Suppressing Ubicomp Skirmishes

Using a .net Checkability
Profile to Limit Interactions
between Embedded Controllers.
David Greaves, Atif Alvi
Tope Omitola, Daniel Gordon.
University of Cambridge
Computer Laboratory
David Greaves - SENSORCOM08 - France.
A Vision of Evolution for UbiComp
– A myriad of devices connected to the network.
– All devices are connected and share a
common, all-pervasive, middleware.
– Devices contain controllable and controlling
components.
Rules of the Domain
• No rule should issue a command under the same circumstances where
another rule issues the counter-rule.
• Inlet and outlet valves must not both be open at once.
• Fire Alarm must mute all music sources.
• The front gates must always be remotely openable by some method or
other.
Feature Interaction Detection
• Can we define a framework for code
management in a UbiComp or Sensor/Actuator
network that enables proof of safety and liveness?
• We propose using a .net bytecode framework and
evaluate its cost and flexibility.
Component Architecture
• We partition all devices and services into
– Pebbles (sensors, actuators, software processes)
– Applications (heating control, burglar alarm, CD
player control...)
• Further, we partition application code so it
contains no device drivers, dynamic storage,
dynamic binding and uses simple network I/O to
all pebbles.
A Device: A collection of Pebbles and a Canned App
Let's look at what a modern TV set contains:
 1. The following separate devices, each of which can be individually
useful in a networked home:
• RF Tuner
• Colour Display
• Ni-Cam Audio Decoder
• Power Amplifier
• Surround Sound Decoder
• IR Receiver
• Teletext Decoder
• MPEG Decoder
• Programming Memory
• Front Panel User Interface
 2. A canned application that joins the components.
Automated Directory Systems Work
• Devices register in an ad hoc database
– e.g. UPnP's SSDP, INS and the O2S Oxygen system
• Devices can be found by service offered
– e.g. a colour printer on floor 3 west.
• Retrieval by conjunction of predicates
(Few successful deployments.
Unexpected behaviours.
Load balancing/path finding unsupported.)
Controllers Vs The Controlled
• API Reflection is now a Mature Technology
• It will be further deployed (?)
– X-by-wire, Field Busses, Sensor Networks, CAN.
– EDDL, XDDL, Embedded Systems
• Code Reflection has seen virtually no work!
– i.e. how do devices describe their embedded
behaviour
– and how is reactive behaviour between actuators
and sensors captured?
Code Reflection
• A device must expose the proactive behaviour
of its canned application(s)
– Actual source code (constrained language)
– Proof carrying actual source code
– Summary of behaviour
– e.g. I will not send control messages when I am in standby
mode.
– e.g. I am always off between 1:00 and 5:00.
• Device is banned from full operation within
domain unless proof obligations are met.
An Example .net CD player.
• We built a CD/DVD player according to our
component architecture.
• The application code was implemented in a pair of .net
code bundles.
• The bytecode can be read out by a domain controller
and checked, along with the other participating
applications in the domain, against the rules of the
domain.
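As an added worked example (this is not the Pebbles code, and the application tables, event names and actuator names below are constructed for illustration), here is the kind of check a domain controller can run once every participating application has exposed its proactive behaviour as a finite-state table. The controller explores the synchronous product of all applications, with every event broadcast to every application, and evaluates the rules of the domain over every reachable state: a counter-rule conflict is reported when two applications command the same actuator to different values under the same circumstances, and each safety rule (valves not both open, fire alarm mutes music) returns the shortest event trace that breaks it, or None when it holds.

```python
from collections import deque
from itertools import product

# An application is exposed to the domain controller as a finite-state machine:
# (state, event) -> (next_state, commands).  A command is (actuator, value).
# A (state, event) pair missing from the table is a self-loop that issues nothing.
# Added illustration of the checking idea, not the Pebbles project's code.
class App:
    def __init__(self, name, initial, table):
        self.name, self.initial, self.table = name, initial, table

    def step(self, state, event):
        return self.table.get((state, event), (state, ()))


def explore(apps, events, actuators0):
    """Breadth-first exploration of the synchronous product of all apps.

    Every event is broadcast to every app.  Returns (reachable, conflicts):
    reachable maps a global state to the shortest event trace that reaches it;
    conflicts lists steps where two apps commanded the same actuator to
    different values under the same circumstances (the 'counter-rule' case).
    """
    init = (tuple(a.initial for a in apps), tuple(sorted(actuators0.items())))
    reachable, conflicts, queue = {init: []}, [], deque([init])
    while queue:
        g = queue.popleft()
        app_states, act = g
        for ev in events:
            nxt, issued = [], {}
            for a, s in zip(apps, app_states):
                s2, cmds = a.step(s, ev)
                nxt.append(s2)
                for actuator, value in cmds:
                    issued.setdefault(actuator, {})[a.name] = value
            for actuator, by_app in issued.items():
                if len(set(by_app.values())) > 1:
                    conflicts.append((reachable[g] + [ev], actuator, dict(by_app)))
            # A conflict has no defined winner, so explore every resolution.
            keys = list(issued)
            for choice in product(*(sorted(set(issued[k].values())) for k in keys)):
                new_act = dict(act)
                new_act.update(zip(keys, choice))
                g2 = (tuple(nxt), tuple(sorted(new_act.items())))
                if g2 not in reachable:
                    reachable[g2] = reachable[g] + [ev]
                    queue.append(g2)
    return reachable, conflicts


def check_invariant(reachable, holds):
    """Shortest trace to a reachable actuator state where holds() is False, or None."""
    bad = [(len(t), t) for g, t in reachable.items() if not holds(dict(g[1]))]
    return min(bad)[1] if bad else None


# Constructed applications (assumed for illustration, not from the paper).
music = App("cdplayer", "stopped", {
    ("stopped", "play"): ("playing", (("music", "on"),)),
    ("playing", "stop"): ("stopped", (("music", "off"),)),
})
alarm = App("firealarm", "idle", {
    ("idle", "fire"): ("alarm", (("siren", "on"), ("music", "off"))),
    ("alarm", "fire_clear"): ("idle", (("siren", "off"),)),
})
tank = App("tankctl", "empty", {
    ("empty", "fill"): ("filling", (("inlet", "open"), ("outlet", "closed"))),
    ("filling", "level_high"): ("full", (("inlet", "closed"),)),
    ("full", "drain"): ("draining", (("outlet", "open"),)),
    ("draining", "level_low"): ("empty", (("outlet", "closed"),)),
})
# A tariff controller that closes the inlet on the same 'fill' event: a counter-rule.
tariff = App("tariff", "peak", {
    ("peak", "fill"): ("peak", (("inlet", "closed"),)),
})

EVENTS = ["play", "stop", "fire", "fire_clear", "fill", "level_high", "drain", "level_low"]
ACTUATORS0 = {"music": "off", "siren": "off", "inlet": "closed", "outlet": "closed"}


def run_domain_checks():
    """Check the rules of the domain against the composed applications."""
    reachable, conflicts = explore([music, alarm, tank, tariff], EVENTS, ACTUATORS0)
    return {
        "states": len(reachable),
        "conflicts": conflicts,
        # Fire alarm must mute all music sources: trace of a violation, or None.
        "fire_mutes_music": check_invariant(
            reachable, lambda a: a["siren"] == "off" or a["music"] == "off"),
        # Inlet and outlet valves must not both be open at once.
        "valves": check_invariant(
            reachable, lambda a: not (a["inlet"] == "open" and a["outlet"] == "open")),
    }


if __name__ == "__main__":
    for rule, result in run_domain_checks().items():
        print(rule, "->", result)
```

The interesting result is the fire/music rule: each application is individually reasonable (the alarm mutes music when the fire starts, the CD player plays on request), but the product state reached by the trace fire, play has the siren on and music on, which is exactly the feature interaction the domain controller is there to catch before the CD player is admitted. The valve rule holds in every reachable state, and the tariff controller's counter-command on the inlet is reported as a conflict on the very first fill event.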
Pebbles Project General Flow (diagram)
CD/DVD Player Components (diagram)

CD/DVD Player Block Diagram (diagram)
Software Costs
• Embedded devices have limited
capabilities, especially RAM, but ROM is
not so critical.
• XML parsing is expensive in RAM use.
• We have implemented .net interpreter,
HTTP server and XML output all at
'reasonable' cost.
Heap and Stack RAM Use (chart)
Checkability Classes?
• We have imposed a checkability profile on the .net
bundles.
• The current profile is finite-state and strictly limited in the IO
libraries used.
• All participating applications in the domain must
conform to our profile.
• In the future, we can define a richer class, based on linear
integer programming, Presburger arithmetic and so on.
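The slides do not publish the profile itself, so the following is an added example (not the Pebbles checker) of what enforcing a finite-state profile on a bundle looks like: a static pass over a simplified, constructed CIL listing (one opcode and operand per line, method signatures omitted) that rejects run-time allocation, dynamically bound calls, recursion, and any library call outside an allow-list. The mapping from profile restrictions to CIL opcodes and the Pebbles.* library names are assumptions made for the example.

```python
# Added example of a checkability-profile check over a simplified CIL listing.
# The opcode-to-restriction mapping and the Pebbles.* names are assumptions.

# Opcodes that take a bundle outside a finite-state profile.  newobj/newarr/box/
# localloc allocate storage at run time; callvirt/calli/ldftn/ldvirtftn bind the
# call target at run time, so the controller cannot see statically what runs.
FORBIDDEN = {
    "newobj": "dynamic storage", "newarr": "dynamic storage",
    "box": "dynamic storage", "localloc": "dynamic storage",
    "callvirt": "dynamic binding", "calli": "dynamic binding",
    "ldftn": "dynamic binding", "ldvirtftn": "dynamic binding",
}
# The only library entry points a bundle may call (hypothetical Pebbles I/O API).
ALLOWED_LIBRARY = {"Pebbles.Net::Send", "Pebbles.Net::Receive", "Pebbles.Timer::Wait"}


def check_profile(bundle):
    """bundle: {method_name: [instruction, ...]}, each instruction written as
    'opcode [operand]'.  Returns a list of human-readable violations; an empty
    list means the bundle is inside the profile."""
    violations = []
    callgraph = {m: set() for m in bundle}
    for method, body in bundle.items():
        for pc, ins in enumerate(body):
            op, _, operand = ins.strip().partition(" ")
            if op in FORBIDDEN:
                violations.append(f"{method}@{pc}: {op} ({FORBIDDEN[op]})")
            elif op == "call":
                if operand in bundle:
                    callgraph[method].add(operand)
                elif operand not in ALLOWED_LIBRARY:
                    violations.append(f"{method}@{pc}: call outside I/O profile: {operand}")
    # Recursion means an unbounded call stack, so the bundle is no longer finite-state.
    for method in bundle:
        if _reaches(callgraph, method, method, set()):
            violations.append(f"{method}: recursive call chain")
    return violations


def _reaches(graph, src, target, seen):
    """True if target is reachable from src along the internal call graph."""
    for nxt in graph[src]:
        if nxt == target:
            return True
        if nxt not in seen:
            seen.add(nxt)
            if _reaches(graph, nxt, target, seen):
                return True
    return False


# Constructed bundles.  GOOD keeps to static fields and the I/O allow-list;
# BAD allocates, binds dynamically, reads a file, and recurses.
GOOD = {
    "Run": ["call Pebbles.Net::Receive", "stsfld Event", "call Step",
            "call Pebbles.Timer::Wait", "br IL_0000"],
    "Step": ["ldsfld State", "ldsfld Event", "add", "stsfld State",
             "call Pebbles.Net::Send", "ret"],
}
BAD = {
    "Run": ["newobj System.Text.StringBuilder::.ctor", "stsfld Pending", "call Poll", "ret"],
    "Poll": ["ldsfld Handler", "callvirt System.Action::Invoke",
             "call System.IO.File::ReadAllText", "call Poll", "ret"],
}

if __name__ == "__main__":
    print("GOOD:", check_profile(GOOD) or "inside profile")
    print("BAD:", *check_profile(BAD), sep="\n  ")
```

A real checker would read the instruction stream from the bundle's metadata rather than from strings, and would also bound the state space by the declared static fields; the point here is that every restriction the profile imposes (no dynamic storage, no dynamic binding, simple network I/O only) is a purely syntactic property of the bytecode and so can be decided by the domain controller before the bundle is admitted.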
Conclusions
• Running a 'complex' software stack is not a real
obstacle, but don't parse too much XML.
• Using .net bytecode in embedded systems can be fast
and compact enough; otherwise, expose your behaviour
in .net for checking while executing something else.
• We need to explore incremental model checking.
• We need to formally define our checkability class.
The End
• [email protected]
• www.cl.cam.ac.uk/Research/SRG/HAN/Pebbles
• The Pebbles, AutoHAN and Oxygen O2S Teams