Presentation is loading. Please wait.

Presentation is loading. Please wait.

Feature Interactions as Inconsistencies

Published byNickolas Bradford Modified over 5 years ago

Similar presentations

Presentation on theme: "Feature Interactions as Inconsistencies"— Presentation transcript:

1 Feature Interactions as Inconsistencies
Luigi Logrippo

2 What are feature interactions?
Feature interaction occurs when one feature modifies or subverts the operation of another one.

3 Changing views of FI Process-based view: Logic-based view:
Early research on FI was based on the idea that Fis were the result of complex interleavings of features See Feature Interaction contexts Logic-based view: Later it became understood that many or most FIs are the result of logical inconsistencies in the specification of features we are composing

4 User Policies With the flexibility provided by IP, features will increasingly be directed by user policies In a policy directed system, process is controlled by logic Hence the logic-based view becomes dominant

5 Main idea Many design flaws can be discovered by making the logic precise and thoroughly examining it by the use of logic tools Formal methods Feature interactions are the result of logic flaws Inconsistency of specs Application areas: New VoIP and Web based systems Security Whenever any functionalities of any kind are composed Do this Do that

6 Feature Interaction in Automotive
Electronic Stability Program (ESP) and Cruise Control (CC) ESP: Break if wheels slip on wet road CC: Increase speed until cruise speed is reached FI detectable by the fact that the two features have contradicting requirements

7 Protection rings in Bell-LaPadula security model
High security personnel can use delegation to transfer access rights to lower security personnel FI: Delegation defeats BLP

8 FI in communications A C B FI: CF defeats OCS .
A has C in OCS list A 3. A gets connected to C C 2. B forwards to C 1. A calls B B has CF to C B OCS: Originating Call Screening CF: Call Forward

9 Infinite loops FIs Companies A, B and C have policies where each of them uses the next in a loop as suppliers of parts in excess of inventory This can start a chain reaction with potentially disastrous effects! Send 800 pucks Send 1000 hockey pucks Send 400 Send 600 pucks Send 400 pucks FI: subcontracting defeats itself

10 Infinite loops FIs Companies A, B and C have policies where each of them uses the next in a loop as suppliers of parts in excess of inventory This can start a chain reaction with potentially disastrous effects! Send 800 pucks Send 1000 hockey pucks Send 400 Send 600 pucks Send 400 pucks FI: subcontracting defeats itself

11 Presence communications features 1
Alice: call Bob urgently about meeting cancellation Bob’s policy: send to voice mail all calls that arrive when I am moving faster than 50Km/h FI: Bob’s policy may defeat Alice’s urgent call policy

12 Presence communications features 2
Alice: call Bob as soon as he arrives in building Bob: call Alice as soon as she arrives in building One of the two policies will be defeated by the other

13 FIs as inconsistencies
There is FI when there is inconsistency between: Two simultaneous actions of one or several agents ESP – CC example ‘Call as soon as gets in the building’ example An action and a following action Where the first makes the second impossible Or the second contradicts the first An action and the requirements of a user Actions and systems requirements Inconsistency of loops with system requirement that there be no loops Inconsistency of actions may be visible only after complex domain-dependent considerations It is usually a fact provided as human input to FI detection tools

14 This idea is present in a number of works
Within an explicit logic framework: Felty and Namjoshi, FIW 2000 Various papers of Aiguier and Le Gall, e.g. Formal Methods 2006 (LNCS 4085) More generally talking about ‘conflicts’, ‘broken assumptions’, etc. Kolberg, Magill, Wilson, IEEE Comm., 2003 Gorse, Logrippo, Sincennes, originally in Gorse’s Master’s thesis of 2000 and eventually published in SoSym 2006 Metzger et al., FIW 2003 and 2005 Turner, Blair 2006 Etc.

15 In fact, from the beginning
Seminal paper by Cameron et al. identifies as main causes of FI: Violation of assumptions a clear case of inconsistency Limitation of network support inconsistency between concurrent claims of resources

16 FI symptoms according to Gorse, Logrippo, Sincennes
Basic cases of FI: Features leading to different results Non-contradicting ones (non-determinism) Contradicting ones A feature enables another, with contradicting results A feature enables another, which directly or indirectly enables the first (infinite loop)

17 Connections… Considerable work exists on
Consistency in software requirements Consistency of viewpoints in requirements These connections have not yet been fully exploited within FI research

18 Interesting aside on logic
Not all inconsistencies we have identified are straight logical inconsistencies… Some are infinite loops Others may be deadlocks What is the logic interpretation of an infinite loop or a deadlock? What is the computational interpretation of a logical inconsistency? Subject of ongoing work on the relationship between lambda calculus and logic Curry-Howard isomorphism: programs as proofs

19 How do we know about the conflicts
This can be obvious, in cases where there is a straight contradiction A and not A But this is rarely the case In many cases, contradiction is revealed as a result of domain-dependent considerations E.g. accept call contradicts disconnect

20 Symptoms of conflicts Due to the inability to formalize all elements of a domain, action inconsistency is usually a symptom Based on knowledge of expected systems behavior Detection is tentative Detection tool identifies possible conflict scenarios and interaction must be confirmed by human inspection

21 Next step of analysis: Considering pre- & post-conditions
Wu and Schulzrinne have moved forward with Introducing the idea of conflicts between pre- and post-conditions of actions Determining action conflicts on the basis of their pre-and post-conditions This can provide information also on possible FI resolution

22 Interactions of pre- and post-conditions
Enable(A,B) (positive interaction) the post-condition of A implies the pre-condition of B Disable(A,B) (negative interaction) The post-condition of A does not imply the pre-condition of B Conflict of post-conditions: (negative interactions) The expected postconditions of two actions conflict directly Special case: they request the same resources The expected postconditions of two actions conflict because of parameters A post(A) pre(B) B A B post(A) post(B)

23 How to choose pre- and post-condition: APPEL case study
Software systems are complex and every action is the result of, also produces, complex conditions Only few elements can be expressed in logic statements that are meant for analysis These elements must be chosen in terms of broad generalizations The choice of these elements is vital for producing a useful analysis In terms of the characteristics of APPEL, we have chosen to focus on two elements: Call states State of the media

24 How to determine conflicts
Similarly, conflicts must be determined in terms of broad generalizations E.g. if one action requests a resource of a certain type, then it might disable another action that requires the same type of resources

25 APPEL Example 1 AddCaller concurrent with ForkTo
Resulting media state by AddCaller: DefaultReserved Resulting media state by ForkTo: Resource conflict of these two actions

26 APPEL Example 2 AddCaller followed by ForwardTo
Resulting call state by AddCaller vs precondition call state by ForwardTo: LegAddedToCall vs CallSetup OK Resulting media state by AddCaller vs precondition media state by ForwardTo: DefaultReserved vs DefaultAvailable Problem

27 APPEL Example 3 RemoveParty followed by ForwardTo
Resulting call state by RemoveParty vs precondition call state by ForwardTo CallLegReleased vs CallSetup Conflict MediaAvailable vs DefaultAvailable Possible conflict

28 Pre- and post-conditions of call actions
Preconditions Postconditions Connection State Media State addCaller CallExists DefaultAvailable LegAddedToCall DefaultReserved addMedium MediumAvailable MediumReserved addParty forkTo CallSetup connectTo NotCallExists forwardTo NotCallExists, CallSetup DefaultAvailable, DefaultReserved rejectCall Any MediaAvailable removeMedium removeParty CallLegReleased disconnect

29 State-related inconsistencies
CallExists CallSetup NotCallExists i.e. at any time, the system can be in only one of these call states

30 Media-related inconsistencies
MediumReserved MediumReserved FOLLOWED BY Medium available

31 Inconsistency of postconditions
Actions Preconditions Postconditions Connection State Media State addCaller CallExists DefaultAvailable LegAddedToCall DefaultReserved addMedium MediumAvailable MediumReserved addParty forkTo CallSetup connectTo NotCallExists forwardTo NotCallExists, CallSetup DefaultAvailable, DefaultReserved rejectCall Any MediaAvailable removeMedium removeParty CallLegReleased disconnect

32 Postconds vs preconds Actions Preconditions Postconditions
Connection State Media State addCaller CallExists DefaultAvailable LegAddedToCall DefaultReserved addMedium MediumAvailable MediumReserved addParty forkTo CallSetup connectTo NotCallExists forwardTo NotCallExists, CallSetup DefaultAvailable, DefaultReserved rejectCall Any MediaAvailable removeMedium removeParty CallLegReleased disconnect

33 Granularity This analysis has very coarse granularity
We are at the beginning…

34 FI Resolution This approach provides little immediate help for FI resolution However, it might eventually, because the more information is available regarding the reasons for interaction, the more we can address it appropriately Research topic…

35 How to detect Specifications must be precise!
Sometimes they are already sufficiently precise, e.g. in a XML-based language Constraint Logic Programming Given a set of logic constraints, CPL tools can tell whether There is a solution, constraints are satisfiable There is no solution, in fact there is a counterexample First order model checking A related technique

36 Alloy Formal language and related tool developed at MIT
Daniel Jackson Tool is a first-order logic model checker Note difference wrt temporal logic model checkers Alloy’s front end: A logic-based language Alloy’s engine: an efficient Constraint Satisfaction (SAT) algorithm Alloy includes many interesting concepts, and it would not be possible to present it well in few minutes

37 Alloy specifications Alloy allows to specify a set of constraints in any of, or a combination of Logical style (1st order pred calculus) Relational style ‘Navigational’ style Very expressive user language

38 Some elements of Alloy Facts, Predicates, Functions: describe the system, in terms of constraints Assertions: state properties that are believed to be true of the system Check: checks a given assertion, trying to find a counterexample Run: runs a given predicate, trying to find an example Run and check have to specify how many instances should be created for each type

39 How Alloy works Alloy expresses the constraints in terms of boolean expressions and then tries to solve these by invoking off-the-shelf SAT solvers This problem is exponential, however improvements in efficiency of SAT solvers allows many non-trivial problems to be treated Current solvers can handle thousands of boolean vars, hundreds of expressions But much depends on the type of the expressions

40 Feasible part of the curve

41 Conclusions Complex designs require the composition of complex features With user control of what will happen in different situation (user policies) Introduction of these features requires sophisticated methods to detect different situations of feature conflicts Model checkers and constraint logic programming provide tools to detect potential conflicts

42 Thanks Work in collaboration with Prof. Ken Turner
Ahmed Layouni, Master’s student

Download ppt "Feature Interactions as Inconsistencies"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Design by Contract.

Design by Contract.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
1 Luigi Logrippo SITE Feature Interactions as Inconsistencies

1 Luigi Logrippo SITE Feature Interactions as Inconsistencies
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Software Requirements

Software Requirements
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
EXPERT SYSTEMS Part I.

EXPERT SYSTEMS Part I.
Feb. 23, 2004CS 509 - WPI1 CS 509 Design of Software Systems Lecture #5 Monday, Feb. 23, 2004.

Feb. 23, 2004CS WPI1 CS 509 Design of Software Systems Lecture #5 Monday, Feb. 23, 2004.
Formal methods Basic concepts. Introduction  Just as models, formal methods is a complement to other specification methods.  Standard is model-based.

Formal methods Basic concepts. Introduction  Just as models, formal methods is a complement to other specification methods.  Standard is model-based.
Describing Syntax and Semantics

Describing Syntax and Semantics
Katanosh Morovat.   This concept is a formal approach for identifying the rules that encapsulate the structure, constraint, and control of the operation.

Katanosh Morovat.   This concept is a formal approach for identifying the rules that encapsulate the structure, constraint, and control of the operation.
1 BTEC HNC Systems Support Castle College 2007/8 Systems Analysis Lecture 9 Introduction to Design.

1 BTEC HNC Systems Support Castle College 2007/8 Systems Analysis Lecture 9 Introduction to Design.
8.1.2003Software Engineering 2003 Jyrki Nummenmaa 1 REQUIREMENT SPECIFICATION Today: Requirements Specification Requirements tell us what the system should.

Software Engineering 2003 Jyrki Nummenmaa 1 REQUIREMENT SPECIFICATION Today: Requirements Specification Requirements tell us what the system should.
Topics Covered: Software requirement specification(SRS) Software requirement specification(SRS) Authors of SRS Authors of SRS Need of SRS Need of SRS.

Topics Covered: Software requirement specification(SRS) Software requirement specification(SRS) Authors of SRS Authors of SRS Need of SRS Need of SRS.
1 Luigi Logrippo Kamel Adi Inconsistency and incompleteness in security policies

1 Luigi Logrippo Kamel Adi Inconsistency and incompleteness in security policies
Features, Policies and Their Interactions Joanne M. Atlee Department of Computer Science University of Waterloo.

Features, Policies and Their Interactions Joanne M. Atlee Department of Computer Science University of Waterloo.

Similar presentations

Ads by Google