À data. For each reliability level {l} for ¿ critical À data, have goals(l)  {immediate(t), eventual(p), correct(q)}. Constraint: for each dependency d from C to D stereotyped ¿ guarantee À : Goals on data in D same as those in C. Goals on data in C that also appears in D met by guarantees of d.

Jan Jürjens, TU Munich: Critical Systems Development with UML18 Example ¿ reliable dependency À Assuming immediate(t)  goals(realtime), violates ¿reliable dependencyÀ, since Sensor and dependency do not provide realtime goal immediate(t) for measure() required by Controller.

Jan Jürjens, TU Munich: Critical Systems Development with UML19 ¿reliable behaviorÀ Ensures that system behavior in presence of failure model provides required reliability {goals}: For any execution trace h, any transmission of a value along a communication dependency stereotyped ¿guaranteeÀ, following constraints should hold, given the reliability goal: eventual(p): With probability at least p, … immediate(t): … every value is delivered after at most t time steps. correct(q): Probability that a delivered value is corrupted during transmission is at most 1-q.

Jan Jürjens, TU Munich: Critical Systems Development with UML20 Dependable Interference Acceptable interference between safe and unsafe data ?

Jan Jürjens, TU Munich: Critical Systems Development with UML21 ¿containmentÀ Prevent indirect corruption of data. Constraint: Value of any data element d may only be influenced by data whose requirements attached to ¿ critical À imply those of d. Make precise by referring to execution semantics (view of history associated with dependability level).

Jan Jürjens, TU Munich: Critical Systems Development with UML22 Example ¿containmentÀ Violates containment because a {safe} value depends on un{safe} value. Can check this mechanically.

Jan Jürjens, TU Munich: Critical Systems Development with UML23 Tool Support: Fault Models lq l n : messages on link l delayed further n time units. p h n : probability of fault at n th iteration in history h. For link l stereotyped s where loss(p)  Faults R (s), history may give lq l 0 :=  ; then append p to p h n, or no change, then append 1-p. For link l stereotyped s where corruption(q)  Faults R (s), history may give lq l 0 :={■}; then append q, or no change; append 1-q. For link l stereotyped s with delay(t)  Faults R (s), and lq l 0 , history may give lq l n :=lq l 0 for n·t; append 1/t. Then distribute lq l 0 ; for each n, lq l n :=lq l n+1.

Jan Jürjens, TU Munich: Critical Systems Development with UML24 Other Checks Have other consistency checks such as Is the software‘s response to out-of- range values specified for every input ? If input arrives when it shouldn't, is a response specified ? …and other safety checks from the literature.

Jan Jürjens, TU Munich: Critical Systems Development with UML25 Any Questions ?

Jan Jürjens, TU Munich: Critical Systems Development with UML26 Testing Real-Time Systems Very challenging. For high level of assurance, would need full coverage (test every possible execution). Usually infeasible (especially reactive systems). Have heuristics for trade-off between development effort and reliability. Need to ask yourself: How complete is the heuristic ? How can I validate it ?

Jan Jürjens, TU Munich: Critical Systems Development with UML27 Recent Trends in Academic Research Model-based Testing (e.g. based on Real-time UML). Advantages: Precise measures for completeness. Can be formally validated. Two complementary strategies: Conformance testing Testing for criticality requirements

Jan Jürjens, TU Munich: Critical Systems Development with UML28 Conformance Testing Classical approach in model-based test- generation (much literature). Can be superfluous when using code- generation [except to check your code- generator, but only once and for all]. Works independently of real-time requirements.

Jan Jürjens, TU Munich: Critical Systems Development with UML29 Conformance Testing: Caveats Complete test-coverage still infeasible (although can measure coverage). Can only test code against what is contained in model. Usually, model more abstract than code. May lead to „blind spots“. For both reasons, may miss critical test- cases. Want: „criticality testing“.

Jan Jürjens, TU Munich: Critical Systems Development with UML30 Criticality Testing: Strategies Internal: Ensure test-case selection from models does not miss critical cases: Select according to information on criticality. External: Test code against possible environment interaction generated from parts of the model (e.g. deployment diagram with information on physical environment).

Jan Jürjens, TU Munich: Critical Systems Development with UML31 Criticality Testing Shortcoming of classical model-based test-generation (conformance testing) motivates „criticality testing“. Goal: model-based test-generation adequate for critical real-time systems.

Jan Jürjens, TU Munich: Critical Systems Development with UML32 Internal Criticality Testing Need behavioral semantics of used specification language (precise enough to be understood by a tool). Here: semantics for simplified fragment of UML in „pseudo-code“ (ASMs). Select test-cases according to criticality annotations in the class diagrams. Test-cases: critical selections of intended behavior of the system.

Jan Jürjens, TU Munich: Critical Systems Development with UML33 External Criticality Testing Generate test-sequences representing the environment behaviour from the criticality information in the deployment diagrams.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.