trustworthy self assembly a use case for distributed
play

Trustworthy Self-Assembly: A Use-Case for Distributed Runtime - PowerPoint PPT Presentation

Jul 31, 2023 •184 likes •491 views

Trustworthy Self-Assembly: A Use-Case for Distributed Runtime Verification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Self-Integrating Systems 1 Introduction: Systems of Systems

  1. Trustworthy Self-Assembly: A Use-Case for Distributed Runtime Verification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Self-Integrating Systems 1

  2. Introduction: Systems of Systems • We’re familiar with systems built from components • But increasingly, we see systems built from other systems ◦ Systems of Systems • The component systems have their own purpose ◦ Maybe at odds with what we want from them • And they generally have vastly more functionality than we require ◦ Provides opportunities for unexpected behavior ◦ Bugs, security exploits etc. (e.g., CarShark) • Difficult when trustworthiness required ◦ May need to wrap or otherwise restrict behavior of component systems ◦ So, traditional integration requires bespoke engineering John Rushby, SR I Self-Integrating Systems 2

  3. Accidental Systems of Systems • Whether intended or not, systems necessarily interact with their neighbors through the effect each has on the environment of the others ◦ Stigmergic interactions ◦ Particularly those involving the “plant” • Unmanaged interactions can be deleterious • Get emergent misbehavior • So better if systems are open (to interactions) and adaptive • Not all interactions can be pre-planned • So systems need to self-integrate at runtime John Rushby, SR I Self-Integrating Systems 3

  4. Self-Assembling/Self-Integrating Systems • Imagine systems that recognize each other and spontaneously integrate ◦ Possibly under the direction of an “integration app” ◦ Examples on next several slides • As noted, systems often interact through shared “plant” whether we want it or not (stigmergy) ◦ Separate medical devices attached to same patient ◦ Car and roadside automation (autonomous driving and traffic lights) And it would be best if they “deliberately” integrated • These systems need to “self integrate” or “self assemble” • And we want the resulting system to be trustworthy • That’s a tall order • Note that desirable system properties can break local ones through downward causation John Rushby, SR I Self-Integrating Systems 4

  5. Scenarios • I’ll describe some scenarios, mostly from medicine • And most from Dr. Julian Goldman (Mass General) ◦ “Operating Room of the Future” and ◦ “Intensive Care Unit of the Future” • There is Medical Device Plug and Play (MDPnP) that enables basic interaction between medical devices • And the larger concept of “Fog Computing” to provide relaible, scaleable infrastructure for integration • But I’m concerned with what the systems do together rather than the mechanics of their interaction John Rushby, SR I Self-Integrating Systems 5

  6. Anesthesia and Laser • Patient under general anesthesia is generally provided enriched oxygen supply • Some throat surgeries use a laser • In presence of enriched oxygen, laser causes burning, even fire • Want laser and anesthesia machine to recognize each other • Laser requests reduced oxygen from anesthesia machine • But. . . ◦ Need to be sure laser is talking to anesthesia machine connected to this patient ◦ Other (or faulty) devices should not be able to do this ◦ Laser should light only if oxygen really is reduced ◦ In emergency, need to enrich oxygen should override laser John Rushby, SR I Self-Integrating Systems 6

  7. Other Examples • I’ll skip the rest in the interests of time • But they are in the slides (marked SKIP) John Rushby, SR I Self-Integrating Systems 7

  8. Heart-Lung Machine and X-ray SKIP • Very ill patients may be on a heart-lung machine while undergoing surgery • Sometimes an X-ray is required during the procedure • Surgeons turn off the heart-lung machine so the patient’s chest is still while the X-ray is taken • Must then remember to turn it back on • Would like heart-lung and X-ray mc’s to recognize each other • X-ray requests heart-lung machine to stop for a while ◦ Other (or faulty) devices should not be able to do this ◦ Need a guarantee that the heart-lung restarts • Better: heart lung machine informs X-ray of nulls John Rushby, SR I Self-Integrating Systems 8

  9. Patient Controlled Analgesia and Pulse Oximeter SKIP • Machine for Patient Controlled Analgesia (PCA) administers pain-killing drug on demand ◦ Patient presses a button ◦ Built-in (parameterized) model sets limit to prevent overdose ◦ Limits are conservative, so may prevent adequate relief • A Pulse Oximeter (PO) can be used as an overdose warning • Would like PCA and PO to recognize each other • PCA then uses PO data rather than built-in model • But that supposes PCA design anticipated this • Standard PCA might be enhanced by an app that manipulates its model thresholds based on PO data • But. . . John Rushby, SR I Self-Integrating Systems 9

  10. PCA and Pulse Oximeter (ctd.) SKIP • Need to be sure PCA and PO are connected to same patient • Need to cope with faults in either system and in communications ◦ E.g., if the app works by blocking button presses when an approaching overdose is indicated, then loss of communication could remove the safety function ◦ If, on the other hand, it must approve each button press, then loss of communication may affect pain relief but not safety ◦ In both cases, it is necessary to be sure that faults in the blocking or approval mechanism cannot generate spurious button presses • This is hazard analysis and mitigation at integration time John Rushby, SR I Self-Integrating Systems 10

  11. Blood Pressure and Bed Height SKIP • Accurate blood pressure sensors can be inserted into intravenous (IV) fluid supply • Reading needs correction for the difference in height between the sensor and the patient • Sensor height can be standardized by the IV pole • Some hospital beds have height sensor ◦ Fairly crude device to assist nurses • Can imagine an ICU where these data are available on the local network • Then integrated by monitoring and alerting services • But. . . John Rushby, SR I Self-Integrating Systems 11

  12. Blood Pressure and Bed Height (ctd.) SKIP • Need to be sure bed height and blood pressure readings are from same patient • Needs to be an ontology that distinguishes height-corrected and uncorrected readings • Noise- and fault-characteristics of bed height sensor mean that alerts should be driven from changes in uncorrected reading • Or, since, bed height seldom changes, could synthesize a noise- and fault-masking wrapper for this value • Again, hazard analysis and mitigation at integration time John Rushby, SR I Self-Integrating Systems 12

  13. What’s the Problem? • Could build all these as bespoke systems • More interesting is the idea that the component systems discover each other, and self integrate into a bigger system • Initially will need an extra component, the integration app to specify what the purpose should be • But later, could be more like the way human teams assemble to solve difficult problems ◦ Negotiation on goals, exchange information on capabilities, rules, and constraints • I think this is how the Internet of Things will evolve John Rushby, SR I Self-Integrating Systems 13

  14. What’s the Problem? (ctd. 1) • Since they were not designed for it • It’s unlikely the systems fit together perfectly • So will need shims, wrappers, adapters etc. • So part of the problem is the “self ” in self integration • How are these adaptations constructed during self integration? John Rushby, SR I Self-Integrating Systems 14

  15. What’s the Problem? (ctd. 2) • In many cases the resulting assembly needs to be trustworthy ◦ Preferably do what was wanted ◦ Definitely do no harm • Even if self-integrated applications seem harmless at first, will often get used for critical purposes as users gain (misplaced) confidence ◦ E.g., my Chromecast setup for viewing photos ◦ Can imagine surgeons using something similar (they used Excel!) • So how do we ensure trustworthiness? John Rushby, SR I Self-Integrating Systems 15

  16. Aside: System Assurance • State of the art in system assurance is the idea of a safety case (more generally, an assurance case) ◦ An argument that specified claims are satisfied, based on evidence (e.g., tests, analyses) about the system • System comes with machine-processable online rendition of its assurance case ◦ Not standard yet, but Japanese DEOS project does it ◦ Essentially a proof, built on premises justified by evidence (see my AAA15 paper, cf. ones on Ontological Argument) • Ideally: when systems self integrate, assurance case for the overall system is constructed automatically from the cases of the component systems • Hard because safety often does not compose ◦ E.g., because there are new hazards ◦ Recall laser and anesthesia John Rushby, SR I Self-Integrating Systems 16

  17. What’s the Problem? (ctd. 3) • While building the assurance case at self-integration time • Likely must eliminate or mitigate some hazards • May be able to do this by wrappers, or by monitoring • Aside: the power of monitors ◦ A monitor can be very simple ◦ Can make a claim that it is probably fault-free ⋆ This is the claim that verification delivers ◦ Prob. of failure of system is then ⋆ prob. of failure of operational component times prob. monitor is fault-free ◦ Nb. cannot multiply probs. of failure ◦ See TSE 2012 paper by Littlewood and me • How do these wrappers and monitors get built? John Rushby, SR I Self-Integrating Systems 17

Recommend

Towards Distributed Trustworthy Traceability and Accountability Jrn Erbguth a and Jean-Henry

Towards Distributed Trustworthy Traceability and Accountability Jrn Erbguth a and Jean-Henry

Towards Distributed Trustworthy Traceability and Accountability Jrn Erbguth a and Jean-Henry Morin a b a University of Geneva, CUI - ISS, 1227 Carouge, Switzerland Tel: +41 787256027, E-mail: erbguth@unige.ch - Tel: +41 22 379 02 55, E-mail:

177 views • 3 slides
TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies for Local Responding To and Trust Assessment Area Monitoring and Area

291 views • 8 slides
Distributed File Systems Issues in Distributed File Service Case Studies: Sun

Distributed File Systems Issues in Distributed File Service Case Studies: Sun

CPSC-662 Distributed Computing Distributed File Systems Distributed File Systems Issues in Distributed File Service Case Studies: Sun Network File System Coda File System Web Reading: Coulouris: Distributed

318 views • 12 slides
Trustworthy Technologies for Local Area Management, Monitoring, and Control Tom Overbye Number

Trustworthy Technologies for Local Area Management, Monitoring, and Control Tom Overbye Number

Trustworthy Technologies for Local Area Management, Monitoring, and Control Tom Overbye Number of Activities: 5 2012 Industry Workshop October 30, 2012 | 1 TCIPG Technical Clusters and Threads Trustworthy Technologies Trustworthy

419 views • 10 slides
Trustworthy Computing * Reverse engineers agree on that! Trustworthy Computing Trustworthy

Trustworthy Computing * Reverse engineers agree on that! Trustworthy Computing Trustworthy

Trustworthy Computing * Reverse engineers agree on that! Trustworthy Computing Trustworthy Computing Trustworthy Computing Trustworthy Computing Trustworthy Computing Trustworthy Computing *

753 views • 63 slides
Distributed Systems Lecture 13 Case study: CORBA Josva Kleist Unit for Distributed Systems and

Distributed Systems Lecture 13 Case study: CORBA Josva Kleist Unit for Distributed Systems and

Distributed Systems Lecture 13 Case study: CORBA Josva Kleist Unit for Distributed Systems and Semantics Aalborg University DS E02 Lec13 1 CORBA main points CORBA consists of generic services as well as a language- independent RMI

351 views • 33 slides
Trustworthy Technologies for Wide Area Monitoring and Control Carl Hauser Number of Activities:

Trustworthy Technologies for Wide Area Monitoring and Control Carl Hauser Number of Activities:

Trustworthy Technologies for Wide Area Monitoring and Control Carl Hauser Number of Activities: 9 2012 Industry Workshop October 30, 2012 | 1 TCIPG Technical Clusters and Threads Trustworthy Technologies Trustworthy Technologies Responding

249 views • 12 slides
Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit: 25 September 2019 www.data61.csiro.au Overview What is a Trustworthy System? What does

747 views • 26 slides
stakeholders involvement Case USA Africa Regional Standards Organization General Assembly

stakeholders involvement Case USA Africa Regional Standards Organization General Assembly

Development of standards and stakeholders involvement Case USA Africa Regional Standards Organization General Assembly Durban, South Africa June 20, 2018 Unofficial Document for Presentation Purposes Only International Trade

422 views • 15 slides
Analysis of path exclusions at the assembly level 7th Int'l Workshop on Worst-Case Execution

Analysis of path exclusions at the assembly level 7th Int'l Workshop on Worst-Case Execution

Analysis of path exclusions at the assembly level 7th Int'l Workshop on Worst-Case Execution Time (WCET) Analysis Ingmar Stein, Florian Martin ingmar@absint.com The Goal A Jump conditions B C are equivalent 10 100 D E F 200 110

411 views • 24 slides
Does Distributed Development Affect Software Quality? An Empirical Case Study of Windows Vista

Does Distributed Development Affect Software Quality? An Empirical Case Study of Windows Vista

Does Distributed Development Affect Software Quality? An Empirical Case Study of Windows Vista By C. Bird, N. Nagappan, P. Devanbu, H. Gall, B. Murphy Presented by Tanja Werthmller 1 Overview 1.What is distributed development - What does

412 views • 12 slides
Invited talk, 12th International Conference on Distributed Computing and Internet Technology

Invited talk, 12th International Conference on Distributed Computing and Internet Technology

Invited talk, 12th International Conference on Distributed Computing and Internet Technology (ICDCIT), Bhubaneswar, India, January 2016 Trustworthy Self-Integrating Systems John Rushby Computer Science Laboratory SRI International Menlo Park,

482 views • 27 slides
NFS Heterogeneous systems must be supported Different HW, OS, underlying file system

NFS Heterogeneous systems must be supported Different HW, OS, underlying file system

Distributed File Systems Distributed Systems Case Studies NFS AFS CODA DFS SMB CIFS Distributed File Systems Dfs WebDAV GFS Gmail -FS ? xFS Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted,

430 views • 19 slides
HATS: Highly Adaptable & Trustworthy Software Using Formal Models Reiner H ahnle

HATS: Highly Adaptable & Trustworthy Software Using Formal Models Reiner H ahnle

Titlepage HATS: Highly Adaptable & Trustworthy Software Using Formal Models Reiner H ahnle Chalmers University of Technology, Gothenburg, Sweden Sophia-Antipolis, 23 October 2008 R. H ahnle HATS: Adaptable & Trustworthy

563 views • 28 slides
Presentations TCIP: Trustworthy Cyber Infrastructure for Power y y Overview Presented by:

Presentations TCIP: Trustworthy Cyber Infrastructure for Power y y Overview Presented by:

Trustworthy Cyber Infrastructure for the Power Grid Presentations TCIP: Trustworthy Cyber Infrastructure for Power y y Overview Presented by: William H. Sanders TCIP Industry Workshop, October 17, 2007 University of Illinois

303 views • 9 slides
Use Case for Distributed Data Center in SUPA draft-cheng-supa-ddc-use-cases Y. Cheng, L. M.

Use Case for Distributed Data Center in SUPA draft-cheng-supa-ddc-use-cases Y. Cheng, L. M.

Use Case for Distributed Data Center in SUPA draft-cheng-supa-ddc-use-cases Y. Cheng, L. M. Contreras, JF. Tremblay, J. Bi draft-xie-inter-dc-traffic-optimization C. Xie Q. Sun IETF 92, Dallas, March 2015 Sub-use case 1:

360 views • 9 slides
Gaining Confidence in the Correctness of Robotic and Autonomous Systems Kerstin Eder Trustworthy

Gaining Confidence in the Correctness of Robotic and Autonomous Systems Kerstin Eder Trustworthy

Gaining Confidence in the Correctness of Robotic and Autonomous Systems Kerstin Eder Trustworthy Systems Laboratory Verification and Validation for Safety in Robots, Bristol Robotics Laboratory Designing Trustworthy Systems Create flawless

898 views • 65 slides
Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Quantitative &

Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Quantitative &

Trustworthy Cyber Infrastructure for the Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Quantitative & Qualitative Evaluation Presented by David Nicol TCIP Year 1 Review, December 11, 2006 University of

274 views • 13 slides
Winstronics ELECTRONIC ASSEMBLY MANUFACTURING 2016 PRESENTATION W W W . W I N S T R O N I C S .

Winstronics ELECTRONIC ASSEMBLY MANUFACTURING 2016 PRESENTATION W W W . W I N S T R O N I C S .

Winstronics ELECTRONIC ASSEMBLY MANUFACTURING 2016 PRESENTATION W W W . W I N S T R O N I C S . C O M Winstronics Assembly Offering Wire Harness Assembly Overmolded Cables/USB/HDMI Coil Cords Printed Circuit Board Assembly

814 views • 32 slides
Assembly Language Introduction Learning Objectives Explain what assembly language is

Assembly Language Introduction Learning Objectives Explain what assembly language is

Assembly Language Introduction Learning Objectives Explain what assembly language is Define Registers Instruction Operands Produce assembly from C 9/22/2015 CS61 Fall 2015 1 What is assembly? Yet another layer

450 views • 7 slides
Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Secure and Reliable

Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Secure and Reliable

Trustworthy Cyber Infrastructure for the Presentations Power Grid TCIP: Trustworthy Cyber Infrastructure for Power Secure and Reliable Computing Base Presenters: Sean Smith, Ravi Iyer, and Carl Gunter TCIP Year 1 Review, December 11, 2006

346 views • 17 slides
enterprise REST a case study twitter:@BrandonByars the eight fallacies of distributed

enterprise REST a case study twitter:@BrandonByars the eight fallacies of distributed

enterprise REST a case study twitter:@BrandonByars the eight fallacies of distributed programming the network is reliable topology doesnt change latency is zero there is one administrator bandwidth is infinite

659 views • 48 slides
Distributed Systems CS425/ECE428 05/01/2020 Todays agenda Distributed key-value stores

Distributed Systems CS425/ECE428 05/01/2020 Todays agenda Distributed key-value stores

Distributed Systems CS425/ECE428 05/01/2020 Todays agenda Distributed key-value stores Intro to key-value stores Design requirements and CAP Theorem Case study: Cassandra Acknowledgements: Prof. Indy Gupta Recap Cloud

840 views • 44 slides
Presentations Trustworthy Cyber Infrastructure for Power (TCIP) Protection Detection and

Presentations Trustworthy Cyber Infrastructure for Power (TCIP) Protection Detection and

Trustworthy Cyber Infrastructure for the Power Grid Presentations Trustworthy Cyber Infrastructure for Power (TCIP) Protection Detection and Response Mechanisms Klara Nahrstedt , Illinois , Zbigniew Kalbarczyk , Illinois University of

256 views • 15 slides

More recommend