% % GENERATED FROM http://acme.able.cs.cmu.edu % by : anonymous % IP : ec2-44-210-237-223.compute-1.amazonaws.com % at : Fri, 29 Mar 2024 02:06:36 -0400 GMT % % Selection : All publications % @Article{DiscoTectTSE, AUTHOR = {Schmerl, Bradley and Aldrich, Jonathan and Garlan, David and Kazman, Rick and Yan, Hong}, TITLE = {Discovering Architectures from Running Systems}, YEAR = {2006}, MONTH = {July}, JOURNAL = {IEEE Transactions on Software Engineering}, VOLUME = {32}, NUMBER = {7}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/discotect-tse.pdf}, ABSTRACT = {One of the challenging problems for software developers is guaranteeing that a system as built is consistent with its architectural design. In this paper, we describe a technique that uses runtime observations about an executing system to construct an architectural view of the system. In this technique, we develop mappings that exploit regularities in system implementation and architectural style. These mappings describe how low-level system events can be interpreted as more abstract architectural operations and are formally defined using Colored Petri Nets. In this paper, we describe a system, called DiscoTect, that uses these mappings and we introduce the DiscoSTEP mapping language and its formal definition. Two case studies showing the application of DiscoTect suggest that the tool is practical to apply to legacy systems and can dynamically verify conformance to a preexisting architectural specification.}, NOTE = {Also available from IEEE. Appendix A, Appendix B}, KEYWORDS = {DiscoTect, Rainbow, Self-Repair, Software Architecture} } @InProceedings{Fairbanks2006, AUTHOR = {Fairbanks, George and Scherlis, William and Garlan, David}, TITLE = {Design Fragments Make Using Frameworks Easier}, YEAR = {2006}, MONTH = {22-27 October}, BOOKTITLE = {Proceedings of ACM SIGPLAN Conference on Object Oriented Programs, Systems, Languages, and Applications (OOPSLA) 2006}, ADDRESS = {Portland, OR, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/OOPSLA-06.pdf}, ABSTRACT = {Object oriented frameworks impose new burdens on programmers that libraries did not, such as requiring the programmer to understand the method callback sequence, respecting behavior constraints within these methods, and devising solutions within a constrained solution space. To overcome these burdens, we express the repeated patterns of engagement with the framework as a design fragment. We analyzed the 20 demo applets provided by Sun and created a representative catalog of design fragments of conventional best practice. By evaluating 36 applets pulled from the internet we show that these design fragments are common, many applets copied the structure of the Sun demos, and that creation of a catalog of design fragments is practical. Design fragments give programmers immediate benefit through tool-based conformance assurance and long-term benefit through expression of design intent.}, KEYWORDS = {Design Fragments, Design Patterns, Frameworks} } @InProceedings{Fairbanks2006a, AUTHOR = {Fairbanks, George and Bierhoff, Kevin and D'Souza, Desmond}, TITLE = {Software Architecture at a Large Financial Firm}, YEAR = {2006}, MONTH = {22-27 October}, BOOKTITLE = {Proceedings of ACM SIGPLAN Conference on Object Oriented Programs, Systems, Languages, and Applications (OOPSLA) 2006}, ADDRESS = {Portland, OR, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/oopsla06-exp.pdf}, ABSTRACT = {System builders have historically used informal software architecture models to understand options, make choices, and communicate with others. Research into software architecture over the past fifteen years has indicated that more precise architecture models may be beneficial. At a large financial firm, we applied precise software architecture techniques on four software projects and this experience has revealed a number of practical issues. We made the following observations across the projects: 1) Architecture models can be used to bridge gaps between business requirements and technology, 2) A small collection of techniques and a detail knob are practical and useful in a variety of projects, 3) Architecture modeling techniques amplify the skills of the architects, 4) A model of domain concepts and relationships is helpful when building architecture models, and 5) It is difficult to know when to stop adding detail to your architecture model. We believe that these observations motivate future research and can help practitioners make software architecture more effective in practice.}, KEYWORDS = {Software Architecture} } @InProceedings{Kim2006, AUTHOR = {Kim, Jung Soo and Garlan, David}, TITLE = {Analyzing Architectural Styles with Alloy}, YEAR = {2006}, MONTH = {17 July}, BOOKTITLE = {Workshop on the Role of Software Architecture for Testing and Analysis 2006 (ROSATEA 2006)}, ADDRESS = {Portland, ME, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/rosatea2006-final.pdf}, ABSTRACT = {The backbone of many architectures is an architectural style that provides a domain-specific design vocabulary and set of constraints on how that vocabulary can be used. Hence, designing a sound and appropriate architectural style becomes an important and intellectually challenging activity. Unfortunately, although there are numerous tools to help in the analysis of individual architectures, relatively less work has been done on tools to help the style designer. In this paper we show how to map an architectural style, expressed formally in an architectural description language, into a relational model that can be automatically checked for properties such as whether a style is consistent, whether a style satisfies some predicate over the architectural structure, whether two styles are compatible for composition, and whether one style refines another.}, KEYWORDS = {Acme, Formal Methods, Software Architecture} } @InProceedings{Garlan2006, AUTHOR = {Garlan, David and Schmerl, Bradley}, TITLE = {An Architecture for Personal Cognitive Assistance}, YEAR = {2006}, MONTH = {5-7 July}, BOOKTITLE = {18th International Conference on Software Engineering and Knowledge Engineering}, ADDRESS = {San Francisco Bay, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seke06.pdf}, ABSTRACT = {Current desktop environments provide weak support for carrying out complex user-oriented tasks. Although individual applications are becoming increasingly sophisticated and featurerich, users must map their high-level goals to the low-level operational vocabulary of applications, and deal with a myriad of routine tasks (such as keeping up with email, keeping calendars and web sites up-to-date, etc.). An alternative vision is that of a personal cognitive assistant. Like a good secretary, such an assistant would help users accomplish their high-level goals, coordinating the use of multiple applications, automatically handling routine tasks, and, most importantly, adapting to the individual needs of a user over time. In this paper we describe the architecture and its implementation for a personal cognitive assistant called RADAR. Key features include (a) extensibility through the use of a plug-in agent architecture (b) transparent integration with legacy applications and data of today?s desktop environments, and (c) extensive use of learning so that the environment adapts to the individual user over time.}, KEYWORDS = {Personal Assistance, RADAR, Software Architecture} } @Article{Poladian2006, AUTHOR = {Sousa, Jo\~{a}o and Poladian, Vahe and Garlan, David and Schmerl, Bradley and Shaw, Mary}, TITLE = {Task-Based Adaptation for Ubiquitous Computing}, YEAR = {2006}, MONTH = {May}, JOURNAL = {IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, Special Issue on Engineering Autonomic Systems}, VOLUME = {36}, NUMBER = {3}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/tbuc.pdf}, ABSTRACT = {An important domain for autonomic systems is the area of ubiquitous computing: users are increasingly surrounded by technology that is heterogeneous, pervasive, and variable. In this paper we describe our work in developing self-adapting computing infrastructure that automates the configuration and reconfiguration of such environments. Focusing on the engineering issues of self-adaptation in the presence of heterogeneous platforms, legacy applications, mobile users, and resource variable environments, we describe a new approach based on the following key ideas: (a) Explicit representation of user tasks allows us to determine what service qualities are required of a given configuration; (b) Decoupling task and preference specification from the lower level mechanisms that carry out those preferences provides a clean engineering separation of concerns between what is needed and how it is carried out; and (c) Efficient algorithms allow us to calculate in real time near-optimal resource allocations and reallocations for a given task.}, NOTE = {Also available at IEEE Xplore}, KEYWORDS = {Aura, Autonomic Systems, Ubiquitous Computing} } @TechReport{Antoun2006, AUTHOR = {Abi-Antoun, Marwan and Aldrich, Jonathan and Nahas, Nagi and Schmerl, Bradley and Garlan, David}, TITLE = {Differencing and Merging of Architectural Views}, YEAR = {2005}, NUMBER = {CMU-ISRI-05-128}, INSTITUTION = {Carnegie Mellon University Institute for Software Research International}, URL = {http://reports-archive.adm.cs.cmu.edu/anon/isri2005/abstracts/05-128.html}, ABSTRACT = {As architecture-based techniques become more widely adopted, software architects face the problem of reconciling different versions of architectural models. However, existing approaches to differencing and merging architectural views are based on restrictive assumptions, such as requiring view elements to have unique identifiers or explicitly log changes between versions. To overcome some of the above limitations, we propose differencing and merging architectural views based on structural information. To that effect, we generalize a published polynomial-time tree-to-tree correction algorithm (that detects inserts, renames and deletes) into a novel algorithm to additionally detect restricted moves and support forcing and preventing matches between view elements. We implement a set of tools to compare and merge component-and-connector (C&C) architectural views, incorporating the algorithm. Finally, we provide an empirical evaluation of the algorithm and the tools on case studies with real software, illustrating the practicality of the approach to find and reconcile interesting divergences between architectural views.}, KEYWORDS = {Software Architecture} } @InProceedings{Sousa2005, AUTHOR = {Sousa, Jo\~{a}o and Poladian, Vahe and Garlan, David and Schmerl, Bradley}, TITLE = {Capitalizing on Awareness of User Tasks for Guiding Adaptation.}, YEAR = {2005}, BOOKTITLE = {Proceedings of the First International Workshop on Adaptive and Self-managing Enterprise Applications, at CAISE'05}, ADDRESS = {Portugal}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/asmea05.pdf}, ABSTRACT = {Computers support more and more tasks in the personal and professional activities of users. Such user tasks increasingly span large periods of time and many locations across the enterprise space and beyond. Recently there has been a growing interest in developing applications that can cope with the specific environmental conditions at each location, and adapt to dynamic changes in system resources. However, in a given situation there may be many possible configuration solutions, and an awareness of the user's intent for each task is a critical element in knowing which one to pick. In this paper, we discuss the limitations of building such awareness into applications, and propose to factor the awareness of user tasks into a common software layer. That however, brings up the problem of coordinating the system-wide adaptation performed by such a layer with fine-grain adaptation performed by resource-aware applications. We summarize the main features of an architectural framework that incorporates such a layer, and distill some of the lessons learned in implementing the framework.}, KEYWORDS = {Aura, Autonomic Systems, Ubiquitous Computing} } @PhdThesis{Sousa2005a, AUTHOR = {Sousa, Jo\~{a}o}, TITLE = {Scaling Task Management in Space and Time: Reducing User Overhead in Ubiquitous-Computing Environments}, YEAR = {2005}, SCHOOL = {Carnegie Mellon University School of Computer Science Technical Report CMU-CS-05-123}, KEYWORDS = {Aura, Ubiquitous Computing} } @InProceedings{Schmerl2005, AUTHOR = {Schmerl, Bradley and Yan, Hong and Garlan, David}, TITLE = {DiscoTect: A System for Discovering Architectures from Running Systems (Demonstration)}, YEAR = {2005}, MONTH = {September}, BOOKTITLE = {Proceedings of the Joint European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering}, ADDRESS = {Lisbon, Portugal}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/discotect.pdf}, ABSTRACT = {One of the challenges for software architects is ensuring that an implemented system faithfully represents its architecture. We describe and demonstrate a tool, called DiscoTect, that addresses this challenge by dynamically monitoring a running system and deriving the software architecture as that system runs. The derivation process is based on mappings that relate low level system-level events to higher-level architectural events. The resulting architecture is then fed into existing architectural design tools so that comparisons can be conducted with the design time architecture and architectural analyses can be re-run to ensure that they are still valid. In addition to the demonstration, we briefly describe the mapping language and formal definition of the language in terms of Colored Petri Nets.}, KEYWORDS = {DiscoTect} } @InProceedings{Antoun2005, AUTHOR = {Abi-Antoun, Marwan and Aldrich, Jonathan and Garlan, David and Schmerl, Bradley and Nahas, Nagi and Tseng, Tony}, TITLE = {Software Architecture with Acme and ArchJava (Research Demonstration)}, YEAR = {2005}, MONTH = {May}, BOOKTITLE = {Proceedings of the 27th International Conference on Software Engineering}, ADDRESS = {St. Louis, MS}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/archjava-demo-icse05.pdf}, ABSTRACT = {We demonstrate a tool to incrementally synchronize an Acme architectural model described in the Acme Architectural Description Language (ADL) with an implementation in ArchJava, an extension of the Java programming language that includes explicit architectural modeling constructs.}, KEYWORDS = {Acme, ArchJava, Software Architecture} } @InProceedings{Antoun2005a, AUTHOR = {Abi-Antoun, Marwan and Aldrich, Jonathan and Garlan, David and Schmerl, Bradley and Nahas, Nagi and Tseng, Tony}, TITLE = {Improving System Dependability by Enforcing Architectural Intent}, YEAR = {2005}, MONTH = {May}, BOOKTITLE = {Proceedings of the 2005 Workshop on Architecting Dependable Systems (WADS 2005)}, ADDRESS = {St. Louis, MS}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/WADS05-2.pdf}, ABSTRACT = {Developing dependable software systems requires enforcing conformance between architecture and implementation during software development and evolution. We address this problem with a multi-pronged approach: (a) automated refinement of a component-and-connector (C&C) architectural view into an initial implementation, (b) enforcement of architectural structure at the programming language level, (c) automated abstraction of a C&C view from an implementation, and (d) semi-automated incremental synchronization between the architectural and the implementation C&C views. We use an Architecture Description Language (ADL), Acme, to describe the architecture, and ArchJava, an implementation language which embeds a C&C architecture specification within Java implementation code. Although both Acme and ArchJava specify C&C views, a number of structural differences may arise. Our approach can detect structural differences which correspond directly to implementation-level violations of the well thoughtout architectural intent. Furthermore, supplementing the C&C view extracted from the implementation with architectural types and styles can uncover additional violations. }, KEYWORDS = {Acme, ArchJava, Software Architecture} } @InProceedings{Poladian2005, AUTHOR = {Poladian, Vahe and Sousa, Jo\~{a}o and Padberg, Frank and Shaw, Mary}, TITLE = {Anticipatory Configuration of Resource-aware Applications}, YEAR = {2005}, MONTH = {May}, BOOKTITLE = {Proceedings of the 7th International Workshop on Economics Driven Software Engineering Research, affiliated with the 27th International Conference on Software Engineering}, ADDRESS = {St. Louis, MS}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/edser7.pdf}, ABSTRACT = {We propose an improved approach to dynamic configuration of resource-aware applications. The new anticipatory model of configuration maximizes utility based on three inputs: user preferences, application capability profiles, and resource availability. In this respect, the proposed model is similar to a model of configuration described in [2]. However, the latter addresses the dynamic nature of the problem by reacting to changes (such as decrease in resource availability), and maximizes the utility in a point-wise manner. The newly proposed anticipatory approach explicitly models the duration of the task and leverages possible information about the future (such as stochastic resource availability over the expected duration of the task). We expect that the anticipatory model will improve user's utility, conserve scarce resources, and reduce the amount of disruption to the user resulting from changes when compared to the reactive model. However, the optimization problem underlying the anticipatory model is computationally more difficult than the problem underlying the reactive model. We would like to investigate if the anticipatory approach is feasible and efficient in practice while delivering the above-mentioned improvements. In this paper, we carefully state the model of anticipatory configuration, highlight the sources of complexity in the problem, propose an algorithm to the anticipatory configuration problem, and provide a roadmap for research.}, KEYWORDS = {Dynamic Configuration, Aura} } @InProceedings{Garlan2005, AUTHOR = {Garlan, David and Reinholtz, William K. and Schmerl, Bradley and Sherman, Nicholas and Tseng, Tony}, TITLE = {Bridging the Gap between Systems Design and Space Systems Software}, YEAR = {2005}, MONTH = {6-7 April}, BOOKTITLE = {Proceedings of the 29th Annual IEEE/NASA Software Engineering Workshop (SEW-29)}, ADDRESS = {Greenbelt, MD}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/sew-final.pdf}, ABSTRACT = {A challenging problem for software engineering practitioners is moving from high-level system architectures produced by system engineers to deployable software produced by software engineers. In this paper we describe our experience working with NASA engineers to develop an approach and toolset for automating the generation of space systems software from architectural specifications. Our experience shows that it is possible to leverage the space systems domain, formal architectural specifications, and component technology to provide retargetable code generators for this class of software.}, KEYWORDS = {Acme, Software Architecture} } @InProceedings{Cheng2005, AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley}, TITLE = {Making Self-Adaptation an Engineering Reality}, YEAR = {2005}, BOOKTITLE = {Proceedings of the Conference on Self-Star Properties in Complex Information Systems}, VOLUME = {3460}, EDITOR = {Babaoghu, Ozlap and Jelasity, Mark and Montroser, Alberto and Fetzer, Christof and Leonardi, Stefano and Van Moorsel, Aad}, SERIES = {LNCS}, PUBLISHER = {Springer-Verlag}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/self-star-2005.pdf}, ABSTRACT = {In this paper, we envision a world where a software engineer could take an existing software system, specify, for a set of properties of interest, an objective, conditions for change, and strategies for their adaptation and, within a few man weeks, make that system self-adaptive where it was not before. We describe how our approach generalizes to different classes of systems and holds promise for cost-effective, dynamic system self-adaptation to become an engineering reality.}, NOTE = {Also available from Springer-Verlag here}, KEYWORDS = {Autonomic Systems, Rainbow, Self-Repair} } @InCollection{Coutaz2005, AUTHOR = {Coutaz, Joelle and Crowley, Jame L. and Dobson, Simon and Garlan, David}, TITLE = {Context is Key}, YEAR = {2005}, MONTH = {March}, BOOKTITLE = {Communications of the ACM, Special Issue on The Disappearing Computer}, VOLUME = {58}, NUMBER = {4}, PAGES = {49-53}, KEYWORDS = {Ubiquitous Computing} } @Misc{Cheng2005a, AUTHOR = {Cheng, Shang-Wen and Nord, Robert and Stafford, Judith}, TITLE = {WICSA Wiki WAN Party: capturing experience in software architecture best practices}, YEAR = {2005}, MONTH = {January}, HOWPUBLISHED = {ACM SIGSOFT Software Engineering Notes, Volume 30, Number 1}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/wwwp.pdf}, ABSTRACT = {Researchers, practitioners, educators, and students of software architecture would benefit from having online access to quality information about the state of research and practice of software architecture. In recent years, Wiki technology has enabled distributed and collaborative editing of content using only a Web browser. To explore whether Wiki technology would be effective in facilitating the ongoing discussion and evolution of ideas on software architecture, we hosted the WICSA Wiki WAN Party (WWWP) during the 4th Working IEEE/IFIP Conference on Software Architecture (WICSA 2004). We used a history tool developed at IBM Research to monitor site activity and provide daily feedback to conference participants. This report recounts experience hosting this Wiki site and summarizes the site activity.}, KEYWORDS = {Software Architecture} } @PhdThesis{Spitznagel2004, AUTHOR = {Spitznagel, Bridget}, TITLE = {Compositional Transformation of Software Connectors}, YEAR = {2005}, SCHOOL = {Carnegie Mellon Univeristy School of Computer Science Technical Report CMU-CS-04-128}, KEYWORDS = {Software Architecture} } @TechReport{Yan2004, AUTHOR = {Yan, Hong and Aldrich, Jonathan and Garlan, David and Kazman, Rick and Schmerl, Bradley}, TITLE = {Discovering Architectures from Running Systems: Lessons Learned}, YEAR = {2004}, NUMBER = {CMU-SEI-2004-TR-016}, INSTITUTION = {Software Engineering Institute} } @InProceedings{Garlan2004a, AUTHOR = {Garlan, David and Poladian, Vahe and Schmerl, Bradley and Sousa, Jo\~{a}o}, TITLE = {Task-based Self-adaptation}, YEAR = {2004}, MONTH = {31 October - 1 November}, BOOKTITLE = {Proceedings of the ACM SIGSOFT 2004 Workshop on Self-Managing Systems (WOSS'04)}, ADDRESS = {Newport Beach, CA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/woss04.pdf}, ABSTRACT = {Recently there has been increasing interest in developing systems that can adapt dynamically to cope with changing environmental conditions and unexpected system errors. Most efforts for achieving self-adaptation have focused on the mechanisms for detecting opportunities for improvement and then taking appropriate action. However, such mechanisms beg the question: what is the system trying to achieve? In a given situation there may be many possible adaptations, and knowing which one to pick is a difficult question. In this paper we advocate the use of explicit representation of user task as a critical element in addressing this missing link.}, KEYWORDS = {Autonomic Systems, Self-Repair} } @InProceedings{Roshandel2004, AUTHOR = {Roshandel, Roshanak and Schmerl, Bradley and Medvidovic, Nenad and Garlan, David}, TITLE = {Understanding Tradeoffs among Different Architectural Modelling Approaches}, YEAR = {2004}, MONTH = {11-14 June}, BOOKTITLE = {Proceedings of the 4th Working IEEE/IFIP Conference on Software Architectures (WICSA4)}, ADDRESS = {Oslo, Norway}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/wicsa4-roshandel.pdf}, ABSTRACT = {Over the past decade a number of architecture description languages (ADLs) have been proposed to facilitate modeling and analysis of software architecture. While each claims to have various benefits, to date there have been few studies to assess the relative merits of these approaches. In this paper we describe our experience using two ADLs to model a system initially described in UML, and compare their effectiveness in identifying system design flaws. We also describe the techniques we used for extracting architectural models from a UML system description.}, KEYWORDS = {Software Architecture} } @Article{Garlan2004, AUTHOR = {Garlan, David and Cheng, Shang-Wen and Huang, An-Cheng and Schmerl, Bradley and Steenkiste, Peter}, TITLE = {Rainbow: Architecture-Based Self Adaptation with Reusable Infrastructure}, YEAR = {2004}, MONTH = {October}, JOURNAL = {IEEE Computer}, VOLUME = {37}, NUMBER = {10}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/computer04.pdf}, ABSTRACT = {The Rainbow framework uses software architectures and a reusable infrastructure to support self-adaptation of software systems. The use of external adaptation mechanisms allows the explicit specification of adaptation strategies for multiple system concerns.}, KEYWORDS = {Autonomic Systems, Landmark, Rainbow, Self-adaptation} } @InProceedings{Cheng2004, AUTHOR = {Cheng, Shang-Wen and Huang, An-Cheng and Garlan, David and Schmerl, Bradley and Steenkiste, Peter}, TITLE = {An Architecture for Coordinating Multiple Self-Management Systems}, YEAR = {2004}, MONTH = {11-14 June}, BOOKTITLE = {Proceedings of the 4th Working IEEE/IFIP Conference on Software Architectures (WICSA4)}, ADDRESS = {Oslo, Norway}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/wicsa4-cheng.pdf}, ABSTRACT = {A common approach to adding self-management capabilities to a system is to provide one or more external control modules, whose responsibility is to monitor system behavior, and adapt the system at run time to achieve various goals (configure the system, improve performance, recover from faults, etc.). An important problem arises when there is more than one such self-management module: how can one make sure that they are composed to provide consistent and complementary benefits? In this paper we describe a solution that introduces a self-management coordination architecture and infrastructure to support such composition. We focus on the problem of coordinating self-configuring and self-healing capabilities, particularly with respect to global configuration and incremental repair. We illustrate the approach in the context of a self-managing video teleconference system that composes two pre-existing adaptation modules to achieve synergistic benefits of both.}, KEYWORDS = {Autonomic Systems, Coordination, Rainbow, Self-adaptation} } @TechReport{Ivers2004, AUTHOR = {Ivers, James and Clements, Paul and Garlan, David and Nord, Robert and Schmerl, Bradley and Silva, Jaime Rodrigo Oviedo}, TITLE = {Documenting Component and Connector Views with UML 2.0}, YEAR = {2004}, NUMBER = {CMU/SEI-2004-TR-008}, INSTITUTION = {Software Engineering Institute}, KEYWORDS = {UML, Software Architecture} } @InProceedings{Poladian2004, AUTHOR = {Poladian, Vahe and Sousa, Jo\~{a}o and Garlan, David and Shaw, Mary}, TITLE = {Dynamic Configuration of Resource-Aware Services}, YEAR = {2004}, MONTH = {23-28 May}, BOOKTITLE = { Proceedings of the 26th International Conference on Software Engineering}, ADDRESS = {Edinburgh, Scotland}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aura_icse04/aura_icse04.pdf}, ABSTRACT = {An important emerging requirement for computing systems is the ability to adapt at run time, taking advantage of local computing devices, and coping with dynamically changing resources. Three specific technical challenges in satisfying this requirement are to (1) select an appropriate set of applications or services to carry out a user s task, (2) allocate (possibly scarce) resources among those applications, and (3) reconfigure the applications or resource assignments if the situation changes. In this paper we show how to provide a shared infrastructure that automates configuration decisions given a specification of the user s task. The heart of the approach is an analytical model and an efficient algorithm that can be used at run time to make near-optimal (re)configuration decisions. We validate this approach both analytically and by applying it to a representative scenario.}, KEYWORDS = {Mult-fidelity Applications, Resource Allocation, Resource Aware Computing, Service Composition, Ubiquitous Computing} } @InProceedings{Yan2004a, AUTHOR = {Yan, Hong and Garlan, David and Schmerl, Bradley and Aldrich, Jonathan and Kazman, Rick}, TITLE = {DiscoTect: A System for Discovering Architectures from Running Systems}, YEAR = {2004}, MONTH = {23-28 May}, BOOKTITLE = {Proceedings of the 26th International Conference on Software Engineering}, ADDRESS = {Edinburgh, Scotland}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/icse04-discotect/discotect.pdf}, ABSTRACT = {One of the challenging problems for software developers is guaranteeing that a system as built is consistent with its architectural design. In this paper we describe a technique that uses run time observations about an executing system to construct an architectural view of the system. With this technique we develop mappings that exploit regularities in system implementation and architectural style. These mappings describe how low-level system events can be interpreted as more abstract architectural operations. We describe the current implementation of a tool that uses these mappings, and show that it can highlight inconsistencies between implementation and architecture.}, KEYWORDS = {DiscoTect, Software Architecture} } @InProceedings{Schmerl2004, AUTHOR = {Schmerl, Bradley and Garlan, David}, TITLE = {AcmeStudio: Supporting Style-Centered Architecture Development (Research Demonstration)}, YEAR = {2004}, MONTH = {23-28 May}, BOOKTITLE = {Proceedings of the 26th International Conference on Software Engineering}, ADDRESS = {Edinburgh, Scotland}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/icse04-acmestudio/acmestudio.pdf}, ABSTRACT = {Software architectural modeling is crucial to the development of high-quality software. Software engineering tool support is required for this activity, so that models can be developed, viewed, analyzed, and refined to implementations. This support needs to be provided in a flexible and extensible manner so that the tools can fit into a company s process and can use particular, perhaps company-defined, domain-specific architectural styles. Early architecture development environments were restricted to supporting particular architectural styles, and were not easy to tailor to other styles or domains. In this research demonstration, we describe AcmeStudio, a styleneutral architecture development environment that can (1) allow architects to tailor the environment for particular domains; (2) be used as a framework for integrating domain-specific architectural analyses; and (3) can be extended to integrate with other tools that are used in a company s software development process. We illustrate the main features of AcmeStudio and provide some insight into how we have tailored it to real-world domains specific to NASA and Ford Motor Company.}, KEYWORDS = {Acme, AcmeStudio, Software Architecture} } @InProceedings{Fairbanks2004, AUTHOR = {Fairbanks, George}, TITLE = {Software Engineering Environment Support for Frameworks: A Position Paper}, YEAR = {2004}, MONTH = {May}, BOOKTITLE = {Proceedings of the ICSE 2004 Workshop on Directions in Software Engineering Environments}, ADDRESS = {Edinburgh, Scotland}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/WoDSEE/paper.pdf}, ABSTRACT = {Modern software engineering environments provide programmers with contextual information on methods and classes in their software system. However, programmers increasingly encounter frameworks such as Microsoft Foundation Classes or Enterprise Java Beans whose required plug-in mechanisms cannot be adequately described with method or class documentation. The needs of programmers using frameworks are different from the needs when using libraries. Software engineering environments should be augmented with tools to aid programmers in understanding the demands of using frameworks.}, KEYWORDS = {Design Fragments} } @InProceedings{Garlan2004b, AUTHOR = {Garlan, David and Schmerl, Bradley}, TITLE = {Using Architectural Models at Runtime: Research Challenges}, YEAR = {2004}, MONTH = {May}, BOOKTITLE = {Proceedings of the European Workshop on Software Architectures}, ADDRESS = {St. Andrews, Scotland}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/EWSA/paper-final.pdf}, ABSTRACT = {One crucial aspect of high quality software engineering is the development of a welldefined software architectural model. Despite advances in using software architectural models to clarify system design, there remains the problem of determining whether the system as implemented has the architecture as designed? One approach is to to this is to monitor the running system and translate observed events to events that construct and update an architectural model that reflects the actual running system. One can then compare this dynamically-determined model to the correct architectural model. Discrepancies can be used to flag implementation errors, or, possibly, to effect run-time adaptations to correct certain kinds of flaws.At Carnegie Mellon University, our research group has been investigating the use of system monitoring and reflection using architectural models. In the process of exploring this area we have identified a number of significant research challenges. In this paper we outline our experience, and use that as a way to lay out an agenda for architecture-based approaches to system monitoring and system self-repair.}, KEYWORDS = {Autonomic Systems, Dynamic Configuration, Self-Repair, Software Architecture} } @InProceedings{Steppe2004, AUTHOR = {Steppe, Kevin and Garlan, David and Bylenok, Greg and Schmerl, Bradley and Shevchenko, Nataliya}, TITLE = {Tool Support for Model Based Architectural Design for Automotive Control Systems}, YEAR = {2004}, MONTH = {17-19 March}, BOOKTITLE = {First European Workshop on Model Driven Architecture with Emphasis on Industrial Application}, ADDRESS = {Enschede, The Netherlands}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/MDAEIA2004/MDAEIA2004.pdf}, ABSTRACT = {In conjunction with Ford Motor Company, we built a tool to support multilevel architectural design. The tool, called Synergy, allows Ford to visually design architectures of vehicle control components. The components are imported from existing Simulink models; then the tool automatically generates a detailed view showing all required connections and ports. The resulting model is exported to Simulink for further analysis. In this paper we describe the conceptual and technical challenges encountered in building Synergy and our design choices for solving them.}, KEYWORDS = {Acme, Software Architecture} } @InProceedings{Steppe2004a, AUTHOR = {Steppe, Kevin and Bylenok, Greg and Garlan, David and Schmerl, Bradley and Abirov, Kanat and Shevchenko, Nataliya}, TITLE = {Two-tiered Architectural Design for Automotive Control Systems: An Experience Report}, YEAR = {2004}, MONTH = {10-12 January}, BOOKTITLE = {Automotive Software Workshop on Future Generation Software Architectures in the Automotive Domain}, ADDRESS = {San Diego, CA}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/ASW04/ASW04.pdf}, ABSTRACT = {An attractive approach to architecture-based design is to structure the development process into two tiers. The top tier represents the abstract design (or architecture) of a system in terms of abstract components. The bottom tier refines that design by making specific implementation decisions, such as platform, middleware, and component implementations. While attractive in principle, there has been relatively little industrial-based experience to shed light on problems and solutions involved in such an approach. In this paper we describe our experience in developing tools to introduce a two-tiered model-based approach to the design of Ford Motor Company s automotive control systems, highlighting the principle challenges, and evaluating the effectiveness of our solutions for them.}, NOTE = {(Workshop Proceedings)}, KEYWORDS = {Acme, Software Architecture} } @InProceedings{Poladian2003, AUTHOR = {Kumar, Rajnish and Poladian, Vahe and Greenberg, Ira and Messer, Alan and Milojicic, Dejan}, TITLE = {Selecting Devices for Aggregation}, YEAR = {2003}, BOOKTITLE = {Proceedings of the 5th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 2003)}, ABSTRACT = {As intelligent devices become affordable and wireless infrastructure becomes pervasive, the potential to combine, or aggregate, device functionality to provide a user with a better experience grows. Often, there will be multiple devices providing similar functionality that the user will have to choose from for the aggregation. This paper presents the design and prototype implementation of a system for automatic selection of devices for aggregation in a dynamic environment. It allows a user to express trade-offs between the quality of device attributes, user distraction, and aggregation stability. This approach enables a user to have a richer experience without having to constantly worry about the device and the environment details.}, KEYWORDS = {Resource Aware Computing, Service Composition} } @TechReport{Roshandel2003, AUTHOR = {Roshandel, Roshanak and Schmerl, Bradley and Medvidovic, Nenad and Garlan, David and Zhang, Dehua}, TITLE = {Using Multiple Views to Model and Analyze Software Architecture: An Experience Report}, YEAR = {2003}, NUMBER = {USC-CSE-2003-508}, INSTITUTION = {University of Southern California, Center for Software Engineering}, PDF = {http://sunset.usc.edu/publications/TECHRPTS/2003/usccse2003-508/usccse2003-508.pdf}, ABSTRACT = {Architectural modeling and analysis is a critical phase in developing large and complex software systems. The usefulness of multiple views has likewise long been recognized. In this experience report, we explain how we used two ADLs to model a system initially described in UML. The system (SCRover) itheir Mission Data System technology. We describe (a) the processes that we used to extract architectural models from the UML description, (b) the way in which each ADL was used to model the system, (c) a classification of the architectural defects we uncovered, and (d) a comparison of the relative benefits of the two ADLs in terms of the different classes of defects they uncovered.}, KEYWORDS = {Software Architecture} } @TechReport{Sousa2003, AUTHOR = {Sousa, Jo\~{a}o and Garlan, David}, TITLE = {The Aura Software Architecture: An Infrastructure for Ubiquitous Computing}, YEAR = {2003}, MONTH = {August}, NUMBER = {CMU-CS-03-183}, INSTITUTION = { School of Computer Science, Carnegie Mellon University}, KEYWORDS = {Aura, Ubiquitous Computing} } @InProceedings{Poladian2003a, AUTHOR = {Poladian, Vahe and Butler, Shawn and Shaw, Mary and Garlan, David}, TITLE = {Time is Not Money: The case for multi-dimensional accounting in value-based software engineering}, YEAR = {2003}, MONTH = {May}, BOOKTITLE = {Fifth Workshop on Economics-Driven Software Engineering Research (EDSER-5)}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/EDSER5/paper.pdf}, ABSTRACT = {'Time is money', or so goes the old saying. Perhaps influenced by this aphorism, some strategies for incorporating costs in the analysis of software design express all costs in currency units for reasons of simplicity and tractability. Indeed, in theoretical economics all costs can, in principle, be expressed in dollars. Software engineering problems, however, often present situations in which converting all costs to a common currency is problematical. In this paper we pinpoint some of these situations and the underlying causes of the problems, and we argue that it is often better to treat costs as a multidimensional value, with dimensions corresponding to distinct types of resources. We go on to highlight the differences among cost dimensions that need to be considered when developing cost-benefit analyses, and we suggest mechanisms for mediating among heterogeneous cost dimensions.}, KEYWORDS = {Mult-fidelity Applications, Resource Allocation, Resource Aware Computing} } @Book{Clements2003, AUTHOR = {Clements, Paul and Bachmann, Felix and Bass, Len and Garlan, David and Ivers, James and Little, Reed and Nord, Robert and Stafford, Judith}, TITLE = {Documenting Software Architectures: Views and Beyond}, YEAR = {2003}, PUBLISHER = {Addison-Wesley}, ABSTRACT = {<center> <br><img src='http://www.cs.cmu.edu/~able/publications/DSA/cover.jpg'> </center> For all but the most trivial software systems, you must pay close attention to its architecture?the conceptual glue that holds every phase of a project together for its many stakeholders. Without an architecture that is appropriate for the problem being solved, the project will at the very least stumble along, or most likely, fail. Even with a superb architecture, if it is not well understood and well communicated?in other words, well documented?the project cannot be considered a complete success.Although architecture is now widely recognized as a critical element in software development, there has been little guidance independent of language or notation about how to capture it. Based on the authors' extensive experience, Documenting Software Architecture, helps you to decide what information to document and then, with guidelines and examples (in various notations, including UML), shows you how to express an architecture in a form that everyone can understand. If you go to the trouble to create a strong architecture, you must also be prepared to describe it in enough detail, without ambiguity, and to organize it so that others can quickly find the information they need. As a guide for practitioners, the book covers:Seven rules for sound documentation The uses of software architecture documentation, including goals and strategies Architectural views and styles, with general introductions and specific examples Documenting software interfaces and software behavior Templates for capturing and organizing the information to generate a coherent package.<br> 'This book is of immense value. It should save you months of trials and errors, lots of undeserved hassle, and many costly mistakes that could potentially jeopardize the whole endeavor. It will become an important reference on the shelf of the software architect.'<br> ?From the Foreword by Philippe Kruchten, Rational Software Canada.}, NOTE = {<a href=http://www.cs.cmu.edu/~able/publications/DSA/Jolt.pdf>2003 Jolt Productivity Award Winner</a>}, ANNOTE = {<a href=http://www.amazon.com/exec/obidos/ASIN/0201703726/002-2443472-2680023>Available from Amazon.com</a>}, KEYWORDS = {Software Architecture} } @InBook{Garlan2003, AUTHOR = {Garlan, David and Cheng, Shang-Wen and Schmerl, Bradley}, TITLE = {Increasing System Dependability through Architecture-based Self-repair}, YEAR = {2003}, BOOKTITLE = {Architecting Dependable Systems}, EDITOR = {de Lemos, Rog\'{e}rio and Gacek, Cristina and Romanovsky, Alexander}, PUBLISHER = {Springer-Verlag}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/WADS/WADS-architecture.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/WADS/WADS-architecture.ps}, ABSTRACT = {One increasingly important technique for improving system dependability is to provide mechanisms for a system to adapt at run time in order to accommodate varying resources, system errors, and changing requirements. For such 'self-repairing' systems one of the hard problems is determining when a change is needed, and knowing what kind of adaptation is required. In this paper we describe a partial solution in which stylized architectural design models are maintained at run time as a vehicle for automatically monitoring system behavior, for detecting when that behavior falls outside of acceptable ranges, and for deciding on a high-level repair strategy. The main innovative feature of the approach is the ability to specialize a generic run time adaptation framework to support particular architectural styles and properties of interest. Specifically, a formal description of an architectural style defines for a family of related systems the conditions under which adaptation should be considered, provides an analytic basis for detecting anomalies, and serves as a basis for developing sound repair strategies.}, KEYWORDS = {Rainbow, Self-Repair, Software Architecture} } @InProceedings{Kim2003, AUTHOR = {Garlan, David and Khersonsky, Serge and Kim, Jung Soo}, TITLE = {Model Checking Publish-Subscribe Systems}, YEAR = {2003}, MONTH = {May}, BOOKTITLE = {Proceedings of The 10th International SPIN Workshop on Model Checking of Software (SPIN 03)}, ADDRESS = {Portland, OR}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/SPIN03/SPIN03.pdf}, ABSTRACT = {While publish-subscribe systems have good engineering properties, they are difficult to reason about and to test. Model checking such systems is an attractive alternative. However, in practice coming up with an appropriate state model for a pub-sub system can be a difficult and error-prone task. In this paper we address this problem by describing a generic pub-sub model checking framework. The key feature of this framework is a reusable, parameterized state machine model that captures pub-sub runtime event management and dispatch policy. Generation of models for specific pub-sub systems is then handled by a translation tool that accepts as input a set of pub-sub component descriptions together with a set of pub-sub properties, and maps them into the framework where they can be checked using off-the-shelf model checking tools.}, KEYWORDS = {Model Checking, Publish Subscribe Systems} } @InProceedings{Fairbanks2003, AUTHOR = {Fairbanks, George}, TITLE = {Why Can't They Create Architecture Models Like Developer X? An Experience Report}, YEAR = {2003}, MONTH = {3-10 May}, BOOKTITLE = {The 2003 International Conference on Software Engineering (ICSE'03)}, ADDRESS = {Portland, OR}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/exp02/paper.pdf}, ABSTRACT = {A large financial company, struggling with legacy systems that did not interoperate, performed a pilot project to teach software architecture to an enthusiastic application development team. Experienced mentors, including the author, worked with the application team for seven months who completed their engineering goal successfully. However, the mentors were unsuccessful in their attempt to train any of the six members of application team to create architecture models on their own, though they were able to create them collaboratively with the mentors. This surprising result is due to the application team's strong preference for concrete artifacts over abstract ones. Even more surprising, an application developer from a different project, 'Developer X', read the architecture modeling documentation on an internal website and, without mentoring, created good architecture models within a few days. In light of this failure to teach software architecture, two short-term strategies are suggested for the use of software architecture in companies and long-term strategies are discussed.}, KEYWORDS = {Software Architecture} } @InProceedings{Spitznagel2003, AUTHOR = {Spitznagel, Bridget and Garlan, David}, TITLE = {A Compositional Formalization of Connector Wrappers}, YEAR = {2003}, BOOKTITLE = {The 2003 International Conference on Software Engineering (ICSE'03)}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/connwrap/connwrap.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/connwrap/connwrap.ps}, ABSTRACT = {Increasingly systems are composed of parts: software components, and the interaction mechanisms (connectors) that enable them to communicate. When assembling systems from independently developed and potentially mismatched parts, wrappers may be used to overcome mismatch as well as to remedy extra-functional deficiencies. Unfortunately the current practice of wrapper creation and use is ad hoc, resulting in artifacts that are often hard to reuse or compose, and whose impact is difficult to analyze. What is needed is a more principled basis for creating, understanding, and applying wrappers. Focusing on the class of connector wrappers (wrappers that address issues related to communication and compatibility), we present a means of characterizing connector wrappers as protocol transformations, modularizing them, and reasoning about their properties. Examples are drawn from commonly practiced dependability enhancing techniques.}, KEYWORDS = {Software Architecture} } @Misc{Clements2002, AUTHOR = {Clements, Paul and Bachmann, Felix and Garlan, David and Little, Reed and Nord, Robert and Stafford, Judith}, TITLE = {A Practical Method for Documenting Software Architectures}, YEAR = {2002}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/icse03-dsa/submitted.pdf}, ABSTRACT = {A practical approach for documenting software architectures is presented. The approach is based on the well-known architectural concept of views, and holds that documentation consists of documenting the relevant views and then documenting the information that applies to more than one view. Views can be usefully grouped into viewtypes, corresponding to the three broad ways an architect must think about a system: as a set of implementation units, as a set of runtime elements interacting to carry out the system's work, and as a set of elements existing in and relating to external structures in its environment. A simple three-step procedure for choosing the relevant views to document is given, and applied to the problem of documentation for a large, complex NASA system.}, KEYWORDS = {Software Architecture} } @InProceedings{Garlan2002, AUTHOR = {Garlan, David and Schmerl, Bradley}, TITLE = {Model-based Adaptation for Self-Healing Systems}, YEAR = {2002}, MONTH = {18-19 November}, BOOKTITLE = {ACM SIGSOFT Workshop on Self-Healing Systems (WOSS'02),}, ADDRESS = {Charleston, SC}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/WOSS02/paper-submitted.pdf}, ABSTRACT = {Traditional mechanisms that allow a system to detect and recover from errors are typically wired into applications at the level of code where they are hard to change, reuse, or analyze. An alterna-tive approach is to use externalized adaptation: one or more mod-els of a system are maintained at run time and external to the ap-plication as a basis for identifying problems and resolving them. In this paper we provide an overview of recent research in which we use architectural models as the basis for such problem diagno-sis and repair. These models can be specialized to the particular style of the system, the quality of interest, and the dimensions of run time adaptation that are permitted by the running system.}, KEYWORDS = {Autonomic Systems, Self-Repair, Software Architecture} } @InProceedings{Dingel2002, AUTHOR = {Dingel, Juergen and Garlan, David and Damon, Craig}, TITLE = {Bridging the HLA: Problems and Solutions}, YEAR = {2002}, MONTH = {11-13 October}, BOOKTITLE = {Sixth IEEE International Workshop on Distributed Simulation and Real Time Applications (DS-RT '02)}, ADDRESS = {Fort Worth, TX}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/dsrt02/dsrt-distrib.pdf}, ABSTRACT = {The High-Level Architecture (HLA) provides a common architecture for distributed modeling and simulation. In its original form, the HLA allows a number of simulations to be joined together into a federation using a single run time infrastructure. Recently there has been an interest in joining multiple such federations together using a mediating unit, called an HLA }, KEYWORDS = {Formal Methods, Software Architecture} } @InProceedings{Cheng2002, AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley and Steenkiste, Peter and Hu, Ningning}, TITLE = {Software Architecture-based Adaptation for Grid Computing}, YEAR = {2002}, MONTH = {July}, BOOKTITLE = {The 11th IEEE Conference on High Performance Distributed Computing (HPDC}, ADDRESS = {Edinburgh, Scotland}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hpdc02/hpdc02.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hpdc02/hpdc02.ps}, ABSTRACT = {Grid applications must increasingly self-adapt dynamically to changing environments. In most cases, adaptation has been implemented in an ad hoc fashion, on a perapplication basis. This paper describes work which generalizes adaptation so that it can be used across applications by providing an adaptation framework. This framework uses a software architectural model of the system to analyze whether the application requires adaptation, and allows repairs to be written in the context of the architectural model and propagated to the running system. In this paper, we exemplify our framework by applying it to the domain of load-balancing a client-server system. We report on an experiment conducted using our framework, which illustrates that this approach maintains architectural requirements.}, KEYWORDS = {Autonomic Systems, Self-Repair, Software Architecture} } @InProceedings{Poladian2002, AUTHOR = {Poladian, Vahe and Garlan, David and Shaw, Mary}, TITLE = {Selection and Configuration in Mobile Environments: A Utility-Based Approach}, YEAR = {2002}, MONTH = {May}, BOOKTITLE = {Fourth Workshop on Economics-Driven Software Engineering Research (EDSER-4)}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/EDSER4/EDSER.pdf}, ABSTRACT = {Users of low-power mobile computing platforms make ad hoc decisions when choosing software components among alternatives and configuring those components. We propose applying utility-theoretic models, which can help determine optimal allocation of scarce resources to applications given the user's utility and application resource usage. We believe that taking into consideration resource consumption and applying microeconomic models has the potential of improving the user's satisfaction with the system. In this paper, we formulate the problem, demonstrate the use of a microeconomics-based model on a simple version of the problem, and list possible solutions. Further, we identify issues typical of mobile environments that are not addressed by existing research, and propose ways of tackling these issues.} } @InProceedings{Schmerl2002, AUTHOR = {Schmerl, Bradley and Garlan, David}, TITLE = {Exploiting Architectural Design Knowledge to Support Self-repairing Systems}, YEAR = {2002}, MONTH = {15-19 July}, BOOKTITLE = {The 14th International Conference on Software Engineering and Knowledge Engineering}, ADDRESS = {Ischia, Italy}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/seke02/paper.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/seke02/paper.ps}, ABSTRACT = {In an increasing number of domains software is now required to be self-adapting and self-healing. While in the past such abilities were incorporated into software on a per system basis, proliferation of such systems calls for more generalized mechanisms to manage dynamic adaptation. General mechanisms have the advantage that they can be reused in numerous systems, analyzed separately from the system being adapted, and easily changed to incorporate new adaptations. Moreover, they provide a natural home for encoding the expertise of system designers and implementers about adaptation strategies and policies. In this paper, we show how architecture description languages and tools can be extended to provide such generalized dynamic adaptation mechanisms.}, KEYWORDS = {AcmeStudio, Self-Repair, Software Architecture} } @Article{Garlan2002a, AUTHOR = {Garlan, David and Siewiorek, Dan and Smalagic, Asim and Steenkiste, Peter}, TITLE = {Project Aura: Towards Distraction-Free Pervasive Computing}, YEAR = {2002}, MONTH = {April}, JOURNAL = {IEEE Pervasive Computing, special issue on Integrated Pervasive Computing Environments}, VOLUME = {1}, NUMBER = {2}, PAGES = {22-31}, PDF = {http://www.cs.cmu.edu/afs/cs/project/aura/www/docdir/Aura-Perv02.pdf}, ABSTRACT = {The most precious resource in a computer system is no longer its processor, memory, disk, or network, but rather human attention. Aura aims to minimize distractions on a user's attention, creating an environment that adapts to the user's context and needs.}, KEYWORDS = {Aura, Ubiquitous Computing} } @TechReport{Bachmann2002, AUTHOR = {Bachmann, Felix and Bass, Len and Clements, Paul and Garlan, David and Ivers, James and Little, Reed and Nord, Robert and Stafford, Judith}, TITLE = {Documenting Software Architecture: Documenting Interfaces}, YEAR = {2002}, NUMBER = {CMU/SEI-2002-TN-015}, INSTITUTION = {Software Engineering Institute}, KEYWORDS = {Software Architecture} } @InProceedings{Cheng2002a, AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley and Sousa, Jo\~{a}o and Spitznagel, Bridget and Steenkiste, Peter}, TITLE = {Using Architectural Style as a Basis for Self-repair}, YEAR = {2002}, MONTH = {25-31 August}, BOOKTITLE = {Software Architecture: System Design, Development, and Maintenance (Proceedings of the 3rd Working IEEE/IFIP Conference on Software Architecture)}, PAGES = {45-59}, EDITOR = {Bosch, Jan and Gentleman, Morven and Hofmeister, Christine and Kuusela, Juha}, PUBLISHER = {Kluwer Academic Publishers}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wicsa3-arch/WICSA-web.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp//wicsa3-arch/WICSA-web.ps}, ABSTRACT = {An increasingly important requirement for software systems is the capability to adapt at run time in order to accommodate varying resources, system errors, and changing requirements. For such self-repairing systems, one of the hard problems is determining when a change is needed, and knowing what kind of adaptation is required. Recently several researchers have explored the possibility of using architectural models as a basis for run time monitoring, error detection, and repair. Each of these efforts, however, has demonstrated the feasibility of using architectural models in the context of a specific style. In this paper we show how to generalize these solutions by making architectural style a parameter in the monitoring/repair framework and its supporting infrastructure. The value of this generalization is that it allows one to tailor monitoring/ repair mechanisms to match both the properties of interest (such as performance or security), and the available operators for run time adaptation.}, KEYWORDS = {Architectural Analysis, Autonomic Systems, Self-Repair, Software Architecture} } @InProceedings{Sousa2002, AUTHOR = {Sousa, Jo\~{a}o and Garlan, David}, TITLE = {Aura: an Architectural Framework for User Mobility in Ubiquitous Computing Environments}, YEAR = {2002}, MONTH = {25-31 August}, BOOKTITLE = {Software Architecture: System Design, Development, and Maintenance (Proceedings of the 3rd Working IEEE/IFIP Conference on Software Architecture)}, PAGES = {29-43}, EDITOR = {Bosch, Jan and Gentleman, Morven and Hofmeister, Christine and Kuusela, Juha}, PUBLISHER = {Kluwer Academic Publishers}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wicsa3-aura/wicsa.pdf}, ABSTRACT = {Ubiquitous computing poses a number of challenges for software architecture. One of the most important is the ability to design software systems that accommodate dynamically-changing resources. Resource variability arises naturally in a ubiquitous computing setting through user mobility (a user moves from one computing environment to another), and through the need to exploit time-varying resources in a given environment (such as wireless bandwidth). Traditional approaches to handling resource variability in applications attempt to address the problem by imposing uniformity on the environment. We argue that those approaches are inadequate, and describe an alternative architectural framework that is better matched to the needs of ubiquitous computing. A key feature of the architecture is that user tasks become first class entities. User proxies, or Auras, use models of user tasks to set up, monitor and adapt computing environments proactively. The architectural framework has been implemented and currently being used as a central component of Project Aura, a campus-wide ubiquitous computing effort.}, KEYWORDS = {Aura, Software Architecture, Ubiquitous Computing} } @InProceedings{Cheng2002b, AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley and Sousa, Jo\~{a}o and Spitznagel, Bridget and Steenkiste, Peter and Hu, Ningning}, TITLE = {Software Architecture-based Adaptation for Pervasive Systems}, YEAR = {2002}, MONTH = {8-11 April}, BOOKTITLE = {International Conference on Architecture of Computing Systems (ARCS'02): Trends in Network and Pervasive Computing}, VOLUME = {2299}, EDITOR = {Schmeck, H and Ungerer, T and Wolf, L}, SERIES = {Lecture Notes in Computer Science}, ADDRESS = {Karlsruhe, Germany}, PUBLISHER = {Springer-Verlag}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/arch-arcs02/arcs-final.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/arch-arcs02/arcs-final.ps}, ABSTRACT = { An important requirement for pervasive computing systems is the ability to adapt at runtime to handle varying resources, user mobility, changing user needs, and system faults. In this paper we describe an approach in which dynamic adaptation is supported by the use of software architectural models to monitor an application and guide dynamic changes to it. The use of externalized models permits one to make reconfiguration decisions based on a global per-spective of the running system, apply analytic models to determine correct re-pair strategies, and gauge the effectiveness of repair through continuous system monitoring. We illustrate the application of this idea to pervasive computing systems, focusing on the need to adapt based on performance-related criteria and models.}, KEYWORDS = {Software Architecture, Ubiquitous Computing} } @TechReport{Bachmann2002a, AUTHOR = {Bachmann, Felix and Bass, Len and Clements, Paul and Garlan, David and Ivers, James and Little, Reed and Nord, Robert and Stafford, Judith}, TITLE = {Documenting Software Architecture: Documenting Behavior}, YEAR = {2002}, NUMBER = {CMU/SEI-2002-TN-001}, INSTITUTION = {Software Engineering Institute}, KEYWORDS = {Software Architecture} } @Article{Garlan2002b, AUTHOR = {Garlan, David and Kompanek, Andrew and Cheng, Shang-Wen}, TITLE = {Reconciling the Needs of Architectural Description with Object-Modeling Notations}, YEAR = {2002}, JOURNAL = {Science of Computer Programming}, VOLUME = {44}, PAGES = {23-49}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml01/uml01.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml01/uml01.ps}, ABSTRACT = {Complex software systems require expressive notations for representing their software architectures. Two competing paths have emerged. One is to use a specialized notation for architecture - or architecture description language (ADL). The other is to adapt a general-purpose modeling notation, such as UML. The latter has a number of benefits, including familiarity to developers, close mapping to implementations, and commercial tool support. However, it remains an open question as to how best to use object-oriented notations for architectural description, and, indeed, whether they are sufficiently expressive, as currently defined. In this paper we take a systematic look at these questions, examining the space of possible mappings from ADLs into object notations. Specifically, we describe (a) the principle strategies for representing architectural structure in UML; (b) the benefits and limitations of each strategy; and (c) aspects of architectural description that are intrinsically difficult to model in UML using the strategies.}, KEYWORDS = {Software Architecture, UML} } @InProceedings{Garlan2001, AUTHOR = {Garlan, David and Schmerl, Bradley and Chang, Jichuan}, TITLE = {Using Gauges for Architecture-Based Monitoring and Adaptation}, YEAR = {2001}, MONTH = {12-14 December}, BOOKTITLE = {Proceedings of the Working Conference on Complex and Dynamic Systems Architecture}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/cdsa01/cdsa.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/cdsa01/cdsa.ps}, ABSTRACT = {An increasingly important requirement for complex systems is the capability to adapt at runtime in order to accommodate variable resources, system errors, and changing requirements. An essential aspect of adaptation is the ability to observe a system's runtime behavior and interpret those observations in terms that permit a high-level understanding of the system's status. In this paper we describe mechanisms for monitoring a running system, interpreting monitored data in terms of the system's architecture, and analyzing the system architecture to ascertain if the system's runtime behavior fits within the envelope of acceptable behavior. We illustrate the use of these mechanisms for the important special case of system performance monitoring. }, KEYWORDS = {Self-Repair, Software Architecture} } @TechReport{Bachmann2001, AUTHOR = {Bachmann, Felix and Bass, Len and Clements, Paul and Garlan, David and Ivers, James and Little, Reed and Nord, Robert and Stafford, Judith}, TITLE = {Documenting Software Architectures: Organization of Documentation Package}, YEAR = {2001}, NUMBER = {CMU/SEI-2001-TN-010}, INSTITUTION = {Software Engineering Institute}, KEYWORDS = {Software Architecture} } @InProceedings{Spitznagel2001, AUTHOR = {Spitznagel, Bridget and Garlan, David}, TITLE = {A Compositional Approach for Constructing Connectors}, YEAR = {2001}, MONTH = {28-31 August}, BOOKTITLE = {The Working IEEE/IFIP Conference on Software Architecture (WICSA'01)}, ADDRESS = {Amsterdam, The Netherlands}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wicsa01/wicsa_paper.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wicsa01/wicsa_paper.ps}, ABSTRACT = {Increasingly, systems are composed from independently developed parts, and mechanisms that allow those parts to interact (connectors). In many situations, specialized forms of interaction are needed to bridge component mismatches or to achieve extra-functional properties (e.g., security, performance, reliability), making the design and implementation of these interaction mechanisms a critical issue. Unfortunately, system developers have few options: they must live with available, but often inadequate, generic support for interaction (such as RPC), or they must handcraft specialized mechanisms at great cost. In this paper we describe a partial solution to this problem, whereby interaction mechanisms are constructed compositionally. Specifically, we describe a set of operators that can transform generic communication mechanisms (such as RPC and publish-subscribe) to incrementally add new capabilities. We show how these transformations can be used to realize complex interactions (such as Kerberized RPC) and to generate implementations of the new connector types at relatively low cost. }, KEYWORDS = {Software Architecture} } @InProceedings{Cheng2001, AUTHOR = {Cheng, Shang-Wen and Garlan, David}, TITLE = {Mapping Architectural Concepts to UML-RT}, YEAR = {2001}, MONTH = {June}, BOOKTITLE = {Proceedings of the 2001 International Conference on Parallel and Distributed Processing Techniques and Applications (PDPTA'2001)}, ADDRESS = {Las Vegas, NV}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/pdpta01/pdpta01.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/pdpta01/pdpta01.ps}, ABSTRACT = {Complex software systems require expressive notations for representing their software architectures. Two competing paths have emerged, one using a specialized notation for architecture - or architecture description language (ADL), the other using notations applied generally throughout design, such as UML. The latter has a number of benefits, including familiarity to developers, close mappings to implementations, and commercial tool support. However, it remains an open question how best to use object-oriented notations for architectural description and whether they are sufficiently expressive as currently defined. In this paper, we present a mapping between Acmea notation designed for expressing architectures - and the UML Real-Time Profile - an object-oriented design notation. Specifically, we describe (a) how to map Acme descriptions to descriptions in the UML Real-Time Profile, and (b)the places where this mapping breaks down. }, KEYWORDS = {Software Architecture, UML} } @InProceedings{Garlan2001a, AUTHOR = {Garlan, David and Schmerl, Bradley}, TITLE = {Component-Based Software Engineering in a Pervasive Computing Environment}, YEAR = {2001}, MONTH = {14-15 May}, BOOKTITLE = {The 4th ICSE Workshop on Component-Based Software Engineering: Component Certification and System Prediction}, ADDRESS = {Toronto, Canada}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/cbse01/cbse01-submission.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/cbse01/cbse01-submission.ps}, ABSTRACT = {Being able to find, adapt, and incorporate disparate components to form working, reliable applications is the goal of component-based software engineering. To date, there has been a lot of research, among other things, on locating components, reasoning about component compatibility, and methods for interoperability. Pervasive computing raises a number of new challenges for component-based software engineering that heretofore have been given little attention, such as mobility, adaptability, and resource awareness. In this paper we motivate and discuss the need for research in these areas, and discuss how our work in the Aura group at Carnegie Mellon University helps to address these issues. }, KEYWORDS = {Aura, Software Architecture, Ubiquitous Computing} } @InCollection{Garlan2001b, AUTHOR = {Garlan, David}, TITLE = {Software Architecture}, YEAR = {2001}, BOOKTITLE = {Wiley Encyclopedia of Software Engineering}, EDITOR = {Marciniak, J}, PUBLISHER = {John Wiley & Sons}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/encycSE2001/encyclopedia-dist.ps}, ABSTRACT = {As the size and complexity of software systems increase, the design, specification, and analysis of overall system structure becomes a critical issue. Structural issues include the organization of a system as a composition of components; global control structures, the protocols for communication, synchronization, and data access; the assignment of functionality to design elements; the composition of design elements; physical distribution; scaling and performance, and dimensions of evolution. This is the software architecture level of design. }, KEYWORDS = {Software Architecture} } @TechReport{Dingel2001, AUTHOR = {Dingel, Juergen and Garlan, David and Damon, Craig}, TITLE = {A feasibility study of the HLA bridge}, YEAR = {2001}, MONTH = {March}, NUMBER = {CMU-CS-01-103}, INSTITUTION = {Carnegie Mellon University School of Computer Science}, KEYWORDS = {Formal Methods, Software Architecture} } @Article{Sousa2001, AUTHOR = {Sousa, Jo\~{a}o and Garlan, David}, TITLE = {Formal Modeling of the Enterprise JavaBeans Component Integration Framework}, YEAR = {2001}, MONTH = {March}, JOURNAL = {Information and Software Technology}, VOLUME = {43}, NUMBER = {3}, NOTE = {Also available as Technical Report CMU-CS-00-162, Carnegie Mellon University School of Computer Science}, KEYWORDS = {Formal Methods, Software Architecture} } @TechReport{Monroe2001, AUTHOR = {Monroe, Robert}, TITLE = {Capturing Software Architecture Design Expertise With Armani}, YEAR = {2001}, MONTH = {January}, NUMBER = {CMU-CS-98-163}, INSTITUTION = {Carnegie Mellon University School of Computer Science}, NOTE = {Version 2.3.}, KEYWORDS = {Acme, Software Architecture} } @Article{Kaplan2002, AUTHOR = {Kaplan, Alan and Schmerl, Bradley and Veeraraghaven, Rajesh}, TITLE = {Toward Automated Support for Transparent Interoperable Queries}, YEAR = {2002}, MONTH = {October}, JOURNAL = {Journal of Information Technology and Management}, VOLUME = {3}, NUMBER = {4}, PAGES = {387-406}, URL = {http://www.ingentaconnect.com/content/klu/item/2002/00000003/00000004/05093521;jsessionid=h7vv7b6cf8uk.victoria}, NOTE = {A shorter version of this paper appeared in the Ninth Workshop on Information Technologies and Systems (WITS99)(Charlotte, USA, December 1999)} } @InProceedings{Kaplan2000, AUTHOR = {Kaplan, Alan and Ridgeway, John and Schmerl, Bradley and Sridar, Krishnan and Wileden, Jack}, TITLE = {Toward Pure Polylingual Persistence}, YEAR = {2000}, MONTH = {September}, BOOKTITLE = {Ninth International Workshop on Persistent Object Systems: Design, Implementation and Use (POS9)}, ADDRESS = {Lillehammer, Norway} } @PhdThesis{Schmerl1997, AUTHOR = {Schmerl, Bradley}, TITLE = {Designing Configuration Management Tools for Dynamically Composed Systems}, YEAR = {1997}, MONTH = {October}, ADDRESS = {Adelaide, South Australia}, SCHOOL = {Flinders University}, PDF = {http://www.cs.cmu.edu/~schmerl/publications/thesis.pdf} } @InProceedings{Schmerl1997a, AUTHOR = {Schmerl, Bradley and Marlin, Chris}, TITLE = {Versioning and Consistency for Dynamically Composed Configurations}, YEAR = {1997}, MONTH = {May}, BOOKTITLE = {The 7th International Workshop on Software Configuration Management}, VOLUME = {1235}, PAGES = {49-65}, SERIES = {Lecture Notes in Computer Science}, ADDRESS = {Boston, MA}, PUBLISHER = {Springer, Berlin}, ABSTRACT = {Dynamically composed software systems are constructed as they execute. Although these systems are of increasing importance and arise in a number of application areas, configuration management tools do not provide much support for them. This paper presents progress towards providing enhanced configuration management techniques for dynamically composed systems. The paper commences with an example of dynamically composed systems, which is used to motivate the relevance of dynamically composed systems, and to highlight various design issues and requirements for configuration management in this domain. A model, and its associated notation DCDL, is then presented to describe particular aspects of the example. This model seamlessly integrates the notions of consistency, specified in terms of complete configurations, and version families, which are relevant to the incomplete configurations of crucial importance in understanding configurations of dynamically composed systems. DCDL is then used to provide insight into the requirements for configuration management tools for dynamically composed systems.} } @TechReport{Schmerl1996, AUTHOR = {Schmerl, Bradley and Marlin, Chris}, TITLE = {Modelling Dynamic Configurations to Guide Tool Design}, YEAR = {1996}, NUMBER = {97-01}, INSTITUTION = {Flinders University Department of Computer Science}, PDF = {http://www.cs.cmu.edu/~schmerl/publications/schmerl97modelling}, ABSTRACT = {The ability to update a software system as it is being used is increasingly important and manifests itself in systems that must be maintained while executing, in systems where choices about which components comprise a system are deferred until their use, and where systems can be customised. Systems that fit one or more of these characteristics we call Dynamically Composed Systems (DCSs). Although some attention has been given to providing tools to support dynamic updates, and models of such dynamic updates have been constructed, little work as been done in examining this from a configuration management perspective. This paper describes a model of configuration management for dynamically composed systems, based on an existing model of configuration management for statically composed systems. The model includes a dynamic configuration description language, DCDL, and a formalization in terms of many-sorted algebraic specification techniques. The use of this model to design tools to support configuration management for dynamically composed systems is then discussed.} } @InProceedings{Schmerl1996a, AUTHOR = {Schmerl, Bradley and Marlin, Chris}, TITLE = {Consistency issues in partially bound dynamically composed systems}, YEAR = {1996}, MONTH = {June}, BOOKTITLE = {Proceedings of the 1996 Australian Software Engineering Conference}, PAGES = {183-191}, ADDRESS = {Melbourne, Australia}, PDF = {http://www.cs.cmu.edu/~schmerl/publications/schmerl96consistency,pdf}, ABSTRACT = {Dynamically composed systems are able to incorporate new components as they execute. Therefore, configurations of these systems are not fully elaborated until at least the time that they are executed, and they are perhaps never fully elaborated. Such incomplete configurations are termed partially bound configurations. Although partially bound, it is still important to be able to analyse these configurations to ascertain whether they meet certain assumptions about their composition. We are endevouring to provide such support for the construction of dynamically composed systems through the application of configuration management concepts. One way in which these concepts can be applied in this domain is to explicitly state such assumptions and hence be able to validate partially bound configurations against these assumptions; in this way, inconsistencies can be reported as soon as they arise. This paper disucsses the issues involved in providing this kind of consistency mechanism for dynamically composed systems.} } @InProceedings{Schmerl1996b, AUTHOR = {Schmerl, Bradley and Marlin, Chris}, TITLE = {Defining consistency in the context of partially bound configurations of dynamically composed systems}, YEAR = {1996}, MONTH = {March}, BOOKTITLE = {6th International Workshop on Software Configuration Management - Preprint of Proceedings}, ADDRESS = {Berlin, Germany} } @InProceedings{Schmerl1995, AUTHOR = {Schmerl, Bradley and Marlin, Chris}, TITLE = {Configuration management for dynamically bound systems}, YEAR = {1995}, MONTH = {April}, BOOKTITLE = {Proceedings of the 5th Workshop on Software Configuration Management}, ADDRESS = {Seattle, WA} } @InCollection{Schmerl1995a, AUTHOR = {Schmerl, Bradley and Marlin, Chris}, TITLE = {Designing configuration management facilities for dynamically bound systems}, YEAR = {1995}, BOOKTITLE = {Software Configuration Management: ICSE SCM-4 and SCM-5 Workshops - Selected Papers}, VOLUME = {1005}, PAGES = {88-100}, EDITOR = {Estublier, Jacky}, SERIES = {Lecture Notes in Computer Science}, PUBLISHER = {Spring-Verlag} } @InProceedings{Glastonbury1997, AUTHOR = {Glastonbury, Dan and Marlin, Chris and Read, Michael and Schmerl, Bradley}, TITLE = {Run-time views as a debugging aid in an integrated software development environment}, YEAR = {1997}, MONTH = {December}, BOOKTITLE = {1997 Software Visualisation Workshop}, PAGES = {51-59}, ADDRESS = {Adelaide, South Australia}, PUBLISHER = {Flinders University, South Australia} } @PhdThesis{Monroe1999, AUTHOR = {Monroe, Robert}, TITLE = {Rapid Development of Custom Software Architecture Design Environments}, YEAR = {1999}, MONTH = {August}, SCHOOL = {Carnegie Mellon University School of Computer Science}, NOTE = {Published as CMU SCS Technical Report CMU-CS-99-161}, KEYWORDS = {Software Architecture} } @InProceedings{Garlan1999, AUTHOR = {Garlan, David and Wang, Zhenyu}, TITLE = {A Case Study in Software Architecture Interchange}, YEAR = {1999}, BOOKTITLE = {Proceedings of Coordination'99}, PUBLISHER = {Springer-Verlag}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/www/publications/acme-wr2rap/acme-wr2rap.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/www/publications/acme-wr2rap/acme-wr2rap.ps}, ABSTRACT = {An important issue for the specification and design of software architectures is how to combine the analysis capabilities of multiple architectural definition languages (ADLs) and their supporting toolsets. In this paper, we describe our experience of integrating three ADLs: Wright, Rapide, and Aesop. We discovered that it is possible achieve interoperability in ADL tools for a non-trivial subset of the systems describable by these languages, even though the languages have different views about architectural structure and semantics. To carry out the integration we used the Acme architectural interchange language and its supporting tools. }, KEYWORDS = {Acme, Architectural Analysis, Software Architecture} } @TechReport{Damon1999, AUTHOR = {Damon, Craig and Melton, Ralph and Bigelow, Elizabeth and Ivers, James and Garlan, David}, TITLE = {Formalizing a Specification for Analysis: The HLA Ownership Properties}, YEAR = {1999}, MONTH = {April}, NUMBER = {CMU-CS-99-126}, INSTITUTION = {Carnegie Mellon University School of Computer Science}, KEYWORDS = {Architectural Analysis, Formal Methods, Software Architecture} } @InProceedings{Garlan00ArchRoadmap, AUTHOR = {Garlan, David}, TITLE = {Software Architecture: a Roadmap}, YEAR = {2000}, BOOKTITLE = {Proceedings of the Conference on The Future of Software Engineering}, KEY = {Garlan}, PAGES = {91--101}, EDITOR = {Finkelstein, A.}, SERIES = {ICSE '00}, ADDRESS = {Limerick, Ireland}, PUBLISHER = {ACM Press}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/roadmap2000/roadmap2000.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/roadmap2000/roadmap2000.ps}, ABSTRACT = {Over the past decade software architecture has received increasing attention as an important subfield of software engineering. During that time there has been considerable progress in developing the technological and methodologi-cal base for treating architectural design as an engineering discipline. However, much remains to be done to achieve that goal. Moreover, the changing face of technology raises a number of new challenges for software architecture. This paper examines some of the important trends of software architecture in research and practice, and speculates on the important emerging trends, challenges, and aspirations. }, KEYWORDS = {Software Architecture} } @InProceedings{Garlan2000, AUTHOR = {Garlan, David and Khersonsky, Serge}, TITLE = {Model Checking Implicit-Invocation Systems}, YEAR = {2000}, MONTH = {November}, BOOKTITLE = {Proceedings of the 10th International Workshop on Software Specification and Design (IWSSD-10)}, ADDRESS = {San Diego, CA}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/iwssd10/iwssd10.pdf}, ABSTRACT = {While implicit invocation (publish-subscribe) systems have good engineering properties, they are difficult to reason about and to test. Model checking such systems is an attractive alternative. However, it is not clear what kinds of state models are best suited for this. In this paper we propose a structural approach, which factors the model checking problem into two parts: behavior specific to a particular implicit invocation system, and reusable runtime infrastructure that handles event-based communication and delivery policies. The reusable portion is itself structured so that alternative runtime mechanisms may be experimented with. }, KEYWORDS = {Model Checking, Publish Subscribe Systems} } @InProceedings{Garlan2000a, AUTHOR = {Garlan, David}, TITLE = {Pervasive Computing and the Future of CSCW Systems}, YEAR = {2000}, MONTH = {November}, BOOKTITLE = {CSCW2000 Workshop on Software Architectures for Cooperative Systems}, ABSTRACT = {The use of largely isolated workstations and laptops as the primary carrier of personal computing is giving way to a world of pervasive computing populated by ubiquitous networks of heterogeneous computing and information facilities. In such a world the boundaries between a user}, NOTE = {(Position Paper)}, KEYWORDS = {Software Architecture, Ubiquitous Computing} } @InProceedings{Garlan2000b, AUTHOR = {Garlan, David}, TITLE = {Software Architecture and Object-Oriented Systems}, YEAR = {2000}, MONTH = {August}, BOOKTITLE = {Proceedings of the IPSJ Object-Oriented Symposium 2000}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/OO 2000-dist.pdf}, ABSTRACT = {Over the past decade software architecture has emerged as an important subfield of software engineering. During that time there has been considerable progress in developing the technological and methodological base for treating architectural design as an engineering discipline, including specialized architectural description languages, tools, analytic techniques, handbooks, and methods. In this paper I survey the main features of the field, and then compare software architecture with object-oriented systems to illustrate some of the important similarities and differences between the two fields. }, KEYWORDS = {Object-oriented Systems, Software Architecture} } @TechReport{Wang2000, AUTHOR = {Wang, Zhenyu and Garlan, David}, TITLE = {Task-Driven Computing}, YEAR = {2000}, MONTH = {May}, NUMBER = {CMU-CS-00-154}, INSTITUTION = {Carnegie Mellon University School of Computer Science} } @Unpublished{Garlan2000c, AUTHOR = {Garlan, David and Kompanek, Andrew and Kenney, John and Luckham, David and Schmerl, Bradley and Wile, David}, TITLE = {An Activity Language for the ADL Toolkit}, YEAR = {2000}, MONTH = {August}, PDF = {http://www.cs.cmu.edu/~able/publications/ActivityLanguage/ActivityLanguageProposal0800.pdf}, PS = {http://www.cs.cmu.edu/~able/publications/ActivityLanguage/ActivityLanguageProposal0800.ps}, ABSTRACT = {With an eye toward sharing event-based behavior in architectural descriptions, a number of researchers at ISI (Wile), CMU (Garlan & Kompanek) and Stanford (Luckham & Kenney) started a dialogue to converge on an event standard. The results are summarized in this working report. The main idea of the proposal is to adopt an Acme-like approach: a simple base-level event representation would capture the minimal, core aspects of events. Additionally, other more tool-specific information could be added to those event representations in the form of annotations. In this report we outline the proposed scheme. We begin by enumerating some of the requirements that we identified early in our discussions. Next we discuss the basic ontology of events, activities and their types. Then we introduce two proposals for concrete representation: one based on XML, the other on an Acme-like syntax. Finally, we illustrate how collections of events derived from existing ADLs can be mapped into the activity language. }, NOTE = {Working draft}, KEYWORDS = {Software Architecture} } @Unpublished{Hu2000, AUTHOR = {Hu, Jianing}, TITLE = {Adding Maps to Acme}, YEAR = {2000}, MONTH = {August}, PDF = {http://www.cs.cmu.edu/~able/publications/MappingProposal/MappingProposal0800.pdf}, PS = {http://www.cs.cmu.edu/~able/publications/MappingProposal/MappingProposal0800.ps}, ABSTRACT = {Multiple architectural views of a system are often helpful in describing a system's design. While there are numerous languages for describing the contents of an individual architectural view, to date those languages have not supported the description of relationships between views. In this report we describe an extension to Acme for expressing maps between the structural aspects of architecture and for expressing constraints over those maps. }, NOTE = {Working Draft}, KEYWORDS = {Acme, Software Architecture} } @InCollection{Garlan00AcmeChapter, AUTHOR = {Garlan, David and Monroe, Robert T. and Wile, David}, TITLE = {Acme: Architectural Description of Component-Based Systems}, YEAR = {2000}, BOOKTITLE = {Foundations of Component-Based Systems}, KEY = {garlan}, PAGES = {47-68}, EDITOR = {Leavens, Gary T. and Sitaraman, Murali}, PUBLISHER = {Cambridge University Press}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/acme-fcbs/acme-fcbs.pdf}, ABSTRACT = {Over the past decade there has been considerable experimentation with the design of architecture description languages that can provide a formal basis for descrip- tion and analysis of the architectures of component-based systems. As the eld has matured there has emerged among the software architecture research community general consensus about many aspects of the foundations for architectural represen- tation and analysis. One result has been the development of a generic architecture description language, called Acme, that can serve as a common representation for software architectures and that permits the integration of diverse collections of in- dependently developed architectural analysis tools. In this paper we describe the Acme language and tools, and our experience in using it to integrate architecture analysis tools and to describe component-based systems. }, KEYWORDS = {Acme, Software Architecture} } @TechReport{Bachmann2000, AUTHOR = {Bachmann, Felix and Bass, Len and Carriere, Jeromy and Clements, Paul and Garlan, David and Ivers, James and Nord, Robert and Little, Reed}, TITLE = {Software Architecture Documentation in Practice: Documenting Architectural Layers}, YEAR = {2000}, NUMBER = {CMU/SEI-2000-SR-004}, INSTITUTION = {Software Engineering Institute}, KEYWORDS = {Software Architecture} } @TechReport{Garlan2000d, AUTHOR = {Garlan, David and Sousa, Jo\~{a}o}, TITLE = {Documenting Software Architectures: Recommendations for Industrial Practice}, YEAR = {2000}, MONTH = {October}, NUMBER = {CMU-CS-00-169}, INSTITUTION = {Carnegie Mellon University School of Computer Science} } @InProceedings{Garlan2000e, AUTHOR = {Garlan, David and Kompanek, Andrew}, TITLE = {Reconciling the Needs of Architectural Description with Object-Modeling Notations}, YEAR = {2000}, MONTH = {October}, BOOKTITLE = {Proceedings of the Third International Conference on the Unified Modeling Language - << UML >> 2000}, ADDRESS = {York, UK}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml00/uml00.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml00/uml00.ps}, ABSTRACT = {Complex software systems require expressive notations for representing their software architectures. Two competing paths have emerged. One is to use a specialized notation for architecture -- or architecture description language (ADL). The other is to adapt a general-purpose modeling notation, such as UML. The latter has a number of benefits including familiarity to developers, close mapping to implementations, and commercial tool support. However, it remains an open question as to how best to use object-oriented notations for architectural description, and, indeed, whether they are sufficiently expressive, as currently defined. In this paper we take a systematic look at these questions, examining the space of possible mappings from ADLs into object notations. Specifically, we describe (a) the principle strategies for representing architectural structure in UML; (b) the benefits and limitations of each strategy; and (c) aspects of architectural description that are intrinsically difficult to model in UML using the strategies. }, KEYWORDS = {Software Architecture, UML} } @InProceedings{AGI98FSE, AUTHOR = {Allen, Robert and Garlan, David and Ivers, James}, TITLE = {Formal Modeling and Analysis of the HLA Component Integration Standard}, YEAR = {1998}, MONTH = {November}, BOOKTITLE = {Proceedings of the Sixth International Symposium on the Foundations of Software Engineering (FSE-6)}, KEY = {Allen}, ADDRESS = {Lake Buena Vista, Florida}, PUBLISHER = {ACM}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hla-fse98/hla-fse98.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hla-fse98/hla-fse98.ps}, ABSTRACT = {An increasingly important trend in the engineering of complex systems is the design of component integration standards. Such standards define rules of interaction and shared communication infrastructure that permit composition of systems out of independently-developed parts. A problem with these standards is that it is often difficult to understand exactly what they require and provide, and to analyze them in order to understand their deeper properties. In this paper we use our experience in modeling the High Level Architecture (HLA) for Distributed Simulation to show how one can capture the structured protocol inherent in an integration standard as a formal architectural model that can be analyzed to detect anomalies, race conditions, and deadlocks. }, KEYWORDS = {Architectural Analysis, Formal Methods, Software Architecture} } @Article{DGJN97, AUTHOR = {Dingel, Jurgen and Garlan, David and Jha, Somesh and Notkin, David}, TITLE = {Towards a formal treatment of implicit invocation using rely/guarantee reasoning}, YEAR = {1998}, JOURNAL = {Formal Aspects of Computing}, VOLUME = {1-}, PAGES = {193-213}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fac98/implinvoc-fac98.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fac98/implinvoc-fac98.ps}, ABSTRACT = {Implicit invocation has become an important architectural style for large-scale system design and evolution. This paper addresses the lack of specification and verification formalisms for such systems. A formal computational model for implicit invocation is presented. We develop a verification framework for implicit invocation that is based on Jones' rely/guarantee reasoning for concurrent systems. The application of the framework is illustrated with several examples. The merits and limitations of the rely/guarantee paradigm in the context of implicit invocation systems are also discussed. }, NOTE = {Supersedes CMU-CS-97-153.}, KEYWORDS = {Implicit Invocation, Formal Methods, Software Architecture} } @InProceedings{Dingel1998, AUTHOR = {Dingel, Jurgen and Garlan, David and Jha, Somesh and Notkin, David}, TITLE = {Reasoning about Implicit Invocation}, YEAR = {1998}, MONTH = {November}, BOOKTITLE = {Proceedings of the Sixth International Symposium on the Foundations of Software Engineering (FSE-6)}, ADDRESS = {Lake Buena Vista, Florida}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fse98/implinvoc-fse98.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fse98/implinvoc-fse98.ps}, ABSTRACT = {Implicit invocation has become an important architectural style for large-scale system design and evolution. This paper addresses the lack of specication and verication formalisms for such systems. Based on standard notions from process algebra and trace semantics, we dene a formal computational model for implicit invocation. A verication methodology is presented that supports linear time temporal logic and compositional reasoning. First, the entire system is partioned into groups of components (methods) that behave independently. Then, local properties are proved for each of the groups. A precise description of the cause and the eect of an event supports this step. Using local correctness, independence of groups, and properties of the delivery of events, we infer the desired property of the overall system. Two detailed examples illustrate the use of our framework. }, KEYWORDS = {Formal Methods, Implicit Invocation, Model Checking, Software Architecture} } @InProceedings{Spitznagel1998, AUTHOR = {Spitznagel, Bridget and Garlan, David}, TITLE = {Architecture-Based Performance Analysis}, YEAR = {1998}, MONTH = {June}, BOOKTITLE = {Proceedings of the 1998 Conference on Software Engineering and Knowledge Engineering (SEKE'98)}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/perform-seke98/perform-seke98.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/perform-seke98/perform-seke98.ps}, ABSTRACT = {A software architecture should expose important system properties for consideration and analysis. Performance-related properties are frequently of interest in determining the acceptability of a given software design. In this paper we show how queueing network modeling can be adapted to support performance analysis of software architectures. We also describe a tool for transforming a software architecture in a particular style into a queueing network and analyzing its performance. }, KEYWORDS = {Architectural Analysis, Software Architecture} } @InProceedings{Garlan98OMG, AUTHOR = {Garlan, David}, TITLE = {Higher-Order Connectors}, YEAR = {1998}, MONTH = {January}, BOOKTITLE = {Proceedings of Workshop on Compositional Software Architectures}, KEY = {Garlan}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hoc-omg98/hoc-omg98.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hoc-omg98/hoc-omg98.ps}, ABSTRACT = {A critical issue for architectural design is the nature of the glue, or connectors, with which a system's parts are combined. Thus an important first step toward improving our ability to compose parts is to make to make connectors explicit semantic enties, where they can be documented, analyzed, and (sometimes) used to generate code. A number of notations for software architecture do precisely this. However, a key second step is to understand operations over connectors. In principle, such operations would permit one to produce new connectors out of old ones, adapt existing connectors to new contexts of use, and factor out common properties of connectors so they can be reused. In this paper we argue that the use of ``higher order connectors'' is one way to achieve this goal. }, ANNOTE = {http://www.objs.com/workshops/ws9801/index.html}, KEYWORDS = {Software Architecture} } @InProceedings{Allen98FASE, AUTHOR = {Allen, Robert and Douence, Remi and Garlan, David}, TITLE = {Specifying and Analyzing Dynamic Software Architectures}, YEAR = {1998}, MONTH = {March}, BOOKTITLE = {Proceedings of the 1998 Conference on Fundamental Approaches to Software Engineering (FASE'98)}, KEY = {Allen}, VOLUME = {1382}, SERIES = {Lecture Notes in Computer Science}, ADDRESS = {Lisbon, Portugal}, PUBLISHER = {Springer}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-fase98/wright-fase98.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-fase98/wright-fase98.ps}, ABSTRACT = {A critical issue for complex component-based systems design is the modeling and analysis of architecture. One of the complicating factors in developing architectural models is accounting for systems whose architecture changes dynamically (during run time). This is because dynamic changes to architectural structure may interact in subtle ways with on-going computations of the system. In this paper we argue that it is possible and valuable to provide a modeling approach that accounts for the interactions between architectural reconfiguration and non-reconfiguration system functionality, while maintaining a separation of concerns between these two aspects of a system. The key to the approach is to use a uniform notation and semantic base for both reconfiguration and steady-state behavior, while at the same time providing syntactic separation between the two. As we will show, this permits us to view the architecture in terms of a set of possible architectural snapshots, each with its own steady-state behavior. Transitions between these snapshots are accounted for by special reconfiguration-triggering events. }, NOTE = {An expanded version of the paper Specifying Dynamism in Software Architectures, which appeared in the Proceedings of the Workshop on Foundations of Component-Based Software Engineering, September 1997.}, ANNOTE = {CONFERENCE-URL : http://www.di.fc.ul.pt:80/~llf/etaps98/}, KEYWORDS = {Dynamism, Formal Methods, Software Architecture, Wright} } @Article{Monroe97Software, AUTHOR = {Monroe, Robert T. and Kompanek, Andrew and Melton, Ralph and Garlan, David}, TITLE = {Architectural Styles, Design Patterns, and Objects}, YEAR = {1997}, MONTH = {January}, JOURNAL = {IEEE Software}, KEY = {Monroe}, VOLUME = {14}, NUMBER = {1}, PAGES = {43-52}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/ObjPatternsArch-ieee97/ObjPatternsArch-ieee97.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/ObjPatternsArch-ieee97/ObjPatternsArch-ieee97.ps}, ABSTRACT = {Software system builders are increasingly recognizing the importance of exploiting design knowledge in the engineering of new systems. One way to do this is to define an architectural style for a collection of related systems. The style determines a coherent vocabulary of system design elements and rules for their composition. By structuring the design space for a family of related systems a style can, in principle, drastically simplify the process of building a system, reduce costs of implementation through reusable infrastructure, and improve system integrity through style-specific analyses and checks. Like architectural style, object-oriented design patterns attempt to capture and exploit design knowledge to ease the process of designing software systems and reusing proven designs. There are, however, significant differences in the roles and capabilities of architectural styles and object-oriented design patterns, as there are between architectural design and object-oriented design. In this paper we illustrate the relationship between software architecture and object-oriented design, as well as the relationship between architectural styles and design patterns. We begin by defining our terms and then proceed to compare and contrast the various approaches with examples. }, KEYWORDS = {Architectural Style, Software Architecture} } @PhdThesis{Allen97Thesis, AUTHOR = {Allen, Robert}, TITLE = {A Formal Approach to Software Architecture}, YEAR = {1997}, MONTH = {January}, SCHOOL = {Carnegie Mellon, School of Computer Science}, PDF = {http://reports-archive.adm.cs.cmu.edu/anon/1997/CMU-CS-97-144.pdf}, PS = {http://reports-archive.adm.cs.cmu.edu/anon/1997/CMU-CS-97-144.ps}, ABSTRACT = {As software systems become more complex, the overall system structure---or software architecture---becomes a central design problem. A system's architecture provides a model of the system that suppresses implementation detail, allowing the architect to concentrate on the analyses and decisions that are most crucial to structuring the system to satisfy its requirements. Unfortunately, current representations of software architecture are informal and ad hoc. While architectural concepts are often embodied in infrastructure to support specific architectural styles and in the initial conceptualization of a system configuration, the lack of an explicit, independently-characterized architecture or architectural style significantly limits the benefits of software architectural design in current practice. In this dissertation, I show that an Architecture Description Language based on a formal, abstract model of system behavior can provide a practical means of describing and analyzing software architectures and architectural styles. This dissertation demonstrates this claim through Wright, an architectural description language based on the formal description of the abstract behavior of architectural components and connectors. Wright provides a practical formal basis for the description of both architectural configurations and of architectural styles. It is distinguished by the use of explicit, independent connector types as interaction patterns, the ability to describe the abstract behavior of components using a CSP-like notation, the characterization of styles using predicates over system instances, and a collection of static checks to determine the consistency and completeness of an architectural specification. We introduce techniques to support the analysis of large-scale systems, and demonstrate Wright's expressiveness and practicality through three case studies. }, NOTE = {Issued as CMU Technical Report CMU-CS-97-144.} } @Article{Allen97TOSEM, AUTHOR = {Allen, Robert and Garlan, David}, TITLE = {A Formal Basis for Architectural Connection}, YEAR = {1997}, MONTH = {July}, JOURNAL = {ACM Transactions on Software Engineering and Methodology}, KEY = {Allen}, VOLUME = {6}, NUMBER = {3}, PAGES = {213-249}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-tosem97-revision/wright-tosem97-revision.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-tosem97-revision/wright-tosem97-revision.ps}, ABSTRACT = {As software systems become more complex the overall system structure -- or software architecture -- becomes a central design problem. An important step towards an engineering discipline of software is a formal basis for describing and analyzing these designs. In this paper we present a formal approach to one aspect of architectural design: the interactions between components. The key idea is to define architectural connectors as explicit semantic entities. These are specified as a collection of protocols that characterize each of the participant roles in an interaction and how these roles interact. We illustrate how this scheme can be used to define a variety of common architectural connectors. We further provide a formal semantics and show how this leads to a system in which architectural compatibility can be checked in a way analogous to type checking in programming languages. }, KEYWORDS = {Formal Methods, Model Checking, Software Architecture} } @InProceedings{Melton97CASCON, AUTHOR = {Melton, Ralph and Garlan, David}, TITLE = {Architectural Unification}, YEAR = {1997}, MONTH = {November}, BOOKTITLE = {Proceedings of CASCON'97}, KEY = {Melton}, ADDRESS = {Ontario, Canada}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/Unification/Unification.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/Unification/Unification.ps}, ABSTRACT = {Many software designs are produced by combining and elaborating existing architectural design fragments. These fragments may be design patterns, partially thought-out ideas, or portions of some previously-developed system design. To provide mechanized support for this activity it is necessary to have a precise characterization of when and how two or more architectural fragments can be combined. In this paper we describe extensions to notations for software architecture to represent incomplete design fragments, and algorithms for combining fragments in a process analogous to unification in logic. }, ANNOTE = {CONFERENCE-URL : http://www.cas.ibm.ca/cascon/cfp.html} } @InProceedings{Allen97SimWkshop, AUTHOR = {Allen, Robert and Garlan, David}, TITLE = {Formal Modeling and Analysis of the HLA RTI}, YEAR = {1997}, MONTH = {March}, BOOKTITLE = {Summary Report of the 1997 Spring Simulation Interoperability Workshop}, KEY = {Allen}, PAGES = {1153-1161}, ADDRESS = {Orlando, Florida}, PUBLISHER = {Institute for Simulation and Training}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hla-siw97/hla-siw97.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hla-siw97/hla-siw97.ps}, ABSTRACT = {The HLA RTI is a complex artifact, supporting several classes of interaction (e.g., federation management, object management, time management). A critical challenge in producing an RTI architectural framework (and its associated simulation interface specifications) is to develop confidence that its specification is well-formed and complete. In this paper we describe on-going work in formally modelling the HLA both to document the standard more precisely, as well as to analyze it for anomalies, omissions, inconsistencies, and ambiguities. The technical basis for this work is the use of a formal architectural description language, called Wright, and its accompanying toolset. }, NOTE = {IST-CF-97-01.2}, KEYWORDS = {Formal Methods, Software Architecture, Wright} } @InProceedings{Garlan97CASCON, AUTHOR = {Garlan, David and Monroe, Robert T. and Wile, David}, TITLE = {Acme: An Architecture Description Interchange Language}, YEAR = {1997}, MONTH = {November}, BOOKTITLE = {Proceedings of CASCON'97}, KEY = {Garlan}, PAGES = {169-183}, ADDRESS = {Toronto, Ontario}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/acme-cascon97/acme-cascon97.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/acme-cascon97/acme-cascon97.ps}, ABSTRACT = {Numerous architectural description languages (ADLs) have been developed, each providing complementary capabilities for architectural development and analysis. Unfortunately, each ADL and supporting toolset operates in isolation, making it difficult to integrate those tools and share architectural descriptions. ACME is being developed as a joint effort of the software architecture research community as a common interchange format for architecture design tools. ACME provides a structural framework for characterizing architectures, together with annotation facilities for additional ADL-specific information. This scheme permits subsets of ADL tools to share architectural information that is jointly understood, while tolerating the presence of information that falls outside their common vocabulary. In this paper we describe ACME's key features, rationale, and technical innovations. }, NOTE = {One of the 14 high-impact papers from the first decade of CASCON, 2010.}, ANNOTE = {CONFERENCE-URL : http://www.cas.ibm.ca/cascon/cfp.html}, KEYWORDS = {Acme, Landmark, Software Architecture} } @Article{Garlan1997, AUTHOR = {Garlan, David and Tomayko, James and Gluch, David}, TITLE = {Agents of Change: Educating Future Leaders in Software Engineering}, YEAR = {1997}, MONTH = {November}, JOURNAL = {IEEE Computer}, KEYWORDS = {Software Engineering, Education} } @TechReport{Dingel1997, AUTHOR = {Dingel, Juergen and Garlan, David and Jha, Somesh and Notkin, David}, TITLE = {Toward a formal treatment of implicit invocation}, YEAR = {1997}, MONTH = {July}, NUMBER = {CMU-CS-97-153}, INSTITUTION = {Carnegie Mellon University School of Computer Science}, KEYWORDS = {Formal Methods, Implicit Invocation} } @InProceedings{Monroe1996, AUTHOR = {Monroe, Robert}, TITLE = {Capturing Design Expertise in Customized Software Architecture Design Environments}, YEAR = {1996}, MONTH = {October}, BOOKTITLE = {Proceedings of the Second International Software Architecture Workshop}, PDF = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/armani-isaw/armani-isaw2.pdf}, PS = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/armani-isaw/armani-isaw2.ps}, ABSTRACT = {Software architecture is receiving increasing attention as a powerful way to deal with the complexity of large software systems. It has emerged as a distinct form of abstraction for software systems with its own set of design issues, vocabulary, and goals. Like designers in other disciplines, software architects can gain significant leverage by using powerful design environments and tools. Powerful design tools generally encapsulate a relatively small amount of design expertise that provides the important functionality of the tool within a relatively large support infrastructure. In this position paper I argue that in order to make the development of specialized architectural design tools practical it must be relatively easy and inexpensive to capture and make use of the desired design expertise. I then briefly describe an emerging approach for capturing this design expertise so that it can be used to incrementally configure architectural design environments.}, KEYWORDS = {Software Architecture} } @InProceedings{Allen95Aegis, AUTHOR = {Allen, Robert and Garlan, David}, TITLE = {A Case Study in Architectural Modelling: The AEGIS System}, YEAR = {1996}, MONTH = {March}, BOOKTITLE = {Proceedings of the Eighth International Workshop on Software Specification and Design (IWSSD-8)}, KEY = {Allen}, PAGES = {6-15}, ADDRESS = {Paderborn, Germany}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aegis-iwssd8/aegis-iwssd8.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aegis-iwssd8/aegis-iwssd8.ps}, ABSTRACT = {Software architecture is receiving increasingly attention as a critical design level for software systems. However, the current practice of architectural description is largely informal and ad hoc, with the consequence that architectural documents serve as a poor communication mechanism, are difficult to analyze, and may have very little relationship to the implemented system. In an attempt to address these problems several researchers have experimented with formalisms for architectural specification and modelling. One such formalism is Wright. In this paper we show how Wright can be used to provide insight into an architectural design by modelling a prototype implementation of part of the AEGIS Weapons System.}, KEYWORDS = {Software Architecture, Wright} } @InProceedings{Garlan97ISAW2, AUTHOR = {Garlan, David}, TITLE = {Style-Based Refinement for Software Architecture}, YEAR = {1996}, MONTH = {October}, BOOKTITLE = {Joint Proceedings of the Second International Software Architecture Workshop (ISAW2) and the International Workshop on Multiple Perspectives in Software Development (Viewpoints '96)}, KEY = {Garlan}, ADDRESS = {San Francisco, CA}, PUBLISHER = {ACM Press}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/refinement-isaw2/refinement-isaw2.pdf}, ABSTRACT = {A question that frequently arises for architectural design is 'When can I implement a design in style S1 using a design in style S2?' In this paper I propose a technique for structuring a solution to this kind of problem using the idea of substyles. This technique leads to a two-step process in which first, useful subsets of a family of architectures are identified, and second, refinement rules specific to these subsets are established. I will argue that this technique, in combination with an unconventional interpretation of refinement, clarifies how engineers actually carry out architectural refinement and provides a formal framework for establishing the correctness of those methods.} } @Book{Shaw1996, AUTHOR = {Shaw, Mary and Garlan, David}, TITLE = {Software Architecture: Perspectives on an Emerging Discipline}, YEAR = {1996}, PUBLISHER = {Prentice Hall}, ABSTRACT = {This book examine architectures for software systems as well as better ways to support software development. We attempt to bring together the useful abstractions of systems design and the notations and tools of the software developer, and look at patterns used for system organization. We present an introduction to the field of software architecture. Our purpose is to illustrate the discipling and examine the ways in which architectural design can impact software design. Our selection emphasizes informal descriptions, touching lightly on formal notations and specifications and on tools to support them. The book serves two groups: First, professional software developers looking for new patterns for system organization. By identifying useful patterns clearly, giving examples, comparing them, and evaluating their utility in various settings, the book will sharpen their understanding and broaden their options. Second, students with interersts in software system organization.
Education in Software Architecture
This book can be used for a course, Architectures for Software Systems, that brings together the emerging models for software archtitectures and shows how to approach systems from an architectural point of view. }, NOTE = {Prentice Hall Ordering Information}, KEYWORDS = {Software Architecture} } @InProceedings{Monroe96ICSR, AUTHOR = {Monroe, Robert T. and Garlan, David}, TITLE = {Style-based Reuse for Software Architectures}, YEAR = {1996}, MONTH = {April}, BOOKTITLE = {Proceedings of the Fourth International Conference on Software Reuse}, KEY = {Monroe}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/shelf-icsr96/shelf-icsr96.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/shelf-icsr96/shelf-icsr96.ps}, ABSTRACT = {Although numerous mechanisms for promoting software reuse have been proposed and implemented over the years, most have focused on the reuse of implementation code. There is much conjecture and some empirical evidence, however, that the most effective forms of reuse are generally found at more abstract levels of software design. In this paper we discuss software reuse at the architectural level of design. Specifically, we argue that the concept of 'architectural style' is useful for supporting the classification, storage, and retrieval of reusable architectural design elements. We briefly describe the Aesop system's Software Shelf, a tool that assists designers in selecting appropriate design elements and patterns based on stylistic information and design constraints.}, KEYWORDS = {Architectural Style, Software Architecture} } @Article{Garlan95TSE-intro, AUTHOR = {Garlan, David and Perry, Dewayne}, TITLE = {Introduction to the Special Issue on Software Architecture}, YEAR = {1995}, MONTH = {April}, JOURNAL = {IEEE Transactions on Software Engineering}, KEY = {Garlan}, VOLUME = {21}, NUMBER = {4}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/saintro-tse95/saintro-tse95.pdf}, ABSTRACT = {A critical aspect of the design for any large software system is its gross structure represented as a high-level organization of computational elements and interactions between those elements. Broadly speaking, this is the software architectural level of design. The structure of software has long been recognized as an important issue of concern. However, recently software architecture has begun to emerge as an explicit field of study for software engineering practitioners and researchers. Evidence of this trend is apparent in a large body of recent work in research such as module interface languages, domain specific architectures, architectural description languages, design patterns and handbooks, formal underpinnings for architectural design, and architectural design environments. This IEEE Transactions on Software Engineering Special Issue on Software Architecture presents seven papers that illustrate many of these emerging research areas.}, KEYWORDS = {Software Architecture} } @InProceedings{Garlan95Dagstuhl, AUTHOR = {Garlan, David}, TITLE = {What is Style?}, YEAR = {1995}, MONTH = {February}, BOOKTITLE = {Proceedings of the Dagstuhl Workshop on Software Architecture}, KEY = {David Garlan}, ADDRESS = {Saarbruecken, Germany}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/style-iwass95/style-iwass95.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/style-iwass95/style-iwass95.ps}, ABSTRACT = {A central aspect of architectural design is the use of recurring organizational patterns and idioms- or architectural styles. Examples include generic system organizations such as those based on dataflow or layers, as well as specific organizational structures such as the classical decomposition of a compiler, the OSI communication stack, and the MVC user interface paradigm. The principled use of architectural styles has a number of practical benefits. First, it promotes design reuse: routine solutions with well-understood properties can be reapplied to new problems with confidence. Second, it can lead to significant code reuse: often the invariant aspects of an architectural style lend themselves to shared implementations. Third, it is easier for others to understand a system's organization if conventionalized structures are used. For example, even without giving details, characterization of a system as a 'client-server' organization immediately conveys a strong image of the kinds of pieces and how they fit together. Fourth,use of standardized styles supports interoperability. Examples include CORBA object-oriented architecture, and event-based tool integration. Fifth, by constraining the design space, an architectural style often permits specialized,style-specific analyses. For example, it is possible to analyze pipe-filter systems for schedulability, throughput, latency, and deadlock-freedom. Such analyses might not be meaningful for an arbitrary, ad hoc architecture - or even one constructed in a different style. Sixth, it is usually possible to provide style-specific visualizations: this makes it possible to provide graphical and textual renderings that match engineers' domain-specific intuitions about how their designs should be depicted. }, KEYWORDS = {Architectural Style, Software Architecture} } @InProceedings{Allen96IWSSD, AUTHOR = {Allen, Robert}, TITLE = {Formalism and Informalism in Architectural Style: A Case Study}, YEAR = {1995}, MONTH = {April}, BOOKTITLE = {Proceedings of the First International Workshop on Architectures for Software Systems}, KEY = {Garlan}, ABSTRACT = {Increasingly, developers look to software architecture to help them control the complexity of their systems. When developing a particular system, designers tend not to explore all possible alternatives for its architecture. Instead, they use specific patterns and idioms that are effective for the domain in which they are working. We term such a collection of patterns and idioms an architectural style. Unfortunately, with few exceptions current exploitation of architectural style is informal and ad hoc. In this paper we consider an alternative to the ad hoc description of architectural styles, a formal description based on the inherent structure of software architectures. We explore this solution by describing Justo and Cunha's message passing style in Wright, an architecture description language based on CSP. }, KEYWORDS = {Architectural Style, Software Architecture} } @InProceedings{Garlan95ICSE-17, AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John}, TITLE = {Architectural Mismatch, or, Why it's hard to build systems out of existing parts}, YEAR = {1995}, MONTH = {April}, BOOKTITLE = {Proceedings of the 17th International Conference on Software Engineering}, KEY = {Garlan}, PAGES = {179-185}, ADDRESS = {Seattle, Washington}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/archmismatch-icse17/archmismatch-icse17.pdf}, ABSTRACT = {Many would argue that future breakthroughs in software productivity will depend on our ability to combine existing pieces of software to produce new applications. An important step towares this goal is the development of new techniques to detect and cope with mismatches in the assembled parts. Some problems of composition are due to low-level issues of interoperability, such as mismatches in programming languages or database schemas. However, in this paper we highlight a different, and in many ways more pervasive, class of problem: architectural mismatch. Specifically, we use our experience in building a family of software design environments from existing parts to illustrate a variety of types of mismatch that center around the assumptions a reusable part makes about the structure of the application in which is to appear. Based on this experience we show how an architectural view of the mismatch problem exposes some fundamental, thorny problems for software composition and suggests possible research avenues needed to solve them.}, NOTE = {A revised and extended version of this paper appeared in <a href=http://ieeexplore.ieee.org/iel1/52/9910/00469757.pdf><i>IEEE Software</i>, Volume 12, Issue 6, Nov. 1995 (pp. 17-26)</a>. This paper was awarded an ACM SIGSOFT Impact Paper Award in 2011.}, KEYWORDS = {Architectural Style, Landmark, Software Architecture} } @Article{IEEE1995/reuse, AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John}, TITLE = {Architectural Mismatch: Why Reuse is so Hard}, YEAR = {1995}, JOURNAL = {IEEE Software}, VOLUME = {12}, NUMBER = {6}, PAGES = {17-26}, KEYWORDS = {Software Architecture} } @Article{Abowd1995, AUTHOR = {Abowd, Gregory and Allen, Robert and Garlan, David}, TITLE = {Formalizing Style to Understand Descriptions of Software Architecture}, YEAR = {1995}, MONTH = {October}, JOURNAL = {ACM Transactions on Software Engineering and Methodology}, VOLUME = {4}, NUMBER = {4}, PAGES = {319-364}, PDF = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/styleformalism-tosem95/styleformalism-tosem95.pdf}, PS = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/styleformalism-tosem95/styleformalism-tosem95.ps}, ABSTRACT = {The software architecture of most systems is usually described informally and diagrammatically by means of boxes and lines. In order for these descriptions to be meaningful, the diagrams are understood by interpreting the boxes and lines in specic, conventionalized ways. The informal, imprecise nature of these interpretations has a number of limitations. In this paper we consider these conventionalized interpretations as architectural styles and provide a formal framework for their uniform denition. In addition to providing a template for precisely dening new architectural styles, this framework allows for analysis within and between dierent architectural styles.}, KEYWORDS = {Architectural Analysis, Architectural Style, Landmark, Software Architecture} } @InCollection{Shaw1995, AUTHOR = {Shaw, Mary and Garlan, David}, TITLE = {Formulations and Formalisms in Software Architecture}, YEAR = {1995}, BOOKTITLE = {Computer Science Today: Recent Trends and Developments}, VOLUME = {1000}, PAGES = {307-323}, EDITOR = {Van Leeuwen, Jan}, SERIES = {Lecture Notes in Computer Science}, PUBLISHER = {Spring-Verlag}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/saformalisms-lncs1000/saformalisms-lncs1000.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/saformalisms-lncs1000/saformalisms-lncs1000.ps}, ABSTRACT = {Software architecture is the level of software design that ad- dresses the overall structure and properties of software systems. It provides a focus for certain aspects of design and development that are not appropriately addressed within the constituent modules. Architectural design depends heavily on accurate specications of subsystems and their interactions. These specications must cover a wide variety of properties, so the specication notations and associated methods must be selected or developed to match the properties of interest. Unfortunately, the available formal methods are only a partial match for architectural needs, which entail description of structure, packaging, environmental assumptions, representation, and performance as well as functionality. A prerequisite for devising or selecting a formal method is sound understanding of what needs to be formalized. For software architecture, much of this understanding is arising through progressive codication, which begins with real-world examples and creates progressively more precise models that eventually support formalization. This paper explores the pro- gressive codication of software architecture: the relation between emerging models and the selection, development, and use of formal systems.}, KEYWORDS = {Software Architecture} } @InProceedings{Garlan94ZUM, AUTHOR = {Garlan, David}, TITLE = {Integrating Formal Methods into a Professional Master of Software Engineering Program}, YEAR = {1994}, MONTH = {June}, BOOKTITLE = {Proceedings of the Eighth Z User Meeting}, KEY = {Garlan}, SERIES = {Workshops in Computing}, ADDRESS = {Cambridge, England}, PUBLISHER = {Springer-Verlag}, PDF = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/fmmse-zum94/fmmse-zum94.pdf}, PS = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/fmmse-zum94/fmmse-zum94.ps}, ABSTRACT = {A critical issue in the design of a professional software engineering degree program is the way in which formal methods are integrated into the curriculum. The approach taken by most programs is to teach formal techniques for software development in a separate course on formal methods. In this paper we detail some of the problems with that approach and describe an alternative in which formal methods are integrated across the curriculum. We illustrate the strengths and weaknesses of this alternative in terms of our experience of using it in the Master of Software Engineering Program at Carnegie Mellon University.}, KEYWORDS = {Education, Formal Methods} } @InProceedings{Garlan94Aesop, AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John}, TITLE = {Exploiting Style in Architectural Design Environments}, YEAR = {1994}, MONTH = {December}, BOOKTITLE = {Proceedings of SIGSOFT'94: The Second ACM SIGSOFT Symposium on the Foundations of Software Engineering}, KEY = {Garlan}, PUBLISHER = {ACM Press}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aesop-fse2/aesop-fse2.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aesop-fse2/aesop-fse2.ps}, ABSTRACT = {As the design of software architectures emerges as a discipline within software engineering, it will become increasingly important to support architectural description and analysis with tools and environments. In this paper we describe a system for developing architectural design environments that exploit architectural styles to guide software architects in producing specific systems. The primary contributions of this research are: We use our experience in implementing these concepts to illustrate how style-oriened architectural design raises new challenges for software support environments.}, KEYWORDS = {Architectural Style, Software Architecture} } @TechReport{Allen94ConnectorsTR, AUTHOR = {Allen, Robert and Garlan, David}, TITLE = {Formal Connectors}, YEAR = {1994}, MONTH = {March}, KEY = {Allen}, NUMBER = {CMU-CS-94-115}, INSTITUTION = {Carnegie Mellon University, School of Computer Science}, PS = {http://reports.adm.cs.cmu.edu/usr/anon/1994/CMU-CS-94-115.ps}, ABSTRACT = {As software systems become more complex the overall system structure -- or software architecture -- becomes a central design problem. An important step towards an engineering discipline of software is a formal basis for describing and analyzing these designs. In this paper we present a theory for one aspect of architectural description: the interactions between components. The key idea is to define architectural connectors as explicit semantic entities. These are specified as a collection of protocols that characterize each of the participant roles in an interaction and how these roles interact. We illustrate how this scheme can be used to define a variety of common architectural connectors. We further provide a formal semantics and show how this leads to a system in which architectural compatibility can be checked in a way analogous to type checking in programming languages.}, KEYWORDS = {Formal Methods, Software Architecture} } @InProceedings{Allen94MIL, AUTHOR = {Allen, Robert and Garlan, David}, TITLE = {Beyond Definition/Use: Architectural Interconnection}, YEAR = {1994}, MONTH = {August}, BOOKTITLE = {Proceedings of the ACM Interface Definition Language Workshop}, KEY = {Allen}, VOLUME = {29}, NUMBER = {8}, PUBLISHER = {SIGPLAN Notices}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/connectors-idl94/connectors-idl94.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/connectors-idl94/connectors-idl94.ps}, ABSTRACT = {Large software systems require decompositional mechanisms in order to make them tractable. Traditionally, MILs and IDLs have played this role by providing notations based on definition/use bindings. In this paper we argue that current MIL/IDLs based on definition/use have some serious drawbacks. A significant problem is that they fail to distinguish between 'implementation' and 'interaction' relationships between modules. We propose an alternative model in which components interact along well-defined lines of communication - or connectors. Connectors are defined as protocols that capture the expected patterns of communication between modules. We show how this leads to a scheme that is much more expressive for architectural relationships, that allows the formal definition of module interaction, and that supports its own form of automated checks and formal reasoning.}, KEYWORDS = {Software Architecture, Wright} } @InCollection{Garlan1995, AUTHOR = {Garlan, David and Shaw, Mary}, TITLE = {An Introduction to Software Architecture}, YEAR = {1995}, BOOKTITLE = {Advances in Software Engineering and Knowledge Engineering}, VOLUME = {2}, EDITOR = {Ambriola, V and Tortora, G}, SERIES = {Series on Software Engineering and Knowledge Engineering}, PUBLISHER = {World Scientific Publishing Company}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/intro_softarch/intro_softarch.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/intro_softarch/intro_softarch.ps}, ABSTRACT = {As the size of software systems increases, the algorithms and data structures of the computation no longer constitute the major design problems. When systems are constructed from many components, the organization of the overall system -- the software architecture -- presents a new set of design problems. This level of design has been addressed in a number of ways including informal diagrams and descriptive terms, module interconnection languages, templates and frameworks for systems that serve the needs of specific domains, and formal models of component integration mechanisms. In this paper we provide an introduction to the emerging field of software architecture. We begin by considering a number of common architectural styles upon which many systems are currently based and show how different styles can be combined in a single design. Then we present six case studies to illustrate how architectural representations can improve our understanding of complex software systems. Finally, we survey some of the outstanding problems in the field, and consider a few of the promising research directions. }, NOTE = {Also available as: Carnegie Mellon University Technical Report CMU-CS-94-166, January 1994. Reprinted in CMIS 460: Software Design and Development Faculty Course Guide, University of Maryland, Office of Instructional Development, Summer 1995}, KEYWORDS = {Architectural Style, Software Architecture, Software Engineering} } @TechReport{Garlan1994, AUTHOR = {Shaw, Mary and Garlan, David}, TITLE = {Characteristics of Higher-level Languages for Software Architectures}, YEAR = {1994}, NUMBER = {CMU-CS-94-210}, INSTITUTION = {Carnegie Mellon University School of Computer Science}, KEYWORDS = {Software Architecture} } @Misc{Garlan1994a, AUTHOR = {Garlan, David and Perry, Dewayne}, TITLE = {Software Architecture: Practice, Potential, and Pitfalls Panel Introduction}, YEAR = {1994}, MONTH = {May}, HOWPUBLISHED = {Panel Introduction in Proceedings of the Sixteenth International Conference on Software Engineering}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/saintro-icse16/saintro-icse16.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/saintro-icse16/saintro-icse16.ps}, ABSTRACT = {Whatever the long-term impact of software architecture may turn out to be, an appropriate starting point is a concrete appraisal of the current state of the practice in the use of software architecture. It is the purpose of this panel to take a step in this direction. By assembling a panel of experts with a broad base of experience in the area, we hope to provide concrete examples of what is now possible when architectural principles are applied to industrial problems in systematic ways, to consider the potential impact of software architecture over the next few years, and to suggest steps that should be taken to bring this about.}, KEYWORDS = {Software Architecture} } @InProceedings{Garlan1994b, AUTHOR = {Garlan, David}, TITLE = {The Role of Software Architecture in Requirements Engineering}, YEAR = {1994}, BOOKTITLE = {Proceedings of the Second International Conference on Requirements Engineering}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/sareqts-re94/sareqts-re94.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/sareqts-re94/sareqts-re94.ps}, ABSTRACT = {Problem Space versus Solution Space Requirements engineering is concerned fundamen tally with the shape of the problem space. Its primary goal is to determine the dimensions of the problem that the software system is to solve. In contrast, software architecture is concerned with the shape of the solution space. Its primary goal is to determine the structure of a solution to a problem posed by a set of requirements. Thus, understanding the role of software architecture in requirements engineering is largely a matter of understanding the dynamic relationship between identification of a problem to be solved and a description of its solution.}, KEYWORDS = {Software Architecture, Software Engineering} } @InProceedings{Garlan1994c, AUTHOR = {Garlan, David and Shaw, Mary}, TITLE = {Software Development Assignments for a Software Architecture Course}, YEAR = {1994}, MONTH = {May}, BOOKTITLE = {Software Engineering Resources: Proceedings of the ACM/IEEE International Workshop on Software Engineering Education}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/assignments-csee96/assignments-csee96.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/assignments-csee96/assignments-csee96.ps}, ABSTRACT = {As software systems grow in size and complexity their design problem extends beyond algorithms and data structures to issues of system design. These issues|the software architecture level of software design|are becoming increasingly important to the practicing software engineer. Consequently, it is important to nd eective ways to teach this material. To meet this need we developed a course, 'Architectures for Software Systems,' and have taught it four times. In this paper we describe the principal software development assignments that this course uses to develop skill at applying architectural principles to the design and implementation of software systems. The major challenges in designing such assignments are (1) making sure that students spend their time on architectural issues rather than coding, and (2) helping students establish and maintain a desired architectural style. We address these issues by providing working examples as starting points. These examples are usable in other courses.}, KEYWORDS = {Education, Software Architecture} } @InProceedings{Allen94ICSE, AUTHOR = {Allen, Robert and Garlan, David}, TITLE = {Formalizing Architectural Connection}, YEAR = {1994}, MONTH = {May}, BOOKTITLE = {Proceedings of the Sixteenth International Conference on Software Engineering}, KEY = {Allen}, PAGES = {71-80}, ADDRESS = {Sorrento, Italy}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/AG94.pdf}, ABSTRACT = {As software systems become more complex the overall system structure, or software architecture, becomes a central design problem. An important step towards an engineering discipline of software is a formal basis for describing and analyzing these designs. In this paper we present a theory for one aspect of architectural description: the interactions between components. the key idea is to define architectural connectors as explicit semantic entities. These are specified as a collection of protocols that characterize each of the participant roles in an interaction and how these roles interact. We illustrate how this scheme can be used to define a variety of common architectural connectors. We provide a formal semantics and show how this leads to a sound deductive system in which architectural compatibility can be checked in a way analogous to type checking in programming languages.}, NOTE = {Awarded ICSE2004 Best Paper (ICSE-10)}, KEYWORDS = {Formal Methods, Landmark, Software Architecture} } @TechReport{Allen92PFTR, AUTHOR = {Allen, Robert and Garlan, David}, TITLE = {Towards Formalized Software Architectures}, YEAR = {1992}, MONTH = {July}, KEY = {Allen}, NUMBER = {CMU-CS-92-163}, INSTITUTION = {Carnegie Mellon University, School of Computer Science}, PS = {http://reports-archive.adm.cs.cmu.edu/anon/1992/CMU-CS-92-163.ps}, ABSTRACT = {An important goal in software engineering is to describe complex software systems at an architectural level of abstraction. While there are many useful architectural paradigms (pipes, blackboards, etc.) they are typically understood only idiomatically and applied in an ad hoc fashion. We show how a formal model allows us to say precisely what we mean by a software architecture, explore its properties, and systematically describe instances of the architecture. We illustrate the approach using the well-known example of pipe-filter architectures.}, KEYWORDS = {Formal Methods, Software Architecture} } @InProceedings{Abowd93FSE, AUTHOR = {Abowd, Gregory and Allen, Robert and Garlan, David}, TITLE = {Using Style to Understand Descriptions of Software Architecture}, YEAR = {1993}, MONTH = {December}, BOOKTITLE = {Proceedings of SIGSOFT'93: Foundations of Software Engineering}, KEY = {Abowd}, VOLUME = {18}, NUMBER = {5}, PAGES = {9-20}, SERIES = {Software Engineering Notes}, PUBLISHER = {ACM Press}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/styleformalism-fse1/styleformalism-fse1.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/styleformalism-fse1/styleformalism-fse1.ps}, ABSTRACT = {The software architecture of most systems is described informally and diagrammatically. In order for these descriptions to be meaningful at all, figures are understood by interpreting the boxes and lines in specific, conventionalized ways. The imprecision of these interpretations has a number of limitations. In this paper we consider these convetionalized interpretations as architectural styles and provide a formal framework for their uniform definition. In addition to providing a template for precisely defining new architectural styles, this framework allows for the proof that the notational constraints on a style are sufficient to guarantee the meanings of all described systems and provides a unified semantic base through which different stylistic interpretations can be compared.}, KEYWORDS = {Architectural Style, Software Architecture} } @InProceedings{Notkin1993, AUTHOR = {Notkin, David and Garlan, David and Griswold, William and Sullivan, Kevin}, TITLE = {Adding Implicit Invocation to Languages: Three Aproaches}, YEAR = {1993}, MONTH = {November}, BOOKTITLE = {Proceedings of the JSSST Symp. Object Technologies for Advanced Software}, VOLUME = {742}, SERIES = {Lecture Notes in Computer Science}, PUBLISHER = {Spring-Verlag}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-jssst93/implinvoc-jssst93.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-jssst93/implinvoc-jssst93.ps}, ABSTRACT = { Implicit invocation based on event announcement is an increasingly important technique for integrating systems. However, the use of this technique has largely been confined to tool integration systems---in which tools exist as independent processes---and special-purpose languages---in which specialized forms of event broadcast are designed into the language from the start. This paper broadens the class of systems that can benefit from this approach by showing how to augment general-purpose programming languages with facilities for implicit invocation. We illustrate the approach in the context of three different languages, Ada, C++, and Common Lisp. The intent is to highlight the key design considerations that arise in extending such languages with implicit invocation.}, KEYWORDS = {Implicit Invocation} } @TechReport{Garlan1992, AUTHOR = {Garlan, David and Scott, Curtis}, TITLE = {Reactive Integration for Traditional Programming Languages}, YEAR = {1992}, NUMBER = {CMU-CS-92-217}, INSTITUTION = {Carnegie Mellon University School of Computer Science} } @InCollection{Garlan1992a, AUTHOR = {Garlan, David and Shaw, Mary and Okasaki, Chris and Scott, Curtis and Swonger, Roy}, TITLE = {Experience with a Course on Architectures for Software Systems}, YEAR = {1992}, BOOKTITLE = {Lecture Notes in Computer Science}, VOLUME = {640}, PAGES = {23-43}, PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/sacourse-csee92/sacourse-csee92.pdf}, PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/sacourse-csee92/sacourse-csee92.ps}, ABSTRACT = {As software systems grow in size and complexity their design problem extends beyond algorithms and data structures to issues of system design. This area receives little or no treatment in existing computer science curricula. Although courses about specific systems are usually available there is no systematic treatment of the organizations used to assemble components into systems. These issues - the software architecture level of software design - are the subject of a new course that we taught for the first time in Spring 1992. This paper describes the motivation for the course, the content and structure of the current version, and our plans for improving the next version.}, KEYWORDS = {Education, Software Architecture} } @PhdThesis{Fairbanks2007, AUTHOR = {Fairbanks, George}, TITLE = {Design Fragments}, YEAR = {2007}, SCHOOL = {Institute for Software Research, Carnegie Mellon University}, HOWPUBLISHED = {Technical Report CMU-ISRI-07-108} } @Article{Garlan2006a, AUTHOR = {Seceleanu, Tiberiu and Garlan, David}, TITLE = {Developing adaptive systems with synchronized architectures}, YEAR = {2006}, MONTH = {November}, JOURNAL = {The Journal of Systems and Software}, VOLUME = {79}, NUMBER = {11}, PAGES = {1514-1526}, URL = {http://dx.doi.org/10.1016/j.jss.2006.03.047}, ABSTRACT = {In this paper we show how to specify and refine self-adapting systems, by employing the state-based formalism called action systems. Assuming a fixed set of possible configurations, we use a recently-introduced synchronization operator to achieve separation of concerns between adaptation policy, fault tolerance and steady-state system execution. Using action systems allows us to apply standard refinement techniques, aimed for correct implementations of higher-level models. We illustrate this idea by applying it to the problem of coping with dynamically-varying user requirements and possible fault situations.}, KEYWORDS = {Autonomic Systems, Software Architecture} } @Unpublished{Schmerl2006a, AUTHOR = {Schmerl, Bradley and Butler, Shawn and Garlan, David}, TITLE = {Architecture-based Simulation for Security and Performance}, YEAR = {2006}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/simulator.pdf}, ABSTRACT = {Architectural analysis is key to producing high quality architectures. In this demonstration we present two extensions to AcmeStudio, and domain-neutral Architecture Development Environment, to add Performance and Security Simulation. Using AcmeStudio as the integration platform for these analyses allows comparisons and trade-offs between these different quality attributes.}, NOTE = {Submitted for publication.}, KEYWORDS = {AcmeStudio, Architectural Analysis, Architectural Style, Software Architecture} } @TechReport{Sousa2005b, AUTHOR = {Sousa, Jo\~{a}o and Balan, Rajesh and Poladian, Vahe and Garlan, David and Satyanarayanan, Mahadev}, TITLE = {Giving Users the Steering Wheel for Guiding Resource-Adaptive Systems}, YEAR = {2005}, MONTH = {December}, NUMBER = {CMU-CS-05-198}, INSTITUTION = {Carnegie Mellon University School of Computer Science}, KEYWORDS = {Aura, Mult-fidelity Applications, Resource Allocation, Service Composition, Ubiquitous Computing} } @Article{garlan2007, AUTHOR = {Garlan, David and Schmerl, Bradley}, TITLE = {The RADAR Architecture for Personal Cognitive Assistance}, YEAR = {2007}, MONTH = {April}, JOURNAL = {International Journal of Software Engineering and Knowledge Engineering}, VOLUME = {17}, NUMBER = {2}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IJSEKE-paper-submission.pdf}, ABSTRACT = {Current desktop environments provide weak support for carrying out complex user-oriented tasks. Although individual applications are becoming increasingly sophisticated and feature-rich, users must map their high-level goals to the low-level operational vocabulary of applications, and deal with a myriad of routine tasks (such as keeping up with email, keeping calendars and web sites up-to-date, etc.). An alternative vision is that of a personal cognitive assistant. Like a good secretary, such an assistant would help users accomplish their high-level goals, coordinating the use of multiple applications, automatically handling routine tasks, and, most importantly, adapting to the individual needs of a user over time. In this paper we describe the architecture and its implementation for a personal cognitive assistant called RADAR. Key features include (a) extensibility through the use of a plug-in agent architecture (b) transparent integration with legacy applications and data of today?s desktop environments, and (c) extensive use of learning so that the environment adapts to the individual user over time.}, NOTE = {A shorter version of this paper appeared in the 2006 Conference on Software Engineering and Knowledge Engineering (SEKE 2006).}, KEYWORDS = {Personal Assistance, RADAR, Software Architecture} } @InProceedings{Garlan2006c, AUTHOR = {Garlan, David and Schmerl, Bradley}, TITLE = {Architecture-driven Modelling and Analysis}, YEAR = {2006}, BOOKTITLE = {Proceedings of the 11th Australian Workshop on Safety Related Programmable Systems (SCS'06)}, VOLUME = {69}, EDITOR = {Cant, Tony}, SERIES = {Conferences in Research and Practice in Information Technology}, ADDRESS = {Melbourne, Australia}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/aSCSa-final.pdf}, ABSTRACT = {Over the past 15 years there has been increasing recognition that careful attention to the design of a system?s software architecture is critical to satisfying its requirements for quality attributes such as performance, security, and dependability. As a consequence, during this period the field of software architecture has matured significantly. However, current practices of software architecture rely on relatively informal methods, limiting the potential for fully exploiting architectural designs to gain insight and improve the quality of the resulting system. In this paper we draw from a variety of research results to illustrate how formal approaches to software architecture can lead to enhancements in software quality, including improved clarity of design, support for analysis, and assurance that implementations conform to their intended architecture.}, KEYWORDS = {Acme, AcmeStudio, Architectural Analysis, Architectural Style, Landmark, Software Architecture} } @InProceedings{2010/Faulring/Radar, AUTHOR = {Faulring, Andrew and Myers, Brad and Mohnkern, Ken and Schmerl, Bradley and Steinfeld, Aaron and Zimmerman, John and Smailagic, Asim and Hansen, Jeffery and Siewioreck, Daniel}, TITLE = {Agent-Assisted Task Management that Reduces Email Overhead}, YEAR = {2010}, MONTH = {7-10 February}, BOOKTITLE = {Proceedings of the 14th International Conference on Intelligent User Interfaces}, PAGES = {61-70}, ADDRESS = {Hong Kong, China}, PUBLISHER = {ACM Press}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/radar-iui10.pdf}, ABSTRACT = {RADAR is a multiagent system with a mixed-initiative user interface designed to help office workers cope with email overload. RADAR agents observe experts to learn models of their strategies and then use the models to assist other people who are working on similar tasks. The agents assistance helps a person to transition from the normal email-centric workflow to a more efficient task-centric workflow. The Email Classifier learns to identify tasks contained within emails and then inspects new emails for similar tasks. A novel task-management user interface displays the found tasks in a to-do list, which has integrated support for performing the tasks. The Multitask Coordination Assistant learns a model of the order in which experts perform tasks and then suggests a schedule to other people who are working on similar tasks. A novel Progress Bar displays the suggested schedule of incomplete tasks as well as the completed tasks. A large evaluation demonstrated that novice users confronted with an email overload test performed significantly better (a 37% better overall score with a factor of four fewer errors) when assisted by the RADAR agents. }, NOTE = {Honorable Mention Award in the Best Paper Contest. DOI}, KEYWORDS = {RADAR} } @InProceedings{Poladian2007, AUTHOR = {Poladian, Vahe and Garlan, David and Shaw, Mary and Schmerl, Bradley and Sousa, Jo\~{a}o and Satyanarayanan, Mahadev}, TITLE = {Leveraging Resource Prediction for Anticipatory Dynamic Configuration}, YEAR = {2007}, MONTH = {8-11 July}, BOOKTITLE = { Proceedings of the First IEEE International Conference on Self-Adaptive and Self-Organizing Systems, SASO-2007}, PAGES = {214-223}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/predictive_configuration_16_marked.pdf}, ABSTRACT = {Self-adapting systems based on multiple concurrent applications must decide how to allocate scarce resources to applications and how to set the quality parameters of each application to best satisfy the user. Past work has made those decisions with analytic models that used current resource availability information: they react to recent changes in resource availability as they occur, rather than anticipating future availability. These reactive techniques may model each local decision optimally, but the accumulation of decisions over time nearly always becomes less than optimal. In this paper, we propose an approach to self adaptation, called anticipatory configuration that leverages predictions of future resource availability to improve utility for the user over the duration of the task. The approach solves the following technical challenges: (1) how to express resource availability prediction, (2) how to combine prediction from multiple sources, and (3) how to leverage predictions continuously while improving utility to the user. Our experiments show that when certain adaptation operations are costly, anticipatory configuration provides better utility to the user than reactive configuration, while being comparable in resource demand.}, KEYWORDS = {Aura, Dynamic Configuration, Resource Aware Computing, Service Composition, Ubiquitous Computing} } @Article{RajhansMPM2009, AUTHOR = {Rajhans, Akshay and Cheng, Shang-Wen and Schmerl, Bradley and Garlan, David and Krogh, Bruce and Agbi, Clarence and Bhave, Ajinkya Y.}, TITLE = {An Architectural Approach to the Design and Analysis of Cyber-Physical Systems}, YEAR = {2009}, JOURNAL = {Electronic Communications of the EASST}, VOLUME = {21: Multi-Paradigm Modeling}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/286-855-1-PB.pdf}, ABSTRACT = {This paper presents an extension of existing software architecture tools to model physical systems, their interconnections, and the interactions between physical and cyber components. A new CPS architectural style is introduced to support the principled design and evaluation of alternative architectures for cyber-physical systems (CPSs). The implementation of the CPS architectural style in AcmeStudio includes behavioral annotations on components and connectors using either ?nite state processes (FSP) or linear hybrid automata (LHA) with plug-ins to perform behavior analysis using the Labeled Transition System Analyzer (LTSA) or Polyhedral Hybrid Automata Veri?er (PHAVer), respectively. The CPS architectural style and analysis plug-ins are illustrated with an example. }, KEYWORDS = {Cyberphysical Systems} } @InProceedings{SOAR2009, AUTHOR = {Raheja, Rahul and Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley}, TITLE = {Improving Architecture-Based Self-Adaptation using Preemption}, YEAR = {2009}, MONTH = {14 September}, BOOKTITLE = {Proceedings of the Workshop on Self-Organizing Architecture}, ADDRESS = {Cambridge, UK}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SOAR-web.pdf}, ABSTRACT = {One common approach to self-adaptive systems is to incorporate a control layer that monitors a system, supervisorily detects problems, and applies adaptation strategies to fix problems or improve system behavior. While such approaches have been found to be quite effective, they are typically limited to carrying out a single adaptation at a time, delaying other adaptations until the current one finishes. This in turn leads to a problem in which a time-critical adaptation may have to wait for an existing long-running adaptation to complete, thereby missing a window of opportunity for that adaptation. In this paper we improve on existing practice through an approach in which adaptations can be preempted to allow for other time-critical adaptations to be scheduled. Scheduling is based on an algorithm that maximizes time-related utility for a set of concurrently executing adaptations.}, KEYWORDS = {Autonomic Systems, Rainbow, Self-adaptation, Software Architecture, Software Engineering} } @InBook{Prediction2008, AUTHOR = {Poladian, Vahe and Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley}, TITLE = {Improving Architecture-Based Self-Adaption Through Resource Prediction}, YEAR = {2008}, BOOKTITLE = {Software Engineering for Self-Adaptive Systems}, VOLUME = {5525}, EDITOR = {Cheng, Betty H.C. and de Lemos, Rog\'{e}rio and Giese, Holger and Inverardi, Paola and Magee, Jeff}, SERIES = {Lecture Notes in Computer Science}, PUBLISHER = {LNCS}, CHAPTER = {15}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/LNCS-SEfSASChapter-2009-0222-web.pdf}, ABSTRACT = {An increasingly important concern for modern systems design is how best to incorporate self-adaptation into systems so as to improve their ability to dynamically respond to faults, resource variation, and changing user needs. One promising approach is to use architectural models as a basis for monitoring, problem detection, and repair selection. While this approach has been shown to yield positive results, current systems use a reactive approach: they respond to problems only when they occur. In this paper we argue that self-adaptation can be improved by adopting an anticipatory approach in which predictions are used to inform adaptation strategies. We show how such an approach can be incorporated into an architecture-based adaptation framework and demonstrate the benefits of the approach.}, KEYWORDS = {Rainbow, Resource prediction, Self-adaptation} } @InProceedings{Celiku2007, AUTHOR = {Celiku, Orieta and Garlan, David}, TITLE = {Using Medical Devices to Teach Formal Modeling}, YEAR = {2007}, MONTH = {25-27 June}, BOOKTITLE = {Joint Workshop on High Confidence Medical Devices, Software, and Systems (HCMDSS) and Medical Device Plug-and-Play (MD PnP) Interoperability}, ADDRESS = {Boston, MA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CelikuGarlanMedicalDevices.pdf}, SLIDES = {http://acme.able.cs.cmu.edu/pubs/uploads/slides/CelikuGarlanMedicalDevicesPoster.pdf}, ABSTRACT = {Over the past decade there has been considerable progress in the development of formal methods to improve our confidence in complex systems. Today the use of such methods in certain fields, such as hardware design, or nuclear power control systems, is de rigueur, with commensurate improvements in quality and reliability. Regrettably, however, the use of formalism in the medical device domain is relatively sparse. This is due in large part to the perceived difficulty of using formal methods by ordinary engineers and domain specialists, and by the lack of training in how best to apply existing tools to solve the problems faced in that domain. Over the past few years we have been developing educational materials to help bridge this gap. Specifically we have developed a course in formal modeling for practicing engineers. A core component of this effort is a set of exercises drawn from the medical device domain, which are used to a) show how formal modeling can be used as an effective technique to improve quality and reliability of software-intensive systems b) provide guidelines on selecting appropriate modeling approaches for the problem at hand c) give students hands-on experience in modeling and tool-assisted analysis In this paper we outline our use of medical device challenge problems in achieving these goals. We argue that such exercises (and the underlying concepts) can go a long way towards bridging the gap between theory and practice, and could be used more generally to improve the state of the practice in developing high-confidence systems, in general, and medical devices, in particular.}, KEYWORDS = {Education, Formal Methods} } @InProceedings{Latoza2007, AUTHOR = {LaToza, Thomas and Garlan, David and Herbsleb, James and Myers, Brad}, TITLE = {Program Comprehension as Fact Finding}, YEAR = {2007}, MONTH = {3-7 September}, BOOKTITLE = {Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2007)}, PAGES = {361-370}, ADDRESS = {Dubrovnik, Croatia}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fp242-latoza.pdf}, ABSTRACT = {Little is known about how developers think about design during code modification tasks or how experienced developers design knowledge helps them work more effectively. We performed a lab study in which thirteen developers worked for 3 hours understanding the design of a 54 KLOC open source application. Participants had from 0 to 10.5 years of industry experience and were grouped into three experts and ten novices. We observed that participants spent their time seeking, learning, critiquing, explaining, proposing, and implementing facts about the code such as getFoldLevel has effects. These facts served numerous roles, such as suggesting changes, constraining changes, and predicting the amount of additional investigation necessary to make a change. Differences between experts and novices included that the experts explained the root cause of the design problem and made changes to address it, while novice changes addressed only the symptoms. Experts did not read more methods but also did not visit some methods novices wasted time understanding. Experts talked about code in terms of abstractions such as caching while novices more often described code statement by statement. Experts were able to implement a change faster than novices. Experts perceived problems novices did not and were able to explain facts novices could not. These findings have interesting implications for future tools.}, NOTE = {Available from the ACM Digital Library: http://doi.acm.org/10.1145/1287624.1287675}, KEYWORDS = {Software Architecture} } @InBook{Sousa2008, AUTHOR = {Sousa, Jo\~{a}o and Schmerl, Bradley and Steenkiste, Peter and Garlan, David}, TITLE = {Activity Oriented Computing}, YEAR = {2008}, BOOKTITLE = {Advances in Ubiquitous Computing: Future Paradigms and Directions}, EDITOR = {Mostefaoui, Soraya Kouadri and Maamar, Zakaria and Giaglis, George}, ADDRESS = {Herschey, PA}, PUBLISHER = {IGI Publishing}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/AOC.pdf}, ABSTRACT = {This chapter introduces a new way of thinking about software systems for supporting the activities of end-users. In this approach, models of user activities are promoted to first class entities, and software systems are assembled and configured dynamically based on activity models. This constitutes a fundamental change of perspective over traditional applications: activities take the main stage and may be long-lived, whereas the agents that carry them out are plentiful and interchangeable. The core of the chapter describes a closed-loop control design that enables activity-oriented systems to become self-aware and self-configurable, and to adapt to dynamic changes both in the requirements of user activities and in the environment resources. The chapter discusses how that design addresses challenges such as user mobility, resolving conflicts in accessing scarce resources, and robustness in the broad sense of responding adequately to user expectations, even in unpredictable situations, such as random failures, erroneous user input, and continuously changing resources. The chapter further summarizes challenges and ongoing work related to managing activities where humans and automated agents collaborate, human-computer interactions for managing activities, and privacy and security aspects.}, NOTE = {Book link: http://www.igi-pub.com/books/details.asp?ID=7314}, KEYWORDS = {Aura, Ubiquitous Computing} } @Misc{Pride2006, AUTHOR = {Pride, Chris}, TITLE = {Extending Aura with an Augmented Reality Interface}, YEAR = {2007}, HOWPUBLISHED = {Undergraduate Thesis}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PrideThesis.pdf}, ABSTRACT = {In a ubiquitous computing environment augmented reality would be an ideal choice for a display for the user. An augmented reality display assists users by adding computer generated information to their perception of reality, thus making it ideal for ubiquitous computing. Unfortunately augmented reality is technically difficult and costly to implement even when the application is designed for its use from the ground up. However, many of the necessary devices for a low fidelity implementation of augmented reality are readily available in a ubiquitous computing environment. Our research focuses on using Aura, a ubiquitous computing framework, to marshal the available devices in the environment. These devices can then be connected within the framework to provide an augmented reality display to the user at the best fidelity possible, given the available resources in a user's environment.}, KEYWORDS = {Aura} } @InProceedings{Sousa2008-WICSA, AUTHOR = {Sousa, Jo\~{a}o and Schmerl, Bradley and Poladian, Vahe and Brodsky, Alex}, TITLE = {UDesign: End-User Design Applied to Monitoring and Control Applications for Smart Spaces}, YEAR = {2008}, MONTH = {18-22 February}, BOOKTITLE = {Proceedings of the 2008 Working IFIP/IEEE Conference on Software Architecture}, ADDRESS = {Vancouver, BC, Canada}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/uDesign-final.pdf}, ABSTRACT = {This paper introduces an architectural style for enabling end-users to quickly design and deploy software systems in domains characterized by highly personalized and dynamic requirements. The style offers an intuitive metaphor based on boxes, pipes, and wires, but retains enough preciseness that systems can be automatically assembled and dynamically reconfigured based on uDesign descriptions. uDesign was primarily motivated and validated within monitoring and control applications for smart spaces, but we envision possible extensions to other domains. Our contribution differs from early attempts at end-user programming in the level of abstraction, software architecture rather than programming, and in the subject of description: run-time rather than code structures. To validate the approach, the paper presents (a) two case studies, one in health care and one in home security, (b) the formal semantics of uDesigns primitives, and (c) a mapping of those primitives to an existing software infrastructure: the Aura infrastructure.}, KEYWORDS = {Architectural Style, Aura, Service Composition, Ubiquitous Computing} } @InProceedings{Cheng:2007:huas/iwlu, AUTHOR = {Cheng, Shang-Wen and Garlan, David}, TITLE = {Handling Uncertainty in Autonomic Systems}, YEAR = {2007}, MONTH = {5 November}, BOOKTITLE = {Proceedings of the International Workshop on Living with Uncertainties (IWLU'07), co-located with the 22nd International Conference on Automated Software Engineering (ASE'07)}, ADDRESS = {Atlanta, GA, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IWLU07-HandlingUncertainties-pub.pdf}, ABSTRACT = {Autonomic, or self-adaptive, systems are increasingly important. One of the most prevalent techniques is to adopt a control systems view of the solution: adding a runtime, separate control unit that monitors and adapts the system under consideration. A problem with this paradigm for system engineering is that the control and the system are loosely coupled, introducing a variety of sources of uncertainty. In this paper we describe three specific sources of uncertainty, and briefly explain how we address those in the Rainbow Project.}, NOTE = {<a href=http://godzilla.cs.toronto.edu/IWLU/program.html>http://godzilla.cs.toronto.edu/IWLU/program.html</a>;}, KEYWORDS = {Autonomic Systems, Rainbow, Self-adaptation, Self-Repair, Stitch, uncertainty} } @InProceedings{Celiku2007a, AUTHOR = {Celiku, Orieta and Garlan, David and Schmerl, Bradley}, TITLE = {Augmenting Architectural Modeling to Cope with Uncertainty}, YEAR = {2007}, MONTH = {5 November}, BOOKTITLE = {Proceedings of the International Workshop on Living with Uncertainties (IWLU'07), co-located with the 22nd International Conference on Automated Software Engineering (ASE'07)}, ADDRESS = {Atlanta, GA, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/uncertainty-web.pdf}, ABSTRACT = {Notations and techniques for architectural modeling and analysis have matured considerably over the past two decades. However, to date these approaches have primarily focused on architectural properties and behavior that can be precisely defined. In this paper we argue that it is possible to augment existing architecture description languages (ADLs) to support reasoning and analysis in the presence of uncertainty. Specifically, we outline two basic extensions to formal architecture descriptions that take advantage of probabilistic specifications to support architecture-based analyses such as simulation, detection of behavioral drift, and reasoning about the expected outcomes of uncertain behavior. An important property of these specifications is that they allow incremental refinement � as more is known about the behavior of the system, specifications can be extended without invalidating previous analyses.}, NOTE = {<a href=http://godzilla.cs.toronto.edu/IWLU/program.html>http://godzilla.cs.toronto.edu/IWLU/program.html</a>;}, KEYWORDS = {Acme, AcmeStudio, Architectural Analysis, Software Architecture} } @InProceedings{Poladian:2007:iwlu, AUTHOR = {Poladian, Vahe and Shaw, Mary and Garlan, David}, TITLE = {Modeling Uncertainty of Predictive Inputs in Anticipatory Dynamic Configuration}, YEAR = {2007}, MONTH = {5 November}, BOOKTITLE = {Proceedings of the International Workshop on Living with Uncertainties (IWLU'07), co-located with the 22nd International Conference on Automated Software Engineering (ASE'07),}, ADDRESS = {Atlanta, GA, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/uncertainty_in_configuration_v5.1.pdf}, ABSTRACT = {Dynamic adaptive systems based on multiple concurrent applications typically employ optimization models to decide how to allocate scarce resources among the applications and how to tune their runtime settings for optimal quality-of-service according to the preferences of an end user. Traditionally, such systems have avoided dealing with uncertainty by assuming that current snapshots of the relevant inputs are precise and by solving for an optimal system point. To achieve dynamic behavior, a system performs an optimization loop upon discovering changes in the input variables (e.g. changes in the available level of resources) and adapts the applications according to the new optimal solution. Unfortunately, when certain adaptation actions incur costs, such reactive adaptation strategies suffer from a significant shortcoming: several locally optimal decisions over time may often be less than optimal globally. By using predictive information about the future values of the problem inputs, we can model and implement an anticipatory adaptation strategy that helps improve the global behavior of the system in many situations. However, modeling predictions requires representing and dealing with uncertainty from different sources. In this paper, we describe our proposed approach to represent multiple sources of uncertainty and outline algorithms for solving the anticipatory configuration problem with predictive inputs.}, NOTE = {<a href=http://godzilla.cs.toronto.edu/IWLU/program.html>http://godzilla.cs.toronto.edu/IWLU/program.html</a>;}, KEYWORDS = {Aura, Dynamic Configuration, Resource Allocation, Resource Aware Computing, Ubiquitous Computing, uncertainty} } @Article{Delisle1990, AUTHOR = {Delisle, Norman and Garlan, David}, TITLE = {A Formal Specification of an Oscilloscope}, YEAR = {1990}, MONTH = {September}, JOURNAL = {IEEE Software}, VOLUME = {7}, NUMBER = {5} } @InProceedings{Cheng2006, AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley}, TITLE = {Architecture-based Self-adaptation in the Presence of Multiple Objectives}, YEAR = {2006}, MONTH = {21-22 May}, BOOKTITLE = {ICSE 2006 Workshop on Software Engineering for Adaptive and Self-Managing Systems (SEAMS)}, ADDRESS = {Shanghai, China}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams06.pdf}, ABSTRACT = {In the world of autonomic computing, the ultimate aim is to automate human tasks in system management to achieve high-level stakeholder objectives. One common approach is to capture and represent human expertise in a form executable by a computer. Techniques to capture such expertise in programs, scripts, or rule sets are effective to an extent. However, they are often incapable of expressing the necessary adaptation expertise and emulating the subtleties of trade-offs in high-level decision making. In this paper, we propose a new language of adaptation that is suffi-ciently expressive to capture the subtleties of choice, deriving its ontology from system administration tasks and its underlying formalism from utility theory.}, KEYWORDS = {Landmark, Rainbow, Self-adaptation, Self-Repair} } @Article{AANSG08, AUTHOR = {Abi-Antoun, Marwan and Aldrich, Jonathan and Nahas, Nagi and Schmerl, Bradley and Garlan, David}, TITLE = {Differencing and Merging of Architectural Views}, YEAR = {2008}, MONTH = {March}, JOURNAL = {Automated Software Engineering Journal}, VOLUME = {15}, NUMBER = {1}, ABSTRACT = {Differencing and merging architectural views is an important activity in software engineering. However, existing approaches are still based on restrictive assumptions, such as requiring view elements to have unique identiers or exactly matching types, which is often not the case in many application domains. We propose an approach based on structural information. We generalize a published polynomial-time tree-to-tree correction algorithm that detects inserts, renames and deletes, into a novel algorithm that additionally detects restricted moves. Our algorithm also supports forcing and preventing matches between view elements. We incorporate the algorithm into tools to compare and merge Component-and-Connector (C&C) architectural views. We provide an empirical evaluation of the algorithm. We illustrate the tools using extended examples, and use them to detect and reconcile interesting differences between real architectural views.}, NOTE = {Final version available online at http://dx.doi.org/10.1007/s10515-007-0023-3.}, KEYWORDS = {Acme, ArchJava, Software Architecture} } @InProceedings{Sousa2008a, AUTHOR = {Sousa, Jo\~{a}o and Poladian, Vahe and Garlan, David and Schmerl, Bradley and Steenkiste, Peter}, TITLE = {Steps toward Activity-Oriented Computing}, YEAR = {2008}, MONTH = {14 April}, BOOKTITLE = {Proceedings of the 2008 NSF Next Generation Software Program Workshop}, ADDRESS = {Miami, FL}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IPDPS-web.pdf}, ABSTRACT = {Most pervasive computing technologies focus on helping users with computer-oriented tasks. In this NSF-funded project, we instead focus on using computers to support user-centered activities that normally do not involve the use of computers. Examples may include everyday tasks around such as answering the doorbell or doing laundry. A focus on activity-based computing brings to the foreground a number of unique challenges. These include activity definition and representation, system design, interfaces for managing activities, and ensuring robust operation. Our project focuses on the first two challenges.}, KEYWORDS = {Aura, Ubiquitous Computing} } @PhdThesis{Cheng:2008:Thesis, AUTHOR = {Cheng, Shang-Wen}, TITLE = {Rainbow: Cost-Effective Software Architecture-Based Self-Adaptation}, YEAR = {2008}, MONTH = {May}, SCHOOL = {Carnegie Mellon University}, URL = {http://reports-archive.adm.cs.cmu.edu/anon/isr2008/abstracts/08-113.html}, NOTE = {Institute for Software Research Technical Report CMU-ISR-08-113}, KEYWORDS = {Rainbow} } @InProceedings{Sousa2008b, AUTHOR = {Sousa, Jo\~{a}o and Balan, Rajesh and Poladian, Vahe and Garlan, David and Satyanarayanan, Mahadev}, TITLE = {User Guidance of Resource-Adaptive Systems}, YEAR = {2008}, MONTH = {July}, BOOKTITLE = {ICSOFT'08 International Conference on Software and Data Technologies}, ADDRESS = {Porto, Portugal}, ABSTRACT = {This paper presents a framework for engineering resource-adaptive software systems targeted at small mobile devices. The proposed framework empowers users to control tradeoffs among a rich set of servicespecific aspects of quality of service. After motivating the problem, the paper proposes a model for capturing user preferences with respect to quality of service, and illustrates prototype user interfaces to elicit such models. The paper then describes the extensions and integration work made to accommodate the proposed framework on top of an existing software infrastructure for ubiquitous computing. The research question addressed here is the feasibility of coordinating resource allocation and adaptation policies in a way that end-users can understand and control in real time. The evaluation covered both systems and the usability perspectives, the latter by means of a user study. The contributions of this work are: first, a set of design guidelines for resource-adaptive systems, including APIs for integrating new applications; second, a concrete infrastructure that implements the guidelines. And third, a way to model quality of service tradeoffs based on utility theory, which our research indicates end-users with diverse backgrounds are able to leverage for guiding the adaptive behaviors towards activity-specific quality goals.}, KEYWORDS = {Aura, Resource Aware Computing} } @InBook{2009:AdaptationChapter, AUTHOR = {Garlan, David and Schmerl, Bradley and Cheng, Shang-Wen}, TITLE = {Software Architecture-Based Self-Adaptation}, YEAR = {2009}, BOOKTITLE = {Autonomic Computing and Networking}, NUMBER = {ISBN 978-0-387-89827-8}, EDITOR = {Denko, Mieso and Yang, Laurence and Zhang, Yan}, PUBLISHER = {Springer}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/chapter-final.pdf}, ABSTRACT = {Increasingly, systems must have the ability to self-adapt to meet changes in their execution environment. Unfortunately, existing solutions require human oversight, or are limited in the kinds of systems and the set of quality-of-service concerns they address. Our approach, embodied in a system called Rainbow, uses software architecture models and architectural styles to overcome existing limitations. It provides an engineering approach and a framework of mechanisms to monitor a target system and its environment, reflect observations into a system's architecture model, detect opportunities for improvements, select a course of action, and effect changes in a closed loop. The framework provides general and reusable infrastructures with well-defined customization points, allowing engineers to systematically customize Rainbow to particular systems and concerns. }, NOTE = {Springer Link}, KEYWORDS = {Autonomic Systems, Rainbow, Self-adaptation, Self-Repair} } @PhdThesis{Poladian2008:Thesis, AUTHOR = {Poladian, Vahe}, TITLE = {Tailoring Configuration to User's Tasks under Uncertainty}, YEAR = {2008}, MONTH = {April}, SCHOOL = {Carnegie Mellon University}, URL = {http://reports-archive.adm.cs.cmu.edu/anon/2008/abstracts/08-121.html}, ABSTRACT = {The expansion of computing infrastructure has opened the possibility of a world in which users can compute everywhere. Despite such advances, computing resources are often scarce and changing, limiting a user�s ability to take advantage of the applications and devices, and requiring changes to the application runtime settings. Currently, the burden of managing the computing environment (devices, applications, and resources) falls on the user. A user must manually start applications and adjust their settings according to the available resources. Assigning such chores of configuration to the user has a number of disadvantages. First, it consumes user�s precious cognitive resources. Second, effectively managing the environment requires skills that a typical user might not have. Third, even with adequate low-level expertise, managing the environment optimally (or even adequately) can be difficult. Ideally, the computing needs of a user are seamlessly matched with the capabilities of the environment: devices, applications, and available resources. The user should enjoy the best possible application quality, without worrying about managing the low-level computing mechanisms. In this dissertation, we describe a novel approach that substantially automates the control of the configuration of the environment for a user�s task: finding and starting applications, configuring their runtime settings, and allocating possibly limited resources. Our approach simultaneously satisfies two important requirements: utility and practicality. Utility ensures that configuration decisions take into account user�s preferences for specific applications and quality of service. Practicality ensures that configuration has low runtime overhead in terms of the latency of configuration decisions and its usage of resources. First, we model configuration analytically as a problem of optimizing user�s utility based on three inputs: (1) user�s preferences, (2) application capability, and (3) resource availability. Formally, automating the control of the configuration requires solving an optimization problem, and then using the optimization solution to control the environment. Next, we design a software infrastructure that is based on the analytical model. The infrastructure implements efficient algorithms to solve the problem of configuration, eliminating the need for manual configuration. We validate our approach using experiments and simulation, demonstrating that the infrastructure satisfies the requirements of utility and practicality while substantially automating configuration.}, NOTE = {Technical Report CMU-CS-08-121} } @TechReport{Garlan:2008:EvoStyle, AUTHOR = {Garlan, David}, TITLE = {Evolution Styles: Formal foundations and tool support for software architecture evolution}, YEAR = {2008}, MONTH = {June}, NUMBER = {CMU-CS-08-142}, INSTITUTION = {School of Computer Science, Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CMU-CS-08-142.pdf}, ABSTRACT = {Architecture evolution is a central feature of virtually all software systems. As new market opportuni-ties, technologies, platforms, and frameworks become available systems must change their organiza-tional structures to accommodate them, requiring large-scale and systematic restructuring. Today arc-hitects have few tools to help them plan and execute such evolutionary paths. In particular, they have almost no assistance in reasoning about questions such as: How should we stage the evolution to achieve business goals in the presence of limited development resources? How can we reduce risk in incorporating new technologies and infrastructure required by the target architecture? How can we make principled tradeoffs between time and development effort? What kinds of changes can be made independently, and which require coordinated system-wide modifications? How can an evolution plan be represented and communicated within an organization? In this report we outline first steps towards a formal basis for assisting architects in developing and reasoning about architectural evolution paths. The key insight behind the approach is that at an architectural level of abstraction many system evolutions follow certain common patterns or evolution styles. By taking advantage of regularity in the space of common architectural evolutions, and by making the notion of evolutions styles a first-class entity that can be formally defined, we can provide automated assistance for expressing architecture evolution, and for reasoning about both the correctness and quality of evolution paths.}, KEYWORDS = {Architectural Style} } @InProceedings{Garlan/2009/SOA, AUTHOR = {Garlan, David and Carley, Kathleen M. and Schmerl, Bradley and Bigrigg, Michael W. and Celiku, Orieta}, TITLE = {Using Service-Oriented Architectures for Socio-Cultural Analysis}, YEAR = {2009}, MONTH = {1-3 July}, BOOKTITLE = {Proceedings of the 21st International Conference on Software Engineering and Knowledge Engineering (SEKE2009)}, ADDRESS = {Boston, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SORASCS-SEKE09.pdf}, ABSTRACT = {An emergent domain that raises some unique engineering challenges is that of software architectures to convert large bodies of unstructured data to human-usable knowledge, such as in the domain of socio-cultural information analysis. We report on an architecture based on Service-Oriented Architectures that we are applying in this domain. We list the requirements that such an architecture must support, describe our architecture for addressing them, and outline what we believe are the important engineering and research issues that must still be overcome.}, KEYWORDS = {SORASCS, Service Composition, Software Architecture} } @InProceedings{Garlan/2009/ICSE/AEvol, AUTHOR = {Garlan, David and Schmerl, Bradley}, TITLE = {Ævol: A tool for defining and planning architecture evolution}, YEAR = {2009}, MONTH = {20-22 May}, BOOKTITLE = {2009 International Conference on Software Engineering}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE2009_FRD_0231_Schmerl_Bradley.pdf}, ABSTRACT = {Architecture evolution is a key feature of most software systems. There are few tools that help architects plan and execute these evolutionary paths. We demonstrate a tool to enable architects to describe evolution paths, associate properties with elements of the paths, and perform trade-off analysis over these paths.}, KEYWORDS = {Architecture Evolution} } @InProceedings{MISE2009, AUTHOR = {Chaki, Sagar and Diaz-Pace, Andres and Garlan, David and Garfunkel, Arie and Ozkaya, Ipek}, TITLE = {Towards Engineered Architecture Evolution}, YEAR = {2009}, MONTH = {May}, BOOKTITLE = {Workshop on Modeling in Software Engineering 2009}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE2009_MISE_2013_Chaki_Sagar-1.pdf}, ABSTRACT = {Architecture evolution, a key aspect of software evolution, is typically done in an ad hoc manner, guided only by the competence of the architect performing it. This process lacks the rigor of an engineering discipline. In this paper, we argue that architecture evolution must be engineered based on rational decisions that are supported by formal models and objective analyses. We believe that evolutions of a restricted form close-ended evolution, where the starting and ending design points are known a priori are amenable to being engineered. We discuss some of the key challenges in engineering close-ended evolution. We present a conceptual framework in which an architecture evolutionary trajectory is modeled as a sequence of steps, each captured by an operator. The goal of our framework is to support exploration and objective evaluation of different evolutionary trajectories. We conclude with open research questions in developing this framework.}, KEYWORDS = {Architecture Evolution} } @InProceedings{Cheng:2009:RAIDE/icse, AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley}, TITLE = {RAIDE for Engineering Architecture-Based Self-Adaptive Systems}, YEAR = {2009}, BOOKTITLE = {2009 International Conference on Software Engineering}, ADDRESS = {Vancouver, BC, Canada}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE2009_IRD_0659_Cheng_Shang-Wen.pdf}, ABSTRACT = {Rainbow is an approach for engineering self-adaptive systems, with run-time, closed-loop control over target systems to monitor, detect, decide, and act on opportunities for system improvement. RAIDE enables adaptation engineers to customize the Rainbow framework, simulate adaptation behavior, and deploy Rainbow run-time components.}, KEYWORDS = {Rainbow} } @InProceedings{Cheng:2009:benchmark/znn:seams, AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley}, TITLE = {Evaluating the Effectiveness of the Rainbow Self-Adaptive System}, YEAR = {2009}, MONTH = {18-19 May}, BOOKTITLE = {ICSE 2009 Workshop on Software Engineering for Adaptive and Self-Managing Systems (SEAMS\'09), Vancouver, BC, Canada}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE2009_SEAMS_2528_Cheng_Shang-Wen.pdf}, ABSTRACT = {Rainbow is a framework for engineering a system with run-time, self-adaptive capabilities to monitor, detect, decide, and act on opportunities for system improvement. We applied Rainbow to a system, Znn.com, and evaluated its effectiveness to self-adapt on three levels: its effectiveness to maintain quality attribute in the face of changing conditions, run-time overheads of adaptation, and the engineering effort to use it to add self-adaptive capabilities to Znn.com. We make Znn.com and the associated evaluation tools available to the community so that other researchers can use it to evaluate their own systems and the community can compare different systems. In this paper, we report on our evaluation experience, reflect on some principles for benchmarking self-adaptive systems, and discuss the suitability of our evaluation tools for this purpose.}, NOTE = {Awarded Most Influential Paper for SEAMS 2009}, KEYWORDS = {Benchmark, Rainbow} } @InProceedings{Garlan/2009/ArchEvol, AUTHOR = {Garlan, David and Barnes, Jeffrey M. and Schmerl, Bradley and Celiku, Orieta}, TITLE = {Evolution Styles: Foundations and Tool Support for Software Architecture Evolution}, YEAR = {2009}, MONTH = {14-17 September}, BOOKTITLE = {Proceedings of the Joint Working IEEE/IFIP Conference on Software Architecture 2009 & European Conference on Software Architecture 2009}, ADDRESS = {Cambridge, UK}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/wicsa-09-camera-web.pdf}, ABSTRACT = {As new market opportunities, technologies, platforms, and frameworks become available, systems require large-scale and systematic architectural restructuring to accommodate them. Todays architects have few tools and techniques to help them plan this architecture evolution. In particular, they have little assistance in planning alternative evolution paths, trading-off various aspects of the different paths, or knowing best practices for particular domains. In this paper we describe an approach for assisting architects in developing and reasoning about architectural evolution paths. The key in-sight of our approach is that, architecturally, many system evolutions follow certain common patterns or evolution styles. We define what we mean by an evolution style, and show how it can be used to provide automated assistance for expressing architectural evolution, and for reasoning about both the correctness and quality of evolution paths.}, KEYWORDS = {Architecture Evolution} } @InProceedings{Bhave/ERTS2010, AUTHOR = {Bhave, Ajinkya Y. and Garlan, David and Krogh, Bruce and Rajhans, Akshay and Schmerl, Bradley}, TITLE = {Augmenting Software Architectures with Physical Components}, YEAR = {2010}, MONTH = {19-21 May}, BOOKTITLE = {Proceedings of the Embedded Real Time Software and Systems Conference (ERTS^2 2010)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ERTS2_2010.pdf}, ABSTRACT = {This paper presents an extension of existing software architecture tools to model physical systems, their interconnections, and the interactions between physical and cyber components. We introduce a new cyber-physical system (CPS) architectural style to support the construction of architectural descriptions of complete systems and to serve as the reference context for analysis and evaluation of design alternatives using existing model-based tools. The implementation of the CPS architectural style in AcmeStudio includes behavioral annotations on components and connectors using either finite state processes (FSP) or linear hybrid automata (LHA) with plug-ins to perform behavior analysis. The application of the CPS architectural style is illustrated for the STARMAC quadrotor.}, KEYWORDS = {Cyberphysical Systems} } @TechReport{Abi-Antoun/2009/Security/TR, AUTHOR = {Abi-Antoun, Marwan and Barnes, Jeffrey M.}, TITLE = {Enforcing Conformance between Security Architecture and Implementation}, YEAR = {2009}, MONTH = {April}, NUMBER = {CMU-ISR-09-113}, INSTITUTION = {Carnegie Mellon University Institure for Software Research}, ABSTRACT = {Analysis at the level of a runtime architecture matches the way experts reason about security or privacy better than a purely code-based strategy. However, the architecture must still be correctly realized in the implementation. We previously developed Scholia to analyze, at compile time, communication integrity between arbitrary object-oriented code, and a rich, hierarchical intended runtime architecture, using typecheckable annotations. This paper applies Scholia to security runtime architectures. Having established traceability between the target architecture and the code, we extend Scholia to enforce structural architectural constraints. At the code level, annotations enforce local, modular constraints. At the architectural level, predicates enforce global constraints. We validate the end-to-end approach in practice using a real 3,000-line Java implementation, and enforce its conformance to a security architecture designed by an expert. } } @InProceedings{2013:Camara/Correia, AUTHOR = {C\'{a}mara, Javier and Correia, Pedro and de Lemos, Rog\'{e}rio and Garlan, David and Gomes, Pedro and Schmerl, Bradley and Ventura, Rafael}, TITLE = {Evolving an Adaptive Industrial Software System to Use Architecture-based Self-Adaptation}, YEAR = {2013}, MONTH = {20-21 May}, BOOKTITLE = {Proceedings of the 8th International Symposium on Software Engineering for Adaptive and Self-Managing Systems}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/eaisabsa.pdf}, ABSTRACT = {Although architecture-based self-adaptation has been widely used, there is still little understanding about the validity and tradeoffs of incorporating it into real-world software-intensive systems which already feature built-in adaptation mechanisms. In this paper, we report on our experience in integrating Rainbow, a platform for architecture-based self-adaptation, and an industrial middleware employed to monitor and manage highly populated networks of devices. Concretely, we reflect on aspects such as the effort required for framework customization and legacy code refactoring, performance improvement, and the impact of architecture-based self-adaptation on system evolution.}, KEYWORDS = {Rainbow} } @Article{Kang2009, AUTHOR = {Kang, Sungwon and Garlan, David}, TITLE = {Valuation of Architecture-based Deterministic Plan for Software Evolution}, YEAR = {2009}, MONTH = {October}, JOURNAL = {The KIPS Transactions: Part D}, VOLUME = {16-D}, NUMBER = {5}, PAGES = {755-566}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/12 J4_200900069_R5-clean copy.pdf}, ABSTRACT = {Software architecture allows us to make many decisions about a software system and analyze it even before it exists in order to make systematic and planned development possible. Similarly, architecture-based software evolution planning makes planned evolution possible by allowing us to make many decisions about evolution of a software system and analyze its evolution at the level of architecture design before software evolution is realized. In this paper, we develop a framework for architecture-based software evolution planning for the class of deterministic evolution plans by defining and relating various essential concepts and developing its valuation mechanism so that a plan with the greatest value among candidate plans can be selected as the optimal plan. A case study is conducted for explicating the framework and exemplifying its usage.} } @InProceedings{Schmerl/2011/ICSE, AUTHOR = {Schmerl, Bradley and Garlan, David and Dwivedi, Vishal and Bigrigg, Michael W. and Carley, Kathleen M.}, TITLE = {SORASCS: A Case Study in SOA-based Platform Design for Socio-Cultural Analysis}, YEAR = {2011}, BOOKTITLE = {Proceedings of the 33rd International Conference on Software Engineering.}, ADDRESS = {Hawaii, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SORASCS-ICSE2011-cr-final.pdf}, ABSTRACT = {An increasingly important class of software-based systems is plat-forms that permit integration of third-party components, services, and tools. Service-Oriented Architecture (SOA) is one such plat-form that has been successful in providing integration and distri-bution in the business domain, and could be effective in other domains (e.g., scientific computing, healthcare, and complex deci-sion making). In this paper, we discuss our application of SOA to provide an integration platform for socio-cultural analysis, a domain that, through models, tries to understand, analyze and predict relationships in large complex social systems. In developing this platform, called SORASCS, we had to overcome issues we believe are generally applicable to any application of SOA within a domain that involves technically nave users and seeks to establish a sustainable software ecosystem based on a common integration platform. We discuss those issues and the lessons learned about the kinds of problems that occur, and pathways toward a solution.}, KEYWORDS = {Architectural Style, SORASCS} } @InProceedings{10.1109/ISESE.2004.1334899, AUTHOR = {Boehm, Barry and Bhuta, Jesal and Garlan, David and Gradman, Eric and Huang, LiGuo and Lam, Alexander and Madachy, Ray and Medvidovic, Nenad and Meyer, Kenneth and Meyers, Steven and Perez, Gustavo and Reinholtz, Kirk and Roshandel, Roshanak and Rouquette, Nicolas}, TITLE = {Using Empirical Testbeds to Accelerate Technology Maturity and Transition: The SCRover Experience}, YEAR = {2004}, BOOKTITLE = {International Symposium on Empirical Software Engineering}, PAGES = {117-126}, ADDRESS = {Los Alamitos, CA, USA}, PUBLISHER = {IEEE Computer Society}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ISESE04.pdf}, ABSTRACT = {This paper is an experience report on a first attempt to develop and apply a new form of software: a fullservice testbed designed to evaluate alternative software dependability technologies, and to accelerate their maturation and transition into project use. The SCRover testbed includes not only the specifications, code, and hardware of a public safety robot, but also the package of instrumentation, scenario drivers, seeded defects, experimentation guidelines, and comparative effort and defect data needed to facilitate technology evaluation experiments. The SCRover testbeds initial operational capability has been recently applied to evaluate two architecture definition languages (ADLs) and toolsets, Mae and AcmeStudio. The testbed evaluation showed (1) that the ADL-based toolsets were complementary and costeffective to apply to mission-critical systems; (2) that the testbed was cost-effective to use by researchers; and (3) that collaboration in testbed use by researchers and the Jet Propulsion Laboratory (JPL) project users resulted in actions to accelerate technology maturity and transition into project use. The evaluation also identified a number of lessons learned for improving the SCRover testbed, and for development and application of future technology evaluation testbeds.}, NOTE = {ISBN 0-7695-2165-7}, ANNOTE = {DOI : http://doi.ieeecomputersociety.org/10.1109/ISESE.2004.1334899}, KEYWORDS = {Software Engineering} } @Misc{2010/Vishal/EUO, AUTHOR = {Dwivedi, Vishal and Garlan, David and Schmerl, Bradley}, TITLE = {End User Orchestrations}, YEAR = {2010}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/EndUserOrchestrations.pdf}, ABSTRACT = {Service-orchestrations define how services can be composed together and are widely used to execute applications based on Service Oriented Architectures (SOAs). However, the various special purpose orchestration languages used today require code-level constructs that force the users to provide excessive technical detail. For many SOA domains end-users of these orchestrations have limited technical expertise, and hence these users find it difficult to specify orchestrations in current languages. Additionally, users specifying orchestrations would often like to reason about architectural attributes such as performance, security and composability - capabilities that current languages and tools do not support. In this paper we provide an improved technique for modeling orchestrations that allows users to focus primarily on the functional composition of services that is guided by tool supported domain-specific analyses. We introduce an abstract architectural specification language called SCORE (Simple Compositional ORchestration for End users) that defines the vocabulary of elements that can be used in a service composition. SCORE not only allows users to create correct service orchestrations, but it also removes the need for technical detail, most of which is auto-generated by tool support. We demonstrate the use of our approach to specify service-orchestrations in SORASCS (Service ORiented Architectures for Socio-Cultural Systems), which is a SOA system for the intelligence analysis domain. SORASCS users are analysts, who are involved with domain-specific analysis workflows that are represented using SCORE and executed.}, NOTE = {Submitted for publication}, KEYWORDS = {Service Composition, Software Architecture} } @Article{Kim2010, AUTHOR = {Kim, Jung Soo and Garlan, David}, TITLE = {Analyzing Architectural Styles}, YEAR = {2010}, JOURNAL = {Journal of Software and Systems}, VOLUME = {83}, NUMBER = {7}, PAGES = {1216-1235}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS-final-revision3.pdf}, ABSTRACT = {The backbone of most software architectures and component integration frameworks is one or more architectural styles that provide a domain-speci c design vocabulary and a set of constraints on how that vocabulary is used. Today's architectural styles are increasingly complex, involving rich vocabularies and numerous constraints. Hence, designing a sound and appropriate style becomes an intellectually challenging activity. Unfortunately, although there are numerous tools to help in the analysis of architectures for individual systems, relatively less work has been done on tools to help in the design of architectural styles. In this paper we address this gap by showing how to map an architectural style, expressed formally in an architectural description language, into a relational model that can then be checked for properties, such as whether a style is consistent, whether a style satis es some predicates over its architectural structure, and whether two styles are compatible for composition.}, KEYWORDS = {Architectural Analysis, Architectural Style} } @InProceedings{Views/Bhave/2010, AUTHOR = {Bhave, Ajinkya Y. and Krogh, Bruce and Garlan, David and Schmerl, Bradley}, TITLE = {Multi-domain Modeling of Cyber-Physical Systems using Architectural Views}, YEAR = {2010}, MONTH = {30 November}, BOOKTITLE = {Proceedings of the 1st Analytic Virtual Integration of Cyber-Physical Systems Workshop.}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MMCPSAV.pdf}, ABSTRACT = {Designing cyber-physical systems(CPSs)increasingly requires the use of multi-domain models throughout the development process. Ensuring consistent relationships between various system models is an important part of an integrated design methodology. This paper describes an architectural approach to reasoning about relations between heterogeneous system models. The runtime base architecture of the system is used as a unifying representation to compare the structure and semantics of the associated models. Each model is related to the base architecture through the abstraction of an architectural view, which captures structural and semantic correspondences between model elements and system entities. The use of the architectural view framework to relate system models from different domains is illustrated in the context of a quadrotor air vehicle.}, NOTE = {Co-located with RTSS 2010.}, KEYWORDS = {Architectural Style, Cyberphysical Systems} } @InProceedings{Ruchkin:2015:AAHP, AUTHOR = {Ruchkin, Ivan and Schmerl, Bradley and Garlan, David}, TITLE = {Architectural Abstractions for Hybrid Programs}, YEAR = {2015}, MONTH = {4-8 May}, BOOKTITLE = {Proceedings of the 18th International ACM Sigsoft Symposium on Component-Based Software Engineering (CBSE 2015)}, ADDRESS = {Montreal, QC, Canada}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/AAHP.pdf}, ABSTRACT = {Modern cyber-physical systems interact closely with continuous physical processes like kinematic movement. Software component frameworks do not provide an explicit way to represent or reason about these processes. Meanwhile, hybrid program models have been successful in proving critical properties of discrete-continuous systems. These programs deal with diverse aspects of a cyber-physical system such as controller decisions, component communication protocols, and mechanical dynamics, requiring several programs to address the variation. However, currently these aspects are often intertwined in mostly monolithic hybrid programs, which are difficult to understand, change, and organize. These issues can be addressed by component-based engineering, making hybrid modeling more practical. This paper lays the foundation for using architectural models to provide component-based benefits to developing hybrid programs. We build formal architectural abstractions of hybrid programs and formulas, enabling analysis of hybrid programs at the component level, reusing parts of hybrid programs, and automatic transformation from views into hybrid programs and formulas. Our approach is evaluated in the context of a robotic collision avoidance case study. }, NOTE = {CBSE Best Paper Award}, KEYWORDS = {Architecture View Consistency, Cyberphysical Systems, Landmark, Software Architecture} } @InProceedings{Bhave/CPS/2011, AUTHOR = {Bhave, Ajinkya Y. and Krogh, Bruce and Garlan, David and Schmerl, Bradley}, TITLE = {View Consistency in Architectures for Cyber-Physical Systems}, YEAR = {2011}, MONTH = {April}, BOOKTITLE = {Proceedings of the 2nd ACM/IEEE International Conference on Cyber-Physical Systems}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICCPS11_BKGS.pdf}, ABSTRACT = {Current methods for modeling, analysis, and design of cyber-physical systems lack a unifying framework due to the complexity and heterogeneity of the constituent elements and their interactions. Our approach is to define relationships between system models at the architectural level, which captures the structural interdependencies and some semantic interdependencies between representations without attempting to comprehend all of the details of any particular modeling formalism. This paper addresses the issue of defining and evaluating consistency between architectural views imposed by various heterogeneous models and a base architecture (BA) for the complete system. This notion of structural consistency ensures that the model elements adhere to the cyber and physical types and the connections between components present in the BA, which serves as the unifying framework for model-based development. Consistency checking between a model and the underlying system architecture is formulated as a typed graph matching problem between the connectivity graphs of the corresponding architectural view and the systems BA. The usefulness of the approach to check system modeling assumptions is illustrated in the context of two heterogeneous views of a quadrotor air vehicle.}, KEYWORDS = {Architecture View Consistency, Cyberphysical Systems} } @TechReport{Gennari/2011, AUTHOR = {Gennari, Jeffrey and Garlan, David}, TITLE = {Measuring Attack Surface in Software Architecture}, YEAR = {2011}, NUMBER = {CMU-ISR-11-121}, INSTITUTION = {Institute for Software Research, School of Computer Science, Carnegie Mellon University}, URL = {http://reports-archive.adm.cs.cmu.edu/anon/isr2011/abstracts/11-121.html}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CMU_ISR_11_121.PDF}, ABSTRACT = {In this report we show how to adapt the notion of attack surface to formally evaluate security properties at the architectural level of design and to identify vulnerabilities in architectural designs. Further we explore the application of this metric in the context of architecture-based transformations to improve security by reducing the attack surface. These transformations are described in detail and validated with a simple experiment.}, KEYWORDS = {Acme, AcmeStudio, Architectural Analysis, Science of Security} } @InProceedings{Rajhans/2011/CPS, AUTHOR = {Rajhans, Akshay and Bhave, Ajinkya Y. and Loos, Sarah and Krogh, Bruce and Platzer, Andre and Garlan, David}, TITLE = {Using Parameters in Architectural Views to Support Heterogeneous Design and Verification}, YEAR = {2011}, MONTH = {12-15 December}, BOOKTITLE = {50th IEEE Conference on Decision and Control (CDC) and European Control Conference (ECC)}, ADDRESS = {Orlando, FL}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/RBL+_CDC11.pdf}, ABSTRACT = {Current methods for designing cyber-physical systems lack a unifying framework due to the heterogeneous nature of the constituent models and their respective analysis and verification tools. There is a need for a formal representation of the relationships between the different models. Our approach is to define these relationships at the architectural level, associating with each model a particular view of the overall system base architecture. This architectural framework captures critical structural and semantic information without including all the details of the various modeling formalisms. This paper introduces the use of logical constraints over parameters in the architectural views to represent the conditions under which the specifications verified for each model are true and imply the system-level specification. Interdependencies and connections between the constraints in the architectural views are managed in the base architecture using first-order logic of real arithmetic to ensure consistency and correct reasoning. The approach is illustrated in the context of heterogeneous verification of a leader-follower vehicle scenario.}, KEYWORDS = {Architecture View Consistency, Cyberphysical Systems} } @Unpublished{Garlan/SWiFT/2011, AUTHOR = {Garlan, David and Schmerl, Bradley and Dwivedi, Vishal and Banerjee, Aparup and Glendenning, Laura and Nakayama, Mai and Patel, Nina}, TITLE = {SWiFT: A Tool for Constructing Workflows for Dynamic Network Analysis}, YEAR = {2011}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Paper.pdf}, ABSTRACT = {AbstractDynamic Network Analysis is a domain of computation that refers to the analysis of complex social systems that change over time. Within this domain, analysts need to be able to carry out workflows, involving composition of various tools and procedures that they use to extract and analyze social systems. Typically these workflows require the incorporation of heterogeneous tools in distributed locations, are interactive in that they allow dynamic parameterization and exploration, and can be shared with and reused by other analysts in different contexts. Furthermore, because such analysts are not computer programmers, they require an approach for constructing workflows that allows them to focus on their analysis task, and that provides them with appropriate guidance in constructing and reusing workflows. In this paper, we describe a tool, called SWiFT, that provides a workflow construction environment for dynamic network analysis, built on a service oriented architecture, that provides these features.}, NOTE = {http://acme.able.cs.cmu.edu/pubs/show.php?id=333}, KEYWORDS = {Service Composition, SORASCS} } @InProceedings{Barnes/NASA/2012, AUTHOR = {Barnes, Jeffrey M.}, TITLE = {NASA\'s Advanced Multimission Operations System: A Case Study in Software Architecture Evolution}, YEAR = {2012}, MONTH = {25-28 June}, BOOKTITLE = {Proceedings of the International ACM SIGSOFT Conference on the Quality of Software Architectures 2012}, ADDRESS = {Bertinoro, Italy}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/qosa-12-camera.pdf}, ABSTRACT = {Virtually all software systems of significant size and longevity eventually undergo changes to their basic architectural structure. Such changes may be prompted by new feature requests, new quality attribute requirements, changing technology, or other reasons. Whatever the cause, software architecture evolution is commonplace in real-world software projects. However, research in this area has suffered from problems of validation; previous work has tended to make heavy use of toy examples and hypothetical scenarios and has not been well supported by real-world examples. To help address this problem, this paper presents a case study of an ongoing effort at the Jet Propulsion Laboratory to rearchitect the Advanced Multimission Operations System used to operate NASA�s deep-space and astrophysics missions. Based on examination of project documents and interviews with project personnel, I describe the goals and approach of this evolution effort, then demonstrate how approaches and formal methods from previous research in architecture evolution may be applied to this evolution while using languages and tools already in place at the Jet Propulsion Laboratory.}, KEYWORDS = {Architecture Evolution} } @InProceedings{Casonova/2011/ARFD, AUTHOR = {Casanova, Paulo and Schmerl, Bradley and Garlan, David and Abreu, Rui}, TITLE = {Architecture-based Run-time Fault Diagnosis}, YEAR = {2011}, MONTH = {13-16 September}, BOOKTITLE = {Proceedings of the 5th European Conference on Software Architecture}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ecsa2011-abrtfd.pdf}, ABSTRACT = {An important step in achieving robustness to run-time faults is the ability to detect and repair problems when they arise in a running system. Effective fault detection and repair could be greatly enhanced by run-time fault diagnosis and localization, since it would allow the repair mechanisms to focus adaptation effort on the parts most in need of attention. In this paper we describe an approach to run-time fault diagnosis that combines architectural models with spectrum-based reasoning for multiple fault localization. Spectrum-based reasoning is a lightweight technique that takes a form of trace abstraction and produces a list (ordered by probability) of likely fault candidates. We show how this technique can be combined with architectural models to support run-time diagnosis that can (a) scale to modern distributed software systems; (b) accommodate the use of black-box components and proprietary infrastructure for which one has neither a specification nor source code; and (c) handle inherent uncertainty about the probable cause of a problem even in the face of transient faults and faults that arise only when certain combinations of system components interact.}, KEYWORDS = {Rainbow, Self-adaptation} } @InProceedings{2011:Dwivedi:SCORE, AUTHOR = {Dwivedi, Vishal and Velasco Elizondo, Perla and Maria Fernandes, Jose and Garlan, David and Schmerl, Bradley}, TITLE = {An Architectural Approach to End User Orchestrations}, YEAR = {2011}, MONTH = {13-16 September}, BOOKTITLE = {Proceedings of the 5th European Conference on Software Architecture}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ECSA-EndUserOrchestrations.pdf}, ABSTRACT = {Computations are pervasive across many domains, where end users have to compose various heterogeneous computational entities to perform professional activities. Service-Oriented Architecture (SOA) is a widely used mechanism that can support such forms of compositions as it allows heterogeneous systems to be wrapped as services that can then be combined with each other. However, current SOA orchestration languages require writing scripts that are typically too low-level for end users to write, being targeted at professional programmers and business analysts. To address this problem, this paper proposes an approach based on an architectural-style for service orchestration using an end user specification style called SCORE. SCORE uses high-level constructs that can be tailored for different domains and automatically translated into executable constructs by tool support. We demonstrate the usefulness of SCORE across two domains dynamic network analysis and neuroscience, where users are intelligence analysts and scientists respectively. They can use an architectural style based vocabulary as a basis of their domain-specific}, KEYWORDS = {Architectural Style, Service Composition, Software Architecture, SORASCS} } @Article{2012:Cheng:Stitch, AUTHOR = {Cheng, Shang-Wen and Garlan, David}, TITLE = {Stitch: A Language for Architecture-Based Self-Adaptation}, YEAR = {2012}, MONTH = {December}, JOURNAL = {Journal of Systems and Software, Special Issue on State of the Art in Self-Adaptive Systems}, VOLUME = {85}, NUMBER = {12}, EDITOR = {Weyns, Danny and Andersson, Jesper and Malek, Sam and Schmerl, Bradley}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS-S-11-00544.pdf}, ABSTRACT = {Requirements for high availability in computing systems today demand that systems be self-adaptive to maintain expected qualities-of-service in the presence of system faults, variable environmental conditions, and changing user requirements. Autonomic computing tackles the challenge of automating tasks that humans would otherwise have to perform to achieve this goal. However, existing approaches to autonomic computing lack the ability to capture routine human repair tasks in a way that takes into account the business context that humans use in selecting an appropriate form of adaptation, while dealing with timing delays and uncertainties in outcome of repair actions. In this article, we present Stitch, a language for representing repair strategies within the context of an architecture-based self-adaptation framework. Stitch supports the explicit representation of repair decision trees together with the ability to express business objectives, allowing a self-adaptive system to select a strategy that has optimal utility in a given context, even}, NOTE = {http://dx.doi.org/10.1016/j.jss.2012.02.060 }, KEYWORDS = {Landmark, Rainbow, Self-adaptation, Self-Repair, Stitch} } @Article{Garlan/Mismatch/2009, AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John}, TITLE = {Architectural Mismatch: Why Reuse is Still So Hard}, YEAR = {2009}, MONTH = {July}, JOURNAL = {IEEE Software, 25th-Anniversary Top Picks}, PAGES = {66-69}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/DG+09.pdf}, KEYWORDS = {Software Architecture} } @InCollection{Sousa-SDT2009, AUTHOR = {Sousa, Jo\~{a}o and Balan, Rajesh Krishna and Poladian, Vahe and Garlan, David and Satyanarayanan, Mahadev}, TITLE = {A Software Infrastructure for User-Guided Quality-of-Service Tradeoffs}, YEAR = {2009}, BOOKTITLE = {Software and Data Technologies}, VOLUME = {47}, PAGES = {48-61}, EDITOR = {Cordeiro, J.}, SERIES = {CCIS}, PUBLISHER = {Springer}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SIUGQoST.pdf}, ABSTRACT = {This paper presents a framework for engineering resource-adaptive software targeted at small mobile devices. Rather than building a solution from scratch, we extend and integrate existing work on software infrastructures for ubiquitous computing, and on resource-adaptive applications. This paper addresses two research questions: first, is it feasibility to coordinate resource allocation and adaptation policies among several applications in a way that is both effective and efficient. And second, can end-users understand and control such adaptive behaviors dynamically, depending on user-defined goals for each activity. The evaluation covered both the systems and the usability perspectives, the latter by means of a user study. The contributions of this work are: first, a set of design guidelines, including APIs for integrating new applications; second, a concrete infrastructure that implements the guidelines. And third, a way to model quality of service tradeoffs based on utility theory, which our research indicates end-users with diverse backgrounds are able to leverage for guiding the adaptive behaviors towards activity-specific quality goals.}, KEYWORDS = {Activity-oriented Computing, Self-awareness & Adaptation, Software Architecture, Ubiquitous Computing, Usability} } @InProceedings{Garlan:2010:SEU:1882362.1882389, AUTHOR = {Garlan, David}, TITLE = {Software Engineering in an Uncertain World}, YEAR = {2010}, BOOKTITLE = {Proceedings of the FSE/SDP workshop on Future of Software Engineering Research}, PAGES = {125--128}, SERIES = {FoSER '10}, ADDRESS = {New York, NY, USA}, PUBLISHER = {ACM}, URL = {http://doi.acm.org/10.1145/1882362.1882389}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/foser057-garlan.pdf}, ABSTRACT = {In this paper, we argue that the reality of today's software systems requires us to consider uncertainty as a first-class concern in the design, implementation, and deployment of those systems. We further argue that this induces a paradigm shift, and a number of research challenges that must be addressed.}, NOTE = {ISBN 978-1-4503-0427-6}, KEYWORDS = {Software Architecture, Software Engineering, uncertainty} } @Book{Clements2011, AUTHOR = {Clements, Paul and Bachmann, Felix and Bass, Len and Garlan, David and Ivers, James and Little, Reed and Merson, Paulo and Nord, Robert and Stafford, Judith}, TITLE = {Documenting Software Architectures: Views and Beyond, Second Edition}, YEAR = {2011}, PUBLISHER = {Addison Wesley}, KEYWORDS = {Landmark, Software Architecture} } @InBook{Weyns/Schmerl/2012, AUTHOR = {Weyns, Danny and Schmerl, Bradley and Grassi, Vincenzo and Malek, Sam and Mirandola, Raffaela and Prehofer, Christian and Wuttke, Jochen and Andersson, Jesper and Giese, Holger and Goeschka, Karl}, TITLE = {On Patterns for Decentralized Control in Self-Adaptive Systems}, YEAR = {2012}, BOOKTITLE = {Software Engineering for Self-Adaptive Systems II}, VOLUME = {7475}, EDITOR = {de Lemos, Rog\'{e}rio and Giese, Holger and Muller, Hausi and Shaw, Mary}, SERIES = { LNCS }, PUBLISHER = {Springer}, ABSTRACT = {Self-adaptive systems have the ability to adapt themselves to changes in the environment and internal dynamics to achieve particular goals. Self-adaptation is typically realized using control loops. When systems are large, complex, and heterogeneous, a single control loop may not be sufficient. Given the central role control loops play in the way we conceptualize, design, and implement self-adaptive systems, their patterns of interaction should be made explicit to foster comprehension and analysability, and to serve as the basis for developing guidelines and documenting common design choices for engineers. Because of the diversity of ways that existing self-adaptive systems organize the various self-adaptation activities, it is timely to reflect on these systems to: (a) consolidate the knowledge in this area, and (b) to develop a systematic approach for describing different control schema. In this paper, we contribute with a simple notation for describing control schema with multiple control loops, which we believe helps in achieving (b), and we use this notation to describe a number of existing self-adaptation patterns, to begin to fulfill (a). From our study, we outline numerous remaining research challenges and future work in this area.}, KEYWORDS = {Coordination, Self-adaptation} } @TechReport{Garlan/CSPE/2011, AUTHOR = {Garlan, David and Lattanze, Anthony}, TITLE = {Computer Science for Practicing Engineers: Computer Science for Everyone Else}, YEAR = {2011}, NUMBER = {CMU-ISR-11-115}, INSTITUTION = {Institute for Software Research, School of Computer Science, Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CMU-ISR-11-115.pdf}, ABSTRACT = {The Computer Science for Practicing Engineers (CS4PE) course is a breath-oriented course covering key topics in computer science that represent critical foundational knowledge for anyone developing software. The course is designed for students and professionals who do not have a formal background in computer science, but currently write, or anticipate writing software as a key part of their job. CS4PE represents one important facet of Computation Thinking [Wing 2006]. Computational thinking is a fundamental skill for everyone, not just for computer scientists. To those core concepts essential to a particular professional discipline, we need to add computational thinking to every professionals analytical ability. The purpose of this report is to describe the motivation for, and the development of, the CS4PE course. The aim is to describe why such a course is needed, the design of the course, our experience in delivering the course since its inception, and feedback received from a peer review of the course content and assignments during the 2010 Conference on Software Engineering Education and Training. We will also discuss how and why the course has evolved since its initial development and delivery, as well as future directions that we expect the course to move in.}, KEYWORDS = {Education, Software Engineering} } @InProceedings{Velasco/Mismatch/2013, AUTHOR = {Velasco Elizondo, Perla and Dwivedi, Vishal and Garlan, David and Schmerl, Bradley and Maria Fernandes, Jose}, TITLE = {Resolving Data Mismatches in End-User Compositions}, YEAR = {2013}, MONTH = {10-13 June}, BOOKTITLE = {Proceedings of the 4th International Symposium on End-User Development}, ADDRESS = {IT University of Copenhagen, Denmark}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/resolvingDataMismatchesVelasco_Mismatch_2013.pdf}, ABSTRACT = {Many domains such as scientific computing and neuroscience require end users to compose heterogeneous computational entities to automate their professional tasks. However, an issue that frequently hampers such composition is data-mismatches between computational entities. Although, many composition frameworks today provide support for data mismatch resolution through specialpurpose data converters, end users still have to put significant effort in dealing with data mismatches, e.g., identifying the available converters and determining which of them meet their QoS expectations. In this paper we present an approach that eliminates this effort by automating the detection and resolution of data mismatches. Specifically, it uses architectural abstractions to automatically detect different types of data mismatches, model-generation techniques to fix those mismatches, and utility theory to decide the best fix based on QoS constraints. We illustrate our approach in the neuroscience domain where data-mismatches can be fixed in an efficient manner on the order of few seconds.}, KEYWORDS = {End-user Architecture, SORASCS} } @Article{Barnes/AEVol/2012, AUTHOR = {Barnes, Jeffrey M. and Garlan, David and Schmerl, Bradley}, TITLE = {Evolution styles: foundations and models for software architecture evolution}, YEAR = {2014}, MONTH = {May}, JOURNAL = {Journal of Software and Systems Modeling}, VOLUME = {13}, NUMBER = {2}, PAGES = {649-678}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/sosym.pdf}, ABSTRACT = {As new market opportunities, technologies, platforms, and frameworks become available, systems require large-scale and systematic architectural restructuring to accommodate them. Todays architects have few techniques to help them plan this architecture evolution. In particular, they have little assistance in planning alternative evolution paths, trading off various aspects of the different paths, or knowing best practices for particular domains. In this paper we describe an approach for planning and reasoning about architecture evolution. Our approach focuses on providing architects with the means to model prospective evolution paths and supporting analysis to select among these candidate paths. To demonstrate the usefulness of our approach, we show how it can be applied to an actual architecture evolution. In addition, we present some theoretical results about our evolution path constraint specification language.}, NOTE = {DOI 10.1007/s10270-012-0301-9}, KEYWORDS = {Architecture Evolution, Landmark} } @InProceedings{Garlan/EUA/2012, AUTHOR = {Garlan, David and Dwivedi, Vishal and Ruchkin, Ivan and Schmerl, Bradley}, TITLE = {Foundations and Tools for End-User Architecting}, YEAR = {2012}, BOOKTITLE = {Large-Scale Complex IT Systems. Development, Operation and Management, 17th Monterey Workshop 2012, Oxford, UK, March 19-21, 2012}, VOLUME = {7539}, PAGES = {157-182}, EDITOR = {Garlan, David and Calinescu, Radu}, SERIES = {Lecture Notes in Computer Science}, PUBLISHER = {Springer}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/EUA-LNCS.pdf}, ABSTRACT = {Within an increasing number of domains an important emerging need is the ability for technically naive users to compose computational elements into novel configurations. Examples include astronomers who create new analysis pipelines to process telescopic data, intelligence analysts who must process diverse sources of unstructured text to discover socio-technical trends, and medical researchers who have to process brain image data in new ways to understand disease pathways. Creating such compositions today typically requires low-level technical expertise, limiting the use of computational methods and increasing the cost of using them. In this paper we describe an approach -- which we term end-user architecting -- that exploits the similarity between such compositional activities and those of software architects. Drawing on the rich heritage of software architecture languages, methods, and tools, we show how those techniques can be adapted to support end users in composing rich computational systems through domain-specific compositional paradigms and component repositories, without requiring that they have knowledge of the low-level implementation details of the components or the compositional infrastructure. Further, we outline a set of open research challenges that the area of end-user architecting raises.}, NOTE = {Book Reference: http://www.springer.com/computer/swe/book/978-3-64234058-1}, KEYWORDS = {End-user Architecture, Landmark, Service Composition, SORASCS} } @InProceedings{2013:Casanova/Garlan, AUTHOR = {Casanova, Paulo and Garlan, David and Schmerl, Bradley and Abreu, Rui}, TITLE = {Diagnosing architectural run-time failures}, YEAR = {2013}, MONTH = {20-21 May}, BOOKTITLE = {Proceedings of the 8th International Symposium on Software Engineering for Adaptive and Self-Managing Systems}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/darf.pdf}, ABSTRACT = {Self-diagnosis is a fundamental capability of self-adaptive systems. In order to recover from faults, systems need to know which part is responsible for the incorrect behavior. In previous work we showed how to apply a design-time diagnosis technique at run time to identify faults at the architectural level of a system. Our contributions address three major shortcomings of our previous work: 1) we present an expressive, hierarchical language to describe system behavior that can be used to diagnose when a system is behaving different to expectation; the hierarchical language facilitates mapping low level system events to architecture level events; 2) we provide an automatic way to determine how much data to collect before an accurate diagnosis can be produced; and 3) we develop a technique that allows the detection of correlated faults between components. Our results are validated experimentally by injecting several failures into a system and accurately diagnosing them using our algorithm.}, NOTE = {Received SEAMS 2013 Best Paper Award}, KEYWORDS = {Diagnosis, Self-adaptation} } @PhdThesis{2011/Bhave/Thesis, AUTHOR = {Bhave, Ajinkya Y.}, TITLE = {Multi-View Consistency in Architectures for Cyber-Physical Systems}, YEAR = {2011}, SCHOOL = {Department of Electrical and Computer Engineering, Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ajinkya-thesis.pdf}, ABSTRACT = {Today's complex cyber-physical systems (CPSs) are created using models throughout the system development life cycle, a process referred to as model-based design (MBD). The heterogeneity of elements in CPSs requires multiple perspectives and formalisms to explore the complete design space. Ensuring the consistency of these various system models is an important part of the integrated MBD approach.

In this thesis, we propose to unify heterogeneous system models through light-weight representations of their structure and semantics using architectural descriptions. Architectures are annotated structural representations that describe systems at a high level of abstraction, allowing designers to determine appropriate assignment of functionality to elements, and make trade-o s between different quality attributes. There are two fundamental shortcomings of current architecture modeling capabilities that limit their potential to fully address the engineering problems of large-scale, heterogeneous CPSs: (i) limited vocabulary to represent physical elements and their interactions; and (ii) inadequate ways to support consistency relations between heterogeneous architecture views of the same system.

This thesis addresses the first shortcoming through the development of the CPS architectural style that supports a uni ed representation of both physical and cyber elements and their interactions in the same framework. This ability allows the architect to create a common base architecture (BA) for a CPS that provides a uni ed point of reference for multi-domain system models. To address the second shortcoming, the architectural view is used as the mechanism to represent the architectures of system models as abstractions of the underlying shared BA. In this context, well-de ned mappings between a view and the BA are used to identify and manage semantically equivalent elements (and their relations) between each model and the underlying system. Structural consistency de nes when an architectural view conforms to the structural and semantic constraints imposed by components and connectors in the system's BA. Such a notion of consistency ensures that the model elements adhere to the connectivity constraints and physical laws present between elements in the BA. We define view consistency as the existence of an appropriate morphism between the typed graphs of a view and the BA. Depending on the type of morphism present, two notions of consistency are defined: view conformance and view completeness.

Our tool framework is implemented in the AcmeStudio architecture design framework, and consists of a view map language, a graphical view editor, and a set of graph morphism algorithms for consistency checking. We illustrate the application of our architectural approach with two case studies: an autonomous quadrotor with heterogeneous legacy models, and management of model variants in simulation environments for engine control of vehicles.}, KEYWORDS = {Cyberphysical Systems} } @InProceedings{Yuan/2013/ABSS, AUTHOR = {Yuan, Eric and Malek, Sam and Schmerl, Bradley and Garlan, David and Gennari, Jeffrey}, TITLE = {Architecture-Based Self-Protecting Software Systems}, YEAR = {2013}, MONTH = {17-21 June}, BOOKTITLE = {Proceedings of the Ninth International ACM Sigsoft Conference on the Quality of Software Architectures (QoSA 2013)}, PAGES = {33-42}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/p33-yuan.pdf}, ABSTRACT = {Since conventional software security approaches are often manually developed and statically deployed, they are no longer sufficient against today's sophisticated and evolving cyber security threats. This has motivated the development of self-protecting software that is capable of detecting security threats and mitigating them through runtime adaptation techniques. In this paper, we argue for an architecture-based self- protection (ABSP) approach to address this challenge. In ABSP, detection and mitigation of security threats are informed by an architectural representation of the running system, maintained at runtime. With this approach, it is possible to reason about the impact of a potential security breach on the system, assess the overall security posture of the system, and achieve defense in depth. To illustrate the effectiveness of this approach, we present several architecture adaptation patterns that provide reusable detection and mitigation strategies against well-known web application security threats. Finally, we describe our ongoing work in realizing these patterns on top of Rainbow, an existing architecture-based adaptation framework.}, NOTE = {DOI: 10.1145/2465478.2465479}, KEYWORDS = {Rainbow, Science of Security, Self-adaptation} } @Article{Rajhans/TAC/2013, AUTHOR = {Rajhans, Akshay and Bhave, Ajinkya Y. and Ruchkin, Ivan and Krogh, Bruce and Garlan, David and Platzer, Andre and Schmerl, Bradley}, TITLE = {Supporting Heterogeneity in Cyber-Physical Systems Architectures}, YEAR = {2014}, MONTH = {December}, JOURNAL = {IEEE Transactions on Automatic Control}, VOLUME = {59}, NUMBER = {12}, PAGES = {3178--3193}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/TAS-Dec-2014.pdf}, ABSTRACT = {Cyber-physical systems (CPS) are heterogeneous, because they tightly couple computation, communication and control along with physical dynamics, which are traditionally considered separately. Without a comprehensive modeling formalism, model-based development of CPS involves using a multitude of models in a variety of formalisms that capture various aspects of the system design, such as software design, networking design, physical models, and protocol design. Without a rigorous unifying framework, system integration and integration of the analysis results for various models remains ad hoc. In this paper, we propose a multi-view architecture framework that treats models as views of the underlying system structure and uses structural and semantic mappings to ensure consistency and enable system-level veri?cation from that of the models in a hierarchical and compositional manner. Throughout the paper, the theoretical concepts are illustrated using two examples, an automotive intersection collision avoidance system and a quadrotor.}, NOTE = {Also available at http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6882828}, KEYWORDS = {Cyberphysical Systems, Landmark} } @InProceedings{2013:Barnes/TOPI, AUTHOR = {Barnes, Jeffrey M. and Garlan, David}, TITLE = {Challenges in Developing a Software Architecture Evolution Tool as a Plug-In}, YEAR = {2013}, MONTH = {21 May}, BOOKTITLE = {Proceedings of the 3rd Workshop on Developing Tools as Plug-Ins}, PAGES = {13--18}, ADDRESS = {San Francisco, CA, USA}, ABSTRACT = {Recent research has developed a theoretical basis for providing software architects with better support for planning and carrying out major evolutions of software systems. However, these theoretical models have yet to be implemented in a complete, integrated tool. In this paper, we consider some of the challenges involved in developing such a tool as a plug-in to an existing architecture modeling framework. We present an experience report based on the development of a prototype architecture evolution tool as a plug-in to MagicDraw, a commercial UML tool. We find that there are many practical obstacles to developing tools for architecture evolution modeling as plug-ins, and we discuss some of the key factors that plug-in developers should weigh when considering frameworks.}, KEYWORDS = {Architecture Evolution} } @TechReport{2013:Casanova/Samsung, AUTHOR = {Casanova, Paulo and Schmerl, Bradley and Garlan, David and Abreu, Rui and Ahn, Jungsik}, TITLE = {Applying Autonomic Diagnosis at Samsung Electronics}, YEAR = {2013}, MONTH = {September}, NUMBER = {CMU-ISR-13-111}, INSTITUTION = {Institute for Software Research, Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/cmu-isr-13-111.pdf}, ABSTRACT = {An increasingly essential aspect of many critical software systems is the ability to quickly diagnose and locate faults so that appropriate corrective measures can be taken. Large, complex software systems fail unpredictably and pinpointing the source of the failure is a challenging task. In this paper we explore how our recently developed technique for automatic diagnosis performs in the automatic detection of failures and fault localization in a critical manufacturing control system of Samsung Electronics, where failures can result in large financial and schedule losses. We show how our approach can scale to such systems to diagnose intermittent faults, connectivity problems, protocol violations, and timing failures. We propose a set of measures of accuracy and performance that can be used to evaluate run-time diagnosis. We present lessons learned from this work including how instrumentation limitations may impair diagnosis accuracy: without overcoming these, there is a limit to the kinds of faults that can be detected.}, KEYWORDS = {Autonomic Systems, Diagnosis} } @InCollection{Lemos13, AUTHOR = {de Lemos, Rog\'{e}rio and Giese, Holger and Muller, Hausi A. and Shaw, Mary and Andersson, Jesper and Baresi, Luciano and Becker, Basil and Bencomo, Nelly and Brun, Yuriy and Cukic, Bojan and Desmarais, Ron and Dustdar, Schahram and Engels, Gregor and Geihs, Kurt and Goeschka, Karl M. and Gorla, Alessandra and Grassi, Vincenzo and Inverardi, Paola and Karsai, Gabor and Kramer, Jeff and Litoiu, Marin and Lopes, Ant\'{o}nia and Magee, Jeff and Malek, Sam and Mankovskii, Serge and Mirandola, Raffaela and Mylopoulos, John and Nierstrasz, Oscar and Pezz, Mauro and Prehofer, Christian and Schafer, Wilhelm and Schlichting, Rick and Schmerl, Bradley and Smith, Dennis B. and Sousa, Jo\~{a}o and Tamura, Gabriel and Tahvildari, Ladan and Villegas, Norha M. and Vogel, Thomas and Weyns, Danny and Wong, Kenny and Wuttke, Jochen}, TITLE = {Software engineering for self-adaptive systems: A second research roadmap}, YEAR = {2013}, BOOKTITLE = {Software Engineering for Self-Adaptive Systems II}, VOLUME = {7475}, PAGES = {1--32}, EDITOR = {de Lemos, Rog\'{e}rio and Giese, Holger and Muller, Hausi A. and Shaw, Mary}, PUBLISHER = {Springer-Verlag}, ABSTRACT = {The goal of this roadmap paper is to summarize the state-of-the-art and identify research challenges when developing, deploying and managing self-adaptive software systems. Instead of dealing with a wide range of topics associated with the field, we focus on four essential topics of self-adaptation: design space for self-adaptive solutions, software engineering processes for self-adaptive systems, from centralized to decentralized control, and practical run-time verification & validation for self-adaptive systems. For each topic, we present an overview, suggest future directions, and focus on selected challenges. This paper complements and extends a previous roadmap on software engineering for self-adaptive systems published in 2009 covering a different set of topics, and reflecting in part on the previous paper. This roadmap is one of the many results of the Dagstuhl Seminar 10431 on Software Engineering for Self-Adaptive Systems, which took place in October 2010.}, KEYWORDS = {Self-adaptation} } @TechReport{Cataldo:2013/SBE, AUTHOR = {Cataldo, Marcelo and Garlan, David and Herbsleb, James and McConahy, Amber Lynn and Park, Young-Suk Ahn and Schmerl, Bradley}, TITLE = {Software Platforms for Smart Building Ecosystems: Understanding the Key Architectural Capabilities and Trade-offs}, YEAR = {2013}, NUMBER = {CMU-ISR-13-104}, INSTITUTION = {Institute for Software Research, Carnegie Mellon University}, KEYWORDS = {Software Architecture} } @TechReport{Schmerl/MTD/2014, AUTHOR = {Schmerl, Bradley and C\'{a}mara, Javier and Moreno, Gabriel A. and Garlan, David and Mellinger, Andrew}, TITLE = {Architecture-Based Self-Adaptation for Moving Target Defense}, YEAR = {2014}, NUMBER = {CMU-ISR-14-109}, INSTITUTION = {Institute for Software Research, Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CMU-ISR-14-109.pdf}, ABSTRACT = {The fundamental premise behind Moving Target Defense (MTD) is to create a dynamic and shifting system that is more difficult to attack than a static system because a constantly changing attack surface at least reduces the chance of an attacker finding and exploiting the weakness. However, MTD approaches are typically chosen without regard to other qualities of the system, such as performance or cost. This report explores the use of self-adaptive systems, in particular those based on the architecture of the running system. A systems software architecture can be used to trade off different quality dimensions of the system. In particular, this report describes the first steps in reasoning formally about MTD approaches, and elevating this reasoning to an architectural level, along three thrusts: (1) creating an initial catalog of MTD tactics that can be used at the architectural level, along with the impacts on security and other quality concerns, (2) using this information to inform proactive self-adaptation that uses predictions of tactic duration to improve the self-adaptation, and (3) using stochastic multiplayer games to verify the the behavior of a variety of MTD scenarios, from uninformed to predictive-reactive. This work is applied in the context of the Rainbow self-adaptive framework.}, KEYWORDS = {Rainbow, Science of Security, Self-adaptation, Software Architecture} } @InProceedings{Barnes:2013/EvolutionPlanning, AUTHOR = {Barnes, Jeffrey M. and Pandey, Ashutosh and Garlan, David}, TITLE = {Automated Planning for Software Architecture Evolution}, YEAR = {2013}, MONTH = {11-15 November}, BOOKTITLE = {The 28th IEEE/ACM International Conference on Automated Software Engineering}, ADDRESS = {Silicon Valley, CA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ASE2013-final.pdf}, ABSTRACT = {In previous research, we have developed a theoretical framework to help software architects make better decisions when planning software evolution. Our approach is based on representation and analysis of candidate evolution pathssequences of transitional architectures leading from the current system to a desired target architecture. One problem with this kind of approach is that it imposes a heavy burden on the software architect, who must explicitly define and model these candidate paths. In this paper, we show how automated planning techniques can be used to support automatic generation of evolution paths, relieving this burden on the architect. We illustrate our approach by applying it to a data migration scenario, showing how this architecture evolution problem can be translated into a planning problem and solved using existing automated planning tools.}, KEYWORDS = {Architecture Evolution} } @InProceedings{2013/Casanova/Unobserved, AUTHOR = {Casanova, Paulo and Garlan, David and Schmerl, Bradley and Abreu, Rui}, TITLE = {Diagnosing Unobserved Components in Self-Adaptive Systems}, YEAR = {2014}, MONTH = {2-3 June}, BOOKTITLE = {9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ADDRESS = {Hyderabad, India}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/unobserved2013_Casanova_Unobserved.pdf}, ABSTRACT = {Availability is an increasingly important quality for today's software-based systems and it has been successfully addressed by the use of closed-loop control systems in self-adaptive systems. Probes are inserted into a running system to obtain information and the information is fed to a controller that, through provided interfaces, acts on the system to alter its behavior. When a failure is detected, pinpointing the source of the failure is a critical step for a repair action. However, information obtained from a running system is commonly incomplete due to probing costs or unavailability of probes. In this paper we address the problem of fault localization in the presence of incomplete system monitoring. We may not be able to directly observe a component but we may be able to infer its health state. We provide formal criteria to determine when health states of unobservable components can be inferred and establish formal theoretical bounds for accuracy when using any spectrum-based fault localization algorithm.}, KEYWORDS = {Diagnosis, Self-adaptation} } @InProceedings{2014/Dwivedi/Mutlifidelity, AUTHOR = {Dwivedi, Vishal and Garlan, David and Pfeffer, J\"{u}rgen and Schmerl, Bradley}, TITLE = {Model-based Assistance for Making Time/Fidelity Trade-offs in Component Compositions}, YEAR = {2014}, MONTH = {7-9 April}, BOOKTITLE = {11th International Conference on Information Technology : New Generations (ITNG 2014), Special track on: MDCBSE: Model-Driven, Component-Based Software Engineering}, ADDRESS = {Las Vegas, NV}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ITNGpaper.pdf}, ABSTRACT = {In many scientific fields, simulations and analyses require compositions of computational entities such as web services, programs, and applications. In such fields, users may want various trade-offs between different qualities. Examples include: (i) performing a quick approximation vs. an accurate, but slower, experiment, (ii) using local slower execution environments vs. remote, but advanced, computing facilities, (iii) using quicker approximation algorithms vs. computationally expensive algorithms with smaller data. However, such trade-offs are difficult to make as many such decisions today are either (a) wired into a fixed configuration and cannot be changed, or (b) require detailed systems knowledge and experimentation to determine what configuration to use. In this paper we propose an approach that uses architectural models coupled with automated design space generation for making fidelity and timeliness trade-offs. We illustrate this approach through an example in the intelligence analysis domain.}, KEYWORDS = {Acme, End-user Architecture, Model Checking, Mult-fidelity Applications, Resource Aware Computing} } @Article{Kang/2014/IJSEKE, AUTHOR = {Kang, Sungwon and Garlan, David}, TITLE = {Architecture-based planning of software evolution}, YEAR = {2014}, MONTH = {March}, JOURNAL = {International Journal of Software Engineering and Knowledge Engineering}, VOLUME = {24}, NUMBER = {2}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/evolutionPlanning.pdf}, ABSTRACT = {Software architecture allows us to make many decisions about a software system and analyze it even before it has been implemented, so as to make planned development possible. Similarly, architecture-based software evolution planning makes planned evolution possible by allowing us to make many decisions about the evolution of a software system and to analyze its evolution at the level of architecture design before software evolution is realized. In this paper, we develop a framework for architecture-based software evolution planning. It is done by defining various foundational terms and concepts, providing a taxonomy of software evolution plans, and then showing how to calculate values for various types of plans. By identifying and defining constituent foundational concepts, this conceptual framework makes precise the notion of architecture-based software planning. By developing a value-calculation framework for software evolution plans, it also provides a basis for concrete methods for designing and evaluating evolution plans.}, NOTE = {DOI: 10.1142/S0218194014500090}, KEYWORDS = {Architecture Evolution} } @TechReport{Barnes/CaseStudy2013, AUTHOR = {Barnes, Jeffrey M.}, TITLE = {Case Study Report: Architecture Evolution at Costco}, YEAR = {2013}, NUMBER = {CMU-ISR-13-116}, INSTITUTION = {Institute for Software Research, School of Computer Science, Carnegie Mellon University}, ABSTRACT = {Many software systems eventually undergo changes to their basic architectural structure. As systems age, they often require redesign in order to accommodate new requirements, support new technologies, or respond to changing market conditions. At present, however, software architects lack tools to assist them in developing plans for carrying out such evolution. In previous research, we have developed an approach to support architects in reasoning about evolution. Our approach is based on formally modeling and reasoning about possible evolution paths—sequences of transitional architectures leading from the current state to some desired target architecture. To date, much of this work has been theoretical in character. We have focused our efforts on the definition and elaboration of a theoretical framework for architecture evolution, and have done relatively little work on applying this theoretical research in practical contexts. This report presents a case study examining architecture evolution in depth in a real-world software organization: the IT division of a major global retailer. Based on content analysis of interview data and architectural documentation, the case study examines how practicing architects plan and reason about evolution, what challenges they face in doing so, and whether our modeling approach is adequate for capturing the concerns that arise in a real-world evolution. It finds that architects face a variety of pressing challenges in planning evolutions of major software systems, and use a variety of techniques to manage these challenges. It further finds that most of the major considerations that architects described in connection within a specific evolution can be successfully modeled using our approach, suggesting that the conceptual framework and specification languages that we have developed are expressive enough to be applicable to a real-world architecture evolution.}, KEYWORDS = {Architecture Evolution} } @PhdThesis{Barnes/Thesis/2013, AUTHOR = {Barnes, Jeffrey M.}, TITLE = {Software Architecture Evolution}, YEAR = {2013}, SCHOOL = {Institute for Software Research, School of Computer Science, Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CMU-ISR-13-118.pdf}, ABSTRACT = {Many software systems eventually undergo changes to their basic architectural structure. Such changes may be prompted by new feature requests, new quality attribute requirements, changing technology, or other reasons. Whatever the causes, architecture evolution is commonplace in real-world software projects. Todays software architects, however, have few techniques to help them plan such evolution. In particular, they have little assistance in planning alternatives, making trade-offs among these different alternatives, or applying best practices for particular domains. To address this, we have developed an approach for assisting architects in planning and reasoning about software architecture evolution. Our approach is based on modeling and analyzing potential evolution paths that represent different ways of evolving the system. We represent an evolution path as a sequence of transitional architectural states leading from the initial architecture to the target architecture, along with evolution operators that characterize the transitions among these states. We support analysis of evolution paths through the definition and application of constraints that express rules governing the evolution of the systemand evaluation functions that assess path quality. Finally, a set of these modeling elements may be grouped together into an evolution style that encapsulates a body of knowledge relevant to a particular domain of architecture evolution. We evaluate this approach in three ways. First, we evaluate its applicability to real-world architecture evolution projects. This is accomplished through case studies of two very different software organizations. Second, we undertake a formal evaluation of the computational complexity of verifying evolution constraints. Finally, we evaluate the implementability of the approach based on our experiences developing prototype tools for software architecture evolution.}, NOTE = {Technical Report CMU-ISR-13-118}, KEYWORDS = {Architecture Evolution} } @InProceedings{2014/Schmerl/ABSP-DoS, AUTHOR = {Schmerl, Bradley and C\'{a}mara, Javier and Gennari, Jeffrey and Garlan, David and Casanova, Paulo and Moreno, Gabriel A. and Glazier, Thomas J. and Barnes, Jeffrey M.}, TITLE = {Architecture-Based Self-Protection: Composing and Reasoning about Denial-of-Service Mitigations}, YEAR = {2014}, MONTH = {8-9 April}, BOOKTITLE = {HotSoS 2014: 2014 Symposium and Bootcamp on the Science of Security}, ADDRESS = {Raleigh, NC, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/absp-dos2014_Schmerl_ABSP-DoS.pdf}, ABSTRACT = {Security features are often hardwired into software applications, making it difficult to adapt security responses to reflect changes in runtime context and new attacks. In prior work, we proposed the idea of architecture-based self-protection as a way of separating adaptation logic from application logic and providing a global perspective for reasoning about security adaptations in the context of other business goals. In this paper, we present an approach, based on this idea, for combating denial-of- service (DoS) attacks. Our approach allows DoS-related tactics to be composed into more sophisticated mitigation strategies that encapsulate possible responses to a security problem. Then, utility-based reasoning can be used to consider diff erent business contexts and qualities. We describe how this approach forms the underpinnings of a scientific approach to self-protection, allowing us to reason about how to make the best choice of mitigation at runtime. Moreover, we also show how formal analysis can be used to determine whether the mitigations cover the range of conditions the system is likely to encounter, and the e ffect of mitigations on other quality attributes of the system. We evaluate the approach using the Rainbow self-adaptive framework and show how Rainbow chooses DoS mitigation tactics that are sensitive to diff erent business contexts.}, KEYWORDS = {Assurance, Autonomic Systems, Landmark, Model Checking, Rainbow, Science of Security, Self-adaptation, Stitch} } @InProceedings{Camara/Stochastic/2014, AUTHOR = {C\'{a}mara, Javier and Moreno, Gabriel A. and Garlan, David}, TITLE = {Stochastic Game Analysis and Latency Awareness for Proactive Self-Adaptation}, YEAR = {2014}, MONTH = {2-3 June}, BOOKTITLE = {9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ADDRESS = {Hyderabad, India}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/stochastic-proactive.pdf}, ABSTRACT = {Although diff erent approaches to decision-making in self- adaptive systems have shown their e ffectiveness in the past by factoring in predictions about the system and its environment (e.g., resource availability), no proposal considers the latency associated with the execution of tactics upon the target system. However, di fferent adaptation tactics can take diff erent amounts of time until their eff ects can be observed. In reactive adaptation, ignoring adaptation tactic latency can lead to suboptimal adaptation decisions (e.g., activating a server that takes more time to boot than the transient spike in traffic that triggered its activation). In proactive adaptation, taking adaptation latency into account is necessary to get the system into the desired state to deal with an upcoming situation. In this paper, we introduce a formal analysis technique based on model checking of stochastic multiplayer games (SMGs) that enables us to quantify the potential benefi ts of employing di fferent types of algorithms for self-adaptation. In particular, we apply this technique to show the potential benefi t of considering adaptation tactic latency in proactive adaptation algorithms. Our results show that factoring in tactic latency in decision making improves the outcome of adaptation. We also present an algorithm to do proactive adaptation that considers tactic latency, and show that it achieves higher utility than an algorithm that under the assumption of no latency is optimal.}, KEYWORDS = {Assurance, Landmark, Latency-aware, Model Checking, Self-adaptation} } @TechReport{CMU-ISR-17-119, AUTHOR = {Glazier, Thomas J. and Schmerl, Bradley and C\'{a}mara, Javier and Garlan, David}, TITLE = {Utility Theory for Self-Adaptive Systems}, YEAR = {2017}, MONTH = {December}, NUMBER = {CMU-ISR-17-119}, INSTITUTION = {Carnegie Mellon University Institute for Software Research}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CMU-ISR-17-119.pdf}, ABSTRACT = {Self-adaptive systems choose adaptations to perform on a running system. Typically, the self-adaptive system must choose the "best" adaptation to perform in a given circumstance from a set of adaptations that may apply. Utility functions are typically used to encode some measure of goodness or badness the result of choosing a particular adaptation. Within the area of utility theory, there are a set of theories that could be used to help choose the best adaptation, that vary in the assumptions and requirements made about the system, the environment, and the business context of use. By understanding some of the formalities and advanced concepts in Utility Theory, engineers and administrators of self-adaptive systems can create more effective utility functions for their purposes, enable new forms of analysis, and potentially move into new frontiers in self-adaptive systems. In this report, we survey some of the more interesting topics in Utility Theory relevant to self-adaptive systems include objective and subjective expected utility, stochastic and fuzzy utility, and changing and state dependent utility functions.}, NOTE = {http://reports-archive.adm.cs.cmu.edu/anon/isr2017/abstracts/17-119.html}, KEYWORDS = {Self-adaptation} } @InProceedings{2014/Ruchkin/CBI, AUTHOR = {Ruchkin, Ivan and De Niz, Dio and Chaki, Sagar and Garlan, David}, TITLE = {Contract-Based Integration of Cyber-Physical Analyses}, YEAR = {2014}, MONTH = {12-17 October}, BOOKTITLE = {Embedded Systems Week}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/paper-camera-ready-ieee-verified-178-EM82.pdf}, ABSTRACT = {Developing cyber-physical systems involves creating systems with properties from multiple domains, e.g., timing, logical correctness, thermal resilience, aerodynamics, and mechanical stress. In today�s industrial practice, multiple analyses are used to obtain and verify such properties. Unfortunately, given that these analyses originate from different scientific domains, they abstract away interactions among themselves, risking the invalidation of their results. Specifically, one challenge is to ensure that an analysis is never applied to a model that violates its assumptions. Since such violation can originate from the updating of the model by another analysis, analyses must be executed in the correct order. Another challenge is to do this soundly and scalably over models of realistic complexity and diverse set of analyses. To address these challenges, we develop an analysis integration approach that uses contracts to specify dependencies between analyses, determine their correct orders of application, and specify and verify applicability conditions across multiple domains. We present an implementation of our approach, and demonstrate its effectiveness, extensibility, and scalability.}, KEYWORDS = {Cyberphysical Systems, Landmark} } @InProceedings{Garlan:2014:SAT:2593882.2593886, AUTHOR = {Garlan, David}, TITLE = {Software Architecture: A Travelogue}, YEAR = {2014}, BOOKTITLE = {Proceedings of the on Future of Software Engineering}, PAGES = {29--39}, SERIES = {FOSE 2014}, ADDRESS = {New York, NY, USA }, PUBLISHER = {ACM}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/GarlanFOSE-Final-Rev.pdf}, ABSTRACT = {Over the past two and a half decades software architecture has emerged as an important subfield of software engineering. During that time there has been considerable progress in developing the technological and methodological base for treating architectural design as an engineering discipline. However, much still remains to be done to achieve that. Moreover, the changing face of technology raises a number of challenges for software architecture. This travelogue recounts the history of the field, its current state of practice and research, and speculates on some of the important emerging trends, challenges, and aspirations}, NOTE = {ISBN 978-1-4503-2865-4. Also available from ACM DOI: 10.1145/2593882.2593886.} } @TechReport{ruchkin_architectural_2014, AUTHOR = {Ruchkin, Ivan and Dwivedi, Vishal and Garlan, David and Schmerl, Bradley}, TITLE = {Architectural Modeling of Ozone Widget Framework End-User Compositions}, YEAR = {2014}, MONTH = {June}, NUMBER = {CMU-ISR-14-108}, ADDRESS = {Pittsburgh, PA}, TYPE = {Technical Report}, INSTITUTION = {Institute for Software Research, Carnegie Mellon University}, URL = {http://reports-archive.adm.cs.cmu.edu/anon/isr2014/abstracts/14-108.html}, ABSTRACT = {Ozone Widget Framework (OWF) is an event-based web platform for lightweight integration of widget applications. This technical report presents a formal model of OWFs widget composition mechanism. First, we present a detailed description of Ozones end user composition mechanism. Then, we describe our architectural modeling approach and its value for analysis of OWF widget compositions. We go through the process of creating an architectural style to represent assemblies of Ozone widgets, reviewing modeling decision points and style alternatives.} } @InProceedings{Camara/2014/Qosa, AUTHOR = {C\'{a}mara, Javier and Correia, Pedro and de Lemos, Rog\'{e}rio and Vieira, Marco}, TITLE = {Empirical Resilience Evaluation of an Architecture-based Self-Adaptive Software System}, YEAR = {2014}, MONTH = {30 June - 3 July}, BOOKTITLE = {Tenth International ACM Sigsoft Conference on the Quality of Software Architectures}, ADDRESS = {Lille, France}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/QoSA14.pdf}, ABSTRACT = {Architecture-based self-adaptation is considered as a promising approach to drive down the development and opera- tion costs of complex software systems operating in ever changing environments. However, there is still a lack of evidence supporting the arguments for the bene ficial impact of architecture-based self-adaptation on resilience with respect to other customary approaches, such as embedded code-based adaptation. In this paper, we report on an empirical study about the impact on resilience of incorporating architecture-based self-adaptation in an industrial middleware used to collect data in highly populated networks of devices. To this end, we compare the results of resilience evaluation between the original version of the middleware, in which adaptation mechanisms are embedded at the code- level, and a modifi ed version of that middleware in which the adaptation mechanisms are implemented using Rainbow, a framework for architecture-based self-adaptation. Our results show improved levels of resilience in architecture-based compared to embedded code-based self-adaptation.}, NOTE = {ACM SIGSOFT QoSA Distinguished Paper Award}, KEYWORDS = {Assurance, Landmark, Rainbow, Self-adaptation} } @InProceedings{Camara/FACS2014, AUTHOR = {C\'{a}mara, Javier and Lopes, Ant\'{o}nia and Garlan, David and Schmerl, Bradley}, TITLE = {Impact Models for Architecture-Based Self-Adaptive Systems}, YEAR = {2014}, MONTH = {10-12 September}, BOOKTITLE = {Proceedings of the 11th International Symposium on Formal Aspects of Component Software (FACS2014)}, ADDRESS = {Bertinoro, Italy}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/LGC-IM-submitted.pdf}, ABSTRACT = {Self-adaptive systems have the ability to adapt their behavior to dynamic operation conditions. In reaction to changes in the environment, these systems determine the appropriate corrective actions based in part on information about which action will have the best impact on the system. Existing models used to describe the impact of adaptations are either unable to capture the underlying uncertainty and variability of such dynamic environments, or are not compositional and described at a level of abstraction too low to scale in terms of specification effort required for non-trivial systems. In this paper, we address these shortcomings by describing an approach to the specification of impact models based on architectural system descriptions, which at the same time allows us to represent both variability and uncertainty in the outcome of adaptations, hence improving the selection of the best corrective action. The core of our approach is an impact model language equipped with a formal semantics defined in terms of Discrete Time Markov Chains. To validate our approach, we show how employing our language can improve the accuracy of predictions used for decision-making in the Rainbow framework for architecture-based self-adaptation.}, KEYWORDS = {Autonomic Systems, Benchmark, Rainbow, Self-adaptation, Self-awareness & Adaptation, Stitch} } @InProceedings{ruchkin/active/2014, AUTHOR = {Ruchkin, Ivan and De Niz, Dio and Chaki, Sagar and Garlan, David}, TITLE = {ACTIVE: A Tool for Integrating Analysis Contracts}, YEAR = {2014}, MONTH = {2 December}, BOOKTITLE = {The 5th Analytic Virtual Integration of Cyber-Physical Systems Workshop}, ADDRESS = {Rome, Italy}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/avicps14-camera-ready.pdf}, ABSTRACT = {Development of modern Cyber-Physical Systems (CPS) re- lies on a number of analysis tools to verify critical properties. The Architecture Analysis and Design Language (AADL) standard provides a common architectural model to which multiple CPS analyses can be applied. Unfortunately, interaction between these analyses can invalidate their results. In this paper we present ACTIVE, a tool developed within the OSATE/AADL infrastructure to solve this problem. We analyze the problems that occur when multiple analyses are applied to an AADL model and how these problems invalidate analysis results. Interactions between analyses, implemented as OSATE plugins, are formally described in ACTIVE in order to enable automatic verification. In particular, these interactions are captured in an analysis contract consisting of inputs, outputs, assumptions, and guarantees. The inputs and outputs help determine the correct order of execution of the plugins. Assumptions capture the conditions that must be valid in order to execute an analysis plugin, while guarantees are conditions that are expected to be valid afterwards. ACTIVE allows the use of any generic verification tool (e.g., a model checker) to validate these conditions. To coordinate these activities our tool uses two components: ACTIVE EXECUTER and ACTIVE VERIFIER. ACTIVE EXECUTER invokes the analysis plugins in the required order and uses ACTIVE VERIFIER to check assumptions and guarantees. ACTIVE VERIFIER identifies and executes the verification tool that needs to be invoked based on the target formula. Together, they ensure that plugins are always executed in the correct order and under the correct conditions, guaranteeing correct results. To the best of our knowledge, ACTIVE is the first extensible framework that integrates independently-developed analysis plugins ensuring provably-correct interactions.}, KEYWORDS = {Cyberphysical Systems, Formal Methods} } @Article{Camara:2016:ALS:2872308.2774222, AUTHOR = {C\'{a}mara, Javier and Moreno, Gabriel A. and Garlan, David and Schmerl, Bradley}, TITLE = {Analyzing Latency-Aware Self-Adaptation Using Stochastic Games and Simulations}, YEAR = {2016}, MONTH = {February}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems (TAAS) - Special Section on Best Papers from SEAMS 2014 and Regular Articles}, VOLUME = {10}, NUMBER = {4}, PAGES = {23:1--23:28}, ADDRESS = {New York, NY, USA}, PUBLISHER = {ACM}, URL = {http://doi.acm.org/10.1145/2774222}, ABSTRACT = {Self-adaptive systems must decide which adaptations to apply and when. In reactive approaches, adaptations are chosen and executed after some issue in the system has been detected (e.g., unforeseen attacks or failures). In proactive approaches, predictions are used to prepare the system for some future event (e.g., traffic spikes during holidays). In both cases, the choice of adaptation is based on the estimated impact it will have on the system. Current decision-making approaches assume that the impact will be instantaneous, whereas it is common that adaptations take time to produce their impact. Ignoring this latency is problematic because adaptations may not achieve their effect in time for a predicted event. Furthermore, lower impact but quicker adaptations may be ignored altogether, even if over time the accrued impact is actually higher. In this article, we introduce a novel approach to choosing adaptations that considers these latencies. To show how this improves adaptation decisions, we use a two-pronged approach: (i) model checking of Stochastic Multiplayer Games (SMGs) enables us to understand best- and worst-case scenarios of optimal latency-aware and non-latency-aware adaptation without the need to develop specific adaptation algorithms. However, since SMGs do not provide an algorithm to make choices at runtime, we propose a (ii) latency-aware adaptation algorithm to make decisions at runtime. Simulations are used to explore more detailed adaptation behavior and to check if the performance of the algorithm falls within the bounds predicted by SMGs. Our results show that latency awareness improves adaptation outcomes and also allows a larger set of adaptations to be exploited.}, NOTE = {ISSN 1556-4665}, KEYWORDS = {Latency-aware, Self-adaptation, Stochastic Games} } @InProceedings{Camara2015DADS, AUTHOR = {C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley and Pandey, Ashutosh}, TITLE = {Optimal Planning for Architecture-Based Self-Adaptation via Model Checking of Stochastic Games}, YEAR = {2015}, MONTH = {13-17 April}, BOOKTITLE = {Proceedings of the 10th DADS Track of the 30th ACM Symposium on Applied Computing}, ADDRESS = {Salamanca, Spain}, ABSTRACT = {Architecture-based approaches to self-adaptation rely on architectural descriptions to reason about the best way of adapting the structure and behavior of software-intensive systems at run time, either by choosing among a set of predefined adaptation strategies, or by automatically generating adaptation plans. Predefined strategy selection has allow computational overhead and facilitates dealing with uncertainty (e.g., by accounting explicitly for contingencies derived from unexpected outcomes of actions), but requires additional designer effort regarding the specification of strategies and is unable to guarantee optimal solutions. In contrast, run time plan generation is able to explore a richer solution space and provide optimal solutions in some cases, but is more limited when dealing with uncertainty, and incurs higher computational overheads. In this paper, we propose an approach to optimal adaptation plan generation for architecture-based self-adaptation via model checking of stochastic multiplayer games (SMGs). Our approach enables: (i) trade-off analysis among different qualities by means of utility functions and preferences, and (ii) explicit modeling of uncertainty in the outcome of adaptation actions and the behavior of the environment. Basing on the concepts embodied in the Rainbow framework for self-adaptation, we illustrate our approach in Znn.com, a case study that reproduces the infrastructure for a news website.}, KEYWORDS = {Assurance, Model Checking, Planning, Self-adaptation, Stochastic Games} } @Article{Camara/ISS/2015, AUTHOR = {C\'{a}mara, Javier and Correia, Pedro and de Lemos, Rog\'{e}rio and Garlan, David and Gomes, Pedro and Schmerl, Bradley and Ventura, Rafael}, TITLE = {Incorporating Architecture-Based Self-Adaptation into an Adaptive Industrial Software System}, YEAR = {2015}, JOURNAL = {Journal of Systems and Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ABSA-DCASc.pdf}, ABSTRACT = {Complex software-intensive systems are increasingly relied upon for all kinds of activities in society, leading to the requirement that these systems should be resilient to changes that may occur to the system, its environment, or its goals. Traditionally, resilience has been achieved either through: (i) low-level mechanisms embedded in the implementation (e.g., exception handling, timeouts, redundancies), which are unable to detect subtle but important anomalies (e.g., progressive performance degradation); or (ii) human oversight, which is costly and unreliable. Architecture-based self-adaptation (ABSA) is regarded as a promising approach to improve the resilience and reduce the development/operation costs of such systems. Although researchers have illustrated the benefits of ABSA through a number of small-scale case studies, it remains to be seen whether ABSA is truly effective in handling changes at run-time in industrial-scale systems. In this paper, we report on our experience applying an ABSA framework (Rainbow) to a large-scale commercial software system, called Data Acquisition and Control Service (DCAS), which is used to monitor and manage highly populated networks of devices in renewable energy production plants. In the approach followed, we have replaced some of the existing adaptive mechanisms embedded in DCAS by those advocated by ABSA proponents. This has allowed us to assess the development costs associated with the reengineering of adaptive mechanisms when using an ABSA solution, and to make effective comparisons, in terms of operational performance, between a baseline industrial system and one that uses ABSA. Our results show that using the ABSA concepts as embodied in Rainbow enabled an independent team of developers to: (i) effectively implement the adaptation behavior required from such industrial systems; and (ii) obtain important benefits in terms of maintainability and extensibility of adaptation mechanisms.}, NOTE = {Available on-line http://dx.doi.org/10.1016/j.jss.2015.09.021}, KEYWORDS = {Rainbow, Self-adaptation, Software Engineering} } @InProceedings{Camara/2015/Human, AUTHOR = {C\'{a}mara, Javier and Moreno, Gabriel A. and Garlan, David}, TITLE = {Reasoning about Human Participation in Self-Adaptive Systems}, YEAR = {2015}, MONTH = {18-19 May}, BOOKTITLE = {Proceedings of the 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2015)}, ADDRESS = {Florence, Italy}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams15.pdf}, ABSTRACT = {Self-adaptive systems overcome many of the limitations of human supervision in complex software-intensive systems by endowing them with the ability to automatically adapt their structure and behavior in the presence of runtime changes. However, adaptation in some classes of systems (e.g., safety- critical) can benefit by receiving information from humans (e.g., acting as sophisticated sensors, decision-makers), or by involving them as system-level effectors to execute adaptations (e.g., when automation is not possible, or as a fallback mechanism). However, human participants are influenced by factors external to the system (e.g., training level, fatigue) that affect the likelihood of success when they perform a task, its duration, or even if they are willing to perform it in the first place. Without careful consideration of these factors, it is unclear how to decide when to involve humans in adaptation, and in which way. In this paper, we investigate how the explicit modeling of human participants can provide a better insight into the trade-offs of involving humans in adaptation. We contribute a formal framework to reason about human involvement in self-adaptation, focusing on the role of human participants as actors (i.e., effectors) during the execution stage of adaptation. The approach consists of: (i) a language to express adaptation models that capture factors affecting human behavior and its interactions with the system, and (ii) a formalization of these adaptation models as stochastic multiplayer games (SMGs) that can be used to analyze human- system-environment interactions. We illustrate our approach in an adaptive industrial middleware used to monitor and manage sensor networks in renewable energy production plants.}, KEYWORDS = {Assurance, Human-in-the-loop, Self-adaptation, Self-awareness & Adaptation, Stochastic Games} } @InProceedings{Coker/2015, AUTHOR = {Coker, Zack and Garlan, David and Le Goues, Claire}, TITLE = {SASS: Self-adaptation using stochastic search}, YEAR = {2015}, MONTH = {18-19 May}, BOOKTITLE = {Proceedings 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2015)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PID3582925.pdf}, ABSTRACT = {Future-generation self-adaptive systems will need to be able to optimize for multiple interrelated, difficult-to-measure, and evolving quality properties. To navigate this complex search space, current self-adaptive planning techniques need to be improved. In this position paper, we argue that the research community should more directly pursue the application of stochastic search techniquessearch techniques, such as hill climbing or genetic algorithms, that incorporate an element of randomnessto self-adaptive systems research. These techniques are well-suited to handling multi-dimensional search spaces and complex problems, situations which arise often for self-adaptive systems. We believe that recent advances in both fields make this a particularly promising research trajectory. We demonstrate one way to apply some of these advances in a search-based planning prototype technique to illustrate both the feasibility and the potential of the proposed research. This strategy informs a number of potentially interesting research directions and problems. In the long term, this general technique could enable sophisticated plan generation techniques that improve domain specific knowledge, decrease human effort, and increase the application of self-adaptive systems.}, KEYWORDS = {Self-adaptation} } @InBook{Camara/2016/SMGs, AUTHOR = {C\'{a}mara, Javier and Garlan, David and Moreno, Gabriel A. and Schmerl, Bradley}, TITLE = {Analyzing Self-Adaptation via Model Checking of Stochastic Games}, YEAR = {2017}, BOOKTITLE = {Software Engineering for Self-Adaptive Systems III. Assurances}, NUMBER = {9640}, EDITOR = {de Lemos, Rog\'{e}rio and Garlan, David and Ghezzi, Carlo and Giese, Holger}, PUBLISHER = {Springer}, TYPE = {Lecture Notes in Computer Science}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEfSAS3-SMGs.pdf}, ABSTRACT = {Design decisions made during early development stages of self-adaptive systems tend to have a significant impact upon system properties at runtime (e.g., safety, QoS). However, understanding the implications of these decisions a priori is difficult due to the different types and degrees of uncertainty that affect such systems (e.g., simplifying assumptions, human-in-the-loop). To provide some assurances about self-adaptive system designs, evidence can be gathered from activities such as simulations and prototyping, but these demand a significant effort and do not provide a systematic way of dealing with uncertainty. In this chapter, we describe an approach based on model checking of stochastic multiplayer games (SMGs) that enables developers to approximate the behavioral envelope of a self-adaptive system by analyzing best- and worst-case scenarios of alternative designs for self-adaptation mechanisms. Compared to other sources of evidence, such as simulations or prototypes, our approach provides developers with a preliminary understanding of adaptation behavior with less effort, and without the need to have any specific adaptation algorithms or infrastructure in place. We illustrate our approach by showing how it can be used to mitigate different types of uncertainty in contexts such as self-protecting systems, proactive latency-aware adaptation, and human-in-the-loop.}, KEYWORDS = {Assurance, Formal Methods, Human-in-the-loop, Model Checking, Science of Security, Self-adaptation, Stochastic Games} } @InProceedings{2015/Moreno/PMC, AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Proactive Self-Adaptation under Uncertainty: a Probabilistic Model Checking Approach}, YEAR = {2015}, MONTH = {30 August - 4 September}, BOOKTITLE = {Proceedings of the 10th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering}, ADDRESS = {Bergamo, Italy}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fse15main-mainid213-p-1d01012-24621-final.pdf}, ABSTRACT = {Self-adaptive systems tend to be reactive and myopic, adapting in response to changes without anticipating what the subsequent adaptation needs will be. Adapting reactively can result in inefficiencies due to the system performing a suboptimal sequence of adaptations. Furthermore, when adaptations have latency, and take some time to produce their e ffect, they have to be started with sufficient lead time so that they complete by the time their eff ect is needed. Proactive latency-aware adaptation addresses these issues by making adaptation decisions with a look-ahead horizon and taking adaptation latency into account. In this paper we present an approach for proactive latency-aware adaptation under uncertainty that uses probabilistic model checking for adaptation decisions. The key idea is to use a formal model of the adaptive system in which the adaptation decision is left underspeci fied through nondeterminism, and have the model checker resolve the nondeterministic choices so that the accumulated utility over the horizon is maximized. The adaptation decision is optimal over the horizon, and takes into account the inherent uncertainty of the environment predictions needed for looking ahead. Our results show that the decision based on a look-ahead horizon, and the factoring of both tactic latency and environment uncertainty, considerably improve the eff ectiveness of adaptation decisions.}, KEYWORDS = {Latency-aware, Model Checking, Self-adaptation, Self-awareness & Adaptation, Stochastic Games} } @InProceedings{Pandey:SASO:2016, AUTHOR = {Pandey, Ashutosh and Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David}, TITLE = {Hybrid Planning for Decision Making in Self-Adaptive Systems}, YEAR = {2016}, MONTH = {12-16 September}, BOOKTITLE = {Proceedings of the 10th IEEE International Conference on Self-Adaptive and Self-Organizing Systems (SASO 2016)}, ADDRESS = {Augsburg, Germany}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SASO2016.pdf}, ABSTRACT = {Run-time generation of adaptation plans is a powerful mechanism that helps a self-adaptive system to meet its goals in a dynamically changing environment. In the past, researchers have demonstrated successful use of various automated planning techniques to generate adaptation plans at run time. However, for a planning technique, there is often a trade-off between timeliness and optimality of the solution. For some self-adaptive systems, ideally, one would like to have a planning approach that is both quick and finds an optimal adaptation plan. To find the right balance between these conflicting requirements, this paper introduces a hybrid planning approach that combines more than one planner to obtain the benefits of each. In this paper, to instantiate a hybrid planner we combine deterministic planning with Markov Decision Process (MDP) planning to obtain the best of both worlds: deterministic planning provides plans quickly when timeliness is critical, while allowing MDP planning to generate optimal plans when the system has sufficient time to do so. We validate the hybrid planning approach using a realistic workload pattern in a simulated cloud-based self-adaptive system.}, KEYWORDS = {Planning, Self-adaptation} } @InProceedings{Ruchkin/2015/AC-SPC, AUTHOR = {Ruchkin, Ivan and Rao, Ashwini and De Niz, Dio and Chaki, Sagar and Garlan, David}, TITLE = {Eliminating Inter-Domain Vulnerabilities in Cyber-Physical Systems: An Analysis Contracts Approach}, YEAR = {2015}, MONTH = {16 October}, BOOKTITLE = {Proceedings of the First ACM Workshop on Cyber-Physical Systems Security and Privacy}, ADDRESS = {Denver, Colorado}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/AC for SPC-camera-ready-preprint-v2.pdf}, ABSTRACT = {Designing secure cyber-physical systems (CPS) is a particularly difficult task since security vulnerabilities stem not only from traditional cybersecurity concerns, but also physical ones as well. Many of the standard methods for CPS design make strong and unverified assumptions about the trustworthiness of physical devices, such as sensors. When these assumptions are violated, subtle inter-domain vulnerabilities are introduced into the system model. In this paper we propose to use formal specification of analysis contracts to expose security assumptions and guarantees of analyses from reliability, control, and sensor security domains. We show that this specification allows us to determine where these assumptions are violated or ignore important failure modes that open the door to malicious attacks. We demonstrate how this approach can help discover and prevent vulnerabilities in a self-driving car example.}, KEYWORDS = {Cyberphysical Systems, Science of Security} } @InProceedings{Glazier/2015/CAS, AUTHOR = {Glazier, Thomas J. and C\'{a}mara, Javier and Schmerl, Bradley and Garlan, David}, TITLE = {Analyzing Resilience Properties of Different Topologies of Collective Adaptive Systems}, YEAR = {2015}, MONTH = {21 September}, BOOKTITLE = {Proceedings of the 3rd FoCAS Workshop on the Fundamentals of Collective Adaptive Systems}, ADDRESS = {Boston, MA, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PID3850133.pdf}, ABSTRACT = {Modern software systems are often compositions of entities that increasingly use self-adaptive capabilities to improve their behavior to achieve systematic quality goals. Self-adaptive managers for each component system attempt to provide locally optimal results, but if they cooperated and potentially coordinated their efforts it might be possible to obtain more globally optimal results. The emergent properties that result from such composition and cooperation of self-adaptive systems are not well understood, difficult to reason about, and present a key challenge in the evolution of modern software systems. For example, the effects of coordination patterns and protocols on emergent properties such as the resiliency of the collectives need to be understood when designing these systems. In this paper we propose that probabilistic model checking of stochastic multiplayer games (SMG) provides a promising approach to analyze, understand, and reason about emergent properties in collectives of adaptive systems (CAS). Probabilistic Model Checking of SMGs is a technique particularly suited to analyzing emergent properties in CAS, since SMG models capture: (i) the uncertainty and variability intrinsic to the CAS and its execution environment in the form of probabilistic and nondeterministic choices, and (ii) the competitive/cooperative aspects of the interplay among the constituent systems of the CAS. Analysis of SMGs allows us to reason about things like the worst case scenarios, which constitutes a new contribution to understanding emergent properties in CAS. We investigate the use of SMGs to show how they can be useful in analyzing the impact of communication topology for collections of fully cooperative systems defending against an external attack. }, KEYWORDS = {Assurance, Coordination, Model Checking, Self-adaptation, Stochastic Games} } @InProceedings{Ruchkin/2015/loops, AUTHOR = {Ruchkin, Ivan and Schmerl, Bradley and Garlan, David}, TITLE = {Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems}, YEAR = {2015}, MONTH = {28 September}, BOOKTITLE = {Proceedings of the 8th International Workshop on Model-based Architecting of Cyber-Physical and Embedded Systems}, ADDRESS = {Ottawa, Canada}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MBA-CPS.pdf}, ABSTRACT = {Rigorous engineering of safety-critical Cyber- Physical Systems (CPS) requires integration of heterogeneous modeling methods from different disciplines. It is often necessary to view this integration from the perspective of analyses algorithms that read and change models. Although analytic integration supports formal contract-based verification of model evolution, it suffers from the limitation of analytic dependency loops. Dependency loops between analyses cannot be resolved based on the existing contract-based verification. This paper makes a step towards using rich architectural description to resolve circular analytic dependencies. We characterize the dependency loop problem and discuss three algorithmic approaches to resolving such loops: analysis iteration, constraint solving, and genetic search. These approaches take advantage of information in multi-view architectures to resolve analytic dependency loops.}, KEYWORDS = {Architecture View Consistency, Cyberphysical Systems} } @InProceedings{Sukkerd/2015/SEFM, AUTHOR = {Sukkerd, Roykrong and Garlan, David and Simmons, Reid}, TITLE = {Task Planning of Cyber-Human Systems}, YEAR = {2015}, MONTH = {7-11 September}, BOOKTITLE = {Proceedings of the 13th International Conference on Software Engineering and Formal Methods}, VOLUME = {9276}, SERIES = {LNCS }, ADDRESS = {York, UK}, PUBLISHER = {Springer}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEFM15_Sukkerd_Springer.pdf}, ABSTRACT = {Internet of Things (IoT) allows for cyber-physical applications to be created and composed to provide intelligent support or automation of end-user tasks. For many of such tasks, human participation is crucial to the success and the quality of the tasks. The cyber systems should proactively request help from the humans to accomplish the tasks when needed. However, the outcome of such system-human synergy may be affected by factors external to the systems. Failure to consider those factors when involving human participants in the tasks may result in suboptimal performance and negative experience on the humans. In this paper, we propose an approach for automated generation of control strategies of cyber-human systems. We investigate how explicit modeling of human participant can be used in automated planning to generate cooperative strategy of human and system to achieve a given task, by means of which best and appropriately utilize the human. Specifically, our approach consists of: (1) a formal framework for modeling cooperation between cyber system and human, and (2) a formalization of system-human cooperative task planning as strategy synthesis of stochastic multiplayer game. We illustrate our approach through an example of indoor air quality control in smart homes.}, KEYWORDS = {Activity-oriented Computing, Cyberphysical Systems, Human-in-the-loop, Model Checking, Ubiquitous Computing} } @InBook{2017/Weyns/PA, AUTHOR = {Weyns, Danny and Bencomo, Nelly and Calinescu, Radu and C\'{a}mara, Javier and Ghezzi, Carlo and Grassi, Vincenzo and Grunske, Larse and Inverardi, Paola and Jezequel, Jean-Marc and Malek, Sam and Mirandola, Raffaela and Mori, Marco and Tambrrellii, Giordano}, TITLE = {Perpetual Assurances for Self-Adaptive Systems}, YEAR = {2017}, BOOKTITLE = {Software Engineering for Self-Adaptive Systems III. Assurances}, NUMBER = {9640}, EDITOR = {de Lemos, Rog\'{e}rio and Garlan, David and Ghezzi, Carlo and Giese, Holger}, PUBLISHER = {Springer}, TYPE = {Lecture Notes in Computer Science}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/2016SEfSAS-final-perpetual-assurances.pdf}, ABSTRACT = {Providing assurances for self-adaptive systems is challenging. A primary underlying problem is uncertainty that may stem from a variety of different sources, ranging from incomplete knowledge to sensor noise and uncertain behavior of humans in the loop. Providing assurances that the self-adaptive system complies with its requirements calls for an enduring process spanning the whole lifetime of the system. In this process, humans and the system jointly derive and integrate new evidence and arguments, which we coined perpetual assurances for self-adaptive systems. In this paper, we provide a background framework and the foundation for perpetual assurances for self-adaptive systems. We elaborate on the concrete challenges of offering perpetual assurances, requirements for solutions, realization techniques and mechanisms to make solutions suitable. We also present benchmark criteria to compare solutions. We then present a concrete exemplar that researchers can use to assess and compare approaches for perpetual assurances for self-adaptation}, KEYWORDS = {Assurance, Self-adaptation, Self-awareness & Adaptation} } @InBook{MASA/HuIL2016, AUTHOR = {C\'{a}mara, Javier and Garlan, David and Moreno, Gabriel A. and Schmerl, Bradley}, TITLE = {Evaluating Trade-Offs of Human Involvement in Self-Adaptive Systems}, YEAR = {2016}, MONTH = {September}, BOOKTITLE = {Managing Trade-Offs in Self-Adaptive Systems}, EDITOR = {Mistrik, Ivan and Ali, Nour and Grundy, John and Kazman, Rick and Schmerl, Bradley}, PUBLISHER = {Elsevier}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/HuIL-MASA.pdf}, ABSTRACT = {Software systems are increasingly called upon to autonomously manage their goals in changing contexts and environments, and under evolving requirements. In some circumstances, autonomous systems cannot be fully automated but instead cooperate with human operators to maintain and adapt themselves. Furthermore, there are times when a choice should be made between doing a manual or automated repair. Involving operators in self-adaptation should itself be adaptive, and consider aspects such as the training, attention, and ability of operators. Not only do these aspects change from person to person, but they may change with the same person. These aspects make the choice of whether to involve humans non-obvious. Self-adaptive systems should trade-off whether to involve operators, taking these aspects into consideration along with other business qualities it is attempting to achieve. In this chapter, we identify the various roles that operators can perform in cooperating with self-adaptive systems. We focus on humans as effectors - doing tasks which are difficult or infeasible to automate. We describe how we modified our self-adaptive framework, Rainbow, to involve operators in this way, which involved choosing suitable human models and integrating them into the existing utility trade-off decision models of Rainbow. We use probabilistic modeling and quantitative verification to analyze the trade-offs of involving humans in adaptation, and complement our study with experiments to show how different business preferences and modalities of human involvement may result in different outcomes.}, KEYWORDS = {Human-in-the-loop, Self-adaptation, Stochastic Games} } @Unpublished{Garg/2008, AUTHOR = {Garg, Kirti and Garlan, David and Schmerl, Bradley}, TITLE = {Architecture Based Information Flow Analysis for Software Security}, YEAR = {2008}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ArchSTRIDE08.pdf}, ABSTRACT = {Using information flow modeling to perform security analysis is a common technique used during software design. While much theoretical work has been conducted in this area, there are few tools to assist with such analysis. In many instances the security analysis must be done by hand, requiring consid-erable expertise, time, and effort. Most available tools require custom code to be written for the analysis, and are consequently not well integrated with the software process, and not easily tailored to different security requirements. In this paper we describe the use of an Architecture Description Language (ADL) to (a) represent information flow in a software system, and (b) analyze the security-related properties of a system. We use a formal predicate-based de-scription of the security properties and policies, which allows for automated analysis of the information flow to uncover common security vulnerabilities. A key advantage to using ADLs is that security properties become declarative and can be automatically checked by constraint-based tools and without the need to write custom code.}, KEYWORDS = {Architectural Analysis, Science of Security} } @Article{Camara:2016:50, AUTHOR = {C\'{a}mara, Javier and Lopes, Ant\'{o}nia and Garlan, David and Schmerl, Bradley}, TITLE = {Adaptation impact and environment models for architecture-based self-adaptive systems}, YEAR = {2016}, JOURNAL = {Science of Computer Programming, Special issue of the 11th International Symposium on Formal Aspects of Component Software }, VOLUME = {127}, PAGES = {50-75}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/LGC-IMCamara_2016_50.pdf}, ABSTRACT = {Self-adaptive systems have the ability to adapt their behavior to dynamic operating conditions. In reaction to changes in the environment, these systems determine the appropriate corrective actions based in part on information about which action will have the best impact on the system. Existing models used to describe the impact of adaptations are either unable to capture the underlying uncertainty and variability of such dynamic environments, or are not compositional and described at a level of abstraction too low to scale in terms of specification effort required for non-trivial systems. In this paper, we address these shortcomings by describing an approach to the specification of impact models based on architectural system descriptions, which at the same time allows us to represent both variability and uncertainty in the outcome of adaptations, hence improving the selection of the best corrective action. The core of our approach is a language equipped with a formal semantics defined in terms of Discrete Time Markov Chains that enables us to describe both the impact of adaptation tactics, as well as the assumptions about the environment. To validate our approach, we show how employing our language can improve the accuracy of predictions used for decision-making in the Rainbow framework for architecture-based self-adaptation.}, NOTE = {doi:10.1016/j.scico.2015.12.006}, KEYWORDS = {Self-adaptation, uncertainty} } @Article{2016/Franco/JSS, AUTHOR = {Franco, Jo\~{a}o and Correia, Francisco and Barbosa, Raul and Zenha-Rela, Mario and Schmerl, Bradley and Garlan, David}, TITLE = {Improving Self-Adaptation Planning through Software Architecture-based Stochastic Modeling}, YEAR = {2016}, MONTH = {May}, JOURNAL = {Journal of Systems and Software}, VOLUME = {115}, PAGES = {42-60}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/images.pdf}, ABSTRACT = {The ever-growing complexity of software systems makes it increasingly challenging to foresee at design time all interactions between a system and its environment. Most self-adaptive systems trigger adaptations through operators that are statically confi gured for specifi c environment and system conditions. However, in the occurrence of uncertain conditions, self-adaptive decisions may not be eff ective and might lead to a disruption of the desired non-functional attributes. To address this, we propose an approach that improves the planning stage by predicting the outcome of each strategy. In detail, we automatically derive a stochastic model from a formal architecture description of the managed system with the changes imposed by each strategy. Such information is used to optimize the self-adaptation decisions to ful fill the desired quality goals. To assess the eff ectiveness of our approach we apply it to a cloud-based news system and predicted the reliability for each possible adaptation strategy. The results obtained from our approach are compared to a representative static planning algorithm as well as to an oracle that always makes the ideal decision. Experiments show that our method improves both availability and cost when compared to the static planning algorithm, while being close to the oracle. Our approach may therefore be used to optimize self-adaptation planning.}, KEYWORDS = {Self-adaptation} } @InProceedings{2015/Ruchkin/MODELS, AUTHOR = {Ruchkin, Ivan}, TITLE = {Architectural and Analytic Integration of Cyber-Physical System Models}, YEAR = {2015}, MONTH = {30 September - 2 October}, BOOKTITLE = {ACM/IEEE 18th International Conference on Model Driven Engineering Languages and Systems, ACM Student Research Award Competition}, ADDRESS = {Ottawa, Canada}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SRC-131.pdf}, ABSTRACT = {Modeling methods for Cyber-Physical Systems (CPS) originate in various engineering fields, and are difficult to use together due to their heterogeneity. Inconsistencies between mutually oblivious models and analyses often lead to implicit design errors, which may cause catastrophic failures of critical CPS. Such consistency issues are not fully solved by the state-of-the-art integration methods, which lack generality, formal guarantees, and effectiveness. To overcome these limitations and achieve better integration, this paper outlines a two-level integration approach based on architectural views and analysis contracts. In particular, this paper proposes languages and algorithms to specify and verify important integration properties, such as correct analysis execution and rich consistency of architectural views. According to the results to date, this approach shows promise in detection and prevention of implicit errors, which would be difficult to fix otherwise. }, NOTE = {Gold Medal Winner}, KEYWORDS = {Cyberphysical Systems} } @InProceedings{2016/Lamba/MBAD, AUTHOR = {Lamba, Hemank and Glazier, Thomas J. and Schmerl, Bradley and C\'{a}mara, Javier and Garlan, David and Pfeffer, J\"{u}rgen}, TITLE = {A Model-based Approach to Anomaly Detection in Software Architectures (Poster)}, YEAR = {2016}, MONTH = {19-21 April}, BOOKTITLE = {Symposium and Bootcamp on the Science of Security}, ADDRESS = {Pittsburgh, PA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ModelBasedAnomalyDetection.pdf}, ABSTRACT = {In an organization, the interactions users have with software leaves patterns or traces of the parts of the systems accessed. These interactions can be associated with the underlying software architecture. The first step in detecting problems like insider threat is to detect those traces that are anomalous. In this paper, we present a method to find anomalous users leveraging these interaction traces, categorized by user roles. We propose a model based approach to cluster user sequences and find outliers. Such a technique could be useful in finding potentially anomalous users, insiders, or compromised accounts.We show that the approach works on a simulation of a large scale system based on and Amazon Web application style.}, KEYWORDS = {Science of Security, Software Architecture} } @InProceedings{2016:Schmerl:Raindroid, AUTHOR = {Schmerl, Bradley and Gennari, Jeffrey and C\'{a}mara, Javier and Garlan, David}, TITLE = {Raindroid - A System for Run-time Mitigation of Android Intent Vulnerabilities (Poster)}, YEAR = {2016}, MONTH = {19-21 April}, BOOKTITLE = {Symposium and Bootcamp on the Science of Security}, ADDRESS = {Pittsburgh, PA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/raindroid-poster.pdf}, ABSTRACT = {Modern frameworks are required to be extendable as well as secure. However, these two qualities are often at odds. In this poster we describe an approach that uses a combination of static analysis and run-time management, based on software architecture models, that can improve security while maintaining framework extendability. We implement a prototype of the approach for the Android platform. Static analysis identifi es the architecture and communication patterns among the collection of apps on an Android device and which communications might be vulnerable to attack. Run-time mechanisms monitor these potentially vulnerable communication patterns, and adapt the system to either deny them, request explicit approval from the user, or allow them.}, KEYWORDS = {Human-in-the-loop, Rainbow, Science of Security} } @InProceedings{2016:Moreno:plasdp, AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Efficient Decision-Making under Uncertainty for Proactive Self-Adaptation}, YEAR = {2016}, MONTH = {19-22 July}, BOOKTITLE = {Proceedings of the 13th IEEE International Conference on Autonomic Computing (ICAC 2016)}, ADDRESS = {W\"{u}rzburg, Germany}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/gmoreno-icac2016.pdf}, ABSTRACT = {Proactive latency-aware adaptation is an approach for self-adaptive systems that improves over reactive adaptation by considering both the current and anticipated adaptation needs of the system, and taking into account the latency of adaptation tactics so that they can be started with the necessary lead time. Making an adaptation decision with these characteristics requires solving an optimization problem to select the adaptation path that maximizes an objective function over a finite look-ahead horizon. Since this is a problem of selecting adaptation actions in the context of the probabilistic behavior of the environment, Markov decision processes (MDP) are a suitable approach. However, given all the possible interactions between the different and possibly concurrent adaptation tactics, the system, and the environment, constructing the MDP is a complex task. Probabilistic model checking can be used to deal with this problem since it takes as input a formal specification of the stochastic system, which is internally translated into an MDP, and solved. One drawback of this solution is that the MDP has to be constructed every time an adaptation decision has to be made to incorporate the latest predictions of the environment behavior. In this paper we present an approach that eliminates that run-time overhead by constructing most of the MDP offline, also using formal specification. At run time, the adaptation decision is made by solving the MDP through stochastic dynamic programming, weaving in the stochastic environment model as the solution is computed. Our experimental results show that this approach reduces the adaptation decision time by an order of magnitude compared to the probabilistic model checking approach, while producing the same results.}, NOTE = {Selected as a best paper.}, KEYWORDS = {Latency-aware, Self-adaptation} } @InProceedings{2016/Sukkerd/SEsCPS, AUTHOR = {Sukkerd, Roykrong and C\'{a}mara, Javier and Garlan, David and Simmons, Reid}, TITLE = {Multiscale Time Abstractions for Long-Range Planning under Uncertainty}, YEAR = {2016}, MONTH = {16 May}, BOOKTITLE = {Proceedings of the 2nd ICSE Workshop on Software Engineering for Smart Cyberphysical Systems}, ADDRESS = {Austin, Texas}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEsCPS20162016_Sukkerd_SEsCPS.pdf}, ABSTRACT = {Planning in CPSs requires temporal reasoning to handle the dynamics of the environment, including human behavior, as well as temporal constraints on system goals and durations of actions that systems and human actors may take. The discrete abstraction of time in a state space planning should have a time sampling parameter value that satisfi es some relation to achieve a certain precision. In particular, the sampling period should be small enough to allow the dynamics of the problem domain to be modeled with sufficient precision. Meanwhile, in many cases, events in the far future (relative to the sampling period) may be relevant to the decision making earlier in the planning timeline; therefore, a longer planning look-ahead horizon can yield a closer-to-optimal plan. Unfortunately, planning with a uniform fine-grained discrete abstraction of time and a long look-ahead horizon is typically computationally infeasible. In this paper, we propose a multiscale temporal planning approach { formulated as MDP planning { to preserve the required time fi delity of the problem domain and at the same time approximate a globally optimal plan. We illustrate our approach in a middleware used to monitor large sensor networks.}, KEYWORDS = {Cyberphysical Systems, Planning, uncertainty} } @InProceedings{2016/Neves/IoTBD, AUTHOR = {Neves, Pedro Caldeira and Schmerl, Bradley and Bernardino, Jorge and C\'{a}mara, Javier}, TITLE = {Big Data in Cloud Computing: features and issues}, YEAR = {2016}, MONTH = {23-25 April}, BOOKTITLE = {Proceedings of the 2016 International Conference on Internet of Things and Big Data}, ADDRESS = {Rome, Italy}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IoTBD_2016_10.pdf}, ABSTRACT = {The term big data arose under the explosive increase of global data as a technology that is able to store and process big and varied volumes of data, providing both enterprises and science with deep insights over its clients/experiments. Cloud computing provides a reliable, fault-tolerant, available and scalable environment to harbour big data distributed management systems. Within the context of this paper we present an overview of both technologies and cases of success when integrating big data and cloud frameworks. Although big data solves much of our current problems it still presents some gaps and issues that raise concern and need improvement. Security, privacy, scalability, data governance policies, data heterogeneity, disaster recovery mechanisms, and other challenges are yet to be addressed. Other concerns are related to cloud computing and its ability to deal with exabytes of information or address exaflop computing efficiently. This paper presents an overview of both cloud and big data technologies describing the current issues with these technologies.}, KEYWORDS = {Big data} } @InBook{2017:Schmerl:Decomp, AUTHOR = {Schmerl, Bradley and Andersson, Jesper and Vogel, Thomas and Cohen, Myra and Rubira, Cecilia M. F. and Brun, Yuriy and Gorla, Alessandra and Zambonelli, Franco and Baresi, Luciano}, TITLE = {Challenges in Composing and Decomposing Assurances for Self-Adaptive Systems}, YEAR = {2017}, BOOKTITLE = {Software Engineering for Self-Adaptive Systems III. Assurances}, NUMBER = {9640}, EDITOR = {de Lemos, Rog\'{e}rio and Garlan, David and Ghezzi, Carlo and Giese, Holger}, PUBLISHER = {Springer}, TYPE = {Lecture Notes in Computer Science}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/decomp-challenges.pdf}, ABSTRACT = {Self-adaptive software systems adapt to changes in the environment, in the system itself, in their requirements, or in their business objectives. Typically, these systems attempt to maintain system goals at run time and often provide assurance that they will meet their goals under dynamic and uncertain circumstances. While significant research has focused on ways to engineer selfadaptive capabilities into both new and legacy software systems, less work has been conducted on how to assure that self-adaptation maintains system goals. For traditional, especially safety-critical software systems, assurance techniques decompose assurances into sub-goals and evidence that can be provided by parts of the system. Existing approaches also exist for composing assurances, in terms of composing multiple goals and composing assurances in systems of systems. While some of these techniques may be applied to self-adaptive systems, we argue that several significant challenges remain in applying them to self-adaptive systems in this chapter. We discuss how existing assurance techniques can be applied to composing and decomposing assurances for self-adaptive systems, highlight the challenges in applying them, summarize existing research to address some of these challenges, and identify gaps and opportunities to be addressed by future research.}, KEYWORDS = {Assurance, Self-adaptation} } @InProceedings{2016/Ruchkin/integration, AUTHOR = {Ruchkin, Ivan}, TITLE = {Integration Beyond Components and Models: Research Challenges and Directions}, YEAR = {2016}, MONTH = {April}, BOOKTITLE = {Proceedings of the 3rd Architecture Centric Virtual Integration Workshop}, ADDRESS = {Venice, Italy}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/acvi-2016.pdf}, ABSTRACT = {Recent research in embedded and cyber-physical systems has developed theories and tools for integration of heterogeneous components and models. These efforts, although important, are insufficient for high-quality and error-free systems integration since inconsistencies between system elements may stem from factors not directly represented in models (e.g., analysis tools and expert disagreements). Therefore, we need to broaden our perspective on integration, and devise approaches in three novel directions of integration: modeling methods, data sets, and humans. This paper summarizes the latest advances, and discusses those directions and associated challenges in integration for cyber-physical systems.}, KEYWORDS = {Cyberphysical Systems, Software Architecture} } @TechReport{2015/SeminalSE, AUTHOR = {Shaw, Mary and Aldrich, Jonathan and Breux, Travis and Garlan, David and Herbsleb, James and K\"astner, Christian and Le Goues, Claire and Scherlis, William}, TITLE = {Seminal Papers in Software Engineering: The Carnegie Mellon Canonical Collection}, YEAR = {2015}, MONTH = {September}, NUMBER = {CMU-ISR-15-107}, INSTITUTION = {Institute for Software Research, Carnegie Mellon University}, URL = {http://repository.cmu.edu/isr/1033}, ABSTRACT = {To understand the context of current research, it is essential to understand how current results evolved from early fundamental papers. These classic papers develop timeless ideas that transcend technology changes, and the ideas embodied in their solutions often apply to current problems (and, indeed, are reinvented by researchers who are ignorant of the classic literature). Criteria for selection of the papers in the Canon include - Papers are selected for their overall significance. The papers should usually be the principal or definitive papers about an idea, rather than expository papers written after the idea has matured (these may appear in other reading lists). A rule of thumb is that the paper in the Canon should be the one you'd cite as the fundamental paper in its area. - Classic, timeless papers prove their significance over time. It follows that the papers of the Canon will generally be published a minimum of 12-15 years ago. - Some of the entries may be books. In these cases, the books should be important in their own right, but the entry should highlight one or a few specific passages in the book to focus on. Students should develop a sense of the rest of the book as well. - Because the size of the Canon is limited, authors will rarely be represented by multiple papers, and redundancy will generally be avoided. - All students should be familiar with all the papers, and the SE Research Core course should cover them. In practice this limits the size of the Canon to about 25 papers. The Carnegie Mellon Software Engineering faculty has selected this set of papers as a canonical collection of significant classic papers that balances completeness with reasonable size. All our software engineering students should read and understand these papers (or selections from books). Notes in this document explain the significance of the papers. We will endeavor to cover them in the Core Course in Software Engineering Research, and other courses may feel free to assume that students have read them.}, KEYWORDS = {Software Engineering} } @InProceedings{2016/Schmerl/AndroidSecurity, AUTHOR = {Schmerl, Bradley and Gennari, Jeffrey and Sadeghi, Alireza and Bagheri, Hamid and Malek, Sam and C\'{a}mara, Javier and Garlan, David}, TITLE = {Architecture Modeling and Analysis of Security in Android Systems}, YEAR = {2016}, MONTH = {30 November - 2 December}, BOOKTITLE = {Proceedings of the 10th European Conference on Software Architecture (ECSA 2016)}, VOLUME = {9839}, SERIES = {Lecture Notes in Computer Science}, ADDRESS = {Copenhagen, Denmark}, PUBLISHER = {Springer}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/architecture-modeling-analysis-cr.pdf}, ABSTRACT = {Software architecture modeling is important for analyzing system quality attributes, particularly security. However, such analyses often assume that the architecture is completely known in advance. In many modern domains, especially those that use plugin-based frameworks, it is not possible to have such a complete model because the software system continuously changes. The Android mobile operating system is one such framework, where users can install and uninstall apps at run time. We need ways to model and analyze such architectures that strike a balance between supporting the dynamism of the underlying platforms and enabling analysis, particularly throughout a system�s lifetime. In this paper, we describe a formal architecture style that captures the modifiable architectures of Android systems, and that supports security analysis as a system evolves. We illustrate the use of the style with two security analyses: a predicatebased approach defined over architectural structure that can detect some common security vulnerabilities, and inter-app permission leakage determined by model checking. We also show how the evolving architecture of an Android device can be obtained by analysis of the apps on a device, and provide some performance evaluation that indicates that the architecture can be amenable for use throughout the system�s lifetime.}, KEYWORDS = {Acme, Architectural Analysis, Architectural Style, Science of Security} } @InProceedings{MARTCPS16, AUTHOR = {Ruchkin, Ivan and Samuel, Selva and Schmerl, Bradley and Rico, Amanda and Garlan, David}, TITLE = {Challenges in Physical Modeling for Adaptation of Cyber-Physical Systems}, YEAR = {2016}, MONTH = {12-14 December}, BOOKTITLE = {Workshop on MARTCPS Models at Runtime and Networked Control for Cyber Physical Systems at IEEE World Forum on the Internet of Things}, ADDRESS = {Reston, Virginia}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MARTCPS2016.pdf}, ABSTRACT = {Cyber-physical systems (CPSs) mix software, hardware, and physical aspects with equal importance. Typically, the use of models of such systems during run time has concentrated only on managing and controlling the cyber (software) aspects. However, to fully realize the goals of a CPS, physical models too have to be treated as first-class models. This approach gives rise to three main challenges: (a) identifying and integrating physical and software models with different characteristics and semantics; (b) obtaining instances of physical models at a suitable level of abstraction for adaptation; and (c) using and adapting physical models to control CPSs. In this position paper, we elaborate on these three challenges and describe our vision of making physical models first-class entities in adaptation. We illustrate this vision in the context of power adaptation for a service robotic system.}, NOTE = {Winner of the IEEE World Forum on the Internet of Things Best Paper Award}, KEYWORDS = {Cyberphysical Systems} } @InProceedings{2017/Lamba/Cluster, AUTHOR = {Lamba, Hemank and Glazier, Thomas J. and C\'{a}mara, Javier and Schmerl, Bradley and Garlan, David and Pfeffer, J\"{u}rgen}, TITLE = {Model-based cluster analysis for identifying suspicious activity sequences in software}, YEAR = {2017}, MONTH = {24 March}, BOOKTITLE = {Proceedings of the 3rd International Workshop on Security and Privacy Analytics (IWSPA 2017)}, ADDRESS = {Scottsdale, AZ}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/model-based-cluster-submitted.pdf}, ABSTRACT = {Large software systems have to contend with a significant number of users who interact with different components of the system in various ways. The sequences of components that are used as part of an interaction define sets of behaviors that users have with the system. These can be large in number. Among these users, it is possible that there are some who exhibit anomalous behaviors – for example, they may have found back doors into the system and are doing something malicious. These anomalous behaviors can be hard to distinguish from normal behavior because of the number of interactions a system may have, or because traces may deviate only slightly from normal behavior. In this paper we describe a model-based approach to cluster sequences of user behaviors within a system and to find suspicious, or anomalous, sequences. We exploit the underlying software architecture of a system to define these sequences. We further show that our approach is better at detecting suspicious activities than other approaches, specifically those that use unigrams and bigrams for anomaly detection. We show this on a simulation of a large scale system based on Amazon Web application style architecture.}, KEYWORDS = {Science of Security} } @Book{Schmerl:MASA:2016, TITLE = {Managing Trade-offs in Adaptable Software Architectures}, YEAR = {2016}, MONTH = {August}, EDITOR = {Mistrik, Ivan and Ali, Nour and Grundy, John and Schmerl, Bradley}, PUBLISHER = {Morgan Kaufmann}, KEYWORDS = {Self-adaptation, Software Architecture} } @Article{2017:Camara:Resilience, AUTHOR = {C\'{a}mara, Javier and de Lemos, Rog\'{e}rio and Laranjeiro, Nuno and Ventura, Rafael and Vieira, Marco}, TITLE = {Robustness-Driven Resilience Evaluation of Self-Adaptive Systems}, YEAR = {2017}, JOURNAL = {IEEE Transactions on Dependable and Secure Computing }, VOLUME = {14}, NUMBER = {1}, PAGES = {50-64}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/RD-RE-SAS-TDSC.pdf}, ABSTRACT = {An increasingly important requirement for certain classes of software-intensive systems is the ability to self-adapt their structure and behavior at run-time when reacting to changes that may occur to the system, its environment, or its goals. A major challenge related to self-adaptive software systems is the ability to provide assurances of their resilience when facing changes. Since in these systems, the components that act as controllers of a target system incorporate highly complex software, there is the need to analyze the impact that controller failures might have on the services delivered by the system. In this paper, we present a novel approach for evaluating the resilience of self-adaptive software systems by applying robustness testing techniques to the controller to uncover failures that can affect system resilience. The approach for evaluating resilience, which is based on probabilistic model checking, quantifies the probability of satisfaction of system properties when the target system is subject to controller failures. The feasibility of the proposed approach is evaluated in the context of an industrial middleware system used to monitor and manage highly populated networks of devices, which was implemented using the Rainbow framework for architecture-based self-adaptation.}, KEYWORDS = {Assurance, Landmark, Rainbow, Resilience, Self-adaptation} } @InProceedings{2017:Moreno:CobRAPLA, AUTHOR = {Moreno, Gabriel A. and Papadopoulos, Alessandro V. and Angelopoulo, Konstantinos and C\'{a}mara, Javier and Schmerl, Bradley}, TITLE = {Comparing Model-Based Predictive Approaches to Self-Adaptation: CobRA and PLA}, YEAR = {2017}, MONTH = {22-23 May}, BOOKTITLE = {Proceedings of the 12th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2017)}, ADDRESS = {Buenos Aires, Argentina}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PLAvsCobRA.pdf}, ABSTRACT = {Modern software-intensive systems must often guarantee certain quality requirements under changing run-time conditions and high levels of uncertainty. Self-adaptation has proven to be an effective way to engineer systems that can address such challenges, but many of these approaches are purely reactive and adapt only after a failure has taken place. To overcome some of the limitations of reactive approaches (e.g., lagging behind environment changes and favoring short-term improvements), recent proactive self-adaptation mechanisms apply ideas from control theory, such as model predictive control (MPC), to improve adaptation. When selecting which MPC approach to apply, the improvement that can be obtained with each approach is scenario-dependent, and so guidance is needed to better understand how to choose an approach for a given situation. In this paper, we compare CobRA and PLA, two approaches that are inspired by MPC. CobRA is a requirements-based approach that applies control theory, whereas PLA is architecture-based and applies stochastic analysis. We compare the two approaches applied to RUBiS, a benchmark system for web and cloud application performance, discussing the required expertise needed to use both approaches and comparing their run-time performance with respect to different metrics.}, KEYWORDS = {Self-adaptation} } @InProceedings{2017:Pandey:HybridPlanningFormalization, AUTHOR = {Pandey, Ashutosh and Ruchkin, Ivan and Schmerl, Bradley and C\'{a}mara, Javier}, TITLE = {Towards a Formal Framework for Hybrid Planning in Self-Adaptation}, YEAR = {2017}, MONTH = {22-23 May}, BOOKTITLE = {Proceedings of the 12th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2017)}, ADDRESS = {Buenos Aires, Argentina}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/hybrid-planning-seams2017.pdf}, ABSTRACT = {Approaches to self-adaptation face a fundamental trade-off between quality and timeliness in decision-making. Due to this trade-off, designers of self-adaptive systems often have to find a fixed and suboptimal compromise between these two requirements. Recent work has proposed the hybrid planning approach that can resolve this trade-off dynamically and potentially in an optimal way. The promise of hybrid planning is to combine multiple planners at run time to produce adaptation plans of the highest quality within given time constraints. However, since decision-making approaches are complex and diverse, the problem of combining them is even more difficult, and no frameworks for hybrid planning. This paper makes an important step in simplifying the problem of hybrid planning by formalizing it and decomposing it into four simpler subproblems. These formalizations will serve as a foundation for creating and evaluating engineering solutions to the hybrid planning problem.}, KEYWORDS = {Planning, Self-adaptation} } @InProceedings{2017:Camara:ArchitectureSynthesis, AUTHOR = {C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Synthesis and Quantitative Verification of Tradeoff Spaces for Families of Software Systems}, YEAR = {2017}, MONTH = {11-15 September}, BOOKTITLE = {Proceedings of the 11th European Conference on Software Architecture}, ADDRESS = {Cantebury, UK}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/cgsecsa17.pdf}, ABSTRACT = {Designing software in a way that provides guarantees about run-time behavior while achieving an acceptable balance between multiple extra-functional properties is still an open problem. Tools and techniques to inform engineers about poorly-understood design spaces are needed. To tackle this problem, we propose an approach that combines synthesis of spaces of system design alternatives from formal specifications of architectural styles with quantitative verification applied to every point of the generated solution space. The main contribution of this paper is a formal framework for specification-driven synthesis and analysis of design spaces that provides formal guarantees about the correctness of system behaviors and satisfies quantitative properties (e.g., defined over system qualities). We illustrate our proposal by analyzing the configuration space of a Tele Assistance System (TAS) using a prototype implementation of our approach.}, NOTE = {Winner of the ECSA Best Paper Award}, KEYWORDS = {Architectural Style, Formal Methods, Model Checking, Software Architecture} } @InProceedings{Dwivedi:EUC:2017, AUTHOR = {Dwivedi, Vishal and Herbsleb, James and Garlan, David}, TITLE = {What Ails End-User Composition: A Cross-Domain Qualitative Study}, YEAR = {2017}, BOOKTITLE = {End-User Development. IS-EUD 2017}, VOLUME = {10303}, SERIES = {Lecture Notes in Computer Science}, PUBLISHER = {Springer}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Dwivedi2017_Chapter_WhatAilsEnd-UserCompositionACr.pdf}, ABSTRACT = {Across many domains, end-users need to compose computational elements into novel configurations to perform their day-to-day tasks. End-user composition is a common programming activity performed by such end-users to accomplish this composition task. While there have been many studies on end-user programming, we still need a better understanding of activities involved in end-user composition and environments to support them. In this paper we report a qualitative study of four popular composition environments belonging to diverse application domains, including: Taverna workflow environment for life sciences, Loni Pipeline for brain imaging, SimMan3G for medical simulations and Kepler for scientific simulations. We interview end-users of these environments to explore their experiences while performing common compositions tasks. We use “Content Analysis” technique to analyze these interviews to explore what are the barriers to end-user composition in these domains. Furthermore, our findings show that there are some unique differences in the requirements of naive end-users vs. expert programmers. We believe that not only are these findings useful to improve the quality of end-user composition environments, but they can also help towards development of better end-user composition frameworks.}, KEYWORDS = {End-user Architecture} } @InProceedings{2017:Uncertainty:Camara, AUTHOR = {C\'{a}mara, Javier and Peng, Wenxin and Garlan, David and Schmerl, Bradley}, TITLE = {Reasoning about Sensing Uncertainty in Decision-Making for Self-Adaptation}, YEAR = {2017}, MONTH = {5 September}, BOOKTITLE = {Proceedings of the 15th International Workshop on Foundations of Coordination Languages and Self-Adaptive Systems (FOCLASA 2017)}, VOLUME = {10729}, SERIES = {Lecture Notes in Computer Science}, PUBLISHER = {Springer}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CPGS-CR-foclasa17.pdf}, ABSTRACT = {Self-Adaptive systems are expected to adapt to unanticipated run-time events using imperfect information about their environment. This entails handling the effects of uncertainties in decision-making, which are not always considered as a first-class concern. This paper contributes a formal analysis technique that explicitly considers uncertainty in sensing when reasoning about the best way to adapt. We illustrate our approach on a Denial of Service (DoS) attack scenario and present some preliminary results that show the benefits of uncertainty-aware decision-making with respect to using an uncertainty-ignorant approach.}, KEYWORDS = {Self-adaptation, uncertainty} } @Article{2018/Moreno/FlexibleLatency, AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Flexible and Efficient Decision-Making for Proactive Latency-Aware Self-Adaptation}, YEAR = {2018}, MONTH = {May}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems}, VOLUME = {13}, NUMBER = {1}, ABSTRACT = {Proactive latency-aware adaptation is an approach for self-adaptive systems that considers both the current and anticipated adaptation needs when making adaptation decisions, taking into account the latency of the available adaptation tactics. Since this is a problem of selecting adaptation actions in the context of the probabilistic behavior of the environment, Markov decision processes (MDP) are a suitable approach. However, given all the possible interactions between the different and possibly concurrent adaptation tactics, the system, and the environment, constructing the MDP is a complex task. Probabilistic model checking has been used to deal with this problem, but it requires constructing the MDP every time an adaptation decision is made to incorporate the latest predictions of the environment behavior. In this article, we describe PLA-SDP, an approach that eliminates that run-time overhead by constructing most of the MDP offine. At run time, the adaptation decision is made by solving the MDP through stochastic dynamic programming, weaving in the environment model as the solution is computed. We also present extensions that support different notions of utility, such as maximizing reward gain subject to the satisfaction of a probabilistic constraint, making PLA-SDP applicable to systems with different kinds of adaptation goals.}, NOTE = {https://doi.org/10.1145/3149180}, KEYWORDS = {Latency-aware, Self-adaptation} } @InProceedings{2017:Pandey:IBLHP, AUTHOR = {Pandey, Ashutosh and Schmerl, Bradley and Garlan, David}, TITLE = {Instance-based Learning for Hybrid Planning}, YEAR = {2017}, MONTH = {18-22 September}, BOOKTITLE = {Proceedings of the 3rd International Workshop on Data-driven Self-regulating Systems (DSS 2017)}, ADDRESS = {Tucson, AZ, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IBL-DSS2017.pdf}, ABSTRACT = {Due to the fundamental trade-off between quality and timeliness of planning, designers of self-adaptive systems often have to compromise between an approach that is quick to find an adaptation plan and an approach that is slow but finds a quality adaptation plan. To deal with this trade-off, in our previous work, we proposed a hybrid planning approach that combines a deliberative and a reactive planning approach to find a balance between quality and timeliness of planning. However, when reactive and deliberative planning is combined to instantiate a hybrid planner, the key challenge is to decide which approach(es) should be invoked to solve a planning problem. To this end, this paper proposes to use a data-driven instance-based learning to find an appropriate combination of the two planning approaches when solving a planning problem. As an initial proof of concept, the paper presents results of a small experiment that demonstrates the potential of the proposed approach to identify a combination of the two planning approaches to solve a planning problem.}, KEYWORDS = {Planning, Self-adaptation} } @InProceedings{2001/Dependable/NASA, AUTHOR = {Rouquette, Nicolas and Medvidovic, Nenad and Garlan, David}, TITLE = {Dependable Autonomous Systems = knowing well what to do + knowing how to do it well}, YEAR = {2001}, MONTH = {10-12 January}, BOOKTITLE = {Proceedings of the NASA High Dependability Computing Consortium Workshop}, ADDRESS = {NASA AMES, Moffett Field, CA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/01-0052.pdf}, ABSTRACT = {This position paper reflects upon experiences and lessons learned from several spacecraft projects at JPL and JPL's recent collaboration with software architecture researchers from USC and CMU.}, KEYWORDS = {Self-adaptation} } @InProceedings{2017:Camara:RTSS, AUTHOR = {Seetanandi, Gautham Nayak and C\'{a}mara, Javier and Almeida, Luis and Årz\'{e}n, Karl-Erik and Maggio, Martina}, TITLE = {Event-Driven Bandwidth Allocation with Formal Guarantees for Camera Networks}, YEAR = {2017}, MONTH = {5-8 December}, BOOKTITLE = {Proceedings of the 2017 IEEE Real-Time Systems Symposium}, ADDRESS = {Paris, France}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/RTSS17_Gautham.pdf}, ABSTRACT = {Modern computing systems are often formed by multiple components that interact with each other through the use of shared resources (e.g., CPU, network bandwidth, storage). In this paper, we consider a representative scenario of one such system in the context of an Internet of Things application. The system consists of a network of self-adaptive cameras that share a communication channel, transmitting streams of frames to a central node. The cameras can modify a quality parameter to adapt the amount of information encoded and to affect their bandwidth requirements and usage. A critical design choice for such a system is scheduling channel access, i.e., how to determine the amount of channel capacity that should be used by each of the cameras at any point in time. Two main issues have to be considered for the choice of a bandwidth allocation scheme: (i) camera adaptation and network access scheduling may interfere with one another, (ii) bandwidth distribution should be triggered only when necessary, to limit additional overhead. This paper proposes the first formally verified event-triggered adaptation scheme for bandwidth allocation, designed to minimize additional overhead in the network. Desired properties of the system are verified using model checking. The paper also describes experimental results obtained with an implementation of the scheme. }, KEYWORDS = {Formal Methods, Self-adaptation} } @TechReport{Wagner:APT:2017, AUTHOR = {Wagner, Ryan and Fredrikson, Matthew and Garlan, David}, TITLE = {An Advanced Persistent Threat Exemplar}, YEAR = {2017}, MONTH = {July}, NUMBER = {CMU-ISR-17-100}, INSTITUTION = {Institute of Software Research, Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CMU-ISR-17-100.pdf}, ABSTRACT = {Security researchers do not have sufficient example systems for conducting research on advanced persistent threats, and companies and agencies that experience attacks in the wild are reluctant to release detailed information that can be examined. In this paper, we describe an Advanced Persistent Threat Exemplar that is intended to provide a real-world attack scenario with sufficient complexity for reasoning about defensive system adaptation, while not containing so much information as to be too complex. It draws from actual published attacks and experiences as a security engineer by the authors.}, NOTE = {http://reports-archive.adm.cs.cmu.edu/anon/isr2017/abstracts/17-100.html}, KEYWORDS = {Science of Security} } @TechReport{Camara/UncertaintyTR/2017, AUTHOR = {C\'{a}mara, Javier and Garlan, David and Kang, Won Gu and Peng, Wenxin and Schmerl, Bradley}, TITLE = {Uncertainty in Self-Adaptive Systems}, YEAR = {2017}, MONTH = {July}, NUMBER = {CMU-ISR-17-110}, INSTITUTION = {Institute for Software Research, Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CMU-ISR-17-110.pdf}, ABSTRACT = {Self-Adaptive systems are expected to adapt to unanticipated run-time events using imperfect information about their environment. This entails handling the effects of uncertainties in decision-making, which are not always considered as a first-class concern. This technical report summarizes a set of existing techniques and insights into addressing uncertainty in self-adaptive systems and outlines a future research agenda on uncertainty management in self-adaptive systems. The material in this report is strongly informed by our own research in the area, and is therefore not necessarily representative of other works.}, NOTE = {http://reports-archive.adm.cs.cmu.edu/anon/isr2017/abstracts/17-110.html}, KEYWORDS = {Human-in-the-loop, Self-adaptation, uncertainty} } @InProceedings{Pandey:FAS2017:Hybrid, AUTHOR = {Pandey, Ashutosh}, TITLE = {Hybrid Planning in Self-Adaptive Systems}, YEAR = {2017}, MONTH = {18-22 September}, BOOKTITLE = {FAS* Foundations and Applications of Self* Systems (FAS* 2017) Doctoral Symposium}, ADDRESS = {Tucson, AZ, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/HybridPlanningDoctoralSymposium.pdf}, ABSTRACT = {Self-adaptive software systems make decisions at run time that seek to change their behavior in response to faults, changing environments and attacks. Therefore, having an appropriate planning approach to find an adaptation plan is critical to successful self-adaptation. For many realistic systems, ideally one would like to have a planning approach that is both quick and finds an optimal adaptation plan. However, due to the fundamental trade-off between quality and timeliness of planning, often designers have to compromise between an approach that is quick to find a plan and an approach that is slow but finds an optimal plan. To deal with this trade-off, this work proposes a hybrid planning approach that combines more than one planning approach to bring their benefits together.}, KEYWORDS = {Planning, Self-adaptation} } @TechReport{2017:Shonan:CASAS, AUTHOR = {Garlan, David and D’Ippolito, Nicolas and Tei, Kenji}, TITLE = {The 2nd Controlled Adaptation of Self-Adaptive Systems Workshop (CASaS2017)}, YEAR = {2017}, MONTH = {24-28 July}, NUMBER = {NII-2017-10}, INSTITUTION = {National Institute of Informatics}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/No.2017-10-1.pdf}, ABSTRACT = {Self-adaptive systems are required to adapt its behaviour in the face of changes in their environment and goals. Such a requirement is typically achieved by developing a system as a closed-loop system following a Monitor-AnalysePlan-Act (MAPE) scheme. MAPE loops are a mechanism that allows systems to monitor their state and produce changes aiming to guarantee that the goals are met. In practice it is often the case that to achieve their desired goals, self-adaptive systems must combine a number of MAPE loops with different responsibilities and at different abstraction levels. Higher-level goals require decision-level mechanisms to produce a plan in terms of the high-level system actions to be performed. Various mechanisms have been proposed and developed for automatically generating decision-level plans (e.g., event-based controller synthesis), providing guarantees about the satisfaction of hard goals (e.g., providing a certain level of service), and supporting improvements in soft goals (e.g., doing this in an efficient or cost-effective manner). These decisions are often made at a time scale of seconds to minutes. Lower-level goals, on the other hand, typically require control mechanisms that sense the state of the system and environment and react at a fine time granularity of milliseconds. Solutions to this problem are typically based on classical control theory techniques such as discrete-time control. A successful adaptive system, then, must find ways to integrate these multiple levels of control, leading to an important question of how best to do that, and what concepts. Additionally, concepts from classical control theory (typically applied at low levels of control) can also be useful in understanding higher-level control. Recently the software engineering community has begun to study the application of control theory and the formal guarantees it provides in the context of software engineering. For example, the 2014 Dagstuhl Seminar “Control Theory meets Software Engineering”, is an example of such recent interest. That seminar discussed a variety of possible applications of control theory to software engineering problems. Also, and perhaps more relevant, is the first CASaS Shonan seminar held in 2016. The seminar focused on formal guarantees that can be provided in self-adaptive systems via the use of control theory (e.g., event-based controller synthesis and discrete-time control). The seminar was a success in many respects. It had over 30 attendees from more than 10 countries. The seminar was an active gathering of outstanding researchers in both control theory and software engineering, and provided a forum in which discussions on the connections between control theory and software engineering for self-adaptive systems could be held. Most of the attendees expressed their intention to continue studying and discussing the relation between control theory and software engineering, which was highlighted as key to address with the requirements of self-adaptive systems. As in the first edition we expected to involve a group of active researchers in key areas such as Self-Adaptive Systems, Control theory, Game theory, Software Engineering, and Requirements Engineering, creating an ideal environment to discuss current and future applications and possibilities of control theory as a mechanism to provide formal guarantees for self-adaptive systems (e.g., convergence, safety, stability). Encouraged by the success of the first CASaS, we expected to have a number of participants from a wide variety of research areas to further explore the benefits of incorporating the application capabilities and formal framework provided by control theory to self-adaptive systems. Among the research questions that we expected to discuss are: How to coordinate multiple levels of adaptive control? What kinds of properties from classical control theory can be applied at higher levels to guarantee certain properties? To what extent does the domain and contest of use influence the design of a control regime for adaptation? In what ways can AI techniques of planning and machine learning be applied to adaptive systems? How can one deal with uncertainty in a systematic fashion? How can control theory inform our decisions about ways to incorporate humans into self-adaptive systems? We envisaged the 5-day meeting to be organised in two main parts. During the first day, participants presented their background and what they are interested in, and there were three lectures about continuous control, discrete-event control, and hybrid approach were given. Then, for the remaining four days, we identified and discussed the most relevant topics selected by the participants in working groups. In the end, we decided to discuss about two topics: “cooperation and coordination” and “properties”. The first topic is concerned with ways to incorporate components with ‘’classical” control implementation into larger systems, which will typically be a mixture of discrete and continuous control, and may need to adapt at an architectural level at run time in response to environmental conditions. The second topic is concerned with ways to formalize properties that are used in control theory in terms that would be useful for systems that reason in terms of discrete control. We divided into two groups, discussed the topics, and created draft reports about the discussion. These reports were further edited and improved, and now constitute the main body of this report.}, KEYWORDS = {Control Theory, Self-adaptation} } @Article{2018:Camara:UncertaintyReduction, AUTHOR = {C\'{a}mara, Javier and Peng, Wenxin and Garlan, David and Schmerl, Bradley}, TITLE = {Reasoning about Sensing Uncertainty and its Reduction in Decision-Making for Self-Adaptation}, YEAR = {2018}, MONTH = {1 December}, JOURNAL = {Science of Computer Programming}, VOLUME = {167}, PAGES = {51-69}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/scp-uncertainty.pdf}, ABSTRACT = {Adaptive systems are expected to adapt to unanticipated run-time events using imperfect information about themselves, their environment, and goals. This entails handling the effects of uncertainties in decision-making, which are not always considered as a first-class concern. This paper contributes a formal analysis technique that explicitly considers uncertainty in sensing when reasoning about the best way to adapt, together with uncertainty reduction mechanisms to improve system utility. We illustrate our approach on a Denial of Service (DoS) attack scenario and present results that demonstrate the benefits of uncertainty-aware decision-making in comparison to using an uncertainty-ignorant approach, both in the presence and absence of uncertainty reduction mechanisms.}, KEYWORDS = {Formal Methods, Self-adaptation} } @InProceedings{Ruchkin/2018/IPL, AUTHOR = {Ruchkin, Ivan and Sunshine, Joshua and Iraci, Grant and Schmerl, Bradley and Garlan, David}, TITLE = {IPL: An Integration Property Language for Multi-Model Cyber-Physical Systems}, YEAR = {2018}, MONTH = {15-17 July}, BOOKTITLE = {22nd International Symposium on Formal Methods (FM2018)}, ADDRESS = {Oxford, UK}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fm2018-paper-camera-ready-1.pdf}, ABSTRACT = {Design and verification of modern systems requires diverse models, which often come from a variety of disciplines, and it is challenging to manage their heterogeneity – especially in the case of cyber-physical systems. To check consistency between models, recent approaches map these models to flexible static abstractions, such as architectural views. This model integration approach, however, comes at a cost of reduced expressiveness because complex behaviors of the models are abstracted away. As a result, it may be impossible to automatically verify important behavioral properties across multiple models, leaving systems vulnerable to subtle bugs. This paper introduces the Integration Property Language (IPL) that improves integration expressiveness using modular verification of properties that depend on detailed behavioral semantics while retaining the ability for static system-wide reasoning. We prove that the verification algorithm is sound and analyze its termination conditions. Furthermore, we perform a case study on a mobile robot to demonstrate IPL is practically useful and evaluate its performance.}, NOTE = {Appendices}, KEYWORDS = {Cyberphysical Systems, Formal Methods, Model Checking} } @InProceedings{SEAMS:SWIM:2018, AUTHOR = {Moreno, Gabriel A. and Schmerl, Bradley and Garlan, David}, TITLE = {SWIM: An Exemplar for Evaluation and Comparison of Self-Adaptation Approaches for Web Applications}, YEAR = {2018}, MONTH = {28-29 May}, BOOKTITLE = {Proceedings of the 13th International Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ADDRESS = {Gothenburg, Sweden}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams18-swim-cr.pdf}, ABSTRACT = {Research in self-adaptive systems often uses web applications as target systems, running the actual software on real web servers. This approach has three drawbacks. First, these systems are not easy and/or cheap to deploy. Second, run-time conditions cannot be replicated exactly to compare diferent adaptation approaches due to uncontrolled factors. Third, running experiments is time- consuming. To address these issues, we present SWIM, an exemplar that simulates a web application. SWIM can be used as a target system with an external adaptation manager interacting with it through its TCP-based interface. Since the servers are simulated, this use case addresses the irst two problems. The full beneit of SWIM is attained when the adaptation manager is built as a simulation module. An experiment using a simulated 60-server cluster, processing 18 hours of traic with 29 million requests takes only 5 minutes to run on a laptop computer. SWIM has been used for evaluating self-adaptation approaches, and for a comparative study of model-based predictive approaches to self-adaptation.}, NOTE = {Best Artifact Paper Award Winner}, KEYWORDS = {Self-adaptation} } @Unpublished{2018/APTArtifact, AUTHOR = {Wagner, Ryan and Garlan, David and Fredrikson, Matthew}, TITLE = {An Advanced Persistent Threat Simulation Range for Research of Self-Adaptive Systems}, YEAR = {2018}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/APT_Testbed.pdf}, ABSTRACT = {While security is important to self-adaptive systems research, it is particularly difficult to simulate the characteristics of the most insidious adversary, the advanced persistent threat (APT). The research community requires an APT simulation environment that provides the realism and depth that is necessary for a sufficient simulation, but this should not be too complex, difficult, or expensive to use. Additionally, a successful simulation environment must ensure that malware does not escape into the wild. We present a cyber range for self-adaptive systems researchers to simulate APTs, complete with an example system under test and attack scenario.}, NOTE = {Submitted for publication}, KEYWORDS = {Science of Security} } @InProceedings{2018:SEAMS:Uncertainty, AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Klein, Mark}, TITLE = {Uncertainty Reduction in Self-Adaptive Systems}, YEAR = {2018}, MONTH = {28-29 May}, BOOKTITLE = {Proc. of the 13th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS)}, ADDRESS = {Gothenburg, Sweden}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams18-ur-cr.pdf}, ABSTRACT = {Self-adaptive systems depend on models of themselves and their environment to decide whether and how to adapt, but these models are often affected by uncertainty. While current adaptation decision approaches are able to model and reason about this uncertainty, they do not consider ways to reduce it. This presents an opportunity for improving decision-making in self-adaptive systems, because reducing uncertainty results in a better characterization of the current and future states of the system and the environment (at some cost), which in turn supports making better adaptation decisions. We propose uncertainty reduction as the natural next step in uncertainty management in the field of self-adaptive systems. This requires both an approach to decide when to reduce uncertainty, and a catalog of tactics to reduce different kinds of uncertainty. We present an example of such a decision, examples of uncertainty reduction tactics, and describe how uncertainty reduction requires changes to the different activities in the typical self-adaptation loop.}, KEYWORDS = {Self-adaptation, uncertainty} } @InProceedings{SEsCPS:Explanation:2018, AUTHOR = {Sukkerd, Roykrong and Simmons, Reid and Garlan, David}, TITLE = {Towards Explainable Multi-Objective Probabilistic Planning}, YEAR = {2018}, MONTH = {27 May}, BOOKTITLE = {Proceedings of the 4th International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS\'18)}, ADDRESS = {Gothenburg, Sweden}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE-WS-SEsCPS-13.pdf}, ABSTRACT = {Use of multi-objective probabilistic planning to synthesize behavior of CPSs can play an important role in engineering systems that must self-optimize for multiple quality objectives and operate under uncertainty. However, the reasoning behind automated planning is opaque to end-users. They may not understand why a particular behavior is generated, and therefore not be able to calibrate their confidence in the systems working properly. To address this problem, we propose a method to automatically generate verbal explanation of multi-objective probabilistic planning, that explains why a particular behavior is generated on the basis of the optimization objectives. Our explanation method involves describing objective values of a generated behavior and explaining any tradeoff made to reconcile competing objectives. We contribute: (i) an explainable planning representation that facilitates explanation generation, and (ii) an algorithm for generating contrastive justification as explanation for why a generated behavior is best with respect to the planning objectives. We demonstrate our approach on a mobile robot case study.}, KEYWORDS = {Explainable Software, Self-adaptation} } @InProceedings{2018:Wagner:HotSoS, AUTHOR = {Wagner, Ryan and Garlan, David and Fredrikson, Matthew}, TITLE = {Poster: Quantitative Underpinnings of Secure, Graceful Degradation}, YEAR = {2018}, MONTH = {10-11 April}, BOOKTITLE = {Proceedings of the 2018 Symposium of Hot Topics in the Science of Security}, ADDRESS = {Raleigh, North Carolina}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/hotsos-gracefuldegradation.pdf}, KEYWORDS = {Science of Security} } @InProceedings{2018:SEAMS:Uncertainty:Kinneer, AUTHOR = {Kinneer, Cody and Coker, Zack and Wang, Jiacheng and Garlan, David and Le Goues, Claire}, TITLE = {Managing Uncertainty in Self-Adaptive Systems with Plan Reuse and Stochastic Search}, YEAR = {2018}, MONTH = {28-29 May}, BOOKTITLE = {Proceedings of the 13th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams-uncertainty-kinneerpdf.pdf}, ABSTRACT = {Many software systems operate in environments where change and uncertainty are the rule, rather than exceptions. Techniques for self-adaptation allow these systems to automatically respond to environmental changes, yet they do not handle changes to the adaptive system itself, such as the addition or removal of adaptation tactics. Instead, changes in a self-adaptive system often require a human planner to redo an expensive planning process to allow the system to continue satisfying its quality requirements under different conditions; automated techniques typically must replan from scratch. We propose to address this problem by reusing prior planning knowledge to adapt in the face of unexpected situations. We present a planner based on genetic programming that reuses existing plans. While reuse of material in genetic algorithms has recently applied successfully in the area of automated program repair, we find that naïvely reusing existing plans for self-* planning actually results in a loss of utility. Furthermore, we propose a series of techniques to lower the costs of reuse, allowing genetic techniques to leverage existing information to improve planning utility when replanning for unexpected changes.}, NOTE = {Selected as a distinguished paper}, KEYWORDS = {Planning, Self-adaptation, Stochastic Search, uncertainty} } @Article{2019:Camara:Synthesis, AUTHOR = {C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Synthesizing Tradeoff Spaces of Quantitative Guarantees for Families of Software Systems}, YEAR = {2019}, MONTH = {June}, JOURNAL = {Journal of Systems and Software}, VOLUME = {152}, PAGES = {33-49}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CGS-JSS19.pdf}, ABSTRACT = {Designing software in a way that guarantees run-time behavior while achieving an acceptable balance among multiple quality attributes is an open problem. Providing guarantees about the satisfaction of the same requirements under uncertain environments is even more challenging. Tools and techniques to inform engineers about poorly-understood design spaces in the presence of uncertainty are needed, so that engineers can explore the design space, especially when tradeoffs are crucial. To tackle this problem, we describe an approach that combines synthesis of spaces of system design alternatives from formal specifications of architectural styles with probabilistic formal verification. The main contribution of this paper is a formal framework for specification-driven synthesis and analysis of design spaces that provides formal guarantees about the correctness of system behaviors and satisfies quantitative properties (e.g., defined over system qualities) subject to uncertainty, which is treated as a first-class entity. We illustrate our approach in two case studies: a service-based adaptive system and a mobile robotics architecture. Our results show how the framework can provide useful insights into how average case probabilistic guarantees can differ from worst case guarantees, emphasizing the relevance of combining quantitative formal verification methods with structural synthesis, in contrast with techniques based on simulation and dynamic analysis that can only provide estimates about average case probabilistic properties.}, NOTE = {https://doi.org/10.1016/j.jss.2019.02.055}, KEYWORDS = {Architectural Analysis, Architectural Style, Assurance} } @Unpublished{2018:Pandey:Hybrid, AUTHOR = {Pandey, Ashutosh and Ruchkin, Ivan and Schmerl, Bradley and C\'{a}mara, Javier and Garlan, David}, TITLE = {Formalizing the Hybrid Planning Problem for Self-Adaptation}, YEAR = {2019}, ABSTRACT = {Planning approaches in self-adaptation face the fundamental trade-off between quality and timeliness of adaptation plans. Due to this trade-off, today designers often have to compromise between a planning approach that is quick to find a plan and an approach that is slow but finds a quality plan. To deal with this trade-off, researchers have proposed a hybrid planning approach that combines more than one planning approaches to find a balance between quality and timeliness. However, the diversity of planning approaches makes the problem of hybrid planning complex and multi-faceted. This paper advances the theory of hybrid planning by formalizing the central concepts and four subproblems of hybrid planning. This formalization can serve as a foundation for not only understanding and comparing existing hybrid planners, but also for developing new hybrid planners in the future. Moreover, to illustrate practicality of the formal model, the paper uses it to analyze two hybrid planning instantiations that have shown to effective in their respective contexts. Furthermore, grounded on the formal model, the paper formalizes explicit/implicit assumptions about these instantiations that must hold for them to be sound.}, NOTE = {Submitted for publication}, KEYWORDS = {Formal Methods, Planning, Self-adaptation} } @Article{2018/MOSAICO, AUTHOR = {C\'{a}mara, Javier and Schmerl, Bradley and Moreno, Gabriel A. and Garlan, David}, TITLE = {MOSAICO: Offline Synthesis of Adaptation Strategy Repertoires with Flexible Trade-Offs}, YEAR = {2018}, MONTH = {September}, JOURNAL = {Automated Software Engineering}, VOLUME = {25}, NUMBER = {3}, PAGES = { 595–626}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Cámara2018_Article_MOSAICOOfflineSynthesisOfAdapt.pdf}, ABSTRACT = {Self-adaptation improves the resilience of software-intensive systems, enabling them to adapt their structure and behavior to run-time changes (e.g., in workload and resource availability). Many of these approaches reason about the best way of adapting by synthesizing adaptation plans online via planning or model checking tools. This method enables the exploration of a rich solution space, but optimal solutions and other guarantees (e.g., constraint satisfaction) are computationally costly, resulting in long planning times during which changes may invalidate plans. An alternative to online planning involves selecting at run time the adaptation best suited to the current system and environment conditions from among a predefined repertoire of adaptation strategies that capture repair and optimization tasks. This method does not incur run-time overhead but requires additional effort from engineers, who have to specify strategies and lack support to systematically assess their quality. In this article, we present MOSAICO, an approach for offline synthesis of adaptation strategy repertoires that makes a novel use of discrete abstractions of the state space to flexibly adapt extra-functional behavior in a scalable manner. The approach supports making trade-offs: (i) among multiple extra-functional concerns, and (ii) between computation time and adaptation quality (varying abstraction resolution). Our results show a remarkable improvement on system qualities in contrast to manually-specified repertoires. More interestingly, moderate increments in abstraction resolution can lead to pronounced quality improvements, whereas high resolutions yield only negligible improvement over medium resolutions.}, NOTE = {Springer Link}, KEYWORDS = {Formal Methods, Planning, Rainbow, Self-adaptation} } @Misc{2018:Ruchkin:IPL, AUTHOR = {Ruchkin, Ivan and Sunshine, Joshua and Iraci, Grant and Schmerl, Bradley and Garlan, David}, TITLE = {Appendix for IPL: An Integration Property Language for Multi-Model Cyber-Physical Systems}, YEAR = {2018}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fm2018-appendix.pdf}, NOTE = {Paper Reference} } @InProceedings{Mendonca:AKSAS:2018, AUTHOR = {Mendon\c{c}a, Nabor C. and Garlan, David and Schmerl, Bradley and C\'{a}mara, Javier}, TITLE = {Generality vs. Reusability in Architecture-Based Self-Adaptation: The Case for Self-Adaptive Microservices}, YEAR = {2018}, MONTH = {24-28 September}, BOOKTITLE = {The 12th European Conference on Software Architecture: Companion Proceedings}, ADDRESS = {Madrid, Spain}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/aksas2018-final.pdf}, ABSTRACT = {Why is it so difficult to build self-adaptive systems by reusing existing self-adaptation services and frameworks? In this paper, we argue that one possible explanation is that there is a fundamental mismatch between the adaptation needs of modern software systems, and the architectural models and adaptation mechanisms supported by current self-adaptation solutions. We identify and discuss the main reasons leading to this problem by looking into a number of representative self-adaptation solutions that have been proposed in recent years, including open source frameworks and cloud-based services, from two perspectives: generality, i.e., their ability to support a variety of architectural models and adaptation mechanisms, and reusability, i.e., their ability to be reused without requiring substantial effort from software developers. We then make the case that recent industry progress toward microservices and their enabling technologies can open the way to the development of more general and reusable self-adaptation solutions.}, KEYWORDS = {Self-adaptation} } @PhdThesis{Moreno:Thesis:2017, AUTHOR = {Moreno, Gabriel A.}, TITLE = {Adaptation Timing in Self-Adaptive Systems}, YEAR = {2017}, MONTH = {April}, SCHOOL = {Institute for Software Research, School of Computer Science,Carnegie Mellon University}, URL = {http://reports-archive.adm.cs.cmu.edu/anon/isr2017/abstracts/17-103.html}, ABSTRACT = {Software-intensive systems are increasingly expected to operate under changing and uncertain conditions, including not only varying user needs and workloads, but also fluctuating resource capacity. Self-adaptation is an approach that aims to address this problem, giving systems the ability to change their behavior and structure to adapt to changes in themselves and their operating environment without human intervention. Self-adaptive systems tend to be reactive and myopic, adapting in response to changes without anticipating what the subsequent adaptation needs will be. Adapting reactively can result in inefficiencies due to the system performing a suboptimal sequence of adaptations. Furthermore, some adaptation tactics—atomic adaptation actions that leave the system in a consistent state—have latency and take some time to produce their effect. In that case, reactive adaptation causes the system to lag behind environment changes. What is worse, a long running adaptation action may prevent the system from performing other adaptations until it completes, further limiting its ability to effectively deal with the environment changes. To address these limitations and improve the effectiveness of self-adaptation, we present proactive latency-aware adaptation, an approach that considers the timing of adaptation (i) leveraging predictions of the near future state of the environment to adapt proactively; (ii) considering the latency of adaptation tactics when deciding how to adapt; and (iii) executing tactics concurrently. We have developed three different solution approaches embodying these principles. One is based on probabilistic model checking, making it inherently able to deal with the stochastic behavior of the environment, and guaranteeing optimal adaptation choices over a finite decision horizon. The second approach uses stochastic dynamic programming to make adaptation decisions, and thanks to performing part of the computations required to make those decisions off-line, it achieves a speedup of an order of magnitude over the first solution approach without compromising optimality. A third solution approach makes adaptation decisions based on repertoires of adaptation strategies— predefined compositions of adaptation tactics. This approach is more scalable than the other two because the solution space is smaller, allowing an adaptive system to reap some of the benefits of proactive latency-aware adaptation even if the number of ways in which it could adapt is too large for the other approaches to consider all these possibilities. We evaluate the approach using two different classes of systems with different adaptation goals, and different repertoires of adaptation strategies. One of them is a web system, with the adaptation goal of utility maximization. The other is a cyberphysical system operating in a hostile environment. In that system, self-adaptation must not only maximize the reward gained, but also keep the probability of surviving a mission above a threshold. In both cases, our results show that proactive latency-aware adaptation improves the effectiveness of self-adaptation with respect to reactive time-agnostic adaptation.}, NOTE = {Technical Report CMU-ISR-17-103}, KEYWORDS = {Latency-aware, Rainbow, Self-adaptation} } @Article{Mead:SEE:2018, AUTHOR = {Mead, Nancy and Garlan, David and Shaw, Mary}, TITLE = {Half a Century of Software Engineering Education: The CMU Exemplar}, YEAR = {2018}, MONTH = {September}, JOURNAL = {IEEE Software, Special Issue on 50th Anniversary of Software Engineering}, VOLUME = {35}, NUMBER = {5}, PAGES = {25 -- 31}, URL = {https://ieeexplore.ieee.org/document/8409913}, ABSTRACT = {Now, more than ever, the software profession needs rigorous software engineering education based on enduring principles. This must reach the increasing diversity of the developer community and the diverse paths the developer takes into the profession. }, NOTE = {Issue received the 2018 APEX Award of Excellence}, KEYWORDS = {Education, Software Engineering} } @InProceedings{2019/Jamshidi/ML, AUTHOR = {Jamshidi, Pooyan and C\'{a}mara, Javier and Schmerl, Bradley and K\"astner, Christian and Garlan, David}, TITLE = {Machine Learning Meets Quantitative Planning: Enabling Self-adaptation in Autonomous Robots}, YEAR = {2019}, MONTH = {25-26 May}, BOOKTITLE = {Proceedings of the 14th Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ADDRESS = {Montreal, Canada}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEAMS2019-ML.pdf}, ABSTRACT = {Modern cyber-physical systems (e.g., robotics systems) are typically composed of physical and software components, the characteristics of which are likely to change over time. Assumptions about parts of the system made at design time may not hold at run time, especially when a system is deployed for long periods (e.g., over decades). Self-adaptation is designed to find reconfigurations of systems to handle such run-time inconsistencies. Planners can be used to find and enact optimal reconfigurations in such an evolving context. However, for systems that are highly configurable, such planning becomes intractable due to the size of the adaptation space. To overcome this challenge, in this paper we explore an approach that (a) uses machine learning to find Pareto-optimal configurations without needing to explore every configuration, and (b) restricts the search space to such configurations to make planning tractable. We explore this in the context of robot missions that need to consider task timeliness and energy consumption. An independent evaluation shows that our approach results in high quality adaptation plans in uncertain and adversarial environments. }, KEYWORDS = {Cyberphysical Systems, Self-adaptation} } @InProceedings{2020:ICSA:Microservices, AUTHOR = {Mendon\c{c}a, Nabor C. and Aderaldo, Carlos and C\'{a}mara, Javier and Garlan, David}, TITLE = {Model-Based Analysis of Microservice Resiliency Patterns}, YEAR = {2020}, MONTH = {16-20 March}, BOOKTITLE = {Proceedings of the 2020 IEEE International Conference on Software Architecture}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PID63707632020_ICSA_Microservices.pdf}, ABSTRACT = {Microservice application developers try to mitigate the impact of partial outages typically by implementing service-to-service interactions that use well-known resiliency patterns, such as Retry, Fail Fast, and Circuit Breaker. However, those resiliency patterns–as well as their available open-source implementations–are often documented informally, leaving it up to application developers to figure out when and how to use those patterns in the context of a particular microservice application. In this paper, we take a first step towards improving on this situation by introducing a model checking-based approach in which we use the PRISM probabilistic model checker to analyze the behavior of the Retry and Circuit Breaker resiliency patterns as continuous-time Markov chains (CTMC). This approach has enabled us to quantify the impact of applying each resiliency pattern on multiple quality attributes, as well as to determine how to best tune their parameters to deal with varying service availability conditions, in the context of a simple client-service interaction scenario.}, KEYWORDS = {Model Checking, Software Architecture} } @Article{2019:IEEESoftware:BRASS, AUTHOR = {Aldrich, Jonathan and Garlan, David and K\"astner, Christian and Le Goues, Claire and Mohseni-Kabir, Anahita and Ruchkin, Ivan and Samuel, Selva and Schmerl, Bradley and Timperley, Christopher Steven and Veloso, Manuela and Voysey, Ian and Biswas, Joydeep and Guha, Arjun and Holtz, Jarrett and C\'{a}mara, Javier and Jamshidi, Pooyan}, TITLE = {Model-Based Adaptation for Robotics Software}, YEAR = {2019}, MONTH = {March}, JOURNAL = {IEEE Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/brass-mars-ieee-software2019.pdf}, ABSTRACT = {We have developed model-based adaptation, an approach that leverages models of software and its environment to enable automated adaptation. The goal of our approach is to build long-lasting mobile software systems that can effectively adapt to changes in their environment.}, KEYWORDS = {Self-adaptation} } @InProceedings{2019:Sukkerd:Explanation, AUTHOR = {Zhao, Ellin and Sukkerd, Roykrong}, TITLE = {Interactive Explanation for Planning-Based Systems}, YEAR = {2019}, MONTH = {16-18 April}, BOOKTITLE = {Proceedings of the 10th ACM/IEEE International Conference on Cyberphysical Systems, Work-in-Progress track}, ADDRESS = {Montreal, Canada}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/zhao_iccps.pdf}, ABSTRACT = {As Cyber-Physical Systems (CPSs) become more autonomous, it becomes harder for humans who interact with the CPSs to understand the behavior of the systems. Particularly for CPSs that must perform tasks while optimizing for multiple quality objectives and acting under uncertainty, it can be difficult for humans to understand the system behavior generated by an automated planner. This work-in-progress presents an approach at clarifying system behavior through interactive explanation by allowing end-users to ask Why and Why-Not questions about specific behaviors of the system, and providing answers in the form of contrastive explanation.}, KEYWORDS = {Explainable Software, Human-in-the-loop, Self-adaptation} } @Article{Bozhinoski:JSA:2019, AUTHOR = {Bozhinoski, Darko and Garlan, David and Malavolta, Ivano and Pelliccione, Patrizio}, TITLE = {Managing safety and mission completion via collective run-time adaptation}, YEAR = {2019}, JOURNAL = {Journal of Systems Architecture}, VOLUME = {95}, PAGES = {19--35}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SYSARC1584_201902001602722101.pdf}, ABSTRACT = {Mobile Multi-Robot Systems (MMRSs) are an emerging class of systems that are composed of a team of robots, various devices (like movable cameras, sensors) which collaborate with each other to accomplish defined missions. Moreover, these systems must operate in dynamic and potentially uncontrollable and unknown environments that might compromise the safety of the system and the completion of the defined mission. A model of the environment describing, e.g., obstacles, no-fly zones, wind and weather conditions might be available, however, the assumption that such a model is both correct and complete is often wrong. In this paper, we describe an approach that supports execution of missions at run time. It addresses collective adaptation problems in a decentralized fashion, and enables the addition of new entities in the system at any time. Moreover, it is based on two adaptation resolution methods: one for (potentially partial) resolution of mission-related issues and one for full resolution of safety-related issues.}, KEYWORDS = {Self-adaptation} } @InProceedings{Glazier:2019:metamanagement, AUTHOR = {Glazier, Thomas J. and Garlan, David}, TITLE = {An Automated Approach to Management of a Collection of Autonomic Systems}, YEAR = {2019}, MONTH = {16 June}, BOOKTITLE = {Proceedings of the 4th eCAS Workshop on Engineering Collective Adaptive Systems}, ADDRESS = {Umea, Sweden}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/eCASEv1.pdf}, ABSTRACT = {Modern enterprise IT systems are increasingly becoming compositions of many subsystems each of which is an autonomic system. These individual autonomic systems act independently to maintain their locally defined SLAs but can take actions which are inconsistent with and potentially detrimental to the global system objective. Currently, human administrators intervene to resolve these conflicts but are challenged by complexity in the prediction of current and future states of the constituent systems and their managers, multiple conflicting quality dimensions which may change over time, combinatorially large configuration space across the set of constituent systems, and the time critical nature of the decisions to be made to prevent further degradation. To address these challenges, this paper proposes an approach that enables the creation of a higher level autonomic system, referred to as a meta-manager, that does not subsume the control functions nor does it directly orchestrate the actions of the sub-autonomic managers. Instead, we encapsulate and abstract the behavior of each subsystem as a parameterized adaptation policy which can be adjusted by the meta-manager to tune the adaptive behavior of the subsystem adaptation. We can effectively instantiate this idea by considering each of the subsystems as a player in a stochastic multi-player game against it’s local environment, and synthesize an adaptation strategy using off-the-shelf tools for stochastic game analysis.}, KEYWORDS = {Meta-management, Self-adaptation} } @Unpublished{Kinneer:2019:informationreuse, AUTHOR = {Kinneer, Cody and Garlan, David and Le Goues, Claire}, TITLE = {Information Reuse and Stochastic Search: Managing Uncertainty in Self-* Systems}, YEAR = {2019}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/irss.pdf}, ABSTRACT = {Many software systems operate in environments of change and uncertainty. Techniques for self-adaptation allow these systems to automatically respond to environmental changes, yet they do not handle changes to the adaptive system itself, such as the addition or removal of adaptation tactics. Instead, changes in a self-adaptive system often require a human planner to redo an expensive planning process to allow the system to continue satisfying its quality requirements under different conditions; automated techniques must replan from scratch. We propose to address this problem by reusing prior planning knowledge to adapt to unexpected situations. We present a planner based on genetic programming that reuses existing plans, and evaluate this planner on two case study systems: a cloud-based web server, and a team of autonomous aircraft. While reusing material in genetic algorithms has been recently applied successfully in the area of automated program repair, we find that naively reusing existing plans for self-* planning can actually result in a utility loss. Furthermore, we propose a series of techniques to lower the costs of reuse, allowing genetic techniques to leverage existing information to improve utility when replanning for unexpected changes, we also find that coarsely shaped search-spaces present profitable opportunities for reuse.}, NOTE = {Submitted for publication}, KEYWORDS = {Self-adaptation, Stochastic Search} } @PhdThesis{Ruchkin:2019:Thesis, AUTHOR = {Ruchkin, Ivan}, TITLE = {Integration of Modeling Methods for Cyber-Physical Systems}, YEAR = {2019}, MONTH = {March}, SCHOOL = {Carnegie Mellon University}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ruchkin-20190328-final.pdf}, ABSTRACT = {Cyber-physical systems (CPS) incorporate digital (cyber) and mechanical (physical) elements that interact in complex ways. Many safety-critical CPS, such as autonomous vehicles and drones, are becoming increasingly widespread and hence demand rigorous quality assurance. To this end, CPS engineering relies on modeling methods, which use models to represent the system and design-time analyses to interpret/change the models. Coming from diverse scientific and engineering fields, these modeling methods are difficult to combine, or integrate, due to implicit relations and dependencies between them. CPS failures can lead to substantial damage or loss of life, and are often due to two key integration challenges: (i) inconsistencies between models — contradictions in models that do not add up to a cohesive design, and (ii) incorrect interactions of analyses — analyses performed out-of-order and in mismatched contexts, leading to erroneous analysis outputs. This thesis presents a novel approach to detect and prevent integration issues between CPS modeling methods during the design phase. To detect inconsistencies between models, the approach allows engineers to specify integration properties — quantified logical statements that relate elements of multiple models — in the Integration Property Language (IPL). IPL statements describe verifiable conditions that are equivalent to an absence of inconsistencies. To interface with the models, IPL relies on integration abstractions — simplified representations of models for integration purposes. This thesis proposes two abstractions: views (annotated component-and-connector models, inspired by software architecture) and behavioral properties (expressions in model-specific property languages, such as the linear temporal logic). Combining these abstractions lets engineers relate model structure and behavior in IPL statements. To ensure correct interactions of analyses, I introduce analysis contracts — a lightweight specification that captures inputs, outputs, assumptions, and guarantees for each analysis, in terms of the integration abstractions. Given these contracts, an analysis execution platform performs analyses in the order of their dependencies, and only in the contexts that guarantee correct outputs. My approach to integration was validated on four case studies of CPS modeling methods in different systems: energy-aware planning in a mobile robot, collision avoidance in a mobile robot, thread/battery scheduling in a quadrotor, and reliable/ secure sensing in an autonomous vehicle. This validation has shown that the approach can find safety-critical errors by specifying expressive integration properties and soundly checking them within practical constraints — all while being customizable to heterogeneous models, analyses, and domains.}, NOTE = {Institute for Software Research Technical Report CMU-ISR-18-107}, KEYWORDS = {Cyberphysical Systems, Formal Methods} } @InProceedings{Kinneer:2019:observability, AUTHOR = {Kinneer, Cody and Wagner, Ryan and Fang, Fei and Le Goues, Claire and Garlan, David}, TITLE = {Modeling Observability in Adaptive Systems to Defend Against Advanced Persistent Threats}, YEAR = {2019}, MONTH = {9-11 October}, BOOKTITLE = {Proceedings of the 17th ACM-IEEE International Conference on Formal Methods and Models for Systems Design (MEMCODE\'19)}, ADDRESS = {San Diego, USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/memocode2019.pdf}, ABSTRACT = {Advanced persistent threats (APTs) are a particularly troubling challenge for software systems. The adversarial nature of the security domain, and APTs in particular, poses unresolved challenges to the design of self-* systems, such as how to defend against multiple types of attackers with different goals and capabilities. In this interaction, the observability of each side is an important and under-investigated issue in the self-* domain. We propose a model of APT defense that elevates observability as a first-class concern. We evaluate this model by showing how an informed approach that uses observability improves the defender’s utility compared to a uniform random strategy, can enable robust planning through sensitivity analysis, and can inform observability-related architectural design decisions.}, KEYWORDS = {Science of Security, Self-adaptation} } @InProceedings{2019:SEAMS:DartSim, AUTHOR = {Moreno, Gabriel A. and Kinneer, Cody and Pandey, Ashutosh and Garlan, David}, TITLE = {DARTSim: An Exemplar for Evaluation and Comparison of Self-Adaptation Approaches for Smart Cyber-Physical Systems}, YEAR = {2019}, MONTH = {25-26 May}, BOOKTITLE = {Proceedings of the 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ADDRESS = {Montreal, Canada}, ABSTRACT = {Motivated by the need for cyber-physical systems (CPS) to perform in dynamic and uncertain environments, smart CPS (sCPS) utilize self-adaptive capabilities to autonomously manage uncertainties at the intersection of the cyber and physical worlds. In this context, self-adaptation approaches face particular challenges, including (i) environment monitoring that is subject to sensing errors; (ii) adaptation actions that take time, sometimes due to physical movement; (iii) dire consequences for not adapting in a timely manner; and (iv) incomparable objectives that cannot be conflated into a single utility metric (e.g., avoiding an accident vs. providing good service). To enable researchers to evaluate and compare self-adaptation approaches aiming to address these unique challenges of sCPS, we introduce the DARTSim exemplar. DARTSim implements a high-level simulation of a team of unmanned air vehicles (UAVs) performing a reconnaissance mission in a hostile and unknown environment. Designed to be easily used by researchers, DARTSim provides a TCP-based interface for easy integration with external adaptation managers, documentation, and a fast simulation capability.}, NOTE = {Awarded Best Artifact Award for SEAMS 2019}, KEYWORDS = {Self-adaptation} } @InProceedings{2019:Kubow, AUTHOR = {Aderaldo, Carlos and Mendon\c{c}a, Nabor C. and Schmerl, Bradley and Garlan, David}, TITLE = {Kubow: An Architecture-Based Self-Adaptation Service for Cloud Native Applications}, YEAR = {2019}, MONTH = {9-13 September}, BOOKTITLE = {Proceedings of the 2019 European Conference on Software Architecture: Tools Track}, ADDRESS = {Paris, France}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ecsa2019-tools-final.pdf}, ABSTRACT = {This paper presents Kubow, an extensible architecture-based selfadaptation service for cloud native applications. Kubow itself was implemented by customizing and extending the Rainbow self-adaptation framework with support for Docker containers and Kubernetes. The paper highlights Kubow’s architecture and main design decisions, and illustrates its use and configuration through a simple example. An accompanying demo video is available at the project’s web site: https://ppgia-unifor.github.io/kubow/.}, NOTE = {Awarded Best Demo}, KEYWORDS = {Self-adaptation} } @InProceedings{2020:ICDS:Lynceus, AUTHOR = {Casimiro, Maria and Didona, Diego and Romano, Paolo and Rodrigues, Luis and Zwaenepoel, Willy and Garlan, David}, TITLE = {Lynceus: Cost-efficient Tuning and Provisioning of Data Analytic Jobs}, YEAR = {2020}, MONTH = {8-10 July}, BOOKTITLE = {The 40th International Conference on Distributed Computing Systems}, ADDRESS = {Singapore}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICDCS_2020_paper_2972020_ICDS_Lynceus.pdf}, ABSTRACT = {Modern data analytic and machine learning jobs find in the cloud a natural deployment platform to satisfy their notoriously large resource requirements. Yet, to achieve cost efficiency, it is crucial to identify a deployment configuration that satisfies user-defined QoS constraints (e.g., on execution time), while avoiding unnecessary over-provisioning. This paper introduces Lynceus, a new approach for the optimization of cloud-based data analytic jobs that improves over state-of-the-art approaches by enabling significant cost savings both in terms of the final recommended configuration and of the optimization process used to recommend configurations. Unlike existing solutions, Lynceus optimizes in a joint fashion both the cloud-related (i.e., which and how many machines to provision) and the application-level (e.g. the hyper-parameters of a machine learning algorithm) parameters. This allows for a reduction of the cost of recommended configurations by up to 3.7X at the 90-th percentile with respect to existing approaches, which treat the optimization of cloud-related and application level parameters as two independent problems. Further, Lynceus reduces the cost of the optimization process (i.e., the cloud cost incurred for testing configurations) by up to 11X. Such an improvement is achieved thanks to two mechanisms: i) a timeout approach which allows to abort the exploration of configurations that are deemed suboptimal, while still extracting useful information to guide future explorations and to improve its predictive model — differently from recent works, which either incur the full cost for testing suboptimal configurations or are unable to extract any knowledge from aborted runs; ii) a long-sighted and budget-aware technique that determines which configurations to test by predicting the long-term impact of each exploration — unlike state-of-the-art approaches for the optimization of cloud jobs, which adopt greedy optimization methods.}, KEYWORDS = {Big data, Machine Learning, Resource Allocation} } @Article{Adepu:ExpInd:2022, AUTHOR = {Adepu, Sridhar and Li, Nianyu and Kang, Eunsuk and Garlan, David}, TITLE = {Modeling and Analysis of Explanation for Secure Industrial Control Systems}, YEAR = {2022}, MONTH = {July}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Explanation_for_Secure_Industrial_Control_System.pdf}, ABSTRACT = {Many self-adaptive systems benefit from human involvement and oversight, where a human operator can provide expertise not available to the system and detect problems that the system is unaware of. One way of achieving this synergy is by placing the human operator on the loop – i.e., providing supervisory oversight and intervening in the case of questionable adaptation decisions. To make such interaction effective, an explanation can play an important role in allowing the human operator to understand why the system is making certain decisions and improve the level of knowledge that the operator has about the system. This, in turn, may improve the operator’s capability to intervene and if necessarily, override the decisions being made by the system. However, explanations may incur costs, in terms of delay in actions and the possibility that a human may make a bad judgement. Hence, it is not always obvious whether an explanation will improve overall utility and, if so, what kind of explanation should be provided to the operator. In this work, we define a formal framework for reasoning about explanations of adaptive system behaviors and the conditions under which they are warranted. Specifically, we characterize explanations in terms of explanation content, effect, and cost. We then present a dynamic system adaptation approach that leverages a probabilistic reasoning technique to determine when an explanation should be used in order to improve overall system utility. We evaluate our explanation framework in the context of a realistic industrial control system with adaptive behaviors.}, NOTE = {https://dl.acm.org/doi/10.1145/3557898}, KEYWORDS = {Explainable Software, Formal Methods, Self-adaptation} } @InProceedings{ToD:ICSE:2019, AUTHOR = {D\"{u}rschmid, Tobias and Kang, Eunsuk and Garlan, David}, TITLE = {Trade-off-oriented Development: Making Quality Attribute Trade-offs First-class}, YEAR = {2019}, MONTH = {May}, BOOKTITLE = {Proceedings of the 41st International Conference on Software Engineering: New Ideas and Emerging Results}, ADDRESS = {Montreal, CA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/TradeoffOrientedDevelopmentToD_ICSE_2019.pdf}, ABSTRACT = {Implementing a solution for a design decision that precisely satisfies the trade-off between quality attributes can be extremely challenging. Further, typically quality attribute tradeoffs are not represented as first-class entities in development artifacts. Hence, decisions might be suboptimal and lack requirements traceability as well as changeability. We propose Tradeoff- oriented Development (ToD), a new concept to automate the selection and integration of reusable implementations for a given design decision based on quality attribute trade-offs. Implementations that vary in quality attributes and that solve reoccurring design decisions are collected in a design decision library. Developers declaratively specify the quality attribute trade-off, which is then used to automatically select the best fitting implementation. We argue that thereby, software could satisfy the trade-offs more precisely, requirements are traceable and changeable, and advances in implementations automatically improve existing software.}, KEYWORDS = {Software Architecture} } @Article{2019:Nabor:Microservice, AUTHOR = {Mendon\c{c}a, Nabor C. and Jamshidi, Pooyan and Garlan, David and Pahl, Claus}, TITLE = {Developing Self-Adaptive Microservice Systems: Challenges and Directions}, YEAR = {2019}, MONTH = {26 November}, JOURNAL = {IEEE Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/1910.07660.pdf}, ABSTRACT = {A self-adaptive system can dynamically monitor and adapt its behavior to preserve or enhance its quality attributes under uncertain operating conditions. This article identifies key challenges for the development of microservice applications as self-adaptive systems, using a cloud-based intelligent video surveillance application as a motivating example. It also suggests potential new directions for addressing most of the identified challenges by leveraging existing microservice practices and technologies.}, KEYWORDS = {Self-adaptation} } @InProceedings{2020:ICSE:RobotArchitecture, AUTHOR = {Malavolta, Ivano and Lewis, Grace A. and Schmerl, Bradley and Lago, Patricia and Garlan, David}, TITLE = {How do you Architect your Robots? State of the Practice and Guidelines for ROS-based System}, YEAR = {2020}, MONTH = {23-29 May}, BOOKTITLE = {Proceedings of the 42nd International Conference on Software Engineering: Software Engineering in Practice}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE_SEIP_20202020_ICSE_RobotArchitecture.pdf}, ABSTRACT = {The Robot Operating System (ROS) is the de-facto standard for robotic software. If on one hand ROS is helping roboticists, e.g., by providing a standardized communication platform, on the other hand ROS-based systems are getting larger and more complex and could benefit from good software architecture practices. This paper presents an observational study aimed at (i) unveiling the state of the practice for architecture of ROS-based systems and (ii) providing guidance to roboticists about how to properly architect ROS-based systems. To achieve these goals, we (i) build a dataset of 335 GitHub repositories containing real open-source ROS-based systems, (ii) mine the repositories for extracting the state of the practice about how roboticists are architecting them, and (iii) synthesize a catalog of 49 evidence-based guidelines for architecting ROS-based systems. The guidelines have been validated by 77 roboticists working on real-world open-source ROS-based systems. }, KEYWORDS = {Architectural Analysis, Software Architecture} } @InProceedings{2020:SEAMS:CoAdaptation, AUTHOR = {C\'{a}mara, Javier and Schmerl, Bradley and Garlan, David}, TITLE = {Software Architecture and Task Plan Co-Adaptation for Mobile Service Robots}, YEAR = {2020}, MONTH = {29 June - 3 July}, BOOKTITLE = {Proceedings of the 15th International Symposium on Software Engineering for Adaptive and Self-managing Systems (SEAMS)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEAMS2020_Mobile_Robots.pdf}, ABSTRACT = {Self-adaptive systems increasingly need to reason about and adapt both structural and behavioral system aspects, such as in mobile service robots, which must reason about missions that they need to achieve and the architecture of the software executing them. Deciding how to best adapt these systems to run time changes is challenging because it entails considering mutual dependencies between the software architecture that the system is running and the outcome of plans for completing tasks, while also considering multiple trade-offs and uncertainties. Considering all these aspects in planning for adaptation often yields large solution spaces which cannot be adequately explored at run time. We address this challenge by proposing a planning approach able to consider the impact of mutual dependencies between software architecture and task planning on the satisfaction of mission goals. The approach is able to reason quantitatively about the outcome of adaptation decisions handling both the reconfiguration of the system's architecture and adaptation of task plans under uncertainty and in a rich trade-off space. Our results show: (i) feasibility of run-time decision-making for self-adaptation in an otherwise intractable solution space by dividing-and-conquering adaptation into architecture reconfiguration and task planning sub-problems, and (ii) improved quality of adaptation decisions with respect to decision making that does not consider dependencies between architecture and task planning.}, NOTE = {Talk}, KEYWORDS = {Cyberphysical Systems, Formal Methods, Model Checking, Planning, Rainbow, Robot Adaptation, Self-adaptation, Software Architecture} } @PhdThesis{2020:Pandey:Thesis, AUTHOR = {Pandey, Ashutosh}, TITLE = {Hybrid Planning in Self-adaptive Systems}, YEAR = {2020}, SCHOOL = {Carnegie Mellon University}, PDF = {http://reports-archive.adm.cs.cmu.edu/anon/isr2020/CMU-ISR-20-100.pdf}, ABSTRACT = {Planning is one of the fundamental design considerations when building a selfadaptive software system. Planning helps the adaptive system to determine an appropriate course of action at run time that seeks to change the system's behavior in response to faults, changing environments and security threats. Therefore, having an appropriate planner to find a plan is critical to a successful self-adaptation. For many adaptive systems, an appropriate planner is the one that not only finds a plan quickly, particularly, in urgent circumstances but also the plan provides a near-optimal long-term performance. However, due to the fundamental trade-off between quality and timeliness of planning, today designers often have to compromise between an approach that finds a plan quickly and an approach that is slow but finds a higher-quality plan. To deal with this trade-off, this thesis proposes a hybrid planning approach for self-adaptive systems that combines of-the-shelf deliberative and reactive planners to find a balance between quality and timeliness. The key idea is to use reactive planning to provide a quick (although potentially a sub-optimal) response, but simultaneously invoke deliberative planning to determine quality plans. Once the deliberative plan is ready, it takes over the execution from the reactive plan to provide a higher quality adaptation thereafter. Such a combination of planners can, in principle, reap the benefits of both worlds: providing plans quickly when the timing is critical, while allowing (nearly) optimal plans to be generated when the system has sufficient time to do so. Moreover, instead of going through the non-trivial process of developing a new algorithm/heuristic, hybrid planning combines off-the-shelf planners; therefore, hybrid planning does not require software engineers to master the complexity of developing new planning algorithms/heuristics. This thesis demonstrates that, compared to its constituent reactive and deliberative planners, hybrid planning can find a better balance between the timeliness and the quality of planning, thereby improve adaptation effectiveness as measured by a multidimensional utility function capturing different dimensions of a system's goal. In the process, the thesis makes contributions to both the theory and the practice of hybrid planning in self-adaptive systems. Specifically, the thesis provides: (a) a formal framework defining the problem of hybrid planning; (b) a practical approach (grounded in the formal model) to apply hybrid planning to self-adaptive systems; (c) informal guidelines and a quantitative approach to help engineers to select an appropriate set of planners to instantiate hybrid planning for a given domain, and (d) evaluation of hybrid planning using two realistic systems to bridge the gap between theory and practice. }, NOTE = {Institute for Software Research Technical Report CMU-ISR-20-100}, ANNOTE = {[Appendix](http://reports-archive.adm.cs.cmu.edu/anon/isr2020/CMU-ISR-20-100-Appendix.pdf)}, KEYWORDS = {Machine Learning, Model Checking, Planning, Self-adaptation} } @InProceedings{2020:Venaro:BPMDS, AUTHOR = {Venero, Sheila and Schmerl, Bradley and Montecchi, Leonardo and Dos Reis, Julio Cesar and Rubira, Cecilia M. F.}, TITLE = {Automated Planning for supporting Knowledge-intensive Processes}, YEAR = {2020}, MONTH = {8-9 June}, BOOKTITLE = {Proceedings of the 20th Business Process Modeling, Development and Support (BPMDS) Working Conference}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Automated_Planning_for_supporting__Knowledge_intensive_Processes.pdf}, ABSTRACT = {Knowledge-intensive processes (KiPs) are processes characterized by high levels of unpredictability and dynamism. Their process structure may not be known before their execution. One way to cope with this uncertainty is to defer decisions regarding the process structure until run time. In this paper, we consider the definition of the process structure as a planning problem. Our approach uses automated planning techniques to generate plans that define process models according to the current context. The generated plan model relies on a metamodel called METAKIP that represents the basic elements of KiPs. Our solution explores Markov Decision Processes (MDP) to generate plan models. This technique allows uncertainty representation by defining state transition probabilities, which gives us more flexibility than traditional approaches. We construct an MDP model and solve it with the help of the PRISM model-checker. The solution is evaluated by means of a proof of concept in the medical domain and reveals the feasibility of our approach.}, KEYWORDS = {Model Checking, Stochastic Games} } @InProceedings{Li:2020:SEAMS-Expl, AUTHOR = {Li, Nianyu and Adepu, Sridhar and Kang, Eunsuk and Garlan, David}, TITLE = {Explanations for Human-on-the-loop: A Probabilistic Model Checking Approach}, YEAR = {2020}, MONTH = {29 June - 3 July}, BOOKTITLE = {Proceedings of the 15th International Symposium on Software Engineering for Adaptive and Self-managing Systems (SEAMS)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEAMS_CameraReady-8.pdf}, ABSTRACT = {Many self-adaptive systems benefit from human involvement and oversight, where a human operator can provide expertise not available to the system and can detect problems that the system is unaware of. One way of achieving this is by placing the human operator on the loop – i.e., providing supervisory oversight and intervening in the case of questionable adaptation decisions. To make such interaction effective, explanation is sometimes helpful to allow the human to understand why the system is making certain decisions and calibrate confidence from the human perspective. However, explanations come with costs in terms of delayed actions and the possibility that a human may make a bad judgement. Hence, it is not always obvious whether explanations will improve overall utility and, if so, what kinds of explanation to provide to the operator. In this work, we define a formal framework for reasoning about explanations of adaptive system behaviors and the conditions under which they are warranted. Specifically, we characterize explanations in terms of explanation content, effect, and cost. We then present a dynamic adaptation approach that leverages a probabilistic reasoning technique to determine when the explanation should be used in order to improve overall system utility.}, NOTE = {Talk}, KEYWORDS = {Explainable Software, Model Checking, Self-adaptation} } @InProceedings{2020:Control:SEAMS, AUTHOR = {C\'{a}mara, Javier and Papadopoulos, Alessandro V. and Vogel, Thomas and Weyns, Danny and Garlan, David and Huang, Shihong and Tei, Kenji}, TITLE = {Towards Bridging the Gap between Control and Self-Adaptive System Properties}, YEAR = {2020}, MONTH = {29 June - 3 July}, BOOKTITLE = {Proceedings of the 15th International Symposium on Software Engineering for Adaptive and Self-managing Systems (SEAMS)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/2004.118462020_Control_SEAMS.pdf}, ABSTRACT = {Two of the main paradigms used to build adaptive software employ different types of properties to capture relevant aspects of the system’s run-time behavior. On the one hand, control systems consider properties that concern static aspects like stability, as well as dynamic properties that capture the transient evolution of variables such as settling time. On the other hand, self-adaptive systems consider mostly non-functional properties that capture concerns such as performance, reliability, and cost. In general, it is not easy to reconcile these two types of properties or identify under which conditions they constitute a good fit to provide run-time guarantees. There is a need of identifying the key properties in the areas of control and self-adaptation, as well as of characterizing and mapping them to better understand how they relate and possibly complement each other. In this paper, we take a first step to tackle this problem by: (1) identifying a set of key properties in control theory, (2) illustrating the formalization of some of these properties employing temporal logic languages commonly used to engineer self-adaptive software systems, and (3) illustrating how to map key properties that characterize self-adaptive software systems into control properties, leveraging their formalization in temporal logics. We illustrate the different steps of the mapping on an exemplar case in the cloud computing domain and conclude with identifying open challenges in the area.}, NOTE = {Talk}, KEYWORDS = {Control Theory, Self-adaptation} } @InProceedings{2020:Sukkerd:Expl, AUTHOR = {Sukkerd, Roykrong and Simmons, Reid and Garlan, David}, TITLE = {Tradeoff-Focused Contrastive Explanation for MDP Planning}, YEAR = {2020}, MONTH = {31 August - 4 September}, BOOKTITLE = {Proceedings of the 29th IEEE International Conference on Robot & Human Interactive Communication}, ADDRESS = {Virtual}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/sukkerdRO-MAN20.pdf}, ABSTRACT = {End-users’ trust in automated agents is important as automated decision-making and planning is increasingly used in many aspects of people’s lives. In real-world applications of planning, multiple optimization objectives are often involved.Thus, planning agents’ decisions can involve complex tradeoffs among competing objectives. It can be difficult for the end-users to understand why an agent decides on a particular planning solution on the basis of its objective values. As a result, the users may not know whether the agent is making the right decisions, and may lack trust in it. In this work, we contribute an approach, based on contrastive explanation, that enables a multi-objective MDP planning agent to explain its decisions in a way that communicates its tradeoff rationale in terms of the domain-level concepts. We conduct a human subjects experiment to evaluate the effectiveness of our explanation approach in a mobile robot navigation domain. The results show that our approach significantly improves the users’ understanding, and confidence in their understanding, of the tradeoff rationale of the planning agent}, KEYWORDS = {Explainable Software, Planning} } @InProceedings{2020:Pandey:Hybrid, AUTHOR = {Pandey, Ashutosh and Ruchkin, Ivan and Schmerl, Bradley and Garlan, David}, TITLE = {Hybrid Planning Using Learning and Model Checking for Autonomous Systems}, YEAR = {2020}, MONTH = {19-23 August}, BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)}, ADDRESS = {Washington, D.C.}, ABSTRACT = {Self-adaptive software systems rely on planning to make adaptation decisions autonomously. Planning is required to produce high-quality adaptation plans in a timely manner; however, quality and timeliness of planning are conflicting in nature. This conflict can be reconciled with hybrid planning, which can combine reactive planning (to quickly provide an emergency response) with deliberative planning that take time but determine a higher-quality plan. While often effective, reactive planning sometimes risks making the situation worse. Hence, a challenge in hybrid planning is to decide whether to invoke reactive planning until the deliberative planning is ready with a high-quality plan. To make this decision, this paper proposes a novel learning-based approach. We demonstrate that this learning-based approach outperforms existing techniques that are based on specifying fixed conditions to invoke reactive planning in two domains: enterprise cloud systems and unmanned aerial vehicles.}, NOTE = {Supplemental Material | Presentation Video}, KEYWORDS = {Formal Methods, Machine Learning, Self-adaptation} } @InProceedings{2020:Li:HIL-Model, AUTHOR = {Li, Nianyu and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Reasoning about When to Provide Explanation for Human-in-the-loop Self-Adaptive Systems}, YEAR = {2020}, MONTH = {19-23 August}, BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)}, ADDRESS = {Washington, D.C.}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ExplanationInLoop2020.pdf}, ABSTRACT = {Many self-adaptive systems benefit from human involvement, where a human operator can provide expertise not available to the system and perform adaptations involving physical changes that cannot be automated. However, a lack of transparency and intelligibility of system goals and the autonomous behaviors enacted to achieve them may hinder a human operator's effort to make such involvement effective. Explanation is sometimes helpful to allow the human to understand why the system is making certain decisions. However, explanations come with costs in terms of, e.g., delayed actions. Hence, it is not always obvious whether explanations will improve the satisfaction of system goals and, if so, when to provide them to the operator. In this work, we define a formal framework for reasoning about explanations of adaptive system behaviors and the conditions under which they are warranted. Specifically, we characterize explanations in terms of their impact on a human operator's ability to effectively engage in adaptive actions. We then present a decision-making approach for planning in self-adaptation that leverages a probabilistic reasoning tool to determine when the explanation should be used in an adaptation strategy in order to improve overall system utility. We illustrate our approach in a representative scenario for the application of an adaptive news website in the context of potential denial-of-service attacks. }, NOTE = {Presentation Video}, KEYWORDS = {Formal Methods, Human-in-the-loop, Self-adaptation, Stochastic Games} } @InProceedings{2020:Google:TJ, AUTHOR = {Glazier, Thomas J. and Garlan, David and Schmerl, Bradley}, TITLE = {Case Study of an Automated Approach to Managing Collections of Autonomic Systems}, YEAR = {2020}, MONTH = {19-23 August}, BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)}, ADDRESS = {Washington, D.C.}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS_2020_Automated_Management_of_Collections_of_Autonomic_Systems.pdf}, ABSTRACT = {Many applications have taken advantage of cloud provided autonomic capabilities, commonly auto-scaling, to harness easily available compute capacity to maintain performance against defined quality objectives. This has caused the management complexity of enterprise applications to increase. It is now common for an application to be a collection of autonomic sub-systems. However, combining individual autonomic systems to create an application can lead to behaviors that negatively impact the global aggregate utility of the application and in some cases can be conflicting and self-destructive. Commonly, human administrators address these behaviors as part of a design time analysis of the situation or a run time mitigation of the undesired effects. However, the task of controlling and mitigating undesirable behaviors is complex and error prone. To handle the complexity of managing a collection of autonomic systems we have previously proposed an automated approach to the creation of a higher level autonomic management system, referred to as a Meta-Manager. In this paper, we improve upon prior work with a more streamlined and understandable formal representation of the approach, expand its capabilities to include global knowledge, and test its potential applicability and effectiveness by managing the complexity of a collection of autonomic systems in a case study of a major outage suffered by the Google Cloud Platform.}, NOTE = {Presentation Video}, KEYWORDS = {Meta-management, Self-adaptation} } @InProceedings{2020:REACT, AUTHOR = {Pfannm\"{u}ller, Martin and Breitbach, Martin and Krupitzer, Christian and Weckesser, Marcus and Becker, Christian and Schmerl, Bradley and Sch\"{u}rr, Andy}, TITLE = {REACT: A Model-Based Runtime Environment for Adapting Communication Systems}, YEAR = {2020}, MONTH = {19-23 August}, BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)}, ADDRESS = {Washington, D.C.}, ABSTRACT = {Trends such as the Internet of Things or edge computing lead to a growing number of networked devices. Hence, it is becoming increasingly important to manage communication systems at runtime. Adding self-adaptive capabilities is one approach to reduce administrative effort and cope with changing execution contexts. Existing frameworks for building self-adaptive software can help to reduce development effort in general. Yet, they are neither tailored towards the use in communication systems nor easily usable without profound knowledge in self-adaptive systems development. In this paper, we propose REACT, a reusable, model-based runtime environment to complement communication systems with adaptive behavior. It addresses the heterogeneity and distribution aspects of networks and reduces development effort. REACT empowers developers of communication systems to add adaptive behavior without having experience in self-adaptive systems development. We show the effectiveness and efficiency of our prototype in an experimental evaluation based on two distinct use cases from the communication systems domain: cloud resource management and software-defined networking. The first use case includes a comparison with Rainbow, which represents a state-of-the-art model-based framework for building self-adaptive systems. The second use case applies REACT in a sophisticated, real-world communication system scenario.}, KEYWORDS = {Self-adaptation} } @InProceedings{2021:MAPECTML, AUTHOR = {Weyns, Danny and Schmerl, Bradley and Kishida, Masako and Leva, Alberto and Litoiu, Marin and Ozay, Necmiye and Paterson, Colin and Tei, Kenji}, TITLE = {Towards Better Adaptive Systems by Combining MAPE, Control Theory, and Machine Learning}, YEAR = {2021}, MONTH = {17-24 May}, BOOKTITLE = {Proceedings of the 16th Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ADDRESS = {Virtual}, ABSTRACT = {Two established techniques to engineer adaptive systems are architecture-based adaptation that uses a Monitor-Analysis-Planning-Executing (MAPE) loop that reasons over architectural models (aka Knowledge) to make adaptation decisions, and control-based adaptation that relies on principles of control theory (CT) to realize adaptation. Recently, we also observe a rapid growing interest in applying machine learning (ML) to support different adaptation mechanisms. While MAPE and CT have particular characteristics and strengths to be applied independently, in this paper we are concerned with the question of how these techniques are related with one another and whether combining them and supporting them with ML can produce better adaptive systems. We motivate the combined use of different adaptation techniques using scenarios from two different domains and illustrate the analysis involved in combining different adaptation techniques. The paper concludes with suggestions for further research in this interesting area.}, KEYWORDS = {Control Theory, Machine Learning, Self-adaptation} } @InProceedings{2021:FASE:Li, AUTHOR = {Li, Nianyu and Zhang, Mingyue and Kang, Eunsuk and Garlan, David}, TITLE = {Engineering Secure Self-adaptive Systems with Bayesian Games}, YEAR = {2021}, MONTH = {27 March - 1 April}, BOOKTITLE = {Proceedings of the 24th International Conference on Fundamental Approaches to Software Engineering}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/FASE2021.pdf}, ABSTRACT = {Security attacks present unique challenges to self-adaptive system design due to the adversarial nature of the environment. Game theory approaches have been explored in security to model malicious behaviors and design reliable defense for the system in a mathematically grounded manner. However, modeling the system as a single player, as done in prior works, is insufficient for the system under partial compromise and for the design of fine-grained defensive strategies where the rest of the system with autonomy can cooperate to mitigate the impact of attacks. To deal with such issues, we propose a new self-adaptive framework incorporating Bayesian game theory and model the defender (i.e., the system) at the granularity of components. Under security attacks, the architecture model of the system is translated into a Bayesian multi-player game, where each component is explicitly modeled as an independent player while security attacks are encoded as variant types for the components. The optimal defensive strategy for the system is dynamically computed by solving the pure equilibrium (i.e., adaptation response) to achieve the best possible system utility, improving the resiliency of the system against security attacks. We illustrate our approach using an example involving load balancing and a case study on inter-domain routing.}, KEYWORDS = {Formal Methods, Science of Security, Self-adaptation} } @InProceedings{2020:ACSOS:SelfStar, AUTHOR = {Kinneer, Cody and Van Tonder, Rijnard and Garlan, David and Le Goues, Claire}, TITLE = {Building Reusable Repertoires for Stochastic Self-* Planners}, YEAR = {2020}, MONTH = {17-21 August}, BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)}, ADDRESS = {Washington, D.C., USA}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS_2020_Building_Reusable_Repertoires.pdf}, ABSTRACT = {Plan reuse is a promising approach for enabling self-* systems to effectively adapt to unexpected changes, such as evolving existing adaptation strategies after an unexpected change using stochastic search. An ideal self-* planner should be able to reuse repertoires of adaptation strategies, but this is challenging due to the evaluation overhead. For effective reuse, a repertoire should be both (a) likely to generalize to future situations, and (b) cost effective to evaluate. In this work, we present an approach inspired by chaos engineering for generating a diverse set of adaptation strategies to reuse, and we explore two analysis approaches based on clone detection and syntactic transformation for constructing repertoires of adaptation tactics that are likely to be amenable to reuse in stochastic search self-* planners. An evaluation of the proposed approaches on a simulated system inspired by Amazon AWS shows planning effectiveness improved by up to 20% and reveals tradeoffs in planning timeliness and optimality.}, NOTE = {Presentation Video}, KEYWORDS = {Self-adaptation, Self-Repair, Stochastic Search} } @InProceedings{2020:MASCOTS, AUTHOR = {Mendes, Pedro and Casimiro, Maria and Romano, Paolo and Garlan, David}, TITLE = {TrimTuner: Efficient Optimization of MachineLearning Jobs in the Cloud via Sub-Sampling}, YEAR = {2020}, BOOKTITLE = {Proceedings of the 2020 Symposium on Modelling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS 2020)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/TrimTuner-MASCOTS-20.pdf}, ABSTRACT = {This work introduces TrimTuner, the first system for optimizing machine learning jobs in the cloud to exploit sub-sampling techniques to reduce the cost of the optimization process, while keeping into account user-specified constraints. TrimTuner jointly optimizes the cloud and application-specific parameters and, unlike state of the art works for cloud optimization, eschews the need to train the model with the full training set every time a new configuration is sampled. Indeed, by leveraging sub-sampling techniques and data-sets that are up to 60x smaller than the original one, we show that TrimTuner can reduce the cost of the optimization process by up to 50x. Further, TrimTuner speeds-up the recommendation process by 65×with respect to state of the art techniques for hyper-parameter optimization that use sub-sampling techniques. The reasons for this improvement are twofold: i) a novel domain specific heuristic that reduces the number of configurations for which the acquisition function has to be evaluated; ii) the adoption of an ensemble of decision trees that enables boosting the speed of the recommendation process by one additional order of magnitude.}, KEYWORDS = {Machine Learning} } @InProceedings{2021:Wohlrab:REFSQ, AUTHOR = {Wohlrab, Rebekka and Garlan, David}, TITLE = {Defining Utility Functions for Multi-Stakeholder Self-Adaptive Systems}, YEAR = {2021}, MONTH = {12-15 April}, BOOKTITLE = {Proceedings of the 27th International Working Conference on Requirements Engineering: Foundation for Software Quality}, ADDRESS = {Essen, Germany (Virtual)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/refsq_2021.pdf}, ABSTRACT = {[Context and motivation:] For realistic self-adaptive systems, multiple quality attributes need to be considered and traded off against each other. These quality attributes are commonly encoded in a utility function, for instance, a weighted sum of relevant objectives. [Question/problem:] The research agenda for requirements engineering for self-adaptive systems has raised the need for decision-making techniques that consider the trade-offs and priorities of multiple objectives. Human stakeholders need to be engaged in the decision-making process so that the relative importance of each objective can be correctly elicited. [Principal ideas/results:] This research preview paper presents a method that supports multiple stakeholders in prioritizing relevant quality attributes, negotiating priorities to reach an agreement, and giving input to define utility functions for self-adaptive systems. [Contribution:] The proposed method constitutes a lightweight solution for utility function definition. It can be applied by practitioners and researchers who aim to develop self-adaptive systems that meet stakeholders' requirements. We present details of our plan to study the application of our method using a case study.}, KEYWORDS = {Self-adaptation} } @PhdThesis{2021:Cody:PhD, AUTHOR = {Kinneer, Cody}, TITLE = {Search-based Plan Reuse in Self-* Systems}, YEAR = {2021}, MONTH = {May}, PAGES = {122}, SCHOOL = {Institute for Software Research, Carnegie Mellon University}, ABSTRACT = {Increasingly software systems operate in environments of change and uncertainty, where the system's ability to satisfy its quality objectives depends on its ability to adapt. Self-adaptation allows these systems to manage this challenge by autonomously adapting to changes in their environments. While self-* systems are designed precisely to manage uncertainty, unexpected changes may violate design assumptions, resulting in the system failing to satisfy its quality attribute requirements. When this occurs, the planner must generate a new plan, an expensive operation for large systems. As autonomous systems increase in size, interconnectedness, and complexity, this cost can quickly become prohibitive. This thesis addresses this problem by leveraging information contained in prior plans to reduce the replanning necessary to respond to an unexpected change. Even in the face of an unexpected change, some of the insights contained in existing plans are likely to remain applicable. For example, an autonomous aerial vehicle encountering an unexpected obstacle will need to replan to avoid the obstacle, but the drone may be able to return to its prior plan after this maneuver. A larger change will reduce the amount of reuse that is possible, for example changing the drone's mission to fly to a new location, but still, the takeoff and landing procedures may be reused. This thesis reuses existing adaptation plans by seeding a genetic algorithm with these plans. This enables a scalable self-* planner that can replan in complex systems with large search spaces. While the idea of plan reuse is intuitive, in practice plan reuse is difficult and may even be worse than replanning from scratch if not performed carefully. This dissertation provides reuse enhancing approaches to reduce the evaluation time of candidate plans, an approach for building reusable repertoires of plans and identifying generalizable plan fragments, and a co-evolutionary extension to enable plan reuse for security. The thesis is evaluated on three simulated case study systems, including a cloud-based web service provider, a team of autonomous aerial vehicles, and an enterprise business system under a cyber attack. Ultimately, plan reuse will enable large self-* systems to replan even after unexpected changes. }, KEYWORDS = {Explainable Software, Self-adaptation, Stochastic Search, uncertainty} } @InProceedings{2021:Li:HeyPreparatory, AUTHOR = {Li, Nianyu and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley and Jin, Zhi}, TITLE = {Hey! Preparing Humans to do Tasks in Self-adaptive Systems}, YEAR = {2021}, MONTH = {18-21 May}, BOOKTITLE = {Proceedings of the 16th Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2021)}, ADDRESS = {Virtual}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Preparatory_SEAMS.pdf}, ABSTRACT = {Many self-adaptive systems benefit from human involvement, where human operators can complement the capabilities of systems (e.g., by supervising decisions, or performing adaptations and tasks involving physical changes that cannot be automated). However, insufficient preparation (e.g., lack of task context comprehension) may hinder the effectiveness of human involvement, especially when operators are unexpectedly interrupted to perform a new task. Preparatory notification of a task provided in advance can sometimes help human operators focus their attention on the forthcoming task and understand its context before task execution, hence improving effectiveness. Nevertheless, deciding when to use preparatory notification as a tactic is not obvious and entails considering different factors that include uncertainties induced by human operator behavior (who might ignore the notice message), human attributes (e.g., operator training level), and other information that refers to the state of the system and its environment. In this paper, informed by work in cognitive science on human attention and context management, we introduce a formal framework to reason about the usage of preparatory notifications in self-adaptive systems involving human operators. Our framework characterizes the effects of managing attention via task notification in terms of task context comprehension. We also build on our framework to develop an automated probabilistic reasoning technique able to determine when and in what form a preparatory notification tactic should be used to optimize system goals. We illustrate our approach in a representative scenario of human-robot collaborative goods delivery. }, NOTE = {Awarded Best Student Paper for SEAMS 2021}, KEYWORDS = {Explainable Software, Formal Methods, Robot Adaptation, Self-adaptation} } @InProceedings{2020:ASE:CPS, AUTHOR = {Gafford, Benjamin and D\"{u}rschmid, Tobias and Moreno, Gabriel A. and Kang, Eunsuk}, TITLE = {Synthesis-Based Resolution of Feature Interactions in Cyber-Physical Systems}, YEAR = {2020}, MONTH = {21-25 September}, BOOKTITLE = {Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE)}, ADDRESS = {Virtual}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ase20-feature-interactions.pdf}, ABSTRACT = {The feature interaction problem arises when two or more independent features interact with each other in an undesirable manner.Feature interactions remain a challenging and important problem in emerging domains of cyber-physical systems (CPS), such as intelligent vehicles, unmanned aerial vehicles (UAVs) and the Internet of Things (IoT), where the outcome of an unexpected interaction may result in a safety failure. Existing approaches to resolving feature interactions rely on priority lists or fixed strategies, but may not be effective in scenarios where none of the competing feature actions are satisfactory with respect to system requirements. This paper proposes a novel synthesis-based approach to resolution, where a conflict among features is resolved by synthesizingan action that best satisfies the specification of desirable system behaviors in the given environmental context. Unlike existing resolution methods,our approach is capable of producing a desirable system outcome even when none of the conflicting actions are satisfactory. The effectiveness of the proposed approach is demonstrated using a case study involving interactions among safety-critical features in an autonomous drone.}, KEYWORDS = {Cyberphysical Systems, Formal Methods} } @InProceedings{2020:FSE:Robustness, AUTHOR = {Zhang, Changjian and Garlan, David and Kang, Eunsuk}, TITLE = {A Behavioral Notion of Robustness for Software Systems}, YEAR = {2020}, MONTH = {6-16 November}, BOOKTITLE = {Proceedings of the 2020 ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE)}, ADDRESS = {Virtual}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fse20-robustness.pdf}, ABSTRACT = {Software systems are designed and implemented with assumptions about the environment. However, once the system is deployed,the actual environment may deviate from its expected behavior,possibly undermining desired properties of the system. To enable systematic design of systems that are robust against potential environmental deviations, we propose a rigorous notion of robustness for software systems. In particular, the robustness of a system is de-fined as the largest set of deviating environmental behaviors under which the system is capable of guaranteeing a desired property. We describe a new set of design analysis problems based on our notion of robustness, and a technique for automatically computing robustness of a system given its behavior description. We demonstrate potential applications of our robustness notion on two case studies involving network protocols and safety-critical interfaces.}, KEYWORDS = {Architectural Analysis, Explainable Software, Model Checking} } @InProceedings{2021:Cheng:Debate, AUTHOR = {Cheng, Shang-Wen}, TITLE = {Change Is the Ultimate Self-Adaptive Challenge}, YEAR = {2021}, MONTH = {18-21 May}, BOOKTITLE = {Proceedings of the 16th Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ADDRESS = {Virtual}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Cheng_SEAMS_2021.pdf}, ABSTRACT = {This paper argues that change alone is sufficiently difficult; simply, handling change, i.e., anticipated changes, remains the ultimate challenge of self-adaptation.}, KEYWORDS = {Self-adaptation, uncertainty} } @InProceedings{2021:Garlan:Debate, AUTHOR = {Garlan, David}, TITLE = {The Unknown Unknowns are not Totally Unknown}, YEAR = {2021}, MONTH = {18-21 May}, BOOKTITLE = {Proceedings of the 16th Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ADDRESS = {Virtual}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/GARLAN_SEAMS21_Debate_Final.pdf}, ABSTRACT = {The question of whether “handling unanticipated changes is the ultimate challenge for self-adaptation” is impossible to evaluate without looking closely at what “unanticipated” means. In this position paper I try to bring a little clarity to this issue by arguing that the common distinction between “known unknowns” and “unknown unknowns” is too crude: for most systems there are changes that are not directly handled by “first-order” adaptation, but can, with appropriate engineering, be addressed naturally through “second-order” adaptation. I explain what I mean by this and consider ways in which such systems might be engineered.}, KEYWORDS = {Self-adaptation, uncertainty} } @Article{2021:ROSArch:JSS, AUTHOR = {Malavolta, Ivano and Lewis, Grace A. and Schmerl, Bradley and Lago, Patricia and Garlan, David}, TITLE = {Mining Guidelines for Architecting Robotics Software}, YEAR = {2021}, MONTH = {August}, JOURNAL = {Journal of Systems and Software}, VOLUME = {178}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS_ROS_2020.pdf}, ABSTRACT = {Context. The Robot Operating System (ROS) is the de-facto standard for robotics software.However, ROS-based systems are getting larger and more complex and could benefit from good software architecture practices.Goal. We aim at (i) unveiling the state-of-the-practice in terms of targeted quality attributes and architecture documentation in ROS-based systems, and (ii) providing empirically-grounded guidance to roboticists about how to properly architect ROS-based systems.Method. We designed and conducted an observational study where we (i) built a dataset of335 GitHub repositories containing real open-source ROS-based systems, and (ii) mined the repositories to extract and synthesize quantitative and qualitative findings about how roboticists are architecting ROS-based systems.Results. First, we extracted an empirically-grounded overview of the state of the practice for architecting and documenting ROS-based systems. Second, we synthesized a catalog of 47architecting guidelines for ROS-based systems. Third, the extracted guidelines were validated by119 roboticists working on real-world open-source ROS-based systems.Conclusions. Roboticists can use our architecting guidelines for applying good design principles to develop robots that meet quality requirements, and researchers can use our results as evidence-based indications about how real-world ROS systems are architected today, thus inspiring future research contributions}, NOTE = {https://doi.org/10.1016/j.jss.2021.110969}, KEYWORDS = {Software Architecture} } @InProceedings{2021:FSE:Chang, AUTHOR = {Zhang, Changjian and Wagner, Ryan and Orvalho, Pedro and Garlan, David and Manquinho, Vasco and Martins, Ruben and Kang, Eunsuk}, TITLE = {AlloyMax: Bringing Maximum Satisfaction to Relational Specifications.}, YEAR = {2021}, MONTH = {23-28 August}, BOOKTITLE = {The ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE) 2021}, ADDRESS = {Virtual}, ABSTRACT = {Alloy is a declarative modeling language based on a first-order relational logic. Its constraint-based analysis has enabled a wide range of applications in software engineering, including configuration synthesis, bug finding, test-case generation, and security analysis. Certain types of analysis tasks in these domains involve finding an optimal solution. For example, in a network configuration problem, instead of finding any valid configuration, it may be desirable to find one that is most permissive (i.e., it permits a maximum number of packets). Due to its dependence on SAT, however, Alloy cannot be used to specify and analyze these types of problems. We propose AlloyMax, an extension of Alloy with a capability to express and analyze problems with optimal solutions. AlloyMax introduces (1) a small addition of language constructs that can be used to specify a wide range of problems that involve optimality and (2) a new analysis engine that leverages a Maximum Satisfiability (MaxSAT) solver to generate optimal solutions. To enable this new type of analysis, we show how a specification in a first-order relational logic can be translated into an input format of MaxSAT solvers—namely, a Boolean formula in weighted conjunctive normal form (WCNF). We demonstrate the applicability and scalability of AlloyMax on a benchmark of problems. To our knowledge, AlloyMax is the first approach to enable analysis with optimality in a relational modeling language, and we believe that AlloyMax has the potential to bring a wide range of new applications to Alloy.}, NOTE = {Distinguished Paper Award}, KEYWORDS = {Formal Methods, Planning} } @InProceedings{SAML21, AUTHOR = {Casimiro, Maria and Romano, Paolo and Garlan, David and Moreno, Gabriel A. and Kang, Eunsuk and Klein, Mark}, TITLE = {Self-Adaptation for Machine Learning Based Systems}, YEAR = {2021}, MONTH = {14 September}, BOOKTITLE = {Proceedings of the 1st International Workshop on Software Architecture and Machine Learning (SAML)}, SERIES = {LNCS}, ADDRESS = {Virtual, (Originally V\"axjö, Sweden)}, PUBLISHER = {Springer}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SAML2021-paper6SAML21.pdf}, ABSTRACT = {Today’s world is witnessing a shift from human-written software to machine-learned software, with the rise of systems that rely on machine learning. These systems typically operate in non-static environments, which are prone to unexpected changes, as is the case of self-driving cars and enterprise systems. In this context, machine-learned software can misbehave. Thus, it is paramount that these systems are capable of detecting problems with their machined-learned components and adapt themselves to maintain desired qualities. For instance, a fraud detection system that cannot adapt its machine-learned model to efficiently cope with emerging fraud patterns or changes in the volume of transactions is subject to losses of millions of dollars. In this paper, we take a first step towards the development of a framework aimed to self-adapt systems that rely on machine-learned components. We describe: (i) a set of causes of machine-learned component misbehavior and a set of adaptation tactics inspired by the literature on machine learning, motivating them with the aid of a running example; (ii) the required changes to the MAPE-K loop, a popular control loop for self-adaptive systems; and (iii) the challenges associated with developing this framework. We conclude the paper with a set of research questions to guide future work.}, KEYWORDS = {Machine Learning, Self-adaptation} } @InProceedings{CASA21, AUTHOR = {Alharbi, Mohammed and Huang, Shihong and Garlan, David}, TITLE = {A Probabilistic Model for Personality Trait Focused Explainability}, YEAR = {2021}, MONTH = {13-17 September}, BOOKTITLE = {Proceedings of the 4th international Workshop on Context-aware, Autonomous and Smart Architecture (CASA 2021), co-located with the 15th European Conference on Software Architecture}, ADDRESS = {Virtual (Originally V\"axjö Sweden)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CASA-paper5.pdf}, ABSTRACT = {Explainability refers to the degree to which a software system’s actions or solutions can be understood by humans. Giving humans the right amount of explanation at the right time is an important factor in maximizing the effective collaboration between an adaptive system and humans during interaction. However, explanations come with costs, such as the required time of explanation and humans’ response time. Hence it is not always clear whether explanations will improve overall system utility and, if so, how the system should effectively provide explanation to humans, particularly given that different humans may benefit from different amounts and frequency of explanation. To provide a partial basis for making such decisions, this paper defines a formal framework that incorporates human personality traits as one of the important elements in guiding automated decision- making about the proper amount of explanation that should be given to the human to improve the overall system utility. Specifically, we use probabilistic model analysis to determine how to utilize explanations in an effective way. To illustrate our approach, Grid – a virtual human and system interaction game -- is developed to represent scenarios for human-systems collaboration and to demonstrate how a human’s personality traits can be used as a factor to consider for systems in providing appropriate explanations.}, KEYWORDS = {Explainable Software} } @InProceedings{ECSA21, AUTHOR = {C\'{a}mara, Javier and Silva, Mariana and Garlan, David and Schmerl, Bradley}, TITLE = {Explaining Architectural Design Tradeoff Spaces: a Machine Learning Approach}, YEAR = {2021}, MONTH = {13-17 September}, BOOKTITLE = {Proceedings of the 15th European Conference on Software Architecture}, ADDRESS = {Virtual (Originally, V\"axjö Sweden)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Explaining_Architectural_Tradeoff_Spaces__a_Machine_Learning_Approach.pdf}, ABSTRACT = {In software design, guaranteeing the correctness of run-time system behavior while achieving an acceptable balance among multiple quality attributes remains a challenging problem. Moreover, providing guarantees about the satisfaction of those requirements when systems are subject to uncertain environments is even more challenging. While recent developments in architectural analysis techniques can assist architects in exploring the satisfaction of quantitative guarantees across the design space, existing approaches are still limited because they do not explicitly link design decisions to satisfaction of quality requirements. Furthermore, the amount of information they yield can be overwhelming to a human designer, making it difficult to distinguish the forest through the trees. In this paper, we present an approach to analyzing architectural design spaces that addresses these limitations and provides a basis to enable the explainability of design tradeoffs. Our approach combines dimensionality reduction techniques employed in machine learning pipelines with quantitative verification to enable architects to understand how design decisions contribute to the satisfaction of strict quantitative guarantees under uncertainty across the design space. Our results show feasibility of the approach in two case studies and evidence that dimensionality reduction is a viable approach to facilitate comprehension of tradeoffs in poorly-understood design spaces.}, KEYWORDS = {Explainable Software, Machine Learning, Self-adaptation} } @InProceedings{2021:SISSY, AUTHOR = {Weyns, Danny and Bures, Tomas and Calinescu, Radu and Craggs, Barnaby and Fitzgerald, John and Garlan, David and Nuseibeh, Bashar and Pasquale, Liliana and Rashid, Awais and Ruchkin, Ivan and Schmerl, Bradley}, TITLE = {Six Software Engineering Principles for Smarter Cyber-Physical Systems}, YEAR = {2021}, MONTH = {27 September}, BOOKTITLE = {Proceedings of the Workshop on Self-Improving System Integration}, ABSTRACT = {Cyber-Physical Systems (CPS) integrate computational and physical components. With the digitisation of society and industry and the progressing integration of systems, CPS need to become “smarter” in the sense that they can adapt and learn to handle new and unexpected conditions, and improve over time. Smarter CPS present a combination of challenges that existing engineering methods have difficulties addressing: inter- twined digital, physical and social spaces, need for heterogeneous modelling formalisms, demand for context-tied cooperation to achieve system goals, widespread uncertainty and disruptions in changing contexts, inherent human constituents, and continuous encounter with new situations. While approaches have been put forward to deal with some of these challenges, a coherent perspective on engineering smarter CPS is lacking. In this paper, we present six engineering principles for addressing the challenges of smarter CPS. As smarter CPS are software-intensive systems, we approach them from a software engineering perspective with the angle of self-adaptation that offers an effective approach to deal with run-time change. The six principles create an integrated landscape for the engineering and operation of smarter CPS.}, KEYWORDS = {Cyberphysical Systems} } @InProceedings{ASDYE2021, AUTHOR = {Casimiro, Maria and Garlan, David and C\'{a}mara, Javier and Rodrigues, Luis and Romano, Paolo}, TITLE = {A Probabilistic Model Checking Approach to Self-Adapting Machine Learning Systems}, YEAR = {2021}, MONTH = {6 December}, BOOKTITLE = {Proceedings of the Third International Workshop on Automated and verifiable Software sYstem DEvelopment (ASYDE)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ASYDE-CR.pdf}, ABSTRACT = {Machine Learning (ML) is increasingly used in domains such as cyber-physical systems and enterprise systems. These systems typically operate in non-static environments, prone to unpredictable changes that can adversely impact the accuracy of the ML models, which are usually in the critical path of the systems. Mispredictions of ML components can thus affect other components in the system, and ultimately impact overall system utility in non-trivial ways. From this perspective, self-adaptation techniques appear as a natural solution to reason about how to react to environment changes via adaptation tactics that can potentially improve the quality of ML models (e.g., model retrain), and ultimately maximize system utility. However, adapting ML components is non-trivial, since adaptation tactics have costs and it may not be clear in a given context whether the benefits of ML adaptation outweigh its costs. In this paper, we present a formal probabilistic framework, based on model checking, that incorporates the essential governing factors for reasoning at an architectural level about adapting ML classifiers in a system context. The proposed framework can be used in a self-adaptive system to create adaptation strategies that maximize rewards of a multidimensional utility space. Resorting to a running example from the enterprise systems domain, we show how the proposed framework can be employed to determine the gains achievable via ML adaptation and to find the boundary that renders adaptation worthwhile.}, KEYWORDS = {Machine Learning, Model Checking, Self-adaptation} } @Article{2020:REACT-ION, AUTHOR = {Pfannm\"{u}ller, Martin and Breitbach, Martin and Weckesser, Marcus and Becker, Christian and Schmerl, Bradley and Sch\"{u}rr, Andy and Krupitzer, Christian}, TITLE = {REACT-ION: A Model-based Runtime Environment for Situation-aware Adaptations}, YEAR = {2020}, MONTH = {December}, JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems}, VOLUME = {15}, NUMBER = {4}, PAGES = {1-29}, ABSTRACT = {Trends such as the Internet of Things lead to a growing number of networked devices and to a variety of communication systems. Adding self-adaptive capabilities to these communication systems is one approach to reducing administrative effort and coping with changing execution contexts. Existing frameworks can help reducing development effort but are neither tailored toward the use in communication systems nor easily usable without knowledge in self-adaptive systems development. Accordingly, in previous work, we proposed REACT, a reusable, model-based runtime environment to complement communication systems with adaptive behavior. REACT addresses heterogeneity and distribution aspects of such systems and reduces development effort. In this article, we propose REACT-ION—an extension of REACT for situation awareness. REACT-ION offers a context management module that is able to acquire, store, disseminate, and reason on context data. The context management module is the basis for (i) proactive adaptation with REACT-ION and (ii) self-improvement of the underlying feedback loop. REACT-ION can be used to optimize adaptation decisions at runtime based on the current situation. Therefore, it can cope with uncertainty and situations that were not foreseeable at design time. We show and evaluate in two case studies how REACT-ION’s situation awareness enables proactive adaptation and self-improvement.}, KEYWORDS = {Cyberphysical Systems, Self-adaptation, Self-awareness & Adaptation} } @InProceedings{2022:ICSA:ROSDiscover, AUTHOR = {Timperley, Christopher Steven and D\"{u}rschmid, Tobias and Schmerl, Bradley and Garlan, David and Le Goues, Claire}, TITLE = {ROSDiscover: Statically Detecting Run-Time Architecture Misconfigurations in Robotics Systems}, YEAR = {2022}, MONTH = {12-15 March}, BOOKTITLE = {Proceedings of the 19th International Conference on Software Architecture (ICSA 2022)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ROSDiscover_Statically_Detecting_Run-Time_Architecture_Misconfigurations_in_Robotics_Systems__Artifact_Paper.pdf}, ABSTRACT = {Robot systems are growing in importance and complexity. Ecosystems for robot software, such as the ROS, provide libraries of reusable software components that can be configured and composed into larger systems. To support compositionality, ROS uses late binding and architecture configuration via "launch files" that describe how to initialize the components in a system. However, late binding often leads to systems failing silently due to misconfiguration, for example by misrouting or dropping messages entirely. In this paper we present ROSDiscover, which statically recovers the run-time architecture of ROS systems to find such architecture misconfiguration bugs. First, ROSDiscover constructs component level architectural models (ports, parameters) from source code. Second, architecture configuration files are analyzed to compose the system from these component models and derive the connections in the system. Finally, the reconstructed architecture is checked against architectural rules described in first-order logic to identify potential misconfigurations. We present an evaluation of ROSDiscover on real world, off-the-shelf robotic systems, measuring the accuracy, effectiveness, and practicality of our approach. To that end, we collected the first data set of architecture configuration bugs in ROS from popular open-source systems and measure how effective our approach is for detecting configuration bugs in that set.}, KEYWORDS = {Acme, Architectural Analysis, Publish Subscribe Systems, Software Architecture} } @Article{Wohlrab2021negotiation, AUTHOR = {Wohlrab, Rebekka and Garlan, David}, TITLE = {A Negotiation Support System for Defining Utility Functions for Multi-Stakeholder Self-Adaptive Systems}, YEAR = {2022}, JOURNAL = {Requirements Engineering}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/2021_Wohlrab_utility_negotiation_accepted.pdf}, ABSTRACT = {For realistic self-adaptive systems, multiple quality attributes need to be considered and traded off against each other. These quality attributes are commonly encoded in a utility function, for instance, a weighted sum of relevant objectives. Utility functions are typically subject to a set of constraints, i.e., hard requirements that should not be violated by the system. The research agenda for requirements engineering for self-adaptive systems has raised the need for decision-making techniques that consider the trade-offs and priorities of multiple objectives. Human stakeholders need to be engaged in the decision-making process so that constraints and the relative importance of each objective can be correctly elicited. This paper presents a method that supports multiple stakeholders in eliciting constraints, prioritizing relevant quality attributes, negotiating priorities, and giving input to define utility functions for self-adaptive systems. We developed tool support in the form of a blackboard system that aggregates information by different stakeholders, detects conflicts, proposes mechanisms to reach an agreement, and generates a utility function. We performed a think-aloud study with 14 participants to investigate negotiation processes and assess the approach’s understandability and user satisfaction. Our study sheds light on how humans reason about and how they negotiate around quality attributes. The mechanisms for conflict detection and resolution were perceived as very useful. Overall, our approach was found to make the process of utility function definition more understandable and transparent.}, NOTE = {https://doi.org/10.1007/s00766-021-00368-y}, KEYWORDS = {Explainable Software, Self-adaptation} } @InProceedings{ICSA:Diaz:2022, AUTHOR = {Diaz-Pace, Andres and Garlan, David}, TITLE = {Making Architecture Optimization Transparent with Tactic-Based Explanations}, YEAR = {2022}, MONTH = {12-15 March}, BOOKTITLE = {Proceedings of the 19th International Conference on Software Architecture (ICSA 2022)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Making Architecture Optimizat….pdf}, ABSTRACT = {Over the past decade, a number of automated techniques and tools have been developed for optimizing architectural designs with respect to quality-attribute goals. In these systems, the optimization process is typically seen as a black box, since it is not possible for a human to have access to the decisions that led to a particular solution generated by an optimization tool. Even when these decisions are available for inspection, the amount of information can be overwhelming for the architect. As a result, humans might not completely understand the rationale behind a given solution or trust that a tool made correct decisions. To mitigate this problem, we propose a semi-automated approach for generating textual explanations for any architectural solution produced by a tool. This kind of explanation provides a summary of the key architectural tactics that were applied to achieve an optimized architecture that satisfies a set of quality-attribute objectives. In this paper, we discuss two procedures for determining the key tactics to be explained. As an initial experiment, we used a popular optimization tool to generate solutions and explanations for a small but non-trivial design space involving performance, reliability, and cost objectives. We also performed an exploratory user study to assess the effectiveness of these explanations.}, KEYWORDS = {Explainable Software, Software Architecture} } @InProceedings{2022:Wohlrab:SEAMS, AUTHOR = {Wohlrab, Rebekka and Meira-G\'{o}es, R\^{o}mulo and Vierhauser, Michael}, TITLE = {Run-Time Adaptation of Quality Attributes for Automated Planning}, YEAR = {2022}, MONTH = {18-24 May}, BOOKTITLE = {Proceedings of the 17th Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS’22)}, ADDRESS = {Pittsburgh, USA and Virtual}, ABSTRACT = {Self-adaptive systems typically operate in heterogeneous environments and need to optimize their behavior based on a variety of quality attributes to meet stakeholders’ needs. During adaptation planning, these quality attributes are considered in the form of constraints, describing requirements that must be fulfilled, and utility functions, which are used to select an optimal plan among several alternatives. Up until now, most automated planning approaches are not designed to adapt quality attributes, their priorities, and their trade-offs at run time. Instead, both utility functions and constraints are commonly defined at design time. There exists a clear lack of run-time mechanisms that support their adaptation in response to changes in the environment or in stakeholders’ preferences. In this paper, we present initial work that combines automated planning and adaptation of quality attributes to address this gap. The approach helps to semi-automatically adjust utility functions and constraints based on changes at run time. We present a preliminary experimental evaluation that indicates that our approach can provide plans with higher utility values while fulfilling changed or added constraints. We conclude this paper with our envisioned research outlook and plans for future empirical studies.}, KEYWORDS = {Self-adaptation} } @PhdThesis{2022:Sukkerd:Thesis, AUTHOR = {Sukkerd, Roykrong}, TITLE = {Improving Transparency and Intelligibility of Multi-Objective Probabilistic Planning}, YEAR = {2022}, NUMBER = {CMU-ISR-22-104}, SCHOOL = {Institute for Software Research, School of Computer Science}, ABSTRACT = {Sequential decision-making problems with multiple objectives are natural to many application domains of AI-enabled systems. As these systems are increasingly used to work with people or to make decisions that impact people, it is important that their reasoning is intelligible to the end-users and stakeholders, to foster trust and effective human-agent collaborations. However, understanding the reasoning behind solving sequential decision problems is difficult for end-users even when white-box decision models such as Markov decision processes (MDPs) are used. Such intelligibility challenge is due to the combinatorial explosion of possible strategies for solving long-horizon problems. The multi-objective optimization aspect further complicates the problem as different objectives may conflict and reasoning about tradeoffs is required. These complexities pose a barrier for end-users to know whether the agent has made the right decisions for a given context, and may prohibit them from intervening if the agent was wrong. The goal of this thesis is to develop an explainability framework that enables the agent making sequential decisions to communicate its goals and rationale for its behavior to the end-users. We present an explainable planning framework for MDP, particularly to support problem domains with multiple optimization objectives. We propose consequence-oriented contrastive explanations, in which an argument for an agent's policy is in terms of its expected consequences on the task objectives, put in context of the selected viable alternatives to demonstrate the optimization and tradeoff reasoning of the agent. Our modeling framework supports reward decomposition, and augments MDP representation to ground the components of the reward or cost function in the domain-level concepts and semantics, to facilitate explanation generation. Our explanation generation method computes policy-level contrastive foils that describe the inflection points in the agent's decision making in terms of optimization and trade-off reasoning of the decomposed task objectives. We demonstrate the applicability of our explainable planning framework by applying it to three planning problem domains: waypoint-based navigation, UAV mission planning, and clinic scheduling. We design and conduct a human subjects experiment to evaluate the effectiveness of explanations based on measurable task performance. We design the users' task in the experiment to be: assessing the agent's planning decisions to determine whether they are the best decisions for a given problem context. Our experimental results show that our proposed consequence-oriented contrastive explanation approach significantly improves the users' ability to correctly assess the agent's planning decisions, as well as the users' confidence in their assessment. Lastly, we investigate the feasibility of a user-guided approach to our consequence oriented contrastive explanation paradigm. We propose a theoretical framework and approaches to formulate Why Not behavioral questions as state-action constraints and linear temporal logic constraints on the planning problem, and to solve for satisfying policies in order to explain the full impact that the queried behavior has on the subsequent decisions and on the task objectives. }, KEYWORDS = {Explainable Software, Planning, Self-adaptation} } @Article{2022:SoSym:UIP, AUTHOR = {C\'{a}mara, Javier and Troya, Javier and Vallecillo, Antonio and Bencomo, Nelly and Calinescu, Radu and Cheng, Betty H.C. and Garlan, David and Schmerl, Bradley}, TITLE = {The uncertainty interaction problem in self-adaptive systems}, YEAR = {2022}, MONTH = {August}, JOURNAL = {Software System and Modelling}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Sosym2022.pdf}, ABSTRACT = {The problem of mitigating uncertainty in self-adaptation has driven much of the research proposed in the area of software engineering for self-adaptive systems in the last decade. Although many solutions have already been proposed, most of them tend to tackle specific types, sources, and dimensions of uncertainty (e.g., in goals, resources, adaptation functions) in isolation. A special concern are the aspects associated with uncertainty modeling in an integrated fashion. Different uncertainties are rarely independent and often compound, affecting the satisfaction of goals and other system properties in subtle and often unpredictable ways. Hence, there is still limited understanding about the specific ways in which uncertainties from various sources interact and ultimately affect the properties of self-adaptive, software-intensive systems. In this SoSym expert voice, we introduce the Uncertainty Interaction Problem as a way to better qualify the scope of the challenges with respect to representing different types of uncertainty while capturing their interaction in models employed to reason about self-adaptation. We contribute a characterization of the problem and discuss its relevance in the context of case studies taken from two representative application domains. We posit that the Uncertainty Interaction Problem should drive future research in software engineering for autonomous and self-adaptive systems, and therefore, contribute to evolving uncertainty modeling towards holistic approaches that would enable the construction of more resilient self-adaptive systems.}, NOTE = {Expert Voice Paper (https://doi.org/10.1007/s10270-022-01037-6)}, KEYWORDS = {Self-adaptation, uncertainty} } @InProceedings{Casimiro:ACSOS:2022, AUTHOR = {Casimiro, Maria and Romano, Paolo and Garlan, David and Rodrigues, Luis}, TITLE = {Towards a Framework for Adapting Machine Learning Components}, YEAR = {2022}, BOOKTITLE = {2022 IEEE International Conference on Autonomic Computing and Self-Organizing Systems (ACSOS)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS2022.pdf}, ABSTRACT = {Machine Learning (ML) models are now commonly used as components in systems. As any other component, ML components can produce erroneous outputs that may penalize system utility. In this context, self-adaptive systems emerge as a natural approach to cope with ML mispredictions, through the execution of adaptation tactics such as model retraining. To synthesize an adaptation strategy, the self-adaptation manager needs to reason about the cost-benefit tradeoffs of the applicable tactics, which is a non-trivial task for tactics such as model retraining, whose benefits are both context- and data-dependent. To address this challenge, this paper proposes a probabilistic modeling framework that supports automated reasoning about the cost/benefit tradeoffs associated with improving ML components of ML-based systems. The key idea of the proposed approach is to decouple the problems of (i) estimating the expected performance improvement after retrain and (ii) estimating the impact of ML improved predictions on overall system utility. We demonstrate the application of the proposed framework by using it to self-adapt a state-of-the-art ML-based fraud-detection system, which we evaluate using a publicly-available, real fraud detection dataset. We show that by predicting system utility stemming from retraining a ML component, the probabilistic model checker can generate adaptation strategies that are significantly closer to the optimal, as compared against baselines such as periodic retraining, or reactive retraining.}, NOTE = {Presentation Video}, KEYWORDS = {Machine Learning, Self-adaptation} } @Article{2022:JSS:ExpSAS, AUTHOR = {Wohlrab, Rebekka and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley}, TITLE = {Explaining quality attribute tradeoffs in automated planning for self-adaptive systems}, YEAR = {2022}, MONTH = {October}, JOURNAL = {The Journal of Systems and Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/xplanqasas.pdf}, ABSTRACT = {Self-adaptive systems commonly operate in heterogeneous contexts and need to consider multiple quality attributes. Human stakeholders often express their quality preferences by defining utility func- tions, which are used by self-adaptive systems to automatically generate adaptation plans. However, the adaptation space of realistic systems is large and it is obscure how utility functions impact the generated adaptation behavior, as well as structural, behavioral, and quality constraints. Moreover, human stakeholders are often not aware of the underlying tradeoffs between quality attributes. To address this issue, we present an approach that uses machine learning techniques (dimensionality reduction, clustering, and decision tree learning) to explain the reasoning behind automated planning. Our approach focuses on the tradeoffs between quality attributes and how the choice of weights in utility functions results in different plans being generated. We help humans understand quality attribute tradeoffs, identify key decisions in adaptation behavior, and explore how differences in utility functions result in different adaptation alternatives. We present two systems to demonstrate the approach’s applicability and consider its potential application to 24 exemplar self-adaptive systems. Moreover, we describe our assessment of the tradeoff between the information reduction and the amount of explained variance retained by the results obtained with our approach.}, KEYWORDS = {Explainable Software, Planning, Self-adaptation} } @Article{2022:JSS:Extra, AUTHOR = {C\'{a}mara, Javier and Wohlrab, Rebekka and Garlan, David and Schmerl, Bradley}, TITLE = {ExTrA: Explaining architectural design tradeoff spaces via dimensionality reduction.}, YEAR = {2022}, MONTH = {December}, JOURNAL = {Journal of Systems and Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ExTrA__Explaining_Architectural_Design_Tradeoff_Spaces_via_Dimensionality_Reduction.pdf}, ABSTRACT = {In software design, guaranteeing the correctness of run-time system behavior while achieving an acceptable balance among multiple quality attributes remains a challenging problem. Moreover, providing guarantees about the satisfaction of those requirements when systems are subject to uncertain environments is even more challenging. While recent developments in architectural analysis techniques can assist architects in exploring the satisfaction of quantitative guarantees across the design space, existing approaches are still limited because they do not explicitly link design decisions to satisfaction of quality requirements. Furthermore, the amount of information they yield can be overwhelming to a human designer, making it difficult to see the forest for the trees. In this paper we present ExTrA (Explaining Tradeoffs of software Architecture design spaces), an approach to analyzing architectural design spaces that addresses these limitations and provides a basis for explaining design tradeoffs. Our approach employs dimensionality reduction techniques employed in machine learning pipelines like Principal Component Analysis (PCA) and Decision Tree Learning (DTL) to enable architects to understand how design decisions contribute to the satisfaction of extra-functional properties across the design space. Our results show feasibility of the approach in two case studies and evidence that combining complementary techniques like PCA and DTL is a viable approach to facilitate comprehension of tradeoffs in poorly-understood design spaces.}, NOTE = {https://doi.org/10.1016/j.jss.2022.111578}, KEYWORDS = {Architectural Analysis, Explainable Software} } @InProceedings{Zhang:ICSE:2023, AUTHOR = {Zhang, Changjian and Saluja, Taranj and Meira-G\'{o}es, R\^{o}mulo and Bolton, Matthew and Garlan, David and Kang, Eunsuk}, TITLE = {Robustification of Behavioral Designs against Environmental Deviations}, YEAR = {2023}, MONTH = {14-20 May}, BOOKTITLE = {Proceedings of the 45th International Conference on Software Engineering}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Robustification___ICSE_23_Camera_Ready.pdf}, ABSTRACT = {Modern software systems are deployed in a highly dynamic, uncertain environment. Ideally, a system that is robust should be capable of establishing its most critical requirements even in the presence of possible deviations in the environment. We propose a technique called behavioral robustification, which involves systematically and rigorously improving the robustness of a design against potential deviations. Given behavioral models of a system and its environment, along with a set of user-specified deviations, our robustification method produces a redesign that is capable of satisfying a desired property even when the environment exhibits those deviations. In particular, we describe how the robustification problem can be formulated as a multi- objective optimization problem, where the goal is to restrict the deviating environment from causing a violation of a desired property, while maximizing the amount of existing functionality and minimizing the cost of changes to the original design. We demonstrate the effectiveness of our approach on case studies involving the robustness of an electronic voting machine and safety-critical interfaces.}, KEYWORDS = {Formal Methods, Resilience, Resource prediction} } @InProceedings{Chu:SEAMS:2023, AUTHOR = {Chu, Simon and Shedden, Emma and Zhang, Changjian and Meira-G\'{o}es, R\^{o}mulo and Moreno, Gabriel A. and Garlan, David and Kang, Eunsuk}, TITLE = {Runtime Resolution of Feature Interactions through Adaptive Requirement Weakening.}, YEAR = {2023}, MONTH = {15-16 May}, BOOKTITLE = {Proceedings of the 18th International Symposium on Software Engineering for Adaptive and Self-Managing Systems}, ABSTRACT = {The feature interaction problem occurs when two or more independently developed components interact with each other in unanticipated ways, resulting in undesirable system behaviors. Feature interaction problems remain a challenge for emerging domains in cyber-physical systems (CPS), such as the Internet of Things and autonomous drones. Existing techniques for resolving feature interactions take a “winner-takes-all” approach, where one out of the conflicting features is selected as the most desirable one, and the rest are disabled. However, when multiple of the conflicting features fulfill important system requirements, being forced to select one of them can result in an undesirable system outcome. In this paper, we propose a new resolution approach that allows all of the conflicting features to continue to partially fulfill their requirements during the resolution process. In particular, our approach leverages the idea of adaptive requirement weakening, which involves one or more features temporarily weakening their level of performance in order to co-exist with the other features in a consistent manner. Given feature requirements specified in Signal Temporal Logic (STL), we propose an automated method and a runtime architecture for automatically weakening the requirements to resolve a conflict. We demonstrate our approach through case studies on feature interactions in autonomous drones.}, KEYWORDS = {Formal Methods, Self-adaptation} } @Article{2023:FM:IEEE, AUTHOR = {C\'{a}mara, Javier and Garlan, David}, TITLE = {A study on the impact of repetition of formative assessments in a formal methods course for professional software engineers}, YEAR = {2023}, JOURNAL = {IEEE Software}, ABSTRACT = {Although tests are traditionally used as mandatory summative assessments at the end of the instruction period and their purpose is measuring how well a student has learned a given subject, they can also play an important role in formative assessment when they are employed as an instrument to aid in the acquisition and retention of knowledge. This study evaluates the role of tests as weekly formative assessments and investigates the impact of their repetition (i.e., administering the same test more than once) on academic performance of students in a postgraduate formal methods course for professional software engineers. Our hypothesis is that repetition in formative assessments leads to increased academic performance, as well as to an improvement in the effectiveness of gauging student progress. Based on an analysis of data from a population of 194 students that took the course during the period 2013-2017, we report results that point at the validity of our hypothesis.}, NOTE = {doi: 10.1109/MS.2023.3291400}, KEYWORDS = {Education, Formal Methods} } @InProceedings{AAAI23::HyperJump, AUTHOR = {Mendes, Pedro and Casimiro, Maria and Romano, Paolo and Garlan, David}, TITLE = {HyperJump: Accelerating HyperBand via Risk Modelling}, YEAR = {2023}, BOOKTITLE = {Proceedings of the 37th AAAI Conference on Artificial Intelligence}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/hyperjump_AAAI23_CR.pdf}, ABSTRACT = {In the literature on hyper-parameter tuning, a number of recent solutions rely on low-fidelity observations (e.g., training with sub-sampled datasets) in order to efficiently identify promising configurations to be then tested via high-fidelity observations (e.g., using the full dataset). Among these, HyperBand is arguably one of the most popular solutions, due to its efficiency and theoretically provable robustness. In this work, we introduce HyperJump, a new approach that builds on HyperBand’s robust search strategy and complements it with novel model-based risk analysis techniques that accelerate the search by skipping the evaluation of low risk configurations, i.e., configurations that are likely to be eventually discarded by HyperBand. We evaluate HyperJump on a suite of hyper-parameter optimization problems and show that it provides over one-order of magnitude speed-ups, both in sequential and parallel deployments, on a variety of deep-learning, kernel-based learning and neural architectural search problems when compared to HyperBand and to several state-of-the-art optimizers.}, KEYWORDS = {Machine Learning, Self-adaptation} } @Article{IEEE:CaRE:2023, AUTHOR = {Hossen, Md Abir and Kharade, Sonam and Schmerl, Bradley and C\'{a}mara, Javier and O\'Kane, Jason M. and Czaplinski, Ellen C. and Dzurilla, Katherine A. and Garlan, David and Jamshidi, Pooyan}, TITLE = {CaRE: Finding Root Causes of Configuration Issues in Highly-Configurable Robots}, YEAR = {2023}, MONTH = {May}, JOURNAL = {IEEE Robotics and Automation Letters}, PAGES = {1-8}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CaRE_Finding_Root_Causes_of_Configuration_Issues_in_Highly-Configurable_Robots.pdf}, ABSTRACT = {Robotic systems have subsystems with a combinatorially large configuration space and hundreds or thousands of possible software and hardware configuration options interacting non-trivially. The configurable parameters are set to target specific objectives, but they can cause functional faults when incorrectly configured. Finding the root cause of such faults is challenging due to the exponentially large configuration space and the dependencies between the robot's configuration settings and performance. This paper proposes CaRE —a method for diagnosing the root cause of functional faults through the lens of causality. CaRE abstracts the causal relationships between various configuration options and the robot's performance objectives by learning a causal structure and estimating the causal effects of options on robot performance indicators. We demonstrate CaRE 's efficacy by finding the root cause of the observed functional faults and validating the diagnosed root cause by conducting experiments in both physical robots ( Husky and Turtlebot 3 ) and in simulation ( Gazebo ). Furthermore, we demonstrate that the causal models learned from robots in simulation (e.g., Husky in Gazebo ) are transferable to physical robots across different platforms (e.g., Husky and Turtlebot 3 ).}, NOTE = {doi: 10.1109/LRA.2023.3280810} } @InProceedings{2023:Sedghpour:IC2E, AUTHOR = {Sedghpour, Mohammad Reza Saleh and Garlan, David and Schmerl, Bradley and Klein, Cristian and Tordsson, Johan}, TITLE = {Breaking the Vicious Circle: Self-Adaptive Microservice Circuit Breaking and Retry}, YEAR = {2023}, MONTH = {25-28 September}, BOOKTITLE = {Proceedings of the 11th IEEE International conference on Cloud Engineering (IC2E)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Mohammad___Paper___6.pdf}, ABSTRACT = {Microservice-based architectures consist of numer- ous, loosely coupled services with multiple instances. Service meshes aim to simplify traffic management and prevent mi- croservice overload through circuit breaking and request retry mechanisms. Previous studies have demonstrated that the static configuration of these mechanisms is unfit for the dynamic environment of microservices. We conduct a sensitivity analysis to understand the impact of retrying across a wide range of scenarios. Based on the findings, we propose a retry controller that can also work with dynamically configured circuit breakers. We have empirically assessed our proposed controller in various scenarios, including transient overload and noisy neighbors while enforcing adaptive circuit breaking. The results show that our proposed controller does not deviate from a well-tuned configura- tion while maintaining carried response time and adapting to the changes. In comparison to the default static retry configuration that is mostly used in practice, our approach improves the carried throughput up to 12x and 32x respectively in the cases of transient overload and noisy neighbors.}, NOTE = {Best Paper Award}, KEYWORDS = {Self-adaptation, Self-Repair} } @PhdThesis{Glazier:Thesis:2023, AUTHOR = {Glazier, Thomas J.}, TITLE = {Meta-Management of Collections of Autonomic Systems}, YEAR = {2023}, MONTH = {December}, NUMBER = {CMU-S3D-23-110}, SCHOOL = {Software and Societal Systems Department, School of Computer Science}, KEYWORDS = {Self-adaptation, Self-awareness & Adaptation} } @PhdThesis{Dwivedi:Thesis:2022, AUTHOR = {Dwivedi, Vishal}, TITLE = {Halo: A Framework for End-User Architecting}, YEAR = {2022}, NUMBER = {CMU-S3D-22-110}, SCHOOL = {Software and Societal Systems Department, School of Computer Science}, KEYWORDS = {End-user Architecture} } @InProceedings{ICSE2024:Duerschmid:ROSInfer, AUTHOR = {D\"{u}rschmid, Tobias and Timperley, Christopher Steven and Garlan, David and Le Goues, Claire}, TITLE = {ROSInfer: Statically Inferring Behavioral Component Models for ROS-based Robotics Systems}, YEAR = {2024}, MONTH = {14-20 April}, BOOKTITLE = {Proceedings of the 46th International Conference on Software Engineering (ICSE 2024)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/icse2023-static-inference.pdf}, ABSTRACT = {Robotics systems are complex, safety-critical systems that can con- sist of hundreds of software components that interact with each other dynamically during run time. Software components of robot- ics systems often exhibit reactive, periodic, and state-dependent behavior. Incorrect component composition can lead to unexpected behavior, such as components passively waiting for initiation mes- sages that never arrive. Model-based software analysis is a common technique to identify incorrect behavioral composition by checking desired properties of given behavioral models that are based on component state machines. However, writing state machine models for hundreds of software components manually is a labor-intensive process. This motivates work on automated model inference. In this paper, we present an approach to infer behavioral models for systems based on the Robot Operating System (ROS) using static analysis by exploiting assumptions about the usage of the ROS API and ecosystem. Our approach is based on searching for common behavioral patterns that ROS developers use for implementing reac- tive, periodic, and state-dependent behavior using the ROS frame- work API. We evaluate our approach and our tool ROSInfer on five complex real-world ROS systems with a total of 534 components. For this purpose we manually created 155 models of components from the source code to be used as a ground truth and available data set for other researchers. ROSInfer can infer causal triggers for 87 % of component architectural behaviors in the 534 components.}, NOTE = {To appear}, KEYWORDS = {Software Architecture} } @InProceedings{FEMCAD:2023, AUTHOR = {Zhang, Changjian and Dardik, Ian and Meira-G\'{o}es, R\^{o}mulo and Garlan, David and Kang, Eunsuk}, TITLE = {Fortis: A Tool for Analysis and Repair of Robust Software Systems}, YEAR = {2023}, MONTH = {23-27 October}, BOOKTITLE = {Proc. Formal Methods in Computer-Aided Design 2023}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fortis-fmcad.pdf}, ABSTRACT = {This paper presents Fortis, a tool for automated, formal analysis and repair of robust discrete systems. Given a system model, an environment model, and a safety property, the tool can be used to automatically compute robustness as the amount of deviations in the environment under which the system can continue to guarantee the property. In addition, Fortis enables automated repair of a given system to improve its robustness against a set of intolerable deviations through a process called robustification. With these techniques, Fortis enables a new process for developing robust-by-design systems. The paper presents the overall design of Fortis as well as the key details behind the robustness analysis and robustification techniques. The applicability and performance of Fortis are illustrated through experimental results over a set of case study systems, including a radiation therapy system, an electronic voting machine, network protocols, and a transportation fare system.}, KEYWORDS = {Formal Methods} } @InProceedings{Diaz-Pace:ECSA:20223, AUTHOR = {Diaz-Pace, Andres and Wohlrab, Rebekka and Garlan, David}, TITLE = {Supporting the Exploration of Quality Attribute Tradeoffs in Large Design Spaces}, YEAR = {2023}, MONTH = {18-22 September}, BOOKTITLE = {17th European Conference on Software Architecture (ECSA)}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/explainability-paper-ecsa2023-lncs.pdf}, ABSTRACT = {When designing and evolving software architectures, archi- tects need to consider large design spaces of architectural decisions. These decisions tend to impact the quality attributes of the system, such as performance, security, or reliability. Relevant quality attributes might influence each other and usually need to be traded off by architects. When exploring a design space, it is often challenging for architects to understand what tradeoffs exist and how they are connected to architectural decisions. This is particularly problematic in architectural spaces generated by automated optimization tools, as the underlying tradeoffs behind the decisions that they make are unclear. This paper presents an approach to explore quality-attribute tradeoffs via clustering and visualization techniques. The approach allows architects to get an overview of the main tradeoffs and their links to architectural configurations. We evaluated the approach in a think-aloud study with 9 participants from academia and industry. Our findings show that the proposed tech- niques can be useful in understanding feasible tradeoffs and architectural changes affecting those tradeoffs in large design spaces.}, NOTE = {Best Paper Award}, KEYWORDS = {Software Architecture} } @Article{Camara:Expl:IEEESoftware:2024, AUTHOR = {C\'{a}mara, Javier and Wohlrab, Rebekka and Garlan, David and Schmerl, Bradley}, TITLE = {Focusing on What Matters: Explaining Quality Tradeoffs in Software-Intensive Systems via Dimensionality Reduction}, YEAR = {2024}, MONTH = {January}, JOURNAL = {IEEE Software}, VOLUME = {41}, PAGES = {64-73}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IEEE_Software__Tradeoff_Focused_ExplanationsCamara_Expl_IEEESoftware_2024.pdf}, ABSTRACT = {Building and operating software-intensive systems often involves exploring decision spaces made up of large numbers of variables and complex relations among them. Understanding such spaces is often overwhelming to human decision makers, who have limited capacity to digest large amounts of information, making it difficult to distinguish the forest through the trees. In this article, we report on our experience in which we used dimensionality reduction techniques to enable decision makers in different domains (software architecture, smart manufacturing, automated planning for service robots) to focus on the elements of the decision space that explain most of the quality variation, filtering out noise, and thus reducing cognitive complexity.}, NOTE = {DOI: https://doi.ieeecomputersociety.org/10.1109/MS.2023.3320689}, KEYWORDS = {Explainable Software, Planning, Self-adaptation, Software Architecture} } @InProceedings{Garlan:2024:Designing, AUTHOR = {Garlan, David and Schmerl, Bradley and Wohlrab, Rebekka and C\'{a}mara, Javier}, TITLE = {Challenges in Creating Effective Automated Design Environments: An experience report from the domain of generative manufacturing}, YEAR = {2024}, MONTH = {15 April}, BOOKTITLE = {Proc. the 1st International Workshop on Designing Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/DesigningLMCO-2.pdf}, ABSTRACT = {The emergence of powerful automated design tools in many domains is changing the nature of design, as human-intensive activities can be increasingly off-loaded to those tools. Rather than having a human consider only handful of options, as has been done historically, such tools now enable the generation of a large space of potential designs, exhibiting different tradeoffs among competing qualities of merit, and supporting systematic exploration of the design space. At the same time, this paradigm raises new challenges centered on enabling humans to effectively navigate that generated space in order to select a design that best meets their requirements. In this paper we describe our experience in the domain of generative manufacturing, in which we developed a novel design environment for airplane parts manufacturing that incorporates a number of sophisticated design tools and attempts to tackle the emergent problems of design space exploration that are faced by designers of those parts. We use this experience to highlight the challenges that we faced and reflect on their applicability more generally to tool-assisted software design environments.}, KEYWORDS = {Explainable Software} } @Unpublished{2024:Hossen:CURE, AUTHOR = {Hossen, Md Abir and Kharade, Sonam and O\'Kane, Jason M. and Schmerl, Bradley and Garlan, David and Jamshidi, Pooyan}, TITLE = {CURE: Simulation-Augmented Auto-Tuning in Robotics}, YEAR = {2024}, ABSTRACT = {Robotic systems are typically composed of vari- ous subsystems, such as localization and navigation, each en- compassing numerous configurable components (e.g., selecting different planning algorithms). Once an algorithm has been selected for a component, its associated configuration options must be set to the appropriate values. Configuration options across the system stack interact non-trivially. Finding optimal configurations for highly configurable robots to achieve desired performance poses a significant challenge due to the interactions between configuration options across software and hardware that result in an exponentially large and complex configuration space. These challenges are further compounded by the need for transferability between different environments and robotic platforms. Data efficient optimization algorithms (e.g., Bayesian optimization) have been increasingly employed to automate the tuning of configurable parameters in cyber-physical systems. However, such optimization algorithms converge at later stages, often after exhausting the allocated budget (e.g., optimization steps, allotted time) and lacking transferability. This paper proposes CURE—a method that identifies causally relevant con- figuration options, enabling the optimization process to operate in a reduced search space, thereby enabling faster optimization of robot performance. CURE abstracts the causal relationships between various configuration options and robot performance objectives by learning a causal model in the source (a low-cost environment such as the Gazebo simulator) and applying the learned knowledge to perform optimization in the target (e.g., Turtlebot 3 physical robot). We demonstrate the effectiveness and transferability of CURE by conducting experiments that involve varying degrees of deployment changes in both physical robots and simulation}, NOTE = {Submitted for publication}, KEYWORDS = {Cyberphysical Systems, Machine Learning, Robot Adaptation, Self-adaptation} } @Article{Sousa:2024:Security, AUTHOR = {Sousa, Bruno and Dias, Duarte and Antunes, Nuno and C\'{a}mara, Javier and Wagner, Ryan and Schmerl, Bradley and Garlan, David and Fidalgo, Pedro}, TITLE = {MONDEO-Tactics5G: Multistage botnet detection and tactics for 5G/6G networks}, YEAR = {2024}, MONTH = {May}, JOURNAL = {Computers & Security}, VOLUME = {140}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MONDEO_AIDA.pdf}, ABSTRACT = {Mobile malware is a malicious code specifically designed to target mobile devices to perform multiple types of fraud. The number of attacks reported each day is increasing constantly and is causing an impact not only at the end-user level but also at the network operator level. Malware like FluBot contributes to identity theft and data loss but also enables remote Command & Control (C2) operations, which can instrument infected devices to conduct Distributed Denial of Service (DDoS) attacks. Current mobile device-installed solutions are not effective, as the end user can ignore security warnings or install malicious software. This article designs and evaluates MONDEO-Tactics5G - a multistage botnet detection mechanism that does not require software installation on end-user devices, together with tactics for 5G network operators to manage infected devices. We conducted an evaluation that demonstrates high accuracy in detecting FluBot malware, and in the different adaptation strategies to reduce the risk of DDoS while minimising the impact on the clients' satisfaction by avoiding disrupting established sessions.}, NOTE = {https://doi.org/10.1016/j.cose.2024.103768}, KEYWORDS = {Rainbow} } @InProceedings{Pace:2024:Design, AUTHOR = {Diaz-Pace, Andres and Garlan, David}, TITLE = {The Architect in the Maze: On the Effective Usage of Automated Design Exploration}, YEAR = {2024}, MONTH = {15 April}, BOOKTITLE = {Proc. the 1st International Workshop on Designing Software}, PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Designing2024_updated1.pdf}, ABSTRACT = { Designing a software architecture that satisfies a set of quality- attribute requirements has traditionally been a challenging activity for human architects, as it involves the exploration and assessment of alternative design decisions. The development of automated optimization tools for the architecture domain has opened new opportunities, because these tools are able to explore a large space of alternatives, and thus extend the architect’s capabilities. In this context, however, architects need to efficiently navigate through a large space and understand the main relations between design decisions and feasible quality-attribute tradeoffs in a maze of possi- ble alternatives. Although Machine Learning (ML) techniques can help to reduce the complexity of the task by sifting through the data generated by the tools, the standard techniques often fall short because they cannot offer architectural insights or relevant answers to the architect’s questions. In this paper, and based on previous experiences, we argue that ML techniques should be adapted to the architecture domain, and propose a conceptual framework towards that goal. Furthermore, we show how the framework can be instan- tiated by adapting clustering techniques to answer architectural questions regarding a client-server design space.}, KEYWORDS = {Explainable Software} }