Christopher Gerking

The MechatronicUML method: model-driven software engineering of self-adaptive mechatronic systems

The software of mechatronic systems interacts with the systems physical environment. In such systems, an incorrect software may cause harm to human life. As a consequence, software engineering methods for developing such software need to enable developers to effectively and efficiently proof their correctness. This is further complicated by additional characteristics of mechatronic systems as self-adaptation and coordination with other systems. In this poster, we present MechatronicUML which is a model-driven software engineering method that especially considers these characteristics of self-adaptive mechatronic systems.

Generating Modelica Models from Software Specifications for the Simulation of Cyber-Physical Systems

Future smart systems will provide functionality by dynamically interacting with each other in cyber-physical systems. Such interactions require a message-based coordination under hard real-time constraints. This is realized by complex software, which combines discrete, state-based behavior with continuous behavior controlling the dynamics of the physical system parts. The development methods and tools for these kinds of software are not well integrated so far. For the modeling and simulation of physical and continuous control behavior, Modelica can be used. For modeling the discrete coordination behavior, MECHATRONICUML (MUML) can be used, which in addition offers a formal verification of safety requirements like deadlock-freedom of interactions, for example. We introduce in this paper an automatic transformation for formally verified MUML models into Modelica to ensure that the discrete state-based software correctly interacts with the continuous control software, physical parts, and a plant model. We illustrate this concept by means of a car-to-car coordination scenario.

A tool suite for the model-driven software engineering of cyber-physical systems

Cyber-physical systems, e.g., autonomous cars or trains, interact with their physical environment. As a consequence, they commonly have to coordinate with other systems via complex message communication while realizing safety-critical and real-time tasks. As a result, those systems should be correct by construction. Software architects can achieve this by using the MechatronicUML process and language. This paper presents the MechatronicUML Tool Suite that offers unique features to support the MechatronicUML modeling and analyses tasks.

How to Efficiently Build a Front-End Tool for UPPAAL: A Model-Driven Approach

We propose a model-driven engineering approach that facilitates the production of tool chains that use the popular model checker Uppaal as a back-end analysis tool. In this approach, we introduce a metamodel for Uppaal ’s input model, containing both timed-automata concepts and syntax-related elements for C-like expressions. We also introduce a metamodel for Uppaal ’s query language to specify temporal properties; as well as a metamodel for traces to interpret Uppaal ’s counterexamples and witnesses. The approach provides a systematic way to build software bridging tools (i.e., tools that translate from a domain-specific language to Uppaal ’s input language) such that these tools become easier to debug, extend, reuse and maintain. We demonstrate our approach on five different domains: cyber-physical systems, hardware-software co-design, cyber-security, reliability engineering and software timing analysis.

Towards Safe Execution of Reconfigurations in Cyber-Physical Systems

The component-based software architecture of a cyber-physical system (CPS) is often subject to structural reconfigurations in response to changing environmental conditions. When introducing reconfigurations to CPS, it is mandatory to ensure that the execution of a reconfiguration does not compromise the safety of the system, e.g., by causing a violation of hard real-time constraints. Existing approaches for ensuring safe reconfiguration do not consider such hard realtime constraints or the interaction of a CPS with its physical environment. Thus, they can not detect all relevant unsafe situations. In this paper, we introduce a novel approach that is based on a design-time specification of conditions for unsafe states combined with a runtime evaluation of these conditions. This enables to detect all relevant unsafe states with respect to a requested reconfiguration at runtime. We illustrate our approach based on a smart railway system.

Model Checking the Information Flow Security of Real-Time Systems

Cyber-physical systems are processing large amounts of sensitive information, but are increasingly often becoming the target of cyber attacks. Thus, it is essential to verify the absence of unauthorized information flow at design time before the systems get deployed. Our paper addresses this problem by proposing a novel approach to model-check the information flow security of cyber-physical systems represented by timed automata. We describe the transformation into so-called test automata, reducing the verification to a reachability test that is carried out using the off-the-shelf model checker Uppaal. Opposed to related work, we analyze the real-time behavior of systems, allowing software engineers to precisely identify timing channels that would enable attackers to draw conclusions from the system’s response times. We illustrate the approach by detecting a timing channel in a simplified model of a cyber-manufacturing system.

Model-driven test case design for model-to-model semantics preservation

Model transformations used in model-driven software development need to be semantics-preserving, i.e., the meaning of a model must not be distorted by the transformation. Testing whether a transformation preserves the dynamic semantics of a model requires oracles such as model checkers, which explore the runtime statespace of models. The high amount of repetitive code to integrate heterogeneous transformation engines and test oracles makes the design of semantics preservation tests a tedious task. In this paper, we apply the approach of model-driven testing to the domain of model transformation. We present a visual domain-specific language for the design of model transformation tests, which reduces test cases to their essential components. Our language enables an immediate execution of test cases with precise validation feedback. We evaluate our approach in terms of a case study based on the MechatronicUML modeling language for the software development of cyber-physical systems.

Towards ensuring security by design in cyber-physical systems engineering processes

Engineering cyber-physical systems secure by design requires engineers to consider security from the ground up. However, current systems engineering processes are not tailored to cyber-physical systems, or lack an integration with security engineering. In this paper, we integrate secure software engineering practices into an engineering process for cyber-physical systems. Thereby, we enable engineers to specify security requirements at the level of systems engineering, and to take effective countermeasures during both platform-independent and platform-specific software engineering. Our key contribution is the integration of threat models for tracing security requirements to countermeasures. We illustrate our approach by an autonomous car with high security requirements.

Reducing the Verbosity of Imperative Model Refinements by Using General-Purpose Language Facilities

Refinements are model transformations that leave large parts of the source models unchanged. Therefore, if refinements are executed outplace, model elements need to be copied to the target model. Refinements written in imperative languages are increasingly verbose, unless suitable language facilities exist for creating these copies implicitly. Thus, for languages restricted to general-purpose facilities, the verbosity of refinements is still an open problem. Existing approaches towards reducing this verbosity suffer from the complexity of developing a higher-order transformation to synthesize the copying code. In this paper, we propose a generic transformation library for creating implicit copies, reducing the verbosity without a higher-order transformation. We identify the underlying general-purpose language facilities, and compare state-of-the-art languages against these requirements. We give a proof of concept using the imperative QVTo language, and showcase the ability of our library to reduce the verbosity of an industrial-scale transformation chain.

Industrial Security by Design

1 Einleitung . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2 Bedrohungsszenarien . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3 Nachverfolgung der Informationssicherheit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 4 Stand der Technik . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 5 Fazit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Literatur . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20