Model-Based Run-Time Synthesis of Architectural Configurations for Adaptive MILS Systems

  • Alessandro Cimatti
  • Rance DeLong
  • Ivan Stojic
  • Stefano Tonetta
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11698)


In order to be resilient, a system must be adaptable. Trustworthy adaptation requires that a system can be dynamically reconfigured at run-time without compromising the robustness and integrity of the system. Adaptive MILS extends MILS, a successful paradigm for rigorously developed and assured composable static systems, with reconfiguration mechanisms and a framework within which those mechanisms may be safely and securely employed for adaptation.

In this paper, we address the problem of synthesizing trustworthy reconfigurations at run-time, taking into account the entwining of information flows and reconfigurations. The approach is based on a new extension of the Architecture Analysis & Design Language (AADL), already used for specifying MILS policy architectures, which is now enhanced to specify the configuration state space in terms of parameters, the possible reconfigurations, monitoring properties and the related alarms. Supporting tools have been developed for the run-time synthesis of new architectural configurations that preserve safety and security properties formalized in terms of invariants and information flow.


Keywords: Safety and security; MILS; Reconfiguration; Adaptive systems; Model-based systems engineering; Formal specification



This work was supported by the CITADEL Project, funded by the Horizon 2020 Programme of the European Union (grant agreement no. 700665).



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Alessandro Cimatti (1)
  • Rance DeLong (2)
  • Ivan Stojic (1)
  • Stefano Tonetta (1)
  1. FBK-irst, Trento, Italy
  2. The Open Group, Reading, UK
