DOI: 10.1109/ICSE48619.2023.00046
Research article, ICSE 2023 conference proceedings

Robustification of Behavioral Designs against Environmental Deviations

Published: 26 July 2023

Abstract

Modern software systems are deployed in a highly dynamic, uncertain environment. Ideally, a system that is robust should be capable of establishing its most critical requirements even in the presence of possible deviations in the environment. We propose a technique called behavioral robustification, which involves systematically and rigorously improving the robustness of a design against potential deviations. Given behavioral models of a system and its environment, along with a set of user-specified deviations, our robustification method produces a redesign that is capable of satisfying a desired property even when the environment exhibits those deviations. In particular, we describe how the robustification problem can be formulated as a multi-objective optimization problem, where the goal is to restrict the deviating environment from causing a violation of a desired property, while maximizing the amount of existing functionality and minimizing the cost of changes to the original design. We demonstrate the effectiveness of our approach on case studies involving the robustness of an electronic voting machine and safety-critical interfaces.
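The formulation in the abstract can be made concrete with a small worked example. The Python below is added here for illustration and is not the paper's code, models or algorithm. It builds a toy voting-machine design and a voter environment as labeled transition systems, adds one deviation (the voter walks away after selecting but before confirming, after which an election official can operate the machine), encodes the safety property "no vote is cast for a selection the voter did not make" as an error state, and then searches a deliberately simplified redesign space (disabling subsets of the design's transitions) for the Pareto-optimal redesigns under two objectives: keep as many required use cases executable as possible, and minimise the weighted cost of the changes. All state names, transitions, cost weights and use-case traces are constructed assumptions.

```python
from collections import deque
from itertools import combinations

# Design D (constructed toy voting-machine interface).  Each transition has an
# id so a redesign can disable it; the per-id change cost is an assumption.
DESIGN = {
    "t1": ("idle", "select", "selected"),
    "t2": ("selected", "select", "selected"),  # change the selection
    "t3": ("selected", "back", "idle"),        # cancel and start over
    "t4": ("selected", "confirm", "cast"),
    "t5": ("cast", "eject", "idle"),
}
DESIGN_INIT = "idle"
CHANGE_COST = {"t1": 2, "t2": 1, "t3": 1, "t4": 1, "t5": 1}
ALPHABET = {a for _, a, _ in DESIGN.values()}  # actions the machine observes

# Environment E (constructed).  P0: voter present, nothing selected; PV: voter
# present, voter's selection shown; DONE: ballot cast.
ENV_INIT = "P0"
ENV_NORMAL = {
    ("P0", "select", "PV"), ("PV", "select", "PV"), ("PV", "back", "P0"),
    ("PV", "confirm", "DONE"), ("DONE", "eject", "P0"),
}
# Deviation: the voter walks away after selecting but before confirming
# ("leave" is invisible to the machine) and an official can then operate it.
# AV: absent, voter's selection stands; A0: absent, nothing selected; AO:
# absent, official's selection stands.  Confirming from AO is the violation (ERR).
DEVIATION = {
    ("PV", "leave", "AV"), ("AV", "select", "AO"), ("AV", "back", "A0"),
    ("AV", "confirm", "DONE"), ("A0", "select", "AO"), ("AO", "select", "AO"),
    ("AO", "back", "A0"), ("AO", "confirm", "ERR"),
}
# Existing functionality to preserve: use-case traces that must remain
# executable under the normal environment (assumed for the toy).
USE_CASES = [
    ("select", "confirm", "eject"),
    ("select", "select", "confirm", "eject"),
    ("select", "back", "select", "confirm", "eject"),
]

def compose_reach(design_trans, env_trans):
    """Reachable states and edges of D || E.  Shared actions synchronize (a
    missing machine transition blocks the action); private ones move E alone."""
    d_out, e_out = {}, {}
    for s, a, t in design_trans:
        d_out.setdefault(s, []).append((a, t))
    for s, a, t in env_trans:
        e_out.setdefault(s, []).append((a, t))
    init = (DESIGN_INIT, ENV_INIT)
    seen, edges, queue = {init}, set(), deque([init])
    while queue:
        ds, es = queue.popleft()
        for a, et in e_out.get(es, []):
            succs = ([(dt, et) for b, dt in d_out.get(ds, []) if b == a]
                     if a in ALPHABET else [(ds, et)])
            for nxt in succs:
                edges.add(((ds, es), a, nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen, edges

def is_safe(design_trans):
    """Safety property: ERR unreachable in D' || (E with the deviation)."""
    states, _ = compose_reach(design_trans, ENV_NORMAL | DEVIATION)
    return all(es != "ERR" for _, es in states)

def functionality(design_trans):
    """Number of required use cases still executable in D' || E_normal."""
    _, edges = compose_reach(design_trans, ENV_NORMAL)
    step = {}
    for src, a, dst in edges:
        step.setdefault((src, a), set()).add(dst)
    kept = 0
    for trace in USE_CASES:
        frontier = {(DESIGN_INIT, ENV_INIT)}
        for a in trace:
            frontier = set().union(*(step.get((s, a), set()) for s in frontier))
        kept += bool(frontier)
    return kept

def robustify():
    """Redesign space (a simplification): disable any subset of D's transitions.
    Return the safe redesigns on the Pareto front over (maximize functionality,
    minimize change cost), cheapest first."""
    ids = sorted(DESIGN)
    safe = []
    for k in range(len(ids) + 1):
        for disabled in combinations(ids, k):
            trans = {DESIGN[i] for i in ids if i not in disabled}
            if is_safe(trans):
                cost = sum(CHANGE_COST[i] for i in disabled)
                safe.append((frozenset(disabled), functionality(trans), cost))
    objectives = {(f, c) for _, f, c in safe}

    def dominated(f, c):
        return any(f2 >= f and c2 <= c and (f2, c2) != (f, c) for f2, c2 in objectives)

    return sorted((r for r in safe if not dominated(r[1], r[2])), key=lambda r: r[2])

if __name__ == "__main__":
    print("original design safe under the deviation:", is_safe(set(DESIGN.values())))
    for disabled, f, c in robustify():
        print(f"disable {sorted(disabled)}: use cases kept={f}, change cost={c}")
```

Running it reports that the original design is not safe under the deviation and returns two non-dominated redesigns: disabling confirm entirely (cheapest, but no vote can ever be cast), and disabling re-selection and cancellation once a choice is shown (costlier, but the basic select-confirm-eject flow survives). Choosing between such trade-offs is the optimisation problem the abstract describes. Restricting redesigns to deletions and enumerating all 2^5 subsets are simplifications of this toy, not properties of the approach in the paper.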


Published In

ICSE '23: Proceedings of the 45th International Conference on Software Engineering
May 2023, 2713 pages
ISBN: 9781665457019
General Chair: John Grundy
Program Co-chairs: Lori Pollock, Massimiliano Di Penta

In-Cooperation

IEEE CS

Publisher

IEEE Press


Conference

ICSE '23: 45th International Conference on Software Engineering
May 14 - 20, 2023
Melbourne, Victoria, Australia

Acceptance Rates

Overall acceptance rate: 276 of 1,856 submissions (15%)


Article Metrics

Total citations: 0
Total downloads: 46 (31 in the last 12 months, 1 in the last 6 weeks)
Reflects downloads up to 25 Dec 2024
