Safe Dynamic Adaptation Department of Computer Science & Engineering Ji Zhang and Zhenxiao Yang Advisor: Prof. Betty H.C. Cheng Software Engineering and Network Systems (SENS) Laboratory Motivation Dynamic adaptation is the trend : Increasingly, computer software systems and applications must adapt to changing con- ditions in both the supporting computing and communication infrastructure, as well as in the surrounding physical environ- ment. Examples warranting dynamic adaptations  Dynamic introductions of new strategies.  Quick responses to security threats.  Switching to certain execution mode to save battery life.  Insertions of encryption layers to network protocol stack. Existing research efforts include: Supports in programming languages Framework supporting adaptation Adaptive middleware Adaptable and extensible operating systems Separation of concerns: These techniques separates the adaptation behavior from the base program behavior. Safe dynamic adaptation Unless adaptive software mechanisms are grounded in for- malisms that codify invariants and other properties that must hold during adaptation, the resulting systems will be prone to errant behavior. Safe dynamic adaptation further separates the correctness issue from the adaptation mechanism, and thus provides the basis for formal reasoning of the adaptation behavior. Video Streaming Example MetaSocket (background) MetaSockets are created from existing Java socket classes. A MetaSocket can be modeled as a chain of filters that manipulate the passing data stream, and a multicast socket attached to the end of the chain Filters can perform encryption, decryption, forward error correction, compression, and so forth. Video Streaming Example (Figure 1) On the server, a web camera captures video input and a video processor encodes the stream and delivers the data stream through a MetaSocket. Two clients (a handheld computer and a laptop computer) On each client the packets are processed by a chain of decoder filters in a receiving MetaSocket and passed to the video processor, where they are decomposed into video. The server and the clients are connected with wireless net- works. May. 10, 2004 Filter schemas: Two forward error correction schemes are available for data processing: DES 64-bit encoding/decoding, and DES 128-bit enco- ding/decoding. The server has two components: E1 ( a DES 64-bit encoder) and E2 ( a DES 128-bit encoder). The hand-held client has three components: D1 ( a DES 64-bit de- coder), D2 ( a DES 128/64-bit compatible decoder), and D3 (a DES 128-bit decoder). The laptop client has two components: D4 (a DES 64-bit decoder) and D5 (a DES 128-bit decoder). Adaptations and adaptive actions The overall adaptation objective is to reconfigure the system from running the DES 64-bit encoder/decoders to running the DES 128-bit encoder/decoders to "harden" security at run time. Available adaptation actions are inserting, removing, and replacing filter(s) Cases of unsafe adaptation Replacing the encoder when it is in the process of encoding a packet: Interrupting the encoding process causes unexpected program behavior. Replacing the encoder and the decoders at the same time: The in-flight packets will not be able to be decoded, causing packet loss. Removing the 64-bit DES encoders/decoders then insert the 128-bit DES encoders/decoders: creating security breach during adaptation. Causes of unsafe adaptation Interrupting atomic communication. (case 1) Violating dependency invariants. (case 2, 3) Safe Definition System modeling: A distributed system is modeled as set of communicating components running on one or more processes. Atomic communication: an interaction either within a component or between components that cannot be interrupted. Otherwise, it would potentially yield erroneous or unexpected results. Dependency invariants : The relationships among the components that should be held true throughout the programs execution. A system configuration is safe if the configuration does not violate any dependency invariants. Safe adaptation process definition: The process does not interrupt atomic communication. The process does not violate dependency invariants. Safe Adaptation Process Constructing minimum adaptation path (Figure 2) Construct safe configuration set: The set of safe configurations. Construct safe adaptation graph: Vertices are safe confi- gurations and arcs are adaptive actions. Each action is as- signed a application specific cost value. Search for minimum adaptation path (MAP): The path with minimum cost from one configuration (source) to another (target). Managing adaptation process It is achieved by an adaptation manager and multiple agents (one on each process) The manager and agents communicate with messages. The adaptation actions are synchronized and the components are blocked when and only when it is necessary to ensure safeness. Acknowledgements: This work has been supported in part by the following grants: NSF EIA , CDA , CCR , EIA , Department of the Navy, and Office of Naval Research under Grant No. N , and in cooperation with Siemens Automotive and Detroit Diesel Corporation. In the example, we use a 7-bit vector (D5,D4,D3,D2,D1,E2,E1) to represent a configuration. The source configuration is ( ) and the target configuration is ( ).