1 |
@Article{DiscoTectTSE,
AUTHOR = {Schmerl, Bradley and Aldrich, Jonathan and Garlan, David and Kazman, Rick and Yan, Hong},
TITLE = {Discovering Architectures from Running Systems},
YEAR = {2006},
MONTH = {July},
JOURNAL = {IEEE Transactions on Software Engineering},
VOLUME = {32},
NUMBER = {7},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/discotect-tse.pdf},
ABSTRACT = {One of the challenging problems for software developers is guaranteeing that a system as built is consistent with its architectural design. In this paper, we describe a technique that uses runtime observations about an executing system to construct an architectural view of the system. In this technique, we develop mappings that exploit regularities in system implementation and architectural style. These mappings describe how low-level system events can be interpreted as more abstract architectural operations and are formally defined using Colored Petri Nets. In this paper, we describe a system, called DiscoTect, that uses these mappings and we introduce the DiscoSTEP mapping language and its formal definition. Two case studies showing the application of DiscoTect suggest that the tool is practical to apply to legacy systems and can dynamically verify conformance to a preexisting architectural specification.},
NOTE = {Also available from IEEE. Appendix A, Appendix B},
KEYWORDS = {DiscoTect, Rainbow, Self-Repair, Software Architecture} }
|
2 |
@Article{Poladian2006,
AUTHOR = {Sousa, Jo\~{a}o and Poladian, Vahe and Garlan, David and Schmerl, Bradley and Shaw, Mary},
TITLE = {Task-Based Adaptation for Ubiquitous Computing},
YEAR = {2006},
MONTH = {May},
JOURNAL = {IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, Special Issue on Engineering Autonomic Systems},
VOLUME = {36},
NUMBER = {3},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/tbuc.pdf},
ABSTRACT = {An important domain for autonomic systems is the area of ubiquitous computing: users are increasingly surrounded by technology that is heterogeneous, pervasive, and variable. In this paper we describe our work in developing self-adapting computing infrastructure that automates the configuration and reconfiguration of such environments. Focusing on the engineering issues of self-adaptation in the presence of heterogeneous platforms, legacy applications, mobile users, and resource variable environments, we describe a new approach based on the following key ideas: (a) Explicit representation of user tasks allows us to determine what service qualities are required of a given configuration; (b) Decoupling task and preference specification from the lower level mechanisms that carry out those preferences provides a clean engineering separation of concerns between what is needed and how it is carried out; and (c) Efficient algorithms allow us to calculate in real time near-optimal resource allocations and reallocations for a given task.},
NOTE = {Also available at IEEE Xplore},
KEYWORDS = {Aura, Autonomic Systems, Ubiquitous Computing} }
|
3 |
@Article{Garlan2004,
AUTHOR = {Garlan, David and Cheng, Shang-Wen and Huang, An-Cheng and Schmerl, Bradley and Steenkiste, Peter},
TITLE = {Rainbow: Architecture-Based Self Adaptation with Reusable Infrastructure},
YEAR = {2004},
MONTH = {October},
JOURNAL = {IEEE Computer},
VOLUME = {37},
NUMBER = {10},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/computer04.pdf},
ABSTRACT = {The Rainbow framework uses software architectures and a reusable infrastructure to support self-adaptation of software systems. The use of external adaptation mechanisms allows the explicit specification of adaptation strategies for multiple system concerns.},
KEYWORDS = {Autonomic Systems, Landmark, Rainbow, Self-adaptation} }
|
4 |
@Article{Garlan2002a,
AUTHOR = {Garlan, David and Siewiorek, Dan and Smalagic, Asim and Steenkiste, Peter},
TITLE = {Project Aura: Towards Distraction-Free Pervasive Computing},
YEAR = {2002},
MONTH = {April},
JOURNAL = {IEEE Pervasive Computing, special issue on Integrated Pervasive Computing Environments},
VOLUME = {1},
NUMBER = {2},
PAGES = {22-31},
PDF = {http://www.cs.cmu.edu/afs/cs/project/aura/www/docdir/Aura-Perv02.pdf},
ABSTRACT = {The most precious resource in a computer system is no longer its processor, memory, disk, or network, but rather human attention. Aura aims to minimize distractions on a user's attention, creating an environment that adapts to the user's context and needs.},
KEYWORDS = {Aura, Ubiquitous Computing} }
|
5 |
@Article{Garlan2002b,
AUTHOR = {Garlan, David and Kompanek, Andrew and Cheng, Shang-Wen},
TITLE = {Reconciling the Needs of Architectural Description with Object-Modeling Notations},
YEAR = {2002},
JOURNAL = {Science of Computer Programming},
VOLUME = {44},
PAGES = {23-49},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml01/uml01.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml01/uml01.ps},
ABSTRACT = {Complex software systems require expressive notations for representing their software architectures. Two competing paths have emerged. One is to use a specialized notation for architecture - or architecture description language (ADL). The other is to adapt a general-purpose modeling notation, such as UML. The latter has a number of benefits, including familiarity to developers, close mapping to implementations, and commercial tool support. However, it remains an open question as to how best to use object-oriented notations for architectural description, and, indeed, whether they are sufficiently expressive, as currently defined. In this paper we take a systematic look at these questions, examining the space of possible mappings from ADLs into object notations. Specifically, we describe (a) the principle strategies for representing architectural structure in UML; (b) the benefits and limitations of each strategy; and (c) aspects of architectural description that are intrinsically difficult to model in UML using the strategies.},
KEYWORDS = {Software Architecture, UML} }
|
6 |
@Article{Sousa2001,
AUTHOR = {Sousa, Jo\~{a}o and Garlan, David},
TITLE = {Formal Modeling of the Enterprise JavaBeans Component Integration Framework},
YEAR = {2001},
MONTH = {March},
JOURNAL = {Information and Software Technology},
VOLUME = {43},
NUMBER = {3},
NOTE = {Also available as Technical Report CMU-CS-00-162, Carnegie Mellon University School of Computer Science},
KEYWORDS = {Formal Methods, Software Architecture} }
|
7 |
@Article{Kaplan2002,
AUTHOR = {Kaplan, Alan and Schmerl, Bradley and Veeraraghaven, Rajesh},
TITLE = {Toward Automated Support for Transparent Interoperable Queries},
YEAR = {2002},
MONTH = {October},
JOURNAL = {Journal of Information Technology and Management},
VOLUME = {3},
NUMBER = {4},
PAGES = {387-406},
URL = {http://www.ingentaconnect.com/content/klu/item/2002/00000003/00000004/05093521;jsessionid=h7vv7b6cf8uk.victoria},
NOTE = {A shorter version of this paper appeared in the Ninth Workshop on Information Technologies and Systems (WITS99)(Charlotte, USA, December 1999)} }
|
8 |
@Article{DGJN97,
AUTHOR = {Dingel, Jurgen and Garlan, David and Jha, Somesh and Notkin, David},
TITLE = {Towards a formal treatment of implicit invocation using rely/guarantee reasoning},
YEAR = {1998},
JOURNAL = {Formal Aspects of Computing},
VOLUME = {1-},
PAGES = {193-213},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fac98/implinvoc-fac98.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fac98/implinvoc-fac98.ps},
ABSTRACT = {Implicit invocation has become an important architectural style for large-scale system design and evolution. This paper addresses the lack of specification and verification formalisms for such systems. A formal computational model for implicit invocation is presented. We develop a verification framework for implicit invocation that is based on Jones' rely/guarantee reasoning for concurrent systems. The application of the framework is illustrated with several examples. The merits and limitations of the rely/guarantee paradigm in the context of implicit invocation systems are also discussed. },
NOTE = {Supersedes CMU-CS-97-153.},
KEYWORDS = {Implicit Invocation, Formal Methods, Software Architecture} }
|
9 |
@Article{Monroe97Software,
AUTHOR = {Monroe, Robert T. and Kompanek, Andrew and Melton, Ralph and Garlan, David},
TITLE = {Architectural Styles, Design Patterns, and Objects},
YEAR = {1997},
MONTH = {January},
JOURNAL = {IEEE Software},
KEY = {Monroe},
VOLUME = {14},
NUMBER = {1},
PAGES = {43-52},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/ObjPatternsArch-ieee97/ObjPatternsArch-ieee97.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/ObjPatternsArch-ieee97/ObjPatternsArch-ieee97.ps},
ABSTRACT = {Software system builders are increasingly recognizing the importance of exploiting design knowledge in the engineering of new systems. One way to do this is to define an architectural style for a collection of related systems. The style determines a coherent vocabulary of system design elements and rules for their composition. By structuring the design space for a family of related systems a style can, in principle, drastically simplify the process of building a system, reduce costs of implementation through reusable infrastructure, and improve system integrity through style-specific analyses and checks.
Like architectural style, object-oriented design patterns attempt to capture and exploit design knowledge to ease the process of designing software systems and reusing proven designs. There are, however, significant differences in the roles and capabilities of architectural styles and object-oriented design patterns, as there are between architectural design and object-oriented design. In this paper we illustrate the relationship between software architecture and object-oriented design, as well as the relationship between architectural styles and design patterns. We begin by defining our terms and then proceed to compare and contrast the various approaches with examples.
},
KEYWORDS = {Architectural Style, Software Architecture} }
|
10 |
@Article{Allen97TOSEM,
AUTHOR = {Allen, Robert and Garlan, David},
TITLE = {A Formal Basis for Architectural Connection},
YEAR = {1997},
MONTH = {July},
JOURNAL = {ACM Transactions on Software Engineering and Methodology},
KEY = {Allen},
VOLUME = {6},
NUMBER = {3},
PAGES = {213-249},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-tosem97-revision/wright-tosem97-revision.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-tosem97-revision/wright-tosem97-revision.ps},
ABSTRACT = {As software systems become more complex the overall system structure -- or software architecture -- becomes a central design problem. An important step towards an engineering discipline of software is a formal basis for describing and analyzing these designs. In this paper we present a formal approach to one aspect of architectural design: the interactions between components. The key idea is to define architectural connectors as explicit semantic entities. These are specified as a collection of protocols that characterize each of the participant roles in an interaction and how these roles interact. We illustrate how this scheme can be used to define a variety of common architectural connectors. We further provide a formal semantics and show how this leads to a system in which architectural compatibility can be checked in a way analogous to type checking in programming languages.
},
KEYWORDS = {Formal Methods, Model Checking, Software Architecture} }
|
11 |
@Article{Garlan1997,
AUTHOR = {Garlan, David and Tomayko, James and Gluch, David},
TITLE = {Agents of Change: Educating Future Leaders in Software Engineering},
YEAR = {1997},
MONTH = {November},
JOURNAL = {IEEE Computer},
KEYWORDS = {Software Engineering, Education} }
|
12 |
@Article{Garlan95TSE-intro,
AUTHOR = {Garlan, David and Perry, Dewayne},
TITLE = {Introduction to the Special Issue on Software Architecture},
YEAR = {1995},
MONTH = {April},
JOURNAL = {IEEE Transactions on Software Engineering},
KEY = {Garlan},
VOLUME = {21},
NUMBER = {4},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/saintro-tse95/saintro-tse95.pdf},
ABSTRACT = {A critical aspect of the design for any large software system is its gross structure represented as a high-level organization of computational elements and interactions between those elements. Broadly speaking, this is the software architectural level of design. The structure of software has long been recognized as an important issue of concern. However, recently software architecture has begun to emerge as an explicit field of study for software engineering practitioners and researchers. Evidence of this trend is apparent in a large body of recent work in research such as module interface languages, domain specific architectures, architectural description languages, design patterns and handbooks, formal underpinnings for architectural design, and architectural design environments. This IEEE Transactions on Software Engineering Special Issue on Software Architecture presents seven papers that illustrate many of these emerging research areas.},
KEYWORDS = {Software Architecture} }
|
13 |
@Article{IEEE1995/reuse,
AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John},
TITLE = {Architectural Mismatch: Why Reuse is so Hard},
YEAR = {1995},
JOURNAL = {IEEE Software},
VOLUME = {12},
NUMBER = {6},
PAGES = {17-26},
KEYWORDS = {Software Architecture} }
|
14 |
@Article{Abowd1995,
AUTHOR = {Abowd, Gregory and Allen, Robert and Garlan, David},
TITLE = {Formalizing Style to Understand Descriptions of Software Architecture},
YEAR = {1995},
MONTH = {October},
JOURNAL = {ACM Transactions on Software Engineering and Methodology},
VOLUME = {4},
NUMBER = {4},
PAGES = {319-364},
PDF = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/styleformalism-tosem95/styleformalism-tosem95.pdf},
PS = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/styleformalism-tosem95/styleformalism-tosem95.ps},
ABSTRACT = {The software architecture of most systems is usually described informally and diagrammatically by means of boxes and lines. In order for these descriptions to be meaningful, the diagrams are understood by interpreting the boxes and lines in specic, conventionalized ways. The informal, imprecise nature of these interpretations has a number of limitations. In this paper we consider these conventionalized interpretations as architectural styles and provide a formal framework for their uniform denition. In addition to providing a template for precisely dening new architectural styles, this framework allows for analysis within and between dierent architectural styles.},
KEYWORDS = {Architectural Analysis, Architectural Style, Landmark, Software Architecture} }
|
15 |
@Article{Garlan2006a,
AUTHOR = {Seceleanu, Tiberiu and Garlan, David},
TITLE = {Developing adaptive systems with synchronized architectures},
YEAR = {2006},
MONTH = {November},
JOURNAL = {The Journal of Systems and Software},
VOLUME = {79},
NUMBER = {11},
PAGES = {1514-1526},
URL = {http://dx.doi.org/10.1016/j.jss.2006.03.047},
ABSTRACT = {In this paper we show how to specify and refine self-adapting systems, by employing the state-based formalism called action systems. Assuming a fixed set of possible configurations, we use a recently-introduced synchronization operator to achieve separation of concerns between adaptation policy, fault tolerance and steady-state system execution. Using action systems allows us to apply standard refinement techniques, aimed for correct implementations of higher-level models. We illustrate this idea by applying it to the problem of coping with dynamically-varying user requirements and possible fault situations.},
KEYWORDS = {Autonomic Systems, Software Architecture} }
|
16 |
@Article{garlan2007,
AUTHOR = {Garlan, David and Schmerl, Bradley},
TITLE = {The RADAR Architecture for Personal Cognitive Assistance},
YEAR = {2007},
MONTH = {April},
JOURNAL = {International Journal of Software Engineering and Knowledge Engineering},
VOLUME = {17},
NUMBER = {2},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IJSEKE-paper-submission.pdf},
ABSTRACT = {Current desktop environments provide weak support for carrying out complex user-oriented tasks. Although individual applications are becoming increasingly sophisticated and feature-rich, users must map their high-level goals to the low-level operational vocabulary of applications, and deal with a myriad of routine tasks (such as keeping up with email, keeping calendars and web sites up-to-date, etc.). An alternative vision is that of a personal cognitive assistant. Like a good secretary, such an assistant would help users accomplish their high-level goals, coordinating the use of multiple applications, automatically handling routine tasks, and, most importantly, adapting to the individual needs of a user over time. In this paper we describe the architecture and its implementation for a personal cognitive assistant called RADAR. Key features include (a) extensibility through the use of a plug-in agent architecture (b) transparent integration with legacy applications and data of today?s desktop environments, and (c) extensive use of learning so that the environment adapts to the individual user over time.},
NOTE = {A shorter version of this paper appeared in the 2006 Conference on Software Engineering and Knowledge Engineering (SEKE 2006).},
KEYWORDS = {Personal Assistance, RADAR, Software Architecture} }
|
17 |
@Article{RajhansMPM2009,
AUTHOR = {Rajhans, Akshay and Cheng, Shang-Wen and Schmerl, Bradley and Garlan, David and Krogh, Bruce and Agbi, Clarence and Bhave, Ajinkya Y.},
TITLE = {An Architectural Approach to the Design and Analysis of Cyber-Physical Systems},
YEAR = {2009},
JOURNAL = {Electronic Communications of the EASST},
VOLUME = {21: Multi-Paradigm Modeling},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/286-855-1-PB.pdf},
ABSTRACT = {This paper presents an extension of existing software architecture tools to model physical systems, their interconnections, and the interactions between physical and cyber components. A new CPS architectural style is introduced to support the principled design and evaluation of alternative architectures for cyber-physical systems (CPSs). The implementation of the CPS architectural style in AcmeStudio includes behavioral annotations on components and connectors using either ?nite state processes (FSP) or linear hybrid automata (LHA) with plug-ins to perform behavior analysis using the Labeled Transition System Analyzer (LTSA) or Polyhedral Hybrid Automata Veri?er (PHAVer), respectively. The CPS architectural style and analysis plug-ins are illustrated with an example.
},
KEYWORDS = {Cyberphysical Systems} }
|
18 |
@Article{Delisle1990,
AUTHOR = {Delisle, Norman and Garlan, David},
TITLE = {A Formal Specification of an Oscilloscope},
YEAR = {1990},
MONTH = {September},
JOURNAL = {IEEE Software},
VOLUME = {7},
NUMBER = {5} }
|
19 |
@Article{AANSG08,
AUTHOR = {Abi-Antoun, Marwan and Aldrich, Jonathan and Nahas, Nagi and Schmerl, Bradley and Garlan, David},
TITLE = {Differencing and Merging of Architectural Views},
YEAR = {2008},
MONTH = {March},
JOURNAL = {Automated Software Engineering Journal},
VOLUME = {15},
NUMBER = {1},
ABSTRACT = {Differencing and merging architectural views is an important activity in software engineering. However, existing approaches are still based on restrictive assumptions, such as requiring view elements to have unique identiers or exactly matching types, which is often not the case in many application domains.
We propose an approach based on structural information. We generalize a published polynomial-time tree-to-tree correction algorithm that detects inserts, renames and deletes, into a novel algorithm that additionally detects restricted moves.
Our algorithm also supports forcing and preventing matches between view elements. We incorporate the algorithm into tools to compare and merge Component-and-Connector (C&C) architectural views. We provide an empirical evaluation of the algorithm. We illustrate the tools using extended examples, and use them to detect and reconcile interesting differences between real architectural views.},
NOTE = {Final version available online at http://dx.doi.org/10.1007/s10515-007-0023-3.},
KEYWORDS = {Acme, ArchJava, Software Architecture} }
|
20 |
@Article{Kang2009,
AUTHOR = {Kang, Sungwon and Garlan, David},
TITLE = {Valuation of Architecture-based Deterministic Plan for Software Evolution},
YEAR = {2009},
MONTH = {October},
JOURNAL = {The KIPS Transactions: Part D},
VOLUME = {16-D},
NUMBER = {5},
PAGES = {755-566},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/12 J4_200900069_R5-clean copy.pdf},
ABSTRACT = {Software architecture allows us to make many decisions about a software system and analyze it even before it exists in order to make systematic and planned development possible. Similarly, architecture-based software evolution planning makes planned evolution possible by allowing us to make many decisions about evolution of a software system and analyze its evolution at the level of architecture design before software evolution is realized. In this paper, we develop a framework for architecture-based software evolution planning for the class of deterministic evolution plans by defining and relating various essential concepts and developing its valuation mechanism so that a plan with the greatest value among candidate plans can be selected as the optimal plan. A case study is conducted for explicating the framework and exemplifying its usage.} }
|
21 |
@Article{Kim2010,
AUTHOR = {Kim, Jung Soo and Garlan, David},
TITLE = {Analyzing Architectural Styles},
YEAR = {2010},
JOURNAL = {Journal of Software and Systems},
VOLUME = {83},
NUMBER = {7},
PAGES = {1216-1235},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS-final-revision3.pdf},
ABSTRACT = {The backbone of most software architectures and component integration frameworks is one or more architectural styles that provide a domain-specic design vocabulary and a set of constraints on how that vocabulary is used. Today's architectural styles are increasingly complex, involving rich vocabularies and numerous constraints. Hence, designing a sound and appropriate style becomes an intellectually challenging activity. Unfortunately, although there are numerous tools to help in the analysis of architectures for individual systems, relatively less work has been done on tools to help in the design of architectural styles. In this paper we address this gap by showing how to map an architectural style, expressed formally in an architectural description language, into a relational model that can then be checked for properties, such as whether a style is consistent, whether a style satises some predicates over its architectural structure, and whether two styles are compatible for composition.},
KEYWORDS = {Architectural Analysis, Architectural Style} }
|
22 |
@Article{2012:Cheng:Stitch,
AUTHOR = {Cheng, Shang-Wen and Garlan, David},
TITLE = {Stitch: A Language for Architecture-Based Self-Adaptation},
YEAR = {2012},
MONTH = {December},
JOURNAL = {Journal of Systems and Software, Special Issue on State of the Art in Self-Adaptive Systems},
VOLUME = {85},
NUMBER = {12},
EDITOR = {Weyns, Danny and Andersson, Jesper and Malek, Sam and Schmerl, Bradley},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS-S-11-00544.pdf},
ABSTRACT = {Requirements for high availability in computing systems today demand that
systems be self-adaptive to maintain expected qualities-of-service in the presence
of system faults, variable environmental conditions, and changing user
requirements. Autonomic computing tackles the challenge of automating
tasks that humans would otherwise have to perform to achieve this goal.
However, existing approaches to autonomic computing lack the ability to
capture routine human repair tasks in a way that takes into account the
business context that humans use in selecting an appropriate form of adaptation,
while dealing with timing delays and uncertainties in outcome of
repair actions. In this article, we present Stitch, a language for representing
repair strategies within the context of an architecture-based self-adaptation
framework. Stitch supports the explicit representation of repair decision
trees together with the ability to express business objectives, allowing a
self-adaptive system to select a strategy that has optimal utility in a given
context, even},
NOTE = {http://dx.doi.org/10.1016/j.jss.2012.02.060
},
KEYWORDS = {Landmark, Rainbow, Self-adaptation, Self-Repair, Stitch} }
|
23 |
@Article{Garlan/Mismatch/2009,
AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John},
TITLE = {Architectural Mismatch: Why Reuse is Still So Hard},
YEAR = {2009},
MONTH = {July},
JOURNAL = {IEEE Software, 25th-Anniversary Top Picks},
PAGES = {66-69},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/DG+09.pdf},
KEYWORDS = {Software Architecture} }
|
24 |
@Article{Barnes/AEVol/2012,
AUTHOR = {Barnes, Jeffrey M. and Garlan, David and Schmerl, Bradley},
TITLE = {Evolution styles: foundations and models for software architecture evolution},
YEAR = {2014},
MONTH = {May},
JOURNAL = {Journal of Software and Systems Modeling},
VOLUME = {13},
NUMBER = {2},
PAGES = {649-678},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/sosym.pdf},
ABSTRACT = {As new market opportunities, technologies, platforms, and frameworks become available, systems require large-scale and systematic architectural restructuring to accommodate them. Todays architects have few techniques to help them plan this architecture evolution. In particular, they have little assistance in planning alternative evolution paths, trading off various aspects of the different paths, or knowing best practices for particular domains. In this paper we describe an approach for planning and reasoning about architecture evolution. Our approach focuses on providing architects with the means to model prospective evolution paths and supporting analysis to select among these candidate paths. To demonstrate the usefulness of our approach, we show how it can be applied to an actual architecture evolution. In addition, we present some theoretical results about our evolution path constraint specification language.},
NOTE = {DOI 10.1007/s10270-012-0301-9},
KEYWORDS = {Architecture Evolution, Landmark} }
|
25 |
@Article{Rajhans/TAC/2013,
AUTHOR = {Rajhans, Akshay and Bhave, Ajinkya Y. and Ruchkin, Ivan and Krogh, Bruce and Garlan, David and Platzer, Andre and Schmerl, Bradley},
TITLE = {Supporting Heterogeneity in Cyber-Physical Systems Architectures},
YEAR = {2014},
MONTH = {December},
JOURNAL = {IEEE Transactions on Automatic Control},
VOLUME = {59},
NUMBER = {12},
PAGES = {3178--3193},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/TAS-Dec-2014.pdf},
ABSTRACT = {Cyber-physical systems (CPS) are heterogeneous, because
they tightly couple computation, communication and control along with
physical dynamics, which are traditionally considered separately. Without
a comprehensive modeling formalism, model-based development of CPS
involves using a multitude of models in a variety of formalisms that
capture various aspects of the system design, such as software design,
networking design, physical models, and protocol design. Without a
rigorous unifying framework, system integration and integration of the
analysis results for various models remains ad hoc. In this paper, we
propose a multi-view architecture framework that treats models as views
of the underlying system structure and uses structural and semantic
mappings to ensure consistency and enable system-level veri?cation
from that of the models in a hierarchical and compositional manner.
Throughout the paper, the theoretical concepts are illustrated using two
examples, an automotive intersection collision avoidance system and a
quadrotor.},
NOTE = {Also available at http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6882828},
KEYWORDS = {Cyberphysical Systems, Landmark} }
|
26 |
@Article{Kang/2014/IJSEKE,
AUTHOR = {Kang, Sungwon and Garlan, David},
TITLE = {Architecture-based planning of software evolution},
YEAR = {2014},
MONTH = {March},
JOURNAL = {International Journal of Software Engineering and Knowledge Engineering},
VOLUME = {24},
NUMBER = {2},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/evolutionPlanning.pdf},
ABSTRACT = {Software architecture allows us to make many decisions about a software system and analyze it even before it has been implemented, so as to make planned development possible. Similarly, architecture-based software evolution planning makes planned evolution possible by allowing us to make many decisions about the evolution of a software system and to analyze its evolution at the level of architecture design before software evolution is realized. In this paper, we develop a framework for architecture-based software evolution planning. It is done by defining various foundational terms and concepts, providing a taxonomy of software evolution plans, and then showing how to calculate values for various types of plans. By identifying and defining constituent foundational concepts, this conceptual framework makes precise the notion of architecture-based software planning. By developing a value-calculation framework for software evolution plans, it also provides a basis for concrete methods for designing and evaluating evolution plans.},
NOTE = {DOI: 10.1142/S0218194014500090},
KEYWORDS = {Architecture Evolution} }
|
27 |
@Article{Camara:2016:ALS:2872308.2774222,
AUTHOR = {C\'{a}mara, Javier and Moreno, Gabriel A. and Garlan, David and Schmerl, Bradley},
TITLE = {Analyzing Latency-Aware Self-Adaptation Using Stochastic Games and Simulations},
YEAR = {2016},
MONTH = {February},
JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems (TAAS) - Special Section on Best Papers from SEAMS 2014 and Regular Articles},
VOLUME = {10},
NUMBER = {4},
PAGES = {23:1--23:28},
ADDRESS = {New York, NY, USA},
PUBLISHER = {ACM},
URL = {http://doi.acm.org/10.1145/2774222},
ABSTRACT = {Self-adaptive systems must decide which adaptations to apply and when. In reactive approaches, adaptations are chosen and executed after some issue in the system has been detected (e.g., unforeseen attacks or failures). In proactive approaches, predictions are used to prepare the system for some future event (e.g., traffic spikes during holidays). In both cases, the choice of adaptation is based on the estimated impact it will have on the system. Current decision-making approaches assume that the impact will be instantaneous, whereas it is common that adaptations take time to produce their impact. Ignoring this latency is problematic because adaptations may not achieve their effect in time for a predicted event. Furthermore, lower impact but quicker adaptations may be ignored altogether, even if over time the accrued impact is actually higher. In this article, we introduce a novel approach to choosing adaptations that considers these latencies. To show how this improves adaptation decisions, we use a two-pronged approach: (i) model checking of Stochastic Multiplayer Games (SMGs) enables us to understand best- and worst-case scenarios of optimal latency-aware and non-latency-aware adaptation without the need to develop specific adaptation algorithms. However, since SMGs do not provide an algorithm to make choices at runtime, we propose a (ii) latency-aware adaptation algorithm to make decisions at runtime. Simulations are used to explore more detailed adaptation behavior and to check if the performance of the algorithm falls within the bounds predicted by SMGs. Our results show that latency awareness improves adaptation outcomes and also allows a larger set of adaptations to be exploited.},
NOTE = {ISSN 1556-4665},
KEYWORDS = {Latency-aware, Self-adaptation, Stochastic Games} }
|
28 |
@Article{Camara/ISS/2015,
AUTHOR = {C\'{a}mara, Javier and Correia, Pedro and de Lemos, Rog\'{e}rio and Garlan, David and Gomes, Pedro and Schmerl, Bradley and Ventura, Rafael},
TITLE = {Incorporating Architecture-Based Self-Adaptation into an Adaptive Industrial Software System},
YEAR = {2015},
JOURNAL = {Journal of Systems and Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ABSA-DCASc.pdf},
ABSTRACT = {Complex software-intensive systems are increasingly relied upon for all kinds
of activities in society, leading to the requirement that these systems should be
resilient to changes that may occur to the system, its environment, or its goals.
Traditionally, resilience has been achieved either through: (i) low-level mechanisms embedded in the implementation (e.g., exception handling, timeouts,
redundancies), which are unable to detect subtle but important anomalies (e.g.,
progressive performance degradation); or (ii) human oversight, which is costly
and unreliable. Architecture-based self-adaptation (ABSA) is regarded as a
promising approach to improve the resilience and reduce the development/operation costs of such systems. Although researchers have illustrated the benefits
of ABSA through a number of small-scale case studies, it remains to be seen whether ABSA is truly effective in handling changes at run-time in industrial-scale systems. In this paper, we report on our experience applying an ABSA
framework (Rainbow) to a large-scale commercial software system, called Data
Acquisition and Control Service (DCAS), which is used to monitor and manage
highly populated networks of devices in renewable energy production plants. In the approach followed, we have replaced some of the existing adaptive mechanisms embedded in DCAS by those advocated by ABSA proponents. This has
allowed us to assess the development costs associated with the reengineering
of adaptive mechanisms when using an ABSA solution, and to make effective
comparisons, in terms of operational performance, between a baseline industrial system and one that uses ABSA. Our results show that using the ABSA
concepts as embodied in Rainbow enabled an independent team of developers
to: (i) effectively implement the adaptation behavior required from such industrial systems; and (ii) obtain important benefits in terms of maintainability and extensibility of adaptation mechanisms.},
NOTE = {Available on-line http://dx.doi.org/10.1016/j.jss.2015.09.021},
KEYWORDS = {Rainbow, Self-adaptation, Software Engineering} }
|
29 |
@Article{Camara:2016:50,
AUTHOR = {C\'{a}mara, Javier and Lopes, Ant\'{o}nia and Garlan, David and Schmerl, Bradley},
TITLE = {Adaptation impact and environment models for architecture-based self-adaptive systems},
YEAR = {2016},
JOURNAL = {Science of Computer Programming, Special issue of the 11th International Symposium on Formal Aspects of Component Software },
VOLUME = {127},
PAGES = {50-75},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/LGC-IMCamara_2016_50.pdf},
ABSTRACT = {Self-adaptive systems have the ability to adapt their behavior to dynamic operating conditions. In reaction to changes in the environment, these systems determine the appropriate corrective actions based in part on information about which action will have the best impact on the system. Existing models used to describe the impact of adaptations are either unable to capture the underlying uncertainty and variability of such dynamic environments, or are not compositional and described at a level of abstraction too low to scale in terms of specification effort required for non-trivial systems. In this paper, we address these shortcomings by describing an approach to the specification of impact models based on architectural system descriptions, which at the same time allows us to represent both variability and uncertainty in the outcome of adaptations, hence improving the selection of the best corrective action. The core of our approach is a language equipped with a formal semantics defined in terms of Discrete Time Markov Chains that enables us to describe both the impact of adaptation tactics, as well as the assumptions about the environment. To validate our approach, we show how employing our language can improve the accuracy of predictions used for decision-making in the Rainbow framework for architecture-based self-adaptation.},
NOTE = {doi:10.1016/j.scico.2015.12.006},
KEYWORDS = {Self-adaptation, uncertainty} }
|
30 |
@Article{2016/Franco/JSS,
AUTHOR = {Franco, Jo\~{a}o and Correia, Francisco and Barbosa, Raul and Zenha-Rela, Mario and Schmerl, Bradley and Garlan, David},
TITLE = {Improving Self-Adaptation Planning through Software Architecture-based Stochastic Modeling},
YEAR = {2016},
MONTH = {May},
JOURNAL = {Journal of Systems and Software},
VOLUME = {115},
PAGES = {42-60},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/images.pdf},
ABSTRACT = {The ever-growing complexity of software systems makes it increasingly challenging to foresee at design time all interactions between a system and its environment.
Most self-adaptive systems trigger adaptations through operators that are statically configured for specific environment and system conditions. However, in the occurrence of uncertain conditions, self-adaptive decisions may not be effective and might lead to a disruption of the desired non-functional attributes.
To address this, we propose an approach that improves the planning stage by predicting the outcome of each strategy. In detail, we automatically derive a
stochastic model from a formal architecture description of the managed system with the changes imposed by each strategy. Such information is used to optimize the self-adaptation decisions to fulfill the desired quality goals.
To assess the effectiveness of our approach we apply it to a cloud-based news system and predicted the reliability for each possible adaptation strategy. The results obtained from our approach are compared to a representative static planning algorithm as well as to an oracle that always makes the ideal decision.
Experiments show that our method improves both availability and cost when compared to the static planning algorithm, while being close to the oracle.
Our approach may therefore be used to optimize self-adaptation planning.},
KEYWORDS = {Self-adaptation} }
|
31 |
@Article{2017:Camara:Resilience,
AUTHOR = {C\'{a}mara, Javier and de Lemos, Rog\'{e}rio and Laranjeiro, Nuno and Ventura, Rafael and Vieira, Marco},
TITLE = {Robustness-Driven Resilience Evaluation of Self-Adaptive Systems},
YEAR = {2017},
JOURNAL = {IEEE Transactions on Dependable and Secure Computing },
VOLUME = {14},
NUMBER = {1},
PAGES = {50-64},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/RD-RE-SAS-TDSC.pdf},
ABSTRACT = {An increasingly important requirement for certain classes of software-intensive systems is the ability to self-adapt their structure and behavior at run-time when reacting to changes that may occur to the system, its environment, or its goals. A major challenge related to self-adaptive software systems is the ability to provide assurances of their resilience when facing changes. Since in these systems, the components that act as controllers of a target system incorporate highly complex software, there is the need to analyze the impact that controller failures might have on the services delivered by the system. In this paper, we present a novel approach for evaluating the resilience of self-adaptive software systems by applying robustness testing techniques to the controller to uncover failures that can affect system resilience. The approach for evaluating resilience, which is based on probabilistic model checking, quantifies the probability of satisfaction of system properties when the target system is subject to controller failures. The feasibility of the proposed approach is evaluated in the context of an industrial middleware system used to monitor and manage highly populated networks of devices, which was implemented using the Rainbow framework for architecture-based self-adaptation.},
KEYWORDS = {Assurance, Landmark, Rainbow, Resilience, Self-adaptation} }
|
32 |
@Article{2018/Moreno/FlexibleLatency,
AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley},
TITLE = {Flexible and Efficient Decision-Making for Proactive
Latency-Aware Self-Adaptation},
YEAR = {2018},
MONTH = {May},
JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems},
VOLUME = {13},
NUMBER = {1},
ABSTRACT = {Proactive latency-aware adaptation is an approach for self-adaptive systems that considers both the current
and anticipated adaptation needs when making adaptation decisions, taking into account the latency of the
available adaptation tactics. Since this is a problem of selecting adaptation actions in the context of the
probabilistic behavior of the environment, Markov decision processes (MDP) are a suitable approach. However,
given all the possible interactions between the different and possibly concurrent adaptation tactics, the system,
and the environment, constructing the MDP is a complex task. Probabilistic model checking has been used
to deal with this problem, but it requires constructing the MDP every time an adaptation decision is made
to incorporate the latest predictions of the environment behavior. In this article, we describe PLA-SDP, an
approach that eliminates that run-time overhead by constructing most of the MDP offine. At run time, the
adaptation decision is made by solving the MDP through stochastic dynamic programming, weaving in the
environment model as the solution is computed. We also present extensions that support different notions
of utility, such as maximizing reward gain subject to the satisfaction of a probabilistic constraint, making
PLA-SDP applicable to systems with different kinds of adaptation goals.},
NOTE = {https://doi.org/10.1145/3149180},
KEYWORDS = {Latency-aware, Self-adaptation} }
|
33 |
@Article{2018:Camara:UncertaintyReduction,
AUTHOR = {C\'{a}mara, Javier and Peng, Wenxin and Garlan, David and Schmerl, Bradley},
TITLE = {Reasoning about Sensing Uncertainty and its Reduction in Decision-Making for Self-Adaptation},
YEAR = {2018},
MONTH = {1 December},
JOURNAL = {Science of Computer Programming},
VOLUME = {167},
PAGES = {51-69},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/scp-uncertainty.pdf},
ABSTRACT = {Adaptive systems are expected to adapt to unanticipated run-time events using imperfect information about themselves, their environment, and goals. This entails
handling the effects of uncertainties in decision-making, which are not always
considered as a first-class concern. This paper contributes a formal analysis technique that explicitly considers uncertainty in sensing when reasoning about the
best way to adapt, together with uncertainty reduction mechanisms to improve
system utility. We illustrate our approach on a Denial of Service (DoS) attack
scenario and present results that demonstrate the benefits of uncertainty-aware
decision-making in comparison to using an uncertainty-ignorant approach, both
in the presence and absence of uncertainty reduction mechanisms.},
KEYWORDS = {Formal Methods, Self-adaptation} }
|
34 |
@Article{2019:Camara:Synthesis,
AUTHOR = {C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley},
TITLE = {Synthesizing Tradeoff Spaces of Quantitative Guarantees for Families of Software Systems},
YEAR = {2019},
MONTH = {June},
JOURNAL = {Journal of Systems and Software},
VOLUME = {152},
PAGES = {33-49},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CGS-JSS19.pdf},
ABSTRACT = {Designing software in a way that guarantees run-time behavior while achieving an acceptable balance among multiple quality attributes is an open problem. Providing guarantees about the satisfaction of the same requirements under uncertain environments is even more challenging. Tools and techniques to inform engineers about poorly-understood design spaces in the presence of uncertainty are needed, so that engineers can explore the design space, especially when tradeoffs are crucial. To tackle this problem, we describe an approach that combines synthesis of spaces of system design alternatives from formal specifications of architectural styles with probabilistic formal verification. The main contribution of this paper is a formal framework for specification-driven synthesis and analysis of design spaces that provides formal guarantees about the correctness of system behaviors and satisfies quantitative properties (e.g., defined over system qualities) subject to uncertainty, which is treated as a first-class entity. We illustrate our approach in two case studies: a service-based adaptive system and a mobile robotics architecture. Our results show how the framework can provide useful insights into how average case probabilistic guarantees can differ from worst case guarantees, emphasizing the relevance of combining quantitative formal verification methods with structural synthesis, in contrast with techniques based on simulation and dynamic analysis that can only provide estimates about average case probabilistic properties.},
NOTE = {https://doi.org/10.1016/j.jss.2019.02.055},
KEYWORDS = {Architectural Analysis, Architectural Style, Assurance} }
|
35 |
@Article{2018/MOSAICO,
AUTHOR = {C\'{a}mara, Javier and Schmerl, Bradley and Moreno, Gabriel A. and Garlan, David},
TITLE = {MOSAICO: Offline Synthesis of Adaptation Strategy Repertoires with Flexible Trade-Offs},
YEAR = {2018},
MONTH = {September},
JOURNAL = {Automated Software Engineering},
VOLUME = {25},
NUMBER = {3},
PAGES = { 595â626},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CĂĄmara2018_Article_MOSAICOOfflineSynthesisOfAdapt.pdf},
ABSTRACT = {Self-adaptation improves the resilience of software-intensive systems, enabling them to adapt their structure and behavior to run-time changes
(e.g., in workload and resource availability). Many of these approaches reason
about the best way of adapting by synthesizing adaptation plans online via
planning or model checking tools. This method enables the exploration of a
rich solution space, but optimal solutions and other guarantees (e.g., constraint
satisfaction) are computationally costly, resulting in long planning times during which changes may invalidate plans. An alternative to online planning
involves selecting at run time the adaptation best suited to the current system
and environment conditions from among a predefined repertoire of adaptation
strategies that capture repair and optimization tasks. This method does not incur run-time overhead but requires additional effort from engineers, who have
to specify strategies and lack support to systematically assess their quality. In
this article, we present MOSAICO, an approach for offline synthesis of adaptation strategy repertoires that makes a novel use of discrete abstractions of the
state space to flexibly adapt extra-functional behavior in a scalable manner.
The approach supports making trade-offs: (i) among multiple extra-functional
concerns, and (ii) between computation time and adaptation quality (varying
abstraction resolution). Our results show a remarkable improvement on system qualities in contrast to manually-specified repertoires. More interestingly,
moderate increments in abstraction resolution can lead to pronounced quality improvements, whereas high resolutions yield only negligible improvement
over medium resolutions.},
NOTE = {Springer Link},
KEYWORDS = {Formal Methods, Planning, Rainbow, Self-adaptation} }
|
36 |
@Article{Mead:SEE:2018,
AUTHOR = {Mead, Nancy and Garlan, David and Shaw, Mary},
TITLE = {Half a Century of Software Engineering Education: The CMU Exemplar},
YEAR = {2018},
MONTH = {September},
JOURNAL = {IEEE Software, Special Issue on 50th Anniversary of Software Engineering},
VOLUME = {35},
NUMBER = {5},
PAGES = {25 -- 31},
URL = {https://ieeexplore.ieee.org/document/8409913},
ABSTRACT = {Now, more than ever, the software profession
needs rigorous software engineering
education based on enduring principles. This
must reach the increasing diversity of the
developer community and the diverse paths
the developer takes into the profession. },
NOTE = {Issue received the 2018 APEX Award of Excellence},
KEYWORDS = {Education, Software Engineering} }
|
37 |
@Article{2019:IEEESoftware:BRASS,
AUTHOR = {Aldrich, Jonathan and Garlan, David and K\"astner, Christian and Le Goues, Claire and Mohseni-Kabir, Anahita and Ruchkin, Ivan and Samuel, Selva and Schmerl, Bradley and Timperley, Christopher Steven and Veloso, Manuela and Voysey, Ian and Biswas, Joydeep and Guha, Arjun and Holtz, Jarrett and C\'{a}mara, Javier and Jamshidi, Pooyan},
TITLE = {Model-Based Adaptation for Robotics Software},
YEAR = {2019},
MONTH = {March},
JOURNAL = {IEEE Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/brass-mars-ieee-software2019.pdf},
ABSTRACT = {We have developed model-based adaptation, an approach that leverages models of software and its environment to enable automated adaptation. The goal of our approach is to build long-lasting mobile software systems that can effectively adapt to changes in their environment.},
KEYWORDS = {Self-adaptation} }
|
38 |
@Article{Bozhinoski:JSA:2019,
AUTHOR = {Bozhinoski, Darko and Garlan, David and Malavolta, Ivano and Pelliccione, Patrizio},
TITLE = {Managing safety and mission completion via collective run-time adaptation},
YEAR = {2019},
JOURNAL = {Journal of Systems Architecture},
VOLUME = {95},
PAGES = {19--35},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SYSARC1584_201902001602722101.pdf},
ABSTRACT = {Mobile Multi-Robot Systems (MMRSs) are an emerging class of systems that are composed of a team of robots, various devices (like movable cameras, sensors) which collaborate with each other to accomplish defined missions. Moreover, these systems must operate in dynamic and potentially uncontrollable and unknown environments that might compromise the safety of the system and the completion of the defined mission. A model of the environment describing, e.g., obstacles, no-fly zones, wind and weather conditions might be available, however, the assumption that such a model is both correct and complete is often wrong. In this paper, we describe an approach that supports execution of missions at run time. It addresses collective adaptation problems in a decentralized fashion, and enables the addition of new entities in the system at any time. Moreover, it is based on two adaptation resolution methods: one for (potentially partial) resolution of mission-related issues and one for full resolution of safety-related issues.},
KEYWORDS = {Self-adaptation} }
|
39 |
@Article{Adepu:ExpInd:2022,
AUTHOR = {Adepu, Sridhar and Li, Nianyu and Kang, Eunsuk and Garlan, David},
TITLE = {Modeling and Analysis of Explanation for Secure Industrial Control Systems},
YEAR = {2022},
MONTH = {July},
JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Explanation_for_Secure_Industrial_Control_System.pdf},
ABSTRACT = {Many self-adaptive systems benefit from human involvement and oversight, where a human operator can provide expertise not
available to the system and detect problems that the system is unaware of. One way of achieving this synergy is by placing the human
operator on the loop â i.e., providing supervisory oversight and intervening in the case of questionable adaptation decisions. To make
such interaction effective, an explanation can play an important role in allowing the human operator to understand why the system is
making certain decisions and improve the level of knowledge that the operator has about the system. This, in turn, may improve
the operatorâs capability to intervene and if necessarily, override the decisions being made by the system. However, explanations
may incur costs, in terms of delay in actions and the possibility that a human may make a bad judgement. Hence, it is not always
obvious whether an explanation will improve overall utility and, if so, what kind of explanation should be provided to the operator. In
this work, we define a formal framework for reasoning about explanations of adaptive system behaviors and the conditions under
which they are warranted. Specifically, we characterize explanations in terms of explanation content, effect, and cost. We then present a
dynamic system adaptation approach that leverages a probabilistic reasoning technique to determine when an explanation should be
used in order to improve overall system utility. We evaluate our explanation framework in the context of a realistic industrial control
system with adaptive behaviors.},
NOTE = {https://dl.acm.org/doi/10.1145/3557898},
KEYWORDS = {Explainable Software, Formal Methods, Self-adaptation} }
|
40 |
@Article{2019:Nabor:Microservice,
AUTHOR = {Mendon\c{c}a, Nabor C. and Jamshidi, Pooyan and Garlan, David and Pahl, Claus},
TITLE = {Developing Self-Adaptive Microservice Systems: Challenges and Directions},
YEAR = {2019},
MONTH = {26 November},
JOURNAL = {IEEE Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/1910.07660.pdf},
ABSTRACT = {A self-adaptive system can dynamically monitor and adapt its behavior to preserve or enhance its quality attributes under uncertain operating conditions. This article identifies key challenges for the development of microservice applications as self-adaptive systems, using a cloud-based intelligent video surveillance application as a motivating example. It also suggests potential new directions for addressing most of the identified challenges by leveraging existing microservice practices and technologies.},
KEYWORDS = {Self-adaptation} }
|
41 |
@Article{2021:ROSArch:JSS,
AUTHOR = {Malavolta, Ivano and Lewis, Grace A. and Schmerl, Bradley and Lago, Patricia and Garlan, David},
TITLE = {Mining Guidelines for Architecting Robotics Software},
YEAR = {2021},
MONTH = {August},
JOURNAL = {Journal of Systems and Software},
VOLUME = {178},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/JSS_ROS_2020.pdf},
ABSTRACT = {Context. The Robot Operating System (ROS) is the de-facto standard for robotics software.However, ROS-based systems are getting larger and more complex and could benefit from good software architecture practices.Goal. We aim at (i) unveiling the state-of-the-practice in terms of targeted quality attributes and architecture documentation in ROS-based systems, and (ii) providing empirically-grounded guidance to roboticists about how to properly architect ROS-based systems.Method. We designed and conducted an observational study where we (i) built a dataset of335 GitHub repositories containing real open-source ROS-based systems, and (ii) mined the repositories to extract and synthesize quantitative and qualitative findings about how roboticists are architecting ROS-based systems.Results. First, we extracted an empirically-grounded overview of the state of the practice for architecting and documenting ROS-based systems. Second, we synthesized a catalog of 47architecting guidelines for ROS-based systems. Third, the extracted guidelines were validated by119 roboticists working on real-world open-source ROS-based systems.Conclusions. Roboticists can use our architecting guidelines for applying good design principles to develop robots that meet quality requirements, and researchers can use our results as evidence-based indications about how real-world ROS systems are architected today, thus inspiring future research contributions},
NOTE = {https://doi.org/10.1016/j.jss.2021.110969},
KEYWORDS = {Software Architecture} }
|
42 |
@Article{2020:REACT-ION,
AUTHOR = {Pfannm\"{u}ller, Martin and Breitbach, Martin and Weckesser, Marcus and Becker, Christian and Schmerl, Bradley and Sch\"{u}rr, Andy and Krupitzer, Christian},
TITLE = {REACT-ION: A Model-based Runtime Environment for Situation-aware Adaptations},
YEAR = {2020},
MONTH = {December},
JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems},
VOLUME = {15},
NUMBER = {4},
PAGES = {1-29},
ABSTRACT = {Trends such as the Internet of Things lead to a growing number of networked devices and to a variety of communication systems. Adding self-adaptive capabilities to these communication systems is one approach to reducing administrative effort and coping with changing execution contexts. Existing frameworks can help reducing development effort but are neither tailored toward the use in communication systems nor easily usable without knowledge in self-adaptive systems development. Accordingly, in previous work, we proposed REACT, a reusable, model-based runtime environment to complement communication systems with adaptive behavior. REACT addresses heterogeneity and distribution aspects of such systems and reduces development effort. In this article, we propose REACT-IONâan extension of REACT for situation awareness. REACT-ION offers a context management module that is able to acquire, store, disseminate, and reason on context data. The context management module is the basis for (i) proactive adaptation with REACT-ION and (ii) self-improvement of the underlying feedback loop. REACT-ION can be used to optimize adaptation decisions at runtime based on the current situation. Therefore, it can cope with uncertainty and situations that were not foreseeable at design time. We show and evaluate in two case studies how REACT-IONâs situation awareness enables proactive adaptation and self-improvement.},
KEYWORDS = {Cyberphysical Systems, Self-adaptation, Self-awareness & Adaptation} }
|
43 |
@Article{Wohlrab2021negotiation,
AUTHOR = {Wohlrab, Rebekka and Garlan, David},
TITLE = {A Negotiation Support System for Defining Utility Functions for Multi-Stakeholder Self-Adaptive Systems},
YEAR = {2022},
JOURNAL = {Requirements Engineering},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/2021_Wohlrab_utility_negotiation_accepted.pdf},
ABSTRACT = {For realistic self-adaptive systems, multiple quality attributes need to be
considered and traded off against each other. These quality attributes are commonly encoded in a utility function, for instance, a weighted sum of relevant
objectives. Utility functions are typically subject to a set of constraints, i.e.,
hard requirements that should not be violated by the system. The research
agenda for requirements engineering for self-adaptive systems has raised the
need for decision-making techniques that consider the trade-offs and priorities of multiple objectives. Human stakeholders need to be engaged in the
decision-making process so that constraints and the relative importance of
each objective can be correctly elicited. This paper presents a method that
supports multiple stakeholders in eliciting constraints, prioritizing relevant
quality attributes, negotiating priorities, and giving input to define utility
functions for self-adaptive systems. We developed tool support in the form
of a blackboard system that aggregates information by different stakeholders,
detects conflicts, proposes mechanisms to reach an agreement, and generates
a utility function. We performed a think-aloud study with 14 participants to
investigate negotiation processes and assess the approachâs understandability
and user satisfaction. Our study sheds light on how humans reason about and
how they negotiate around quality attributes. The mechanisms for conflict detection and resolution were perceived as very useful. Overall, our approach was
found to make the process of utility function definition more understandable
and transparent.},
NOTE = {https://doi.org/10.1007/s00766-021-00368-y},
KEYWORDS = {Explainable Software, Self-adaptation} }
|
44 |
@Article{2022:SoSym:UIP,
AUTHOR = {C\'{a}mara, Javier and Troya, Javier and Vallecillo, Antonio and Bencomo, Nelly and Calinescu, Radu and Cheng, Betty H.C. and Garlan, David and Schmerl, Bradley},
TITLE = {The uncertainty interaction problem in self-adaptive systems},
YEAR = {2022},
MONTH = {August},
JOURNAL = {Software System and Modelling},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Sosym2022.pdf},
ABSTRACT = {The problem of mitigating uncertainty in self-adaptation has driven much of the research proposed in the area of software
engineering for self-adaptive systems in the last decade. Although many solutions have already been proposed, most of
them tend to tackle specific types, sources, and dimensions of uncertainty (e.g., in goals, resources, adaptation functions)
in isolation. A special concern are the aspects associated with uncertainty modeling in an integrated fashion. Different
uncertainties are rarely independent and often compound, affecting the satisfaction of goals and other system properties in
subtle and often unpredictable ways. Hence, there is still limited understanding about the specific ways in which uncertainties
from various sources interact and ultimately affect the properties of self-adaptive, software-intensive systems. In this SoSym
expert voice, we introduce the Uncertainty Interaction Problem as a way to better qualify the scope of the challenges with
respect to representing different types of uncertainty while capturing their interaction in models employed to reason about
self-adaptation. We contribute a characterization of the problem and discuss its relevance in the context of case studies taken
from two representative application domains. We posit that the Uncertainty Interaction Problem should drive future research
in software engineering for autonomous and self-adaptive systems, and therefore, contribute to evolving uncertainty modeling
towards holistic approaches that would enable the construction of more resilient self-adaptive systems.},
NOTE = {Expert Voice Paper (https://doi.org/10.1007/s10270-022-01037-6)},
KEYWORDS = {Self-adaptation, uncertainty} }
|
45 |
@Article{2022:JSS:ExpSAS,
AUTHOR = {Wohlrab, Rebekka and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley},
TITLE = {Explaining quality attribute tradeoffs in automated planning for self-adaptive systems},
YEAR = {2022},
MONTH = {October},
JOURNAL = {The Journal of Systems and Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/xplanqasas.pdf},
ABSTRACT = {Self-adaptive systems commonly operate in heterogeneous contexts and need to consider multiple quality attributes. Human stakeholders often express their quality preferences by defining utility func- tions, which are used by self-adaptive systems to automatically generate adaptation plans. However, the adaptation space of realistic systems is large and it is obscure how utility functions impact the generated adaptation behavior, as well as structural, behavioral, and quality constraints. Moreover, human stakeholders are often not aware of the underlying tradeoffs between quality attributes. To address this issue, we present an approach that uses machine learning techniques (dimensionality reduction, clustering, and decision tree learning) to explain the reasoning behind automated planning. Our approach focuses on the tradeoffs between quality attributes and how the choice of weights in utility functions results in different plans being generated. We help humans understand quality attribute tradeoffs, identify key decisions in adaptation behavior, and explore how differences in utility functions result in different adaptation alternatives. We present two systems to demonstrate the approachâs applicability and consider its potential application to 24 exemplar self-adaptive systems. Moreover, we describe our assessment of the tradeoff between the information reduction and the amount of explained variance retained by the results obtained with our approach.},
KEYWORDS = {Explainable Software, Planning, Self-adaptation} }
|
46 |
@Article{2022:JSS:Extra,
AUTHOR = {C\'{a}mara, Javier and Wohlrab, Rebekka and Garlan, David and Schmerl, Bradley},
TITLE = {ExTrA: Explaining architectural design tradeoff spaces via dimensionality reduction.},
YEAR = {2022},
MONTH = {December},
JOURNAL = {Journal of Systems and Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ExTrA__Explaining_Architectural_Design_Tradeoff_Spaces_via_Dimensionality_Reduction.pdf},
ABSTRACT = {In software design, guaranteeing the correctness of run-time system behavior while achieving an acceptable balance among multiple quality attributes remains a challenging problem. Moreover, providing guarantees about the satisfaction of those requirements when systems are subject to uncertain environments is even more challenging. While recent developments in architectural analysis techniques can assist architects in exploring the satisfaction of quantitative guarantees across the design space, existing approaches are still limited because they do not explicitly link design decisions to satisfaction of quality requirements. Furthermore, the amount of information they yield can be overwhelming to a human designer, making it difficult to see the forest for the trees. In this paper we present ExTrA (Explaining Tradeoffs of software Architecture design spaces), an approach to analyzing architectural design spaces that addresses these limitations and provides a basis for explaining design tradeoffs. Our approach employs dimensionality reduction techniques employed in machine learning pipelines like Principal Component Analysis (PCA) and Decision Tree Learning (DTL) to enable architects to understand how design decisions contribute to the satisfaction of extra-functional properties across the design space. Our results show feasibility of the approach in two case studies and evidence that combining complementary techniques like PCA and DTL is a viable approach to facilitate comprehension of tradeoffs in poorly-understood design spaces.},
NOTE = {https://doi.org/10.1016/j.jss.2022.111578},
KEYWORDS = {Architectural Analysis, Explainable Software} }
|
47 |
@Article{2023:FM:IEEE,
AUTHOR = {C\'{a}mara, Javier and Garlan, David},
TITLE = {A study on the impact of repetition of formative assessments in a formal methods course for professional software engineers},
YEAR = {2023},
JOURNAL = {IEEE Software},
ABSTRACT = {Although tests are traditionally used as mandatory summative assessments at
the end of the instruction period and their purpose is measuring how well a student has
learned a given subject, they can also play an important role in formative assessment
when they are employed as an instrument to aid in the acquisition and retention of
knowledge. This study evaluates the role of tests as weekly formative assessments and
investigates the impact of their repetition (i.e., administering the same test more than
once) on academic performance of students in a postgraduate formal methods course for
professional software engineers. Our hypothesis is that repetition in formative
assessments leads to increased academic performance, as well as to an improvement in
the effectiveness of gauging student progress. Based on an analysis of data from a
population of 194 students that took the course during the period 2013-2017, we report
results that point at the validity of our hypothesis.},
NOTE = {doi: 10.1109/MS.2023.3291400},
KEYWORDS = {Education, Formal Methods} }
|
48 |
@Article{IEEE:CaRE:2023,
AUTHOR = {Hossen, Md Abir and Kharade, Sonam and Schmerl, Bradley and C\'{a}mara, Javier and O\'Kane, Jason M. and Czaplinski, Ellen C. and Dzurilla, Katherine A. and Garlan, David and Jamshidi, Pooyan},
TITLE = {CaRE: Finding Root Causes of Configuration Issues in Highly-Configurable Robots},
YEAR = {2023},
MONTH = {May},
JOURNAL = {IEEE Robotics and Automation Letters},
PAGES = {1-8},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CaRE_Finding_Root_Causes_of_Configuration_Issues_in_Highly-Configurable_Robots.pdf},
ABSTRACT = {Robotic systems have subsystems with a combinatorially large configuration space and hundreds or thousands of possible software and hardware configuration options interacting non-trivially. The configurable parameters are set to target specific objectives, but they can cause functional faults when incorrectly configured. Finding the root cause of such faults is challenging due to the exponentially large configuration space and the dependencies between the robot's configuration settings and performance. This paper proposes CaRE âa method for diagnosing the root cause of functional faults through the lens of causality. CaRE abstracts the causal relationships between various configuration options and the robot's performance objectives by learning a causal structure and estimating the causal effects of options on robot performance indicators. We demonstrate CaRE 's efficacy by finding the root cause of the observed functional faults and validating the diagnosed root cause by conducting experiments in both physical robots ( Husky and Turtlebot 3 ) and in simulation ( Gazebo ). Furthermore, we demonstrate that the causal models learned from robots in simulation (e.g., Husky in Gazebo ) are transferable to physical robots across different platforms (e.g., Husky and Turtlebot 3 ).},
NOTE = {doi: 10.1109/LRA.2023.3280810} }
|
49 |
@Article{Camara:Expl:IEEESoftware:2024,
AUTHOR = {C\'{a}mara, Javier and Wohlrab, Rebekka and Garlan, David and Schmerl, Bradley},
TITLE = {Focusing on What Matters: Explaining Quality Tradeoffs in Software-Intensive Systems via Dimensionality Reduction},
YEAR = {2024},
MONTH = {January},
JOURNAL = {IEEE Software},
VOLUME = {41},
PAGES = {64-73},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IEEE_Software__Tradeoff_Focused_ExplanationsCamara_Expl_IEEESoftware_2024.pdf},
ABSTRACT = {Building and operating software-intensive systems often involves exploring decision spaces made up of large numbers of variables and complex relations among them. Understanding such spaces is often overwhelming to human decision makers, who have limited capacity to digest large amounts of information, making it difficult to distinguish the forest through the trees. In this article, we report on our experience in which we used dimensionality reduction techniques to enable decision makers in different domains (software architecture, smart manufacturing, automated planning for service robots) to focus on the elements of the decision space that explain most of the quality variation, filtering out noise, and thus reducing cognitive complexity.},
NOTE = {DOI: https://doi.ieeecomputersociety.org/10.1109/MS.2023.3320689},
KEYWORDS = {Explainable Software, Planning, Self-adaptation, Software Architecture} }
|
50 |
@Article{Sousa:2024:Security,
AUTHOR = {Sousa, Bruno and Dias, Duarte and Antunes, Nuno and C\'{a}mara, Javier and Wagner, Ryan and Schmerl, Bradley and Garlan, David and Fidalgo, Pedro},
TITLE = {MONDEO-Tactics5G: Multistage botnet detection and tactics for 5G/6G networks},
YEAR = {2024},
MONTH = {May},
JOURNAL = {Computers & Security},
VOLUME = {140},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MONDEO_AIDA.pdf},
ABSTRACT = {Mobile malware is a malicious code specifically designed to target mobile devices to perform multiple types of fraud. The number of attacks reported each day is increasing constantly and is causing an impact not only at the end-user level but also at the network operator level. Malware like FluBot contributes to identity theft and data loss but also enables remote Command & Control (C2) operations, which can instrument infected devices to conduct Distributed Denial of Service (DDoS) attacks. Current mobile device-installed solutions are not effective, as the end user can ignore security warnings or install malicious software. This article designs and evaluates MONDEO-Tactics5G - a multistage botnet detection mechanism that does not require software installation on end-user devices, together with tactics for 5G network operators to manage infected devices. We conducted an evaluation that demonstrates high accuracy in detecting FluBot malware, and in the different adaptation strategies to reduce the risk of DDoS while minimising the impact on the clients' satisfaction by avoiding disrupting established sessions.},
NOTE = {https://doi.org/10.1016/j.cose.2024.103768},
KEYWORDS = {Rainbow} }
|
51 |
@Article{Casimira:TAAS:2024,
AUTHOR = {Casimiro, Maria and Soares, Diogo and Garlan, David and Rodrigues, Luis and Romano, Paolo},
TITLE = {Self-Adapting Machine Learning-based Systems via a Probabilistic Model Checking Framework},
YEAR = {2024},
MONTH = {March},
JOURNAL = {ACM Transactions on Autonomous and Adaptive Systems},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS_TAAS_journal_extension_CR.pdf},
ABSTRACT = {This paper focuses on the problem of optimizing system utility of Machine-Learning (ML) based systems in the presence of ML mispredictions. This is achieved via the use of self-adaptive systems and through the execution of adaptation tactics, such as model retraining, which operate at the level of individual ML components.
To address this problem, we propose a probabilistic modeling framework that reasons about the cost/benefit trade-offs associated with adapting ML components. The key idea of the proposed approach is to decouple the problems of estimating (i) the expected performance improvement after adaptation and (ii) the impact of ML adaptation on overall system utility.
We apply the proposed framework to engineer a self-adaptive ML-based fraud-detection system, which we evaluate using a publicly-available, real fraud detection data-set. We initially consider a scenario in which information on modelâs quality is immediately available. Next we relax this assumption by integrating (and extending) state-of-the-art techniques for estimating modelâs quality in the proposed framework. We show that by predicting the system utility stemming from retraining a ML component, the probabilistic model checker can generate adaptation strategies that are significantly closer to the optimal, as compared against baselines such as periodic or reactive retraining.},
KEYWORDS = {Machine Learning, Model Checking, Self-adaptation} }
|
52 |
@Article{SPE:2024:Mendonca,
AUTHOR = {Aderaldo, Carlos and Costa, Thiago M. and Vasconcelos, Davi M. and Mendon\c{c}a, Nabor C. and C\'{a}mara, Javier and Garlan, David},
TITLE = {A Declarative Approach and Benchmark Tool for Controlled Evaluation of Microservice Resiliency Patterns},
YEAR = {2024},
MONTH = {August},
JOURNAL = {Software Practice and Experience},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/spe2023-resilence-bench-accepted.pdf},
ABSTRACT = {Microservice developers increasingly use resiliency patterns such as Retry and Circuit Breaker to cope with remote services that are likely to fail. However, there is still little research on how the invocation delays typically introduced by those resiliency patterns may impact application performance under varying workloads and failure scenarios. This paper presents a novel approach and benchmark tool for experimentally evaluating the performance impact of existing resiliency patterns in a controlled setting. The main novelty of this approach resides in the ability to declaratively specify and automatically generate multiple testing scenarios involving different resiliency patterns, which one can implement using any programming language and resilience library. The paper illustrates the benefits of the proposed approach and tool by reporting on an experimental study of the performance impact of the Retry and Circuit Breaker resiliency patterns in two mainstream programming languages (C# and Java) using two popular resilience libraries (Polly and Resilience4j), under multiple service workloads and failure rates. Our results show that, under low to moderate failure rates, both resiliency patterns effectively reduce the load over the applicationâs target service with barely any impact on the applicationâs performance. However, as the failure rate increases, both patterns significantly degrade the applicationâs performance, with their effect varying depending on the serviceâs workload and the patternsâ programming language and resilience library.},
KEYWORDS = {Resilience} }
|
|
|
1 |
@InProceedings{Fairbanks2006,
AUTHOR = {Fairbanks, George and Scherlis, William and Garlan, David},
TITLE = {Design Fragments Make Using Frameworks Easier},
YEAR = {2006},
MONTH = {22-27 October},
BOOKTITLE = {Proceedings of ACM SIGPLAN Conference on Object Oriented Programs, Systems, Languages, and Applications (OOPSLA) 2006},
ADDRESS = {Portland, OR, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/OOPSLA-06.pdf},
ABSTRACT = {Object oriented frameworks impose new burdens on programmers that libraries did not, such as requiring the programmer to understand the method callback sequence, respecting behavior constraints within these methods, and devising solutions within a constrained solution space. To overcome these burdens, we express the repeated patterns of engagement with the framework as a design fragment. We analyzed the 20 demo applets provided by Sun and created a representative catalog of design fragments of conventional best practice. By evaluating 36 applets pulled from the internet we show that these design fragments are common, many applets copied the structure of the Sun demos, and that creation of a catalog of design fragments is practical. Design fragments give programmers immediate benefit through tool-based conformance assurance and long-term benefit through expression of design intent.},
KEYWORDS = {Design Fragments, Design Patterns, Frameworks} }
|
2 |
@InProceedings{Fairbanks2006a,
AUTHOR = {Fairbanks, George and Bierhoff, Kevin and D'Souza, Desmond},
TITLE = {Software Architecture at a Large Financial Firm},
YEAR = {2006},
MONTH = {22-27 October},
BOOKTITLE = {Proceedings of ACM SIGPLAN Conference on Object Oriented Programs, Systems, Languages, and Applications (OOPSLA) 2006},
ADDRESS = {Portland, OR, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/oopsla06-exp.pdf},
ABSTRACT = {System builders have historically used informal software architecture models to understand options, make choices, and communicate with others. Research into software architecture over the past fifteen years has indicated that more precise architecture models may be beneficial. At a large financial firm, we applied precise software architecture techniques on four software projects and this experience has revealed a number of practical issues. We made the following observations across the projects: 1) Architecture models can be used to bridge gaps between business requirements and technology, 2) A small collection of techniques and a detail knob are practical and useful in a variety of projects, 3) Architecture modeling techniques amplify the skills of the architects, 4) A model of domain concepts and relationships is helpful when building architecture models, and 5) It is difficult to know when to stop adding detail to your architecture model. We believe that these observations motivate future research and can help practitioners make software architecture more effective in practice.},
KEYWORDS = {Software Architecture} }
|
3 |
@InProceedings{Kim2006,
AUTHOR = {Kim, Jung Soo and Garlan, David},
TITLE = {Analyzing Architectural Styles with Alloy},
YEAR = {2006},
MONTH = {17 July},
BOOKTITLE = {Workshop on the Role of Software Architecture for Testing and Analysis 2006 (ROSATEA 2006)},
ADDRESS = {Portland, ME, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/rosatea2006-final.pdf},
ABSTRACT = {The backbone of many architectures is an architectural style that provides a domain-specific design vocabulary and set of constraints on how that vocabulary can be used. Hence, designing a sound and appropriate architectural style becomes an important and intellectually challenging activity. Unfortunately, although there are numerous tools to help in the analysis of individual architectures, relatively less work has been done on tools to help the style designer. In this paper we show how to map an architectural style, expressed formally in an architectural description language, into a relational model that can be automatically checked for properties such as whether a style is consistent, whether a style satisfies some predicate over the architectural structure, whether two styles are compatible for composition, and whether one style refines another.},
KEYWORDS = {Acme, Formal Methods, Software Architecture} }
|
4 |
@InProceedings{Garlan2006,
AUTHOR = {Garlan, David and Schmerl, Bradley},
TITLE = {An Architecture for Personal Cognitive Assistance},
YEAR = {2006},
MONTH = {5-7 July},
BOOKTITLE = {18th International Conference on Software Engineering and Knowledge Engineering},
ADDRESS = {San Francisco Bay, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seke06.pdf},
ABSTRACT = {Current desktop environments provide weak support for carrying out complex user-oriented tasks. Although individual applications are becoming increasingly sophisticated and featurerich, users must map their high-level goals to the low-level operational vocabulary of applications, and deal with a myriad of routine tasks (such as keeping up with email, keeping calendars and web sites up-to-date, etc.). An alternative vision is that of a personal cognitive assistant. Like a good secretary, such an assistant would help users accomplish their high-level goals, coordinating the use of multiple applications, automatically handling routine tasks, and, most importantly, adapting to the individual needs of a user over time. In this paper we describe the architecture and its implementation for a personal cognitive assistant called RADAR. Key features include (a) extensibility through the use of a plug-in agent architecture (b) transparent integration with legacy applications and data of today?s desktop environments, and (c) extensive use of learning so that the environment adapts to the individual user over time.},
KEYWORDS = {Personal Assistance, RADAR, Software Architecture} }
|
5 |
@InProceedings{Sousa2005,
AUTHOR = {Sousa, Jo\~{a}o and Poladian, Vahe and Garlan, David and Schmerl, Bradley},
TITLE = {Capitalizing on Awareness of User Tasks for Guiding Adaptation.},
YEAR = {2005},
BOOKTITLE = {Proceedings of the First International Workshop on Adaptive and Self-managing Enterprise Applications, at CAISE'05},
ADDRESS = {Portugal},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/asmea05.pdf},
ABSTRACT = {Computers support more and more tasks in the personal and professional activities of users. Such user tasks increasingly span large periods of time and many locations across the enterprise space and beyond. Recently there has been a growing interest in developing applications that can cope with the specific environmental conditions at each location, and adapt to dynamic changes in system resources. However, in a given situation there may be many possible configuration solutions, and an awareness of the user's intent for each task is a critical element in knowing which one to pick. In this paper, we discuss the limitations of building such awareness into applications, and propose to factor the awareness of user tasks into a common software layer. That however, brings up the problem of coordinating the system-wide adaptation performed by such a layer with fine-grain adaptation performed by resource-aware applications. We summarize the main features of an architectural framework that incorporates such a layer, and distill some of the lessons learned in implementing the framework.},
KEYWORDS = {Aura, Autonomic Systems, Ubiquitous Computing} }
|
6 |
@InProceedings{Schmerl2005,
AUTHOR = {Schmerl, Bradley and Yan, Hong and Garlan, David},
TITLE = {DiscoTect: A System for Discovering Architectures from Running Systems (Demonstration)},
YEAR = {2005},
MONTH = {September},
BOOKTITLE = {Proceedings of the Joint European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering},
ADDRESS = {Lisbon, Portugal},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/discotect.pdf},
ABSTRACT = {One of the challenges for software architects is ensuring that an implemented system faithfully represents its architecture. We describe and demonstrate a tool, called DiscoTect, that addresses this challenge by dynamically monitoring a running system and deriving the software architecture as that system runs. The derivation process is based on mappings that relate low level system-level events to higher-level architectural events. The resulting architecture is then fed into existing architectural design tools so that comparisons can be conducted with the design time architecture and architectural analyses can be re-run to ensure that they are still valid. In addition to the demonstration, we briefly describe the mapping language and formal definition of the language in terms of Colored Petri Nets.},
KEYWORDS = {DiscoTect} }
|
7 |
@InProceedings{Antoun2005,
AUTHOR = {Abi-Antoun, Marwan and Aldrich, Jonathan and Garlan, David and Schmerl, Bradley and Nahas, Nagi and Tseng, Tony},
TITLE = {Software Architecture with Acme and ArchJava (Research Demonstration)},
YEAR = {2005},
MONTH = {May},
BOOKTITLE = {Proceedings of the 27th International Conference on Software Engineering},
ADDRESS = {St. Louis, MS},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/archjava-demo-icse05.pdf},
ABSTRACT = {We demonstrate a tool to incrementally synchronize an Acme architectural model described in the Acme Architectural Description Language (ADL) with an implementation in ArchJava, an extension of the Java programming language that includes explicit architectural modeling constructs.},
KEYWORDS = {Acme, ArchJava, Software Architecture} }
|
8 |
@InProceedings{Antoun2005a,
AUTHOR = {Abi-Antoun, Marwan and Aldrich, Jonathan and Garlan, David and Schmerl, Bradley and Nahas, Nagi and Tseng, Tony},
TITLE = {Improving System Dependability by Enforcing Architectural Intent},
YEAR = {2005},
MONTH = {May},
BOOKTITLE = {Proceedings of the 2005 Workshop on Architecting Dependable Systems (WADS 2005)},
ADDRESS = {St. Louis, MS},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/WADS05-2.pdf},
ABSTRACT = {Developing dependable software systems requires enforcing conformance between architecture and implementation during software development and evolution. We address this problem with a multi-pronged approach: (a) automated refinement of a component-and-connector (C&C) architectural view into an initial implementation, (b) enforcement of architectural structure at the programming language level, (c) automated abstraction of a C&C view from an implementation, and (d) semi-automated incremental synchronization between the architectural and the implementation C&C views.
We use an Architecture Description Language (ADL), Acme, to describe the architecture, and ArchJava, an implementation language which embeds a C&C architecture specification within Java implementation code. Although both Acme and ArchJava specify C&C views, a number of structural differences may arise. Our approach can detect structural differences which correspond directly to implementation-level violations of the well thoughtout architectural intent. Furthermore, supplementing the C&C view extracted from the implementation with architectural types and styles can uncover additional violations. },
KEYWORDS = {Acme, ArchJava, Software Architecture} }
|
9 |
@InProceedings{Poladian2005,
AUTHOR = {Poladian, Vahe and Sousa, Jo\~{a}o and Padberg, Frank and Shaw, Mary},
TITLE = {Anticipatory Configuration of Resource-aware Applications},
YEAR = {2005},
MONTH = {May},
BOOKTITLE = {Proceedings of the 7th International Workshop on Economics Driven Software Engineering Research, affiliated with the 27th International Conference on Software Engineering},
ADDRESS = {St. Louis, MS},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/edser7.pdf},
ABSTRACT = {We propose an improved approach to dynamic configuration of resource-aware applications. The new anticipatory model of configuration maximizes utility based on three inputs: user preferences, application capability profiles, and resource availability. In this respect, the proposed model is similar to a model of configuration described in [2]. However, the latter addresses the dynamic nature of the problem by reacting to changes (such as decrease in resource availability), and maximizes the utility in a point-wise manner. The newly proposed anticipatory approach explicitly models the duration of the task and leverages possible information about the future (such as stochastic resource availability over the expected duration of the task). We expect that the anticipatory model will improve user's utility, conserve scarce resources, and reduce the amount of disruption to the user resulting from changes when compared to the reactive model. However, the optimization problem underlying the anticipatory model is computationally more difficult than the problem underlying the reactive model. We would like to investigate if the anticipatory approach is feasible and efficient in practice while delivering the above-mentioned improvements. In this paper, we carefully state the model of anticipatory configuration, highlight the sources of complexity in the problem, propose an algorithm to the anticipatory configuration problem, and provide a roadmap for research.},
KEYWORDS = {Dynamic Configuration, Aura} }
|
10 |
@InProceedings{Garlan2005,
AUTHOR = {Garlan, David and Reinholtz, William K. and Schmerl, Bradley and Sherman, Nicholas and Tseng, Tony},
TITLE = {Bridging the Gap between Systems Design and Space Systems Software},
YEAR = {2005},
MONTH = {6-7 April},
BOOKTITLE = {Proceedings of the 29th Annual IEEE/NASA Software Engineering Workshop (SEW-29)},
ADDRESS = {Greenbelt, MD},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/sew-final.pdf},
ABSTRACT = {A challenging problem for software engineering practitioners is moving from high-level system architectures produced by system engineers to deployable software produced by software engineers. In this paper we describe our experience working with NASA engineers to develop an approach and toolset for automating the generation of space systems software from architectural specifications. Our experience shows that it is possible to leverage the space systems domain, formal architectural specifications, and component technology to provide retargetable code generators for this class of software.},
KEYWORDS = {Acme, Software Architecture} }
|
11 |
@InProceedings{Cheng2005,
AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley},
TITLE = {Making Self-Adaptation an Engineering Reality},
YEAR = {2005},
BOOKTITLE = {Proceedings of the Conference on Self-Star Properties in Complex Information Systems},
VOLUME = {3460},
EDITOR = {Babaoghu, Ozlap and Jelasity, Mark and Montroser, Alberto and Fetzer, Christof and Leonardi, Stefano and Van Moorsel, Aad},
SERIES = {LNCS},
PUBLISHER = {Springer-Verlag},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/self-star-2005.pdf},
ABSTRACT = {In this paper, we envision a world where a software engineer could take an existing software system, specify, for a set of properties of interest, an objective, conditions for change, and strategies for their adaptation and, within a few man weeks, make that system self-adaptive where it was not before. We describe how our approach generalizes to different classes of systems and holds promise for cost-effective, dynamic system self-adaptation to become an engineering reality.},
NOTE = {Also available from Springer-Verlag here},
KEYWORDS = {Autonomic Systems, Rainbow, Self-Repair} }
|
12 |
@InProceedings{Garlan2004a,
AUTHOR = {Garlan, David and Poladian, Vahe and Schmerl, Bradley and Sousa, Jo\~{a}o},
TITLE = {Task-based Self-adaptation},
YEAR = {2004},
MONTH = {31 October - 1 November},
BOOKTITLE = {Proceedings of the ACM SIGSOFT 2004 Workshop on Self-Managing Systems (WOSS'04)},
ADDRESS = {Newport Beach, CA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/woss04.pdf},
ABSTRACT = {Recently there has been increasing interest in developing systems that can adapt dynamically to cope with changing environmental conditions and unexpected system errors. Most efforts for achieving self-adaptation have focused on the mechanisms for detecting opportunities for improvement and then taking appropriate action. However, such mechanisms beg the question: what is the system trying to achieve? In a given situation there may be many possible adaptations, and knowing which one to pick is a difficult question. In this paper we advocate the use of explicit representation of user task as a critical element in addressing this missing link.},
KEYWORDS = {Autonomic Systems, Self-Repair} }
|
13 |
@InProceedings{Roshandel2004,
AUTHOR = {Roshandel, Roshanak and Schmerl, Bradley and Medvidovic, Nenad and Garlan, David},
TITLE = {Understanding Tradeoffs among Different Architectural Modelling Approaches},
YEAR = {2004},
MONTH = {11-14 June},
BOOKTITLE = {Proceedings of the 4th Working IEEE/IFIP Conference on Software Architectures (WICSA4)},
ADDRESS = {Oslo, Norway},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/wicsa4-roshandel.pdf},
ABSTRACT = {Over the past decade a number of architecture description languages (ADLs) have been proposed to facilitate modeling and analysis of software architecture. While each claims to have various benefits, to date there have been few studies to assess the relative merits of these approaches. In this paper we describe our experience using two ADLs to model a system initially described in UML, and compare their effectiveness in identifying system design flaws. We also describe the techniques we used for extracting architectural models from a UML system description.},
KEYWORDS = {Software Architecture} }
|
14 |
@InProceedings{Cheng2004,
AUTHOR = {Cheng, Shang-Wen and Huang, An-Cheng and Garlan, David and Schmerl, Bradley and Steenkiste, Peter},
TITLE = {An Architecture for Coordinating Multiple Self-Management Systems},
YEAR = {2004},
MONTH = {11-14 June},
BOOKTITLE = {Proceedings of the 4th Working IEEE/IFIP Conference on Software Architectures (WICSA4)},
ADDRESS = {Oslo, Norway},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/wicsa4-cheng.pdf},
ABSTRACT = {A common approach to adding self-management capabilities to a system is to provide one or more external control modules, whose responsibility is to monitor system behavior, and adapt the system at run time to achieve various goals (configure the system, improve performance, recover from faults, etc.). An important problem arises when there is more than one such self-management module: how can one make sure that they are composed to provide consistent and complementary benefits? In this paper we describe a solution that introduces a self-management coordination architecture and infrastructure to support such composition. We focus on the problem of coordinating self-configuring and self-healing capabilities, particularly with respect to global configuration and incremental repair. We illustrate the approach in the context of a self-managing video teleconference system that composes two pre-existing adaptation modules to achieve synergistic benefits of both.},
KEYWORDS = {Autonomic Systems, Coordination, Rainbow, Self-adaptation} }
|
15 |
@InProceedings{Poladian2004,
AUTHOR = {Poladian, Vahe and Sousa, Jo\~{a}o and Garlan, David and Shaw, Mary},
TITLE = {Dynamic Configuration of Resource-Aware Services},
YEAR = {2004},
MONTH = {23-28 May},
BOOKTITLE = { Proceedings of the 26th International Conference on Software Engineering},
ADDRESS = {Edinburgh, Scotland},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aura_icse04/aura_icse04.pdf},
ABSTRACT = {An important emerging requirement for computing systems is the ability to adapt at run time, taking advantage of local computing devices, and coping with dynamically changing resources. Three specific technical challenges in satisfying this requirement are to (1) select an appropriate set of applications or services to carry out a user s task, (2) allocate (possibly scarce) resources among those applications, and (3) reconfigure the applications or resource assignments if the situation changes. In this paper we show how to provide a shared infrastructure that automates configuration decisions given a specification of the user s task. The heart of the approach is an analytical model and an efficient algorithm that can be used at run time to make near-optimal (re)configuration decisions. We validate this approach both analytically and by applying it to a representative scenario.},
KEYWORDS = {Mult-fidelity Applications, Resource Allocation, Resource Aware Computing, Service Composition, Ubiquitous Computing} }
|
16 |
@InProceedings{Yan2004a,
AUTHOR = {Yan, Hong and Garlan, David and Schmerl, Bradley and Aldrich, Jonathan and Kazman, Rick},
TITLE = {DiscoTect: A System for Discovering Architectures from Running Systems},
YEAR = {2004},
MONTH = {23-28 May},
BOOKTITLE = {Proceedings of the 26th International Conference on Software Engineering},
ADDRESS = {Edinburgh, Scotland},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/icse04-discotect/discotect.pdf},
ABSTRACT = {One of the challenging problems for software developers is guaranteeing that a system as built is consistent with its architectural design. In this paper we describe a technique that uses run time observations about an executing system to construct an architectural view of the system. With this technique we develop mappings that exploit regularities in system implementation and architectural style. These mappings describe how low-level system events can be interpreted as more abstract architectural operations. We describe the current implementation of a tool that uses these mappings, and show that it can highlight inconsistencies between implementation and architecture.},
KEYWORDS = {DiscoTect, Software Architecture} }
|
17 |
@InProceedings{Schmerl2004,
AUTHOR = {Schmerl, Bradley and Garlan, David},
TITLE = {AcmeStudio: Supporting Style-Centered Architecture Development (Research Demonstration)},
YEAR = {2004},
MONTH = {23-28 May},
BOOKTITLE = {Proceedings of the 26th International Conference on Software Engineering},
ADDRESS = {Edinburgh, Scotland},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/icse04-acmestudio/acmestudio.pdf},
ABSTRACT = {Software architectural modeling is crucial to the development of high-quality software. Software engineering tool support is required for this activity, so that models can be developed, viewed, analyzed, and refined to implementations. This support needs to be provided in a flexible and extensible manner so that the tools can fit into a company s process and can use particular, perhaps company-defined, domain-specific architectural styles. Early architecture development environments were restricted to supporting particular architectural styles, and were not easy to tailor to other styles or domains. In this research demonstration, we describe AcmeStudio, a styleneutral architecture development environment that can (1) allow architects to tailor the environment for particular domains; (2) be used as a framework for integrating domain-specific architectural analyses; and (3) can be extended to integrate with other tools that are used in a company s software development process. We illustrate the main features of AcmeStudio and provide some insight into how we have tailored it to real-world domains specific to NASA and Ford Motor Company.},
KEYWORDS = {Acme, AcmeStudio, Software Architecture} }
|
18 |
@InProceedings{Fairbanks2004,
AUTHOR = {Fairbanks, George},
TITLE = {Software Engineering Environment Support for Frameworks: A Position Paper},
YEAR = {2004},
MONTH = {May},
BOOKTITLE = {Proceedings of the ICSE 2004 Workshop on Directions in Software Engineering Environments},
ADDRESS = {Edinburgh, Scotland},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/WoDSEE/paper.pdf},
ABSTRACT = {Modern software engineering environments provide programmers with contextual information on methods and classes in their software system. However, programmers increasingly encounter frameworks such as Microsoft Foundation Classes or Enterprise Java Beans whose required plug-in mechanisms cannot be adequately described with method or class documentation. The needs of programmers using frameworks are different from the needs when using libraries. Software engineering environments should be augmented with tools to aid programmers in understanding the demands of using frameworks.},
KEYWORDS = {Design Fragments} }
|
19 |
@InProceedings{Garlan2004b,
AUTHOR = {Garlan, David and Schmerl, Bradley},
TITLE = {Using Architectural Models at Runtime: Research Challenges},
YEAR = {2004},
MONTH = {May},
BOOKTITLE = {Proceedings of the European Workshop on Software Architectures},
ADDRESS = {St. Andrews, Scotland},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/EWSA/paper-final.pdf},
ABSTRACT = {One crucial aspect of high quality software engineering is the development of a welldefined software architectural model. Despite advances in using software architectural models to clarify system design, there remains the problem of determining whether the system as implemented has the architecture as designed? One approach is to to this is to monitor the running system and translate observed events to events that construct and update an architectural model that reflects the actual running system. One can then compare this dynamically-determined model to the correct architectural model. Discrepancies can be used to flag implementation errors, or, possibly, to effect run-time adaptations to correct certain kinds of flaws.At Carnegie Mellon University, our research group has been investigating the use of system monitoring and reflection using architectural models. In the process of exploring this area we have identified a number of significant research challenges. In this paper we outline our experience, and use that as a way to lay out an agenda for architecture-based approaches to system monitoring and system self-repair.},
KEYWORDS = {Autonomic Systems, Dynamic Configuration, Self-Repair, Software Architecture} }
|
20 |
@InProceedings{Steppe2004,
AUTHOR = {Steppe, Kevin and Garlan, David and Bylenok, Greg and Schmerl, Bradley and Shevchenko, Nataliya},
TITLE = {Tool Support for Model Based Architectural Design for Automotive Control Systems},
YEAR = {2004},
MONTH = {17-19 March},
BOOKTITLE = {First European Workshop on Model Driven Architecture with Emphasis on Industrial Application},
ADDRESS = {Enschede, The Netherlands},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/MDAEIA2004/MDAEIA2004.pdf},
ABSTRACT = {In conjunction with Ford Motor Company, we built a tool to support multilevel architectural design. The tool, called Synergy, allows Ford to visually design architectures of vehicle control components. The components are imported from existing Simulink models; then the tool automatically generates a detailed view showing all required connections and ports. The resulting model is exported to Simulink for further analysis. In this paper we describe the conceptual and technical challenges encountered in building Synergy and our design choices for solving them.},
KEYWORDS = {Acme, Software Architecture} }
|
21 |
@InProceedings{Steppe2004a,
AUTHOR = {Steppe, Kevin and Bylenok, Greg and Garlan, David and Schmerl, Bradley and Abirov, Kanat and Shevchenko, Nataliya},
TITLE = {Two-tiered Architectural Design for Automotive Control Systems: An Experience Report},
YEAR = {2004},
MONTH = {10-12 January},
BOOKTITLE = {Automotive Software Workshop on Future Generation Software Architectures in the Automotive Domain},
ADDRESS = {San Diego, CA},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/ASW04/ASW04.pdf},
ABSTRACT = {An attractive approach to architecture-based design is to structure the development process into two tiers. The top tier represents the abstract design (or architecture) of a system in terms of abstract components. The bottom tier refines that design by making specific implementation decisions, such as platform, middleware, and component implementations. While attractive in principle, there has been relatively little industrial-based experience to shed light on problems and solutions involved in such an approach. In this paper we describe our experience in developing tools to introduce a two-tiered model-based approach to the design of Ford Motor Company s automotive control systems, highlighting the principle challenges, and evaluating the effectiveness of our solutions for them.},
NOTE = {(Workshop Proceedings)},
KEYWORDS = {Acme, Software Architecture} }
|
22 |
@InProceedings{Poladian2003,
AUTHOR = {Kumar, Rajnish and Poladian, Vahe and Greenberg, Ira and Messer, Alan and Milojicic, Dejan},
TITLE = {Selecting Devices for Aggregation},
YEAR = {2003},
BOOKTITLE = {Proceedings of the 5th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 2003)},
ABSTRACT = {As intelligent devices become affordable and wireless infrastructure becomes pervasive, the potential to combine, or aggregate, device functionality to provide a user with a better experience grows. Often, there will be multiple devices providing similar functionality that the user will have to choose from for the aggregation. This paper presents the design and prototype implementation of a system for automatic selection of devices for aggregation in a dynamic environment. It allows a user to express trade-offs between the quality of device attributes, user distraction, and aggregation stability. This approach enables a user to have a richer experience without having to constantly worry about the device and the environment details.},
KEYWORDS = {Resource Aware Computing, Service Composition} }
|
23 |
@InProceedings{Poladian2003a,
AUTHOR = {Poladian, Vahe and Butler, Shawn and Shaw, Mary and Garlan, David},
TITLE = {Time is Not Money: The case for multi-dimensional accounting in value-based software engineering},
YEAR = {2003},
MONTH = {May},
BOOKTITLE = {Fifth Workshop on Economics-Driven Software Engineering Research (EDSER-5)},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/EDSER5/paper.pdf},
ABSTRACT = {'Time is money', or so goes the old saying. Perhaps influenced by this aphorism, some strategies for incorporating costs in the analysis of software design express all costs in currency units for reasons of simplicity and tractability. Indeed, in theoretical economics all costs can, in principle, be expressed in dollars. Software engineering problems, however, often present situations in which converting all costs to a common currency is problematical. In this paper we pinpoint some of these situations and the underlying causes of the problems, and we argue that it is often better to treat costs as a multidimensional value, with dimensions corresponding to distinct types of resources. We go on to highlight the differences among cost dimensions that need to be considered when developing cost-benefit analyses, and we suggest mechanisms for mediating among heterogeneous cost dimensions.},
KEYWORDS = {Mult-fidelity Applications, Resource Allocation, Resource Aware Computing} }
|
24 |
@InProceedings{Kim2003,
AUTHOR = {Garlan, David and Khersonsky, Serge and Kim, Jung Soo},
TITLE = {Model Checking Publish-Subscribe Systems},
YEAR = {2003},
MONTH = {May},
BOOKTITLE = {Proceedings of The 10th International SPIN Workshop on Model Checking of Software (SPIN 03)},
ADDRESS = {Portland, OR},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/SPIN03/SPIN03.pdf},
ABSTRACT = {While publish-subscribe systems have good engineering properties, they are difficult to reason about and to test. Model checking such systems is an attractive alternative. However, in practice coming up with an appropriate state model for a pub-sub system can be a difficult and error-prone task. In this paper we address this problem by describing a generic pub-sub model checking framework. The key feature of this framework is a reusable, parameterized state machine model that captures pub-sub runtime event management and dispatch policy. Generation of models for specific pub-sub systems is then handled by a translation tool that accepts as input a set of pub-sub component descriptions together with a set of pub-sub properties, and maps them into the framework where they can be checked using off-the-shelf model checking tools.},
KEYWORDS = {Model Checking, Publish Subscribe Systems} }
|
25 |
@InProceedings{Fairbanks2003,
AUTHOR = {Fairbanks, George},
TITLE = {Why Can't They Create Architecture Models Like Developer X? An Experience Report},
YEAR = {2003},
MONTH = {3-10 May},
BOOKTITLE = {The 2003 International Conference on Software Engineering (ICSE'03)},
ADDRESS = {Portland, OR},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/exp02/paper.pdf},
ABSTRACT = {A large financial company, struggling with legacy systems that did not interoperate, performed a pilot project to teach software architecture to an enthusiastic application development team. Experienced mentors, including the author, worked with the application team for seven months who completed their engineering goal successfully. However, the mentors were unsuccessful in their attempt to train any of the six members of application team to create architecture models on their own, though they were able to create them collaboratively with the mentors. This surprising result is due to the application team's strong preference for concrete artifacts over abstract ones. Even more surprising, an application developer from a different project, 'Developer X', read the architecture modeling documentation on an internal website and, without mentoring, created good architecture models within a few days. In light of this failure to teach software architecture, two short-term strategies are suggested for the use of software architecture in companies and long-term strategies are discussed.},
KEYWORDS = {Software Architecture} }
|
26 |
@InProceedings{Spitznagel2003,
AUTHOR = {Spitznagel, Bridget and Garlan, David},
TITLE = {A Compositional Formalization of Connector Wrappers},
YEAR = {2003},
BOOKTITLE = {The 2003 International Conference on Software Engineering (ICSE'03)},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/connwrap/connwrap.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/connwrap/connwrap.ps},
ABSTRACT = {Increasingly systems are composed of parts: software components, and the interaction mechanisms (connectors) that enable them to communicate. When assembling systems from independently developed and potentially mismatched parts, wrappers may be used to overcome mismatch as well as to remedy extra-functional deficiencies. Unfortunately the current practice of wrapper creation and use is ad hoc, resulting in artifacts that are often hard to reuse or compose, and whose impact is difficult to analyze. What is needed is a more principled basis for creating, understanding, and applying wrappers. Focusing on the class of connector wrappers (wrappers that address issues related to communication and compatibility), we present a means of characterizing connector wrappers as protocol transformations, modularizing them, and reasoning about their properties. Examples are drawn from commonly practiced dependability enhancing techniques.},
KEYWORDS = {Software Architecture} }
|
27 |
@InProceedings{Garlan2002,
AUTHOR = {Garlan, David and Schmerl, Bradley},
TITLE = {Model-based Adaptation for Self-Healing Systems},
YEAR = {2002},
MONTH = {18-19 November},
BOOKTITLE = {ACM SIGSOFT Workshop on Self-Healing Systems (WOSS'02),},
ADDRESS = {Charleston, SC},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/WOSS02/paper-submitted.pdf},
ABSTRACT = {Traditional mechanisms that allow a system to detect and recover from errors are typically wired into applications at the level of code where they are hard to change, reuse, or analyze. An alterna-tive approach is to use externalized adaptation: one or more mod-els of a system are maintained at run time and external to the ap-plication as a basis for identifying problems and resolving them. In this paper we provide an overview of recent research in which we use architectural models as the basis for such problem diagno-sis and repair. These models can be specialized to the particular style of the system, the quality of interest, and the dimensions of run time adaptation that are permitted by the running system.},
KEYWORDS = {Autonomic Systems, Self-Repair, Software Architecture} }
|
28 |
@InProceedings{Dingel2002,
AUTHOR = {Dingel, Juergen and Garlan, David and Damon, Craig},
TITLE = {Bridging the HLA: Problems and Solutions},
YEAR = {2002},
MONTH = {11-13 October},
BOOKTITLE = {Sixth IEEE International Workshop on Distributed Simulation and Real Time Applications (DS-RT '02)},
ADDRESS = {Fort Worth, TX},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/dsrt02/dsrt-distrib.pdf},
ABSTRACT = {The High-Level Architecture (HLA) provides a common architecture for distributed modeling and simulation. In its original form, the HLA allows a number of simulations to be joined together into a federation using a single run time infrastructure. Recently there has been an interest in joining multiple such federations together using a mediating unit, called an HLA },
KEYWORDS = {Formal Methods, Software Architecture} }
|
29 |
@InProceedings{Cheng2002,
AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley and Steenkiste, Peter and Hu, Ningning},
TITLE = {Software Architecture-based Adaptation for Grid Computing},
YEAR = {2002},
MONTH = {July},
BOOKTITLE = {The 11th IEEE Conference on High Performance Distributed Computing (HPDC},
ADDRESS = {Edinburgh, Scotland},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hpdc02/hpdc02.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hpdc02/hpdc02.ps},
ABSTRACT = {Grid applications must increasingly self-adapt dynamically to changing environments. In most cases, adaptation has been implemented in an ad hoc fashion, on a perapplication basis. This paper describes work which generalizes adaptation so that it can be used across applications by providing an adaptation framework. This framework uses a software architectural model of the system to analyze whether the application requires adaptation, and allows repairs to be written in the context of the architectural model and propagated to the running system. In this paper, we exemplify our framework by applying it to the domain of load-balancing a client-server system. We report on an experiment conducted using our framework, which illustrates that this approach maintains architectural requirements.},
KEYWORDS = {Autonomic Systems, Self-Repair, Software Architecture} }
|
30 |
@InProceedings{Poladian2002,
AUTHOR = {Poladian, Vahe and Garlan, David and Shaw, Mary},
TITLE = {Selection and Configuration in Mobile Environments: A Utility-Based Approach},
YEAR = {2002},
MONTH = {May},
BOOKTITLE = {Fourth Workshop on Economics-Driven Software Engineering Research (EDSER-4)},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/EDSER4/EDSER.pdf},
ABSTRACT = {Users of low-power mobile computing platforms make ad hoc decisions when choosing software components among alternatives and configuring those components. We propose applying utility-theoretic models, which can help determine optimal allocation of scarce resources to applications given the user's utility and application resource usage. We believe that taking into consideration resource consumption and applying microeconomic models has the potential of improving the user's satisfaction with the system. In this paper, we formulate the problem, demonstrate the use of a microeconomics-based model on a simple version of the problem, and list possible solutions. Further, we identify issues typical of mobile environments that are not addressed by existing research, and propose ways of tackling these issues.} }
|
31 |
@InProceedings{Schmerl2002,
AUTHOR = {Schmerl, Bradley and Garlan, David},
TITLE = {Exploiting Architectural Design Knowledge to Support Self-repairing Systems},
YEAR = {2002},
MONTH = {15-19 July},
BOOKTITLE = {The 14th International Conference on Software Engineering and Knowledge Engineering},
ADDRESS = {Ischia, Italy},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/seke02/paper.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/seke02/paper.ps},
ABSTRACT = {In an increasing number of domains software is now required to be self-adapting and self-healing. While in the past such abilities were incorporated into software on a per system basis, proliferation of such systems calls for more generalized mechanisms to manage dynamic adaptation. General mechanisms have the advantage that they can be reused in numerous systems, analyzed separately from the system being adapted, and easily changed to incorporate new adaptations. Moreover, they provide a natural home for encoding the expertise of system designers and implementers about adaptation strategies and policies. In this paper, we show how architecture description languages and tools can be extended to provide such generalized dynamic adaptation mechanisms.},
KEYWORDS = {AcmeStudio, Self-Repair, Software Architecture} }
|
32 |
@InProceedings{Cheng2002a,
AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley and Sousa, Jo\~{a}o and Spitznagel, Bridget and Steenkiste, Peter},
TITLE = {Using Architectural Style as a Basis for Self-repair},
YEAR = {2002},
MONTH = {25-31 August},
BOOKTITLE = {Software Architecture: System Design, Development, and Maintenance (Proceedings of the 3rd Working IEEE/IFIP Conference on Software Architecture)},
PAGES = {45-59},
EDITOR = {Bosch, Jan and Gentleman, Morven and Hofmeister, Christine and Kuusela, Juha},
PUBLISHER = {Kluwer Academic Publishers},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wicsa3-arch/WICSA-web.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp//wicsa3-arch/WICSA-web.ps},
ABSTRACT = {An increasingly important requirement for software systems is the capability to adapt at run time in order to accommodate varying resources, system errors, and changing requirements. For such self-repairing systems, one of the hard problems is determining when a change is needed, and knowing what kind of adaptation is required. Recently several researchers have explored the possibility of using architectural models as a basis for run time monitoring, error detection, and repair. Each of these efforts, however, has demonstrated the feasibility of using architectural models in the context of a specific style. In this paper we show how to generalize these solutions by making architectural style a parameter in the monitoring/repair framework and its supporting infrastructure. The value of this generalization is that it allows one to tailor monitoring/ repair mechanisms to match both the properties of interest (such as performance or security), and the available operators for run time adaptation.},
KEYWORDS = {Architectural Analysis, Autonomic Systems, Self-Repair, Software Architecture} }
|
33 |
@InProceedings{Sousa2002,
AUTHOR = {Sousa, Jo\~{a}o and Garlan, David},
TITLE = {Aura: an Architectural Framework for User Mobility in Ubiquitous Computing Environments},
YEAR = {2002},
MONTH = {25-31 August},
BOOKTITLE = {Software Architecture: System Design, Development, and Maintenance (Proceedings of the 3rd Working IEEE/IFIP Conference on Software Architecture)},
PAGES = {29-43},
EDITOR = {Bosch, Jan and Gentleman, Morven and Hofmeister, Christine and Kuusela, Juha},
PUBLISHER = {Kluwer Academic Publishers},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wicsa3-aura/wicsa.pdf},
ABSTRACT = {Ubiquitous computing poses a number of challenges for software architecture. One of the most important is the ability to design software systems that accommodate dynamically-changing resources. Resource variability arises naturally in a ubiquitous computing setting through user mobility (a user moves from one computing environment to another), and through the need to exploit time-varying resources in a given environment (such as wireless bandwidth). Traditional approaches to handling resource variability in applications attempt to address the problem by imposing uniformity on the environment. We argue that those approaches are inadequate, and describe an alternative architectural framework that is better matched to the needs of ubiquitous computing. A key feature of the architecture is that user tasks become first class entities. User proxies, or Auras, use models of user tasks to set up, monitor and adapt computing environments proactively. The architectural framework has been implemented and currently being used as a central component of Project Aura, a campus-wide ubiquitous computing effort.},
KEYWORDS = {Aura, Software Architecture, Ubiquitous Computing} }
|
34 |
@InProceedings{Cheng2002b,
AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley and Sousa, Jo\~{a}o and Spitznagel, Bridget and Steenkiste, Peter and Hu, Ningning},
TITLE = {Software Architecture-based Adaptation for Pervasive Systems},
YEAR = {2002},
MONTH = {8-11 April},
BOOKTITLE = {International Conference on Architecture of Computing Systems (ARCS'02): Trends in Network and Pervasive Computing},
VOLUME = {2299},
EDITOR = {Schmeck, H and Ungerer, T and Wolf, L},
SERIES = {Lecture Notes in Computer Science},
ADDRESS = {Karlsruhe, Germany},
PUBLISHER = {Springer-Verlag},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/arch-arcs02/arcs-final.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/arch-arcs02/arcs-final.ps},
ABSTRACT = { An important requirement for pervasive computing systems is the ability to adapt at runtime to handle varying resources, user mobility, changing user needs, and system faults. In this paper we describe an approach in which dynamic adaptation is supported by the use of software architectural models to monitor an application and guide dynamic changes to it. The use of externalized models permits one to make reconfiguration decisions based on a global per-spective of the running system, apply analytic models to determine correct re-pair strategies, and gauge the effectiveness of repair through continuous system monitoring. We illustrate the application of this idea to pervasive computing systems, focusing on the need to adapt based on performance-related criteria and models.},
KEYWORDS = {Software Architecture, Ubiquitous Computing} }
|
35 |
@InProceedings{Garlan2001,
AUTHOR = {Garlan, David and Schmerl, Bradley and Chang, Jichuan},
TITLE = {Using Gauges for Architecture-Based Monitoring and Adaptation},
YEAR = {2001},
MONTH = {12-14 December},
BOOKTITLE = {Proceedings of the Working Conference on Complex and Dynamic Systems Architecture},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/cdsa01/cdsa.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/cdsa01/cdsa.ps},
ABSTRACT = {An increasingly important requirement for complex systems is the capability to adapt at runtime in order to accommodate variable resources, system errors, and changing requirements. An essential aspect of adaptation is the ability to observe a system's runtime behavior and interpret those observations in terms that permit a high-level understanding of the system's status. In this paper we describe mechanisms for monitoring a running system, interpreting monitored data in terms of the system's architecture, and analyzing the system architecture to ascertain if the system's runtime behavior fits within the envelope of acceptable behavior. We illustrate the use of these mechanisms for the important special case of system performance monitoring. },
KEYWORDS = {Self-Repair, Software Architecture} }
|
36 |
@InProceedings{Spitznagel2001,
AUTHOR = {Spitznagel, Bridget and Garlan, David},
TITLE = {A Compositional Approach for Constructing Connectors},
YEAR = {2001},
MONTH = {28-31 August},
BOOKTITLE = {The Working IEEE/IFIP Conference on Software Architecture (WICSA'01)},
ADDRESS = {Amsterdam, The Netherlands},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wicsa01/wicsa_paper.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wicsa01/wicsa_paper.ps},
ABSTRACT = {Increasingly, systems are composed from independently developed parts, and mechanisms that allow those parts to interact (connectors). In many situations, specialized forms of interaction are needed to bridge component mismatches or to achieve extra-functional properties (e.g., security, performance, reliability), making the design and implementation of these interaction mechanisms a critical issue. Unfortunately, system developers have few options: they must live with available, but often inadequate, generic support for interaction (such as RPC), or they must handcraft specialized mechanisms at great cost. In this paper we describe a partial solution to this problem, whereby interaction mechanisms are constructed compositionally. Specifically, we describe a set of operators that can transform generic communication mechanisms (such as RPC and publish-subscribe) to incrementally add new capabilities. We show how these transformations can be used to realize complex interactions (such as Kerberized RPC) and to generate implementations of the new connector types at relatively low cost. },
KEYWORDS = {Software Architecture} }
|
37 |
@InProceedings{Cheng2001,
AUTHOR = {Cheng, Shang-Wen and Garlan, David},
TITLE = {Mapping Architectural Concepts to UML-RT},
YEAR = {2001},
MONTH = {June},
BOOKTITLE = {Proceedings of the 2001 International Conference on Parallel and Distributed Processing Techniques and Applications (PDPTA'2001)},
ADDRESS = {Las Vegas, NV},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/pdpta01/pdpta01.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/pdpta01/pdpta01.ps},
ABSTRACT = {Complex software systems require expressive notations for representing their software architectures. Two competing paths have emerged, one using a specialized notation for architecture - or architecture description language (ADL), the other using notations applied generally throughout design, such as UML. The latter has a number of benefits, including familiarity to developers, close mappings to implementations, and commercial tool support. However, it remains an open question how best to use object-oriented notations for architectural description and whether they are sufficiently expressive as currently defined. In this paper, we present a mapping between Acmea notation designed for expressing architectures - and the UML Real-Time Profile - an object-oriented design notation. Specifically, we describe (a) how to map Acme descriptions to descriptions in the UML Real-Time Profile, and (b)the places where this mapping breaks down. },
KEYWORDS = {Software Architecture, UML} }
|
38 |
@InProceedings{Garlan2001a,
AUTHOR = {Garlan, David and Schmerl, Bradley},
TITLE = {Component-Based Software Engineering in a Pervasive Computing Environment},
YEAR = {2001},
MONTH = {14-15 May},
BOOKTITLE = {The 4th ICSE Workshop on Component-Based Software Engineering: Component Certification and System Prediction},
ADDRESS = {Toronto, Canada},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/cbse01/cbse01-submission.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/cbse01/cbse01-submission.ps},
ABSTRACT = {Being able to find, adapt, and incorporate disparate components to form working, reliable applications is the goal of component-based software engineering. To date, there has been a lot of research, among other things, on locating components, reasoning about component compatibility, and methods for interoperability. Pervasive computing raises a number of new challenges for component-based software engineering that heretofore have been given little attention, such as mobility, adaptability, and resource awareness. In this paper we motivate and discuss the need for research in these areas, and discuss how our work in the Aura group at Carnegie Mellon University helps to address these issues. },
KEYWORDS = {Aura, Software Architecture, Ubiquitous Computing} }
|
39 |
@InProceedings{Kaplan2000,
AUTHOR = {Kaplan, Alan and Ridgeway, John and Schmerl, Bradley and Sridar, Krishnan and Wileden, Jack},
TITLE = {Toward Pure Polylingual Persistence},
YEAR = {2000},
MONTH = {September},
BOOKTITLE = {Ninth International Workshop on Persistent Object Systems: Design, Implementation and Use (POS9)},
ADDRESS = {Lillehammer, Norway} }
|
40 |
@InProceedings{Schmerl1997a,
AUTHOR = {Schmerl, Bradley and Marlin, Chris},
TITLE = {Versioning and Consistency for Dynamically Composed Configurations},
YEAR = {1997},
MONTH = {May},
BOOKTITLE = {The 7th International Workshop on Software Configuration Management},
VOLUME = {1235},
PAGES = {49-65},
SERIES = {Lecture Notes in Computer Science},
ADDRESS = {Boston, MA},
PUBLISHER = {Springer, Berlin},
ABSTRACT = {Dynamically composed software systems are constructed as they execute. Although these systems are of increasing importance and arise in a number of application areas, configuration management tools do not provide much support for them. This paper presents progress towards providing enhanced configuration management techniques for dynamically composed systems. The paper commences with an example of dynamically composed systems, which is used to motivate the relevance of dynamically composed systems, and to highlight various design issues and requirements for configuration management in this domain. A model, and its associated notation DCDL, is then presented to describe particular aspects of the example. This model seamlessly integrates the notions of consistency, specified in terms of complete configurations, and version families, which are relevant to the incomplete configurations of crucial importance in understanding configurations of dynamically composed systems. DCDL is then used to provide insight into the requirements for configuration management tools for dynamically composed systems.} }
|
41 |
@InProceedings{Schmerl1996a,
AUTHOR = {Schmerl, Bradley and Marlin, Chris},
TITLE = {Consistency issues in partially bound dynamically composed systems},
YEAR = {1996},
MONTH = {June},
BOOKTITLE = {Proceedings of the 1996 Australian Software Engineering Conference},
PAGES = {183-191},
ADDRESS = {Melbourne, Australia},
PDF = {http://www.cs.cmu.edu/~schmerl/publications/schmerl96consistency,pdf},
ABSTRACT = {Dynamically composed systems are able to incorporate new components as they execute. Therefore, configurations of these systems are not fully elaborated until at least the time that they are executed, and they are perhaps never fully elaborated. Such incomplete configurations are termed partially bound configurations. Although partially bound, it is still important to be able to analyse these configurations to ascertain whether they meet certain assumptions about their composition. We are endevouring to provide such support for the construction of dynamically composed systems through the application of configuration management concepts. One way in which these concepts can be applied in this domain is to explicitly state such assumptions and hence be able to validate partially bound configurations against these assumptions; in this way, inconsistencies can be reported as soon as they arise. This paper disucsses the issues involved in providing this kind of consistency mechanism for dynamically composed systems.} }
|
42 |
@InProceedings{Schmerl1996b,
AUTHOR = {Schmerl, Bradley and Marlin, Chris},
TITLE = {Defining consistency in the context of partially bound configurations of dynamically composed systems},
YEAR = {1996},
MONTH = {March},
BOOKTITLE = {6th International Workshop on Software Configuration Management - Preprint of Proceedings},
ADDRESS = {Berlin, Germany} }
|
43 |
@InProceedings{Schmerl1995,
AUTHOR = {Schmerl, Bradley and Marlin, Chris},
TITLE = {Configuration management for dynamically bound systems},
YEAR = {1995},
MONTH = {April},
BOOKTITLE = {Proceedings of the 5th Workshop on Software Configuration Management},
ADDRESS = {Seattle, WA} }
|
44 |
@InProceedings{Glastonbury1997,
AUTHOR = {Glastonbury, Dan and Marlin, Chris and Read, Michael and Schmerl, Bradley},
TITLE = {Run-time views as a debugging aid in an integrated software development environment},
YEAR = {1997},
MONTH = {December},
BOOKTITLE = {1997 Software Visualisation Workshop},
PAGES = {51-59},
ADDRESS = {Adelaide, South Australia},
PUBLISHER = {Flinders University, South Australia} }
|
45 |
@InProceedings{Garlan1999,
AUTHOR = {Garlan, David and Wang, Zhenyu},
TITLE = {A Case Study in Software Architecture Interchange},
YEAR = {1999},
BOOKTITLE = {Proceedings of Coordination'99},
PUBLISHER = {Springer-Verlag},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/www/publications/acme-wr2rap/acme-wr2rap.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/www/publications/acme-wr2rap/acme-wr2rap.ps},
ABSTRACT = {An important issue for the specification and design of software architectures is how to combine the analysis capabilities of multiple architectural definition languages (ADLs) and their supporting toolsets. In this paper, we describe our experience of integrating three ADLs: Wright, Rapide, and Aesop. We discovered that it is possible achieve interoperability in ADL tools for a non-trivial subset of the systems describable by these languages, even though the languages have different views about architectural structure and semantics. To carry out the integration we used the Acme architectural interchange language and its supporting tools. },
KEYWORDS = {Acme, Architectural Analysis, Software Architecture} }
|
46 |
@InProceedings{Garlan00ArchRoadmap,
AUTHOR = {Garlan, David},
TITLE = {Software Architecture: a Roadmap},
YEAR = {2000},
BOOKTITLE = {Proceedings of the Conference on The Future of Software Engineering},
KEY = {Garlan},
PAGES = {91--101},
EDITOR = {Finkelstein, A.},
SERIES = {ICSE '00},
ADDRESS = {Limerick, Ireland},
PUBLISHER = {ACM Press},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/roadmap2000/roadmap2000.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/roadmap2000/roadmap2000.ps},
ABSTRACT = {Over the past decade software architecture has received increasing attention as an important subfield of software engineering. During that time there has been considerable progress in developing the technological and methodologi-cal base for treating architectural design as an engineering discipline. However, much remains to be done to achieve that goal. Moreover, the changing face of technology raises a number of new challenges for software architecture. This paper examines some of the important trends of software architecture in research and practice, and speculates on the important emerging trends, challenges, and aspirations. },
KEYWORDS = {Software Architecture} }
|
47 |
@InProceedings{Garlan2000,
AUTHOR = {Garlan, David and Khersonsky, Serge},
TITLE = {Model Checking Implicit-Invocation Systems},
YEAR = {2000},
MONTH = {November},
BOOKTITLE = {Proceedings of the 10th International Workshop on Software Specification and Design (IWSSD-10)},
ADDRESS = {San Diego, CA},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/iwssd10/iwssd10.pdf},
ABSTRACT = {While implicit invocation (publish-subscribe) systems have good engineering properties, they are difficult to reason about and to test. Model checking such systems is an attractive alternative. However, it is not clear what kinds of state models are best suited for this. In this paper we propose a structural approach, which factors the model checking problem into two parts: behavior specific to a particular implicit invocation system, and reusable runtime infrastructure that handles event-based communication and delivery policies. The reusable portion is itself structured so that alternative runtime mechanisms may be experimented with. },
KEYWORDS = {Model Checking, Publish Subscribe Systems} }
|
48 |
@InProceedings{Garlan2000a,
AUTHOR = {Garlan, David},
TITLE = {Pervasive Computing and the Future of CSCW Systems},
YEAR = {2000},
MONTH = {November},
BOOKTITLE = {CSCW2000 Workshop on Software Architectures for Cooperative Systems},
ABSTRACT = {The use of largely isolated workstations and laptops as the primary carrier of personal computing is giving way to a world of pervasive computing populated by ubiquitous networks of heterogeneous computing and information facilities. In such a world the boundaries between a user},
NOTE = {(Position Paper)},
KEYWORDS = {Software Architecture, Ubiquitous Computing} }
|
49 |
@InProceedings{Garlan2000b,
AUTHOR = {Garlan, David},
TITLE = {Software Architecture and Object-Oriented Systems},
YEAR = {2000},
MONTH = {August},
BOOKTITLE = {Proceedings of the IPSJ Object-Oriented Symposium 2000},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/OO 2000-dist.pdf},
ABSTRACT = {Over the past decade software architecture has emerged as an important subfield of software engineering. During that time there has been considerable progress in developing the technological and methodological base for treating architectural design as an engineering discipline, including specialized architectural description languages, tools, analytic techniques, handbooks, and methods. In this paper I survey the main features of the field, and then compare software architecture with object-oriented systems to illustrate some of the important similarities and differences between the two fields. },
KEYWORDS = {Object-oriented Systems, Software Architecture} }
|
50 |
@InProceedings{Garlan2000e,
AUTHOR = {Garlan, David and Kompanek, Andrew},
TITLE = {Reconciling the Needs of Architectural Description with Object-Modeling Notations},
YEAR = {2000},
MONTH = {October},
BOOKTITLE = {Proceedings of the Third International Conference on the Unified Modeling Language - << UML >> 2000},
ADDRESS = {York, UK},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml00/uml00.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/uml00/uml00.ps},
ABSTRACT = {Complex software systems require expressive notations for representing their software architectures. Two competing paths have emerged. One is to use a specialized notation for architecture -- or architecture description language (ADL). The other is to adapt a general-purpose modeling notation, such as UML. The latter has a number of benefits including familiarity to developers, close mapping to implementations, and commercial tool support. However, it remains an open question as to how best to use object-oriented notations for architectural description, and, indeed, whether they are sufficiently expressive, as currently defined. In this paper we take a systematic look at these questions, examining the space of possible mappings from ADLs into object notations. Specifically, we describe (a) the principle strategies for representing architectural structure in UML; (b) the benefits and limitations of each strategy; and (c) aspects of architectural description that are intrinsically difficult to model in UML using the strategies. },
KEYWORDS = {Software Architecture, UML} }
|
51 |
@InProceedings{AGI98FSE,
AUTHOR = {Allen, Robert and Garlan, David and Ivers, James},
TITLE = {Formal Modeling and Analysis of the HLA Component Integration Standard},
YEAR = {1998},
MONTH = {November},
BOOKTITLE = {Proceedings of the Sixth International Symposium on the Foundations of Software Engineering (FSE-6)},
KEY = {Allen},
ADDRESS = {Lake Buena Vista, Florida},
PUBLISHER = {ACM},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hla-fse98/hla-fse98.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hla-fse98/hla-fse98.ps},
ABSTRACT = {An increasingly important trend in the engineering of complex systems is the design of component integration standards. Such standards define rules of interaction and shared communication infrastructure that permit composition of systems out of independently-developed parts. A problem with these standards is that it is often difficult to understand exactly what they require and provide, and to analyze them in order to understand their deeper properties. In this paper we use our experience in modeling the High Level Architecture (HLA) for Distributed Simulation to show how one can capture the structured protocol inherent in an integration standard as a formal architectural model that can be analyzed to detect anomalies, race conditions, and deadlocks. },
KEYWORDS = {Architectural Analysis, Formal Methods, Software Architecture} }
|
52 |
@InProceedings{Dingel1998,
AUTHOR = {Dingel, Jurgen and Garlan, David and Jha, Somesh and Notkin, David},
TITLE = {Reasoning about Implicit Invocation},
YEAR = {1998},
MONTH = {November},
BOOKTITLE = {Proceedings of the Sixth International Symposium on the Foundations of Software Engineering (FSE-6)},
ADDRESS = {Lake Buena Vista, Florida},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fse98/implinvoc-fse98.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-fse98/implinvoc-fse98.ps},
ABSTRACT = {Implicit invocation has become an important architectural style for large-scale system design and evolution. This paper addresses the lack of specication and verication formalisms for such systems. Based on standard notions from process algebra and trace semantics, we dene a formal computational model for implicit invocation. A verication methodology is presented that supports linear time temporal logic and compositional reasoning. First, the entire system is partioned into groups of components (methods) that behave independently. Then, local properties are proved for each of the groups. A precise description of the cause and the eect of an event supports this step. Using local correctness, independence of groups, and properties of the delivery of events, we infer the desired property of the overall system. Two detailed examples illustrate the use of our framework. },
KEYWORDS = {Formal Methods, Implicit Invocation, Model Checking, Software Architecture} }
|
53 |
@InProceedings{Spitznagel1998,
AUTHOR = {Spitznagel, Bridget and Garlan, David},
TITLE = {Architecture-Based Performance Analysis},
YEAR = {1998},
MONTH = {June},
BOOKTITLE = {Proceedings of the 1998 Conference on Software Engineering and Knowledge Engineering (SEKE'98)},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/perform-seke98/perform-seke98.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/perform-seke98/perform-seke98.ps},
ABSTRACT = {A software architecture should expose important system properties for consideration and analysis. Performance-related properties are frequently of interest in determining the acceptability of a given software design. In this paper we show how queueing network modeling can be adapted to support performance analysis of software architectures. We also describe a tool for transforming a software architecture in a particular style into a queueing network and analyzing its performance. },
KEYWORDS = {Architectural Analysis, Software Architecture} }
|
54 |
@InProceedings{Garlan98OMG,
AUTHOR = {Garlan, David},
TITLE = {Higher-Order Connectors},
YEAR = {1998},
MONTH = {January},
BOOKTITLE = {Proceedings of Workshop on Compositional Software Architectures},
KEY = {Garlan},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hoc-omg98/hoc-omg98.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hoc-omg98/hoc-omg98.ps},
ABSTRACT = {A critical issue for architectural design is the nature of the glue, or connectors, with which a system's parts are combined. Thus an important first step toward improving our ability to compose parts is to make to make connectors explicit semantic enties, where they can be documented, analyzed, and (sometimes) used to generate code. A number of notations for software architecture do precisely this. However, a key second step is to understand operations over connectors. In principle, such operations would permit one to produce new connectors out of old ones, adapt existing connectors to new contexts of use, and factor out common properties of connectors so they can be reused. In this paper we argue that the use of ``higher order connectors'' is one way to achieve this goal. },
ANNOTE = {http://www.objs.com/workshops/ws9801/index.html},
KEYWORDS = {Software Architecture} }
|
55 |
@InProceedings{Allen98FASE,
AUTHOR = {Allen, Robert and Douence, Remi and Garlan, David},
TITLE = {Specifying and Analyzing Dynamic Software Architectures},
YEAR = {1998},
MONTH = {March},
BOOKTITLE = {Proceedings of the 1998 Conference on Fundamental Approaches to Software Engineering (FASE'98)},
KEY = {Allen},
VOLUME = {1382},
SERIES = {Lecture Notes in Computer Science},
ADDRESS = {Lisbon, Portugal},
PUBLISHER = {Springer},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-fase98/wright-fase98.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/wright-fase98/wright-fase98.ps},
ABSTRACT = {A critical issue for complex component-based systems design is the modeling and analysis of architecture. One of the complicating factors in developing architectural models is accounting for systems whose architecture changes dynamically (during run time). This is because dynamic changes to architectural structure may interact in subtle ways with on-going computations of the system.
In this paper we argue that it is possible and valuable to provide a modeling approach that accounts for the interactions between architectural reconfiguration and non-reconfiguration system functionality, while maintaining a separation of concerns between these two aspects of a system. The key to the approach is to use a uniform notation and semantic base for both reconfiguration and steady-state behavior, while at the same time providing syntactic separation between the two. As we will show, this permits us to view the architecture in terms of a set of possible architectural snapshots, each with its own steady-state behavior. Transitions between these snapshots are accounted for by special reconfiguration-triggering events.
},
NOTE = {An expanded version of the paper Specifying Dynamism in Software Architectures, which appeared in the Proceedings of the Workshop on Foundations of Component-Based Software Engineering, September 1997.},
ANNOTE = {CONFERENCE-URL : http://www.di.fc.ul.pt:80/~llf/etaps98/},
KEYWORDS = {Dynamism, Formal Methods, Software Architecture, Wright} }
|
56 |
@InProceedings{Melton97CASCON,
AUTHOR = {Melton, Ralph and Garlan, David},
TITLE = {Architectural Unification},
YEAR = {1997},
MONTH = {November},
BOOKTITLE = {Proceedings of CASCON'97},
KEY = {Melton},
ADDRESS = {Ontario, Canada},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/Unification/Unification.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/Unification/Unification.ps},
ABSTRACT = {Many software designs are produced by combining and elaborating existing architectural design fragments. These fragments may be design patterns, partially thought-out ideas, or portions of some previously-developed system design. To provide mechanized support for this activity it is necessary to have a precise characterization of when and how two or more architectural fragments can be combined. In this paper we describe extensions to notations for software architecture to represent incomplete design fragments, and algorithms for combining fragments in a process analogous to unification in logic.
},
ANNOTE = {CONFERENCE-URL : http://www.cas.ibm.ca/cascon/cfp.html} }
|
57 |
@InProceedings{Allen97SimWkshop,
AUTHOR = {Allen, Robert and Garlan, David},
TITLE = {Formal Modeling and Analysis of the HLA RTI},
YEAR = {1997},
MONTH = {March},
BOOKTITLE = {Summary Report of the 1997 Spring Simulation Interoperability Workshop},
KEY = {Allen},
PAGES = {1153-1161},
ADDRESS = {Orlando, Florida},
PUBLISHER = {Institute for Simulation and Training},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hla-siw97/hla-siw97.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/hla-siw97/hla-siw97.ps},
ABSTRACT = {The HLA RTI is a complex artifact, supporting several classes of interaction (e.g., federation management, object management, time management). A critical challenge in producing an RTI architectural framework (and its associated simulation interface specifications) is to develop confidence that its specification is well-formed and complete. In this paper we describe on-going work in formally modelling the HLA both to document the standard more precisely, as well as to analyze it for anomalies, omissions, inconsistencies, and ambiguities. The technical basis for this work is the use of a formal architectural description language, called Wright, and its accompanying toolset. },
NOTE = {IST-CF-97-01.2},
KEYWORDS = {Formal Methods, Software Architecture, Wright} }
|
58 |
@InProceedings{Garlan97CASCON,
AUTHOR = {Garlan, David and Monroe, Robert T. and Wile, David},
TITLE = {Acme: An Architecture Description Interchange Language},
YEAR = {1997},
MONTH = {November},
BOOKTITLE = {Proceedings of CASCON'97},
KEY = {Garlan},
PAGES = {169-183},
ADDRESS = {Toronto, Ontario},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/acme-cascon97/acme-cascon97.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/acme-cascon97/acme-cascon97.ps},
ABSTRACT = {Numerous architectural description languages (ADLs) have been developed, each providing complementary capabilities for architectural development and analysis. Unfortunately, each ADL and supporting toolset operates in isolation, making it difficult to integrate those tools and share architectural descriptions. ACME is being developed as a joint effort of the software architecture research community as a common interchange format for architecture design tools. ACME provides a structural framework for characterizing architectures, together with annotation facilities for additional ADL-specific information. This scheme permits subsets of ADL tools to share architectural information that is jointly understood, while tolerating the presence of information that falls outside their common vocabulary. In this paper we describe ACME's key features, rationale, and technical innovations. },
NOTE = {One of the 14 high-impact papers from the first decade of CASCON, 2010.},
ANNOTE = {CONFERENCE-URL : http://www.cas.ibm.ca/cascon/cfp.html},
KEYWORDS = {Acme, Landmark, Software Architecture} }
|
59 |
@InProceedings{Monroe1996,
AUTHOR = {Monroe, Robert},
TITLE = {Capturing Design Expertise in Customized Software Architecture Design Environments},
YEAR = {1996},
MONTH = {October},
BOOKTITLE = {Proceedings of the Second International Software Architecture Workshop},
PDF = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/armani-isaw/armani-isaw2.pdf},
PS = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/armani-isaw/armani-isaw2.ps},
ABSTRACT = {Software architecture is receiving increasing attention as a powerful way to deal with the complexity of large software systems. It has emerged as a distinct form of abstraction for software systems with its own set of design issues, vocabulary, and goals. Like designers in other disciplines, software architects can gain significant leverage by using powerful design environments and tools. Powerful design tools generally encapsulate a relatively small amount of design expertise that provides the important functionality of the tool within a relatively large support infrastructure. In this position paper I argue that in order to make the development of specialized architectural design tools practical it must be relatively easy and inexpensive to capture and make use of the desired design expertise. I then briefly describe an emerging approach for capturing this design expertise so that it can be used to incrementally configure architectural design environments.},
KEYWORDS = {Software Architecture} }
|
60 |
@InProceedings{Allen95Aegis,
AUTHOR = {Allen, Robert and Garlan, David},
TITLE = {A Case Study in Architectural Modelling: The AEGIS System},
YEAR = {1996},
MONTH = {March},
BOOKTITLE = {Proceedings of the Eighth International Workshop on Software Specification and Design (IWSSD-8)},
KEY = {Allen},
PAGES = {6-15},
ADDRESS = {Paderborn, Germany},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aegis-iwssd8/aegis-iwssd8.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aegis-iwssd8/aegis-iwssd8.ps},
ABSTRACT = {Software architecture is receiving increasingly attention as a critical design level for software systems. However, the current practice of architectural description is largely informal and ad hoc, with the consequence that architectural documents serve as a poor communication mechanism, are difficult to analyze, and may have very little relationship to the implemented system. In an attempt to address these problems several researchers have experimented with formalisms for architectural specification and modelling. One such formalism is Wright. In this paper we show how Wright can be used to provide insight into an architectural design by modelling a prototype implementation of part of the AEGIS Weapons System.},
KEYWORDS = {Software Architecture, Wright} }
|
61 |
@InProceedings{Garlan97ISAW2,
AUTHOR = {Garlan, David},
TITLE = {Style-Based Refinement for Software Architecture},
YEAR = {1996},
MONTH = {October},
BOOKTITLE = {Joint Proceedings of the Second International Software Architecture Workshop (ISAW2) and the International Workshop on Multiple Perspectives in Software Development (Viewpoints '96)},
KEY = {Garlan},
ADDRESS = {San Francisco, CA},
PUBLISHER = {ACM Press},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/refinement-isaw2/refinement-isaw2.pdf},
ABSTRACT = {A question that frequently arises for architectural design is 'When can I implement a design in style S1 using a design in style S2?' In this paper I propose a technique for structuring a solution to this kind of problem using the idea of substyles. This technique leads to a two-step process in which first, useful subsets of a family of architectures are identified, and second, refinement rules specific to these subsets are established. I will argue that this technique, in combination with an unconventional interpretation of refinement, clarifies how engineers actually carry out architectural refinement and provides a formal framework for establishing the correctness of those methods.} }
|
62 |
@InProceedings{Monroe96ICSR,
AUTHOR = {Monroe, Robert T. and Garlan, David},
TITLE = {Style-based Reuse for Software Architectures},
YEAR = {1996},
MONTH = {April},
BOOKTITLE = {Proceedings of the Fourth International Conference on Software Reuse},
KEY = {Monroe},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/shelf-icsr96/shelf-icsr96.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/shelf-icsr96/shelf-icsr96.ps},
ABSTRACT = {Although numerous mechanisms for promoting software reuse have been proposed and implemented over the years, most have focused on the reuse of implementation code. There is much conjecture and some empirical evidence, however, that the most effective forms of reuse are generally found at more abstract levels of software design. In this paper we discuss software reuse at the architectural level of design. Specifically, we argue that the concept of 'architectural style' is useful for supporting the classification, storage, and retrieval of reusable architectural design elements. We briefly describe the Aesop system's Software Shelf, a tool that assists designers in selecting appropriate design elements and patterns based on stylistic information and design constraints.},
KEYWORDS = {Architectural Style, Software Architecture} }
|
63 |
@InProceedings{Garlan95Dagstuhl,
AUTHOR = {Garlan, David},
TITLE = {What is Style?},
YEAR = {1995},
MONTH = {February},
BOOKTITLE = {Proceedings of the Dagstuhl Workshop on Software Architecture},
KEY = {David Garlan},
ADDRESS = {Saarbruecken, Germany},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/style-iwass95/style-iwass95.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/style-iwass95/style-iwass95.ps},
ABSTRACT = {A central aspect of architectural design is the use of recurring organizational patterns and idioms- or architectural styles. Examples include generic system organizations such as those based on dataflow or layers, as well as specific organizational structures such as the classical decomposition of a compiler, the OSI communication stack, and the MVC user interface paradigm.
The principled use of architectural styles has a number of practical benefits. First, it promotes design reuse: routine solutions with well-understood properties can be reapplied to new problems with confidence. Second, it can lead to significant code reuse: often the invariant aspects of an architectural style lend themselves to shared implementations. Third, it is easier for others to understand a system's organization if conventionalized structures are used. For example, even without giving details, characterization of a system as a 'client-server' organization immediately conveys a strong image of the kinds of pieces and how they fit together. Fourth,use of standardized styles supports interoperability. Examples include CORBA object-oriented architecture, and event-based tool integration. Fifth, by constraining the design space, an architectural style often permits specialized,style-specific analyses. For example, it is possible to analyze pipe-filter systems for schedulability, throughput, latency, and deadlock-freedom. Such analyses might not be meaningful for an arbitrary, ad hoc architecture - or even one constructed in a different style. Sixth, it is usually possible to provide style-specific visualizations: this makes it possible to provide graphical and textual renderings that match engineers' domain-specific intuitions about how their designs should be depicted. },
KEYWORDS = {Architectural Style, Software Architecture} }
|
64 |
@InProceedings{Allen96IWSSD,
AUTHOR = {Allen, Robert},
TITLE = {Formalism and Informalism in Architectural Style: A Case Study},
YEAR = {1995},
MONTH = {April},
BOOKTITLE = {Proceedings of the First International Workshop on Architectures for Software Systems},
KEY = {Garlan},
ABSTRACT = {Increasingly, developers look to software architecture to help them control the complexity of their systems. When developing a particular system, designers tend not to explore all possible alternatives for its architecture. Instead, they use specific patterns and idioms that are effective for the domain in which they are working. We term such a collection of patterns and idioms an architectural style.
Unfortunately, with few exceptions current exploitation of architectural style is informal and ad hoc. In this paper we consider an alternative to the ad hoc description of architectural styles, a formal description based on the inherent structure of software architectures. We explore this solution by describing Justo and Cunha's message passing style in Wright, an architecture description language based on CSP. },
KEYWORDS = {Architectural Style, Software Architecture} }
|
65 |
@InProceedings{Garlan95ICSE-17,
AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John},
TITLE = {Architectural Mismatch, or, Why it's hard to build systems out of existing parts},
YEAR = {1995},
MONTH = {April},
BOOKTITLE = {Proceedings of the 17th International Conference on Software Engineering},
KEY = {Garlan},
PAGES = {179-185},
ADDRESS = {Seattle, Washington},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/archmismatch-icse17/archmismatch-icse17.pdf},
ABSTRACT = {Many would argue that future breakthroughs in software productivity will depend on our ability to combine existing pieces of software to produce new applications. An important step towares this goal is the development of new techniques to detect and cope with mismatches in the assembled parts. Some problems of composition are due to low-level issues of interoperability, such as mismatches in programming languages or database schemas. However, in this paper we highlight a different, and in many ways more pervasive, class of problem: architectural mismatch. Specifically, we use our experience in building a family of software design environments from existing parts to illustrate a variety of types of mismatch that center around the assumptions a reusable part makes about the structure of the application in which is to appear. Based on this experience we show how an architectural view of the mismatch problem exposes some fundamental, thorny problems for software composition and suggests possible research avenues needed to solve them.},
NOTE = {A revised and extended version of this paper appeared in <a href=http://ieeexplore.ieee.org/iel1/52/9910/00469757.pdf><i>IEEE Software</i>, Volume 12, Issue 6, Nov. 1995 (pp. 17-26)</a>. This paper was awarded an ACM SIGSOFT Impact Paper Award in 2011.},
KEYWORDS = {Architectural Style, Landmark, Software Architecture} }
|
66 |
@InProceedings{Garlan94ZUM,
AUTHOR = {Garlan, David},
TITLE = {Integrating Formal Methods into a Professional Master of Software Engineering Program},
YEAR = {1994},
MONTH = {June},
BOOKTITLE = {Proceedings of the Eighth Z User Meeting},
KEY = {Garlan},
SERIES = {Workshops in Computing},
ADDRESS = {Cambridge, England},
PUBLISHER = {Springer-Verlag},
PDF = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/fmmse-zum94/fmmse-zum94.pdf},
PS = {http://www.cs.cmu.edu/afs/cs.cmu.edu/project/able/ftp/fmmse-zum94/fmmse-zum94.ps},
ABSTRACT = {A critical issue in the design of a professional software engineering degree program is the way in which formal methods are integrated into the curriculum. The approach taken by most programs is to teach formal techniques for software development in a separate course on formal methods. In this paper we detail some of the problems with that approach and describe an alternative in which formal methods are integrated across the curriculum. We illustrate the strengths and weaknesses of this alternative in terms of our experience of using it in the Master of Software Engineering Program at Carnegie Mellon University.},
KEYWORDS = {Education, Formal Methods} }
|
67 |
@InProceedings{Garlan94Aesop,
AUTHOR = {Garlan, David and Allen, Robert and Ockerbloom, John},
TITLE = {Exploiting Style in Architectural Design Environments},
YEAR = {1994},
MONTH = {December},
BOOKTITLE = {Proceedings of SIGSOFT'94: The Second ACM SIGSOFT Symposium on the Foundations of Software Engineering},
KEY = {Garlan},
PUBLISHER = {ACM Press},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aesop-fse2/aesop-fse2.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/aesop-fse2/aesop-fse2.ps},
ABSTRACT = {As the design of software architectures emerges as a discipline within software engineering, it will become increasingly important to support architectural description and analysis with tools and environments. In this paper we describe a system for developing architectural design environments that exploit architectural styles to guide software architects in producing specific systems. The primary contributions of this research are:
- A generic object model for representing architectural designs;
- The characterization of architectural styles as speculations of this object model;
- A toolkit for creating an open architectural design environment from a description of a specific architectural style.
We use our experience in implementing these concepts to illustrate how style-oriened architectural design raises new challenges for software support environments.},
KEYWORDS = {Architectural Style, Software Architecture} }
|
68 |
@InProceedings{Allen94MIL,
AUTHOR = {Allen, Robert and Garlan, David},
TITLE = {Beyond Definition/Use: Architectural Interconnection},
YEAR = {1994},
MONTH = {August},
BOOKTITLE = {Proceedings of the ACM Interface Definition Language Workshop},
KEY = {Allen},
VOLUME = {29},
NUMBER = {8},
PUBLISHER = {SIGPLAN Notices},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/connectors-idl94/connectors-idl94.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/connectors-idl94/connectors-idl94.ps},
ABSTRACT = {Large software systems require decompositional mechanisms in order to make them tractable. Traditionally, MILs and IDLs have played this role by providing notations based on definition/use bindings. In this paper we argue that current MIL/IDLs based on definition/use have some serious drawbacks. A significant problem is that they fail to distinguish between 'implementation' and 'interaction' relationships between modules. We propose an alternative model in which components interact along well-defined lines of communication - or connectors. Connectors are defined as protocols that capture the expected patterns of communication between modules. We show how this leads to a scheme that is much more expressive for architectural relationships, that allows the formal definition of module interaction, and that supports its own form of automated checks and formal reasoning.},
KEYWORDS = {Software Architecture, Wright} }
|
69 |
@InProceedings{Garlan1994b,
AUTHOR = {Garlan, David},
TITLE = {The Role of Software Architecture in Requirements Engineering},
YEAR = {1994},
BOOKTITLE = {Proceedings of the Second International Conference on Requirements Engineering},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/sareqts-re94/sareqts-re94.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/sareqts-re94/sareqts-re94.ps},
ABSTRACT = {Problem Space versus Solution Space Requirements engineering is concerned fundamen tally with the shape of the problem space. Its primary goal is to determine the dimensions of the problem that the software system is to solve. In contrast, software architecture is concerned with the shape of the solution space. Its primary goal is to determine the structure of a solution to a problem posed by a set of requirements. Thus, understanding the role of software architecture in requirements engineering is largely a matter of understanding the dynamic relationship between identification of a problem to be solved and a description of its solution.},
KEYWORDS = {Software Architecture, Software Engineering} }
|
70 |
@InProceedings{Garlan1994c,
AUTHOR = {Garlan, David and Shaw, Mary},
TITLE = {Software Development Assignments for a Software Architecture Course},
YEAR = {1994},
MONTH = {May},
BOOKTITLE = {Software Engineering Resources: Proceedings of the ACM/IEEE International Workshop on Software Engineering Education},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/assignments-csee96/assignments-csee96.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/assignments-csee96/assignments-csee96.ps},
ABSTRACT = {As software systems grow in size and complexity their design problem extends beyond algorithms and data structures to issues of system design. These issues|the software architecture level of software design|are becoming increasingly important to the practicing software engineer. Consequently, it is important to nd eective ways to teach this material. To meet this need we developed a course, 'Architectures for Software Systems,' and have taught it four times. In this paper we describe the principal software development assignments that this course uses to develop skill at applying architectural principles to the design and implementation of software systems. The major challenges in designing such assignments are (1) making sure that students spend their time on architectural issues rather than coding, and (2) helping students establish and maintain a desired architectural style. We address these issues by providing working examples as starting points. These examples are usable in other courses.},
KEYWORDS = {Education, Software Architecture} }
|
71 |
@InProceedings{Allen94ICSE,
AUTHOR = {Allen, Robert and Garlan, David},
TITLE = {Formalizing Architectural Connection},
YEAR = {1994},
MONTH = {May},
BOOKTITLE = {Proceedings of the Sixteenth International Conference on Software Engineering},
KEY = {Allen},
PAGES = {71-80},
ADDRESS = {Sorrento, Italy},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/AG94.pdf},
ABSTRACT = {As software systems become more complex the overall system structure, or software architecture, becomes a central design problem. An important step towards an engineering discipline of software is a formal basis for describing and analyzing these designs. In this paper we present a theory for one aspect of architectural description: the interactions between components. the key idea is to define architectural connectors as explicit semantic entities. These are specified as a collection of protocols that characterize each of the participant roles in an interaction and how these roles interact. We illustrate how this scheme can be used to define a variety of common architectural connectors. We provide a formal semantics and show how this leads to a sound deductive system in which architectural compatibility can be checked in a way analogous to type checking in programming languages.},
NOTE = {Awarded ICSE2004 Best Paper (ICSE-10)},
KEYWORDS = {Formal Methods, Landmark, Software Architecture} }
|
72 |
@InProceedings{Abowd93FSE,
AUTHOR = {Abowd, Gregory and Allen, Robert and Garlan, David},
TITLE = {Using Style to Understand Descriptions of Software Architecture},
YEAR = {1993},
MONTH = {December},
BOOKTITLE = {Proceedings of SIGSOFT'93: Foundations of Software Engineering},
KEY = {Abowd},
VOLUME = {18},
NUMBER = {5},
PAGES = {9-20},
SERIES = {Software Engineering Notes},
PUBLISHER = {ACM Press},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/styleformalism-fse1/styleformalism-fse1.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/styleformalism-fse1/styleformalism-fse1.ps},
ABSTRACT = {The software architecture of most systems is described informally and diagrammatically. In order for these descriptions to be meaningful at all, figures are understood by interpreting the boxes and lines in specific, conventionalized ways. The imprecision of these interpretations has a number of limitations. In this paper we consider these convetionalized interpretations as architectural styles and provide a formal framework for their uniform definition. In addition to providing a template for precisely defining new architectural styles, this framework allows for the proof that the notational constraints on a style are sufficient to guarantee the meanings of all described systems and provides a unified semantic base through which different stylistic interpretations can be compared.},
KEYWORDS = {Architectural Style, Software Architecture} }
|
73 |
@InProceedings{Notkin1993,
AUTHOR = {Notkin, David and Garlan, David and Griswold, William and Sullivan, Kevin},
TITLE = {Adding Implicit Invocation to Languages: Three Aproaches},
YEAR = {1993},
MONTH = {November},
BOOKTITLE = {Proceedings of the JSSST Symp. Object Technologies for Advanced Software},
VOLUME = {742},
SERIES = {Lecture Notes in Computer Science},
PUBLISHER = {Spring-Verlag},
PDF = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-jssst93/implinvoc-jssst93.pdf},
PS = {http://www.cs.cmu.edu/afs/cs/project/able/ftp/implinvoc-jssst93/implinvoc-jssst93.ps},
ABSTRACT = { Implicit invocation based on event announcement is an increasingly important technique for integrating systems. However, the use of this technique has largely been confined to tool integration systems---in which tools exist as independent processes---and special-purpose languages---in which specialized forms of event broadcast are designed into the language from the start. This paper broadens the class of systems that can benefit from this approach by showing how to augment general-purpose programming languages with facilities for implicit invocation. We illustrate the approach in the context of three different languages, Ada, C++, and Common Lisp. The intent is to highlight the key design considerations that arise in extending such languages with implicit invocation.},
KEYWORDS = {Implicit Invocation} }
|
74 |
@InProceedings{Garlan2006c,
AUTHOR = {Garlan, David and Schmerl, Bradley},
TITLE = {Architecture-driven Modelling and Analysis},
YEAR = {2006},
BOOKTITLE = {Proceedings of the 11th Australian Workshop on Safety Related Programmable Systems (SCS'06)},
VOLUME = {69},
EDITOR = {Cant, Tony},
SERIES = {Conferences in Research and Practice in Information Technology},
ADDRESS = {Melbourne, Australia},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/aSCSa-final.pdf},
ABSTRACT = {Over the past 15 years there has been increasing recognition that careful attention to the design of a system?s software architecture is critical to satisfying its requirements for quality attributes such as performance, security, and dependability. As a consequence, during this period the field of software architecture has matured significantly. However, current practices of software architecture rely on relatively informal methods, limiting the potential for fully exploiting architectural designs to gain insight and improve the quality of the resulting system. In this paper we draw from a variety of research results to illustrate how formal approaches to software architecture can lead to enhancements in software quality, including improved clarity of design, support for analysis, and assurance that implementations conform to their intended architecture.},
KEYWORDS = {Acme, AcmeStudio, Architectural Analysis, Architectural Style, Landmark, Software Architecture} }
|
75 |
@InProceedings{2010/Faulring/Radar,
AUTHOR = {Faulring, Andrew and Myers, Brad and Mohnkern, Ken and Schmerl, Bradley and Steinfeld, Aaron and Zimmerman, John and Smailagic, Asim and Hansen, Jeffery and Siewioreck, Daniel},
TITLE = {Agent-Assisted Task Management that Reduces Email Overhead},
YEAR = {2010},
MONTH = {7-10 February},
BOOKTITLE = {Proceedings of the 14th International Conference on Intelligent User Interfaces},
PAGES = {61-70},
ADDRESS = {Hong Kong, China},
PUBLISHER = {ACM Press},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/radar-iui10.pdf},
ABSTRACT = {RADAR is a multiagent system with a mixed-initiative user
interface designed to help office workers cope with email
overload. RADAR agents observe experts to learn models
of their strategies and then use the models to assist other
people who are working on similar tasks. The agents assistance helps a person to transition from the normal email-centric workflow to a more efficient task-centric workflow.
The Email Classifier learns to identify tasks contained within emails and then inspects new emails for similar tasks. A
novel task-management user interface displays the found
tasks in a to-do list, which has integrated support for performing the tasks. The Multitask Coordination Assistant
learns a model of the order in which experts perform tasks
and then suggests a schedule to other people who are working on similar tasks. A novel Progress Bar displays the suggested schedule of incomplete tasks as well as the completed tasks. A large evaluation demonstrated that novice
users confronted with an email overload test performed
significantly better (a 37% better overall score with a factor
of four fewer errors) when assisted by the RADAR agents.
},
NOTE = {Honorable Mention Award in the Best Paper
Contest. DOI},
KEYWORDS = {RADAR} }
|
76 |
@InProceedings{Poladian2007,
AUTHOR = {Poladian, Vahe and Garlan, David and Shaw, Mary and Schmerl, Bradley and Sousa, Jo\~{a}o and Satyanarayanan, Mahadev},
TITLE = {Leveraging Resource Prediction for Anticipatory Dynamic Configuration},
YEAR = {2007},
MONTH = {8-11 July},
BOOKTITLE = { Proceedings of the First IEEE International Conference on Self-Adaptive and Self-Organizing Systems, SASO-2007},
PAGES = {214-223},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/predictive_configuration_16_marked.pdf},
ABSTRACT = {Self-adapting systems based on multiple concurrent applications must decide how to allocate scarce resources to
applications and how to set the quality parameters of each
application to best satisfy the user. Past work has made
those decisions with analytic models that used current resource availability information: they react to recent changes in resource availability as they occur, rather than anticipating future availability. These reactive techniques may model each local decision optimally, but the accumulation of decisions over time nearly always becomes less than optimal.
In this paper, we propose an approach to self adaptation, called anticipatory configuration that leverages
predictions of future resource availability to improve utility for the user over the duration of the task. The approach solves the following technical challenges: (1) how to express resource availability prediction, (2) how to combine prediction from multiple sources, and (3) how to leverage predictions continuously while improving utility to the user. Our experiments show that when certain adaptation operations are costly, anticipatory configuration provides better utility to the user than reactive configuration, while being comparable in resource demand.},
KEYWORDS = {Aura, Dynamic Configuration, Resource Aware Computing, Service Composition, Ubiquitous Computing} }
|
77 |
@InProceedings{SOAR2009,
AUTHOR = {Raheja, Rahul and Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley},
TITLE = {Improving Architecture-Based Self-Adaptation using Preemption},
YEAR = {2009},
MONTH = {14 September},
BOOKTITLE = {Proceedings of the Workshop on Self-Organizing Architecture},
ADDRESS = {Cambridge, UK},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SOAR-web.pdf},
ABSTRACT = {One common approach to self-adaptive systems is to incorporate a control layer that monitors a system, supervisorily detects problems, and applies adaptation strategies to fix problems or improve system behavior. While such approaches have been found to be quite effective, they are typically limited to carrying out a single adaptation at a time, delaying other adaptations until the current one finishes. This in turn leads to a problem in which a time-critical adaptation may have to wait for an existing long-running adaptation to complete, thereby missing a window of opportunity for that adaptation. In this paper we improve on existing practice through an approach in which adaptations can be preempted to allow for other time-critical adaptations to be scheduled. Scheduling is based on an algorithm that maximizes time-related utility for a set of concurrently executing adaptations.},
KEYWORDS = {Autonomic Systems, Rainbow, Self-adaptation, Software Architecture, Software Engineering} }
|
78 |
@InProceedings{Celiku2007,
AUTHOR = {Celiku, Orieta and Garlan, David},
TITLE = {Using Medical Devices to Teach Formal Modeling},
YEAR = {2007},
MONTH = {25-27 June},
BOOKTITLE = {Joint Workshop on High Confidence Medical Devices, Software, and Systems (HCMDSS) and Medical Device Plug-and-Play (MD PnP) Interoperability},
ADDRESS = {Boston, MA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CelikuGarlanMedicalDevices.pdf},
SLIDES = {http://acme.able.cs.cmu.edu/pubs/uploads/slides/CelikuGarlanMedicalDevicesPoster.pdf},
ABSTRACT = {Over the past decade there has been considerable progress in the development of formal methods to improve our confidence in complex systems. Today the use of such methods in certain fields, such as hardware design, or nuclear power control systems, is de rigueur, with commensurate improvements in quality and reliability.
Regrettably, however, the use of formalism in the medical device domain is relatively sparse. This is due in large part to the perceived difficulty of using formal methods by ordinary engineers and domain specialists, and by the lack of training in how best to apply existing tools to solve the problems faced in that domain.
Over the past few years we have been developing educational materials to help bridge this gap. Specifically we have developed a course in formal modeling for practicing engineers. A core component of this effort is a set of exercises drawn from the medical device domain, which are used to
a) show how formal modeling can be used as an effective technique to improve quality and reliability of software-intensive systems
b) provide guidelines on selecting appropriate modeling approaches for the problem at hand
c) give students hands-on experience in modeling and tool-assisted analysis
In this paper we outline our use of medical device challenge problems in achieving these goals. We argue that such exercises (and the underlying concepts) can go a long way towards bridging the gap between theory and practice, and could be used more generally to improve the state of the practice in developing high-confidence systems, in general, and medical devices, in particular.},
KEYWORDS = {Education, Formal Methods} }
|
79 |
@InProceedings{Latoza2007,
AUTHOR = {LaToza, Thomas and Garlan, David and Herbsleb, James and Myers, Brad},
TITLE = {Program Comprehension as Fact Finding},
YEAR = {2007},
MONTH = {3-7 September},
BOOKTITLE = {Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE 2007)},
PAGES = {361-370},
ADDRESS = {Dubrovnik, Croatia},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fp242-latoza.pdf},
ABSTRACT = {Little is known about how developers think about design during
code modification tasks or how experienced developers design
knowledge helps them work more effectively. We performed a lab
study in which thirteen developers worked for 3 hours understanding
the design of a 54 KLOC open source application. Participants
had from 0 to 10.5 years of industry experience and were
grouped into three experts and ten novices. We observed that
participants spent their time seeking, learning, critiquing, explaining,
proposing, and implementing facts about the code such as
getFoldLevel has effects. These facts served numerous roles,
such as suggesting changes, constraining changes, and predicting
the amount of additional investigation necessary to make a
change. Differences between experts and novices included that
the experts explained the root cause of the design problem and
made changes to address it, while novice changes addressed only
the symptoms. Experts did not read more methods but also did not
visit some methods novices wasted time understanding. Experts
talked about code in terms of abstractions such as caching while
novices more often described code statement by statement. Experts
were able to implement a change faster than novices. Experts
perceived problems novices did not and were able to explain
facts novices could not. These findings have interesting implications
for future tools.},
NOTE = {Available from the ACM Digital Library: http://doi.acm.org/10.1145/1287624.1287675},
KEYWORDS = {Software Architecture} }
|
80 |
@InProceedings{Sousa2008-WICSA,
AUTHOR = {Sousa, Jo\~{a}o and Schmerl, Bradley and Poladian, Vahe and Brodsky, Alex},
TITLE = {UDesign: End-User Design Applied to Monitoring and Control Applications for Smart Spaces},
YEAR = {2008},
MONTH = {18-22 February},
BOOKTITLE = {Proceedings of the 2008 Working IFIP/IEEE Conference on Software Architecture},
ADDRESS = {Vancouver, BC, Canada},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/uDesign-final.pdf},
ABSTRACT = {This paper introduces an architectural style for enabling end-users to quickly design and deploy software systems in domains characterized by highly personalized and dynamic requirements.
The style offers an intuitive metaphor based on boxes, pipes, and wires, but retains enough preciseness that systems can be automatically assembled and dynamically reconfigured based on uDesign descriptions. uDesign was primarily motivated and validated within monitoring and control applications for smart spaces, but we envision possible extensions to other domains.
Our contribution differs from early attempts at end-user programming in the level of abstraction, software architecture rather than programming, and in the subject of description: run-time rather than code structures.
To validate the approach, the paper presents (a) two case studies, one in health care and one in home security, (b) the formal semantics of uDesigns primitives, and (c) a mapping of those primitives to an existing software infrastructure: the Aura infrastructure.},
KEYWORDS = {Architectural Style, Aura, Service Composition, Ubiquitous Computing} }
|
81 |
@InProceedings{Cheng:2007:huas/iwlu,
AUTHOR = {Cheng, Shang-Wen and Garlan, David},
TITLE = {Handling Uncertainty in Autonomic Systems},
YEAR = {2007},
MONTH = {5 November},
BOOKTITLE = {Proceedings of the International Workshop on Living with Uncertainties (IWLU'07), co-located with the 22nd International Conference on Automated Software Engineering (ASE'07)},
ADDRESS = {Atlanta, GA, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IWLU07-HandlingUncertainties-pub.pdf},
ABSTRACT = {Autonomic, or self-adaptive, systems are increasingly important. One of the most prevalent techniques is to adopt a control systems view of the solution: adding a runtime, separate control unit that monitors and adapts the system under consideration. A problem with this paradigm for system engineering is that the control and the system are loosely coupled, introducing a variety of sources of uncertainty. In this paper we describe three specific sources of uncertainty, and briefly explain how we address those in the Rainbow Project.},
NOTE = {<a href=http://godzilla.cs.toronto.edu/IWLU/program.html>http://godzilla.cs.toronto.edu/IWLU/program.html</a>},
KEYWORDS = {Autonomic Systems, Rainbow, Self-adaptation, Self-Repair, Stitch, uncertainty} }
|
82 |
@InProceedings{Celiku2007a,
AUTHOR = {Celiku, Orieta and Garlan, David and Schmerl, Bradley},
TITLE = {Augmenting Architectural Modeling to Cope with Uncertainty},
YEAR = {2007},
MONTH = {5 November},
BOOKTITLE = {Proceedings of the International Workshop on Living with Uncertainties (IWLU'07), co-located with the 22nd International Conference on Automated Software Engineering (ASE'07)},
ADDRESS = {Atlanta, GA, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/uncertainty-web.pdf},
ABSTRACT = {Notations and techniques for architectural modeling and analysis have matured considerably over the past two decades. However, to date these approaches have primarily focused on architectural properties and behavior that can be precisely defined. In this paper we argue that it is possible to augment existing architecture description languages (ADLs) to support reasoning and analysis in the presence of uncertainty. Specifically, we outline two basic extensions to formal architecture descriptions that take advantage of probabilistic specifications to support architecture-based analyses such as simulation, detection of behavioral drift, and reasoning about the expected outcomes of uncertain behavior. An important property of these specifications is that they allow incremental refinement ďż˝ as more is known about the behavior of the system, specifications can be extended without invalidating previous analyses.},
NOTE = {<a href=http://godzilla.cs.toronto.edu/IWLU/program.html>http://godzilla.cs.toronto.edu/IWLU/program.html</a>},
KEYWORDS = {Acme, AcmeStudio, Architectural Analysis, Software Architecture} }
|
83 |
@InProceedings{Poladian:2007:iwlu,
AUTHOR = {Poladian, Vahe and Shaw, Mary and Garlan, David},
TITLE = {Modeling Uncertainty of Predictive Inputs in Anticipatory Dynamic Configuration},
YEAR = {2007},
MONTH = {5 November},
BOOKTITLE = {Proceedings of the International Workshop on Living with Uncertainties (IWLU'07), co-located with the 22nd International Conference on Automated Software Engineering (ASE'07),},
ADDRESS = {Atlanta, GA, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/uncertainty_in_configuration_v5.1.pdf},
ABSTRACT = {Dynamic adaptive systems based on multiple concurrent applications typically employ optimization models to decide how to allocate scarce resources among the applications and how to tune their runtime settings for optimal quality-of-service according to the preferences of an end user.
Traditionally, such systems have avoided dealing with uncertainty by assuming that current snapshots of the relevant inputs are precise and by solving for an optimal system point. To achieve dynamic behavior, a system performs an optimization loop upon discovering changes in the input variables (e.g. changes in the available level of resources) and adapts the applications according to the new optimal solution. Unfortunately, when certain adaptation actions incur costs, such reactive adaptation strategies suffer from a significant shortcoming: several locally optimal decisions over time may often be less than optimal globally.
By using predictive information about the future values of the problem inputs, we can model and implement an anticipatory adaptation strategy that helps improve the global behavior of the system in many situations. However, modeling predictions requires representing and dealing with uncertainty from different sources. In this paper, we describe our proposed approach to represent multiple sources of uncertainty and outline algorithms for solving the anticipatory configuration problem with predictive inputs.},
NOTE = {<a href=http://godzilla.cs.toronto.edu/IWLU/program.html>http://godzilla.cs.toronto.edu/IWLU/program.html</a>},
KEYWORDS = {Aura, Dynamic Configuration, Resource Allocation, Resource Aware Computing, Ubiquitous Computing, uncertainty} }
|
84 |
@InProceedings{Cheng2006,
AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley},
TITLE = {Architecture-based Self-adaptation in the Presence of Multiple Objectives},
YEAR = {2006},
MONTH = {21-22 May},
BOOKTITLE = {ICSE 2006 Workshop on Software Engineering for Adaptive and Self-Managing Systems (SEAMS)},
ADDRESS = {Shanghai, China},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams06.pdf},
ABSTRACT = {In the world of autonomic computing, the ultimate aim is to automate human tasks in system management to achieve high-level stakeholder objectives. One common approach is to capture and represent human expertise in a form executable by a computer. Techniques to capture such expertise in programs, scripts, or rule sets are effective to an extent. However, they are often incapable of expressing the necessary adaptation expertise and emulating the subtleties of trade-offs in high-level decision making. In this paper, we propose a new language of adaptation that is suffi-ciently expressive to capture the subtleties of choice, deriving its ontology from system administration tasks and its underlying formalism from utility theory.},
KEYWORDS = {Landmark, Rainbow, Self-adaptation, Self-Repair} }
|
85 |
@InProceedings{Sousa2008a,
AUTHOR = {Sousa, Jo\~{a}o and Poladian, Vahe and Garlan, David and Schmerl, Bradley and Steenkiste, Peter},
TITLE = {Steps toward Activity-Oriented Computing},
YEAR = {2008},
MONTH = {14 April},
BOOKTITLE = {Proceedings of the 2008 NSF Next Generation Software Program Workshop},
ADDRESS = {Miami, FL},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IPDPS-web.pdf},
ABSTRACT = {Most pervasive computing technologies focus on helping users with computer-oriented tasks. In this NSF-funded project, we instead focus on using computers to support user-centered activities that normally do not involve the use of computers. Examples may include everyday tasks around such as answering the doorbell or doing laundry. A focus on activity-based computing brings to the foreground a number of unique challenges. These include activity definition and representation, system design, interfaces for managing activities, and ensuring robust operation. Our project focuses on the first two challenges.},
KEYWORDS = {Aura, Ubiquitous Computing} }
|
86 |
@InProceedings{Sousa2008b,
AUTHOR = {Sousa, Jo\~{a}o and Balan, Rajesh and Poladian, Vahe and Garlan, David and Satyanarayanan, Mahadev},
TITLE = {User Guidance of Resource-Adaptive Systems},
YEAR = {2008},
MONTH = {July},
BOOKTITLE = {ICSOFT'08 International Conference on Software and Data Technologies},
ADDRESS = {Porto, Portugal},
ABSTRACT = {This paper presents a framework for engineering resource-adaptive software systems targeted at small
mobile devices. The proposed framework empowers users to control tradeoffs among a rich set of servicespecific
aspects of quality of service. After motivating the problem, the paper proposes a model for
capturing user preferences with respect to quality of service, and illustrates prototype user interfaces to elicit
such models. The paper then describes the extensions and integration work made to accommodate the
proposed framework on top of an existing software infrastructure for ubiquitous computing.
The research question addressed here is the feasibility of coordinating resource allocation and
adaptation policies in a way that end-users can understand and control in real time. The evaluation covered
both systems and the usability perspectives, the latter by means of a user study. The contributions of this
work are: first, a set of design guidelines for resource-adaptive systems, including APIs for integrating new
applications; second, a concrete infrastructure that implements the guidelines. And third, a way to model
quality of service tradeoffs based on utility theory, which our research indicates end-users with diverse
backgrounds are able to leverage for guiding the adaptive behaviors towards activity-specific quality goals.},
KEYWORDS = {Aura, Resource Aware Computing} }
|
87 |
@InProceedings{Garlan/2009/SOA,
AUTHOR = {Garlan, David and Carley, Kathleen M. and Schmerl, Bradley and Bigrigg, Michael W. and Celiku, Orieta},
TITLE = {Using Service-Oriented Architectures for Socio-Cultural Analysis},
YEAR = {2009},
MONTH = {1-3 July},
BOOKTITLE = {Proceedings of the 21st International Conference on Software Engineering and Knowledge Engineering (SEKE2009)},
ADDRESS = {Boston, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SORASCS-SEKE09.pdf},
ABSTRACT = {An emergent domain that raises some unique engineering challenges is that of software architectures to convert large bodies of unstructured data to human-usable knowledge, such as in the domain of socio-cultural information analysis. We report on an architecture based on Service-Oriented Architectures that we are applying in this domain. We list the requirements that such an architecture must support, describe our architecture for addressing them, and outline what we believe are the important engineering and research issues that must still be overcome.},
KEYWORDS = {SORASCS, Service Composition, Software Architecture} }
|
88 |
@InProceedings{Garlan/2009/ICSE/AEvol,
AUTHOR = {Garlan, David and Schmerl, Bradley},
TITLE = {Ăvol: A tool for defining and planning architecture evolution},
YEAR = {2009},
MONTH = {20-22 May},
BOOKTITLE = {2009 International Conference on Software Engineering},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE2009_FRD_0231_Schmerl_Bradley.pdf},
ABSTRACT = {Architecture evolution is a key feature of most software systems. There are few tools that help architects plan and execute these evolutionary paths. We demonstrate a tool to enable architects to describe evolution paths, associate properties with elements of the paths, and perform trade-off analysis over these paths.},
KEYWORDS = {Architecture Evolution} }
|
89 |
@InProceedings{MISE2009,
AUTHOR = {Chaki, Sagar and Diaz-Pace, Andres and Garlan, David and Garfunkel, Arie and Ozkaya, Ipek},
TITLE = {Towards Engineered Architecture Evolution},
YEAR = {2009},
MONTH = {May},
BOOKTITLE = {Workshop on Modeling in Software Engineering 2009},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE2009_MISE_2013_Chaki_Sagar-1.pdf},
ABSTRACT = {Architecture evolution, a key aspect of software evolution,
is typically done in an ad hoc manner, guided only
by the competence of the architect performing it. This process
lacks the rigor of an engineering discipline. In this
paper, we argue that architecture evolution must be engineered
based on rational decisions that are supported by
formal models and objective analyses. We believe that evolutions
of a restricted form close-ended evolution, where
the starting and ending design points are known a priori
are amenable to being engineered. We discuss some of the
key challenges in engineering close-ended evolution. We
present a conceptual framework in which an architecture
evolutionary trajectory is modeled as a sequence of steps,
each captured by an operator. The goal of our framework is
to support exploration and objective evaluation of different
evolutionary trajectories. We conclude with open research
questions in developing this framework.},
KEYWORDS = {Architecture Evolution} }
|
90 |
@InProceedings{Cheng:2009:RAIDE/icse,
AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley},
TITLE = {RAIDE for Engineering Architecture-Based Self-Adaptive Systems},
YEAR = {2009},
BOOKTITLE = {2009 International Conference on Software Engineering},
ADDRESS = {Vancouver, BC, Canada},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE2009_IRD_0659_Cheng_Shang-Wen.pdf},
ABSTRACT = {Rainbow is an approach for engineering self-adaptive systems, with run-time, closed-loop control over target systems to monitor, detect, decide, and act on opportunities for system improvement. RAIDE enables adaptation engineers to customize the Rainbow framework, simulate adaptation behavior, and deploy Rainbow run-time components.},
KEYWORDS = {Rainbow} }
|
91 |
@InProceedings{Cheng:2009:benchmark/znn:seams,
AUTHOR = {Cheng, Shang-Wen and Garlan, David and Schmerl, Bradley},
TITLE = {Evaluating the Effectiveness of the Rainbow Self-Adaptive System},
YEAR = {2009},
MONTH = {18-19 May},
BOOKTITLE = {ICSE 2009 Workshop on Software Engineering for Adaptive and Self-Managing Systems (SEAMS\'09), Vancouver, BC, Canada},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE2009_SEAMS_2528_Cheng_Shang-Wen.pdf},
ABSTRACT = {Rainbow is a framework for engineering a system with run-time, self-adaptive capabilities to monitor, detect, decide, and act on opportunities for system improvement. We applied Rainbow to a system, Znn.com, and evaluated its effectiveness to self-adapt on three levels: its effectiveness to maintain quality attribute in the face of changing conditions, run-time overheads of adaptation, and the engineering effort to use it to add self-adaptive capabilities to Znn.com. We make Znn.com and the associated evaluation tools available to the community so that other researchers can use it to evaluate their own systems and the community can compare different systems. In this paper, we report on our evaluation experience, reflect on some principles for benchmarking self-adaptive systems, and discuss the suitability of our evaluation tools for this purpose.},
NOTE = {Awarded Most Influential Paper for SEAMS 2009},
KEYWORDS = {Benchmark, Rainbow} }
|
92 |
@InProceedings{Garlan/2009/ArchEvol,
AUTHOR = {Garlan, David and Barnes, Jeffrey M. and Schmerl, Bradley and Celiku, Orieta},
TITLE = {Evolution Styles: Foundations and Tool Support for Software Architecture Evolution},
YEAR = {2009},
MONTH = {14-17 September},
BOOKTITLE = {Proceedings of the Joint Working IEEE/IFIP Conference on Software Architecture 2009 & European Conference on Software Architecture 2009},
ADDRESS = {Cambridge, UK},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/wicsa-09-camera-web.pdf},
ABSTRACT = {As new market opportunities, technologies, platforms, and frameworks become available, systems require large-scale and systematic architectural restructuring to accommodate them. Todays architects have few tools and techniques to help them plan this architecture evolution. In particular, they have little assistance in planning alternative evolution paths, trading-off various aspects of the different paths, or knowing best practices for particular domains. In this paper we describe an approach for assisting architects in developing and reasoning about architectural evolution paths. The key in-sight of our approach is that, architecturally, many system evolutions follow certain common patterns or evolution styles. We define what we mean by an evolution style, and show how it can be used to provide automated assistance for expressing architectural evolution, and for reasoning about both the correctness and quality of evolution paths.},
KEYWORDS = {Architecture Evolution} }
|
93 |
@InProceedings{Bhave/ERTS2010,
AUTHOR = {Bhave, Ajinkya Y. and Garlan, David and Krogh, Bruce and Rajhans, Akshay and Schmerl, Bradley},
TITLE = {Augmenting Software Architectures with Physical Components},
YEAR = {2010},
MONTH = {19-21 May},
BOOKTITLE = {Proceedings of the Embedded Real Time Software and Systems Conference (ERTS^2 2010)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ERTS2_2010.pdf},
ABSTRACT = {This paper presents an extension of existing software architecture tools to model physical systems, their interconnections, and the interactions between physical and cyber components. We introduce a new cyber-physical system (CPS) architectural style to support the construction of architectural descriptions of complete systems and to serve as the reference context for analysis and evaluation of design alternatives using existing model-based tools. The implementation of the CPS architectural style in AcmeStudio includes behavioral annotations on components and connectors using either finite state processes (FSP) or linear hybrid automata (LHA) with plug-ins to perform behavior analysis. The application of the CPS architectural style is illustrated for the STARMAC quadrotor.},
KEYWORDS = {Cyberphysical Systems} }
|
94 |
@InProceedings{2013:Camara/Correia,
AUTHOR = {C\'{a}mara, Javier and Correia, Pedro and de Lemos, Rog\'{e}rio and Garlan, David and Gomes, Pedro and Schmerl, Bradley and Ventura, Rafael},
TITLE = {Evolving an Adaptive Industrial Software System to Use Architecture-based Self-Adaptation},
YEAR = {2013},
MONTH = {20-21 May},
BOOKTITLE = {Proceedings of the 8th International Symposium on Software Engineering for Adaptive and Self-Managing Systems},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/eaisabsa.pdf},
ABSTRACT = {Although architecture-based self-adaptation has
been widely used, there is still little understanding about
the validity and tradeoffs of incorporating it into real-world software-intensive systems which already feature built-in adaptation mechanisms. In this paper, we report on our experience in integrating Rainbow, a platform for architecture-based self-adaptation, and an industrial middleware employed to monitor and manage highly populated networks of devices. Concretely, we reflect on aspects such as the effort required for framework customization and legacy code refactoring, performance improvement, and the impact of architecture-based self-adaptation on system evolution.},
KEYWORDS = {Rainbow} }
|
95 |
@InProceedings{Schmerl/2011/ICSE,
AUTHOR = {Schmerl, Bradley and Garlan, David and Dwivedi, Vishal and Bigrigg, Michael W. and Carley, Kathleen M.},
TITLE = {SORASCS: A Case Study in SOA-based Platform Design for Socio-Cultural Analysis},
YEAR = {2011},
BOOKTITLE = {Proceedings of the 33rd International Conference on Software Engineering.},
ADDRESS = {Hawaii, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SORASCS-ICSE2011-cr-final.pdf},
ABSTRACT = {An increasingly important class of software-based systems is plat-forms that permit integration of third-party components, services, and tools. Service-Oriented Architecture (SOA) is one such plat-form that has been successful in providing integration and distri-bution in the business domain, and could be effective in other domains (e.g., scientific computing, healthcare, and complex deci-sion making). In this paper, we discuss our application of SOA to provide an integration platform for socio-cultural analysis, a domain that, through models, tries to understand, analyze and predict relationships in large complex social systems. In developing this platform, called SORASCS, we had to overcome issues we believe are generally applicable to any application of SOA within a domain that involves technically naďve users and seeks to establish a sustainable software ecosystem based on a common integration platform. We discuss those issues and the lessons learned about the kinds of problems that occur, and pathways toward a solution.},
KEYWORDS = {Architectural Style, SORASCS} }
|
96 |
@InProceedings{10.1109/ISESE.2004.1334899,
AUTHOR = {Boehm, Barry and Bhuta, Jesal and Garlan, David and Gradman, Eric and Huang, LiGuo and Lam, Alexander and Madachy, Ray and Medvidovic, Nenad and Meyer, Kenneth and Meyers, Steven and Perez, Gustavo and Reinholtz, Kirk and Roshandel, Roshanak and Rouquette, Nicolas},
TITLE = {Using Empirical Testbeds to Accelerate Technology Maturity and Transition: The SCRover Experience},
YEAR = {2004},
BOOKTITLE = {International Symposium on Empirical Software Engineering},
PAGES = {117-126},
ADDRESS = {Los Alamitos, CA, USA},
PUBLISHER = {IEEE Computer Society},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ISESE04.pdf},
ABSTRACT = {This paper is an experience report on a first attempt
to develop and apply a new form of software: a fullservice
testbed designed to evaluate alternative software
dependability technologies, and to accelerate their
maturation and transition into project use. The SCRover
testbed includes not only the specifications, code, and
hardware of a public safety robot, but also the package of
instrumentation, scenario drivers, seeded defects,
experimentation guidelines, and comparative effort and
defect data needed to facilitate technology evaluation
experiments.
The SCRover testbeds initial operational capability
has been recently applied to evaluate two architecture
definition languages (ADLs) and toolsets, Mae and
AcmeStudio. The testbed evaluation showed (1) that the
ADL-based toolsets were complementary and costeffective
to apply to mission-critical systems; (2) that the
testbed was cost-effective to use by researchers; and (3)
that collaboration in testbed use by researchers and the
Jet Propulsion Laboratory (JPL) project users resulted in
actions to accelerate technology maturity and transition
into project use. The evaluation also identified a number
of lessons learned for improving the SCRover testbed,
and for development and application of future technology
evaluation testbeds.},
NOTE = {ISBN 0-7695-2165-7},
ANNOTE = {DOI : http://doi.ieeecomputersociety.org/10.1109/ISESE.2004.1334899},
KEYWORDS = {Software Engineering} }
|
97 |
@InProceedings{Views/Bhave/2010,
AUTHOR = {Bhave, Ajinkya Y. and Krogh, Bruce and Garlan, David and Schmerl, Bradley},
TITLE = {Multi-domain Modeling of Cyber-Physical Systems using Architectural Views},
YEAR = {2010},
MONTH = {30 November},
BOOKTITLE = {Proceedings of the 1st Analytic Virtual Integration of Cyber-Physical Systems Workshop.},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MMCPSAV.pdf},
ABSTRACT = {Designing cyber-physical systems(CPSs)increasingly requires the use of multi-domain models throughout the development process. Ensuring consistent relationships between various system models is an important part of an integrated design methodology. This paper describes an architectural approach to reasoning about relations between heterogeneous system models. The runtime base architecture of the system is used as a unifying representation to compare the structure and semantics of the associated models. Each model is related to the base architecture through the abstraction of an architectural view, which captures structural and semantic correspondences between model elements and system entities. The use of the architectural view framework to relate system models from different domains is illustrated in the context of a quadrotor air vehicle.},
NOTE = {Co-located with RTSS 2010.},
KEYWORDS = {Architectural Style, Cyberphysical Systems} }
|
98 |
@InProceedings{Ruchkin:2015:AAHP,
AUTHOR = {Ruchkin, Ivan and Schmerl, Bradley and Garlan, David},
TITLE = {Architectural Abstractions for Hybrid Programs},
YEAR = {2015},
MONTH = {4-8 May},
BOOKTITLE = {Proceedings of the 18th International ACM Sigsoft Symposium on Component-Based Software Engineering (CBSE 2015)},
ADDRESS = {Montreal, QC, Canada},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/AAHP.pdf},
ABSTRACT = {Modern cyber-physical systems interact closely with continuous physical processes like kinematic movement. Software component frameworks do not provide an explicit way to represent or reason about these processes. Meanwhile, hybrid program models have been successful in proving critical properties of discrete-continuous systems. These programs deal with diverse aspects of a cyber-physical system such as controller decisions, component communication protocols, and mechanical dynamics, requiring several programs to address the variation. However, currently these aspects are often intertwined in mostly monolithic hybrid programs, which are difficult to understand, change, and organize. These issues can be addressed by component-based engineering, making hybrid modeling more practical. This paper lays the foundation for using architectural models to provide component-based benefits to developing hybrid programs. We build formal architectural abstractions of hybrid programs and formulas, enabling analysis of hybrid programs at the component level, reusing parts of hybrid programs, and automatic transformation from views into hybrid programs and formulas. Our approach is evaluated in the context of a robotic collision avoidance case study. },
NOTE = {CBSE Best Paper Award},
KEYWORDS = {Architecture View Consistency, Cyberphysical Systems, Landmark, Software Architecture} }
|
99 |
@InProceedings{Bhave/CPS/2011,
AUTHOR = {Bhave, Ajinkya Y. and Krogh, Bruce and Garlan, David and Schmerl, Bradley},
TITLE = {View Consistency in Architectures for Cyber-Physical Systems},
YEAR = {2011},
MONTH = {April},
BOOKTITLE = {Proceedings of the 2nd ACM/IEEE International Conference on Cyber-Physical Systems},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICCPS11_BKGS.pdf},
ABSTRACT = {Current methods for modeling, analysis, and design
of cyber-physical systems lack a unifying framework due to the
complexity and heterogeneity of the constituent elements and
their interactions. Our approach is to define relationships between
system models at the architectural level, which captures the
structural interdependencies and some semantic interdependencies
between representations without attempting to comprehend
all of the details of any particular modeling formalism. This
paper addresses the issue of defining and evaluating consistency
between architectural views imposed by various heterogeneous
models and a base architecture (BA) for the complete system. This
notion of structural consistency ensures that the model elements
adhere to the cyber and physical types and the connections
between components present in the BA, which serves as the
unifying framework for model-based development. Consistency
checking between a model and the underlying system architecture
is formulated as a typed graph matching problem between
the connectivity graphs of the corresponding architectural view
and the systems BA. The usefulness of the approach to check
system modeling assumptions is illustrated in the context of two
heterogeneous views of a quadrotor air vehicle.},
KEYWORDS = {Architecture View Consistency, Cyberphysical Systems} }
|
100 |
@InProceedings{Rajhans/2011/CPS,
AUTHOR = {Rajhans, Akshay and Bhave, Ajinkya Y. and Loos, Sarah and Krogh, Bruce and Platzer, Andre and Garlan, David},
TITLE = {Using Parameters in Architectural Views to Support Heterogeneous Design and Verification},
YEAR = {2011},
MONTH = {12-15 December},
BOOKTITLE = {50th IEEE Conference on Decision and Control (CDC) and European Control Conference (ECC)},
ADDRESS = {Orlando, FL},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/RBL+_CDC11.pdf},
ABSTRACT = {Current methods for designing cyber-physical systems
lack a unifying framework due to the heterogeneous nature
of the constituent models and their respective analysis and verification
tools. There is a need for a formal representation of the
relationships between the different models. Our approach is to
define these relationships at the architectural level, associating
with each model a particular view of the overall system base
architecture. This architectural framework captures critical
structural and semantic information without including all
the details of the various modeling formalisms. This paper
introduces the use of logical constraints over parameters in the
architectural views to represent the conditions under which the
specifications verified for each model are true and imply the
system-level specification. Interdependencies and connections
between the constraints in the architectural views are managed
in the base architecture using first-order logic of real arithmetic
to ensure consistency and correct reasoning. The approach is
illustrated in the context of heterogeneous verification of a
leader-follower vehicle scenario.},
KEYWORDS = {Architecture View Consistency, Cyberphysical Systems} }
|
101 |
@InProceedings{Barnes/NASA/2012,
AUTHOR = {Barnes, Jeffrey M.},
TITLE = {NASA\'s Advanced Multimission Operations System: A Case Study in Software Architecture Evolution},
YEAR = {2012},
MONTH = {25-28 June},
BOOKTITLE = {Proceedings of the International ACM SIGSOFT Conference on the Quality of Software Architectures 2012},
ADDRESS = {Bertinoro, Italy},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/qosa-12-camera.pdf},
ABSTRACT = {Virtually all software systems of significant size and longevity eventually undergo changes to their basic architectural structure. Such changes may be prompted by new feature requests, new quality attribute requirements, changing technology, or other reasons. Whatever the cause, software architecture evolution is commonplace in real-world software projects. However, research in this area has suffered from problems of validation; previous work has tended to make heavy use of toy examples and hypothetical scenarios and has not been well supported by real-world examples. To help address this problem, this paper presents a case study of an ongoing effort at the Jet Propulsion Laboratory to rearchitect the Advanced Multimission Operations System used to operate NASA�s deep-space and astrophysics missions. Based on examination of project documents and interviews with project personnel, I describe the goals and approach of this evolution effort, then demonstrate how approaches and formal methods from previous research in architecture evolution may be applied to this evolution while using languages and tools already in place at the Jet Propulsion Laboratory.},
KEYWORDS = {Architecture Evolution} }
|
102 |
@InProceedings{Casonova/2011/ARFD,
AUTHOR = {Casanova, Paulo and Schmerl, Bradley and Garlan, David and Abreu, Rui},
TITLE = {Architecture-based Run-time Fault Diagnosis},
YEAR = {2011},
MONTH = {13-16 September},
BOOKTITLE = {Proceedings of the 5th European Conference on Software Architecture},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ecsa2011-abrtfd.pdf},
ABSTRACT = {An important step in achieving robustness to run-time faults is the ability
to detect and repair problems when they arise in a running system. Effective
fault detection and repair could be greatly enhanced by run-time fault diagnosis
and localization, since it would allow the repair mechanisms to focus adaptation
effort on the parts most in need of attention. In this paper we describe
an approach to run-time fault diagnosis that combines architectural models with
spectrum-based reasoning for multiple fault localization. Spectrum-based reasoning
is a lightweight technique that takes a form of trace abstraction and produces
a list (ordered by probability) of likely fault candidates. We show how this technique
can be combined with architectural models to support run-time diagnosis
that can (a) scale to modern distributed software systems; (b) accommodate the
use of black-box components and proprietary infrastructure for which one has
neither a specification nor source code; and (c) handle inherent uncertainty about
the probable cause of a problem even in the face of transient faults and faults that
arise only when certain combinations of system components interact.},
KEYWORDS = {Rainbow, Self-adaptation} }
|
103 |
@InProceedings{2011:Dwivedi:SCORE,
AUTHOR = {Dwivedi, Vishal and Velasco Elizondo, Perla and Maria Fernandes, Jose and Garlan, David and Schmerl, Bradley},
TITLE = {An Architectural Approach to End User Orchestrations},
YEAR = {2011},
MONTH = {13-16 September},
BOOKTITLE = {Proceedings of the 5th European Conference on Software Architecture},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ECSA-EndUserOrchestrations.pdf},
ABSTRACT = {Computations are pervasive across many domains, where end users have to compose various heterogeneous computational entities to perform professional activities. Service-Oriented Architecture (SOA) is a widely used mechanism that can support such forms of compositions as it allows heterogeneous systems to be wrapped as services that can then be combined with each other. However, current SOA orchestration languages require writing scripts that are typically too low-level for end users to write, being targeted at professional programmers and business analysts. To address this problem, this paper proposes an approach based on an architectural-style for service orchestration using an end user specification style called SCORE. SCORE uses high-level constructs that can be tailored for different domains and automatically translated into executable constructs by tool support. We demonstrate the usefulness of SCORE across two domains dynamic network analysis and neuroscience, where users are intelligence analysts and scientists respectively. They can use an architectural style based vocabulary as a basis of their domain-specific},
KEYWORDS = {Architectural Style, Service Composition, Software Architecture, SORASCS} }
|
104 |
@InProceedings{Garlan:2010:SEU:1882362.1882389,
AUTHOR = {Garlan, David},
TITLE = {Software Engineering in an Uncertain World},
YEAR = {2010},
BOOKTITLE = {Proceedings of the FSE/SDP workshop on Future of Software Engineering Research},
PAGES = {125--128},
SERIES = {FoSER '10},
ADDRESS = {New York, NY, USA},
PUBLISHER = {ACM},
URL = {http://doi.acm.org/10.1145/1882362.1882389},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/foser057-garlan.pdf},
ABSTRACT = {In this paper, we argue that the reality of today's software systems requires us to consider uncertainty as a first-class concern in the design, implementation, and deployment of those systems. We further argue that this induces a paradigm shift, and a number of research challenges that must be addressed.},
NOTE = {ISBN 978-1-4503-0427-6},
KEYWORDS = {Software Architecture, Software Engineering, uncertainty} }
|
105 |
@InProceedings{Velasco/Mismatch/2013,
AUTHOR = {Velasco Elizondo, Perla and Dwivedi, Vishal and Garlan, David and Schmerl, Bradley and Maria Fernandes, Jose},
TITLE = {Resolving Data Mismatches in End-User Compositions},
YEAR = {2013},
MONTH = {10-13 June},
BOOKTITLE = {Proceedings of the 4th International Symposium on End-User Development},
ADDRESS = {IT University of Copenhagen, Denmark},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/resolvingDataMismatchesVelasco_Mismatch_2013.pdf},
ABSTRACT = {Many domains such as scientific computing and neuroscience require
end users to compose heterogeneous computational entities to automate their professional
tasks. However, an issue that frequently hampers such composition is
data-mismatches between computational entities. Although, many composition
frameworks today provide support for data mismatch resolution through specialpurpose
data converters, end users still have to put significant effort in dealing
with data mismatches, e.g., identifying the available converters and determining
which of them meet their QoS expectations. In this paper we present an approach
that eliminates this effort by automating the detection and resolution of data mismatches.
Specifically, it uses architectural abstractions to automatically detect
different types of data mismatches, model-generation techniques to fix those mismatches,
and utility theory to decide the best fix based on QoS constraints. We
illustrate our approach in the neuroscience domain where data-mismatches can
be fixed in an efficient manner on the order of few seconds.},
KEYWORDS = {End-user Architecture, SORASCS} }
|
106 |
@InProceedings{Garlan/EUA/2012,
AUTHOR = {Garlan, David and Dwivedi, Vishal and Ruchkin, Ivan and Schmerl, Bradley},
TITLE = {Foundations and Tools for End-User Architecting},
YEAR = {2012},
BOOKTITLE = {Large-Scale Complex IT Systems. Development, Operation and Management, 17th Monterey Workshop 2012, Oxford, UK, March 19-21, 2012},
VOLUME = {7539},
PAGES = {157-182},
EDITOR = {Garlan, David and Calinescu, Radu},
SERIES = {Lecture Notes in Computer Science},
PUBLISHER = {Springer},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/EUA-LNCS.pdf},
ABSTRACT = {Within an increasing number of domains an important emerging need
is the ability for technically naive users to compose computational elements into
novel configurations. Examples include astronomers who create new analysis
pipelines to process telescopic data, intelligence analysts who must process diverse
sources of unstructured text to discover socio-technical trends, and medical
researchers who have to process brain image data in new ways to understand
disease pathways. Creating such compositions today typically requires low-level
technical expertise, limiting the use of computational methods and increasing the
cost of using them. In this paper we describe an approach -- which we term
end-user architecting -- that exploits the similarity between such compositional
activities and those of software architects. Drawing on the rich heritage of software
architecture languages, methods, and tools, we show how those techniques
can be adapted to support end users in composing rich computational systems
through domain-specific compositional paradigms and component repositories,
without requiring that they have knowledge of the low-level implementation details
of the components or the compositional infrastructure. Further, we outline a
set of open research challenges that the area of end-user architecting raises.},
NOTE = {Book Reference: http://www.springer.com/computer/swe/book/978-3-64234058-1},
KEYWORDS = {End-user Architecture, Landmark, Service Composition, SORASCS} }
|
107 |
@InProceedings{2013:Casanova/Garlan,
AUTHOR = {Casanova, Paulo and Garlan, David and Schmerl, Bradley and Abreu, Rui},
TITLE = {Diagnosing architectural run-time failures},
YEAR = {2013},
MONTH = {20-21 May},
BOOKTITLE = {Proceedings of the 8th International Symposium on Software Engineering for Adaptive and Self-Managing Systems},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/darf.pdf},
ABSTRACT = {Self-diagnosis is a fundamental capability of self-adaptive
systems. In order to recover from faults, systems need
to know which part is responsible for the incorrect behavior. In
previous work we showed how to apply a design-time diagnosis
technique at run time to identify faults at the architectural level
of a system. Our contributions address three major shortcomings
of our previous work: 1) we present an expressive, hierarchical
language to describe system behavior that can be used to
diagnose when a system is behaving different to expectation; the
hierarchical language facilitates mapping low level system events
to architecture level events; 2) we provide an automatic way to
determine how much data to collect before an accurate diagnosis
can be produced; and 3) we develop a technique that allows the
detection of correlated faults between components. Our results
are validated experimentally by injecting several failures into a
system and accurately diagnosing them using our algorithm.},
NOTE = {Received SEAMS 2013 Best Paper Award},
KEYWORDS = {Diagnosis, Self-adaptation} }
|
108 |
@InProceedings{Yuan/2013/ABSS,
AUTHOR = {Yuan, Eric and Malek, Sam and Schmerl, Bradley and Garlan, David and Gennari, Jeffrey},
TITLE = {Architecture-Based Self-Protecting Software Systems},
YEAR = {2013},
MONTH = {17-21 June},
BOOKTITLE = {Proceedings of the Ninth International ACM Sigsoft Conference on the Quality of Software Architectures (QoSA 2013)},
PAGES = {33-42},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/p33-yuan.pdf},
ABSTRACT = {Since conventional software security approaches are often manually developed and statically deployed, they are no longer sufficient against today's sophisticated and evolving cyber security threats. This has motivated the development of self-protecting software that is capable of detecting security threats and mitigating them through runtime adaptation techniques. In this paper, we argue for an architecture-based self- protection (ABSP) approach to address this challenge. In ABSP, detection and mitigation of security threats are informed by an architectural representation of the running system, maintained at runtime. With this approach, it is possible to reason about the impact of a potential security breach on the system, assess the overall security posture of the system, and achieve defense in depth. To illustrate the effectiveness of this approach, we present several architecture adaptation patterns that provide reusable detection and mitigation strategies against well-known web application security threats. Finally, we describe our ongoing work in realizing these patterns on top of Rainbow, an existing architecture-based adaptation framework.},
NOTE = {DOI: 10.1145/2465478.2465479},
KEYWORDS = {Rainbow, Science of Security, Self-adaptation} }
|
109 |
@InProceedings{2013:Barnes/TOPI,
AUTHOR = {Barnes, Jeffrey M. and Garlan, David},
TITLE = {Challenges in Developing a Software Architecture Evolution Tool as a Plug-In},
YEAR = {2013},
MONTH = {21 May},
BOOKTITLE = {Proceedings of the 3rd Workshop on Developing Tools as Plug-Ins},
PAGES = {13--18},
ADDRESS = {San Francisco, CA, USA},
ABSTRACT = {Recent research has developed a theoretical basis for
providing software architects with better support for planning
and carrying out major evolutions of software systems. However,
these theoretical models have yet to be implemented in a complete,
integrated tool. In this paper, we consider some of the challenges
involved in developing such a tool as a plug-in to an existing architecture
modeling framework. We present an experience report
based on the development of a prototype architecture evolution
tool as a plug-in to MagicDraw, a commercial UML tool. We
find that there are many practical obstacles to developing tools
for architecture evolution modeling as plug-ins, and we discuss
some of the key factors that plug-in developers should weigh when
considering frameworks.},
KEYWORDS = {Architecture Evolution} }
|
110 |
@InProceedings{Barnes:2013/EvolutionPlanning,
AUTHOR = {Barnes, Jeffrey M. and Pandey, Ashutosh and Garlan, David},
TITLE = {Automated Planning for Software Architecture Evolution},
YEAR = {2013},
MONTH = {11-15 November},
BOOKTITLE = {The 28th IEEE/ACM International Conference on Automated Software Engineering},
ADDRESS = {Silicon Valley, CA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ASE2013-final.pdf},
ABSTRACT = {In previous research, we have developed a theoretical
framework to help software architects make better decisions when
planning software evolution. Our approach is based on representation
and analysis of candidate evolution pathssequences of transitional
architectures leading from the current system to a desired
target architecture. One problem with this kind of approach is
that it imposes a heavy burden on the software architect, who
must explicitly define and model these candidate paths. In this
paper, we show how automated planning techniques can be used
to support automatic generation of evolution paths, relieving this
burden on the architect. We illustrate our approach by applying
it to a data migration scenario, showing how this architecture
evolution problem can be translated into a planning problem and
solved using existing automated planning tools.},
KEYWORDS = {Architecture Evolution} }
|
111 |
@InProceedings{2013/Casanova/Unobserved,
AUTHOR = {Casanova, Paulo and Garlan, David and Schmerl, Bradley and Abreu, Rui},
TITLE = {Diagnosing Unobserved Components in Self-Adaptive Systems},
YEAR = {2014},
MONTH = {2-3 June},
BOOKTITLE = {9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ADDRESS = {Hyderabad, India},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/unobserved2013_Casanova_Unobserved.pdf},
ABSTRACT = {Availability is an increasingly important quality for today's
software-based systems and it has been successfully addressed
by the use of closed-loop control systems in self-adaptive systems.
Probes are inserted into a running system to obtain
information and the information is fed to a controller that,
through provided interfaces, acts on the system to alter its
behavior. When a failure is detected, pinpointing the source
of the failure is a critical step for a repair action. However,
information obtained from a running system is commonly
incomplete due to probing costs or unavailability of probes.
In this paper we address the problem of fault localization
in the presence of incomplete system monitoring. We may
not be able to directly observe a component but we may be
able to infer its health state. We provide formal criteria to
determine when health states of unobservable components
can be inferred and establish formal theoretical bounds for
accuracy when using any spectrum-based fault localization
algorithm.},
KEYWORDS = {Diagnosis, Self-adaptation} }
|
112 |
@InProceedings{2014/Dwivedi/Mutlifidelity,
AUTHOR = {Dwivedi, Vishal and Garlan, David and Pfeffer, J\"{u}rgen and Schmerl, Bradley},
TITLE = {Model-based Assistance for Making Time/Fidelity Trade-offs in Component Compositions},
YEAR = {2014},
MONTH = {7-9 April},
BOOKTITLE = {11th International Conference on Information Technology : New Generations (ITNG 2014), Special track on: MDCBSE: Model-Driven, Component-Based Software Engineering},
ADDRESS = {Las Vegas, NV},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ITNGpaper.pdf},
ABSTRACT = {In many scientific fields, simulations and analyses
require compositions of computational entities such as web services,
programs, and applications. In such fields, users may
want various trade-offs between different qualities. Examples
include: (i) performing a quick approximation vs. an accurate, but
slower, experiment, (ii) using local slower execution environments
vs. remote, but advanced, computing facilities, (iii) using quicker
approximation algorithms vs. computationally expensive algorithms
with smaller data. However, such trade-offs are difficult
to make as many such decisions today are either (a) wired into
a fixed configuration and cannot be changed, or (b) require
detailed systems knowledge and experimentation to determine
what configuration to use. In this paper we propose an approach
that uses architectural models coupled with automated design
space generation for making fidelity and timeliness trade-offs. We
illustrate this approach through an example in the intelligence
analysis domain.},
KEYWORDS = {Acme, End-user Architecture, Model Checking, Mult-fidelity Applications, Resource Aware Computing} }
|
113 |
@InProceedings{2014/Schmerl/ABSP-DoS,
AUTHOR = {Schmerl, Bradley and C\'{a}mara, Javier and Gennari, Jeffrey and Garlan, David and Casanova, Paulo and Moreno, Gabriel A. and Glazier, Thomas J. and Barnes, Jeffrey M.},
TITLE = {Architecture-Based Self-Protection: Composing and Reasoning about Denial-of-Service Mitigations},
YEAR = {2014},
MONTH = {8-9 April},
BOOKTITLE = {HotSoS 2014: 2014 Symposium and Bootcamp on the Science of Security},
ADDRESS = {Raleigh, NC, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/absp-dos2014_Schmerl_ABSP-DoS.pdf},
ABSTRACT = {Security features are often hardwired into software
applications, making it difficult to adapt security responses to
reflect changes in runtime context and new attacks. In prior
work, we proposed the idea of architecture-based self-protection
as a way of separating adaptation logic from application logic
and providing a global perspective for reasoning about security
adaptations in the context of other business goals. In this paper,
we present an approach, based on this idea, for combating denial-of-
service (DoS) attacks. Our approach allows DoS-related tactics
to be composed into more sophisticated mitigation strategies
that encapsulate possible responses to a security problem. Then,
utility-based reasoning can be used to consider different business
contexts and qualities. We describe how this approach forms the
underpinnings of a scientific approach to self-protection, allowing
us to reason about how to make the best choice of mitigation
at runtime. Moreover, we also show how formal analysis can
be used to determine whether the mitigations cover the range
of conditions the system is likely to encounter, and the effect of
mitigations on other quality attributes of the system. We evaluate
the approach using the Rainbow self-adaptive framework and
show how Rainbow chooses DoS mitigation tactics that are
sensitive to different business contexts.},
KEYWORDS = {Assurance, Autonomic Systems, Landmark, Model Checking, Rainbow, Science of Security, Self-adaptation, Stitch} }
|
114 |
@InProceedings{Camara/Stochastic/2014,
AUTHOR = {C\'{a}mara, Javier and Moreno, Gabriel A. and Garlan, David},
TITLE = {Stochastic Game Analysis and Latency Awareness for Proactive Self-Adaptation},
YEAR = {2014},
MONTH = {2-3 June},
BOOKTITLE = {9th International Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ADDRESS = {Hyderabad, India},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/stochastic-proactive.pdf},
ABSTRACT = {Although different approaches to decision-making in self-
adaptive systems have shown their effectiveness in the past
by factoring in predictions about the system and its environment (e.g., resource availability), no proposal considers the
latency associated with the execution of tactics upon the target system. However, different adaptation tactics can take
different amounts of time until their effects can be observed.
In reactive adaptation, ignoring adaptation tactic latency
can lead to suboptimal adaptation decisions (e.g., activating a server that takes more time to boot than the transient
spike in traffic that triggered its activation). In proactive
adaptation, taking adaptation latency into account is necessary to get the system into the desired state to deal with
an upcoming situation. In this paper, we introduce a formal analysis technique based on model checking of stochastic multiplayer games (SMGs) that enables us to quantify
the potential benefits of employing different types of algorithms for self-adaptation. In particular, we apply this technique to show the potential benefit of considering adaptation tactic latency in proactive adaptation algorithms. Our
results show that factoring in tactic latency in decision making improves the outcome of adaptation. We also present an
algorithm to do proactive adaptation that considers tactic
latency, and show that it achieves higher utility than an algorithm that under the assumption of no latency is optimal.},
KEYWORDS = {Assurance, Landmark, Latency-aware, Model Checking, Self-adaptation} }
|
115 |
@InProceedings{2014/Ruchkin/CBI,
AUTHOR = {Ruchkin, Ivan and De Niz, Dio and Chaki, Sagar and Garlan, David},
TITLE = {Contract-Based Integration of Cyber-Physical Analyses},
YEAR = {2014},
MONTH = {12-17 October},
BOOKTITLE = {Embedded Systems Week},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/paper-camera-ready-ieee-verified-178-EM82.pdf},
ABSTRACT = {Developing cyber-physical systems involves creating systems
with properties from multiple domains, e.g., timing, logical
correctness, thermal resilience, aerodynamics, and mechanical
stress. In today�s industrial practice, multiple analyses
are used to obtain and verify such properties. Unfortunately,
given that these analyses originate from different
scientific domains, they abstract away interactions among
themselves, risking the invalidation of their results. Specifically,
one challenge is to ensure that an analysis is never
applied to a model that violates its assumptions. Since such
violation can originate from the updating of the model by
another analysis, analyses must be executed in the correct
order. Another challenge is to do this soundly and scalably
over models of realistic complexity and diverse set of analyses.
To address these challenges, we develop an analysis
integration approach that uses contracts to specify dependencies
between analyses, determine their correct orders of
application, and specify and verify applicability conditions
across multiple domains. We present an implementation of
our approach, and demonstrate its effectiveness, extensibility,
and scalability.},
KEYWORDS = {Cyberphysical Systems, Landmark} }
|
116 |
@InProceedings{Garlan:2014:SAT:2593882.2593886,
AUTHOR = {Garlan, David},
TITLE = {Software Architecture: A Travelogue},
YEAR = {2014},
BOOKTITLE = {Proceedings of the on Future of Software Engineering},
PAGES = {29--39},
SERIES = {FOSE 2014},
ADDRESS = {New York, NY, USA },
PUBLISHER = {ACM},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/GarlanFOSE-Final-Rev.pdf},
ABSTRACT = {Over the past two and a half decades software architecture has
emerged as an important subfield of software engineering. During
that time there has been considerable progress in developing the
technological and methodological base for treating architectural
design as an engineering discipline. However, much still remains
to be done to achieve that. Moreover, the changing face of
technology raises a number of challenges for software
architecture. This travelogue recounts the history of the field, its
current state of practice and research, and speculates on some of
the important emerging trends, challenges, and aspirations},
NOTE = {ISBN 978-1-4503-2865-4. Also available from ACM DOI: 10.1145/2593882.2593886.} }
|
117 |
@InProceedings{Camara/2014/Qosa,
AUTHOR = {C\'{a}mara, Javier and Correia, Pedro and de Lemos, Rog\'{e}rio and Vieira, Marco},
TITLE = {Empirical Resilience Evaluation of an Architecture-based Self-Adaptive Software System},
YEAR = {2014},
MONTH = {30 June - 3 July},
BOOKTITLE = {Tenth International ACM Sigsoft Conference on the Quality of Software Architectures},
ADDRESS = {Lille, France},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/QoSA14.pdf},
ABSTRACT = {Architecture-based self-adaptation is considered as a promising approach to drive down the development and opera-
tion costs of complex software systems operating in ever
changing environments. However, there is still a lack of
evidence supporting the arguments for the beneficial impact of architecture-based self-adaptation on resilience with
respect to other customary approaches, such as embedded
code-based adaptation. In this paper, we report on an empirical study about the impact on resilience of incorporating
architecture-based self-adaptation in an industrial middleware used to collect data in highly populated networks of
devices. To this end, we compare the results of resilience
evaluation between the original version of the middleware,
in which adaptation mechanisms are embedded at the code-
level, and a modified version of that middleware in which the
adaptation mechanisms are implemented using Rainbow, a
framework for architecture-based self-adaptation. Our results show improved levels of resilience in architecture-based
compared to embedded code-based self-adaptation.},
NOTE = {ACM SIGSOFT QoSA Distinguished Paper Award},
KEYWORDS = {Assurance, Landmark, Rainbow, Self-adaptation} }
|
118 |
@InProceedings{Camara/FACS2014,
AUTHOR = {C\'{a}mara, Javier and Lopes, Ant\'{o}nia and Garlan, David and Schmerl, Bradley},
TITLE = {Impact Models for Architecture-Based Self-Adaptive Systems},
YEAR = {2014},
MONTH = {10-12 September},
BOOKTITLE = {Proceedings of the 11th International Symposium on Formal Aspects of Component Software (FACS2014)},
ADDRESS = {Bertinoro, Italy},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/LGC-IM-submitted.pdf},
ABSTRACT = {Self-adaptive systems have the ability to adapt their behavior to dynamic operation conditions. In reaction to changes in the environment, these systems determine the appropriate corrective actions based in part on information
about which action will have the best impact on the system. Existing models used to describe the impact of adaptations are either unable to capture the underlying uncertainty and variability of such dynamic environments, or are not compositional and described at a level of abstraction too low to scale in terms of specification effort required for non-trivial systems. In this paper, we address these
shortcomings by describing an approach to the specification of impact models based on architectural system descriptions, which at the same time allows us to represent both variability and uncertainty in the outcome of adaptations, hence improving the selection of the best corrective action. The core of our approach is an impact model language equipped with a formal semantics defined in terms
of Discrete Time Markov Chains. To validate our approach, we show how employing our language can improve the accuracy of predictions used for decision-making in the Rainbow framework for architecture-based self-adaptation.},
KEYWORDS = {Autonomic Systems, Benchmark, Rainbow, Self-adaptation, Self-awareness & Adaptation, Stitch} }
|
119 |
@InProceedings{ruchkin/active/2014,
AUTHOR = {Ruchkin, Ivan and De Niz, Dio and Chaki, Sagar and Garlan, David},
TITLE = {ACTIVE: A Tool for Integrating Analysis Contracts},
YEAR = {2014},
MONTH = {2 December},
BOOKTITLE = {The 5th Analytic Virtual Integration of Cyber-Physical Systems Workshop},
ADDRESS = {Rome, Italy},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/avicps14-camera-ready.pdf},
ABSTRACT = {Development of modern Cyber-Physical Systems (CPS) re-
lies on a number of analysis tools to verify critical properties. The Architecture Analysis and Design Language
(AADL) standard provides a common architectural model
to which multiple CPS analyses can be applied. Unfortunately, interaction between these analyses can invalidate their results. In this paper we present ACTIVE, a tool developed within the OSATE/AADL infrastructure to solve this problem. We analyze the problems that occur when multiple analyses are applied to an AADL model and how these problems invalidate analysis results. Interactions between analyses, implemented as OSATE plugins, are formally described in ACTIVE in order to enable automatic verification.
In particular, these interactions are captured in an analysis contract consisting of inputs, outputs, assumptions, and guarantees. The inputs and outputs help determine the correct order of execution of the plugins. Assumptions capture the conditions that must be valid in order to execute an analysis plugin, while guarantees are conditions that are expected to be valid afterwards. ACTIVE allows the use of any generic verification tool (e.g., a model checker) to validate these conditions. To coordinate these activities our tool uses two components: ACTIVE EXECUTER and ACTIVE VERIFIER. ACTIVE EXECUTER invokes the analysis plugins in the required order and uses ACTIVE VERIFIER to check assumptions and guarantees. ACTIVE VERIFIER identifies and executes the verification tool that needs to be invoked based on the target formula. Together, they ensure that plugins are always executed in the correct order and under the correct conditions, guaranteeing correct results.
To the best of our knowledge, ACTIVE is the first extensible framework that integrates independently-developed analysis plugins ensuring provably-correct interactions.},
KEYWORDS = {Cyberphysical Systems, Formal Methods} }
|
120 |
@InProceedings{Camara2015DADS,
AUTHOR = {C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley and Pandey, Ashutosh},
TITLE = {Optimal Planning for Architecture-Based Self-Adaptation via Model Checking of Stochastic Games},
YEAR = {2015},
MONTH = {13-17 April},
BOOKTITLE = {Proceedings of the 10th DADS Track of the 30th ACM Symposium on Applied Computing},
ADDRESS = {Salamanca, Spain},
ABSTRACT = {Architecture-based approaches to self-adaptation rely on architectural descriptions to reason about the best way of adapting the structure and behavior of software-intensive systems at run time, either by choosing among a set of predefined adaptation strategies, or by automatically generating adaptation plans. Predefined strategy selection has allow computational overhead and facilitates dealing with uncertainty (e.g., by accounting explicitly for contingencies derived from unexpected outcomes of actions), but requires additional designer effort regarding the specification of strategies and is unable to guarantee optimal solutions. In contrast, run time plan generation is able to explore a richer
solution space and provide optimal solutions in some cases,
but is more limited when dealing with uncertainty, and incurs higher computational overheads. In this paper, we
propose an approach to optimal adaptation plan generation for architecture-based self-adaptation via model checking of stochastic multiplayer games (SMGs). Our approach
enables: (i) trade-off analysis among different qualities by means of utility functions and preferences, and (ii) explicit modeling of uncertainty in the outcome of adaptation actions and the behavior of the environment. Basing on the concepts embodied in the Rainbow framework for self-adaptation, we illustrate our approach in Znn.com, a case study
that reproduces the infrastructure for a news website.},
KEYWORDS = {Assurance, Model Checking, Planning, Self-adaptation, Stochastic Games} }
|
121 |
@InProceedings{Camara/2015/Human,
AUTHOR = {C\'{a}mara, Javier and Moreno, Gabriel A. and Garlan, David},
TITLE = {Reasoning about Human Participation in Self-Adaptive Systems},
YEAR = {2015},
MONTH = {18-19 May},
BOOKTITLE = {Proceedings of the 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2015)},
ADDRESS = {Florence, Italy},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams15.pdf},
ABSTRACT = {Self-adaptive systems overcome many of the limitations of human supervision in complex software-intensive systems
by endowing them with the ability to automatically adapt their
structure and behavior in the presence of runtime changes.
However, adaptation in some classes of systems (e.g., safety-
critical) can benefit by receiving information from humans (e.g.,
acting as sophisticated sensors, decision-makers), or by involving
them as system-level effectors to execute adaptations (e.g., when
automation is not possible, or as a fallback mechanism). However,
human participants are influenced by factors external to the
system (e.g., training level, fatigue) that affect the likelihood
of success when they perform a task, its duration, or even if
they are willing to perform it in the first place. Without careful
consideration of these factors, it is unclear how to decide when to
involve humans in adaptation, and in which way. In this paper,
we investigate how the explicit modeling of human participants
can provide a better insight into the trade-offs of involving
humans in adaptation. We contribute a formal framework to
reason about human involvement in self-adaptation, focusing on
the role of human participants as actors (i.e., effectors) during
the execution stage of adaptation. The approach consists of:
(i) a language to express adaptation models that capture factors
affecting human behavior and its interactions with the system,
and (ii) a formalization of these adaptation models as stochastic
multiplayer games (SMGs) that can be used to analyze human-
system-environment interactions. We illustrate our approach in
an adaptive industrial middleware used to monitor and manage
sensor networks in renewable energy production plants.},
KEYWORDS = {Assurance, Human-in-the-loop, Self-adaptation, Self-awareness & Adaptation, Stochastic Games} }
|
122 |
@InProceedings{Coker/2015,
AUTHOR = {Coker, Zack and Garlan, David and Le Goues, Claire},
TITLE = {SASS: Self-adaptation using stochastic search},
YEAR = {2015},
MONTH = {18-19 May},
BOOKTITLE = {Proceedings 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2015)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PID3582925.pdf},
ABSTRACT = {Future-generation self-adaptive systems will need
to be able to optimize for multiple interrelated, difficult-to-measure,
and evolving quality properties. To navigate this complex
search space, current self-adaptive planning techniques
need to be improved. In this position paper, we argue that the
research community should more directly pursue the application
of stochastic search techniquessearch techniques, such as hill
climbing or genetic algorithms, that incorporate an element of
randomnessto self-adaptive systems research. These techniques
are well-suited to handling multi-dimensional search spaces and
complex problems, situations which arise often for self-adaptive
systems. We believe that recent advances in both fields make this
a particularly promising research trajectory. We demonstrate
one way to apply some of these advances in a search-based
planning prototype technique to illustrate both the feasibility and
the potential of the proposed research. This strategy informs
a number of potentially interesting research directions and
problems. In the long term, this general technique could enable
sophisticated plan generation techniques that improve domain
specific knowledge, decrease human effort, and increase the
application of self-adaptive systems.},
KEYWORDS = {Self-adaptation} }
|
123 |
@InProceedings{2015/Moreno/PMC,
AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley},
TITLE = {Proactive Self-Adaptation under Uncertainty: a Probabilistic Model Checking Approach},
YEAR = {2015},
MONTH = {30 August - 4 September},
BOOKTITLE = {Proceedings of the 10th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering},
ADDRESS = {Bergamo, Italy},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fse15main-mainid213-p-1d01012-24621-final.pdf},
ABSTRACT = {Self-adaptive systems tend to be reactive and myopic, adapting
in response to changes without anticipating what the
subsequent adaptation needs will be. Adapting reactively
can result in inefficiencies due to the system performing a
suboptimal sequence of adaptations. Furthermore, when
adaptations have latency, and take some time to produce
their effect, they have to be started with sufficient lead time
so that they complete by the time their effect is needed.
Proactive latency-aware adaptation addresses these issues
by making adaptation decisions with a look-ahead horizon
and taking adaptation latency into account. In this paper we
present an approach for proactive latency-aware adaptation
under uncertainty that uses probabilistic model checking for
adaptation decisions. The key idea is to use a formal model
of the adaptive system in which the adaptation decision is
left underspecified through nondeterminism, and have the
model checker resolve the nondeterministic choices so that
the accumulated utility over the horizon is maximized. The
adaptation decision is optimal over the horizon, and takes
into account the inherent uncertainty of the environment
predictions needed for looking ahead. Our results show that
the decision based on a look-ahead horizon, and the factoring
of both tactic latency and environment uncertainty, considerably
improve the effectiveness of adaptation decisions.},
KEYWORDS = {Latency-aware, Model Checking, Self-adaptation, Self-awareness & Adaptation, Stochastic Games} }
|
124 |
@InProceedings{Pandey:SASO:2016,
AUTHOR = {Pandey, Ashutosh and Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David},
TITLE = {Hybrid Planning for Decision Making in Self-Adaptive Systems},
YEAR = {2016},
MONTH = {12-16 September},
BOOKTITLE = {Proceedings of the 10th IEEE International Conference on Self-Adaptive and Self-Organizing Systems (SASO 2016)},
ADDRESS = {Augsburg, Germany},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SASO2016.pdf},
ABSTRACT = {Run-time generation of adaptation plans is a powerful
mechanism that helps a self-adaptive system to meet its goals
in a dynamically changing environment. In the past, researchers
have demonstrated successful use of various automated planning
techniques to generate adaptation plans at run time. However, for
a planning technique, there is often a trade-off between timeliness
and optimality of the solution. For some self-adaptive systems,
ideally, one would like to have a planning approach that is both
quick and finds an optimal adaptation plan. To find the right
balance between these conflicting requirements, this paper introduces
a hybrid planning approach that combines more than one
planner to obtain the benefits of each. In this paper, to instantiate
a hybrid planner we combine deterministic planning with Markov
Decision Process (MDP) planning to obtain the best of both worlds:
deterministic planning provides plans quickly when timeliness is
critical, while allowing MDP planning to generate optimal plans
when the system has sufficient time to do so. We validate the
hybrid planning approach using a realistic workload pattern in
a simulated cloud-based self-adaptive system.},
KEYWORDS = {Planning, Self-adaptation} }
|
125 |
@InProceedings{Ruchkin/2015/AC-SPC,
AUTHOR = {Ruchkin, Ivan and Rao, Ashwini and De Niz, Dio and Chaki, Sagar and Garlan, David},
TITLE = {Eliminating Inter-Domain Vulnerabilities in Cyber-Physical
Systems: An Analysis Contracts Approach},
YEAR = {2015},
MONTH = {16 October},
BOOKTITLE = {Proceedings of the First ACM Workshop on Cyber-Physical Systems Security and Privacy},
ADDRESS = {Denver, Colorado},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/AC for SPC-camera-ready-preprint-v2.pdf},
ABSTRACT = {Designing secure cyber-physical systems (CPS) is a particularly
difficult task since security vulnerabilities stem not
only from traditional cybersecurity concerns, but also physical
ones as well. Many of the standard methods for CPS
design make strong and unverified assumptions about the
trustworthiness of physical devices, such as sensors. When
these assumptions are violated, subtle inter-domain vulnerabilities
are introduced into the system model. In this paper
we propose to use formal specification of analysis contracts
to expose security assumptions and guarantees of analyses
from reliability, control, and sensor security domains. We
show that this specification allows us to determine where
these assumptions are violated or ignore important failure
modes that open the door to malicious attacks. We demonstrate
how this approach can help discover and prevent vulnerabilities
in a self-driving car example.},
KEYWORDS = {Cyberphysical Systems, Science of Security} }
|
126 |
@InProceedings{Glazier/2015/CAS,
AUTHOR = {Glazier, Thomas J. and C\'{a}mara, Javier and Schmerl, Bradley and Garlan, David},
TITLE = {Analyzing Resilience Properties of Different Topologies of Collective Adaptive Systems},
YEAR = {2015},
MONTH = {21 September},
BOOKTITLE = {Proceedings of the 3rd FoCAS Workshop on the Fundamentals of Collective Adaptive Systems},
ADDRESS = {Boston, MA, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PID3850133.pdf},
ABSTRACT = {Modern software systems are often compositions
of entities that increasingly use self-adaptive capabilities to
improve their behavior to achieve systematic quality goals. Self-adaptive
managers for each component system attempt to provide
locally optimal results, but if they cooperated and potentially
coordinated their efforts it might be possible to obtain more
globally optimal results. The emergent properties that result
from such composition and cooperation of self-adaptive systems
are not well understood, difficult to reason about, and
present a key challenge in the evolution of modern software
systems. For example, the effects of coordination patterns and
protocols on emergent properties such as the resiliency of the
collectives need to be understood when designing these systems.
In this paper we propose that probabilistic model checking
of stochastic multiplayer games (SMG) provides a promising
approach to analyze, understand, and reason about emergent
properties in collectives of adaptive systems (CAS). Probabilistic
Model Checking of SMGs is a technique particularly suited
to analyzing emergent properties in CAS, since SMG models
capture: (i) the uncertainty and variability intrinsic to the CAS
and its execution environment in the form of probabilistic and
nondeterministic choices, and (ii) the competitive/cooperative
aspects of the interplay among the constituent systems of the
CAS. Analysis of SMGs allows us to reason about things like
the worst case scenarios, which constitutes a new contribution
to understanding emergent properties in CAS. We investigate
the use of SMGs to show how they can be useful in analyzing
the impact of communication topology for collections of fully
cooperative systems defending against an external attack.
},
KEYWORDS = {Assurance, Coordination, Model Checking, Self-adaptation, Stochastic Games} }
|
127 |
@InProceedings{Ruchkin/2015/loops,
AUTHOR = {Ruchkin, Ivan and Schmerl, Bradley and Garlan, David},
TITLE = {Analytic Dependency Loops in Architectural Models of Cyber-Physical Systems},
YEAR = {2015},
MONTH = {28 September},
BOOKTITLE = {Proceedings of the 8th International Workshop on Model-based Architecting of Cyber-Physical and Embedded Systems},
ADDRESS = {Ottawa, Canada},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MBA-CPS.pdf},
ABSTRACT = {Rigorous engineering of safety-critical Cyber-
Physical Systems (CPS) requires integration of heterogeneous
modeling methods from different disciplines. It is often necessary
to view this integration from the perspective of analyses
algorithms that read and change models. Although analytic
integration supports formal contract-based verification of model
evolution, it suffers from the limitation of analytic dependency
loops. Dependency loops between analyses cannot be resolved
based on the existing contract-based verification. This paper
makes a step towards using rich architectural description to
resolve circular analytic dependencies. We characterize the dependency
loop problem and discuss three algorithmic approaches
to resolving such loops: analysis iteration, constraint solving, and
genetic search. These approaches take advantage of information
in multi-view architectures to resolve analytic dependency loops.},
KEYWORDS = {Architecture View Consistency, Cyberphysical Systems} }
|
128 |
@InProceedings{Sukkerd/2015/SEFM,
AUTHOR = {Sukkerd, Roykrong and Garlan, David and Simmons, Reid},
TITLE = {Task Planning of Cyber-Human Systems},
YEAR = {2015},
MONTH = {7-11 September},
BOOKTITLE = {Proceedings of the 13th International Conference on Software Engineering and Formal Methods},
VOLUME = {9276},
SERIES = {LNCS },
ADDRESS = {York, UK},
PUBLISHER = {Springer},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEFM15_Sukkerd_Springer.pdf},
ABSTRACT = {Internet of Things (IoT) allows for cyber-physical applications
to be created and composed to provide intelligent support or
automation of end-user tasks. For many of such tasks, human participation
is crucial to the success and the quality of the tasks. The cyber
systems should proactively request help from the humans to accomplish
the tasks when needed. However, the outcome of such system-human
synergy may be affected by factors external to the systems. Failure to
consider those factors when involving human participants in the tasks
may result in suboptimal performance and negative experience on the
humans. In this paper, we propose an approach for automated generation
of control strategies of cyber-human systems. We investigate how
explicit modeling of human participant can be used in automated planning
to generate cooperative strategy of human and system to achieve a
given task, by means of which best and appropriately utilize the human.
Specifically, our approach consists of: (1) a formal framework for modeling
cooperation between cyber system and human, and (2) a formalization
of system-human cooperative task planning as strategy synthesis
of stochastic multiplayer game. We illustrate our approach through an
example of indoor air quality control in smart homes.},
KEYWORDS = {Activity-oriented Computing, Cyberphysical Systems, Human-in-the-loop, Model Checking, Ubiquitous Computing} }
|
129 |
@InProceedings{2015/Ruchkin/MODELS,
AUTHOR = {Ruchkin, Ivan},
TITLE = {Architectural and Analytic Integration of Cyber-Physical System Models},
YEAR = {2015},
MONTH = {30 September - 2 October},
BOOKTITLE = {ACM/IEEE 18th International Conference on Model Driven Engineering Languages and Systems, ACM Student Research Award Competition},
ADDRESS = {Ottawa, Canada},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SRC-131.pdf},
ABSTRACT = {Modeling methods for Cyber-Physical Systems
(CPS) originate in various engineering fields, and are difficult to
use together due to their heterogeneity. Inconsistencies between
mutually oblivious models and analyses often lead to implicit design
errors, which may cause catastrophic failures of critical CPS.
Such consistency issues are not fully solved by the state-of-the-art
integration methods, which lack generality, formal guarantees,
and effectiveness. To overcome these limitations and achieve
better integration, this paper outlines a two-level integration
approach based on architectural views and analysis contracts.
In particular, this paper proposes languages and algorithms
to specify and verify important integration properties, such as
correct analysis execution and rich consistency of architectural
views. According to the results to date, this approach shows
promise in detection and prevention of implicit errors, which
would be difficult to fix otherwise.
},
NOTE = {Gold Medal Winner},
KEYWORDS = {Cyberphysical Systems} }
|
130 |
@InProceedings{2016/Lamba/MBAD,
AUTHOR = {Lamba, Hemank and Glazier, Thomas J. and Schmerl, Bradley and C\'{a}mara, Javier and Garlan, David and Pfeffer, J\"{u}rgen},
TITLE = {A Model-based Approach to Anomaly Detection in Software Architectures (Poster)},
YEAR = {2016},
MONTH = {19-21 April},
BOOKTITLE = {Symposium and Bootcamp on the Science of Security},
ADDRESS = {Pittsburgh, PA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ModelBasedAnomalyDetection.pdf},
ABSTRACT = {In an organization, the interactions users have with software leaves patterns or traces of the parts of the systems accessed. These interactions can be associated with the underlying software architecture. The first step in detecting problems like insider threat is to detect those traces that are anomalous.
In this paper, we present a method to find anomalous users leveraging these interaction traces, categorized by user roles. We propose a model based approach to cluster user sequences and find outliers. Such a technique could be useful in finding potentially anomalous users, insiders, or compromised accounts.We show that the approach works on a simulation of a large scale system based on and Amazon Web application style.},
KEYWORDS = {Science of Security, Software Architecture} }
|
131 |
@InProceedings{2016:Schmerl:Raindroid,
AUTHOR = {Schmerl, Bradley and Gennari, Jeffrey and C\'{a}mara, Javier and Garlan, David},
TITLE = {Raindroid - A System for Run-time Mitigation of Android Intent Vulnerabilities (Poster)},
YEAR = {2016},
MONTH = {19-21 April},
BOOKTITLE = {Symposium and Bootcamp on the Science of Security},
ADDRESS = {Pittsburgh, PA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/raindroid-poster.pdf},
ABSTRACT = {Modern frameworks are required to be extendable as well
as secure. However, these two qualities are often at odds.
In this poster we describe an approach that uses a combination of static analysis and run-time management, based
on software architecture models, that can improve security
while maintaining framework extendability. We implement
a prototype of the approach for the Android platform. Static
analysis identifies the architecture and communication patterns among the collection of apps on an Android device
and which communications might be vulnerable to attack.
Run-time mechanisms monitor these potentially vulnerable
communication patterns, and adapt the system to either
deny them, request explicit approval from the user, or allow them.},
KEYWORDS = {Human-in-the-loop, Rainbow, Science of Security} }
|
132 |
@InProceedings{2016:Moreno:plasdp,
AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley},
TITLE = {Efficient Decision-Making under Uncertainty for Proactive Self-Adaptation},
YEAR = {2016},
MONTH = {19-22 July},
BOOKTITLE = {Proceedings of the 13th IEEE International Conference on Autonomic Computing (ICAC 2016)},
ADDRESS = {W\"{u}rzburg, Germany},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/gmoreno-icac2016.pdf},
ABSTRACT = {Proactive latency-aware adaptation is an approach
for self-adaptive systems that improves over reactive adaptation
by considering both the current and anticipated adaptation needs
of the system, and taking into account the latency of adaptation
tactics so that they can be started with the necessary lead time.
Making an adaptation decision with these characteristics requires
solving an optimization problem to select the adaptation path that
maximizes an objective function over a finite look-ahead horizon.
Since this is a problem of selecting adaptation actions in the
context of the probabilistic behavior of the environment, Markov
decision processes (MDP) are a suitable approach. However, given
all the possible interactions between the different and possibly
concurrent adaptation tactics, the system, and the environment,
constructing the MDP is a complex task. Probabilistic model
checking can be used to deal with this problem since it takes
as input a formal specification of the stochastic system, which
is internally translated into an MDP, and solved. One drawback
of this solution is that the MDP has to be constructed every
time an adaptation decision has to be made to incorporate the
latest predictions of the environment behavior. In this paper
we present an approach that eliminates that run-time overhead
by constructing most of the MDP offline, also using formal
specification. At run time, the adaptation decision is made by
solving the MDP through stochastic dynamic programming,
weaving in the stochastic environment model as the solution
is computed. Our experimental results show that this approach
reduces the adaptation decision time by an order of magnitude
compared to the probabilistic model checking approach, while
producing the same results.},
NOTE = {Selected as a best paper.},
KEYWORDS = {Latency-aware, Self-adaptation} }
|
133 |
@InProceedings{2016/Sukkerd/SEsCPS,
AUTHOR = {Sukkerd, Roykrong and C\'{a}mara, Javier and Garlan, David and Simmons, Reid},
TITLE = {Multiscale Time Abstractions for Long-Range Planning under Uncertainty},
YEAR = {2016},
MONTH = {16 May},
BOOKTITLE = {Proceedings of the 2nd ICSE Workshop on Software Engineering for Smart Cyberphysical Systems},
ADDRESS = {Austin, Texas},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEsCPS20162016_Sukkerd_SEsCPS.pdf},
ABSTRACT = {Planning in CPSs requires temporal reasoning to handle the
dynamics of the environment, including human behavior, as
well as temporal constraints on system goals and durations
of actions that systems and human actors may take. The
discrete abstraction of time in a state space planning should
have a time sampling parameter value that satisfies some
relation to achieve a certain precision. In particular, the
sampling period should be small enough to allow the dynamics
of the problem domain to be modeled with sufficient
precision. Meanwhile, in many cases, events in the far future
(relative to the sampling period) may be relevant to the
decision making earlier in the planning timeline; therefore,
a longer planning look-ahead horizon can yield a closer-to-optimal
plan. Unfortunately, planning with a uniform fine-grained
discrete abstraction of time and a long look-ahead
horizon is typically computationally infeasible. In this paper,
we propose a multiscale temporal planning approach {
formulated as MDP planning { to preserve the required time
fidelity of the problem domain and at the same time approximate
a globally optimal plan. We illustrate our approach
in a middleware used to monitor large sensor networks.},
KEYWORDS = {Cyberphysical Systems, Planning, uncertainty} }
|
134 |
@InProceedings{2016/Neves/IoTBD,
AUTHOR = {Neves, Pedro Caldeira and Schmerl, Bradley and Bernardino, Jorge and C\'{a}mara, Javier},
TITLE = {Big Data in Cloud Computing: features and issues},
YEAR = {2016},
MONTH = {23-25 April},
BOOKTITLE = {Proceedings of the 2016 International Conference on Internet of Things and Big Data},
ADDRESS = {Rome, Italy},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IoTBD_2016_10.pdf},
ABSTRACT = {The term big data arose under the explosive increase of global data as a technology that is able to store and process big and varied volumes of data, providing both enterprises and science with deep insights over its clients/experiments. Cloud computing provides a reliable, fault-tolerant, available and scalable environment to harbour big data distributed management systems. Within the context of this paper we present an overview of both technologies and cases of success when integrating big data and cloud frameworks. Although big data solves much of our current problems it still presents some gaps and issues that raise concern and need improvement. Security, privacy, scalability, data governance policies, data heterogeneity, disaster recovery mechanisms, and other challenges are yet to be addressed. Other concerns are related to cloud computing and its ability to deal with exabytes of information or address exaflop computing efficiently. This paper presents an overview of both cloud and big data technologies describing the current issues with these technologies.},
KEYWORDS = {Big data} }
|
135 |
@InProceedings{2016/Ruchkin/integration,
AUTHOR = {Ruchkin, Ivan},
TITLE = {Integration Beyond Components and Models: Research Challenges and Directions},
YEAR = {2016},
MONTH = {April},
BOOKTITLE = {Proceedings of the 3rd Architecture Centric Virtual Integration Workshop},
ADDRESS = {Venice, Italy},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/acvi-2016.pdf},
ABSTRACT = {Recent research in embedded and cyber-physical
systems has developed theories and tools for integration of
heterogeneous components and models. These efforts, although
important, are insufficient for high-quality and error-free systems
integration since inconsistencies between system elements may
stem from factors not directly represented in models (e.g.,
analysis tools and expert disagreements). Therefore, we need to
broaden our perspective on integration, and devise approaches
in three novel directions of integration: modeling methods, data
sets, and humans. This paper summarizes the latest advances, and
discusses those directions and associated challenges in integration
for cyber-physical systems.},
KEYWORDS = {Cyberphysical Systems, Software Architecture} }
|
136 |
@InProceedings{2016/Schmerl/AndroidSecurity,
AUTHOR = {Schmerl, Bradley and Gennari, Jeffrey and Sadeghi, Alireza and Bagheri, Hamid and Malek, Sam and C\'{a}mara, Javier and Garlan, David},
TITLE = {Architecture Modeling and Analysis of
Security in Android Systems},
YEAR = {2016},
MONTH = {30 November - 2 December},
BOOKTITLE = {Proceedings of the 10th European Conference on Software Architecture (ECSA 2016)},
VOLUME = {9839},
SERIES = {Lecture Notes in Computer Science},
ADDRESS = {Copenhagen, Denmark},
PUBLISHER = {Springer},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/architecture-modeling-analysis-cr.pdf},
ABSTRACT = {Software architecture modeling is important for analyzing system quality
attributes, particularly security. However, such analyses often assume that the
architecture is completely known in advance. In many modern domains, especially
those that use plugin-based frameworks, it is not possible to have such
a complete model because the software system continuously changes. The Android
mobile operating system is one such framework, where users can install
and uninstall apps at run time. We need ways to model and analyze such architectures
that strike a balance between supporting the dynamism of the underlying
platforms and enabling analysis, particularly throughout a system�s lifetime. In
this paper, we describe a formal architecture style that captures the modifiable
architectures of Android systems, and that supports security analysis as a system
evolves. We illustrate the use of the style with two security analyses: a predicatebased
approach defined over architectural structure that can detect some common
security vulnerabilities, and inter-app permission leakage determined by model
checking. We also show how the evolving architecture of an Android device can
be obtained by analysis of the apps on a device, and provide some performance
evaluation that indicates that the architecture can be amenable for use throughout
the system�s lifetime.},
KEYWORDS = {Acme, Architectural Analysis, Architectural Style, Science of Security} }
|
137 |
@InProceedings{MARTCPS16,
AUTHOR = {Ruchkin, Ivan and Samuel, Selva and Schmerl, Bradley and Rico, Amanda and Garlan, David},
TITLE = {Challenges in Physical Modeling for Adaptation of Cyber-Physical Systems},
YEAR = {2016},
MONTH = {12-14 December},
BOOKTITLE = {Workshop on MARTCPS Models at Runtime and Networked Control for Cyber Physical Systems at IEEE World Forum on the Internet of Things},
ADDRESS = {Reston, Virginia},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/MARTCPS2016.pdf},
ABSTRACT = {Cyber-physical systems (CPSs) mix software,
hardware, and physical aspects with equal importance. Typically,
the use of models of such systems during run time
has concentrated only on managing and controlling the cyber
(software) aspects. However, to fully realize the goals of a
CPS, physical models too have to be treated as first-class
models. This approach gives rise to three main challenges:
(a) identifying and integrating physical and software models
with different characteristics and semantics; (b) obtaining
instances of physical models at a suitable level of abstraction
for adaptation; and (c) using and adapting physical models to
control CPSs. In this position paper, we elaborate on these three
challenges and describe our vision of making physical models
first-class entities in adaptation. We illustrate this vision in the
context of power adaptation for a service robotic system.},
NOTE = {Winner of the IEEE World Forum on the Internet of Things Best Paper Award},
KEYWORDS = {Cyberphysical Systems} }
|
138 |
@InProceedings{2017/Lamba/Cluster,
AUTHOR = {Lamba, Hemank and Glazier, Thomas J. and C\'{a}mara, Javier and Schmerl, Bradley and Garlan, David and Pfeffer, J\"{u}rgen},
TITLE = {Model-based cluster analysis for identifying suspicious activity sequences in software},
YEAR = {2017},
MONTH = {24 March},
BOOKTITLE = {Proceedings of the 3rd International Workshop on Security and Privacy Analytics (IWSPA 2017)},
ADDRESS = {Scottsdale, AZ},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/model-based-cluster-submitted.pdf},
ABSTRACT = {Large software systems have to contend with a significant number of
users who interact with different components of the system in various
ways. The sequences of components that are used as part of an interaction
define sets of behaviors that users have with the system. These
can be large in number. Among these users, it is possible that there are
some who exhibit anomalous behaviors â for example, they may have
found back doors into the system and are doing something malicious.
These anomalous behaviors can be hard to distinguish from normal
behavior because of the number of interactions a system may have,
or because traces may deviate only slightly from normal behavior. In
this paper we describe a model-based approach to cluster sequences of
user behaviors within a system and to find suspicious, or anomalous,
sequences. We exploit the underlying software architecture of a system
to define these sequences. We further show that our approach is better at
detecting suspicious activities than other approaches, specifically those
that use unigrams and bigrams for anomaly detection. We show this on
a simulation of a large scale system based on Amazon Web application
style architecture.},
KEYWORDS = {Science of Security} }
|
139 |
@InProceedings{2017:Moreno:CobRAPLA,
AUTHOR = {Moreno, Gabriel A. and Papadopoulos, Alessandro V. and Angelopoulo, Konstantinos and C\'{a}mara, Javier and Schmerl, Bradley},
TITLE = {Comparing Model-Based Predictive Approaches to Self-Adaptation: CobRA and PLA},
YEAR = {2017},
MONTH = {22-23 May},
BOOKTITLE = {Proceedings of the 12th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2017)},
ADDRESS = {Buenos Aires, Argentina},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PLAvsCobRA.pdf},
ABSTRACT = {Modern software-intensive systems must often guarantee
certain quality requirements under changing run-time
conditions and high levels of uncertainty. Self-adaptation has
proven to be an effective way to engineer systems that can
address such challenges, but many of these approaches are purely
reactive and adapt only after a failure has taken place. To
overcome some of the limitations of reactive approaches (e.g.,
lagging behind environment changes and favoring short-term
improvements), recent proactive self-adaptation mechanisms apply
ideas from control theory, such as model predictive control
(MPC), to improve adaptation. When selecting which MPC
approach to apply, the improvement that can be obtained with
each approach is scenario-dependent, and so guidance is needed
to better understand how to choose an approach for a given
situation. In this paper, we compare CobRA and PLA, two
approaches that are inspired by MPC. CobRA is a requirements-based
approach that applies control theory, whereas PLA is
architecture-based and applies stochastic analysis. We compare
the two approaches applied to RUBiS, a benchmark system for
web and cloud application performance, discussing the required
expertise needed to use both approaches and comparing their
run-time performance with respect to different metrics.},
KEYWORDS = {Self-adaptation} }
|
140 |
@InProceedings{2017:Pandey:HybridPlanningFormalization,
AUTHOR = {Pandey, Ashutosh and Ruchkin, Ivan and Schmerl, Bradley and C\'{a}mara, Javier},
TITLE = {Towards a Formal Framework for Hybrid Planning in Self-Adaptation},
YEAR = {2017},
MONTH = {22-23 May},
BOOKTITLE = {Proceedings of the 12th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2017)},
ADDRESS = {Buenos Aires, Argentina},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/hybrid-planning-seams2017.pdf},
ABSTRACT = {Approaches to self-adaptation face a fundamental
trade-off between quality and timeliness in decision-making. Due
to this trade-off, designers of self-adaptive systems often have
to find a fixed and suboptimal compromise between these two
requirements. Recent work has proposed the hybrid planning approach
that can resolve this trade-off dynamically and potentially
in an optimal way. The promise of hybrid planning is to combine
multiple planners at run time to produce adaptation plans of
the highest quality within given time constraints. However, since
decision-making approaches are complex and diverse, the problem
of combining them is even more difficult, and no frameworks for
hybrid planning. This paper makes an important step in simplifying
the problem of hybrid planning by formalizing it and decomposing
it into four simpler subproblems. These formalizations
will serve as a foundation for creating and evaluating engineering
solutions to the hybrid planning problem.},
KEYWORDS = {Planning, Self-adaptation} }
|
141 |
@InProceedings{2017:Camara:ArchitectureSynthesis,
AUTHOR = {C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley},
TITLE = {Synthesis and Quantitative Verification of Tradeoff Spaces for Families of Software Systems},
YEAR = {2017},
MONTH = {11-15 September},
BOOKTITLE = {Proceedings of the 11th European Conference on Software Architecture},
ADDRESS = {Cantebury, UK},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/cgsecsa17.pdf},
ABSTRACT = {Designing software in a way that provides guarantees about run-time behavior while achieving an acceptable balance between multiple extra-functional properties is still an open problem. Tools and techniques to inform engineers about poorly-understood design spaces are needed. To tackle this problem, we propose an approach that combines synthesis of spaces of system design alternatives from formal specifications of architectural styles with quantitative verification applied to every point of the generated solution space. The main contribution of this paper is a formal framework for specification-driven synthesis and analysis of design spaces that provides formal guarantees about the correctness of system behaviors and satisfies quantitative properties (e.g., defined over system qualities). We illustrate our proposal by analyzing the configuration space of a Tele Assistance System (TAS) using a prototype implementation of our approach.},
NOTE = {Winner of the ECSA Best Paper Award},
KEYWORDS = {Architectural Style, Formal Methods, Model Checking, Software Architecture} }
|
142 |
@InProceedings{Dwivedi:EUC:2017,
AUTHOR = {Dwivedi, Vishal and Herbsleb, James and Garlan, David},
TITLE = {What Ails End-User Composition: A Cross-Domain Qualitative Study},
YEAR = {2017},
BOOKTITLE = {End-User Development. IS-EUD 2017},
VOLUME = {10303},
SERIES = {Lecture Notes in Computer Science},
PUBLISHER = {Springer},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Dwivedi2017_Chapter_WhatAilsEnd-UserCompositionACr.pdf},
ABSTRACT = {Across many domains, end-users need to compose computational elements into novel configurations to perform their day-to-day tasks. End-user composition is a common programming activity performed by such end-users to accomplish this composition task. While there have been many studies on end-user programming, we still need a better understanding of activities involved in end-user composition and environments to support them. In this paper we report a qualitative study of four popular composition environments belonging to diverse application domains, including: Taverna workflow environment for life sciences, Loni Pipeline for brain imaging, SimMan3G for medical simulations and Kepler for scientific simulations. We interview end-users of these environments to explore their experiences while performing common compositions tasks. We use âContent Analysisâ technique to analyze these interviews to explore what are the barriers to end-user composition in these domains. Furthermore, our findings show that there are some unique differences in the requirements of naive end-users vs. expert programmers. We believe that not only are these findings useful to improve the quality of end-user composition environments, but they can also help towards development of better end-user composition frameworks.},
KEYWORDS = {End-user Architecture} }
|
143 |
@InProceedings{2017:Uncertainty:Camara,
AUTHOR = {C\'{a}mara, Javier and Peng, Wenxin and Garlan, David and Schmerl, Bradley},
TITLE = {Reasoning about Sensing Uncertainty in Decision-Making for Self-Adaptation},
YEAR = {2017},
MONTH = {5 September},
BOOKTITLE = {Proceedings of the 15th International Workshop on Foundations of Coordination Languages and Self-Adaptive Systems (FOCLASA 2017)},
VOLUME = {10729},
SERIES = {Lecture Notes in Computer Science},
PUBLISHER = {Springer},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CPGS-CR-foclasa17.pdf},
ABSTRACT = {Self-Adaptive systems are expected to adapt to unanticipated run-time
events using imperfect information about their environment. This entails handling
the effects of uncertainties in decision-making, which are not always considered
as a first-class concern. This paper contributes a formal analysis technique that
explicitly considers uncertainty in sensing when reasoning about the best way to
adapt. We illustrate our approach on a Denial of Service (DoS) attack scenario
and present some preliminary results that show the benefits of uncertainty-aware
decision-making with respect to using an uncertainty-ignorant approach.},
KEYWORDS = {Self-adaptation, uncertainty} }
|
144 |
@InProceedings{2017:Pandey:IBLHP,
AUTHOR = {Pandey, Ashutosh and Schmerl, Bradley and Garlan, David},
TITLE = {Instance-based Learning for Hybrid Planning},
YEAR = {2017},
MONTH = {18-22 September},
BOOKTITLE = {Proceedings of the 3rd International Workshop on Data-driven Self-regulating Systems (DSS 2017)},
ADDRESS = {Tucson, AZ, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/IBL-DSS2017.pdf},
ABSTRACT = {Due to the fundamental trade-off between quality and timeliness of planning, designers of self-adaptive systems often have to compromise between an approach that is quick to find an adaptation plan and an approach that is slow but finds a quality adaptation plan. To deal with this trade-off, in our previous work, we proposed a hybrid planning approach that combines a deliberative and a reactive planning approach to find a balance between quality and timeliness of planning.
However, when reactive and deliberative planning is combined to
instantiate a hybrid planner, the key challenge is to decide which
approach(es) should be invoked to solve a planning problem. To
this end, this paper proposes to use a data-driven instance-based
learning to find an appropriate combination of the two planning
approaches when solving a planning problem. As an initial proof
of concept, the paper presents results of a small experiment that
demonstrates the potential of the proposed approach to identify a
combination of the two planning approaches to solve a planning
problem.},
KEYWORDS = {Planning, Self-adaptation} }
|
145 |
@InProceedings{2001/Dependable/NASA,
AUTHOR = {Rouquette, Nicolas and Medvidovic, Nenad and Garlan, David},
TITLE = {Dependable Autonomous Systems = knowing well what to do + knowing how to do it well},
YEAR = {2001},
MONTH = {10-12 January},
BOOKTITLE = {Proceedings of the NASA High Dependability Computing Consortium Workshop},
ADDRESS = {NASA AMES, Moffett Field, CA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/01-0052.pdf},
ABSTRACT = {This position paper reflects upon experiences and lessons learned from several spacecraft projects at JPL and JPL's recent collaboration with software architecture researchers from USC and CMU.},
KEYWORDS = {Self-adaptation} }
|
146 |
@InProceedings{2017:Camara:RTSS,
AUTHOR = {Seetanandi, Gautham Nayak and C\'{a}mara, Javier and Almeida, Luis and Ă
rz\'{e}n, Karl-Erik and Maggio, Martina},
TITLE = {Event-Driven Bandwidth Allocation with Formal Guarantees for Camera Networks},
YEAR = {2017},
MONTH = {5-8 December},
BOOKTITLE = {Proceedings of the 2017 IEEE Real-Time Systems Symposium},
ADDRESS = {Paris, France},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/RTSS17_Gautham.pdf},
ABSTRACT = {Modern computing systems are often formed by
multiple components that interact with each other through the
use of shared resources (e.g., CPU, network bandwidth, storage).
In this paper, we consider a representative scenario of one such
system in the context of an Internet of Things application. The
system consists of a network of self-adaptive cameras that share
a communication channel, transmitting streams of frames to a
central node. The cameras can modify a quality parameter to
adapt the amount of information encoded and to affect their
bandwidth requirements and usage. A critical design choice for
such a system is scheduling channel access, i.e., how to determine
the amount of channel capacity that should be used by each of the
cameras at any point in time. Two main issues have to be considered
for the choice of a bandwidth allocation scheme: (i) camera
adaptation and network access scheduling may interfere with
one another, (ii) bandwidth distribution should be triggered only
when necessary, to limit additional overhead. This paper proposes
the first formally verified event-triggered adaptation scheme for
bandwidth allocation, designed to minimize additional overhead
in the network. Desired properties of the system are verified using
model checking. The paper also describes experimental results
obtained with an implementation of the scheme.
},
KEYWORDS = {Formal Methods, Self-adaptation} }
|
147 |
@InProceedings{Pandey:FAS2017:Hybrid,
AUTHOR = {Pandey, Ashutosh},
TITLE = {Hybrid Planning in Self-Adaptive Systems},
YEAR = {2017},
MONTH = {18-22 September},
BOOKTITLE = {FAS* Foundations and Applications of Self* Systems (FAS* 2017) Doctoral Symposium},
ADDRESS = {Tucson, AZ, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/HybridPlanningDoctoralSymposium.pdf},
ABSTRACT = {Self-adaptive software systems make decisions at
run time that seek to change their behavior in response to
faults, changing environments and attacks. Therefore, having an
appropriate planning approach to find an adaptation plan is
critical to successful self-adaptation. For many realistic systems,
ideally one would like to have a planning approach that is both
quick and finds an optimal adaptation plan. However, due to the
fundamental trade-off between quality and timeliness of planning,
often designers have to compromise between an approach that is
quick to find a plan and an approach that is slow but finds an
optimal plan. To deal with this trade-off, this work proposes a
hybrid planning approach that combines more than one planning
approach to bring their benefits together.},
KEYWORDS = {Planning, Self-adaptation} }
|
148 |
@InProceedings{Ruchkin/2018/IPL,
AUTHOR = {Ruchkin, Ivan and Sunshine, Joshua and Iraci, Grant and Schmerl, Bradley and Garlan, David},
TITLE = {IPL: An Integration Property Language for Multi-Model Cyber-Physical Systems},
YEAR = {2018},
MONTH = {15-17 July},
BOOKTITLE = {22nd International Symposium on Formal Methods (FM2018)},
ADDRESS = {Oxford, UK},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fm2018-paper-camera-ready-1.pdf},
ABSTRACT = {Design and verification of modern systems requires diverse models,
which often come from a variety of disciplines, and it is challenging to manage
their heterogeneity â especially in the case of cyber-physical systems. To check
consistency between models, recent approaches map these models to flexible static
abstractions, such as architectural views. This model integration approach, however, comes at a cost of reduced expressiveness because complex behaviors of the
models are abstracted away. As a result, it may be impossible to automatically
verify important behavioral properties across multiple models, leaving systems
vulnerable to subtle bugs. This paper introduces the Integration Property Language (IPL) that improves integration expressiveness using modular verification of
properties that depend on detailed behavioral semantics while retaining the ability
for static system-wide reasoning. We prove that the verification algorithm is sound
and analyze its termination conditions. Furthermore, we perform a case study on a
mobile robot to demonstrate IPL is practically useful and evaluate its performance.},
NOTE = {Appendices},
KEYWORDS = {Cyberphysical Systems, Formal Methods, Model Checking} }
|
149 |
@InProceedings{SEAMS:SWIM:2018,
AUTHOR = {Moreno, Gabriel A. and Schmerl, Bradley and Garlan, David},
TITLE = {SWIM: An Exemplar for Evaluation and Comparison of
Self-Adaptation Approaches for Web Applications},
YEAR = {2018},
MONTH = {28-29 May},
BOOKTITLE = {Proceedings of the 13th International Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ADDRESS = {Gothenburg, Sweden},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams18-swim-cr.pdf},
ABSTRACT = {Research in self-adaptive systems often uses web applications as
target systems, running the actual software on real web servers.
This approach has three drawbacks. First, these systems are not
easy and/or cheap to deploy. Second, run-time conditions cannot
be replicated exactly to compare diferent adaptation approaches
due to uncontrolled factors. Third, running experiments is time-
consuming. To address these issues, we present SWIM, an exemplar
that simulates a web application. SWIM can be used as a target
system with an external adaptation manager interacting with it
through its TCP-based interface. Since the servers are simulated,
this use case addresses the irst two problems. The full beneit
of SWIM is attained when the adaptation manager is built as a
simulation module. An experiment using a simulated 60-server
cluster, processing 18 hours of traic with 29 million requests takes
only 5 minutes to run on a laptop computer. SWIM has been used
for evaluating self-adaptation approaches, and for a comparative
study of model-based predictive approaches to self-adaptation.},
NOTE = {Best Artifact Paper Award Winner},
KEYWORDS = {Self-adaptation} }
|
150 |
@InProceedings{2018:SEAMS:Uncertainty,
AUTHOR = {Moreno, Gabriel A. and C\'{a}mara, Javier and Garlan, David and Klein, Mark},
TITLE = {Uncertainty Reduction in Self-Adaptive Systems},
YEAR = {2018},
MONTH = {28-29 May},
BOOKTITLE = {Proc. of the 13th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS)},
ADDRESS = {Gothenburg, Sweden},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams18-ur-cr.pdf},
ABSTRACT = {Self-adaptive systems depend on models of themselves and their
environment to decide whether and how to adapt, but these models
are often affected by uncertainty. While current adaptation decision
approaches are able to model and reason about this uncertainty,
they do not consider ways to reduce it. This presents an opportunity
for improving decision-making in self-adaptive systems, because
reducing uncertainty results in a better characterization of the current
and future states of the system and the environment (at some
cost), which in turn supports making better adaptation decisions.
We propose uncertainty reduction as the natural next step in uncertainty
management in the field of self-adaptive systems. This
requires both an approach to decide when to reduce uncertainty,
and a catalog of tactics to reduce different kinds of uncertainty. We
present an example of such a decision, examples of uncertainty
reduction tactics, and describe how uncertainty reduction requires
changes to the different activities in the typical self-adaptation loop.},
KEYWORDS = {Self-adaptation, uncertainty} }
|
151 |
@InProceedings{SEsCPS:Explanation:2018,
AUTHOR = {Sukkerd, Roykrong and Simmons, Reid and Garlan, David},
TITLE = {Towards Explainable Multi-Objective Probabilistic Planning},
YEAR = {2018},
MONTH = {27 May},
BOOKTITLE = {Proceedings of the 4th International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS\'18)},
ADDRESS = {Gothenburg, Sweden},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE-WS-SEsCPS-13.pdf},
ABSTRACT = {Use of multi-objective probabilistic planning to synthesize
behavior of CPSs can play an important role in engineering
systems that must self-optimize for multiple quality objectives
and operate under uncertainty. However, the reasoning
behind automated planning is opaque to end-users. They
may not understand why a particular behavior is generated,
and therefore not be able to calibrate their confidence in the
systems working properly. To address this problem, we propose
a method to automatically generate verbal explanation
of multi-objective probabilistic planning, that explains why a
particular behavior is generated on the basis of the optimization
objectives. Our explanation method involves describing
objective values of a generated behavior and explaining
any tradeoff made to reconcile competing objectives. We contribute:
(i) an explainable planning representation that facilitates
explanation generation, and (ii) an algorithm for generating
contrastive justification as explanation for why a generated
behavior is best with respect to the planning objectives.
We demonstrate our approach on a mobile robot case study.},
KEYWORDS = {Explainable Software, Self-adaptation} }
|
152 |
@InProceedings{2018:Wagner:HotSoS,
AUTHOR = {Wagner, Ryan and Garlan, David and Fredrikson, Matthew},
TITLE = {Poster: Quantitative Underpinnings of Secure, Graceful Degradation},
YEAR = {2018},
MONTH = {10-11 April},
BOOKTITLE = {Proceedings of the 2018 Symposium of Hot Topics in the Science of Security},
ADDRESS = {Raleigh, North Carolina},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/hotsos-gracefuldegradation.pdf},
KEYWORDS = {Science of Security} }
|
153 |
@InProceedings{2018:SEAMS:Uncertainty:Kinneer,
AUTHOR = {Kinneer, Cody and Coker, Zack and Wang, Jiacheng and Garlan, David and Le Goues, Claire},
TITLE = {Managing Uncertainty in Self-Adaptive Systems with Plan Reuse
and Stochastic Search},
YEAR = {2018},
MONTH = {28-29 May},
BOOKTITLE = {Proceedings of the 13th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/seams-uncertainty-kinneerpdf.pdf},
ABSTRACT = {Many software systems operate in environments where change
and uncertainty are the rule, rather than exceptions. Techniques
for self-adaptation allow these systems to automatically respond
to environmental changes, yet they do not handle changes to the
adaptive system itself, such as the addition or removal of adaptation
tactics. Instead, changes in a self-adaptive system often require a
human planner to redo an expensive planning process to allow
the system to continue satisfying its quality requirements under
different conditions; automated techniques typically must replan
from scratch. We propose to address this problem by reusing prior
planning knowledge to adapt in the face of unexpected situations.
We present a planner based on genetic programming that reuses
existing plans. While reuse of material in genetic algorithms has
recently applied successfully in the area of automated program
repair, we find that naĂŻvely reusing existing plans for self-* planning
actually results in a loss of utility. Furthermore, we propose a
series of techniques to lower the costs of reuse, allowing genetic
techniques to leverage existing information to improve planning
utility when replanning for unexpected changes.},
NOTE = {Selected as a distinguished paper},
KEYWORDS = {Planning, Self-adaptation, Stochastic Search, uncertainty} }
|
154 |
@InProceedings{Mendonca:AKSAS:2018,
AUTHOR = {Mendon\c{c}a, Nabor C. and Garlan, David and Schmerl, Bradley and C\'{a}mara, Javier},
TITLE = {Generality vs. Reusability in Architecture-Based Self-Adaptation:
The Case for Self-Adaptive Microservices},
YEAR = {2018},
MONTH = {24-28 September},
BOOKTITLE = {The 12th European Conference on Software Architecture: Companion Proceedings},
ADDRESS = {Madrid, Spain},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/aksas2018-final.pdf},
ABSTRACT = {Why is it so difficult to build self-adaptive systems by reusing existing
self-adaptation services and frameworks? In this paper, we
argue that one possible explanation is that there is a fundamental
mismatch between the adaptation needs of modern software
systems, and the architectural models and adaptation mechanisms
supported by current self-adaptation solutions. We identify and
discuss the main reasons leading to this problem by looking into a
number of representative self-adaptation solutions that have been
proposed in recent years, including open source frameworks and
cloud-based services, from two perspectives: generality, i.e., their
ability to support a variety of architectural models and adaptation
mechanisms, and reusability, i.e., their ability to be reused without
requiring substantial effort from software developers. We then make
the case that recent industry progress toward microservices and
their enabling technologies can open the way to the development
of more general and reusable self-adaptation solutions.},
KEYWORDS = {Self-adaptation} }
|
155 |
@InProceedings{2019/Jamshidi/ML,
AUTHOR = {Jamshidi, Pooyan and C\'{a}mara, Javier and Schmerl, Bradley and K\"astner, Christian and Garlan, David},
TITLE = {Machine Learning Meets Quantitative Planning: Enabling Self-adaptation in Autonomous Robots},
YEAR = {2019},
MONTH = {25-26 May},
BOOKTITLE = {Proceedings of the 14th Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ADDRESS = {Montreal, Canada},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEAMS2019-ML.pdf},
ABSTRACT = {Modern cyber-physical systems (e.g., robotics systems) are typically composed of physical and software components, the characteristics of which are likely to change over time.
Assumptions about parts of the system made at design time may not hold at run time, especially when a system is deployed for long periods (e.g., over decades).
Self-adaptation is designed to find reconfigurations of systems to handle such run-time inconsistencies. Planners can be used to find and enact optimal reconfigurations in such an evolving context. However, for systems that are highly configurable, such planning becomes intractable due to the size of the adaptation space.
To overcome this challenge, in this paper we explore an approach that (a) uses machine learning to find Pareto-optimal configurations without needing to explore every configuration, and (b) restricts the search space to such configurations to make planning tractable.
We explore this in the context of robot missions that need to consider task timeliness and energy consumption. An independent evaluation shows that our approach results in high quality adaptation plans in uncertain and adversarial environments. },
KEYWORDS = {Cyberphysical Systems, Self-adaptation} }
|
156 |
@InProceedings{2020:ICSA:Microservices,
AUTHOR = {Mendon\c{c}a, Nabor C. and Aderaldo, Carlos and C\'{a}mara, Javier and Garlan, David},
TITLE = {Model-Based Analysis of Microservice Resiliency Patterns},
YEAR = {2020},
MONTH = {16-20 March},
BOOKTITLE = {Proceedings of the 2020 IEEE International Conference on Software Architecture},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/PID63707632020_ICSA_Microservices.pdf},
ABSTRACT = {Microservice application developers try to mitigate
the impact of partial outages typically by implementing
service-to-service interactions that use well-known resiliency
patterns, such as Retry, Fail Fast, and Circuit Breaker. However,
those resiliency patternsâas well as their available open-source
implementationsâare often documented informally, leaving it up
to application developers to figure out when and how to use those
patterns in the context of a particular microservice application.
In this paper, we take a first step towards improving on this
situation by introducing a model checking-based approach in
which we use the PRISM probabilistic model checker to analyze
the behavior of the Retry and Circuit Breaker resiliency patterns
as continuous-time Markov chains (CTMC). This approach has
enabled us to quantify the impact of applying each resiliency
pattern on multiple quality attributes, as well as to determine
how to best tune their parameters to deal with varying service
availability conditions, in the context of a simple client-service
interaction scenario.},
KEYWORDS = {Model Checking, Software Architecture} }
|
157 |
@InProceedings{2019:Sukkerd:Explanation,
AUTHOR = {Zhao, Ellin and Sukkerd, Roykrong},
TITLE = {Interactive Explanation for Planning-Based Systems},
YEAR = {2019},
MONTH = {16-18 April},
BOOKTITLE = {Proceedings of the 10th ACM/IEEE International Conference on Cyberphysical Systems, Work-in-Progress track},
ADDRESS = {Montreal, Canada},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/zhao_iccps.pdf},
ABSTRACT = {As Cyber-Physical Systems (CPSs) become more autonomous,
it becomes harder for humans who interact with the CPSs to
understand the behavior of the systems. Particularly for CPSs
that must perform tasks while optimizing for multiple quality
objectives and acting under uncertainty, it can be difficult
for humans to understand the system behavior generated by
an automated planner. This work-in-progress presents an
approach at clarifying system behavior through interactive
explanation by allowing end-users to ask Why and Why-Not questions about specific behaviors of the system, and
providing answers in the form of contrastive explanation.},
KEYWORDS = {Explainable Software, Human-in-the-loop, Self-adaptation} }
|
158 |
@InProceedings{Glazier:2019:metamanagement,
AUTHOR = {Glazier, Thomas J. and Garlan, David},
TITLE = {An Automated Approach to Management of a Collection of Autonomic Systems},
YEAR = {2019},
MONTH = {16 June},
BOOKTITLE = {Proceedings of the 4th eCAS Workshop on Engineering Collective Adaptive Systems},
ADDRESS = {Umea, Sweden},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/eCASEv1.pdf},
ABSTRACT = {Modern enterprise IT systems are increasingly becoming
compositions of many subsystems each of which is
an autonomic system. These individual autonomic systems act
independently to maintain their locally defined SLAs but can take
actions which are inconsistent with and potentially detrimental
to the global system objective. Currently, human administrators
intervene to resolve these conflicts but are challenged by
complexity in the prediction of current and future states of
the constituent systems and their managers, multiple conflicting
quality dimensions which may change over time, combinatorially
large configuration space across the set of constituent systems,
and the time critical nature of the decisions to be made to prevent
further degradation. To address these challenges, this paper
proposes an approach that enables the creation of a higher level
autonomic system, referred to as a meta-manager, that does not
subsume the control functions nor does it directly orchestrate the
actions of the sub-autonomic managers. Instead, we encapsulate
and abstract the behavior of each subsystem as a parameterized
adaptation policy which can be adjusted by the meta-manager
to tune the adaptive behavior of the subsystem adaptation. We
can effectively instantiate this idea by considering each of the
subsystems as a player in a stochastic multi-player game against
itâs local environment, and synthesize an adaptation strategy
using off-the-shelf tools for stochastic game analysis.},
KEYWORDS = {Meta-management, Self-adaptation} }
|
159 |
@InProceedings{Kinneer:2019:observability,
AUTHOR = {Kinneer, Cody and Wagner, Ryan and Fang, Fei and Le Goues, Claire and Garlan, David},
TITLE = {Modeling Observability in Adaptive Systems to Defend Against Advanced Persistent Threats},
YEAR = {2019},
MONTH = {9-11 October},
BOOKTITLE = {Proceedings of the 17th ACM-IEEE International Conference on Formal Methods and Models for Systems Design (MEMCODE\'19)},
ADDRESS = {San Diego, USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/memocode2019.pdf},
ABSTRACT = {Advanced persistent threats (APTs) are a particularly troubling challenge
for software systems. The adversarial nature of the security
domain, and APTs in particular, poses unresolved challenges to
the design of self-* systems, such as how to defend against multiple
types of attackers with different goals and capabilities. In
this interaction, the observability of each side is an important and
under-investigated issue in the self-* domain. We propose a model
of APT defense that elevates observability as a first-class concern.
We evaluate this model by showing how an informed approach that
uses observability improves the defenderâs utility compared to a
uniform random strategy, can enable robust planning through sensitivity
analysis, and can inform observability-related architectural
design decisions.},
KEYWORDS = {Science of Security, Self-adaptation} }
|
160 |
@InProceedings{2019:SEAMS:DartSim,
AUTHOR = {Moreno, Gabriel A. and Kinneer, Cody and Pandey, Ashutosh and Garlan, David},
TITLE = {DARTSim: An Exemplar for Evaluation and Comparison of Self-Adaptation Approaches for Smart Cyber-Physical Systems},
YEAR = {2019},
MONTH = {25-26 May},
BOOKTITLE = {Proceedings of the 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ADDRESS = {Montreal, Canada},
ABSTRACT = {Motivated by the need for cyber-physical systems (CPS) to perform in dynamic and uncertain environments, smart CPS (sCPS) utilize self-adaptive capabilities to autonomously manage uncertainties at the intersection of the cyber and physical worlds. In this context, self-adaptation approaches face particular challenges, including (i) environment monitoring that is subject to sensing errors; (ii) adaptation actions that take time, sometimes due to physical movement; (iii) dire consequences for not adapting in a timely manner; and (iv) incomparable objectives that cannot be conflated into a single utility metric (e.g., avoiding an accident vs. providing good service). To enable researchers to evaluate and compare self-adaptation approaches aiming to address these unique challenges of sCPS, we introduce the DARTSim exemplar. DARTSim implements a high-level simulation of a team of unmanned air vehicles (UAVs) performing a reconnaissance mission in a hostile and unknown environment. Designed to be easily used by researchers, DARTSim provides a TCP-based interface for easy integration with external adaptation managers, documentation, and a fast simulation capability.},
NOTE = {Awarded Best Artifact Award for SEAMS 2019},
KEYWORDS = {Self-adaptation} }
|
161 |
@InProceedings{2019:Kubow,
AUTHOR = {Aderaldo, Carlos and Mendon\c{c}a, Nabor C. and Schmerl, Bradley and Garlan, David},
TITLE = {Kubow: An Architecture-Based Self-Adaptation Service for
Cloud Native Applications},
YEAR = {2019},
MONTH = {9-13 September},
BOOKTITLE = {Proceedings of the 2019 European Conference on Software Architecture: Tools Track},
ADDRESS = {Paris, France},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ecsa2019-tools-final.pdf},
ABSTRACT = {This paper presents Kubow, an extensible architecture-based selfadaptation
service for cloud native applications. Kubow itself was
implemented by customizing and extending the Rainbow self-adaptation
framework with support for Docker containers and Kubernetes.
The paper highlights Kubowâs architecture and main design
decisions, and illustrates its use and configuration through a simple
example. An accompanying demo video is available at the projectâs
web site: https://ppgia-unifor.github.io/kubow/.},
NOTE = {Awarded Best Demo},
KEYWORDS = {Self-adaptation} }
|
162 |
@InProceedings{2020:ICDS:Lynceus,
AUTHOR = {Casimiro, Maria and Didona, Diego and Romano, Paolo and Rodrigues, Luis and Zwaenepoel, Willy and Garlan, David},
TITLE = {Lynceus: Cost-efficient Tuning and Provisioning of Data Analytic Jobs},
YEAR = {2020},
MONTH = {8-10 July},
BOOKTITLE = {The 40th International Conference on Distributed Computing Systems},
ADDRESS = {Singapore},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICDCS_2020_paper_2972020_ICDS_Lynceus.pdf},
ABSTRACT = {Modern data analytic and machine learning jobs
find in the cloud a natural deployment platform to satisfy their
notoriously large resource requirements. Yet, to achieve cost
efficiency, it is crucial to identify a deployment configuration that
satisfies user-defined QoS constraints (e.g., on execution time),
while avoiding unnecessary over-provisioning.
This paper introduces Lynceus, a new approach for the
optimization of cloud-based data analytic jobs that improves over
state-of-the-art approaches by enabling significant cost savings
both in terms of the final recommended configuration and of the
optimization process used to recommend configurations.
Unlike existing solutions, Lynceus optimizes in a joint fashion
both the cloud-related (i.e., which and how many machines to
provision) and the application-level (e.g. the hyper-parameters
of a machine learning algorithm) parameters. This allows for a
reduction of the cost of recommended configurations by up to
3.7X at the 90-th percentile with respect to existing approaches,
which treat the optimization of cloud-related and application level
parameters as two independent problems.
Further, Lynceus reduces the cost of the optimization process
(i.e., the cloud cost incurred for testing configurations) by
up to 11X. Such an improvement is achieved thanks to two
mechanisms: i) a timeout approach which allows to abort the
exploration of configurations that are deemed suboptimal, while
still extracting useful information to guide future explorations
and to improve its predictive model â differently from recent
works, which either incur the full cost for testing suboptimal
configurations or are unable to extract any knowledge from
aborted runs; ii) a long-sighted and budget-aware technique
that determines which configurations to test by predicting the
long-term impact of each exploration â unlike state-of-the-art
approaches for the optimization of cloud jobs, which adopt greedy
optimization methods.},
KEYWORDS = {Big data, Machine Learning, Resource Allocation} }
|
163 |
@InProceedings{ToD:ICSE:2019,
AUTHOR = {D\"{u}rschmid, Tobias and Kang, Eunsuk and Garlan, David},
TITLE = {Trade-off-oriented Development: Making Quality Attribute Trade-offs First-class},
YEAR = {2019},
MONTH = {May},
BOOKTITLE = {Proceedings of the 41st International Conference on Software Engineering: New Ideas and Emerging Results},
ADDRESS = {Montreal, CA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/TradeoffOrientedDevelopmentToD_ICSE_2019.pdf},
ABSTRACT = {Implementing a solution for a design decision that
precisely satisfies the trade-off between quality attributes can be
extremely challenging. Further, typically quality attribute tradeoffs
are not represented as first-class entities in development
artifacts. Hence, decisions might be suboptimal and lack requirements
traceability as well as changeability. We propose Tradeoff-
oriented Development (ToD), a new concept to automate
the selection and integration of reusable implementations for
a given design decision based on quality attribute trade-offs.
Implementations that vary in quality attributes and that solve
reoccurring design decisions are collected in a design decision
library. Developers declaratively specify the quality attribute
trade-off, which is then used to automatically select the best
fitting implementation. We argue that thereby, software could
satisfy the trade-offs more precisely, requirements are traceable
and changeable, and advances in implementations automatically
improve existing software.},
KEYWORDS = {Software Architecture} }
|
164 |
@InProceedings{2020:ICSE:RobotArchitecture,
AUTHOR = {Malavolta, Ivano and Lewis, Grace A. and Schmerl, Bradley and Lago, Patricia and Garlan, David},
TITLE = {How do you Architect your Robots? State of the Practice and Guidelines for ROS-based System},
YEAR = {2020},
MONTH = {23-29 May},
BOOKTITLE = {Proceedings of the 42nd International Conference on Software Engineering: Software Engineering in Practice},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ICSE_SEIP_20202020_ICSE_RobotArchitecture.pdf},
ABSTRACT = {The Robot Operating System (ROS) is the de-facto standard for robotic software.
If on one hand ROS is helping roboticists, e.g., by providing a standardized communication platform, on the other hand ROS-based systems are getting larger and more complex and could benefit from good software architecture practices.
This paper presents an observational study aimed at (i) unveiling the state of the practice for architecture of ROS-based systems and (ii) providing guidance to roboticists about how to properly architect ROS-based systems. To achieve these goals, we (i) build a dataset of 335 GitHub repositories containing real open-source ROS-based systems, (ii) mine the repositories for extracting the state of the practice about how roboticists are architecting them, and (iii) synthesize a catalog of 49 evidence-based guidelines for architecting ROS-based systems.
The guidelines have been validated by 77 roboticists working on real-world open-source ROS-based systems. },
KEYWORDS = {Architectural Analysis, Software Architecture} }
|
165 |
@InProceedings{2020:SEAMS:CoAdaptation,
AUTHOR = {C\'{a}mara, Javier and Schmerl, Bradley and Garlan, David},
TITLE = {Software Architecture and Task Plan Co-Adaptation for Mobile Service Robots},
YEAR = {2020},
MONTH = {29 June - 3 July},
BOOKTITLE = {Proceedings of the 15th International Symposium on Software Engineering for Adaptive and Self-managing Systems (SEAMS)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEAMS2020_Mobile_Robots.pdf},
ABSTRACT = {Self-adaptive systems increasingly need to reason about and adapt both structural and behavioral system aspects, such as in mobile service robots, which must reason about missions that they need to achieve and the architecture of the software executing them. Deciding how to best adapt these systems to run time changes is challenging because it entails considering mutual dependencies between the software architecture that the system is running and the outcome of plans for completing tasks, while also considering multiple trade-offs and uncertainties. Considering all these aspects in planning for adaptation often yields large solution spaces which cannot be adequately explored at run time.
We address this challenge by proposing a planning approach able to consider the impact of mutual dependencies between software architecture and task planning on the satisfaction of mission goals. The approach is able to reason quantitatively about the outcome of adaptation decisions handling both the reconfiguration of the system's architecture and adaptation of task plans under uncertainty and in a rich trade-off space.
Our results show: (i) feasibility of run-time decision-making for self-adaptation in an otherwise intractable solution space by dividing-and-conquering adaptation into architecture reconfiguration and task planning sub-problems, and (ii) improved quality of adaptation decisions with respect to decision making that does not consider dependencies between architecture and task planning.},
NOTE = {Talk},
KEYWORDS = {Cyberphysical Systems, Formal Methods, Model Checking, Planning, Rainbow, Robot Adaptation, Self-adaptation, Software Architecture} }
|
166 |
@InProceedings{2020:Venaro:BPMDS,
AUTHOR = {Venero, Sheila and Schmerl, Bradley and Montecchi, Leonardo and Dos Reis, Julio Cesar and Rubira, Cecilia M. F.},
TITLE = {Automated Planning for supporting Knowledge-intensive Processes},
YEAR = {2020},
MONTH = {8-9 June},
BOOKTITLE = {Proceedings of the 20th Business Process Modeling, Development and Support (BPMDS) Working Conference},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Automated_Planning_for_supporting__Knowledge_intensive_Processes.pdf},
ABSTRACT = {Knowledge-intensive processes (KiPs) are processes characterized by high levels of unpredictability and dynamism. Their process structure may not be known before their execution. One way to cope with this uncertainty is to defer decisions regarding the process structure until run time. In this paper, we consider the definition of the process structure as a planning problem. Our approach uses automated planning techniques to generate plans that define process models according to the current context. The generated plan model relies on a metamodel called METAKIP that represents the basic elements of KiPs.
Our solution explores Markov Decision Processes (MDP) to generate plan models. This technique allows uncertainty representation by defining state transition probabilities, which gives us more flexibility than traditional approaches. We construct an MDP model and solve it with the help of the PRISM model-checker. The solution is evaluated by means of a proof of concept in the medical domain and reveals the feasibility of our approach.},
KEYWORDS = {Model Checking, Stochastic Games} }
|
167 |
@InProceedings{Li:2020:SEAMS-Expl,
AUTHOR = {Li, Nianyu and Adepu, Sridhar and Kang, Eunsuk and Garlan, David},
TITLE = {Explanations for Human-on-the-loop: A Probabilistic Model Checking Approach},
YEAR = {2020},
MONTH = {29 June - 3 July},
BOOKTITLE = {Proceedings of the 15th International Symposium on Software Engineering for Adaptive and Self-managing Systems (SEAMS)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SEAMS_CameraReady-8.pdf},
ABSTRACT = {Many self-adaptive systems benefit from human involvement and
oversight, where a human operator can provide expertise not available
to the system and can detect problems that the system is
unaware of. One way of achieving this is by placing the human
operator on the loop â i.e., providing supervisory oversight and
intervening in the case of questionable adaptation decisions. To
make such interaction effective, explanation is sometimes helpful to
allow the human to understand why the system is making certain
decisions and calibrate confidence from the human perspective.
However, explanations come with costs in terms of delayed actions
and the possibility that a human may make a bad judgement. Hence,
it is not always obvious whether explanations will improve overall
utility and, if so, what kinds of explanation to provide to the operator.
In this work, we define a formal framework for reasoning
about explanations of adaptive system behaviors and the conditions
under which they are warranted. Specifically, we characterize
explanations in terms of explanation content, effect, and cost. We
then present a dynamic adaptation approach that leverages a probabilistic
reasoning technique to determine when the explanation
should be used in order to improve overall system utility.},
NOTE = {Talk},
KEYWORDS = {Explainable Software, Model Checking, Self-adaptation} }
|
168 |
@InProceedings{2020:Control:SEAMS,
AUTHOR = {C\'{a}mara, Javier and Papadopoulos, Alessandro V. and Vogel, Thomas and Weyns, Danny and Garlan, David and Huang, Shihong and Tei, Kenji},
TITLE = {Towards Bridging the Gap between Control and Self-Adaptive System Properties},
YEAR = {2020},
MONTH = {29 June - 3 July},
BOOKTITLE = {Proceedings of the 15th International Symposium on Software Engineering for Adaptive and Self-managing Systems (SEAMS)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/2004.118462020_Control_SEAMS.pdf},
ABSTRACT = {Two of the main paradigms used to build adaptive software employ different types of properties to capture relevant aspects of the systemâs run-time behavior. On the one hand, control systems consider properties that concern static aspects like stability, as well as dynamic properties that capture the transient evolution of variables such as settling time. On the other hand, self-adaptive systems consider mostly non-functional properties that capture concerns such as performance, reliability, and cost. In general, it is not easy to reconcile these two types of properties or identify under which conditions they constitute a good fit to provide run-time guarantees. There is a need of identifying the key properties in the areas of control and self-adaptation, as well as of characterizing and mapping them to better understand how they relate and possibly complement each other. In this paper, we take a first step to tackle this problem by: (1) identifying a set of key properties in control theory, (2) illustrating the formalization of some of these properties employing temporal logic languages commonly used to engineer self-adaptive software systems, and (3) illustrating how to map key properties that characterize self-adaptive software systems into control properties, leveraging their formalization in temporal logics. We illustrate the different steps of the mapping on an exemplar case in the cloud computing domain and conclude with identifying open challenges in the area.},
NOTE = {Talk},
KEYWORDS = {Control Theory, Self-adaptation} }
|
169 |
@InProceedings{2020:Sukkerd:Expl,
AUTHOR = {Sukkerd, Roykrong and Simmons, Reid and Garlan, David},
TITLE = {Tradeoff-Focused Contrastive Explanation for MDP Planning},
YEAR = {2020},
MONTH = {31 August - 4 September},
BOOKTITLE = {Proceedings of the 29th IEEE International Conference on Robot & Human Interactive Communication},
ADDRESS = {Virtual},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/sukkerdRO-MAN20.pdf},
ABSTRACT = {End-usersâ trust in automated agents is important as automated decision-making and planning is increasingly used in many aspects of peopleâs lives. In real-world applications of planning, multiple optimization objectives are often involved.Thus, planning agentsâ decisions can involve complex tradeoffs among competing objectives. It can be difficult for the end-users to understand why an agent decides on a particular planning solution on the basis of its objective values. As a result, the users may not know whether the agent is making the right decisions, and may lack trust in it. In this work, we contribute an approach, based on contrastive explanation, that enables a multi-objective MDP planning agent to explain its decisions in a way that communicates its tradeoff rationale in terms of the domain-level concepts. We conduct a human subjects experiment to evaluate the effectiveness of our explanation approach in a mobile robot navigation domain. The results show that our approach significantly improves the usersâ understanding, and confidence in their understanding, of the tradeoff rationale of the planning agent},
KEYWORDS = {Explainable Software, Planning} }
|
170 |
@InProceedings{2020:Pandey:Hybrid,
AUTHOR = {Pandey, Ashutosh and Ruchkin, Ivan and Schmerl, Bradley and Garlan, David},
TITLE = {Hybrid Planning Using Learning and Model Checking for Autonomous Systems},
YEAR = {2020},
MONTH = {19-23 August},
BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)},
ADDRESS = {Washington, D.C.},
ABSTRACT = {Self-adaptive software systems rely on planning to
make adaptation decisions autonomously. Planning is required
to produce high-quality adaptation plans in a timely manner;
however, quality and timeliness of planning are conflicting in
nature. This conflict can be reconciled with hybrid planning,
which can combine reactive planning (to quickly provide an
emergency response) with deliberative planning that take time
but determine a higher-quality plan. While often effective, reactive
planning sometimes risks making the situation worse. Hence,
a challenge in hybrid planning is to decide whether to invoke
reactive planning until the deliberative planning is ready with a
high-quality plan. To make this decision, this paper proposes a
novel learning-based approach. We demonstrate that this learning-based
approach outperforms existing techniques that are based
on specifying fixed conditions to invoke reactive planning in two
domains: enterprise cloud systems and unmanned aerial vehicles.},
NOTE = {Supplemental Material | Presentation Video},
KEYWORDS = {Formal Methods, Machine Learning, Self-adaptation} }
|
171 |
@InProceedings{2020:Li:HIL-Model,
AUTHOR = {Li, Nianyu and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley},
TITLE = {Reasoning about When to Provide Explanation for Human-in-the-loop Self-Adaptive Systems},
YEAR = {2020},
MONTH = {19-23 August},
BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)},
ADDRESS = {Washington, D.C.},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ExplanationInLoop2020.pdf},
ABSTRACT = {Many self-adaptive systems benefit from human involvement, where a human operator can provide expertise not available to the system and perform adaptations involving physical changes that cannot be automated.
However, a lack of transparency and intelligibility of system goals and the autonomous behaviors enacted to achieve them may hinder a human operator's effort to make such involvement effective.
Explanation is sometimes helpful to allow the human to understand why the system is making certain decisions. However, explanations come with costs in terms of, e.g., delayed actions.
Hence, it is not always obvious whether explanations will improve the satisfaction of system goals and, if so,
when to provide them to the operator. In this work, we define a formal framework for reasoning about explanations of adaptive system behaviors and the conditions under which they are warranted. Specifically, we characterize explanations in terms of their impact on a human operator's ability to effectively engage in adaptive actions.
We then present
a decision-making approach for planning in self-adaptation
that leverages a probabilistic reasoning tool to determine when the explanation should be used
in an adaptation strategy in order to improve overall system utility.
We illustrate our approach in a representative scenario for the application of an adaptive news website in the context of potential denial-of-service attacks. },
NOTE = {Presentation Video},
KEYWORDS = {Formal Methods, Human-in-the-loop, Self-adaptation, Stochastic Games} }
|
172 |
@InProceedings{2020:Google:TJ,
AUTHOR = {Glazier, Thomas J. and Garlan, David and Schmerl, Bradley},
TITLE = {Case Study of an Automated Approach to Managing Collections of Autonomic Systems},
YEAR = {2020},
MONTH = {19-23 August},
BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)},
ADDRESS = {Washington, D.C.},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS_2020_Automated_Management_of_Collections_of_Autonomic_Systems.pdf},
ABSTRACT = {Many applications have taken advantage of cloud
provided autonomic capabilities, commonly auto-scaling, to harness
easily available compute capacity to maintain performance
against defined quality objectives. This has caused the management
complexity of enterprise applications to increase. It is
now common for an application to be a collection of autonomic
sub-systems. However, combining individual autonomic systems
to create an application can lead to behaviors that negatively
impact the global aggregate utility of the application and in
some cases can be conflicting and self-destructive. Commonly,
human administrators address these behaviors as part of a design
time analysis of the situation or a run time mitigation of the
undesired effects. However, the task of controlling and mitigating
undesirable behaviors is complex and error prone. To handle the
complexity of managing a collection of autonomic systems we
have previously proposed an automated approach to the creation
of a higher level autonomic management system, referred to as a
Meta-Manager. In this paper, we improve upon prior work with
a more streamlined and understandable formal representation of
the approach, expand its capabilities to include global knowledge,
and test its potential applicability and effectiveness by managing
the complexity of a collection of autonomic systems in a case
study of a major outage suffered by the Google Cloud Platform.},
NOTE = {Presentation Video},
KEYWORDS = {Meta-management, Self-adaptation} }
|
173 |
@InProceedings{2020:REACT,
AUTHOR = {Pfannm\"{u}ller, Martin and Breitbach, Martin and Krupitzer, Christian and Weckesser, Marcus and Becker, Christian and Schmerl, Bradley and Sch\"{u}rr, Andy},
TITLE = {REACT: A Model-Based Runtime Environment for Adapting Communication Systems},
YEAR = {2020},
MONTH = {19-23 August},
BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)},
ADDRESS = {Washington, D.C.},
ABSTRACT = {Trends such as the Internet of Things or edge
computing lead to a growing number of networked devices.
Hence, it is becoming increasingly important to manage communication
systems at runtime. Adding self-adaptive capabilities
is one approach to reduce administrative effort and cope with
changing execution contexts. Existing frameworks for building
self-adaptive software can help to reduce development effort
in general. Yet, they are neither tailored towards the use
in communication systems nor easily usable without profound
knowledge in self-adaptive systems development. In this paper, we
propose REACT, a reusable, model-based runtime environment
to complement communication systems with adaptive behavior. It
addresses the heterogeneity and distribution aspects of networks
and reduces development effort. REACT empowers developers
of communication systems to add adaptive behavior without
having experience in self-adaptive systems development. We
show the effectiveness and efficiency of our prototype in an
experimental evaluation based on two distinct use cases from
the communication systems domain: cloud resource management
and software-defined networking. The first use case includes a
comparison with Rainbow, which represents a state-of-the-art
model-based framework for building self-adaptive systems. The
second use case applies REACT in a sophisticated, real-world
communication system scenario.},
KEYWORDS = {Self-adaptation} }
|
174 |
@InProceedings{2021:MAPECTML,
AUTHOR = {Weyns, Danny and Schmerl, Bradley and Kishida, Masako and Leva, Alberto and Litoiu, Marin and Ozay, Necmiye and Paterson, Colin and Tei, Kenji},
TITLE = {Towards Better Adaptive Systems by Combining MAPE, Control Theory, and Machine Learning},
YEAR = {2021},
MONTH = {17-24 May},
BOOKTITLE = {Proceedings of the 16th Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ADDRESS = {Virtual},
ABSTRACT = {Two established techniques to engineer adaptive systems are architecture-based adaptation that uses a Monitor-Analysis-Planning-Executing (MAPE) loop that reasons over architectural models (aka Knowledge) to make adaptation decisions, and control-based adaptation that relies on principles of control theory (CT) to realize adaptation.
Recently, we also observe a rapid growing interest in applying machine learning (ML) to support different adaptation mechanisms.
While MAPE and CT have particular characteristics and strengths to be applied independently, in this paper we are concerned with the question of how these techniques are related with one another and whether combining them and supporting them with ML can produce better adaptive systems.
We motivate the combined use of different adaptation techniques using scenarios from two different domains and illustrate the analysis involved in combining different adaptation techniques. The paper concludes with suggestions for further research in this interesting area.},
KEYWORDS = {Control Theory, Machine Learning, Self-adaptation} }
|
175 |
@InProceedings{2021:FASE:Li,
AUTHOR = {Li, Nianyu and Zhang, Mingyue and Kang, Eunsuk and Garlan, David},
TITLE = {Engineering Secure Self-adaptive Systems with Bayesian Games},
YEAR = {2021},
MONTH = {27 March - 1 April},
BOOKTITLE = {Proceedings of the 24th International Conference on Fundamental Approaches to Software Engineering},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/FASE2021.pdf},
ABSTRACT = {Security attacks present unique challenges to self-adaptive
system design due to the adversarial nature of the environment. Game
theory approaches have been explored in security to model malicious
behaviors and design reliable defense for the system in a mathematically
grounded manner. However, modeling the system as a single player, as
done in prior works, is insufficient for the system under partial compromise
and for the design of fine-grained defensive strategies where the rest of the
system with autonomy can cooperate to mitigate the impact of attacks.
To deal with such issues, we propose a new self-adaptive framework incorporating
Bayesian game theory and model the defender (i.e., the system)
at the granularity of components. Under security attacks, the architecture
model of the system is translated into a Bayesian multi-player game,
where each component is explicitly modeled as an independent player
while security attacks are encoded as variant types for the components.
The optimal defensive strategy for the system is dynamically computed
by solving the pure equilibrium (i.e., adaptation response) to achieve
the best possible system utility, improving the resiliency of the system
against security attacks. We illustrate our approach using an example
involving load balancing and a case study on inter-domain routing.},
KEYWORDS = {Formal Methods, Science of Security, Self-adaptation} }
|
176 |
@InProceedings{2020:ACSOS:SelfStar,
AUTHOR = {Kinneer, Cody and Van Tonder, Rijnard and Garlan, David and Le Goues, Claire},
TITLE = {Building Reusable Repertoires for Stochastic Self-* Planners},
YEAR = {2020},
MONTH = {17-21 August},
BOOKTITLE = {Proceedings of the 2020 IEEE Conference on Autonomic Computing and Self-organizing Systems (ACSOS)},
ADDRESS = {Washington, D.C., USA},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS_2020_Building_Reusable_Repertoires.pdf},
ABSTRACT = {Plan reuse is a promising approach for enabling self-* systems to effectively adapt to unexpected changes, such as evolving existing adaptation strategies after an unexpected change using stochastic search. An ideal self-* planner should be able to reuse repertoires of adaptation strategies, but this is challenging due to the evaluation overhead. For effective reuse, a repertoire should be both (a) likely to generalize to future situations, and (b) cost effective to evaluate. In this work, we present an approach inspired by chaos engineering for generating a diverse set of adaptation strategies to reuse, and we explore two analysis approaches based on clone detection and syntactic transformation for constructing repertoires of adaptation tactics that are likely to be amenable to reuse in stochastic search self-* planners. An evaluation of the proposed approaches on a simulated system inspired by Amazon AWS shows planning effectiveness improved by up to 20% and reveals tradeoffs in planning timeliness and optimality.},
NOTE = {Presentation Video},
KEYWORDS = {Self-adaptation, Self-Repair, Stochastic Search} }
|
177 |
@InProceedings{2020:MASCOTS,
AUTHOR = {Mendes, Pedro and Casimiro, Maria and Romano, Paolo and Garlan, David},
TITLE = {TrimTuner: Efficient Optimization of MachineLearning Jobs in the Cloud via Sub-Sampling},
YEAR = {2020},
BOOKTITLE = {Proceedings of the 2020 Symposium on Modelling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS 2020)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/TrimTuner-MASCOTS-20.pdf},
ABSTRACT = {This work introduces TrimTuner, the first system for optimizing machine learning jobs in the cloud to exploit sub-sampling techniques to reduce the cost of the optimization process, while keeping into account user-specified constraints. TrimTuner jointly optimizes the cloud and application-specific parameters and, unlike state of the art works for cloud optimization, eschews the need to train the model with the full training set every time a new configuration is sampled. Indeed, by leveraging sub-sampling techniques and data-sets that are up to 60x smaller than the original one, we show that TrimTuner can reduce the cost of the optimization process by up to 50x. Further, TrimTuner speeds-up the recommendation process by 65Ăwith respect to state of the art techniques for hyper-parameter optimization that use sub-sampling techniques. The reasons for this improvement are twofold: i) a novel domain specific heuristic that reduces the number of configurations for which the acquisition function has to be evaluated; ii) the adoption of an ensemble of decision trees that enables boosting the speed of the recommendation process by one additional order of magnitude.},
KEYWORDS = {Machine Learning} }
|
178 |
@InProceedings{2021:Wohlrab:REFSQ,
AUTHOR = {Wohlrab, Rebekka and Garlan, David},
TITLE = {Defining Utility Functions for Multi-Stakeholder Self-Adaptive Systems},
YEAR = {2021},
MONTH = {12-15 April},
BOOKTITLE = {Proceedings of the 27th International Working Conference on Requirements Engineering: Foundation for Software Quality},
ADDRESS = {Essen, Germany (Virtual)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/refsq_2021.pdf},
ABSTRACT = {[Context and motivation:] For realistic self-adaptive systems,
multiple quality attributes need to be considered and traded off
against each other. These quality attributes are commonly encoded in
a utility function, for instance, a weighted sum of relevant objectives.
[Question/problem:] The research agenda for requirements engineering
for self-adaptive systems has raised the need for decision-making
techniques that consider the trade-offs and priorities of multiple objectives.
Human stakeholders need to be engaged in the decision-making
process so that the relative importance of each objective can be correctly
elicited. [Principal ideas/results:] This research preview paper
presents a method that supports multiple stakeholders in prioritizing
relevant quality attributes, negotiating priorities to reach an agreement,
and giving input to define utility functions for self-adaptive systems.
[Contribution:] The proposed method constitutes a lightweight solution
for utility function definition. It can be applied by practitioners and
researchers who aim to develop self-adaptive systems that meet stakeholders'
requirements. We present details of our plan to study the application
of our method using a case study.},
KEYWORDS = {Self-adaptation} }
|
179 |
@InProceedings{2021:Li:HeyPreparatory,
AUTHOR = {Li, Nianyu and C\'{a}mara, Javier and Garlan, David and Schmerl, Bradley and Jin, Zhi},
TITLE = {Hey! Preparing Humans to do Tasks in Self-adaptive Systems},
YEAR = {2021},
MONTH = {18-21 May},
BOOKTITLE = {Proceedings of the 16th Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2021)},
ADDRESS = {Virtual},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Preparatory_SEAMS.pdf},
ABSTRACT = {Many self-adaptive systems benefit from human involvement, where human operators can complement the capabilities of systems (e.g., by supervising decisions, or performing adaptations and tasks involving physical changes that cannot be automated). However, insufficient preparation (e.g., lack of task context comprehension) may hinder the effectiveness of human involvement, especially when operators are unexpectedly interrupted to perform a new task. Preparatory notification of a task provided in advance can sometimes help human operators focus their attention on the forthcoming task and understand its context before task execution, hence improving effectiveness. Nevertheless, deciding when to use preparatory notification as a tactic is not obvious and entails considering different factors that include uncertainties induced by human operator behavior (who might ignore the notice message), human attributes (e.g., operator training level), and other information that refers to the state of the system and its environment.
In this paper, informed by work in cognitive science on human attention and context management, we introduce a formal framework to reason about
the usage of preparatory notifications
in self-adaptive systems involving human operators. Our framework characterizes the effects of managing attention via task notification in terms of task context comprehension. We also build on our framework to develop an automated probabilistic reasoning technique able to determine when and in what form a preparatory notification tactic should be used to optimize system goals. We illustrate our approach in a representative scenario of human-robot collaborative goods delivery. },
NOTE = {Awarded Best Student Paper for SEAMS 2021},
KEYWORDS = {Explainable Software, Formal Methods, Robot Adaptation, Self-adaptation} }
|
180 |
@InProceedings{2020:ASE:CPS,
AUTHOR = {Gafford, Benjamin and D\"{u}rschmid, Tobias and Moreno, Gabriel A. and Kang, Eunsuk},
TITLE = {Synthesis-Based Resolution of Feature Interactions in Cyber-Physical Systems},
YEAR = {2020},
MONTH = {21-25 September},
BOOKTITLE = {Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE)},
ADDRESS = {Virtual},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ase20-feature-interactions.pdf},
ABSTRACT = {The feature interaction problem arises when two or more independent features interact with each other in an undesirable manner.Feature interactions remain a challenging and important problem in emerging domains of cyber-physical systems (CPS), such as intelligent vehicles, unmanned aerial vehicles (UAVs) and the Internet of Things (IoT), where the outcome of an unexpected interaction may result in a safety failure. Existing approaches to resolving feature interactions rely on priority lists or fixed strategies, but may not be effective in scenarios where none of the competing feature actions are satisfactory with respect to system requirements. This paper proposes a novel synthesis-based approach to resolution, where a conflict among features is resolved by synthesizingan action that best satisfies the specification of desirable system behaviors in the given environmental context. Unlike existing resolution methods,our approach is capable of producing a desirable system outcome even when none of the conflicting actions are satisfactory. The effectiveness of the proposed approach is demonstrated using a case study involving interactions among safety-critical features in an autonomous drone.},
KEYWORDS = {Cyberphysical Systems, Formal Methods} }
|
181 |
@InProceedings{2020:FSE:Robustness,
AUTHOR = {Zhang, Changjian and Garlan, David and Kang, Eunsuk},
TITLE = {A Behavioral Notion of Robustness for Software Systems},
YEAR = {2020},
MONTH = {6-16 November},
BOOKTITLE = {Proceedings of the 2020 ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE)},
ADDRESS = {Virtual},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fse20-robustness.pdf},
ABSTRACT = {Software systems are designed and implemented with assumptions about the environment. However, once the system is deployed,the actual environment may deviate from its expected behavior,possibly undermining desired properties of the system. To enable systematic design of systems that are robust against potential environmental deviations, we propose a rigorous notion of robustness for software systems. In particular, the robustness of a system is de-fined as the largest set of deviating environmental behaviors under which the system is capable of guaranteeing a desired property. We describe a new set of design analysis problems based on our notion of robustness, and a technique for automatically computing robustness of a system given its behavior description. We demonstrate potential applications of our robustness notion on two case studies involving network protocols and safety-critical interfaces.},
KEYWORDS = {Architectural Analysis, Explainable Software, Model Checking} }
|
182 |
@InProceedings{2021:Cheng:Debate,
AUTHOR = {Cheng, Shang-Wen},
TITLE = {Change Is the Ultimate Self-Adaptive Challenge},
YEAR = {2021},
MONTH = {18-21 May},
BOOKTITLE = {Proceedings of the 16th Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ADDRESS = {Virtual},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Cheng_SEAMS_2021.pdf},
ABSTRACT = {This paper argues that change alone is sufficiently difficult; simply, handling change, i.e., anticipated changes, remains the ultimate challenge of self-adaptation.},
KEYWORDS = {Self-adaptation, uncertainty} }
|
183 |
@InProceedings{2021:Garlan:Debate,
AUTHOR = {Garlan, David},
TITLE = {The Unknown Unknowns are not Totally Unknown},
YEAR = {2021},
MONTH = {18-21 May},
BOOKTITLE = {Proceedings of the 16th Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ADDRESS = {Virtual},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/GARLAN_SEAMS21_Debate_Final.pdf},
ABSTRACT = {The question of whether âhandling unanticipated changes is the ultimate challenge for self-adaptationâ is impossible to evaluate without looking closely at what âunanticipatedâ means. In this position paper I try to bring a little clarity to this issue by arguing that the common distinction between âknown unknownsâ and âunknown unknownsâ is too crude: for most systems there are changes that are not directly handled by âfirst-orderâ adaptation, but can, with appropriate engineering, be addressed naturally through âsecond-orderâ adaptation. I explain what I mean by this and consider ways in which such systems might be engineered.},
KEYWORDS = {Self-adaptation, uncertainty} }
|
184 |
@InProceedings{2021:FSE:Chang,
AUTHOR = {Zhang, Changjian and Wagner, Ryan and Orvalho, Pedro and Garlan, David and Manquinho, Vasco and Martins, Ruben and Kang, Eunsuk},
TITLE = {AlloyMax: Bringing Maximum Satisfaction to Relational Specifications.},
YEAR = {2021},
MONTH = {23-28 August},
BOOKTITLE = {The ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE) 2021},
ADDRESS = {Virtual},
ABSTRACT = {Alloy is a declarative modeling language based on a first-order relational logic. Its constraint-based analysis has enabled a wide range of applications in software engineering, including configuration synthesis, bug finding, test-case generation, and security analysis.
Certain types of analysis tasks in these domains involve finding an optimal solution. For example, in a network configuration problem, instead of finding any valid configuration, it may be desirable to find one that is most permissive (i.e., it permits a maximum number of packets). Due to its dependence on SAT, however, Alloy cannot be used to specify and analyze these types of problems.
We propose AlloyMax, an extension of Alloy with a capability
to express and analyze problems with optimal solutions. AlloyMax introduces (1) a small addition of language constructs that can be used to specify a wide range of problems that involve optimality and (2) a new analysis engine that leverages a Maximum Satisfiability (MaxSAT) solver to generate optimal solutions. To enable this
new type of analysis, we show how a specification in a first-order relational logic can be translated into an input format of MaxSAT solversânamely, a Boolean formula in weighted conjunctive normal form (WCNF). We demonstrate the applicability and scalability of AlloyMax on a benchmark of problems. To our knowledge, AlloyMax is the first approach to enable analysis with optimality in a relational modeling language, and we believe that AlloyMax has the potential to bring a wide range of new applications to Alloy.},
NOTE = {Distinguished Paper Award},
KEYWORDS = {Formal Methods, Planning} }
|
185 |
@InProceedings{SAML21,
AUTHOR = {Casimiro, Maria and Romano, Paolo and Garlan, David and Moreno, Gabriel A. and Kang, Eunsuk and Klein, Mark},
TITLE = {Self-Adaptation for Machine Learning Based Systems},
YEAR = {2021},
MONTH = {14 September},
BOOKTITLE = {Proceedings of the 1st International Workshop on Software Architecture and Machine Learning (SAML)},
SERIES = {LNCS},
ADDRESS = {Virtual, (Originally V\"axjĂś, Sweden)},
PUBLISHER = {Springer},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/SAML2021-paper6SAML21.pdf},
ABSTRACT = {Todayâs world is witnessing a shift from human-written software to machine-learned software, with the rise of systems
that rely on machine learning. These systems typically operate in non-static environments, which are prone to unexpected
changes, as is the case of self-driving cars and enterprise systems. In this context, machine-learned software can misbehave.
Thus, it is paramount that these systems are capable of detecting problems with their machined-learned components and
adapt themselves to maintain desired qualities. For instance, a fraud detection system that cannot adapt its machine-learned
model to efficiently cope with emerging fraud patterns or changes in the volume of transactions is subject to losses of millions
of dollars. In this paper, we take a first step towards the development of a framework aimed to self-adapt systems that rely
on machine-learned components. We describe: (i) a set of causes of machine-learned component misbehavior and a set of
adaptation tactics inspired by the literature on machine learning, motivating them with the aid of a running example; (ii) the
required changes to the MAPE-K loop, a popular control loop for self-adaptive systems; and (iii) the challenges associated
with developing this framework. We conclude the paper with a set of research questions to guide future work.},
KEYWORDS = {Machine Learning, Self-adaptation} }
|
186 |
@InProceedings{CASA21,
AUTHOR = {Alharbi, Mohammed and Huang, Shihong and Garlan, David},
TITLE = {A Probabilistic Model for Personality Trait Focused Explainability},
YEAR = {2021},
MONTH = {13-17 September},
BOOKTITLE = {Proceedings of the 4th international Workshop on Context-aware, Autonomous and Smart Architecture (CASA 2021), co-located with the 15th European Conference on Software Architecture},
ADDRESS = {Virtual (Originally V\"axjĂś Sweden)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/CASA-paper5.pdf},
ABSTRACT = {Explainability refers to the degree to
which a software systemâs actions or solutions can be
understood by humans. Giving humans the right
amount of explanation at the right time is an
important factor in maximizing the effective
collaboration between an adaptive system and
humans during interaction. However, explanations
come with costs, such as the required time of
explanation and humansâ response time. Hence it is
not always clear whether explanations will improve
overall system utility and, if so, how the system should
effectively provide explanation to humans,
particularly given that different humans may benefit
from different amounts and frequency of explanation.
To provide a partial basis for making such decisions,
this paper defines a formal framework that
incorporates human personality traits as one of the
important elements in guiding automated decision-
making about the proper amount of explanation that
should be given to the human to improve the overall
system utility. Specifically, we use probabilistic model
analysis to determine how to utilize explanations in an
effective way. To illustrate our approach, Grid â a
virtual human and system interaction game -- is
developed to represent scenarios for human-systems
collaboration and to demonstrate how a humanâs
personality traits can be used as a factor to consider for systems
in providing appropriate explanations.},
KEYWORDS = {Explainable Software} }
|
187 |
@InProceedings{ECSA21,
AUTHOR = {C\'{a}mara, Javier and Silva, Mariana and Garlan, David and Schmerl, Bradley},
TITLE = {Explaining Architectural Design Tradeoff Spaces: a Machine Learning Approach},
YEAR = {2021},
MONTH = {13-17 September},
BOOKTITLE = {Proceedings of the 15th European Conference on Software Architecture},
ADDRESS = {Virtual (Originally, V\"axjĂś Sweden)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Explaining_Architectural_Tradeoff_Spaces__a_Machine_Learning_Approach.pdf},
ABSTRACT = {In software design, guaranteeing the correctness of run-time system behavior while achieving an acceptable balance among multiple quality attributes remains a challenging problem.
Moreover, providing guarantees about the satisfaction of those requirements when systems are subject to uncertain environments is even more challenging.
While recent developments in architectural analysis techniques can assist architects in exploring the satisfaction of quantitative guarantees across the design space, existing approaches are still limited because they do not explicitly link design decisions to satisfaction of quality requirements.
Furthermore, the amount of information they yield can be overwhelming to a human designer, making it difficult to distinguish the forest through the trees.
In this paper, we present an approach to analyzing architectural design spaces that addresses these limitations and provides a basis to enable the explainability of design tradeoffs.
Our approach combines dimensionality reduction techniques employed in machine learning pipelines with quantitative verification to enable architects to understand how design decisions contribute to the satisfaction of strict quantitative guarantees under uncertainty across the design space.
Our results show feasibility of the approach in two case studies and evidence that dimensionality reduction is a viable approach to facilitate comprehension of tradeoffs in poorly-understood design spaces.},
KEYWORDS = {Explainable Software, Machine Learning, Self-adaptation} }
|
188 |
@InProceedings{2021:SISSY,
AUTHOR = {Weyns, Danny and Bures, Tomas and Calinescu, Radu and Craggs, Barnaby and Fitzgerald, John and Garlan, David and Nuseibeh, Bashar and Pasquale, Liliana and Rashid, Awais and Ruchkin, Ivan and Schmerl, Bradley},
TITLE = {Six Software Engineering Principles for Smarter Cyber-Physical Systems},
YEAR = {2021},
MONTH = {27 September},
BOOKTITLE = {Proceedings of the Workshop on Self-Improving System Integration},
ABSTRACT = {Cyber-Physical Systems (CPS) integrate computational and physical components. With the digitisation of society
and industry and the progressing integration of systems, CPS
need to become âsmarterâ in the sense that they can adapt and
learn to handle new and unexpected conditions, and improve
over time. Smarter CPS present a combination of challenges that
existing engineering methods have difficulties addressing: inter-
twined digital, physical and social spaces, need for heterogeneous
modelling formalisms, demand for context-tied cooperation to
achieve system goals, widespread uncertainty and disruptions in
changing contexts, inherent human constituents, and continuous
encounter with new situations. While approaches have been put
forward to deal with some of these challenges, a coherent perspective on engineering smarter CPS is lacking. In this paper, we
present six engineering principles for addressing the challenges
of smarter CPS. As smarter CPS are software-intensive systems,
we approach them from a software engineering perspective with
the angle of self-adaptation that offers an effective approach to
deal with run-time change. The six principles create an integrated
landscape for the engineering and operation of smarter CPS.},
KEYWORDS = {Cyberphysical Systems} }
|
189 |
@InProceedings{ASDYE2021,
AUTHOR = {Casimiro, Maria and Garlan, David and C\'{a}mara, Javier and Rodrigues, Luis and Romano, Paolo},
TITLE = {A Probabilistic Model Checking Approach to Self-Adapting Machine Learning Systems},
YEAR = {2021},
MONTH = {6 December},
BOOKTITLE = {Proceedings of the Third International Workshop on Automated and verifiable Software sYstem DEvelopment (ASYDE)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ASYDE-CR.pdf},
ABSTRACT = {Machine Learning (ML) is increasingly used in domains such
as cyber-physical systems and enterprise systems. These systems typically operate in non-static environments, prone to unpredictable changes that can adversely impact the accuracy of the ML models, which are usually in the critical path of the systems. Mispredictions of ML components
can thus affect other components in the system, and ultimately impact overall system utility in non-trivial ways. From this perspective, self-adaptation techniques appear as a natural solution to reason about how to react to environment changes via adaptation tactics that can
potentially improve the quality of ML models (e.g., model retrain), and ultimately maximize system utility. However, adapting ML components is non-trivial, since adaptation tactics have costs and it may not be clear in a given context whether the benefits of ML adaptation outweigh its
costs. In this paper, we present a formal probabilistic framework, based on model checking, that incorporates the essential governing factors for reasoning at an architectural level about adapting ML classifiers in a
system context. The proposed framework can be used in a self-adaptive system to create adaptation strategies that maximize rewards of a multidimensional utility space. Resorting to a running example from the enterprise
systems domain, we show how the proposed framework can be
employed to determine the gains achievable via ML adaptation and to find the boundary that renders adaptation worthwhile.},
KEYWORDS = {Machine Learning, Model Checking, Self-adaptation} }
|
190 |
@InProceedings{2022:ICSA:ROSDiscover,
AUTHOR = {Timperley, Christopher Steven and D\"{u}rschmid, Tobias and Schmerl, Bradley and Garlan, David and Le Goues, Claire},
TITLE = {ROSDiscover: Statically Detecting Run-Time Architecture Misconfigurations in Robotics Systems},
YEAR = {2022},
MONTH = {12-15 March},
BOOKTITLE = {Proceedings of the 19th International Conference on Software Architecture (ICSA 2022)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ROSDiscover_Statically_Detecting_Run-Time_Architecture_Misconfigurations_in_Robotics_Systems__Artifact_Paper.pdf},
ABSTRACT = {Robot systems are growing in importance and complexity. Ecosystems for robot software, such as the ROS, provide libraries of reusable software components that can be configured and composed into larger systems. To support compositionality, ROS uses late binding and architecture configuration via "launch files" that describe how to initialize the components in a system.
However, late binding often leads to systems failing silently due to misconfiguration, for example by misrouting or dropping messages entirely.
In this paper we present ROSDiscover, which statically recovers the run-time architecture of ROS systems to find such architecture misconfiguration bugs. First, ROSDiscover constructs component level architectural models (ports, parameters) from source code. Second, architecture configuration files are analyzed to compose the system from these component models and derive the connections in the system. Finally, the reconstructed architecture is checked against architectural rules described in first-order logic to identify potential misconfigurations.
We present an evaluation of ROSDiscover on real world, off-the-shelf robotic systems, measuring the accuracy, effectiveness, and practicality of our approach. To that end, we collected the first data set of architecture configuration bugs in ROS from popular open-source systems and measure how effective our approach is for detecting configuration bugs in that set.},
KEYWORDS = {Acme, Architectural Analysis, Publish Subscribe Systems, Software Architecture} }
|
191 |
@InProceedings{ICSA:Diaz:2022,
AUTHOR = {Diaz-Pace, Andres and Garlan, David},
TITLE = {Making Architecture Optimization Transparent with Tactic-Based Explanations},
YEAR = {2022},
MONTH = {12-15 March},
BOOKTITLE = {Proceedings of the 19th International Conference on Software Architecture (ICSA 2022)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Making Architecture OptimizatâŚ.pdf},
ABSTRACT = {Over the past decade, a number of automated techniques
and tools have been developed for optimizing architectural
designs with respect to quality-attribute goals. In these systems,
the optimization process is typically seen as a black box, since it
is not possible for a human to have access to the decisions that led
to a particular solution generated by an optimization tool. Even
when these decisions are available for inspection, the amount of
information can be overwhelming for the architect. As a result,
humans might not completely understand the rationale behind
a given solution or trust that a tool made correct decisions. To
mitigate this problem, we propose a semi-automated approach
for generating textual explanations for any architectural solution
produced by a tool. This kind of explanation provides a summary
of the key architectural tactics that were applied to achieve an
optimized architecture that satisfies a set of quality-attribute objectives.
In this paper, we discuss two procedures for determining
the key tactics to be explained. As an initial experiment, we used a
popular optimization tool to generate solutions and explanations
for a small but non-trivial design space involving performance,
reliability, and cost objectives. We also performed an exploratory
user study to assess the effectiveness of these explanations.},
KEYWORDS = {Explainable Software, Software Architecture} }
|
192 |
@InProceedings{2022:Wohlrab:SEAMS,
AUTHOR = {Wohlrab, Rebekka and Meira-G\'{o}es, R\^{o}mulo and Vierhauser, Michael},
TITLE = {Run-Time Adaptation of Quality Attributes for Automated Planning},
YEAR = {2022},
MONTH = {18-24 May},
BOOKTITLE = {Proceedings of the 17th Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMSâ22)},
ADDRESS = {Pittsburgh, USA and Virtual},
ABSTRACT = {Self-adaptive systems typically operate in heterogeneous environments and need to optimize their behavior based on a variety of
quality attributes to meet stakeholdersâ needs. During adaptation
planning, these quality attributes are considered in the form of constraints, describing requirements that must be fulfilled, and utility
functions, which are used to select an optimal plan among several
alternatives. Up until now, most automated planning approaches are
not designed to adapt quality attributes, their priorities, and their
trade-offs at run time. Instead, both utility functions and constraints
are commonly defined at design time. There exists a clear lack of
run-time mechanisms that support their adaptation in response
to changes in the environment or in stakeholdersâ preferences. In
this paper, we present initial work that combines automated planning and adaptation of quality attributes to address this gap. The
approach helps to semi-automatically adjust utility functions and
constraints based on changes at run time. We present a preliminary experimental evaluation that indicates that our approach can
provide plans with higher utility values while fulfilling changed
or added constraints. We conclude this paper with our envisioned
research outlook and plans for future empirical studies.},
KEYWORDS = {Self-adaptation} }
|
193 |
@InProceedings{Casimiro:ACSOS:2022,
AUTHOR = {Casimiro, Maria and Romano, Paolo and Garlan, David and Rodrigues, Luis},
TITLE = {Towards a Framework for Adapting Machine Learning Components},
YEAR = {2022},
BOOKTITLE = {2022 IEEE International Conference on Autonomic Computing and Self-Organizing Systems (ACSOS)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/ACSOS2022.pdf},
ABSTRACT = {Machine Learning (ML) models are now commonly
used as components in systems. As any other component, ML
components can produce erroneous outputs that may penalize
system utility. In this context, self-adaptive systems emerge as
a natural approach to cope with ML mispredictions, through
the execution of adaptation tactics such as model retraining. To
synthesize an adaptation strategy, the self-adaptation manager
needs to reason about the cost-benefit tradeoffs of the applicable
tactics, which is a non-trivial task for tactics such as model
retraining, whose benefits are both context- and data-dependent.
To address this challenge, this paper proposes a probabilistic
modeling framework that supports automated reasoning about
the cost/benefit tradeoffs associated with improving ML components of ML-based systems. The key idea of the proposed approach is to decouple the problems of (i) estimating the expected
performance improvement after retrain and (ii) estimating the
impact of ML improved predictions on overall system utility.
We demonstrate the application of the proposed framework by
using it to self-adapt a state-of-the-art ML-based fraud-detection
system, which we evaluate using a publicly-available, real fraud
detection dataset. We show that by predicting system utility stemming from retraining a ML component, the probabilistic model
checker can generate adaptation strategies that are significantly
closer to the optimal, as compared against baselines such as
periodic retraining, or reactive retraining.},
NOTE = {Presentation Video},
KEYWORDS = {Machine Learning, Self-adaptation} }
|
194 |
@InProceedings{Zhang:ICSE:2023,
AUTHOR = {Zhang, Changjian and Saluja, Taranj and Meira-G\'{o}es, R\^{o}mulo and Bolton, Matthew and Garlan, David and Kang, Eunsuk},
TITLE = {Robustification of Behavioral Designs against Environmental Deviations},
YEAR = {2023},
MONTH = {14-20 May},
BOOKTITLE = {Proceedings of the 45th International Conference on Software Engineering},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Robustification___ICSE_23_Camera_Ready.pdf},
ABSTRACT = {Modern software systems are deployed in a highly dynamic, uncertain environment. Ideally, a system that is robust should be capable of establishing its most critical requirements even in the presence of possible deviations in the environment. We propose a technique called behavioral robustification, which involves systematically and rigorously improving the robustness of a design against potential deviations. Given behavioral models of a system and its environment, along with a set of user-specified deviations, our robustification method produces a redesign that is capable of satisfying a desired property even when the environment exhibits those deviations. In particular, we describe how the robustification problem can be formulated as a multi- objective optimization problem, where the goal is to restrict the deviating environment from causing a violation of a desired property, while maximizing the amount of existing functionality and minimizing the cost of changes to the original design. We demonstrate the effectiveness of our approach on case studies involving the robustness of an electronic voting machine and safety-critical interfaces.},
KEYWORDS = {Formal Methods, Resilience, Resource prediction} }
|
195 |
@InProceedings{Chu:SEAMS:2023,
AUTHOR = {Chu, Simon and Shedden, Emma and Zhang, Changjian and Meira-G\'{o}es, R\^{o}mulo and Moreno, Gabriel A. and Garlan, David and Kang, Eunsuk},
TITLE = {Runtime Resolution of Feature Interactions through Adaptive Requirement Weakening.},
YEAR = {2023},
MONTH = {15-16 May},
BOOKTITLE = {Proceedings of the 18th International Symposium on Software Engineering for Adaptive and Self-Managing Systems},
ABSTRACT = {The feature interaction problem occurs when two or
more independently developed components interact with each
other in unanticipated ways, resulting in undesirable system
behaviors. Feature interaction problems remain a challenge for
emerging domains in cyber-physical systems (CPS), such as the
Internet of Things and autonomous drones. Existing techniques
for resolving feature interactions take a âwinner-takes-allâ approach, where one out of the conflicting features is selected
as the most desirable one, and the rest are disabled. However,
when multiple of the conflicting features fulfill important system
requirements, being forced to select one of them can result in
an undesirable system outcome. In this paper, we propose a new
resolution approach that allows all of the conflicting features
to continue to partially fulfill their requirements during the
resolution process. In particular, our approach leverages the
idea of adaptive requirement weakening, which involves one or
more features temporarily weakening their level of performance
in order to co-exist with the other features in a consistent
manner. Given feature requirements specified in Signal Temporal
Logic (STL), we propose an automated method and a runtime
architecture for automatically weakening the requirements to
resolve a conflict. We demonstrate our approach through case
studies on feature interactions in autonomous drones.},
KEYWORDS = {Formal Methods, Self-adaptation} }
|
196 |
@InProceedings{AAAI23::HyperJump,
AUTHOR = {Mendes, Pedro and Casimiro, Maria and Romano, Paolo and Garlan, David},
TITLE = {HyperJump: Accelerating HyperBand via Risk Modelling},
YEAR = {2023},
BOOKTITLE = {Proceedings of the 37th AAAI Conference on Artificial Intelligence},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/hyperjump_AAAI23_CR.pdf},
ABSTRACT = {In the literature on hyper-parameter tuning, a number of recent solutions rely on low-fidelity observations (e.g., training with sub-sampled datasets) in order to efficiently identify promising configurations to be then tested via high-fidelity
observations (e.g., using the full dataset). Among these, HyperBand is arguably one of the most popular solutions, due to its efficiency and theoretically provable robustness.
In this work, we introduce HyperJump, a new approach that builds on HyperBandâs robust search strategy and complements it with novel model-based risk analysis techniques that accelerate the search by skipping the evaluation of low
risk configurations, i.e., configurations that are likely to be eventually discarded by HyperBand. We evaluate HyperJump on a suite of hyper-parameter optimization problems and show that it provides over one-order of magnitude speed-ups,
both in sequential and parallel deployments, on a variety of deep-learning, kernel-based learning and neural architectural search problems when compared to HyperBand and to several state-of-the-art optimizers.},
KEYWORDS = {Machine Learning, Self-adaptation} }
|
197 |
@InProceedings{2023:Sedghpour:IC2E,
AUTHOR = {Sedghpour, Mohammad Reza Saleh and Garlan, David and Schmerl, Bradley and Klein, Cristian and Tordsson, Johan},
TITLE = {Breaking the Vicious Circle: Self-Adaptive Microservice Circuit Breaking and Retry},
YEAR = {2023},
MONTH = {25-28 September},
BOOKTITLE = {Proceedings of the 11th IEEE International conference on Cloud Engineering (IC2E)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Mohammad___Paper___6.pdf},
ABSTRACT = {Microservice-based architectures consist of numer- ous, loosely coupled services with multiple instances. Service meshes aim to simplify traffic management and prevent mi- croservice overload through circuit breaking and request retry mechanisms. Previous studies have demonstrated that the static configuration of these mechanisms is unfit for the dynamic environment of microservices. We conduct a sensitivity analysis to understand the impact of retrying across a wide range of scenarios. Based on the findings, we propose a retry controller that can also work with dynamically configured circuit breakers. We have empirically assessed our proposed controller in various scenarios, including transient overload and noisy neighbors while enforcing adaptive circuit breaking. The results show that our proposed controller does not deviate from a well-tuned configura- tion while maintaining carried response time and adapting to the changes. In comparison to the default static retry configuration that is mostly used in practice, our approach improves the carried throughput up to 12x and 32x respectively in the cases of transient overload and noisy neighbors.},
NOTE = {Best Paper Award},
KEYWORDS = {Self-adaptation, Self-Repair} }
|
198 |
@InProceedings{ICSE2024:Duerschmid:ROSInfer,
AUTHOR = {D\"{u}rschmid, Tobias and Timperley, Christopher Steven and Garlan, David and Le Goues, Claire},
TITLE = {ROSInfer: Statically Inferring Behavioral Component Models for ROS-based Robotics Systems},
YEAR = {2024},
MONTH = {14-20 April},
BOOKTITLE = {Proceedings of the 46th International Conference on Software Engineering (ICSE 2024)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/icse2023-static-inference.pdf},
ABSTRACT = {Robotics systems are complex, safety-critical systems that can con- sist of hundreds of software components that interact with each other dynamically during run time. Software components of robot- ics systems often exhibit reactive, periodic, and state-dependent behavior. Incorrect component composition can lead to unexpected behavior, such as components passively waiting for initiation mes- sages that never arrive. Model-based software analysis is a common technique to identify incorrect behavioral composition by checking desired properties of given behavioral models that are based on component state machines. However, writing state machine models for hundreds of software components manually is a labor-intensive process. This motivates work on automated model inference. In this paper, we present an approach to infer behavioral models for systems based on the Robot Operating System (ROS) using static analysis by exploiting assumptions about the usage of the ROS API and ecosystem. Our approach is based on searching for common behavioral patterns that ROS developers use for implementing reac- tive, periodic, and state-dependent behavior using the ROS frame- work API. We evaluate our approach and our tool ROSInfer on five complex real-world ROS systems with a total of 534 components. For this purpose we manually created 155 models of components from the source code to be used as a ground truth and available data set for other researchers. ROSInfer can infer causal triggers for 87 % of component architectural behaviors in the 534 components.},
KEYWORDS = {Software Architecture} }
|
199 |
@InProceedings{FEMCAD:2023,
AUTHOR = {Zhang, Changjian and Dardik, Ian and Meira-G\'{o}es, R\^{o}mulo and Garlan, David and Kang, Eunsuk},
TITLE = {Fortis: A Tool for Analysis and Repair of Robust Software Systems},
YEAR = {2023},
MONTH = {23-27 October},
BOOKTITLE = {Proc. Formal Methods in Computer-Aided Design 2023},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/fortis-fmcad.pdf},
ABSTRACT = {This paper presents Fortis, a tool for automated, formal analysis and repair of robust discrete systems. Given a system model, an environment model, and a safety property, the tool can be used to automatically compute robustness as the amount of deviations in the environment under which the system can continue to guarantee the property. In addition, Fortis enables automated repair of a given system to improve its robustness against a set of intolerable deviations through a process called robustification. With these techniques, Fortis enables a new process for developing robust-by-design systems. The paper presents the overall design of Fortis as well as the key details behind the robustness analysis and robustification techniques. The applicability and performance of Fortis are illustrated through experimental results over a set of case study systems, including a radiation therapy system, an electronic voting machine, network protocols, and a transportation fare system.},
KEYWORDS = {Formal Methods} }
|
200 |
@InProceedings{Diaz-Pace:ECSA:20223,
AUTHOR = {Diaz-Pace, Andres and Wohlrab, Rebekka and Garlan, David},
TITLE = {Supporting the Exploration of Quality Attribute Tradeoffs in Large Design Spaces},
YEAR = {2023},
MONTH = {18-22 September},
BOOKTITLE = {17th European Conference on Software Architecture (ECSA)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/explainability-paper-ecsa2023-lncs.pdf},
ABSTRACT = {When designing and evolving software architectures, archi- tects need to consider large design spaces of architectural decisions. These decisions tend to impact the quality attributes of the system, such as performance, security, or reliability. Relevant quality attributes might influence each other and usually need to be traded off by architects. When exploring a design space, it is often challenging for architects to understand what tradeoffs exist and how they are connected to architectural decisions. This is particularly problematic in architectural spaces generated by automated optimization tools, as the underlying tradeoffs behind the decisions that they make are unclear. This paper presents an approach to explore quality-attribute tradeoffs via clustering and visualization techniques. The approach allows architects to get an overview of the main tradeoffs and their links to architectural configurations. We evaluated the approach in a think-aloud study with 9 participants from academia and industry. Our findings show that the proposed tech- niques can be useful in understanding feasible tradeoffs and architectural changes affecting those tradeoffs in large design spaces.},
NOTE = {Best Paper Award},
KEYWORDS = {Software Architecture} }
|
201 |
@InProceedings{Garlan:2024:Designing,
AUTHOR = {Garlan, David and Schmerl, Bradley and Wohlrab, Rebekka and C\'{a}mara, Javier},
TITLE = {Challenges in Creating Effective Automated Design Environments: An experience report from the domain of generative manufacturing},
YEAR = {2024},
MONTH = {15 April},
BOOKTITLE = {Proc. the 1st International Workshop on Designing Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/DesigningLMCO-2.pdf},
ABSTRACT = {The emergence of powerful automated design tools in many domains is changing the nature of design, as human-intensive activities can be increasingly off-loaded to those tools. Rather than having a human consider only handful of options, as has been done historically, such tools now enable the generation of a large space of potential designs, exhibiting different tradeoffs among competing qualities of merit, and supporting systematic exploration of the design space. At the same time, this paradigm raises new challenges centered on enabling humans to effectively navigate that generated space in order to select a design that best meets their requirements. In this paper we describe our experience in the domain of generative manufacturing, in which we developed a novel design environment for airplane parts manufacturing that incorporates a number of sophisticated design tools and attempts to tackle the emergent problems of design space exploration that are faced by designers of those parts. We use this experience to highlight the challenges that we faced and reflect on their applicability more generally to tool-assisted software design environments.},
KEYWORDS = {Explainable Software} }
|
202 |
@InProceedings{Pace:2024:Design,
AUTHOR = {Diaz-Pace, Andres and Garlan, David},
TITLE = {The Architect in the Maze: On the Effective Usage of Automated Design Exploration},
YEAR = {2024},
MONTH = {15 April},
BOOKTITLE = {Proc. the 1st International Workshop on Designing Software},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/Designing2024_updated1.pdf},
ABSTRACT = {
Designing a software architecture that satisfies a set of quality- attribute requirements has traditionally been a challenging activity for human architects, as it involves the exploration and assessment of alternative design decisions. The development of automated optimization tools for the architecture domain has opened new opportunities, because these tools are able to explore a large space of alternatives, and thus extend the architectâs capabilities. In this context, however, architects need to efficiently navigate through a large space and understand the main relations between design decisions and feasible quality-attribute tradeoffs in a maze of possi- ble alternatives. Although Machine Learning (ML) techniques can help to reduce the complexity of the task by sifting through the data generated by the tools, the standard techniques often fall short because they cannot offer architectural insights or relevant answers to the architectâs questions. In this paper, and based on previous experiences, we argue that ML techniques should be adapted to the architecture domain, and propose a conceptual framework towards that goal. Furthermore, we show how the framework can be instan- tiated by adapting clustering techniques to answer architectural questions regarding a client-server design space.},
KEYWORDS = {Explainable Software} }
|
203 |
@InProceedings{Chu:SEAMS:2024,
AUTHOR = {Chu, Simon and Koe, Justin and Garlan, David and Kang, Eunsuk},
TITLE = {Integrating Graceful Degradation and Recovery through Requirement-driven Adaptation},
YEAR = {2024},
MONTH = {15-16 April},
BOOKTITLE = {Proc. the International Conference on Software Engineering for Adaptive and Self-managing Systems (SEAMS)},
ABSTRACT = {Cyber-physical systems (CPS) are subject to environmental uncer- tainties such as adverse operating conditions, malicious attacks, and hardware degradation. These uncertainties may lead to failures that put the system in a sub-optimal or unsafe state. Systems that are resilient to such uncertainties rely on two types of operations: (1) graceful degradation, for ensuring that the system maintains an acceptable level of safety during unexpected environmental condi- tions and (2) recovery, to facilitate the resumption of normal system functions. Typically, mechanisms for degradation and recovery are developed independently from each other, and later integrated into a system, requiring the designer to develop an additional, ad-hoc logic for activating and coordinating between the two operations.
In this paper, we propose a self-adaptation approach for improv- ing system resiliency through automated triggering and coordina- tion of graceful degradation and recovery. The key idea behind our approach is to treat degradation and recovery as requirement-driven adaptation tasks: Degradation can be thought of as temporarily weakening original (i.e., ideal) system requirements to be achieved by the system, and recovery as strengthening the weakened require- ments when the environment returns within an expected operating boundary. Furthermore, by treating weakening and strengthen- ing as dual operations, we argue that a single requirement-based adaptation method is sufficient to enable coordination between degradation and recovery. Given system requirements specified in signal temporal logic (STL), we propose a run-time adaptation framework that performs degradation and recovery in response to environmental changes. We describe a prototype implementation of our framework and demonstrate the feasibility of the proposed approach using a case study in unmanned underwater vehicles.},
KEYWORDS = {Self-adaptation} }
|
204 |
@InProceedings{Zhang:FM24,
AUTHOR = {Zhang, Changjian and Kapoor, Parv and Meira Goes, Romulo and Garlan, David and Kang, Eunsuk and Ganlath, Akila and Mishra, Shatadal and Ammar, Nejib},
TITLE = {Tolerance of Reinforcement Learning Controllers against Deviations in Cyber Physical Systems},
YEAR = {2024},
MONTH = {11-13 September},
BOOKTITLE = {26th International Symposium on Formal Methods (FM24)},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/FM 2024.pdf},
ABSTRACT = {Cyber-physical systems (CPS) with reinforcement learning (RL)-based controllers are increasingly being deployed in complex phys- ical environments such as autonomous vehicles, the Internet-of-Things (IoT), and smart cities. An important property of a CPS is tolerance; i.e., its ability to function safely under possible disturbances and un- certainties in the actual operation. In this paper, we introduce a new, expressive notion of tolerance that describes how well a controller is ca- pable of satisfying a desired system requirement, specified using Signal Temporal Logic (STL), under possible deviations in the system. Based on this definition, we propose a novel analysis problem, called the tol- erance falsification problem, which involves finding small deviations that result in a violation of the given requirement. We present a novel, two- layer simulation-based analysis framework and a novel search heuristic for finding small tolerance violations. To evaluate our approach, we con- struct a set of benchmark problems where system parameters can be configured to represent different types of uncertainties and disturbances in the system. Our evaluation shows that our falsification approach and heuristic can effectively find small tolerance violations.
},
NOTE = {To appear},
KEYWORDS = {Cyberphysical Systems, Formal Methods, Machine Learning} }
|
205 |
@InProceedings{Mendes:ECAI:2024,
AUTHOR = {Mendes, Pedro and Romano, Paolo and Garlan, David},
TITLE = {Error-Driven Uncertainty Aware Training},
YEAR = {2024},
MONTH = {19-24 October},
BOOKTITLE = {27th European Conference on Artificial Intelligence},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/EUAT_ECAI.pdf},
ABSTRACT = {Neural networks are often overconfident about their pre- dictions, which undermines their reliability and trustworthiness. In this work, we present a novel technique, named Error-Driven Un- certainty Aware Training (EUAT), which aims to enhance the ability of neural models to estimate their uncertainty correctly, namely to be highly uncertain when they output inaccurate predictions and low uncertain when their output is accurate. The EUAT approach oper- ates during the modelâs training phase by selectively employing two loss functions depending on whether the training examples are cor- rectly or incorrectly predicted by the model. This allows for pursu- ing the twofold goal of i) minimizing model uncertainty for correctly predicted inputs and ii) maximizing uncertainty for mispredicted in- puts, while preserving the modelâs misprediction rate. We evaluate EUAT using diverse neural models and datasets in the image recog- nition domains considering both non-adversarial and adversarial set- tings. The results show that EUAT outperforms existing approaches for uncertainty estimation (including other uncertainty-aware train- ing techniques, calibration, ensembles, and DEUP) by providing un- certainty estimates that not only have higher quality when evaluated via statistical metrics (e.g., correlation with residuals) but also when employed to build binary classifiers that decide whether the modelâs output can be trusted or not and under distributional data shifts.},
NOTE = {To appear},
KEYWORDS = {Machine Learning, uncertainty} }
|
206 |
@InProceedings{Mendes:AISafety:2024,
AUTHOR = {Mendes, Pedro and Romano, Paolo and Garlan, David},
TITLE = {Hyper-parameter Tuning for Adversarially Robust Models},
YEAR = {2024},
MONTH = {4 August},
BOOKTITLE = {AISafety 2024},
ADDRESS = {Jeju, South Korea},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/HTP_Robust_Models_AIsafetyMendes_AISafety_2024.pdf},
ABSTRACT = {This work focuses on the problem of hyper-parameter tuning (HPT) for robust (i.e., adversarially trained) models, shedding light on the new challenges and opportunities arising during the HPT process for robust models. To this end, we conduct an extensive experimental study based on three popular deep models and explore exhaustively nine (discretized) hyper-parameters (HPs), two fidelity dimensions, and two attack bounds, for a total of 19208 configurations (corresponding to 50 thousand GPU hours).
Through this study, we show that the complexity of the HPT problem is further exacerbated in adversarial settings due to the need to independently tune the HPs used during standard and adversarial training: succeeding in doing so (i.e., adopting different HP settings in both phases) can lead to a reduction of up to 80% and 43% of the error for clean and adversarial inputs, respectively. We also identify new opportunities to reduce the cost of HPT for robust models. Specifically, we propose to leverage cheap adversarial training methods to obtain inexpensive, yet highly correlated, estimations of the quality achievable using more robust/expensive state-of-the-art methods. We show that, by exploiting this novel idea in conjunction with a recent multi-fidelity optimizer (taKG), the efficiency of the HPT process can be enhanced by up to 2.1x.},
NOTE = {Best Paper Award},
KEYWORDS = {Machine Learning} }
|
207 |
@InProceedings{Canelas:ISSTA:2024,
AUTHOR = {Canelas, Paulo and Schmerl, Bradley and Fonesca, Alcides and Timperley, Christopher Steven},
TITLE = {Understanding Misconfigurations in ROS: An Empirical Study
and Current Approaches},
YEAR = {2024},
MONTH = {16-20 September},
BOOKTITLE = {The ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA)},
ADDRESS = {Vienna, Austria},
PDF = {http://acme.able.cs.cmu.edu/pubs/uploads/pdf/study_misconfigurations_paper.pdf},
ABSTRACT = {The Robot Operating System (ROS) is a highly popular framework and ecosystem that allows developers to build robot software sys- tems from reusable, off-the-shelf components. Systems are often built by customizing and connecting components into a working ensemble via configuration files. While reusable components allow developers to quickly prototype working robots in theory, in prac- tice, ensuring that those components are configured and connected appropriately is fundamentally challenging, as evidenced by the large number of questions asked on developer forums. Developers must be careful to abide by the assumptions of individual compo- nents, which are often unchecked and unstated when building their systems. Failure to do so can result in misconfigurations that are only discovered once the robot is deployed in the field, at which point errors may lead to unpredictable and dangerous behavior. De- spite misconfigurations having been studied in the broader context of software engineering, robotics software (and ROS in particular) poses domain-specific challenges with potentially disastrous conse- quences. To understand and improve the reliability of ROS projects, it is critical to identify the types of misconfigurations developers face. To that end, we study ROS Answers, a Q&A platform, to iden- tify and categorize misconfigurations during ROS development. We then conduct a literature review to assess the coverage of these misconfigurations using existing detection techniques. In total, we find 12 high-level categories and 50 sub-categories of misconfigura- tions. Of these categories, 27 are not covered by existing techniques. To conclude, we discuss how to tackle those misconfigurations in future work.},
NOTE = {To appear},
KEYWORDS = {Robot Adaptation} }
|
|
|