Declarative Model Query Framework for Monitoring Heterogeneous Embedded Systems
Gergely Varr´o
As contemporary embedded systems are more often organized into a network, the relevance of security issues, namely, to detect possible threats by monitoring, and to defeat attacks by eliminating weak points of system architecture via recon- figuration has significantly increased. The model-driven development of security monitors requires (i) an integrated model-based layer to hide the heterogeneity of data sources (like sensors and actuators), and (ii) critical situations to be formal- ized as declarative queries.
To support this application scenario, I plan to elaborate ahigh-level declarative query framework interacting with heterogeneous data sources via a model- based interface. The framework will provide support for incremental query execution over hybrid data sources.
1 Motivation
Embedded systems are integral parts of our everyday life due to their wide-spread appearance in automobiles, airplanes, and medical instruments. As characteris- tic specificities, these systems require (i) support for operations over hybrid data sources (like model-based repositories, configuration files, or relational databases), (ii) end-to-end traceability from high-level models to deployed artifacts, and (iii) real-time data processing.
Since recent embedded systems are frequently organized into a network, their security becomes a highly relevant issue. More specifically, developing solutions to protect these systems from manipulation has high priority.
The protection of distributed embedded systems typically involves (i) moni- toring tasks to detect the appearance or disappearance of forbidden or required patterns, and (ii) run-time reconfiguration tasks to eliminate those structures of the overall system architecture that are considered weak from security aspects.
Research activities in the field of security monitoring have typically focused on observing the communication between applications with a fixed structure, while the supervision of reconfiguration activities was out-of-scope until recently despite the large variety of their application areas (like ad-hoc networks, peer-to-peer systems, car-to-car communication, etc.).
Reconfiguration tasks can be implemented according to the process of Model- Driven Development (MDD) as demonstrated by several rule-based [1], automata- driven [2], or aspect-oriented [3] approaches.
The rule-based technique of graph transformation (GT) [4] is an appropriate choice to specify system restructuring operations due to its well-founded formal background. The viability of the approach is illustrated, e.g., by [5], which pro- posed to combine the concepts of timed automata and graph transformation to de- fine reconfiguration tasks.
When reconfiguration operations of distributed embedded systems are speci- fied in a model-driven way and by graph transformation rules, the corresponding monitoring conditions, which typically describe critical situations and threats, are formalized asdeclarative queriesoperating on an integratedmodel-based layer with object-oriented data representation, which can hide the underlying hybrid data sources(see Fig. 1).
Real-time data source Model-based
data source Relational
data source
Relational DBMS
Model
repository Sensor Integrated system model (EMF, etc) Queries (for threats, violations, etc)
Heterogeneous data sources
Distributed real-time embedded system Computer2
Computer1 HW Controller3
Figure 1: Queries operating on heterogeneous data sources
According to the graph transformation approach, queries are evaluated by per- formance critical pattern matching algorithms at execution time. These algorithms should be able to handle model navigations on data sources operating in either passive, or active communication mode. In case of passive data sources, the main challenge of performing navigations lies in the heterogeneity of data representation in different repositories. However, for active data sources, monitors should addi- tionally be able to react to real-time model changes by calculating threat patterns fast, which requires efficient optimization techniques (e.g., [6, 7, 8]) to appear in implementations. Among these approaches, incremental pattern matching [9]
can be particularly useful as reconfigurations typically alter only a small fraction of the system.
As a summary, this research proposal contributes towards the model-driven development and incremental evaluation of monitoring queries appearing in self-
This project assumes a strong collaboration and my deep involvement in the research activities of the Host Institute. In this sense, the Real-Time Systems Lab of TU Darmstadt can provide the application domain knowledge and know-how needed for building the query framework appropriately in distributed embedded systems, while my expertise in designing and implementing efficient (incremental) algorithms for model-driven development processes supports the production of an advanced and fast monitoring module.
The proposed query framework could directly contribute (i) to a subtask of the CASED project, which investigates security issues for embedded systems, and fo- cuses on monitoring distributed systems and on self-reconfiguration concepts, and (ii) to the activities of the DFG research group QuaP2P, which studies monitoring and self-optimization concepts of peer-to-peer systems. In this sense, my research could establish links to two very important projects at TU Darmstadt.
2 State of the art and research challenges
2.1 Interfacing with repositories
For data representation, repositories internally use a relational or an object-oriented data model. When they operate on a relational data model like in case of relational database management systems (RDBMSs) and they are aimed to be accessed via an object-oriented interface, an object-relational mapping (e.g., Hibernate) is used to bridge the gap between internal and external data representation. Even reposi- tories, which operate on an object-oriented data model, can be obviously accessed directly via model-based interfaces, which typically conform to the metamodel- ing framework of the Unified Modeling Language (UML), the Eclipse Modeling Framework (EMF), the Java Metadata Interface (JMI), Entity Data Models (EDM), the Universal Data Model (UDM), Enterprise Java Beans (EJB), or the Visual and Precise Metamodeling (VPM) language.
Though these solutions are appropriate for software running on ,,traditional”
computers, they are insufficient for embedded systems due tolack of general sup- port for accessing low-level data structures of sensors and activators in an object-oriented way.
This challenge has already been recognized by OMG, when formulating the Common Warehouse Metamodel (CWM) standard as it supports a large variety of data models (including record-based, relational, and object-oriented representa- tions), and provides a specification language for transformations as well, butCWM lacks proper implementations for model query tasks.
2.2 Query execution over multiple data sources
Execution of SQL queries on relational data sources has been investigated for decades, and as a result many sophisticated algorithms and techniques have been
developed. However, when relational databases are hidden behind an object-ori- ented data representation layer by object-relational mappings, the execution of declarative model-based queriesprovided by the corresponding frameworks of these mappings frequently has suboptimal performance and cannot be influ- enced by domain experts.
When purely model-based repositories are used, a large variety of model trans- formation tools (such as AGG [10], ATL [11], Declarative QVT [12], Fujaba [13], GrGen [14], MOFLON [15], oAW [16], VIATRA [17]) becomes available, which internally perform querying tasks as a part of their translation engines. Unfortu- nately, state-of-the-art transformation engines are monolithic, and query handling modules are not separated from the rest of the system on either the specification or the implementation level. As a result, the direct application of these tools is inappropriate for monitoring embedded systems.
Besides general-purpose model transformation tools, several model-based que- ry approaches (like EMF Query) exist, which also fulfill all the basic criteria needed for the model-driven development of monitors. However, each such tool supports only model-based data sources, which prevents to perform monitoring in a heterogeneous repository environment.
2.3 Query optimization techniques
In current tools, topological restrictions in queries are expressed by either OCL expressions or graph patterns.
When OCL expressions are used, the direction of link traversals must be de- fined explicitly. This approach may have a significant negative impact on the per- formance of the tool if topological restrictions are checked in a wrong order.
Though valuable initiatives already exist for transforming OCL expressions to their equivalents [18], this technique still requires manual interaction from the user, which is unacceptable as system developers are typically inexperienced in the question of efficient query execution. As a summary,OCL-based solutions and implementations for the efficient checking of topological restrictions are still missing.
When topological restrictions are expressed by graph patterns, many sophisti- cated data structures and algorithms become available to execute queries efficiently as valuable research has been carried out for decades in the field of graph transfor- mation.
When query evaluation is performed on passive data sources, several batch techniques including adaptive [6, 19], parallel [7], and recursive [8, 20] graph pat- tern matching algorithms can be used for performance optimization. However, these approaches might be inefficient when manipulations are initiated by active data sources in real-time. For such a situation,incremental graph pattern match- ing[9] might be more appropriate, but this techniquehas not been exploited for monitoring embedded systems.
3 Objectives
As a response to problems mentioned in Section 2, I plan to elaborate ahigh-level model query framework interacting with various model repositoriesaccording to the following design guidelines. The framework should
Objective 1. interact withvarious data sources,
Objective 2. acceptdeclarative query specification for security monitoring, Objective 3. provide supportfor the execution of queries over hybrid data sources, Objective 4. strongly focus onincremental query evaluation.
The overall architecture of the proposed framework is presented in Fig. 2.
Query execution
Query specification
Query service API Query
language
Query language extension1
Notification
Data source1
Notification in Data source1
Monitoring system Query framework
Figure 2: Architecture of the proposed framework
In order to integrate a data source into the query framework, (i) an extension is prepared as a descendant of a declarative query specification language, and (ii) the general notification mechanism of the framework is extended by a data source specific module at design-time. By using the declarative specification language, end-users define queries as compile-time inputs of the framework.
During runtime operation, which is shown by red arcs, the query execution module communicates with passive and active data sources by performing navi- gations, and by processing notification messages about model changes by an in- cremental algorithm, respectively. Results of queries are requested by the overall monitoring system via the Query service API.
4 Project plan
The breakdown of research activities is summarized below on a work package ba- sis.
4.1 Design of compile-time interaction interfaces.
Objectives. This work package focuses on the compile-time tasks of the query framework that can be used for monitoring self-reconfiguring systems. This re- quires a high-level and declarative repository independent query specification layer to be selected, which is later extended by repository-specific operations, which can be executed at runtime. Finally, a common notification framework and its data source specific extensions will be prepared to support efficient, incremental query execution.
Description of work.
Task 1.1 Selection of a query language.After evaluating existing query lan- guages, a metamodel based declarative specification language will be selected to support the capturing of queries in a model repository independent way for the purpose of security monitoring in ad-hoc networks. (Objective 2)
Task 1.2 Definition of repository-specific query language extensions.By using the metamodels of repository-specific data representations, an extension of the specification language will be provided by mapping high-level navigational constraints to repository-specific operations.
(Objective 1)
Task 1.3 Definition of notification mechanisms.In order to support the ef- ficient, incremental evaluation of queries, a notification framework will be defined, which is extended by data source specific notifica- tion mechanisms. (Objective 4)
Deliverables.
D1.1 Selection of a query language Report 2
D1.2 Definition of repository-specific query language exten- sions
Report 6 D1.3 Definition of notification mechanisms Report 8 The main innovation of this work package is a common specification layer for queriesby which repositories conforming to different data representations can be accessed and navigated on a uniform model-based interface.
4.2 Design of runtime execution framework
Objectives. This work package focuses on the development of runtime query ex- ecution framework. For this purpose, an interface will be defined for providing query services of the framework to its runtime environment for monitoring pur- poses. Finally, the incremental query execution engine will be developed.
Description of work.
Task 2.1 Specification of runtime interaction interfaces. Communication interfaces will be defined to control the runtime interactions be- tween the querying framework and its environment including the repositories that store the monitored models and the software com- ponents that use the query service. (Objective 1)
Task 2.2 Prototype for incremental query execution engine.A prototype incremental query execution engine will be developed. The engine will use the repository-specific access and notification interfaces during its operation. (Objective 3)
Deliverables.
D2.1 Specification of runtime interaction interfaces Report 11 D2.2 Prototype for incremental query execution engine Prototype 22 The main innovation of this work package is theincremental evaluation of queries, which tracks changes occurring in the underlying models, and avoids complete recalculations when queries are executed. This technique might be used for efficiently checking security properties of self-reconfiguring systems as restruc- turing operations typically affect small portions of these systems.
4.3 Case studies
Objectives. In order to evaluate the practical usefulness of the research results, case studies will be carried out aiming at the application of the query framework for monitoring purposes in embedded systems. Techniques and tools developed in previous work packages will be periodically assessed from validation perspective on the case studies.
Description of work.
Task 3.1 Case study for car-to-car communication.This task will show the usefulness of the query framework when applied in monitoring and self-healing processes in car-to-car communication.
Task 3.2 Case study for peer-to-peer networks.This task will demonstrate the usefulness of the query framework when applied in monitoring and self-optimization tasks in peer-to-peer social networks.
Deliverables.
D3.1 Case study for car-to-car communication Report 16 D3.2 Case study for peer-to-peer networks Report 24 The case studies are selected from the embedded system application do- main, where incremental evaluation of properties in monitoring tasks can be con- sidered novelty.
4.4 Research schedule
The schedule of work package tasks (with related deliverables) is summarized in Figure 3.
WP 1
Task 1.1 Selection of a query language
Design of compile-time interaction interfaces
Task 1.2 Definition of repository-specific query language extensions Task 1.3 Definition of notification mechanisms
WP 2 Design of runtime execution framework
Specification of runtime interaction interfaces Task 2.2 Prototype for incremental query execution engine WP 3 Case studies
Task 3.1 Case study for car-to-car communication Task 3.2 Case study for peer-to-peer networks Task 2.1
24 22 20 18 16 14 12 10 8 6 4 2
Figure 3: Research schedule
The project is divided into three 8-month phases. The first phase specifies the compile-time interaction interfaces of the framework, while the second deals with the basic development of the runtime execution engine. The third period aims at improving the performance of the system by using incremental pattern matching techniques. Corresponding parts of the first case study are prepared for the first two phases. The third phase is terminated by carrying out a complete case study from the domain of peer-to-peer networks.
5 Long-term impacts
In my research plan, I propose a well-defined query framework for efficiently han- dling navigations on graph-based models stored in heterogeneous repository envi- ronment. In addition, an implementation for incremental query execution is sug- gested for monitoring self-reconfiguring systems.
Impacts from security engineering viewpoint. Results of the proposed re- search are aimed to be directly applied in the field of security engineering to per- form security-related monitoring of embedded systems. More specifically, the query framework could be used to detect forbidden or required patterns to iden- tify and eliminate weak points in distributed embedded systems. This proposal assumes a strong cooperation with participants of the CASED research project of the Host Institute whose aim is to develop security monitors in a model-driven way.
The query framework will also be applicable in a peer-to-peer simulation plat- form (also developed at the Host Institute as part of the QuaP2P project) to initiate network reconfigurations specified with graph transformation.
Impacts from general model-driven development viewpoint. On a longer timescale, the proposed research may have the following additional positive effects in the process of developing general-purpose model transformation tools.
On one hand, domain experts can implement efficient query algorithms faster as the process of algorithm development can be detached from the model reposi- tory environment. On the other hand, pattern matching algorithms can be shared among different model transformation tools, which may accelerate their develop- ment cycle as it could rely on stable APIs, for which efficient implementations are provided by domain experts. Algorithm sharing can also facilitate the integration of general-purpose model transformation tools.
References
[1] Koral Ilgun, Richard A. Kemmerer, and Phillip A. Porras. State transition analysis: A rule-based intrusion detection approach. IEEE Transactions on Software Engineer- ing, 21(3):181–199, March 1995.
[2] Jay Ligatti, Lujo Bauer, and David Walker. Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security, 4(1–
2):2–16, February 2005.
[3] Zhi Jian Zhu and Mohammad Zulkernine. A model-based aspect-oriented framework for building intrusion-aware software systems.Information and Software Technology, 51(5):865–875, May 2009.
[4] Hartmut Ehrig, Gregor Engels, Hans-J¨org Kreowski, and Grzegorz Rozenberg, ed- itors. Handbook on Graph Grammars and Computing by Graph Transformation, volume 2: Applications, Languages and Tools. World Scientific, 1999.
[5] J¨urgen Gausemeier, Ursula Frank, Holger Giese, Florian Klein, Andreas Schmidt, Daniel Steffen, and Matthias Tichy. A design methodology for self-optimizing sys- tems. InProc. of the 6th Conference on Automation, Assistance and Embedded Real Time Platforms for Transportation, Braunschweig, Germany, February 2005.
[6] Gergely Varr´o, D´aniel Varr´o, and Katalin Friedl. Adaptive graph pattern matching for model transformations using model-sensitive search plans. In Gabor Karsai and Gabriele Taentzer, editors, Proc. of International Workshop on Graph and Model Transformation (GraMoT’05), volume 152 ofElectronic Notes in Theoretical Com- puter Science, pages 191–205, Tallinn, Estonia, September 2005.
[7] Gergely Mezei, Tiham´er Levendovszky, and Hassan Charaf. A distribution technique for graph rewriting and model transformation sytems. InIASTED International Con- ference on Parallel and Distributed Computing and Networks, Innsbruck, Austria, February 2007.
[8] Gergely Varr´o, ´Akos Horv´ath, and D´aniel Varr´o. Recursive graph pattern matching with magic sets and global search plans. In Manfred Nagl, Andy Sch¨urr, and Al- bert Z¨undorf, editors,Proc. of the 3rd International Symposium on Applications of Graph Transformation with Industrial Relevance, volume 5088 ofLecture Notes in Computer Science, pages 456–470, Kassel, Germany, 2008. Springer.
[9] G´abor Bergmann, Andr´as ¨Okr¨os, Istv´an R´ath, D´aniel Varr´o, and Gergely Varr´o. In- cremental pattern matching in the VIATRA model transformation system. In Ga- bor Karsai and Gabriele Taentzer, editors,Proc. of the 3rd International Workshop on Graph and Model Transformation, pages 25–32, Leipzig, Germany, May 2008.
ACM.
[10] Claudia Ermel, Michael Rudolf, and Gabriele Taentzer. In [4], chapter The AGG- Approach: Language and Tool Environment, pages 551–603. World Scientific, 1999.
[11] Fr´ed´eric Jouault, Freddy Allilaire, Jean B´ezivin, and Ivan Kurtev. ATL: A model transformation tool.Science of Computer Programming, 72(1–2):31–39, June 2008.
[12] QVT Partners.Revised submission for MOF 2.0 Query/Views/Transformations RFP, August 2003.http://qvtp.org/.
[13] Ulrich Nickel, J¨org Niere, and Albert Z¨undorf. The FUJABA environment. InProc.
of the 22nd International Conference on Software Engineering, pages 742–745. ACM Press, 2000.
[14] Rubino Geiß, Veit Batz, Daniel Grund, Sebastian Hack, and Adam M. Szalkowski.
GrGen: A fast SPO-based graph rewriting tool. InProc. of the 3rd International Con- ference on Graph Transformation, pages 383–397, Natal, Brazil, September 2006.
Springer Verlag.
[15] Carsten Amelunxen, Alexander K¨onigs, Tobias R¨otschke, and Andy Sch¨urr.
MOFLON: A standard-compliant metamodeling framework with graph transforma- tions. In Arend Rensink and Jos Warmer, editors,Proc. of the 2nd European Con- ference on Model Driven Architecture - Foundations and Applications, volume 4066 of Lecture Notes in Computer Science, pages 361–375, Bilbao, Spain, July 2006.
Springer Verlag.
[16] Sven Efftinge, Peter Friese, Arno Haase, Clemens Kadura, Bernd Kolb, Dieter Moroff, Karsten Thoms, and Markus V¨olter. openArchitectureWare 4.2 user guide, September 2007. http://www.eclipse.org/gmt/oaw/doc/4.2/
openArchitectureWare-42-reference.pdf.
[17] Andr´as Balogh and D´aniel Varr´o. Advanced model transformation language con- structs in the VIATRA2 framework. InProc. of the 21st ACM Symposium on Applied Computing, pages 1280–1287, Dijon, France, April 2006. ACM Press.
[18] Jordi Cabot and Ernest Teniente. Transformation techniques for OCL constraints.
Science of Computer Programming, 68(3):179–195, October 2007.
[19] Gernot Veit Batz. An optimization technique for subgraph matching strategies. Tech- nical Report 2006-7, Universit¨at Karlsruhe, April 2006.
[20] Michael Lawley and Jim Steel. Practical declarative model transformation with Tefkat. In Jean B´ezivin, Bernhard Rumpe, Andy Sch¨urr, and Laurence Tratt, editors, Proc. of the International Workshop on Model Transformation in Practice (MTiP 2005), October 2005.http://sosym.dcs.kcl.ac.uk/events/mtip05/.
