Shengwei An,Xiaoxing Ma,Chun Cao,Ping Yu,Chang Xu

DOI: https://doi.org/10.1109/QRS.2015.33

2015-01-01

Abstract:Dynamic Software Update (DSU) is a technique to upgrade running programs without shutting them down. DSU can improve system availability and maintenance flexibility. However, its adoption in practice is still limited due to the risk of system misbehavior that careless DSU may bring. To reduce this risk we propose a formal framework for the specification and verification of DSU. Different from previous approaches where DSU is described from the viewpoint of program's internal state transitions, our framework focuses on program's external behavior and its effect on its environment. This more abstract view avoids over specification of DSU and allows for better DSU flexibility. Based on this framework, we also devise a mechanism that automatically synthesizes runtime monitors to improve DSU timeliness without compromising its safety.

Gang Chen,Hai Jin,Deqing Zou,Zhenkai Liang,Bing,Hao Wang

DOI: https://doi.org/10.1109/tpds.2015.2430854

IF: 5.3

2016-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Dynamic software updating (DSU) enables a program to be patched on the fly without being shutdown. This paper addresses the practicality problem of the recent research on DSU systems, and presents Replus, a new DSU system that balances practicality and functionality. Replus aims to retain backward binary compatibility and support multi-threaded programs. In addition, it does not require customers to have developer-level software knowledge. More importantly, without specific compiler support, Replus can patch programs that are difficult to be updated at runtime, as well as programs that may incur an indefinite delay in DSU. The key technique of our solution is to update the stack elements for the patched program using two new mechanisms: Immediate Stack Updating, which immediately updates the stack of a thread, and timely stack updating, which only updates the stack frames of the necessary functions without affecting others. Replus also develops an Instruction Level Updating mechanism, which is more efficient for certain security patches. We used popular server applications as test suites to evaluate the effectiveness of Replus. The experimental results demonstrated that Replus can successfully update all the test suites with negligible impact on application performance.

Tianxiao Gu,Zelin Zhao,Xiaoxing Ma,Chang Xu,Chun Cao,Jian Lu

DOI: https://doi.org/10.1109/apsec.2016.044

2016-01-01

Abstract:Dynamic software updating (DSU) is a technique that can update running software systems without stopping them. Most existing approaches require programmer participation to guarantee the correctness of dynamic updating. However, manually preparing dynamic updating is error-prone and time-consuming. Therefore, other approaches prefer to aggressively perform updating without programmer intervention, which may definitely lead to unanticipated runtime errors. To reduce human effort and enhance the reliability for dynamic updating, we leverage automatic runtime recovery (ARR) techniques to recover runtime errors caused by improper dynamic updating. This paper presents ADSU, a fully automatic DSU system using ARR. We evaluate ADSU with real updates from widely used open source software systems, i.e., Apache Tomcat, Apache FTP Server and jEdit. The preliminary results have shown that ADSU succeeds in automatically applying 11 of 16 real-world updates that existing counterparts cannot.

Zelin Zhao,Xiaoxing Ma,Chang Xu,Wenhua Yang

2004-01-01

Abstract:Due to the demand for bugs fixing and features enhancements, developers inevitably need to update in-use software systems. Instead of shutting down a running software before updating, it is often desirable and sometimes mandatory to patch the running software system on the fly, with a mechanism generally referred as dynamic software updating (DSU). Practical DSU strategies often require manual specification of update points in the program for performing dynamic updates. At these points DSU systems will update the program code, and also migrate the program state to the new version program (using state transformer functions). However, finding appropriate update points is non-trivial because the choice of update points has great influence on two competing factors: the timeliness of DSU and the complexity of state transformer functions; and to strike a good balance between them requires a deep understanding of both versions of the program. In this paper, we propose a technique that automates the recommendation of update points. We carried out a preliminary study about the feasibility and effectiveness of this technique. By conducting a set of experiments based on an actual DSU case, we found that our technique is automatic, wide-covered and efficient.

Xinyu Feng,Zhong Shao,Yu Guo,Yuan Dong

DOI: https://doi.org/10.1007/978-3-540-87873-5_8

2008-01-01

Abstract:A major challenge for verifying completesoftware systems is their complexity. A complete software system consists of program modules that use many language features and span different abstraction levels (e.g. user code and run-time system code). It is extremely difficult to use one verification system (e.g. type system or Hoare-style program logic) to support all these features and abstraction levels. In our previous work, we have developed a new methodology to solve this problem. We apply specialized "domain-specific" verification systems to verify individual program modules and then link the modules in a foundational open logical framework to compose the verified complete software package. In this paper, we show how this new methodology is applied to verify a software package containing implementations of preemptive threads and a set of synchronization primitives. Our experience shows that domain-specific verification systems can greatly simplify the verification process of low-level software, and new techniques for combining domain-specific and foundational logics are critical for the successful verification of complete software systems.

Zelin Zhao,Xiaoxing Ma,Chang Xu,Wenhua Yang

DOI: https://doi.org/10.1145/2677832.2677853

2014-01-01

Abstract:Due to the demand for bugs fixing and feature enhancements, developers inevitably need to update in-use software systems. Instead of shutting down a running system before updating, it is often desirable and sometimes mandatory to patch the running software system on the fly, with a mechanism generally referred as dynamic software updating (DSU). Practical DSU strategies often require manual specification of update points in the program for performing dynamic updates. At these points DSU systems will update the program code, and also migrate the program state to the new version program (using transformation functions). However, finding appropriate update points is non-trivial because the choice of update points has great influence on two competing factors: the timeliness of DSU and the complexity of transformation functions; and to strike a good balance between them requires a deep understanding of both versions of the program. In this exploratory paper, we conceive an automated approach to the recommendation of update points for developers. We conduct a set of preliminary experiments with a real world software update case to examine the feasibility of the approach.

Yuhong Zhao,Franz J. Rammig

DOI: https://doi.org/10.1109/isorc.2012.28

2012-01-01

Abstract:This paper presents a lightweight verification technique, which is applicable to dependable real-time systems, provided that the (abstract) model and the (concrete) implementation of the system under test are given in advance. In addition to the usual quality assurance techniques at design time (e.g., formal verification) and at implementation time (e.g., testing), we provide a special form of model checking at run time. That is, we check the correctness of an actual system execution by means of exploring a partial model space covering the current execution trace. In doing so, concrete state information is observed from time to time while the system to be checked is running. This runtime information is used to guide model checking to reduce the model space to be explored. In this sense, we call this method online model checking. Since we do not directly check the execution trace itself, our online checking at model level is capable of checking a running system some steps ahead of the actual state of execution. In this paper, we describe online model checking as well as the underlying system architecture in general, explain the basic algorithm and its extension to improve performance, and provide experimental results.

Martin Kardos,Yuhong Zhao

DOI: https://doi.org/10.1007/1-4020-8149-9_3

2004-01-01

Abstract:System level design incorporating system modeling and formal specification in combination with formal verification can substantially contribute to the correctness and quality of the embedded systems and consequently help reduce the development costs. Ensuring the correctness of the designed system is, of course, a crucial design criterion especially when complex distributed (realtime) embedded systems are considered. Therefore, this paper aims at presenting a verification framework designated for formal verification and validation of UML-based design of embedded systems. It first introduces an approach of using the AsmL language for acquiring formal models of the UML semantics and consequently presents an on-the-fly model checking technique designed to run the formal verification directly over those semantic models.

Junrong Shen,Xi Sun,Gang Huang,Wenpin Jiao,Yanchun Sun,Hong Mei

DOI: https://doi.org/10.1145/1081706.1081720

2005-01-01

ACM SIGSOFT Software Engineering Notes

Abstract:The continuous requirements of evolving a delivered software system and the rising cost of shutting down a running software system are forcing researchers and practitioners to find ways of updating software as it runs. Dynamic update is a kind of software evolution that updates a running program without interruption. This paper covers the fundamental issues of the mechanisms of dynamic update theoretically. Based on a similarity analysis of many typical approaches to dynamic update during the past decades, we propose a unified formal model (namely, Dynamic Update Connector) to specify mechanisms of updating an architectural component, and reason about its properties. The model borrows the concept of connectors from software architecture community and is specified using process algebra CSP. We also demonstrate the applications of our DUC model.

Yu Zhou,Jidong Ge,Pengcheng Zhang,Weigang Wu

DOI: https://doi.org/10.1007/s11432-015-5332-8

2016-01-01

Science China Information Sciences

Abstract:Dynamic evolution is highly desirable for service oriented systems in open environments. For the evolution to be trusted, it is crucial to keep the process consistent with the specification. In this paper, we study two kinds of evolution scenarios and propose a novel verification approach based on hierarchical timed automata to model check the underlying consistency with the specification. It examines the procedures before, during and after the evolution process, respectively and can support the direct modeling of temporal aspects, as well as the hierarchical decomposition of software structures. Probabilities are introduced to model the uncertainty characterized in open environments and thus can support the verification of parameter-level evolution. We present a flattening algorithm to facilitate automated verification using the mainstream timed automata based model checker –UPPAAL(integrated with UPPAAL-SMC). We also provide a motivating example with performance evaluation that complements the discussion and demonstrates the feasibility of our approach.

Xiaohui Xu,Linpeng Huang,Dejun Wang,Junqing Chen

DOI: https://doi.org/10.48550/arXiv.1011.6496

2010-11-30

Abstract:It is important to enable reasoning about the meaning and possible effects of updates to ensure that the updated system operates correctly. A formal, mathematical model of dynamic update should be developed, in order to understand by both users and implementors of update technology what design choices can be considered. In this paper, we define a formal calculus $update\pi$, a variant extension of higher-order $\pi$ calculus, to model dynamic updates of component-based software, which is language and technology independent. The calculus focuses on following main concepts: proper granularity of update, timing of dynamic update, state transformation between versions, update failure check and recovery. We describe a series of rule on safe component updates to model some general processes of dynamic update and discuss its reduction semantics coincides with a labelled transition system semantics that illustrate the expressive power of these calculi.

Logic in Computer Science

Tang Shan,Peng Xin,Zhao Wen-yun,Liu Yi-ming

2006-01-01

Abstract:One of the urgent problems in software engineering is how to guarantee the correctness of software architecture evolution. Model checking is an approach which is used to verify properties of systems. Generally, it checks whether a given model satisfies some special property which are expressed by linear temporal logic through checking all of states of the target model. Since the complexity of the model checking mainly depends on the amount of number of the states, the most intractable problems of the approach are lack of memory and the state space explosion. There are few effective model checking approaches for large scale dynamic software architecture, this paper proposes a modular model checking strategy based on linear temporal logic. From two different levels: the component composing the system and the whole system, this paper discusses how to verify dynamic software architecture in detail, gives the corresponding algorithms and introduces an e-business case to illustrate the availability of our approach. Keyword: Dynamic Software Architecture, Model Checking, Linear Temporal Logic, Automaton

Weigang Ma,Xinhong Hei

DOI: https://doi.org/10.1109/ICCASM.2010.5620084

2010-01-01

Abstract:A modeling and verification methodology is presented for railway interlocking system which is regarded as a safety-critical system. The methodology utilizes UML (Unified Modeling Language) to model the function requirement and FSM (Finite State Machine) to verify the safety requirements of the specification. The device specifications of railway interlocking system are modeled with UML, and dynamic behaviors of the device and whole system are modeled with FSM, the safety specification is translated LTL (Linear Temporal Logic) and analyzed with NuSMV. We try to show the feasibility of improving the reliability and reducing revalidation efforts when designing and developing a decentralized railway signaling system.

Gang Ren,Pan Deng,Chao Yang,Jianwei Zhang,Qingsong Hua

DOI: https://doi.org/10.1007/978-3-319-38904-2_33

2015-01-01

Abstract:In recent year, distributed systems have become a mainstream paradigm in industry and how to ensure correctness and reliability is a great challenge for practicing engineers. Therefore, in this paper a formal approach is proposed for modelling and verification of distributed systems, which integrates UML sequence diagram, pi-calculus and NuSMV within one framework. Moreover, the practicality of the proposed approach is illuminated though a case study of scheduling road emergency service.

Zelin Zhao,Yanyan Jiang,Chang Xu,Tianxiao Gu,Xiaoxing Ma

DOI: https://doi.org/10.1109/icse-c.2017.96

2017-01-01

Abstract:Dynamic software updating (DSU) can upgrade a running program on-the-fly by directly replacing the in-memory code and reusing existing runtime state (e.g., heap objects) for the updated execution. Additionally, it is usually necessary to transform the runtime state into a proper new state to avoid inconsistencies that arise during runtime states reuse among different versions of a program. However, such transformations mostly require human efforts, which is time-consuming and error-prone. This paper presents AOTES, an approach to automating object transformations for dynamic updating of Java programs. AOTES tries to generate the new state by re-executing a method invocation history and leverages symbolic execution to synthesize the history from the current object state without any recording. We evaluated AOTES on software updates taken from Apache Tomcat, Apache FTP Server and Apache SSHD Server. Experimental results show that AOTES successfully handled 47 of 57 object transformations of 18 updated classes, while two state-of-the-art approaches only handled 11 and 6 of 57, respectively.

Junyan Qian,Baowen Xu

2007-01-01

Abstract:we present a methodology for automatically verifying programs against safety specifications based on finite state machine. Firstly, computing the abstract transition between abstract states is done by calling a theorem prover, and then an initial abstract model automatically is extracted from concrete program using predicate abstraction. However, the process of abstraction can be exponential in the number of predicates used. Program slicing, predicate inference and partitioning the set of candidate predicates into subsets make abstract model construction effective. By counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Finally, our methods can be extended to verifying concurrency programs by parallel composition.

Jun Shen,Rida A. Bazzi

DOI: https://doi.org/10.48550/arXiv.1503.07235

2015-03-24

Software Engineering

Abstract:We study the dynamic software update problem for programs interacting with an environment that is not necessarily updated. We argue that such updates should be backward compatible. We propose a general definition of backward compatibility and cases of backward compatible program update. Based on our detailed study of real world program evolution, we propose classes of backward compatible update for interactive programs, which are included at an average of 32% of all studied program changes. The definitions of update classes are parameterized by our novel framework of program equivalence, which generalizes existing results on program equivalence to non-terminating executions. Our study of backward compatible updates is based on a typed extension of W language.

Li Huang,Sophie Ebersold,Alexander Kogtenkov,Bertrand Meyer,Yinling Liu

2024-03-29

Abstract:The technology of formal software verification has made spectacular advances, but how much does it actually benefit the development of practical software? Considerable disagreement remains about the practicality of building systems with mechanically-checked proofs of correctness. Is this prospect confined to a few expensive, life-critical projects, or can the idea be applied to a wide segment of the software industry? To help answer this question, the present survey examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that the software industry should draw regarding its ability to benefit from formal verification techniques and tools. Note: this version is the extended article, covering all the systems identified as relevant. A shorter version, covering only a selection, is also available.

Software Engineering

Stefan Mitsch,Grant Olney Passmore,Andre Platzer

DOI: https://doi.org/10.1007/s11786-014-0176-y

2014-10-04

Abstract:Hybrid systems with both discrete and continuous dynamics are an important model for real-world cyber-physical systems. The key challenge is to ensure their correct functioning w.r.t. safety requirements. Promising techniques to ensure safety seem to be model-driven engineering to develop hybrid systems in a well-defined and traceable manner, and formal verification to prove their correctness. Their combination forms the vision of verification-driven engineering. Often, hybrid systems are rather complex in that they require expertise from many domains (e.g., robotics, control systems, computer science, software engineering, and mechanical engineering). Moreover, despite the remarkable progress in automating formal verification of hybrid systems, the construction of proofs of complex systems often requires nontrivial human guidance, since hybrid systems verification tools solve undecidable problems. It is, thus, not uncommon for development and verification teams to consist of many players with diverse expertise. This paper introduces a verification-driven engineering toolset that extends our previous work on hybrid and arithmetic verification with tools for (i) graphical (UML) and textual modeling of hybrid systems, (ii) exchanging and comparing models and proofs, and (iii) managing verification tasks. This toolset makes it easier to tackle large-scale verification tasks.

Logic in Computer Science,Software Engineering

YANG Xiao-hui,ZHOU Xue-hai,TIAN Jun-feng,LI Zhen

2010-01-01

Abstract:In order to improve current dynamic trusted evaluation theories and methods of software,the conceptions of behavior trace and checkpoint scene are proposed to depict the dynamic characteristics of software behaviors,the deviation degrees of behavior trace and checkpoint scene are measured by computing system call context values and formulating relationship constraint rules of system call arguments,and a dynamic trusted evaluation model is built based on software behavior automaton.Experimental results show that this novel model can accurately obtain information on software behavior and correctly detect attacks with lower overhead.