david greaves - sensorcom08 - france. using a.net checkability profile to limit interactions between...
TRANSCRIPT
David Greaves - SENSORCOM08 - France.
Using a .net Checkability Profile to Limit Interactions
between Embedded Controllers.
David Greaves, Atif AlviTope Omitola, Daniel Gordon.
University of CambridgeComputer Laboratory
David Greaves - SENSORCOM08 - France.
A Vision of Evolution for UbiComp
– A myriad of devices connected to the network.
– All devices are connected and share a common, all-pervasive, middleware.
– Devices contain controllable and controlling components.
David Greaves - SENSORCOM08 - France.
Rules of the Domain• No rule should issue a command under the same circumstances where
another rule issues the counter-rule.
• Inlet and outlet valves must not both be open at once.
• Fire Alarm must mute all music sources.
• The front gates must always be remotely openable by some method or other.
David Greaves - SENSORCOM08 - France.
Feature Interaction Detection
• Can we define a framework for code management in a UbiComp or Sensor/Actuator network that enables proof of safety and liveness ?
• We propose using a .net bytecode framework and evaluate its cost and flexibility.
David Greaves - SENSORCOM08 - France.
Component Architecture
• We partition all devices and services in to– Pebbles (sensors, actuators, software processes)– Applications (heating control, burglar alarm, CD
player control...)
• Further, we partition application code so it contains no device drivers, dynamic storage, dynamic binding and uses simple network I/O to all pebbles.
David Greaves - SENSORCOM08 - France.
1. The following separate devices, each of which can be individually useful in a networked home:
Lets look at what a modern TV set contains:
A Device: A collection of Pebbles and a Canned App
2. A canned application that joins the components.
• RF Tuner
• Colour Display
• Ni-Cam Audio Decoder
• Power Amplifier
• Surround Sound Decoder
• IR Receiver
• Teletext Decoder
• MPEG Decoder
• Programming Memory
• Front Panel User Interface
David Greaves - SENSORCOM08 - France.
Automated Directory Systems Work
• Devices register in an ad hoc database– eg. UPnP’s SSDP, INS and O2S Oxygen system
• Devices can be found by service offered– eg. A colour printer on floor 3 west.
• Retrieval by conjunction of predicates
(Few successful deployments.
Unexpected behaviours.
Load balancing/path finding unsupported.)
David Greaves - SENSORCOM08 - France.
Controllers Vs The Controlled• API Reflection is now a Mature Technology
• It will be further deployed (?)– X-by-wire, Field Busses, Sensor Networks, CAN.– EDDL, XDDL, Embedded Systems
• Code Reflection has seen virtually no work!– i.e. how do devices describe their embedded
behaviour– and how is reactive behaviour between actuators
and sensors captured ?
David Greaves - SENSORCOM08 - France.
Code Reflection• A device must expose the proactive behaviour
of its canned application(s)– Actual source code (constrained language)– Proof carrying actual source code– Summary of behaviour
– E.G. I will not send control messages when I am in standby mode.
– E.G. I am always off between 1:00 and 5:00.
• Device is banned from full operation within domain unless proof obligations are met.
David Greaves - SENSORCOM08 - France.
An Example .net CD player.
• We built a CD/DVD player according to our component architecture.
• The application code was implemented in a pair of .net code bundles.
• The bytecode can be read out by a domain controller and checked, along with the other participating applications in the domain, against the rules of the domain.
David Greaves - SENSORCOM08 - France.
David Greaves - SENSORCOM08 - France.
Pebbles ProjectGeneral
Flow
David Greaves - SENSORCOM08 - France.
CD/DVD Player Components
David Greaves - SENSORCOM08 - France.
CD/DVD Player Block Diagram
David Greaves - SENSORCOM08 - France.
Software Costs
• Embedded devices have limited capabilities, especially RAM, but ROM is not so critical.
• XML parsing is expensive in RAM use.• We have implemented .net interpreter,
HTTP server and XML output all at 'reasonable' cost.
David Greaves - SENSORCOM08 - France.
David Greaves - SENSORCOM08 - France.
Heap and Stack Ram Use
David Greaves - SENSORCOM08 - France.
Checkability Classes ?• We have imposed a checkability profile on the .net
bundles.• Current profile is finite-state and strictly limited in IO
libraries used.
• All participating applications in the domain must correspond to our profile.
• In the future, can define a richer class, based on linear integer programming, Presburg and so on.
David Greaves - SENSORCOM08 - France.
Conclusions
• Running a 'complex' software stack is not a real obstacle, but don't parse too much XML.
• Using .net bytecode in embedded systems can be fast and compact enough, otherwise reflect your behaviour in .net while executing something else.
• We need to explore incremental model checking.• We need to formally define our checkability class.
David Greaves - SENSORCOM08 - France.
The End
• www.cl.cam.ac.uk/Research/SRG/HAN/Pebbles
• The Pebbles, AutoHAN and Oxygen O2S Teams