Hybrid Rebeca: Modeling and Analyzing of Cyber-Physical Systems


Authors: Iman Jahandideh, Fatemeh Ghassemi, Marjan Sirjani

Iman Jahandideh¹, Fatemeh Ghassemi¹ and Marjan Sirjani²,³
¹ School of Electrical and Computer Engineering, University of Tehran, {jahandideh.iman,fghassemi}@ut.ac.ir
² School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden, marjan.sirjani@mdh.se
³ School of Computer Science, Reykjavik University, Reykjavik, Iceland

Abstract. In cyber-physical systems like automotive systems, there are components like sensors, actuators, and controllers that communicate asynchronously with each other. The computational model of actors supports modeling distributed asynchronously communicating systems. We propose the Hybrid Rebeca language to support modeling of cyber-physical systems. Hybrid Rebeca is an extension of the actor-based language Rebeca. In this extension, physical actors are introduced as new computational entities to encapsulate physical behaviors. To support various means of communication among the entities, the network is explicitly modeled as a separate entity from actors. We derive hybrid automata as the basis for analysis of Hybrid Rebeca models. We demonstrate the applicability of our approach through a case study in the domain of automotive systems. We use the SpaceEx framework for the analysis of the case study.

Keywords: Actor model · Cyber-physical systems · Hybrid automata.

1 Introduction

Embedded systems consist of microprocessors which control a physical behavior. Ninety-eight percent of all microprocessors are manufactured as components of embedded systems [25]. In such hybrid systems, physical and cyber behaviors, characterized as continuous and discrete respectively, affect each other. Cyber-physical systems (CPSs) are heterogeneous systems with tight interactions between physical and software processes, where components in the system usually communicate through a network.
These systems are used in a wide variety of safety-critical applications, from automotive and avionic systems to robotic surgery and smart grids. This makes verifying and analyzing CPSs one of the main concerns while developing such systems. Model-based design is an effective technique for developing correct CPSs [7]. It relies on models specifying the behavior of the system, often in a formal way. Using models instead of physical realizations of the system, besides reducing the costs of development, can provide new insights early in the design process and enable analyzing the system behavior in many complex situations that cannot easily be reproduced in its real environment. Furthermore, formal and extensive analysis of the model can provide more confidence in the correctness of the system. The heterogeneity of CPSs creates new modeling challenges that stem from interactions between different kinds of components. New theories and tools are needed to facilitate designing and analyzing CPSs. Furthermore, for dealing with such systems with complicated and heterogeneous components, besides expressive power, a level of friendliness is appealing in design tools. This friendliness can be as important as expressiveness [21]. Friendliness is evaluated by its faithfulness to the system it is modeling, and usability to the modeler. Existing modeling frameworks for hybrid systems such as hybrid automata [3,10] and hybrid Petri nets [5] can be used to model CPSs. The former has higher analysis power, while the latter can be more easily used for modeling event-based systems [5]. Due to the existence of a network in CPSs, the modeling power provided by these frameworks is not satisfactory for systems composed of many interacting heterogeneous entities.
In the automotive domain, ECUs, sensors and actuators may be connected directly by wire or through a communication medium such as a serial bus. Improving the level of abstraction is beneficial to reduce errors introduced during the design process and to improve the perception of the model. The computation model of actors provides a suitable level of abstraction to faithfully model distributed asynchronously communicating systems [2,11]. Actors are units of computation which can only communicate by asynchronous message passing. Each actor is equipped with a mailbox in which the received messages are buffered. We extend the actor-based language Rebeca with physical behavior to support hybrid systems. Additionally, we need to support various types of communication, namely wired connections with no delay, serial buses with deterministic behavior, and wireless communication among the actors. So, we decided not to model the behavior of the network as an actor within a model, and instead model it as a separate entity. To implement the extended actor model, we propose Hybrid Rebeca as an extension of (Timed) Rebeca [23,1]. Rebeca provides an operational interpretation of the actor model through a Java-like syntax. Its timed extension supports modeling of computation time and network delay for message communication. Hybrid Rebeca extends Timed Rebeca with continuous behaviors based on our extended actor model. Hybrid Rebeca defines two types of classes, software and physical. Software classes are similar to reactive classes in the Rebeca language, where the computational behaviors are defined by message servers. Physical classes, in addition to message servers, can also contain different modes, where the continuous behaviors are specified. A physical actor (which is instantiated from a physical class) must always have one active mode.
This active mode defines the runtime continuous behavior of the actor. By changing the active mode of a physical actor, it is possible to change the continuous behavior of the actor. In this version, the CAN network is defined as the network model for communications of the actors. Actors can communicate with each other either through the CAN network or directly by wire. Since CAN is a priority-based network, a priority must be assigned to the messages that are sent through CAN. Real-valued variables are added on which continuous behaviors are defined. The modes of physical classes are similar to the concept of locations in hybrid automata, and to solve these behaviors, the semantics of Hybrid Rebeca is defined as a hybrid automaton, for which many verification algorithms and tools are available. The main contribution of the paper can be summarized as providing an actor-based formalism that supports "friendliness" with a small number of primitive concepts. In particular, it distinguishes between software and physical actors and supports two types of connections among actors (in principle one could have more types). A tool which automatically derives a hybrid automaton from a given model is implemented, which is suitable for formal reachability analysis. The rest of the paper is structured as follows. The next section defines hybrid automata, the actor model and the Rebeca language. Section 3 presents our extended actor model for modeling CPSs. In Section 4 the syntax and semantics of the Hybrid Rebeca language are defined. Section 5 presents our case study and its results. In Section 6 we briefly mention some related works. In Section 7 we discuss one of our design decisions for our extended actor model. The conclusion is presented in Section 8.
2 Preliminaries

As we define the semantics of our framework based on hybrid automata, we first provide an overview of this model and then explain the actor model and Timed Rebeca.

2.1 Hybrid Automata

Hybrid automata (HA) [3,10] are a formal model for systems with discrete and continuous behaviors. Informally, a hybrid automaton is a finite state machine consisting of a set of real-valued variables, modes and transitions. Each mode, which we also call a location, defines a continuous behavior on the variables of the model. The continuous behaviors, or flows, are usually described by ordinary differential equations which define how the values of the variables change with time. Transitions act as discrete actions between continuous behaviors of the system, where the variables can change instantaneously. In Fig. 1 a hybrid automaton for a simple heater model is presented. The variable t represents the temperature of the environment. The locations named off and on define the continuous behavior of the temperature when the heater is off and on, respectively. For each location, the flow of the temperature is defined accordingly. The transition with the guard t == 22 states that when the temperature is equal to 22 the heater can be turned off. In a hybrid automaton, the choice between staying in one location and taking an enabled transition is nondeterministic. To make the turning-off behavior deterministic, the invariant t ≤ 22 is defined in the on location. This invariant states that the heater can only stay in this location as long as the temperature is less than 22. The turning-on behavior of the heater is defined similarly. Initially the heater is off and the temperature is 20.

[Fig. 1: location on with flow ṫ = 4 − 0.1t and invariant t ≤ 22; location off with flow ṫ = −0.1t and invariant t ≥ 18; transition on → off guarded by t == 22; transition off → on guarded by t == 18; initial location off with t = 20.]

Fig. 1. A hybrid automaton for a heater which consists of two locations (modes) named on and off.
Each location defines a flow and an invariant on the variable t, which is the temperature. The mode of the heater changes by means of guarded transitions between the locations. The initial location is off and the initial value of t is 20.

Let a valuation v : V → Val be a function that assigns a value to each variable of V, where Val is the set of values, defined by the context. We denote the set of valuations on the set of variables V as V(V). Formally, a hybrid automaton is defined by the tuple (Loc, Var, Lab, ⇒, Flws, Inv, Init) as follows:
– Loc is a finite set of locations,
– Var is a finite set of real-valued variables,
– Lab is a finite set of synchronization labels,
– ⇒ is a finite set of transitions. A transition is a tuple (l, a, µ, l′) ∈ ⇒ where l ∈ Loc is the source location, l′ ∈ Loc is the destination location, a ∈ Lab is a synchronization label and µ ∈ V(Var)² is a transition relation on variables. The elements of µ = (v, v′) represent the valuation of the variables before and after taking the transition. In some models, like in our example, this transition relation is represented with a guard and a set of assignments on the variables. The guard defines the valuation v and the assignments define the valuation v′.
– Flws is a labeling function that assigns a set of flows to each location l ∈ Loc. Each flow is a function from R≥0 → V(Var). Each flow specifies how the values of variables evolve over time. A flow is usually defined by a dotted variable v̇ which represents the first derivative.
– Inv is a labeling function that assigns an invariant Inv(l) ⊆ V(Var) to each location l ∈ Loc,
– Init is a labeling function that assigns an initial condition Init(l) ⊆ V(Var) to each location l ∈ Loc.

In the example given in Fig. 1, the locations and the variables are defined as Loc = {on, off} and Var = {t}, respectively. Since our example only consists of a single automaton, Lab = ∅ and the label on the transitions is not shown for brevity. Also, the transition relations only consist of guards and the assignments are empty. The flows and the invariant of each location are defined on the location itself. The initial condition for location off is Init(off) = {t = 20} and for location on is Init(on) = ∅. Note that in our language we do not use primed variables of the form v′ to represent the valuation after discrete transitions. We use v′ instead of v̇ to represent the first derivative of variable v.

2.2 Actor Model and Timed Rebeca

The actor model is used for modeling distributed systems. It was originally proposed by Hewitt [11]. In this model actors are self-contained and concurrent [2] and can be regarded as units of computation. Any communication is done through asynchronous message passing on a fair medium where message delivery is guaranteed but is not in order. This model abstracts away network effects like delays, message conflicts, node crashes, etc. In this model each actor has an address and a mailbox which stores the received messages. The behavior of an actor is defined in its message handlers, called methods. The methods are executed by processing the messages. To extend the actor model with hybrid concepts for specifying CPSs, we use Rebeca as our basis framework and hence use the terms actor model and Rebeca interchangeably in this paper. Rebeca [23] is a formal actor-based modeling language and is supported by model checking tools to bridge the gap between formal methods and software engineering. Rebeca provides an operational interpretation of the actor model through a Java-like syntax.
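Returning to the heater of Section 2.1: the following Python script is an added illustration, not code from the paper or from the Hybrid Rebeca tool. It encodes the heater as the tuple (Loc, Var, Lab, ⇒, Flws, Inv, Init), with each transition relation µ split into a guard and an assignment as in Fig. 1, and simulates it with a fixed-step Euler integration. The class and function names, the step size dt and the guard tolerance tol are assumptions of this example (a guard of the form t == c is treated as satisfied within tol of c, so tol must be at least dt times the largest slope). The simulation resolves the nondeterministic choice between staying and switching by staying as long as the invariant permits; with the invariants removed (with_invariants=False) nothing ever forces the automaton out of off, which is exactly the point the text makes about the invariant t ≤ 22.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Valuation = Dict[str, float]
Pred = Callable[[Valuation], bool]


@dataclass(frozen=True)
class Transition:
    """(l, a, mu, l'): mu is given as a guard plus an assignment, as in Fig. 1 (labels omitted)."""
    src: str
    dst: str
    guard: Pred
    assign: Callable[[Valuation], Valuation]


@dataclass
class HybridAutomaton:
    loc: List[str]
    var: List[str]
    trans: List[Transition]
    flws: Dict[str, Callable[[Valuation], Valuation]]  # location -> derivative of each variable
    inv: Dict[str, Pred]                                # location -> invariant
    init: Tuple[str, Valuation]                         # initial location and valuation


def heater(tol: float = 0.003, with_invariants: bool = True) -> HybridAutomaton:
    """The heater of Fig. 1. `tol` (an assumption of this example) is the width within which a
    guard t == c counts as satisfied; it must be >= dt * max slope of the flows."""
    def eq(var: str, c: float) -> Pred:
        return lambda v: abs(v[var] - c) <= tol

    always: Pred = lambda v: True
    return HybridAutomaton(
        loc=["off", "on"],
        var=["t"],
        trans=[Transition("on", "off", eq("t", 22.0), lambda v: dict(v)),   # no assignments
               Transition("off", "on", eq("t", 18.0), lambda v: dict(v))],
        flws={"on": lambda v: {"t": 4.0 - 0.1 * v["t"]},
              "off": lambda v: {"t": -0.1 * v["t"]}},
        inv={"on": (lambda v: v["t"] <= 22.0) if with_invariants else always,
             "off": (lambda v: v["t"] >= 18.0) if with_invariants else always},
        init=("off", {"t": 20.0}),
    )


def simulate(ha: HybridAutomaton, horizon: float, dt: float = 0.001):
    """Fixed-step simulation. The choice between staying and taking an enabled transition is
    resolved lazily: the run stays in its location while the invariant holds and switches only
    when the next step would violate it. Returns (switches, final location, final valuation)."""
    loc, v = ha.init[0], dict(ha.init[1])
    time = 0.0
    switches: List[Tuple[str, str, float]] = []
    while time < horizon:
        deriv = ha.flws[loc](v)
        nxt = {x: v[x] + dt * deriv[x] for x in ha.var}   # Euler step of the current flow
        if ha.inv[loc](nxt):
            v, time = nxt, time + dt
            continue
        enabled = [tr for tr in ha.trans if tr.src == loc and tr.guard(v)]
        if not enabled:
            raise RuntimeError(f"stuck in {loc} at time {time:.3f}: invariant about to fail "
                               "and no transition is enabled")
        tr = enabled[0]   # more than one enabled transition would be a real nondeterministic choice
        switches.append((tr.src, tr.dst, round(time, 3)))
        loc, v = tr.dst, tr.assign(v)
    return switches, loc, v


if __name__ == "__main__":
    print(simulate(heater(), horizon=5.0))                         # switches at about 1.054 and 3.061
    print(simulate(heater(with_invariants=False), horizon=5.0))    # never leaves off
```

With the invariants in place the run leaves off when t reaches 18 (after about 1.05 time units, since ṫ = −0.1t from 20) and leaves on when t reaches 22 (about 2.0 time units later); without them the lazy simulator stays in off and the temperature keeps decaying, which is what the paragraph means by the choice being nondeterministic unless the invariant forces it.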
It also offers a compositional verification approach to deal with the state-space explosion problem in model checking. Because of its design principle it is possible to extend the core language for a specific domain [22]. For example, different extensions have been introduced in various domains such as probabilistic systems [24], real-time systems [1], software product lines [20], and broadcasting environments [26]. In Rebeca, actors are called rebecs and are instances of reactive classes defined in the model. Rebecs communicate with each other through asynchronous message passing, and a rebec's mailbox is modeled by a message queue. A reactive class consists of known rebecs to specify the rebecs it can communicate with, state variables to maintain the internal state, and message servers to define the reaction of the rebec to the received messages. The computation in a rebec takes place by removing a message from the message queue and executing its corresponding message server. Timed Rebeca [1] is an extension of Rebeca for distributed and asynchronous systems with timing constraints. It adds the timing concepts computation time, message delivery time and message expiration. These concepts are materialized by new constructs: delay, after, and deadline. In a Timed Rebeca model, each rebec has its own local clock, which can be considered as synchronized distributed clocks. The delay statement models the passage of time during the execution of a message server. Statements after and deadline are used in conjunction with send statements and specify the network delay and the message deadline, respectively.

3 Actor Model for CPSs

Extending the actor model for modeling cyber-physical systems can be divided into two parts: offering more concrete models for the network, and extending actors with physical behaviors.
Rebeca offers a fair and nondeterministic network model. For many applications of CPSs this network model is too abstract or completely invalid. For example, the Controller Area Network (CAN) [18] protocol is a dominant networking protocol in the automotive industry, which cannot be faithfully modeled by Rebeca's network model, as in this protocol messages are deterministically delivered to their receivers. Modeling the network as an explicit actor does not guarantee determinacy of message deliveries, as the network actor is executed concurrently with other actors; therefore its determinacy is affected by the interleaving semantics. In other words, the message delivery sequence by the network actor depends on the execution order of sending actors. So we modeled the network as a separate entity from the actors. To extend the actor model with physical behaviors, we decided to separate physical actors from software actors. In this approach software actors are similar to Timed Rebeca actors and the physical behaviors are defined in separate physical actors. Physical actors are similar to a hybrid automaton in syntax and semantics. Like a hybrid automaton, each physical actor consists of a set of modes. Each mode defines its flows, invariant, guard and actions, where actions are a set of statements. The actions are the effect of the mode when the continuous behavior is finished. A physical actor can only be in one mode (characterizing a specific continuous behavior) at any moment. In this approach the physical behavior of a system can easily be started, stopped or changed by changing the active modes of physical actors, either by the actor itself or by a request from another actor. As we focus on automotive systems, to make the network specification more concrete, in the first step we consider the CAN protocol in our language. CAN is a serial bus network where nodes can send messages at any moment.
When multiple nodes request to send a message at the same time, only the message with the highest priority is accepted and sent through the network. After a message is sent, the network chooses another message from the requested messages. The messages are sent through the network one by one. As messages in this protocol must have unique priorities, messages are deterministically communicated. Furthermore, we assume that all CAN nodes implement a priority-based buffer. This simplifies the network model, which can then be represented by a single global priority-based queue [6]. To implement this protocol, a unique priority must be assigned to each message and the communication delay between each two communicating actors must be specified. These specifications can be defined outside of the actors so that actors become agnostic about the underlying network of the model. This also makes the model more modular, since it is easier to change the network of the system without modifying the actors. Not all the actors communicate through CAN. Some of the actors may be connected by wire and have direct communication with each other. In our language, both types of communication are considered, and actors can communicate with each other either via wire or CAN.

[Fig. 2: software actors (thread, methods, mailbox, state) and physical actors (thread, methods, modes, mailbox, state + mode) exchanging messages either directly by wire or through CAN.]

Fig. 2. Hybrid Rebeca model: each actor has its own thread of control, message queue, and ID. In addition to these, physical actors have modes that are defined by a guard, an invariant, and actions. Actors can communicate with each other either by sending messages through CAN or directly by wire.
All messages, irrespective of the communication medium, are eventually inserted into their receiver's message queue. If two or more simultaneous messages (from wire or CAN) get inserted into a message queue, the resulting ordering will be nondeterministic. Note that there cannot be two simultaneous messages from CAN, since CAN is a serial bus. The resulting Hybrid Rebeca model is illustrated in Fig. 2.

4 Hybrid Rebeca

Hybrid Rebeca is an extension of Timed Rebeca to support physical behaviors. Timed Rebeca supports deadline specification for messages, but because of technical issues, Hybrid Rebeca does not support this feature. Other timing behaviors like network delay and computation time are supported. In Hybrid Rebeca we have two types of rebecs: software and physical. These rebecs communicate through asynchronous message passing. Each rebec has a queue for messages, and services the message at the head of the queue by executing the corresponding message server for that message. Software rebecs are for modeling software (discrete) behaviors. These rebecs are reactive and self-contained and they can have multiple message servers. Physical rebecs are for modeling physical (continuous) behaviors, and the physical behaviors are defined by their modes. For physical rebecs a reserved message server is defined for changing the rebec's active mode. Hybrid Rebeca has the concept of class for rebecs, and the rebecs of the model are instantiated from these classes in the main block. In the instantiation phase the connection type of the rebecs with each other must be defined. For now our language supports only two types of connection: CAN and wire. When rebecs communicate through wire, the communication delay is considered to be zero. After instantiating rebecs, the CAN specification must be defined.
4.1 Syntax

A Hybrid Rebeca model definition consists of a set of classes and a main block, where classes define different types of rebecs and main specifies the initial configuration and the CAN specification. The syntax of Hybrid Rebeca is presented in Fig. 3. The syntax of a software class is similar to a reactive class in Timed Rebeca, which resembles a class definition in Java. A software class consists of a set of known rebecs, state variables and message servers. The known rebecs are the rebecs that an instance of this class can send messages to. The syntax of message servers is like a method in object-oriented languages, except that they have no return value. The core statements of our language are variable/mode assignment, conditional, delay, and method calls. An actor can send a message asynchronously to other rebecs through method calls. A physical class is similar to a software class except that it also contains the definition of physical modes. The structure of a mode resembles a location in hybrid automata, and it consists of invariant, flows, guard and a set of actions. The comparison expression of an invariant and a guard expression are specified by the reserved words inv and guard, respectively. The actions following the guard expression, which are expressed as a statement block, define the behavior of the rebec upon leaving the corresponding mode. We remark that the next entering mode is either explicitly defined by the user through the statement setmode in the statement block, or the default mode none if it was not specified. Mode none is a special mode defined in all physical rebecs. This mode represents an idle behavior and its flows are defined as zero. Activating this mode can be interpreted as stopping the physical behavior of a physical rebec. Other rebecs can change the mode of a physical rebec by sending the message setMode.
Three primitive data types are available in Hybrid Rebeca: int, real, and float. Variables of types int and real are only allowed in software and physical classes, respectively. Message parameters and state variables can only be defined of primitive type, with some restrictions. Variables of type float can be used in both types of classes. Mathematically the float and real values are the same. However, to each real variable a flow is assigned which determines how its value evolves with time. A float variable can be used to capture the value of a real variable in different snapshots. This can be used in communication with software rebecs. The value of a float variable can be changed only by assignment, but the value of a real variable can be changed by both assignment and the flow defined on the variable. The assignment of a real value to a float is managed implicitly in the semantics and no explicit casting is needed. Every class definition must have at least one message server, named initial. In the initial state of the model, an initial message is put in every rebec's message queue. The state variables and behavior of rebecs are initialized by executing this message server. The keyword self is used for sending a message to the rebec itself. Rebecs are instantiated in the main block of the model. To instantiate a rebec, its known rebecs must be specified so that they are bound to the appropriate instances. Furthermore, for each known rebec, the connection type must also be specified, which can either be CAN or Wire. For example, by the statement A a(@Wire b, @CAN c) : (), a rebec named a is instantiated from the class A such that its known rebecs are b and c, while the communication from a to b is through wire and from a to c through CAN.
We remark that the connection type between two rebecs can be different for each communication direction. The pair of parentheses () after the colon represents the parameters of the initial message server (which is empty in this case). After instantiation, the CAN specification is defined on the messages that may be transmitted through CAN. This specification consists of two parts. First the priorities of these messages must be specified. To this aim, a unique priority is assigned to a message. For example, the statement a b.m 1; means that a message sent from rebec a to rebec b containing the message server name m has a priority of 1. A lesser number indicates a higher priority. After the priorities, the network delays of CAN communications are specified. For instance, the statement a b.m 0.01; expresses that the communication delay of sending a message from a to b containing the message server name m is 0.01.

Model ::= (SClass | PClass)+ Main
Main ::= main { InstanceDcl* CANSpec }
InstanceDcl ::= C r (⟨@CAN | @Wire r⟩*) : (⟨c⟩*)
CANSpec ::= CAN { Priorities Delays }
Priorities ::= priorities { ⟨r r.m c;⟩* }
Delays ::= delays { ⟨r r.m c;⟩* }
SClass ::= softwareclass C { KnownRebecs Vars MsgSrv* }
PClass ::= physicalclass C { KnownRebecs Vars MsgSrv* Mode* }
KnownRebecs ::= knownrebecs { VarDcl* }
Vars ::= statevars { VarDcl* }
VarDcl ::= T ⟨v⟩+ ;
MsgSrv ::= msgsrv m (⟨T v⟩*) { Stmt* }
Mode ::= mode m { inv (e) (v′ = e)+ guard (e) MSt }
Stmt ::= v = e; | Call; | if (e) MSt [else MSt] | delay (t); | setmode (m);
Call ::= r.m(⟨e⟩*) | r.setMode(m)
MSt ::= { Stmt* } | Stmt

Fig. 3. Abstract syntax of Hybrid Rebeca. The main differences in syntax compared to Timed Rebeca are highlighted in green.
Angle brackets ⟨ ⟩ denote meta parentheses; the superscripts + and * are used for repetition of one or more and zero or more times, respectively. The combination of ⟨ ⟩ with repetition is used for a comma-separated list. Brackets [ ] are used for optional syntax. Identifiers C, T, m, m, v, c and r denote class, primitive type, method name, mode name, variable, constant, and rebec name, respectively; and e denotes an expression.

Example. Here we use a part of our case study to show the basics of our language. The model of the case study is presented in Fig. 5. Our case study is a Brake-By-Wire (BBW) system with an Anti-lock Braking System (ABS). Here we only describe two classes, Wheel and WCtlr, which define the behavior of wheels and wheel controllers, respectively. The physical class Wheel has one known rebec ctlr, which is the wheel controller of the wheel. It also has three variables trq, spd and t, which are respectively the amount of torque that must be applied during braking, the speed of the wheel and an auxiliary timer for the periodic behavior of the wheel's sensor. In its initial message server, spd is initialized to the given value and the active mode of the rebec is set to the Rolling mode by using the setmode statement. Wheel defines a setter message server setTrq for updating the value of trq. This class has one mode named Rolling. This mode has a periodic behavior that every 50 milliseconds sends the value of spd to its wheel controller defined by ctlr. For the periodic behavior the invariant t <= 0.05, the flow t′ = 1 and the guard t == 0.05 are defined. The flow equation for the spd variable is defined simply as spd′ = −0.1 − trq. The constant −0.1 models the friction of the wheel with the road.
In the actions of this mode, after resetting the timer value and sending the wheel's speed to its controller, the rebec's mode is again set to the Rolling mode if the wheel's speed is greater than zero. The ABS behavior is defined by the software class WCtlr. It has two known rebecs w and bctrl, which are the controlled wheel of the controller and the global brake controller of the system, respectively. It also has three state variables id, wspd and slprt. The variable id is the identifier of the wheel controller and is used to differentiate between multiple wheel controllers in the model, wspd is the speed of the controlled wheel, and slprt is an auxiliary variable for calculating the slip rate. The variable slprt is used to determine whether the brake must be applied or not (this will be explained more in Section 5). The wspd variable gets updated by the setWspd message server. This message server also sends the wheel's speed, alongside the controller's identifier, to bctrl. To calculate the brake torque for wheels, the global brake controller sends an applyTrq message to each WCtlr in the system. The corresponding message server has two parameters named reqTrq and vspd, which are the requested braking torque and the estimated vehicle speed, respectively. In this message server first the slip rate, denoted by the variable slprt, is calculated. Here the constant WRAD denotes the radius of the wheel. After calculating the slip rate, if the value of slprt is greater than 0.2, it sets its wheel's brake torque to zero by using the setTrq message. Otherwise it sets the wheel's brake torque to the requested torque. In the main block, two rebecs of type Wheel and two rebecs of type WCtlr are instantiated. Here we explain one instantiation of each class. The term Wheel wR(@Wire wctlrR) : (1); is used to instantiate a rebec named wR of type Wheel.
The known rebec of wR is assigned to wctlrR. The tag @Wire is used to indicate that the communications of this rebec to wctlrR are via wire. The parameter (1) is the parameter of the initial message server of the rebec, which is the initial speed of the wheel. The term WCtlr wctlrR(@Wire wR, @CAN bctlr) : (0); is used to instantiate a rebec named wctlrR of type WCtlr. The known rebecs of wctlrR are assigned to wR and bctlr. For the second known rebec, the tag @CAN is used to indicate that the communications of this rebec to bctlr are via CAN. The parameter (0) is the identifier of the wheel controller. In the priorities of the CAN specification, the term wctlrR bctlr.setWspd 3 specifies that the priority of a message sent from wctlrR to bctlr containing the message server name setWspd is 3. The term wctlrR bctlr.setWspd -> 0.01 in the delays of the CAN specification specifies that the delay of the same message is 0.01.

4.2 Operational Semantics

Rebecs are executed concurrently, in response to a physical mode being finished or by taking a message from their message queues. The actions of a physical mode are executed when its behavior is finished, and each message is processed by executing its corresponding message server. The execution of all statements except the delay statement is instantaneous. To model communication via CAN, a network entity is considered in the semantics which buffers the messages from the rebecs and delivers them one by one to the respective receivers, based on the messages' priorities and delays specified in the model. The message selection mechanism of the CAN protocol is time consuming. We assume that this time is negligible. We abstract away from this time by considering the effect of the network entity when no actor can progress instantaneously.
For communication via wire, the message is directly inserted into the receiver's message queue instantaneously.

A Hybrid Rebeca model consists of the rebecs of the model and the network specification. A software rebec consists of the definitions of its variables, message servers and known rebecs. A physical rebec is defined like a software rebec plus the definitions of its modes. The network specification consists of the communication types of rebecs, which can either be CAN or wire, the message priorities and the message delivery delays.

Definition 1 (Hybrid Rebeca model). A Hybrid Rebeca model is defined as a tuple (R_s, R_p, N) where R_s and R_p are the set of software and physical rebecs in the model, respectively, and N is the network specification. The set R = R_s ∪ R_p denotes the set of all rebecs in the model. A software rebec r^s_i ∈ R_s and a physical rebec r^p_i ∈ R_p with a unique identifier i are defined by the tuples (i, V_i, msgsrvs_i, K_i) and (i, V_i, msgsrvs_i, modes_i, K_i), respectively, where V_i is the set of its variables, msgsrvs_i is the set of its message servers, K_i is the set of its known rebecs, and modes_i is the set of its modes. A network specification is defined as a tuple N = (conn, netPriority, netDelay) where conn is a partial function R × R → {Wire, CAN} which defines the one-way connection type from a rebec to another rebec, and netPriority : Msg → ℕ and netDelay : Msg → ℝ define the priority and the network delivery delay for a message, respectively. Msg denotes the set of all messages in the model.

Definition 2 (Message). A message is defined as a tuple (sender, m, receiver) ∈ R × Name × R where sender is the sending rebec, m is the name of the message server in the receiver, and receiver is the receiving rebec.
The operational semantics of a Hybrid Rebeca model is defined as a monolithic hybrid automaton. The semantics could be defined in a compositional way by providing a translation for the constitutive elements of a Hybrid Rebeca model. By composing the translations with the operational semantics of hybrid automata, the final model can be derived. However, this approach will lead to many real-valued variables, which reduces the analyzability of the resulting model.

Definition 3 (Hybrid automaton for Hybrid Rebeca model). Given a Hybrid Rebeca model H = (R_s, R_p, N), its formal semantics based on hybrid automata is defined by H_H = (Loc, Var, Lab, ⇒, Flws, Inv, Init), where Var is the set of all continuous variables in the model (variables of types float or real), and Lab is the set of labels, which is empty as we generate a monolithic hybrid automaton. The set of locations Loc, transitions ⇒, flows Flws, invariants Inv, and initial conditions Init are defined in the following.

Locations. Each location has four entities: the states of software rebecs, physical rebecs, the network, and the pending event list. The state of a software rebec consists of the valuation of its discrete variables, the state of its message queue and a program counter. The program counter points to a statement that the rebec must execute. The state of a physical rebec consists of its active mode, the state of its message queue and a program counter. The state of a physical rebec does not contain any valuation since discrete variables are not defined for physical rebecs and the continuous variables are handled in the hybrid automaton. A software rebec has the notion of being suspended (due to the execution of a delay statement). The suspension status is maintained by a reserved variable in the valuation of the rebec.
Delay statements are not allowed in physical rebecs.

Definition 4 (State of a rebec). The state of a software rebec is denoted by the tuple (v, q, c) where v is the valuation of its variables, q is the message queue of the rebec, and c denotes the program counter. The state of a physical rebec is a tuple of the form (M, q, c) where M is the active mode and q and c are defined as in the software rebec's state.

The network state, which is the state of the CAN network, consists of the buffered messages in the network and the status of the network, which indicates whether the network is busy sending a message or is ready to send one.

Definition 5 (State of network). The network state is defined by the pair (B, r), where B is the network buffer and the boolean flag r indicates the status of the network, which can be ready or busy.

The fourth entity, the pending event list, represents the sequence of pending events. Events are used for time consuming actions. For a time consuming action an event is stored, to be triggered at the time that the action is over. Two types of events are defined in the semantics of Hybrid Rebeca: Resume and Transfer. A pending event with event Resume is generated and inserted into the pending event list when a delay statement is seen in a Rebeca model, and the corresponding rebec is suspended. To model the passage of time for the delay statement, a timer variable is used by the pending event. After the specified delay has passed, the event is triggered, and consequently the behavior of the given rebec is resumed by updating the suspension status of the rebec. A pending event with event Transfer is generated when a message from the network buffer is chosen to be sent to its receiver. A timer is assigned to model the message delivery delay, and the pending event is inserted into the pending event list.
Upon triggering of a Transfer event, the specified message is enqueued in the receiver's message queue, and the network status is set to ready, which means the network is ready to send another message.

Definition 6 (Pending event). A pending event is a tuple (d, e, t) where d is the delay of the event e and t is a timer variable that is assigned to this event. The event e can either be a Resume or a Transfer event. The timer variable is used for defining the timing behavior for the delay of the pending event. The event is triggered (and executed) d units of time after the pending event is created.

Transitions. We define two general types of transitions: urgent and nonurgent transitions. The urgent transitions are further divided into message, statement and network transitions, which are respectively shown as ⇒_m, ⇒_s and ⇒_n. The nonurgent transitions are shown as ⇒_N. We use these transitions to differentiate between different types of actions. Message transitions are only for taking a message. Statement transitions are for executing the statements. A network transition chooses a message from the buffer of the network to be sent. This transition is only about choosing the message and not the act of sending. Nonurgent transitions are used to model the passage of time. These transitions include the behaviors of physical actors' active modes and the pending time of events, since they are time consuming.

An ordering is defined among these transitions. The ordering is ⇒_m = ⇒_s > ⇒_n > ⇒_N. Whenever a higher order transition is enabled in a location, no lower order transition can be taken in that location. The semantics of the actions in Hybrid Rebeca are defined using these transitions on the locations. In the following we define these transitions.

Message Transitions: Message transitions define the act of taking a message.
A message transition can take place whenever a rebec is not suspended. A rebec is suspended when it executes a delay statement. Let the tuples (v, q, c) and (M, q, c) denote the state of a software rebec and a physical rebec, respectively. The message transition is defined as follows:

– Taking a Message: A rebec takes a message from the head of its message queue q whenever the rebec has no statement to execute. When a message is taken, the program counter c is updated to point to the beginning of the corresponding message server, and the message is removed from the message queue q.

Statement Transitions: Statement transitions define the act of executing the statements. Like message transitions, a statement transition can take place whenever a rebec is not suspended. Consider the tuples (v, q, c) and (M, q, c) as the states of a software rebec and a physical rebec, respectively. The statement transitions include the following:

– Assignment Statement: This statement has two cases. When assigning to a discrete variable, the value of the variable is updated in the valuation v of the rebec. When assigning to a continuous variable, since its value is not determined (it may depend on the continuous behaviors), the assignment is transferred over to the transition to be handled by the resulting hybrid automaton.

– Conditional Statement: This statement has two cases. If the value of the condition is determined, the program counter c is updated to point to the appropriate statement block. If the value of the condition is not determined (because of continuous variables used in the condition), both possible paths are considered by creating two separate transitions. The condition and its negation act as the guards for these transitions.

– Send Statement: This statement, depending on the communication type, has two behaviors.
When the communication is via wire, the message is directly added to the receiver's message queue. When the communication is via CAN, the message is added to the CAN buffer to be handled by the CAN behavior.

– Delay Statement: This statement suspends the software rebec by updating the corresponding variable (suspension status) in the valuation v and creates a pending event (d, Resume, t) for resuming the rebec after d units of time. d is the delay specified in the delay statement and t is a timer variable.

– Set Mode Statement: This statement changes the active mode M of the physical rebec to the specified mode.

Network Transitions: These transitions define the behavior of the CAN network, which only includes the behavior of choosing a message from the network buffer to be sent. Since network transitions have a lower priority than message and statement transitions, the choosing behavior happens only when no rebec can progress instantaneously. Let (B, r) be the network state. The choosing transition is as follows:

– Choosing a Message: For this behavior, the message with the highest priority is removed from the network buffer B, a pending event (d, Transfer, t) for sending the message is created, and the flag r of the network is updated to indicate that the network is busy. The delay d of the created pending event is the network delay of the message.

Nonurgent Transitions: Nonurgent transitions are used to define the end of active physical modes and the triggering of pending events. These transitions are defined only when no urgent transition is possible.
These transitions are as follows:

– End of an Active Mode: For a physical rebec (M, q, c), if M is not none, the guard of the active mode M is transferred to the transition, the program counter c of the rebec is updated to point to the actions of this active mode, and the active mode is set to none.

– Triggering of an Event: For a pending event (d, e, t), the guard t == d is defined on the transition, where t and d are the timer and the delay of the pending event, respectively. The event e is executed as a result of this transition and the pending event is removed from the pending event list.

Flows and Invariants. To define flows and invariants for each location we need to consider continuous and instantaneous behaviors separately. There are two kinds of continuous behaviors in the model: behaviors regarding physical rebecs' modes and behaviors regarding pending events. Physical modes have all the necessary information in themselves and the pending events have simple timing behaviors. The functions flows(r_p, M) and invariant(r_p, M) return the flow and the invariant of a mode M in a physical rebec r_p, respectively. Instantaneous behaviors should be executed without allowing time to pass. So time must not pass when the system resides in the source locations of such transitions, called urgent locations.

Definition 7 (Urgent location flow and invariant). A possible implementation for an urgent location is urg' = 1 as flow and urg <= 0 as invariant, where urg is a specific variable. Note that in this method, this new variable must be added to the set Var of the hybrid automaton. Also the assignment urg = 0 must be added to all incoming transitions to an urgent location. The defined invariant prevents the model from staying in the location, as the value of urg will be increased by the defined flow.
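The transition ordering, CAN message selection and Transfer pending events described in this section, as an added example that is not code from the paper or its tool. Rebec names, priorities, delays and queue sizes are those of the case study (Fig. 5 and Section 5.2); the message-server bodies and the reported speeds are constructed, and physical modes and the delay statement (Resume events) are left out.

```python
"""Added example, not code from the paper or its tool: an interpreter for the CAN and
pending-event part of the Hybrid Rebeca semantics (section 4.2). Message servers are
Python callables; names, priorities, delays and queue sizes follow Fig. 5 and section 5.2.
Physical modes and the delay statement (Resume events) are left out."""
from collections import deque


class Rebec:
    def __init__(self, name, queue_size, handlers, **initial_vars):
        self.name, self.queue_size, self.handlers = name, queue_size, handlers
        self.queue = deque()            # message queue q, bounded as in section 4.3
        self.vars = dict(initial_vars)  # valuation v


class Model:
    def __init__(self, rebecs, conn, priority, delay):
        self.rebecs = {r.name: r for r in rebecs}
        self.conn = conn          # (sender, receiver) -> "Wire" or "CAN"
        self.priority = priority  # (sender, receiver, msgsrv) -> int, lower = higher priority
        self.delay = delay        # (sender, receiver, msgsrv) -> delivery delay in seconds
        self.buffer = []          # CAN buffer B
        self.busy = False         # flag r: False = ready, True = busy
        self.pending = []         # pending event list, entries (trigger time, event, message)
        self.now = 0.0

    def enqueue(self, receiver, msg):
        r = self.rebecs[receiver]
        if len(r.queue) >= r.queue_size:   # a design fault in the sense of section 5.2
            raise RuntimeError(f"design fault: message queue of {receiver} exceeded")
        r.queue.append(msg)

    def send(self, sender, receiver, msgsrv, *args):
        """Send statement: wire delivers instantaneously, CAN goes through the buffer."""
        msg = (sender, msgsrv, receiver, args)   # Definition 2, plus the arguments
        if self.conn[(sender, receiver)] == "Wire":
            self.enqueue(receiver, msg)
        else:
            self.buffer.append(msg)

    def step_rebec(self):
        """Message and statement transitions: take one message and run its message server."""
        for r in self.rebecs.values():
            if r.queue:
                sender, msgsrv, _, args = r.queue.popleft()
                r.handlers[msgsrv](self, r, sender, *args)
                return True
        return False

    def step_network(self):
        """Network transition: pick the unique highest-priority message, start a Transfer."""
        if self.busy or not self.buffer:
            return False
        prio = [self.priority[(m[0], m[2], m[1])] for m in self.buffer]
        if prio.count(min(prio)) > 1:
            raise RuntimeError("design fault: highest priority in CAN buffer is not unique")
        best = self.buffer.pop(prio.index(min(prio)))
        self.busy = True
        due = self.now + self.delay[(best[0], best[2], best[1])]
        self.pending.append((due, "Transfer", best))   # the pending event (d, Transfer, t)
        return True

    def step_time(self):
        """Nonurgent transition: advance time to the earliest pending event and trigger it."""
        if not self.pending:
            return False
        self.pending.sort(key=lambda e: e[0])
        self.now, event, msg = self.pending.pop(0)
        if event == "Transfer":   # enqueue at the receiver; the network is ready again
            self.enqueue(msg[2], msg)
            self.busy = False
        return True

    def run(self):
        """Ordering of section 4.2: rebec before network; time passes only when neither can."""
        while self.step_rebec() or self.step_network() or self.step_time():
            pass


# Constructed scenario: both wheel controllers of Fig. 5 report a wheel speed at t = 0.
def wctlr_set_wspd(model, me, sender, wspd):
    me.vars["wspd"] = wspd
    model.send(me.name, "bctlr", "setWspd", me.vars["id"], wspd)   # CAN hop to bctlr


def bctlr_set_wspd(model, me, sender, ident, wspd):
    me.vars["wspdR" if ident == 0 else "wspdL"] = wspd
    me.vars.setdefault("arrivals", []).append((model.now, ident))


def build_model():
    rebecs = [Rebec("wctlrR", 2, {"setWspd": wctlr_set_wspd}, id=0),
              Rebec("wctlrL", 2, {"setWspd": wctlr_set_wspd}, id=1),
              Rebec("bctlr", 4, {"setWspd": bctlr_set_wspd})]
    m = Model(rebecs, conn={("wR", "wctlrR"): "Wire", ("wL", "wctlrL"): "Wire",
                            ("wctlrR", "bctlr"): "CAN", ("wctlrL", "bctlr"): "CAN"},
              priority={("wctlrR", "bctlr", "setWspd"): 3, ("wctlrL", "bctlr", "setWspd"): 4},
              delay={("wctlrR", "bctlr", "setWspd"): 0.01, ("wctlrL", "bctlr", "setWspd"): 0.01})
    m.send("wR", "wctlrR", "setWspd", 1.0)   # the wheels' wired speed reports (constructed)
    m.send("wL", "wctlrL", "setWspd", 0.5)
    return m
```

Running build_model().run() delivers wctlrR's report to bctlr at t = 0.01 and wctlrL's at t = 0.02: the bus is busy during the first Transfer, and the second message is chosen only after the first pending event fires.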
If a location is urgent, the urgency flow, as defined above, is set as its flow. If a location is not urgent, it inherits the flows of all physical rebecs' active modes, the flows for the timers of pending events, and a flow of zero for each float variable to freeze its value. The flow of a pending event is simply defined as t' = 1 where t is the timer variable of the pending event. Similarly, if a location is urgent, its invariant is set to the urgency invariant; otherwise it inherits the invariants of all physical rebecs' active modes and the invariants for the corresponding pending events' timers. The invariant of a pending event is defined as t ≤ d where t and d are the timer variable and the delay of the pending event, respectively.

Initial Location and Initial Condition. For the initial location l_0, we initialize all discrete variables of rebecs to the value zero. Furthermore, the initial message for each instantiated rebec is put into its message queue. We also set the value of all continuous variables to zero in the initial condition of the initial location.

4.3 Technical Details

For simplicity some details were omitted from our semantics. Here we describe these details informally.

Limited Size for Message Queues: In the semantics of Hybrid Rebeca, the message queues of rebecs are considered unbounded. But in practice a specific size must be specified for the message queues of rebecs.

Message Arguments: To incorporate message arguments, we must consider discrete and continuous arguments separately. For discrete arguments, since their values are known in the state, that value is included in the message, and when the message is taken its arguments are added to the rebec's valuation. When the execution of the message is finished, the arguments are removed from the valuation.
For continuous arguments, the values are generally not determined during the translation to hybrid automata, so it is not possible to send the value within the message. To this aim, a non-evolving auxiliary variable is used. Before sending a message, each continuous argument is assigned to an auxiliary variable (by using continuous variable assignment). Then, a reference to the auxiliary variable is included in the message. When the message is taken, for each continuous argument an assignment from the auxiliary variable to its respective parameter variable is implicitly executed.

Continuous Variable Pools: When creating a new event (for a delay statement or for sending a message from CAN), a new timer is assigned to each event. But in hybrid automata all continuous variables must be defined statically. To handle this, variable pools with fixed sizes are used. There are two variable pools in our semantics, one for timer variables and one for the auxiliary variables of message arguments (as mentioned above). The size of the variable pools affects the behavior of the model. A small size will lead to an incomplete model, and a large size will lead to a huge model which cannot be easily analyzed.

5 Case Study

We demonstrate the applicability of our language on a simplified Brake-by-Wire (BBW) system with an Anti-lock Braking System (ABS) [12,16,8]. In a BBW system, instead of using mechanical parts, braking is managed by electronic sensors and actuators. In ABS, safety is increased by releasing the brake based on the slip rate to prevent uncontrolled skidding. In this system, the brake pedal sensor calculates the brake percentage based on the position of the brake pedal. A global brake controller computes the brake torque and sends this value to each wheel controller in the vehicle.
Each wheel controller monitors the slip rate of its controlled wheel and releases the brake if the slip rate is greater than 0.2. There is a nonlinear relationship between the friction coefficient of the wheel and the slip rate. When the slip rate is between zero and around 0.2, any increase in the slip rate increases the friction coefficient, but after 0.2 a further increase in the slip rate leads to a reduction in the friction coefficient. For this reason, when the slip rate is greater than 0.2, no brake will be applied to the wheel. In this system, each wheel and its wheel controller are connected directly by wire. Furthermore, the brake pedal sensor sends the brake percentage value to the global brake controller through wire. All other communications are done through a shared CAN network. A representation of the system is shown in Figure 4.

Fig. 4. The schematic of the BBW system. The physical components are shown as ellipses and the computational components are shown as rectangles.

5.1 Model Definition

The model is defined in Fig. 5. Note that for simplicity we have considered two wheels in our model. The model consists of 5 classes. The Wheel and WCtlr classes were defined previously in Section 4.1. The Wheel class models the sensors and actuators of the wheel. It periodically sends the speed of the wheel to the controller and defines the effect of braking on the wheel speed. The WCtlr class defines the behavior of the wheel controller. It monitors the slip rate of the wheel and decides whether to apply the brake based on its value. The Brake class defines the behavior of the brake pedal. Here we assume a simple behavior where the brake percentage is increased at a constant rate until it reaches a predefined maximum percentage. The class has one known rebec, bctlr, which is the global brake controller.
It defines four state variables bprcnt, mxprcnt, t and r, which are the brake percentage, the maximum brake percentage, an auxiliary timer variable and a variable that defines the rate for the brake percentage. In the initial message server, the initial and maximum brake percentages are initialized with the given values, the rate variable is set to 1 and the active mode of the rebec is set to Braking. The Braking mode defines a periodic behavior where the value of bprcnt is sent to bctlr and the brake percentage is increased by the rate defined by r. In the actions of this behavior, if the brake percentage is equal to or greater than mxprcnt, the rate variable r is set to zero to stop the brake percentage from changing over time.

The BrakeCtlr class is the global brake controller and has the responsibility of delegating the brake torque to the wheel controllers. It defines two known rebecs, one for each wheel controller, named wctlrR and wctlrL. The BrakeCtlr class has five state variables for the speed of the right and left wheels, the brake percentage from the brake pedal, the global torque calculated from the brake percentage and the estimated vehicle speed. In the message server control, first the estimated speed of the vehicle is computed based on the speeds of the individual wheels and the desired brake torque is calculated based on the brake percentage. Here we simply assume that the brake percentage is equal to the brake torque. Then, the estimated speed and the global torque are sent to each wheel controller. The initial, setWspd and setBprcnt message servers are omitted for brevity. The setWspd message server updates the correct wheel speed variable based on the input identifier. The message server control must be executed periodically, so an auxiliary Clock class is used to periodically send a control message to BrakeCtlr.
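The Wheel, WCtlr and BrakeCtlr laws of Fig. 5 run in closed loop, as an added example that is not code from the paper. WRAD = 1.0, the initial wheel speeds and the brake request are assumed values; communication delays are ignored and the torque of a period is decided at its start, which is a simplification of the message-driven model.

```python
"""Added example, not from the paper: the Wheel, WCtlr and BrakeCtlr laws of Fig. 5 run
in closed loop. In mode Rolling the flow spd' = -0.1 - trq has a constant rate, so every
0.05 s period is integrated exactly. Assumptions: WRAD = 1.0 (the paper gives no value),
communication delays ignored, and the torque for a period is decided at its start."""

PERIOD = 0.05      # inv (t <= 0.05) / guard (t == 0.05) of the Rolling and Running modes
SLIP_LIMIT = 0.2   # WCtlr releases the brake above this slip rate
WRAD = 1.0         # assumed wheel radius used in WCtlr.applyTrq


def slip_rate(vspd, wspd):
    """slprt as computed in WCtlr.applyTrq; zero when the vehicle speed is zero."""
    return 0.0 if vspd == 0 else (vspd - wspd * WRAD) / vspd


def apply_trq(req_trq, vspd, wspd):
    """WCtlr.applyTrq: the torque handed to the wheel through setTrq."""
    return 0.0 if slip_rate(vspd, wspd) > SLIP_LIMIT else req_trq


def rolling_period(spd, trq):
    """One period of mode Rolling: spd' = -0.1 - trq integrated over PERIOD."""
    return spd - (0.1 + trq) * PERIOD


def simulate(spd_r, spd_l, bprcnt, periods):
    """Two wheels under BrakeCtlr.control (espd = (wspdR + wspdL)/2, gtrq = bprcnt).
    Returns one record per period: (time, spdR, spdL, trqR, trqL)."""
    history = []
    for k in range(periods):
        espd = (spd_r + spd_l) / 2                # BrakeCtlr.control
        trq_r = apply_trq(bprcnt, espd, spd_r)    # wctlrR.applyTrq -> wR.setTrq
        trq_l = apply_trq(bprcnt, espd, spd_l)    # wctlrL.applyTrq -> wL.setTrq
        history.append((k * PERIOD, spd_r, spd_l, trq_r, trq_l))
        if spd_r <= 0 and spd_l <= 0:             # Rolling is not re-entered once spd <= 0
            break
        spd_r = rolling_period(spd_r, trq_r) if spd_r > 0 else spd_r
        spd_l = rolling_period(spd_l, trq_l) if spd_l > 0 else spd_l
    return history


def brake_release_holds(history):
    """Property 3 of section 5.2 checked at the sampling instants:
    a wheel whose slip rate exceeds 0.2 must carry zero brake torque."""
    for _, spd_r, spd_l, trq_r, trq_l in history:
        espd = (spd_r + spd_l) / 2
        for spd, trq in ((spd_r, trq_r), (spd_l, trq_l)):
            if slip_rate(espd, spd) > SLIP_LIMIT and trq != 0.0:
                return False
    return True


if __name__ == "__main__":
    # Constructed input: right wheel at 1.0, left wheel already slowed to 0.5, brake request 1.0
    for t, sr, sl, tr, tl in simulate(1.0, 0.5, 1.0, 8):
        print(f"t={t:.2f}  spdR={sr:.3f} trqR={tr}  spdL={sl:.3f} trqL={tl}")
```

With these inputs the slower left wheel has a slip rate above 0.2 for the first six periods and is released, then is braked again once the right wheel has slowed enough for the estimate to bring its slip rate under the limit.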
In the main block, all necessary rebecs are instantiated. The wheels wR and wL are wired to their respective wheel controllers by using the tag @Wire. Both wheels are initialized with the speed of 1 (see footnote 4). The wheel controllers wctlrR and wctlrL are connected to their corresponding wheels by wire and are connected to the global brake controller through CAN by using the tag @CAN. Identifiers of 0 and 1 are given to the rebecs wctlrR and wctlrL as initial parameters, respectively. The brake controller bctlr is connected to both wheel controllers through the CAN network, and the brake pedal brake is initialized with the brake percent 60 and the maximum brake percent 65. Both the brake brake and the clock clock are connected to bctlr by wire. There are four CAN messages in the model. The brake controller bctlr sends an applyTrq message to the wheel controllers wctlrR and wctlrL. The wheels wR and wL send a setWspd message to bctlr, respectively. A higher priority is defined for the applyTrq messages. Note that a lower number indicates a higher priority. The network delay of all four CAN messages is specified as 10 milliseconds.

5.2 Analysis and Verification

For the analysis of this model the queue size of bctlr is set to 4, the queue sizes of both wctlrR and wctlrL are set to 2, and for the other rebecs the queue size is set to 1. The size of the timer variable pool is set to 1 and the size of the argument variable pool is set to 11. The hybrid automaton derived from the model consists of 10097 locations and 25476 transitions. We use the SpaceEx [9] tool to verify our model. Note that the slip rate equation used in the model is not supported by SpaceEx, since it is a nonlinear equation. We simplified this equation for the analysis. By specifying a set of forbidden states, safety properties can be verified by SpaceEx.
We developed an initial tool (see footnote 5) for our language that automatically translates a Hybrid Rebeca model to a SpaceEx model based on the semantics of our language. We verified three properties for our case study. The first property is "design-fault freedom". Here by design-fault we mean a fault caused by the following situations: exceeding the capacity of a message queue, running out of pooled variables, and having messages with the same priority in the CAN buffer. We assume that the message with the highest priority must always be unique in the CAN buffer. Note that in practice this property must be implicitly checked for all models in Hybrid Rebeca, but for now it must be manually verified by SpaceEx. The second property is a timing constraint. This property states that the time between the transmission of the brake percentage from the brake pedal and its reaction by the wheel actuators must not exceed 0.2 seconds. The third property states that whenever the slip rate of a wheel exceeds 0.2, the brake actuator of that wheel must immediately be released.

Footnote 4: As the properties to be verified do not depend on the value of the speed, this value has been chosen to minimize the analysis time.
Footnote 5: The implementation can be found at https://github.com/jahandideh-iman/HybridRebeca

physicalclass Wheel {
  knownrebecs { WCtlr ctlr; }
  statevars { float trq; real spd; real t; }
  msgsrv initial(float spd) {
    spd = spd;
    setmode(Rolling);
  }
  msgsrv setTrq(float trq) {
    trq = trq;
  }
  mode Rolling {
    inv (t <= 0.05) {
      t' = 1;
      spd' = -0.1 - trq;
    }
    guard (t == 0.05) {
      t = 0;
      ctlr.setWspd(spd);
      if (spd > 0)
        setmode(Rolling);
    }
  }
}

softwareclass WCtlr {
  knownrebecs { Wheel w; BrakeCtlr bctlr; }
  statevars { int id; float wspd; float slprt; }
  msgsrv initial(int id) {
    id = id;
  }
  msgsrv setWspd(float wspd) {
    wspd = wspd;
    bctlr.setWspd(id, wspd);
  }
  msgsrv applyTrq(float reqTrq, float vspd) {
    if (vspd == 0)
      slprt = 0;
    else
      slprt = (vspd - wspd * WRAD) / vspd;
    if (slprt > 0.2)
      w.setTrq(0);
    else
      w.setTrq(reqTrq);
  }
}

physicalclass Brake {
  knownrebecs { BrakeCtlr bctlr; }
  statevars { real bprcnt; real t; float mxprcnt; float r; }
  msgsrv initial(float bprcnt, float mxprcnt) {
    bprcnt = bprcnt;
    mxprcnt = mxprcnt;
    r = 1;
    setmode(Braking);
  }
  mode Braking {
    inv (t <= 0.05) {
      t' = 1;
      bprcnt' = r;
    }
    guard (t == 0.05) {
      t = 0;
      bctlr.setBprcnt(bprcnt);
      if (bprcnt >= mxprcnt)
        r = 0;
      setmode(Braking);
    }
  }
}

softwareclass BrakeCtlr {
  knownrebecs { WCtlr wctlrR; WCtlr wctlrL; }
  statevars { float wspdR; float wspdL; float bprcnt; float gtrq; float espd; }
  msgsrv control() {
    espd = (wspdR + wspdL) / 2;
    gtrq = bprcnt;
    wctlrR.applyTrq(gtrq, espd);
    wctlrL.applyTrq(gtrq, espd);
  }
  // Setters for wspdR, wspdL and bprcnt
  ...
}

physicalclass Clock {
  knownrebecs { BrakeCtlr bctlr; }
  statevars { real t; }
  msgsrv initial() {
    setmode(Running);
  }
  mode Running {
    inv (t <= 0.05) {
      t' = 1;
    }
    guard (t == 0.05) {
      t = 0;
      bctlr.control();
      setmode(Running);
    }
  }
}

main {
  Wheel wR(@Wire wctlrR):(1);
  Wheel wL(@Wire wctlrL):(1);
  WCtlr wctlrR(@Wire wR, @CAN bctlr):(0);
  WCtlr wctlrL(@Wire wL, @CAN bctlr):(1);
  BrakeCtlr bctlr(@CAN wctlrR, @CAN wctlrL):();
  Brake brake(@Wire bctlr):(60, 65);
  Clock clock(@Wire bctlr):();

  CAN {
    priorities {
      bctlr wctlrR.applyTrq 1;
      bctlr wctlrL.applyTrq 2;
      wctlrR bctlr.setWspd 3;
      wctlrL bctlr.setWspd 4;
    }
    delays {
      bctlr wctlrR.applyTrq 0.01;
      bctlr wctlrL.applyTrq 0.01;
      wctlrR bctlr.setWspd 0.01;
      wctlrL bctlr.setWspd 0.01;
    }
  }
}

Fig. 5. The model definition of the BBW model.

For the first property, a specific location, called Fault, is created for the mentioned situations, and during the semantic derivation occurrences of such design-faults are handled by generating a transition to the specified location Fault. The verified forbidden condition in SpaceEx for this property is loc() == Fault, where the term loc() specifies the current location in SpaceEx. The second property cannot directly be specified with a set of forbidden states, since there is no direct concept of time in hybrid automata. To this aim, a monitor class is added to the model to measure the time between two events. Here the events are sending the brake percentage from the brake pedal to the global brake controller and processing the received brake torque in the wheels. The monitor class is a simple physical class with one physical mode and two message servers, stop and start. The physical mode tracks the time and the message servers are used to stop and start the tracking. Note that in the start message server the tracked time is reset. For the second property, one monitor rebec is instantiated and is wired to the brake pedal and one of the wheels.
A start message is sent in the actions of the Braking mode of the brake pedal after the brake percentage is sent to the brake controller, and a stop message is sent by the setTrq message server of the wired wheel. In SpaceEx the forbidden condition monitor_time > 0.2 is verified, where monitor_time is the name of the monitor's timer in the resulting hybrid automaton. The third property may seem to be straightforward, but because the semantics of our language is fine-grained, the request of releasing the brake and the actual act take place in different locations, even though time does not advance between these locations because they are urgent locations. For this property, the monitor class is used again. This time, a monitor rebec is wired to one of the wheels and its wheel controller. A start message is sent from the wheel controller when the slip rate is greater than 0.2, and a stop message is sent as in the second property. By using the monitor rebec, the states in which the brake is not released and time has not progressed while the slip rate is greater than 0.2 can be considered safe. The verified forbidden condition in SpaceEx is wctlr_slprate > 0.2 ∧ wheel_torque > 0 ∧ monitor_time > 0, where wctlr_slprate, wheel_torque and monitor_time are the names of the slip rate of the wheel, the brake torque of the wheel and the timer of the monitor, respectively, in the resulting hybrid automaton. The resulting hybrid automaton for the first property has 10097 locations and 25476 transitions, which is huge for verification purposes. This huge size stems from the fine-grained semantics of our language. But most of these locations are urgent locations where time does not advance, and they can be aggregated for the properties mentioned here. After aggregating these urgent locations, the size of the resulting hybrid automaton is reduced to 21 locations and 1148 transitions.
The aggregation process is implemented in our tool. The three properties are verified on their respective reduced hybrid automata. The verification results of these properties are provided in Table 1.

Property             | Derived HA (locations, transitions) | Gen Time (s) | Red HA (locations, transitions) | Verif Result | Verif Duration (s)
---------------------|-------------------------------------|--------------|---------------------------------|--------------|-------------------
Design-fault Freedom | 10097, 25476                        | 12           | 21, 1148                        | Passed       | 3705
Reaction Time        | 16317, 42976                        | 20           | 21, 1168                        | Passed       | 7521
Brake Release        | 54097, 175036                       | 64           | 21, 1168                        | Passed       | 3541

Table 1. The verification results of the case study. Legend: Property: the verified property; Derived HA: size of the derived hybrid automaton as the number of locations and transitions, respectively; Gen Time: duration of the hybrid automaton generation in seconds; Red HA: size of the reduced hybrid automaton; Verif Result: result of the verified property; Verif Duration: duration of the verification in seconds.

6 Related Work

There are some frameworks for modeling and analyzing cyber-physical systems. Some of these frameworks rely on simulation for analysis and others offer formal verification.

Ptolemy II [19] relies on simulation for analysis and is a framework that uses the concept of model of computation (MoC), which defines the rules for the concurrent execution of components and their communications. Ptolemy supports many models of computation like process networks, discrete events, dataflow and continuous time. Heterogeneous models can be made by nesting these models of computation in a hierarchical structure. As far as we know there is no formal semantics for the hybrid models of the Ptolemy framework to enable formal verification. In [4] an agent-based and control-centric methodology is presented for the development of CPSs. This approach includes all development stages of a system, from analysis by simulation to the execution of the final system.
For the modeling phase, concepts like actors, messages, actions, processing units and environmental gateway are presented in this methodology. The message passing among actors is asynchronous, and the computations of the model take place in the actions that are submitted to the processing units by the actors for execution. The environmental gateway is used for abstracting the physical processes and is replaced by the real entities in later stages. This approach relies on simulation to analyze a system, and no formal analysis is supported.

In [17] a modular approach for specifying and validating CPSs using a rewriting logic-based technique is proposed. In this work a CPS is described as linear hybrid automata in rewriting logic, where the components of the system communicate asynchronously. Timed hybrid Petri nets [5] can also be used to model hybrid systems and CPSs. For the analysis of these hybrid Petri nets, a translation to hybrid automata is presented in [5]. However, Petri-net based approaches prohibit modular specification of systems. The framework of [13] provides a hybrid process calculus tailored for modeling CPSs and analyzing their security properties [14,15]. In this approach, the network governing the interactions between physical and cyber entities is not addressed.

7 Discussions

In Section 3 we presented our extended actor model for cyber-physical systems. In our model, the software and physical actors are separated and modes are added to physical actors for specifying the continuous behaviors. The separation of software and physical rebecs prevents the interference of continuous behaviors with software behaviors. In Rebeca, each actor has only one thread of execution and its local state is encapsulated from other actors. This greatly simplifies the interactions between actors.
But having both continuous and discrete behaviors in one actor can be considered as having multiple threads of execution in the actor. Since these threads share the same variables, this approach is inconsistent with Rebeca and can surprise the modeler. A simple example to highlight this issue is to consider the following code segment of a message server:

a = k; delay(2); b = a + c;

The constant k is assigned to the variable a. The delay statement is used to abstractly model the computation time of complex computations. After the specified delay, the value of variable a is used to update the variable b. Assume the rebec has a continuous behavior and, during the execution of the delay statement, the continuous behavior finishes and changes the value of variable a in its actions. This affects the value of the variable b when the delay statement is over and can lead to a faulty behavior. The separation of software and physical actors solves this issue. Note that the delay statement is not allowed in the physical actors.

8 Conclusion and Future Work

In this paper we presented an extended actor model for modeling hybrid systems and CPSs, where both continuous and discrete processes can be defined. In this actor model, two kinds of actors are defined: software actors and physical actors. The software actors contain the software behaviors of the model and, similarly, physical actors contain the physical behaviors. We also introduced a network entity to the actor model, for modeling the behavior of the network of the model. We implemented this extended actor model in the Hybrid Rebeca language. This language is an extension of the Timed Rebeca language and allows defining classes to make models modular and reusable. The semantics of the language is defined based on hybrid automata, to allow for formal verification of the models.
Since our focus was the automotive domain, the CAN network is modeled in this version of the language. To show the applicability of our language, we modeled and analyzed a Brake-by-Wire system. For the verification of the model, three safety properties were considered. We used the SpaceEx framework to verify these properties. It was shown that for some properties new entities were needed to make the verification feasible.

Since we focused on the automotive domain, only the CAN network was defined in our current version of the language. Other network models are needed for different applications of CPSs. Instead of defining multiple network models, it is also possible to allow for user-defined network models. To this aim, a set of basic functionalities must be defined to enable defining most network models. Also, defining multiple instances of a network model (e.g. multiple CAN networks) may be needed in some systems. Like network models, it is possible to allow for defining new internal message schedulers for the rebecs, since the FIFO scheduler can be inadequate for some systems.

Acknowledgments

We would like to thank Edward Lee for his support and patient guidance on modeling and analyzing CPSs, Tom Henzinger for his fruitful discussion on the extended actor model, and MohammadReza Mousavi and Ehsan Khamespanah for their useful contributions.

References

1. Aceto, L., Cimini, M., Ingólfsdóttir, A., Reynisson, A.H., Sigurdarson, S.H., Sirjani, M.: Modelling and simulation of asynchronous real-time systems using Timed Rebeca. In: 10th International Workshop on the Foundations of Coordination Languages and Software Architectures. EPTCS, vol. 58, pp. 1–19 (2011)
2. Agha, G.A.: ACTORS - A model of concurrent computation in distributed systems. MIT Press series in artificial intelligence, MIT Press (1990)
3. Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T.A., Ho, P., Nicollin, X., Olivero, A., Sifakis, J., Yovine, S.: The algorithmic analysis of hybrid systems. Theoretical Computer Science 138(1), 3–34 (1995)
4. Cicirelli, F., Nigro, L., Sciammarella, P.F.: Model continuity in cyber-physical systems: A control-centered methodology based on agents. Simulation Modelling Practice and Theory 83, 93–107 (2018)
5. David, R., Alla, H.: On hybrid Petri nets. Discrete Event Dynamic Systems 11(1-2), 9–40 (2001)
6. Davis, R.I., Burns, A., Bril, R.J., Lukkien, J.J.: Controller area network (CAN) schedulability analysis: Refuted, revisited and revised. Real-Time Systems 35(3), 239–272 (2007)
7. Derler, P., Lee, E.A., Sangiovanni-Vincentelli, A.L.: Modeling cyber-physical systems. Proceedings of the IEEE 100(1), 13–28 (2012)
8. Filipovikj, P., Mahmud, N., Marinescu, R., Seceleanu, C., Ljungkrantz, O., Lönn, H.: Simulink to UPPAAL statistical model checker: Analyzing automotive industrial systems. In: 21st International Symposium on Formal Methods. LNCS, vol. 9995, pp. 748–756 (2016)
9. Frehse, G., Guernic, C.L., Donzé, A., Cotton, S., Ray, R., Lebeltel, O., Ripado, R., Girard, A., Dang, T., Maler, O.: SpaceEx: Scalable verification of hybrid systems. In: 23rd International Conference on Computer Aided Verification. LNCS, vol. 6806, pp. 379–395. Springer (2011)
10. Henzinger, T.A.: The theory of hybrid automata. In: 11th Annual IEEE Symposium on Logic in Computer Science. pp. 278–292. IEEE Computer Society (1996)
11. Hewitt, C.: Description and theoretical analysis (using schemata) of PLANNER: A language for proving theorems and manipulating models in a robot. Tech. rep., Massachusetts Institute of Technology, Artificial Intelligence Laboratory (1972)
12. Kang, E., Enoiu, E.P., Marinescu, R., Seceleanu, C.C., Schobbens, P., Pettersson, P.: A methodology for formal analysis and verification of EAST-ADL models. Reliability Engineering & System Safety 120, 127–138 (2013)
13. Lanotte, R., Merro, M.: A calculus of cyber-physical systems. In: Language and Automata Theory and Applications - 11th International Conference. LNCS, vol. 10168, pp. 115–127 (2017)
14. Lanotte, R., Merro, M., Muradore, R., Viganò, L.: A formal approach to cyber-physical attacks. In: 30th IEEE Computer Security Foundations Symposium. pp. 436–450. IEEE Computer Society (2017)
15. Lanotte, R., Merro, M., Tini, S.: Towards a formal notion of impact metric for cyber-physical attacks. In: 14th International Conference on integrated Formal Methods. To appear (2018)
16. Marinescu, R., Mubeen, S., Seceleanu, C.: Pruning architectural models of automotive embedded systems via dependency analysis. In: 42nd Euromicro Conference on Software Engineering and Advanced Applications. pp. 293–302. IEEE Computer Society (2016)
17. Metelo, A., Braga, C., Brandão, D.N.: Towards the modular specification and validation of cyber-physical systems - A case-study on reservoir modeling with hybrid automata. In: 18th International Conference on Computational Science and Its Applications, Part I. LNCS, vol. 10960, pp. 80–95. Springer (2018)
18. Pfeiffer, O., Ayre, A., Keydel, C.: Embedded Networking with CAN and CANopen. Copperhill Media Corporation, 1st edn. (2008)
19. Ptolemaeus, C. (ed.): System Design, Modeling, and Simulation using Ptolemy II. Ptolemy.org (2014)
20. Sabouri, H., Khosravi, R.: Delta modeling and model checking of product families. In: 5th International Conference on Fundamentals of Software Engineering. LNCS, vol. 8161, pp. 51–65. Springer (2013)
21. Sirjani, M.: Power is overrated, go for friendliness! Expressiveness versus faithfulness and usability in modeling - actor experience. In: Edward A. Lee Festschrift. pp. 1–21. LNCS, Springer (2018)
22. Sirjani, M., Jaghoori, M.M.: Ten years of analyzing actors: Rebeca experience. In: Formal Modeling: Actors, Open Systems, Biological Systems - Essays Dedicated to Carolyn Talcott on the Occasion of Her 70th Birthday. LNCS, vol. 7000, pp. 20–56. Springer (2011)
23. Sirjani, M., Movaghar, A., Shali, A., de Boer, F.S.: Modeling and verification of reactive systems using Rebeca. Fundamenta Informaticae 63(4), 385–410 (2004)
24. Varshosaz, M., Khosravi, R.: Modeling and verification of probabilistic actor systems using pRebeca. In: 14th International Conference on Formal Engineering Methods. LNCS, vol. 7635, pp. 135–150. Springer (2012)
25. Wolf, W., Madsen, J.: Embedded systems education for the future. Proceedings of the IEEE 88(1), 23–30 (2000)
26. Yousefi, B., Ghassemi, F., Khosravi, R.: Modeling and efficient verification of broadcasting actors. In: 6th International Conference on Fundamentals of Software Engineering. LNCS, vol. 9392, pp. 69–83. Springer (2015)