Effective aspects : A typed monadic model to control and reason about aspect interference

Figueroa, Ismael

22 April 2014

Aspect-oriented programming (AOP) aims to enhance modularity and reusability in software systems by offering an abstraction mechanism to deal with crosscutting concerns. But, in most general-purpose aspect languages aspects have almost unrestricted power, eventually conflicting with these goals. This work presents Effective Aspects: a novel approach to embed the pointcut/advice model of AOP in a statically-typed functional programming language like Haskell; along two main contributions. First, we define a monadic embedding of the full pointcut/advicemodel of AOP. Type soundness is guaranteed by exploiting the underlying type system, in particular phantom types and a new anti-unification type class. In this model aspects are first-class, can be deployed dynamically, and the pointcut language is extensible, therefore combining the flexibility of dynamically-typed aspect languages with the guarantees of a static type system. Monads enable us to directly reason about computational effects both in aspects and base programs using traditional monadic techniques. Using this we extend the notion of Open Modules with effects, and also with protected pointcut interfaces to external advising. These restrictions are enforced statically using the type system. Also, we adapt the techniques of EffectiveAdvice to reason about and enforce control flow properties as well as to control effect interference. We show that the parametricity-based approach to effect interference falls short in the presence of multiple aspects and propose a different approach using monad views, a novel technique for handling the monad stack, developed by Schrijvers and Oliveira. Then, we exploit the properties of our model to enable the modular construction of new semantics for aspect scoping and weaving. Our second contribution builds upon a powerful model to reason about mixin-based composition of effectful components and their interference, based on equational reasoning, parametricity, and algebraic laws about monadic effects. Our contribution is to show how to reason about interference in the presence of unrestricted quantification through pointcuts. We show that global reasoning can be compositional, which is key for the scalability of the approach in the face of large and evolving systems. We prove a general equivalence theorem that is based on a few conditions that can be established, reused, and adapted separately as the system evolves. The theorem is defined for an abstract monadic AOP model; we illustrate its use with a simple version of the model just described. This work brings type-based reasoning about effects for the first time in the pointcut/advice model, in a framework that is expressive, extensible and well-suited for development of robust aspect-oriented systems as well as a research tool for new aspect semantics.

[SPI:OTHER] Engineering Sciences/Other

Aspect-oriented programming

Monads

Modular reasoning

Compositional reasoning

Effective aspects : A typed monadic model to control and reason about aspect interference / Effective aspects : Un modèle monadique et typé pour contrôler l’interférence entre aspects

Figueroa, Ismael

22 April 2014

La programmation orientée aspect (AOP) vise à améliorer la modularité et la réutilisation des couches logiciels en proposant un mécanisme d’abstraction pour faire face aux préoccupations transversales. Cependant, dans la plupart des langages d’aspects généralistes, les aspects ont un pouvoir presque illimité, rentrant éventuellement en conflit avec ces objectifs. Dans ce travail, nous présentons Effective Aspects : une nouvelle approche pour incorporer le modèle pointcut/advice de l’AOP dans un langage de programmation fonctionnel statiquement typé comme Haskell. Notre travail comprend deux contributions principales. Premièrement, nous définissons un plongement monadique du modèle pointcut/advice complet de l’AOP. La correction du typage est garantie par l’exploitation du système de type sous-jacent, en particulier les types fantômes et une nouvelle classe de type pour faire de l’anti-unification de types. Dans ce modèle, les aspects sont de première classe, peuvent être déployés de façon dynamique, et le langage de pointcuts est extensible, combinant donc la flexibilité des langages d’aspect typés dynamiquement avec les garanties d’un système de type statique. Les monades nous permettent de raisonner directement sur les effets du calcul à la fois dans les aspects et les programmes de base en utilisant des techniques monadiques traditionnelle. Avec ce système, nous étendons la notion de “open modules” avec des effets, et aussi avec les interfaces de pointcut protégés à l’extérieur d’un advice. Ces restrictions sont appliquées statiquement par le système de type. Aussi, nous adaptons les techniques de EffectiveAdvice afin de raisonner sur des propriétés du flot de contrôle. En outre, nous montrons comment contrôler l’interférence des effets en utilisant l’approche fondée sur la paramétricité de EffectiveAdvice. Nous montrons que cette approche n’est pas satisfaisante en présence de multiples aspects et proposons une approche différente en utilisant des vues monadiques, une nouvelle technique pour le traitement de la pile monadique, développée par Schrijvers et Oliveira. Ensuite, nous exploitons les propriétés de notre modèle pour permettre la construction modulaire de nouvelles sémantiques pour la portée d’aspects et le tissage. Notre deuxième contribution s’appuie sur un modèle puissant pour raisonner sur la composition de mixins avec effets et leur interférence, fondée sur un raisonnement équationnelle, paramétrique, et les lois algébriques sur les effets monadiques. Notre contribution est de montrer comment raisonner sur l’interférence en présence de quantification sans restriction pour les pointcuts. Nous montrons que le raisonnement global peut être compositionnelle, ce qui est essentiel pour le passage à l’échelle de l’approche face aux évolutions de grands systèmes. / Aspect-oriented programming (AOP) aims to enhance modularity and reusability in software systems by offering an abstraction mechanism to deal with crosscutting concerns. But, in most general-purpose aspect languages aspects have almost unrestricted power, eventually conflicting with these goals. This work presents Effective Aspects: a novel approach to embed the pointcut/advice model of AOP in a statically-typed functional programming language like Haskell; along two main contributions. First, we define a monadic embedding of the full pointcut/advicemodel of AOP. Type soundness is guaranteed by exploiting the underlying type system, in particular phantom types and a new anti-unification type class. In this model aspects are first-class, can be deployed dynamically, and the pointcut language is extensible, therefore combining the flexibility of dynamically-typed aspect languages with the guarantees of a static type system. Monads enable us to directly reason about computational effects both in aspects and base programs using traditional monadic techniques. Using this we extend the notion of Open Modules with effects, and also with protected pointcut interfaces to external advising. These restrictions are enforced statically using the type system. Also, we adapt the techniques of EffectiveAdvice to reason about and enforce control flow properties as well as to control effect interference. We show that the parametricity-based approach to effect interference falls short in the presence of multiple aspects and propose a different approach using monad views, a novel technique for handling the monad stack, developed by Schrijvers and Oliveira. Then, we exploit the properties of our model to enable the modular construction of new semantics for aspect scoping and weaving. Our second contribution builds upon a powerful model to reason about mixin-based composition of effectful components and their interference, based on equational reasoning, parametricity, and algebraic laws about monadic effects. Our contribution is to show how to reason about interference in the presence of unrestricted quantification through pointcuts. We show that global reasoning can be compositional, which is key for the scalability of the approach in the face of large and evolving systems. We prove a general equivalence theorem that is based on a few conditions that can be established, reused, and adapted separately as the system evolves. The theorem is defined for an abstract monadic AOP model; we illustrate its use with a simple version of the model just described. This work brings type-based reasoning about effects for the first time in the pointcut/advice model, in a framework that is expressive, extensible and well-suited for development of robust aspect-oriented systems as well as a research tool for new aspect semantics.

Programmation orientée aspect

Monades

Raisonnement modulaire

Raisonnement compositionnel

Aspect-oriented programming

Monads

Modular reasoning

Compositional reasoning

On the Security and Reliability of Fixed-Wing Unmanned Aircraft Systems

Muniraj, Devaprakash

20 September 2019

The focus of this dissertation is on developing novel methods and extending existing ones to improve the security and reliability of fixed-wing unmanned aircraft systems (UAS). Specifically, we focus on three strands of work: i) designing UAS controllers with performance guarantees using the robust control framework, ii) developing tools for detection and mitigation of physical-layer security threats in UAS, and iii) extending tools from compositional verification to design and verify complex systems such as UAS. Under the first category, we use the robust H-infinity control approach to design a linear parameter-varying (LPV) path-following controller for a fixed-wing UAS that enables the aircraft to follow any arbitrary planar curvature-bounded path under significant environmental disturbances. Three other typical path-following controllers, namely, a linear time-invariant H-infinity controller, a nonlinear rate-tracking controller, and a PID controller, are also designed. We study the relative merits and limitations of each approach and demonstrate through extensive simulations and flight tests that the LPV controller has the most consistent position tracking performance for a wide array of geometric paths. Next, convex synthesis conditions are developed for control of distributed systems with uncertain initial conditions, whereby independent norm constraints are placed on the disturbance input and the uncertain initial state. Using this approach, we design a distributed controller for a network of three fixed-wing UAS and demonstrate the improvement in the transient response of the network when switching between different trajectories. Pertaining to the second strand of this dissertation, we develop tools for detection and mitigation of security threats to the sensors and actuators of UAS. First, a probabilistic framework that employs tools from statistical analysis to detect sensor attacks on UAS is proposed. By incorporating knowledge about the physical system and using a Bayesian network, the proposed approach minimizes the false alarm rates, which is a major challenge for UAS that operate in dynamic and uncertain environments. Next, the security vulnerabilities of existing UAS actuators are identified and three different methods of differing complexity and effectiveness are proposed to detect and mitigate the security threats. While two of these methods involve developing algorithms and do not require any hardware modification, the third method entails hardware modifications to the actuators to make them resilient to malicious attacks. The three methods are compared in terms of different attributes such as computational demand and detection latency. As for the third strand of this dissertation, tools from formal methods such as compositional verification are used to design an unmanned multi-aircraft system that is deployed in a geofencing application, where the design objective is to guarantee a critical global system property. Verifying such a property for the multi-aircraft system using monolithic (system-level) verification techniques is a challenging task due to the complexity of the components and the interactions among them. To overcome these challenges, we design the components of the multi-aircraft system to have a modular architecture, thereby enabling the use of component-based reasoning to simplify the task of verifying the global system property. For component properties that can be formally verified, we employ results from Euclidean geometry and formal methods to prove those properties. For properties that are difficult to be formally verified, we rely on Monte Carlo simulations. We demonstrate how compositional reasoning is effective in reducing the use of simulations/tests needed in the verification process, thereby increasing the reliability of the unmanned multi-aircraft system. / Doctor of Philosophy / Given the safety-critical nature of many unmanned aircraft systems (UAS), it is crucial for stake holders to ensure that UAS when deployed behave as intended despite atmospheric disturbances, system uncertainties, and malicious adversaries. To this end, this dissertation deals with developing novel methods and extending existing ones to improve the security and reliability of fixed-wing UAS. Specifically, we focus on three key areas: i) designing UAS controllers with performance guarantees, ii) developing tools for detection and mitigation of security threats to sensors and actuators of UAS, and iii) extending tools from compositional verification to design and verify complex systems such as UAS. Pertaining to the first area, we design controllers for UAS that would enable the aircraft to follow any arbitrary planar curvature-bounded path under significant atmospheric disturbances. Four different controllers of differing complexity and effectiveness are designed, and their relative merits and limitations are demonstrated through extensive simulations and flight tests. Next, we develop control design tools to improve the transient response of multi-mission UAS networks. Using these tools, we design a controller for a network of three fixed-wing UAS and demonstrate the improvement in the transient response of the network when switching between different trajectories. As for the contributions in the second area, we develop tools for detection and mitigation of security threats to the sensors and actuators of UAS. First, we propose a framework for detecting sensor attacks on UAS. By judiciously using knowledge about the physical system and techniques from statistical analysis, the framework minimizes the false alarm rates, which is a major challenge in designing attack detection systems for UAS. Then, we focus on another important attack surface of the UAS, namely, the actuators. Here, we identify the security vulnerabilities of existing UAS actuators and propose three different methods to detect and mitigate the security threats. The three methods are compared in terms of different attributes such as computational demand, detection latency, need for hardware modifications, etc. In regard to the contributions in the third area, tools from compositional verification are used to design an unmanned multi-aircraft system that is tasked to track and compromise an aerial encroacher, wherein the multi-aircraft system is required to satisfy a global system property pertaining to collision avoidance and close tracking. A common approach to verifying global properties of systems is monolithic verification where the whole system is analyzed. However, such an approach becomes intractable for complex systems like the multi-aircraft system considered in this work. We overcome this difficulty by employing the compositional verification approach, whereby the problem of verifying the global system property is reduced to a problem of reasoning about the system’s components. That being said, even formally verifying some component properties can be a formidable task; in such cases, one has to rely on Monte Carlo simulations. By suitably designing the components of the multi-aircraft system to have a modular architecture, we show how one can perform focused component-level simulations rather than conduct simulations on the whole system, thereby limiting the use of simulations during the verification process and, as a result, increasing the reliability of the system.

path following

unmanned aircraft systems

robust control

distributed control

UAS security

compositional reasoning

verified design

An algebraic theory of componentised interaction

Chilton, Christopher James

January 2013

This thesis provides a specification theory with strong algebraic and compositionality properties, allowing for the systematic construction of new components out of existing ones, while ensuring that given properties continue to hold at each stage of system development. The theory shares similarities with the interface automata of de Alfaro and Henzinger, but is linear-time in the style of Dill's trace theory, and is endowed with a richer collection of operators. Components are assumed to communicate with one another by synchronisation of input and output actions, with the component specifying the allowed sequences of interactions between itself and the environment. When the environment produces an interaction that the component is unwilling to receive, a communication mismatch occurs, which can correspond to run-time error or underspecification. These are modelled uniformly as inconsistencies. A linear-time refinement preorder corresponding to substitutivity preserves the absence of inconsistency under all environments, allowing for the safe replacement of components at run-time. To build complex systems, a range of compositional operators are introduced, including parallel composition, logical conjunction and disjunction, hiding, and quotient. These can be used to examine the structural behaviour of a system, combine independently developed requirements, abstract behaviour, and incrementally synthesise missing components, respectively. It is shown that parallel composition is monotonic under refinement, conjunction and disjunction correspond to the meet and join operations on the refinement preorder, and quotient is the adjoint of parallel composition. Full abstraction results are presented for the equivalence defined as mutual refinement, a consequence of the refinement being the weakest preorder capturing substitutivity. Extensions of the specification theory with progress-sensitivity (ensuring that refinement cannot introduce quiescence) and real-time constraints on when interactions may and may not occur are also presented. These theories are further complemented by assume-guarantee frameworks for supporting component-based reasoning, where contracts (characterising sets of components) separate the assumptions placed on the environment from the guarantees provided by the components. By defining the compositional operators directly on contracts, sound and complete assume-guarantee rules are formulated that preserve both safety and progress. Examples drawn from distributed systems are used to demonstrate how these rules can be used for mechanically deriving component-based designs.

005