1
Luigi Logrippo, SITE (University of Ottawa)
Feature Interactions as Inconsistencies
http://www.site.uottawa.ca/~luigi/
2
Development
Early research on feature interactions (FIs) was based on the idea that FIs were the result of complex interleavings of features
See Feature Interaction contexts
Later it became understood that, more simply, if features are logically inconsistent then they cannot coexist
3
Main idea
Many software flaws can be discovered by making the logic precise and thoroughly examining it with logic tools (formal methods)
Feature interactions are the result of logic flaws: inconsistency of specifications
Application areas: new VoIP and Web based systems, security, many others
(figure: two instructions to the same system, "Do this" and "Do that")
4
Feature Interaction in Automotive
Electronic Stability Program (ESP) and Cruise Control (CC)
ESP: brake if the wheels slip on a wet road
CC: increase speed until the cruise speed is reached
FI detectable by the fact that the two features have contradicting requirements: when a wheel slips below cruise speed, one feature demands braking and the other demands acceleration
5
Security levels in the Bell-LaPadula (BLP) security model
BLP is a mandatory model: a subject may read an object only if its clearance dominates the object's level (no read up), and the decision depends on clearance alone
If high security personnel can use delegation to transfer their access rights to lower security personnel, a low-clearance subject ends up reading objects above its level
FI: Delegation defeats BLP. The requirement "access is decided by clearance alone" and the requirement "a right holder may pass the right on" are inconsistent
6
FI in communications
OCS: Originating Call Screening (a list of parties the subscriber refuses to call)
CF: Call Forward
A has C in its OCS list; B has CF to C
1. A calls B
2. B forwards to C
3. A gets connected to C
FI: CF defeats OCS.
The screening requirement is checked against the dialled number only, never against the party the call is finally delivered to, so forwarding walks around it
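The OCS/CF scenario above, as an added example that is not part of the original slides. Parties A, B and C carry the slide's feature settings (A screens C, B forwards to C); the router applies each party's features hop by hop, the way the two features are naively composed, and a separate check tests the originator's screening requirement against the party actually reached. The `screen_forwards` switch and the party names are assumptions of the example; the switch stands for one possible resolution, re-applying the originator's OCS list at every forwarding hop.

```python
"""Originating Call Screening (OCS) vs Call Forwarding (CF).

Added example, not code from the slides. Routing follows CF hops the way
the two features are naively composed; ocs_violated() states the requirement
OCS exists to enforce and checks it against the final connected party.
The `screen_forwards` switch is an assumed resolution.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Party:
    name: str
    ocs: set = field(default_factory=set)  # parties this subscriber refuses to originate calls to
    cf: Optional[str] = None               # unconditional call-forwarding target, if any


def route(parties, caller, callee, screen_forwards=False):
    """Follow the call from `caller` to `callee` through CF hops.

    Returns (outcome, party) where outcome is 'connected', 'screened' or 'loop'.
    """
    origin = parties[caller]
    if callee in origin.ocs:
        return "screened", callee  # OCS as deployed: checks only the dialled number
    target, visited = callee, {callee}
    while parties[target].cf is not None:
        nxt = parties[target].cf
        if screen_forwards and nxt in origin.ocs:
            return "screened", nxt  # resolution: OCS re-checked at each hop
        if nxt in visited:
            return "loop", nxt      # CF chain that never terminates (B -> C -> B ...)
        visited.add(nxt)
        target = nxt
    return "connected", target


def ocs_violated(parties, caller, outcome, party):
    """The requirement behind OCS: the originator must never be connected to a screened party."""
    return outcome == "connected" and party in parties[caller].ocs


def slide_scenario(screen_forwards=False):
    """Constructed data matching the slide: A has C in its OCS list, B has CF to C."""
    parties = {
        "A": Party("A", ocs={"C"}),
        "B": Party("B", cf="C"),
        "C": Party("C"),
    }
    outcome, party = route(parties, "A", "B", screen_forwards)
    return outcome, party, ocs_violated(parties, "A", outcome, party)


if __name__ == "__main__":
    print(slide_scenario())                      # ('connected', 'C', True): CF defeats OCS
    print(slide_scenario(screen_forwards=True))  # ('screened', 'C', False)
```

The detector does not look inside either feature; it compares the system's final state with a user requirement, which is the sense in which the slide calls the interaction an inconsistency.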
7
Infinite loop FIs
Companies A, B and C have policies where each of them uses the next in a loop as supplier of parts in excess of inventory
This can start a chain reaction with potentially disastrous effects!
(figure: successive orders around the loop: "Send 1000 hockey pucks", "Send 800 pucks", "Send 600 pucks", "Send 400 pucks", "Send 400", ...)
FI: subcontracting defeats itself
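The subcontracting loop above, as an added example that is not part of the original deck. The ring A → B → C → A is the slide's; the capacities (200 units of spare inventory each) and the 1000-puck order are constructed so that the shipments reproduce the slide's sequence 1000, 800, 600, 400, 400, ... Two checks are shown: a static one (the "forward surplus to" relation contains a cycle, so the policies can feed each other) and a dynamic one (a bounded simulation that revisits an identical state, which is enough to conclude the chain never quiesces).

```python
"""Infinite-loop feature interaction: companies forward orders in excess of
their inventory capacity to the next company in a ring.

Added example, not from the original deck. RING is the slide's loop;
CAPACITY and the order size are constructed for the example.
"""


def find_cycle(forward_to):
    """Return the nodes of a cycle in `forward_to` ({company: next company}), or [].

    Every company has at most one successor, so following the chain with a
    visited list is enough to detect a cycle.
    """
    for start in forward_to:
        seen = []
        node = start
        while node is not None and node not in seen:
            seen.append(node)
            node = forward_to.get(node)
        if node is not None:             # chain came back to a company already seen
            return seen[seen.index(node):]
    return []


def simulate(capacity, forward_to, origin, quantity, max_steps=50):
    """Deliver `quantity` parts to `origin`; each company keeps what fits in its
    remaining capacity and forwards the rest to forward_to[company].

    Returns (shipments, status): shipments is a list of (company, quantity);
    status is 'terminated', 'loop' (an identical state recurred, so forwarding
    would go on forever) or 'unknown' (step budget exhausted first).
    """
    cap = dict(capacity)                 # do not mutate the caller's inventory table
    shipments, seen_states = [], set()
    company, remaining = origin, quantity
    while remaining > 0 and len(shipments) < max_steps:
        state = (company, remaining, tuple(sorted(cap.items())))
        if state in seen_states:
            return shipments, "loop"
        seen_states.add(state)
        shipments.append((company, remaining))
        kept = min(remaining, cap[company])
        cap[company] -= kept
        remaining -= kept
        company = forward_to[company]
    return shipments, "terminated" if remaining == 0 else "unknown"


RING = {"A": "B", "B": "C", "C": "A"}        # each company's surplus supplier (from the slide)
CAPACITY = {"A": 200, "B": 200, "C": 200}    # spare inventory space per company (constructed)


if __name__ == "__main__":
    print(find_cycle(RING))                    # ['A', 'B', 'C']: static warning
    print(simulate(CAPACITY, RING, "A", 1000))  # 1000, 800, 600, 400, 400, ... then 'loop'
    print(simulate(CAPACITY, RING, "A", 500))   # three shipments, 'terminated'
```

The static check flags the policy set as suspect for any order size; the simulation shows that the loop only manifests when the total order exceeds the total spare capacity, which is why the slide calls detection tentative and leaves confirmation to a human.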
9
Presence communications features 1
Alice: call Bob urgently about meeting cancellation
Bob's policy: send to voice mail all calls that arrive when I am moving faster than 50 km/h
FI: Bob's policy defeats Alice's urgent call policy
10
Presence communications features 2
Alice: call Bob as soon as he arrives in the building
Bob: call Alice as soon as she arrives in the building
One of the two policies will be defeated by the other: if both arrive together, only one call can be set up between them, and it has a single originator
11
FIs as inconsistencies
There is FI when there is inconsistency between:
Two simultaneous actions of one agent
• ESP – CC example
Two simultaneous actions of two different agents
• 'Call as soon as gets in the building' example
An action and the requirements of a user
Actions and system requirements
• Infinite loop example
Inconsistency of actions is
12
This idea is explicit in
Within an explicit logic framework:
• Felty and Namjoshi, FIW 2000
• Various papers of Aiguier and Le Gall, e.g. Formal Methods 2006 (LNCS 4085)
More generally, talking about 'conflicts', 'broken assumptions', etc.:
• Kolberg, Magill, Wilson, IEEE Comm., 2003
• Gorse, Logrippo, Sincennes, originally in Gorse's Master's thesis of 2000 and eventually published in SoSym 2006
• Metzger et al., FIW 2003 and 2005
• Turner, Blair 2006
• Etc.
13
Interesting aside on logic
Not all inconsistencies we have identified are straight logical inconsistencies…
Some are infinite loops, others may be deadlocks
What is the logic interpretation of an infinite loop or a deadlock? What is the computational interpretation of a logical inconsistency?
Subject of ongoing work on the relationship between lambda calculus and logic
14
How do we know about the conflicts
This can be obvious, in cases where there is a straight contradiction: A and not A
• But this is rarely the case
Most papers leave it to the systems designer to state whether two actions or requirements are in contradiction
• E.g. accept call contradicts disconnect
15
Determining more precisely inconsistency of actions
So action inconsistency is usually a symptom, based on knowledge of expected system behaviour
Detection is tentative: a detection tool identifies possible conflict scenarios, and the interaction must be confirmed by human inspection
16
Next step of analysis: considering pre- & post-conditions
Wu and Schulzrinne have moved forward with this idea (not entirely new…)
Introducing the idea of conflicts between pre- and post-conditions of actions
Whether actions conflict can be determined on the basis of their pre- and post-conditions
This can also provide information on possible FI resolution
17
Use of pre- and post-conditions
Enable(A,B) (positive interaction): the post-condition of A implies the pre-condition of B, i.e. the state A leaves behind is one in which B can fire
Disable(A,B) (negative interaction): the post-condition of A contradicts the pre-condition of B, i.e. after A, B can no longer fire (A merely failing to establish B's pre-condition is not enough to call it a disable)
Conflict of post-conditions (negative interaction): the expected post-conditions of two actions conflict directly
• Special case: they request the same resource
The expected post-conditions of two actions conflict because of parameters (e.g. both set the same attribute, but to different values)
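The Enable / Disable / post-condition-conflict scheme above, as an added example; this is not code from the deck nor from Wu and Schulzrinne. A condition is a conjunction of equalities written as a dict `{variable: value}`. Following the slide's later choice of analysed elements, the variables are the call state and the state of the media, plus a forwarding target so that a conflict due to parameters can be shown; the action table is constructed for the example.

```python
"""Enable / Disable / post-condition conflict between pairs of actions,
computed from their pre- and post-conditions.

Added example; the action table and variable names are constructed.
"""


def implies(p, q):
    """p implies q when every equality q demands is already asserted by p."""
    return all(p.get(var) == val for var, val in q.items())


def contradicts(p, q):
    """p and q contradict when they fix the same variable to different values."""
    return any(var in q and q[var] != val for var, val in p.items())


def sequential(a, b):
    """Action a followed by action b: does a's post-condition enable or disable b?"""
    if contradicts(a["post"], b["pre"]):
        return "disable"    # a destroys something b needs: negative interaction
    if implies(a["post"], b["pre"]):
        return "enable"     # a leaves exactly the state b needs: positive interaction
    return "neutral"        # a neither establishes nor destroys b's pre-condition


def simultaneous(a, b):
    """Actions a and b fired in the same state: variables their post-conditions set differently.

    A non-empty result is a post-condition conflict. A clash on `media` alone is
    the 'same resource' special case; a clash on `target` is a conflict due to parameters.
    """
    return sorted(var for var, val in a["post"].items()
                  if var in b["post"] and b["post"][var] != val)


ACTIONS = {  # constructed action table
    "ring":         {"pre": {"call_state": "idle"},
                     "post": {"call_state": "ringing"}},
    "accept":       {"pre": {"call_state": "ringing"},
                     "post": {"call_state": "connected", "media": "two_way"}},
    "disconnect":   {"pre": {"call_state": "ringing"},
                     "post": {"call_state": "idle", "media": "closed"}},
    "to_voicemail": {"pre": {"call_state": "ringing"},
                     "post": {"call_state": "connected", "media": "recording"}},
    "forward_to_C": {"pre": {"call_state": "ringing"},
                     "post": {"call_state": "forwarded", "target": "C"}},
    "forward_to_D": {"pre": {"call_state": "ringing"},
                     "post": {"call_state": "forwarded", "target": "D"}},
}


def interaction_table(actions=ACTIONS):
    """All ordered pairs with a non-neutral sequential relation or a post-condition clash."""
    rows = {}
    for x in actions:
        for y in actions:
            if x == y:
                continue
            seq = sequential(actions[x], actions[y])
            clash = simultaneous(actions[x], actions[y])
            if seq != "neutral" or clash:
                rows[(x, y)] = (seq, clash)
    return rows


if __name__ == "__main__":
    for pair, result in sorted(interaction_table().items()):
        print(pair, result)
```

"accept call contradicts disconnect" from slide 14 falls out of the table as a clash on both `call_state` and `media`, and every `ring` → other-action pair is an enable; the table is a candidate list in the sense of slide 15, to be confirmed by a designer.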
18
How to choose pre- and post-conditions
Communications systems are very complex, and every action is the result of, and also produces, very complex conditions
Only a few elements can be expressed in pre- and post-conditions that are meant for analysis
These elements can only be chosen in terms of broad generalizations
The choice of these elements is of course vital for producing a useful analysis
In terms of the characteristics of APPEL, we have chosen to focus on two elements: call states and the state of the media
19
How to determine conflicts
Similarly, conflicts must be determined in terms of broad generalizations
E.g. if one action requests a resource of a certain type, then it might disable another action that requires the same type of resources
These generalizations can be made more specific when more information is available
20
Example 1 (figure only; not reproduced in the transcript)
21
How to detect
Specifications must be made precise! Sometimes they are already sufficiently precise, e.g. in an XML-based language
• E.g. BPEL
Constraint Logic Programming: given a set of logic constraints, CLP tools can tell whether
• there is a solution (the constraints are satisfiable), or
• there is no solution, in which case the scenario or combination of constraints that cannot be met is the counterexample
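A consistency check of the kind described above, by exhaustive search over a small propositional encoding, as an added example; it is not from the deck and stands in for the CLP tools it mentions. Policies are constraints over a model (a dict of booleans). Environment variables describe the situation; the remaining variables are the actions the system may take. For every situation the checker asks whether some choice of actions satisfies all constraints; the situations with no such choice are the feature interaction scenarios, reported as counterexamples. The two encodings (slide 10's mutual "call on arrival" policies and slide 4's ESP vs CC) and the "system fact" that closes each one are assumptions of the example.

```python
"""Consistency check of a policy set by exhaustive search.

Added example, not from the deck. The encodings of the slide 10 and slide 4
policies and their closing system facts are assumptions.
"""
from itertools import product


def solve(free_vars, constraints, fixed):
    """Return a model extending `fixed` that satisfies every constraint, or None."""
    for values in product([False, True], repeat=len(free_vars)):
        model = dict(fixed, **dict(zip(free_vars, values)))
        if all(pred(model) for _, pred in constraints):
            return model
    return None


def conflict_scenarios(env_vars, free_vars, constraints):
    """Situations (assignments to env_vars) under which the constraints are unsatisfiable."""
    bad = []
    for env_values in product([False, True], repeat=len(env_vars)):
        env = dict(zip(env_vars, env_values))
        if solve(free_vars, constraints, env) is None:
            bad.append(env)
    return bad


# Slide 10: Alice calls Bob when he arrives, Bob calls Alice when she arrives.
# Assumed system fact: one call between the two has exactly one originator.
ARRIVAL_POLICIES = [
    ("alice_policy", lambda m: not m["bob_arrives"] or m["alice_calls_bob"]),
    ("bob_policy",   lambda m: not m["alice_arrives"] or m["bob_calls_alice"]),
    ("one_call",     lambda m: not (m["alice_calls_bob"] and m["bob_calls_alice"])),
]

# Slide 4: ESP brakes on wheel slip, CC accelerates while below cruise speed.
# Assumed system fact: the car cannot brake and accelerate at the same time.
CAR_POLICIES = [
    ("esp",     lambda m: not m["wheels_slip"] or m["brake"]),
    ("cc",      lambda m: not m["below_cruise_speed"] or m["accelerate"]),
    ("physics", lambda m: not (m["brake"] and m["accelerate"])),
]


def arrival_conflicts():
    return conflict_scenarios(["bob_arrives", "alice_arrives"],
                              ["alice_calls_bob", "bob_calls_alice"], ARRIVAL_POLICIES)


def car_conflicts():
    return conflict_scenarios(["wheels_slip", "below_cruise_speed"],
                              ["brake", "accelerate"], CAR_POLICIES)


if __name__ == "__main__":
    print(arrival_conflicts())  # [{'bob_arrives': True, 'alice_arrives': True}]
    print(car_conflicts())      # [{'wheels_slip': True, 'below_cruise_speed': True}]
```

Each policy is satisfiable on its own and in every situation where only one trigger holds; the inconsistency appears only in the joint situation, which is exactly the output a designer needs in order to decide on a resolution.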
22
How to solve
Resolution is a more complex problem; it will depend on
• user intentions: try to identify user goals
• this may require an interactive system
Solution methods will vary according to the application domain
23
Conclusions
Complex designs require the composition of complex features
With a lot of user control over what will happen in different situations (user policies)
Introduction of these features will require sophisticated methods to control the different situations of feature conflict