Min Zhang,Kazuhiro Ogata,Kokichi Futatsugi

DOI: https://doi.org/10.1109/apsec.2015.28

2015-01-01

Abstract:Even though software systems in some domains are expected to provide continuous services, most of them must undergo some form of changes. It leads to the emergence of dynamic software updating, a technique for updating a running software system without incurring any downtime. One of the challenges of designing a correct dynamic update is to identify a set of update points where the update can be safely applied to a running system. In this paper, we present a formal approach to modeling dynamic software updates and use the formal model to identify safe update points. In our approach, we formalize dynamic updates as state machines, and verify by model checking a set of desired properties which the running system is expected to satisfy after being updated. If counterexamples are found, we exclude those states that cause the counterexamples, and do model checking again. The process is iterated until all desired properties are successfully verified. We then finally obtain a set of safe update points. A case study is also presented to demonstrate the feasibility of the proposed approach.

Min Zhang,Kazuhiro Ogata,Kokichi Futatsugi

DOI: https://doi.org/10.1016/j.entcs.2013.02.013

2013-01-01

Electronic Notes in Theoretical Computer Science

Abstract:Dynamic Software Updating (DSU) is a technique of updating running software systems on-the-fly. Whereas there are some studies on the correctness of dynamic updating, they focus on how to deploy updates correctly at the code level, e.g., if procedures refer to the data of correct types. However, little attention has been paid to the correctness of the dynamic updating at the behavior level, e.g., if systems after being updated behave as expected, and if unexpected behaviors can never occur. We present an algebraic methodology of specifying dynamic updates and verifying their behavioral correctness by using off-the-shelf theorem proving and model checking tools. By theorem proving we can show that systems after being updated indeed satisfy their desired properties, and by model checking we can detect potential errors. Our methodology is general in that: (1) it can be applied to three updating models that are mainly used in current DSU systems; and (2) it is not restricted to dynamic updates for certain programming models.

Min Zhang,Kazuhiro Ogata,Kokichi Futatsugi

DOI: https://doi.org/10.1109/apsec.2012.100

2012-01-01

Abstract:Dynamic Software Updating (DSU) is a promising software maintenance technique, which aims at updating running software systems on the fly without incurring any downtime. The systems that require dynamic updating usually require high reliability assurance. Incorrect updating may cause them to behave erratically and/or even crash, and hence results in dreadful loss. However, there are few approaches to the study of the correctness of dynamic updating. In this paper, we systematically discuss the correctness of dynamic updating from a formal perspective, and present a first algebraic approach to formal analysis of it. The basic idea is to formalize dynamic updating systems as rewrite systems, with which we can analyze dynamic updates e.g. verifying their desired properties, or detecting incorrect update points, etc. The formal analysis helps us understand the behaviors of updated systems before we apply updates to the running systems, and hence improves the reliability of the systems after being updated.

Jiaqi Qian,Min Zhang,Yi Wang,Kazuhiro Ogata

DOI: https://doi.org/10.1007/978-3-030-16722-6_17

2019-01-01

Abstract:Dynamic Software Updating (DSU) is a useful technique for updating running software without incurring any downtime. Its correctness must be guaranteed because updating a running software is a complicated and safety-critical process. In this paper, we present a formal tool called KupC for modeling and verifying dynamic updating of C programs. The tool is built on (mathbb {K})–a formal semantic framework for programming languages. We formalize a patch-based dynamic updating mechanism in (mathbb {K}) based on the formal executable operational semantics of C. The formalization automatically yields an interpreter and several verification tools, which can be used to formally analyze the correctness of dynamic updating for C programs. To our knowledge, KupC is the first formal tool for code-level verification of dynamic software updating.

Shengwei An,Xiaoxing Ma,Chun Cao,Ping Yu,Chang Xu

DOI: https://doi.org/10.1109/QRS.2015.33

2015-01-01

Abstract:Dynamic Software Update (DSU) is a technique to upgrade running programs without shutting them down. DSU can improve system availability and maintenance flexibility. However, its adoption in practice is still limited due to the risk of system misbehavior that careless DSU may bring. To reduce this risk we propose a formal framework for the specification and verification of DSU. Different from previous approaches where DSU is described from the viewpoint of program's internal state transitions, our framework focuses on program's external behavior and its effect on its environment. This more abstract view avoids over specification of DSU and allows for better DSU flexibility. Based on this framework, we also devise a mechanism that automatically synthesizes runtime monitors to improve DSU timeliness without compromising its safety.

Zelin Zhao,Yanyan Jiang,Chang Xu,Tianxiao Gu,Xiaoxing Ma

DOI: https://doi.org/10.1109/icse-c.2017.96

2017-01-01

Abstract:Dynamic software updating (DSU) can upgrade a running program on-the-fly by directly replacing the in-memory code and reusing existing runtime state (e.g., heap objects) for the updated execution. Additionally, it is usually necessary to transform the runtime state into a proper new state to avoid inconsistencies that arise during runtime states reuse among different versions of a program. However, such transformations mostly require human efforts, which is time-consuming and error-prone. This paper presents AOTES, an approach to automating object transformations for dynamic updating of Java programs. AOTES tries to generate the new state by re-executing a method invocation history and leverages symbolic execution to synthesize the history from the current object state without any recording. We evaluated AOTES on software updates taken from Apache Tomcat, Apache FTP Server and Apache SSHD Server. Experimental results show that AOTES successfully handled 47 of 57 object transformations of 18 updated classes, while two state-of-the-art approaches only handled 11 and 6 of 57, respectively.

Tianxiao Gu,Xiaoxing Ma,Chang Xu,Yanyan Jiang,Chun Cao,Jian Lu

DOI: https://doi.org/10.4230/lipics.ecoop.2018.19

2018-01-01

Abstract:Dynamic software updating (DSU) is a technique to upgrade a running software system on the fly without stopping the system. During updating, the runtime state of the modified components of the system needs to be properly transformed into a new state, so that the modified components can still correctly interact with the rest of the system. However, the transformation is non-trivial to realize due to the gap between the low-level implementations of two versions of a program. This paper presents AOTES, a novel approach to automating object transformations for dynamic updating of Java programs. AOTES bridges the gap by abstracting the old state of an object to a history of method invocations, and re-invoking the new version of all methods in the history to get the desired new state. AOTES requires no instrumentation to record any data and thus has no overhead during normal execution. We propose and implement a novel technique that can synthesize an equivalent history of method invocations based on the current object state only. We evaluated AOTES on software updates taken from Apache Commons Collections, Tomcat, FTP Server and SSHD Server. Experimental results show that AOTES successfully handled 51 of 61 object transformations of 21 updated classes, while two state-of-the-art approaches only handled 11 and 6 of 61, respectively.

Tianxiao Gu,Zelin Zhao,Xiaoxing Ma,Chang Xu,Chun Cao,Jian Lu

DOI: https://doi.org/10.1109/apsec.2016.044

2016-01-01

Abstract:Dynamic software updating (DSU) is a technique that can update running software systems without stopping them. Most existing approaches require programmer participation to guarantee the correctness of dynamic updating. However, manually preparing dynamic updating is error-prone and time-consuming. Therefore, other approaches prefer to aggressively perform updating without programmer intervention, which may definitely lead to unanticipated runtime errors. To reduce human effort and enhance the reliability for dynamic updating, we leverage automatic runtime recovery (ARR) techniques to recover runtime errors caused by improper dynamic updating. This paper presents ADSU, a fully automatic DSU system using ARR. We evaluate ADSU with real updates from widely used open source software systems, i.e., Apache Tomcat, Apache FTP Server and jEdit. The preliminary results have shown that ADSU succeeds in automatically applying 11 of 16 real-world updates that existing counterparts cannot.

Zelin Zhao,Xiaoxing Ma,Chang Xu,Wenhua Yang

2004-01-01

Abstract:Due to the demand for bugs fixing and features enhancements, developers inevitably need to update in-use software systems. Instead of shutting down a running software before updating, it is often desirable and sometimes mandatory to patch the running software system on the fly, with a mechanism generally referred as dynamic software updating (DSU). Practical DSU strategies often require manual specification of update points in the program for performing dynamic updates. At these points DSU systems will update the program code, and also migrate the program state to the new version program (using state transformer functions). However, finding appropriate update points is non-trivial because the choice of update points has great influence on two competing factors: the timeliness of DSU and the complexity of state transformer functions; and to strike a good balance between them requires a deep understanding of both versions of the program. In this paper, we propose a technique that automates the recommendation of update points. We carried out a preliminary study about the feasibility and effectiveness of this technique. By conducting a set of experiments based on an actual DSU case, we found that our technique is automatic, wide-covered and efficient.

Shi Zhang,LinPeng Huang

DOI: https://doi.org/10.1109/qsic.2006.30

2006-01-01

Abstract:Dynamic software updating enables running programs to be updated while executing. In this paper, a simple formal system is established with the goal of understanding the underlying foundations of updating classes, for the purpose of understanding how to best build reliable updatable programs. The update calculus is built for O-O software with a precise mathematical semantics. It is formulated as an extension of a core calculus for Featherweight Java, and supports updating technology similar to that of the programming language Java and C++. The calculus also presents what kind of update can be made dynamically. At the end of the paper, we proof that these update is type safety

Zelin Zhao,Xiaoxing Ma,Chang Xu,Wenhua Yang

DOI: https://doi.org/10.1145/2677832.2677853

2014-01-01

Abstract:Due to the demand for bugs fixing and feature enhancements, developers inevitably need to update in-use software systems. Instead of shutting down a running system before updating, it is often desirable and sometimes mandatory to patch the running software system on the fly, with a mechanism generally referred as dynamic software updating (DSU). Practical DSU strategies often require manual specification of update points in the program for performing dynamic updates. At these points DSU systems will update the program code, and also migrate the program state to the new version program (using transformation functions). However, finding appropriate update points is non-trivial because the choice of update points has great influence on two competing factors: the timeliness of DSU and the complexity of transformation functions; and to strike a good balance between them requires a deep understanding of both versions of the program. In this exploratory paper, we conceive an automated approach to the recommendation of update points for developers. We conduct a set of preliminary experiments with a real world software update case to examine the feasibility of the approach.

Gang Chen,Hai Jin,Deqing Zou,Zhenkai Liang,Bing,Hao Wang

DOI: https://doi.org/10.1109/tpds.2015.2430854

IF: 5.3

2016-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Dynamic software updating (DSU) enables a program to be patched on the fly without being shutdown. This paper addresses the practicality problem of the recent research on DSU systems, and presents Replus, a new DSU system that balances practicality and functionality. Replus aims to retain backward binary compatibility and support multi-threaded programs. In addition, it does not require customers to have developer-level software knowledge. More importantly, without specific compiler support, Replus can patch programs that are difficult to be updated at runtime, as well as programs that may incur an indefinite delay in DSU. The key technique of our solution is to update the stack elements for the patched program using two new mechanisms: Immediate Stack Updating, which immediately updates the stack of a thread, and timely stack updating, which only updates the stack frames of the necessary functions without affecting others. Replus also develops an Instruction Level Updating mechanism, which is more efficient for certain security patches. We used popular server applications as test suites to evaluate the effectiveness of Replus. The experimental results demonstrated that Replus can successfully update all the test suites with negligible impact on application performance.

Min Zhang,Toshiaki Aoki

DOI: https://doi.org/10.1109/DCIT.2015.18

2015-01-01

Abstract:Formalization and verification of a system usually are not one time tasks, particularly when the system to be formalized and verified is complicated. The relation between formalization and verification should not be sequential but iterative in that verification follows formalization and in turn helps validate and refine formalization. The iteration is a spiral process with a formal model being incrementally developed and more and more properties being verified. In this paper, we present a case study to demonstrate how we formalize and verify in the spiral way a scheduling mechanism and Priority Ceiling Protocol of an industrial automobile standard, i.e. OSEK/VDX, in OTS/CafeOBJ method, an algebraic approach to modeling and verifying systems by interactive theorem proving in CafeOBJ. We start with a prototypical model of the scheduling mechanism, validate and refine it based on verification results. By theorem proving, it reinforces the specifier's understanding of the specifications and their relationship with the specified problem domains. The formal model is refined until all these properties are successfully proved. We then incrementally extend it to cover more complicated part and verify more properties such as exclusion, deadlock freedom, priority inversion freedom.

Junqing Chen,Linpeng Huang,Siqi Du,Wenjia Zhou

DOI: https://doi.org/10.1109/apsec.2010.35

2010-01-01

Abstract:The continuous requirements of evolving a service-oriented application and the rising cost of shutting down services at runtime are forcing researchers to find ways of updating services while they run. Dynamic service update can solve the problem of such applications and is becoming a challenging issue. This paper presents a formal model for supporting dynamic update framework based on OSGi. The process of dynamic service update is specified using Finite State Process (FSP) and then the Labelled Transition System Analyzer (LTSA) tool for formal property verifications. We also formally analyze and prove type-safe update of such frameworks, and finally demonstrate that our model works well in practical cases.

Fei Shen,Siqi Du,Linpeng Huang

DOI: https://doi.org/10.1007/978-3-642-11842-5_48

2010-01-01

Abstract:Dynamic software update is very meaningful for the downtime-critical applications to reduce the downtime during the software evolution phase. Nowadays more and more complicated applications are developed on the OSGi platform. In this paper, we present a dynamic software update framework for OSGi applications, known as DSUF. DSUF can provide component-level dynamic update. It works automatically and programmers do not need to change many codes for the existing codes to fit in the framework. Experiments show that DSUF will only cost reasonable extra computer resources.

Feng Chen,Weizhong Qiang,Hai Jin,Deqing Zou,Duoqiang Wang

DOI: https://doi.org/10.1109/compsac.2015.130

2015-01-01

Abstract:Softwares usually need to be updated to fix bugs or add new features. On the other hand, some critical softwares, such as cloud applications, need to provide service continuously, thus should be updated without downtime. Conventional Dynamic Software Updating (DSU) systems try to update programs while running, but they hardly consider the communication of the program to be updated with other programs, which may lead to some inconsistency problems. We handle the problem with an improved DSU system by using multi-version execution. When a new update arrives, instead of updating the application to the new version, we fork a new process of the old version and dynamically update it to the new version, then make these two versions run concurrently until the update finishes. We implement a prototype system called MUC (Multi-vesion for Updating of Cloud) on Linux. To verify our prototype, we apply MUC to cloud applications Redis and Ice cast, and evaluate the overhead of MUC at runtime.

CHEN Feng,LI Weihua,CHEN Hao,L(U) Zheng

2011-01-01

Abstract:In order to improve the analysis and design of software safety,on the basis of current researches on safety model and verification technology,a modeling and checking method is proposed for object-oriented software safety.Establishing non-formal UML models of software safety,safety extended deterministic finite automata and linear temporal logic are used to create the formal models and describe the safety properties separately.Through a model checker,we get the verification result.This approach realizes the combination of software safety model and verification technology.Experimental results show that the method can analyze and verify the safety properties effectively in the early stage of software design.

Haibo Chen,Jie Yu,Chengqun Hang,Binyu Zang,Pen-Chung Yew

DOI: https://doi.org/10.1109/tse.2010.79

IF: 7.4

2010-01-01

IEEE Transactions on Software Engineering

Abstract:Software is inevitably subject to changes. There are patches and upgrades that close vulnerabilities, fix bugs, and evolve software with new features. Unfortunately, most traditional dynamic software updating approaches suffer some level of limitations; few of them can update multithreaded applications when involving data structure changes, while some of them lose binary compatibility or incur nonnegligible performance overhead. This paper presents POLUS, a software maintenance tool capable of iteratively evolving running unmodified multithreaded software into newer versions, yet with very low performance overhead. The main idea in POLUS is a relaxed consistency model that permits the concurrent activity of the old and new code. POLUS borrows the idea of cache-coherence protocol in computer architecture and uses a ”bidirectional write-through” synchronization protocol to ensure system consistency. To demonstrate the applicability of POLUS, we report our experience in using POLUS to dynamically update three prevalent server applications: vsftpd, sshd, and Apache HTTP server. Performance measurements show that POLUS incurs negligible runtime overhead on the three applications-a less than 1 percent performance degradation (but 5 percent for one case). The time to apply an update is also minimal.

Weifeng Lv,Xiaochuan Zuo,Lei Wang

DOI: https://doi.org/10.1109/ISdea.2012.579

2012-01-01

Abstract:Dynamic software updating for onboard software maintains platform's stability, enables onboard regression test, supports dynamic software reconstruction. It enhances satellite reliability and usability. In this paper, we discuss dynamic software updating for onboard software, present a dynamic software updating system.

Junrong Shen,Xi Sun,Gang Huang,Wenpin Jiao,Yanchun Sun,Hong Mei

DOI: https://doi.org/10.1145/1081706.1081720

2005-01-01

ACM SIGSOFT Software Engineering Notes

Abstract:The continuous requirements of evolving a delivered software system and the rising cost of shutting down a running software system are forcing researchers and practitioners to find ways of updating software as it runs. Dynamic update is a kind of software evolution that updates a running program without interruption. This paper covers the fundamental issues of the mechanisms of dynamic update theoretically. Based on a similarity analysis of many typical approaches to dynamic update during the past decades, we propose a unified formal model (namely, Dynamic Update Connector) to specify mechanisms of updating an architectural component, and reason about its properties. The model borrows the concept of connectors from software architecture community and is specified using process algebra CSP. We also demonstrate the applications of our DUC model.