|
|
Time for High-Confidence Software SystemsEdward A. Lee
Citation
Edward A. Lee. "Time for High-Confidence Software Systems". Talk or presentation, 1, May, 2011.
Abstract
All widely used software abstractions lack temporal semantics. The notion of correct execution of a program written in every widely-used programming language today does not depend on the temporal behavior of the program. But temporal behavior matters in almost all systems. Even in systems with no particular real-time requirements, timing of programs is relevant to the value delivered by programs, and in the case of concurrent programs, also affects the functionality. In systems with real-time requirements, such as most cyber-physical systems, temporal behavior affects not just the value delivered by a system but also its correctness.
The lack of temporal semantics in programs has many consequences that can undermine confidence in systems. For example, without temporal semantics, denial-of-service attacks are no threat. Typically, a denial-of-service attack only affects the timing of services, and if timing is irrelevant to correctness, then such an attacks is also irrelevant. But we know that such attacks are not irrelevant. Worse, without temporal semantics in programs, there is no semantic basis for distinguishing between normal behavior and behavior under attack. Hence, detection of denial-of-service attacks is at best a heuristic.
In this talk, we will argue that time can and must become part of the semantics of programs for a large class of applications. To illustrate that this is both practical and useful, we will describe two recent efforts at Berkeley in the design and analysis of timing-centric software systems. On the design side, we will describe PTIDES, a programming model for distributed real-time systems. PTIDES rests on a rigorous semantics of discrete-event systems and reflects the realities in distributed real-time, where measuring the passage of time is imperfect. PTIDES enables deterministic time-sensitive distributed actions. It relies on certain assumptions about networks that are not trivial (time synchronization with bounded error and bounded latency), but which have been shown in some contexts to be achievable and economical. PTIDES is also robust to subsystem failures, and, perhaps most interestingly, provides a semantic basis for detecting such failures at the earliest possible time.
Electronic downloads
- HTML
Edward A. Lee. <a
href="http://chess.eecs.berkeley.edu/pubs/840.html"
><i>Time for High-Confidence Software
Systems</i></a>, Talk or presentation, 1, May,
2011.
- Plain text
Edward A. Lee. "Time for High-Confidence Software
Systems". Talk or presentation, 1, May, 2011.
- BibTeX
@presentation{Lee11_TimeForHighConfidenceSoftwareSystems,
author = {Edward A. Lee},
title = {Time for High-Confidence Software Systems},
day = {1},
month = {May},
year = {2011},
abstract = {All widely used software abstractions lack
temporal semantics. The notion of correct
execution of a program written in every
widely-used programming language today does not
depend on the temporal behavior of the program.
But temporal behavior matters in almost all
systems. Even in systems with no particular
real-time requirements, timing of programs is
relevant to the value delivered by programs, and
in the case of concurrent programs, also affects
the functionality. In systems with real-time
requirements, such as most cyber-physical systems,
temporal behavior affects not just the value
delivered by a system but also its correctness.
The lack of temporal semantics in programs has
many consequences that can undermine confidence in
systems. For example, without temporal semantics,
denial-of-service attacks are no threat.
Typically, a denial-of-service attack only affects
the timing of services, and if timing is
irrelevant to correctness, then such an attacks is
also irrelevant. But we know that such attacks are
not irrelevant. Worse, without temporal semantics
in programs, there is no semantic basis for
distinguishing between normal behavior and
behavior under attack. Hence, detection of
denial-of-service attacks is at best a heuristic.
In this talk, we will argue that time can and must
become part of the semantics of programs for a
large class of applications. To illustrate that
this is both practical and useful, we will
describe two recent efforts at Berkeley in the
design and analysis of timing-centric software
systems. On the design side, we will describe
PTIDES, a programming model for distributed
real-time systems. PTIDES rests on a rigorous
semantics of discrete-event systems and reflects
the realities in distributed real-time, where
measuring the passage of time is imperfect. PTIDES
enables deterministic time-sensitive distributed
actions. It relies on certain assumptions about
networks that are not trivial (time
synchronization with bounded error and bounded
latency), but which have been shown in some
contexts to be achievable and economical. PTIDES
is also robust to subsystem failures, and, perhaps
most interestingly, provides a semantic basis for
detecting such failures at the earliest possible
time. },
URL = {http://chess.eecs.berkeley.edu/pubs/840.html}
}
Posted by Mary Stewart on 5 May 2011.
For additional information, see the
Publications FAQ or
contact webmaster at chess eecs berkeley edu.
Notice:
This material is presented to ensure timely dissemination of scholarly
and technical work. Copyright and all rights therein are retained by
authors or by other copyright holders. All persons copying this
information are expected to adhere to the terms and constraints
invoked by each author's copyright.
|
