Enabling Trustworthy Systems with the DDS Quality of Service Modeling Language

1. Enabling Trustworthy Systems with the DDS Quality of Service Modeling Language Joe Hoffert, Aniruddha Gokhale, Doug Schmidt {joseph.w.hoffert,a.gokhale,d.schmidt}@vanderbilt.edu Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

2. Outline • Trustworthy Systems via Model Driven Engineering (MDE) • Use Case: Data Distribution Service (DDS) • DDS QoS Modeling Language (DQML) • DQML Metamodel Overview • DQML Application: DDS Benchmark Environment (DBE) • DBE Interpreter • DQML Demonstration • Future Work Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

3. Trustworthy Systems (1/2) TRUST Goals for Enterprise Publish/Subscribe DRE Systems • Security Technology • Software Security • Software design • specification languages, methods, and tools supporting security by design • Static code verification via: • security-friendly APIs • disciplined styles of programming • automated tools for lightweight static checking • Trusted Platforms • Understanding composition • Evaluating security and vulnerability • Examining minimal configurations (hardware & software) that provide trusted platforms • Systems Science • Model-Based Integration of Secure Systems • model-based design • model transformation technology • Quality of Service (QoS)-enabled component middleware Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

4. Trustworthy Systems (2/2) Facilitation of TRUST Goals via Model Driven Engineering (MDE) • Manage inherent complexity • Scope models to area/level of concern • Compose larger scope using modeling artifacts (e.g., application infrastructure/framework, higher level tools) • Understand composition via separation of concerns • Simplify vulnerability, provability analysis • Reduce accidental complexity • Increase confidence, reuse via MDE tools • Close security loopholes via misused tools, software, and configurations Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

5. Non-Trustworthy Systems Vulnerability, Lack of Confidence/Provability • Coupling of business logic, infrastructure, QoS configuration (i.e., all crafted in handwritten code) • Intermixing of concerns/areas of focus • Lack of composition understanding • “Provability” via testing • Potential loopholes in untested code paths • Unintended functionality (i.e., design != implementation) Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

6. Application Application read write write Logical Data Store Application write write Application read read Application Use Case: The OMG Data Distribution Service (DDS) • Provides flexibility, power and modular structure by decoupling: • Location – anonymous pub/sub • Redundancy – any number of readers & writers • Time – asynchronous, time-independent data distribution • Platform – same as CORBA middleware • Architecturally Broken into: • Data Centric Publish/Subscribe (DCPS) • Lower layer APIs to exchange topic data based on QoS policies • Data Local Reconstruction Layer (DLRL) • Upper layer APIs that make topic data appear local Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

7. QoS Policies Supported by DDS • DCPS entities (e.g., topics, data readers/writers) configurable via QoS policies • QoS tailored to data distribution in tactical information systems • Request/offered compatibility checked by DDS at Runtime • Consistency checked by DDS at Runtime • DEADLINE • Establishes contract regarding rate at which periodic data is refreshed • LATENCY_BUDGET • Establishes guidelines for acceptable end-to-end delays • TIME_BASED_FILTER • Mediates exchanges between slow consumers & fast producers • RESOURCE_LIMITS • Controls resources utilized by service • RELIABILITY (BEST_EFFORT, RELIABLE) • Enables use of real-time transports for data • HISTORY (KEEP_LAST, KEEP_ALL) • Controls which (of multiple) data values are delivered • DURABILITY (VOLATILE, TRANSIENT, PERSISTENT) • Determines if data outlives time when they are written • … and 15 more … • Implications for Trustworthiness Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

8. DataWriter DataReader Durability- Volatile Durability- Transient Deadline- 20ms Deadline- 10ms Timebased- 15ms Topic DataWriter Liveliness- Manual By Topic Liveliness- Automatic Reliability- Best Effort Reliability- Reliable DDS QoS Policies • Interactions of QoS Policies have implications for: • Consistency/Validity • e.g., Deadline period < TimeBasedFilter minimum separation (for a DataReader) • Compatibility/Connectivity • e.g., best-effort communication offered (by DataWriter), reliable communication requested (by DataReader) Will Data Flow? Or Will QoS Settings Need Updating? DataReader Will Settings Be Consistent? Or Will QoS Settings Need Updating? Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

9. DDS Trustworthiness Needs (1/2) • Compatibility and Consistency of QoS Settings • Data needs to flow as intended • Close software loopholes that might be maliciously exploited • Fixing at run-time untenable • Updating QoS settings on the fly • Introduces inherent complexity • Unacceptable for certain systems (e.g., RT, mission critical, provable properties) • Fixing at code time untenable • Implies long turn-around times • Code, compile, run, check status, iterate • Introduces accidental complexity • DDS QoS Modeling Language (DQML) models QoS configurations and allows checking at design/modeling time • Supports quick and easy fixes by “sharing” QoS policies • Supports correct-by-construction configurations Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

10. QoS Settings DDS Trustworthiness Needs (2/2) • QoS configurations generated automatically • Eliminate accidental complexities • Close configuration loopholes for malicious exploitation • Decouple configurations from implementations • Refinement of configuration separate from refinement of code • DQML generates QoS settings files for DDS Applications • Creates consistent configurations • Promotes separation of concerns • Configuration changes orthogonal to business logic changes • Increases confidence Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

11. QoS Configuration DDS Application Development • Business logic/application code mixed with QoS configuration code • Accidental complexity • Obfuscation of configuration concerns QoS configuration & publisher creation DataWriter QoS configuration & datawriter creation • DQML decouples QoS configuration from business logic • Facilitates configuration analysis • Reduces accidental complexity Business logic = Higher confidence DDS application Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

12. DQML Design Decisions • No Abortive Errors • User can ignore constraint errors • Useful for developing pieces of a distributed application • Initially focused on flexibility • QoS Associations vs. Containment • Entities and QoS Policies associated via connections rather than containment • Provides flexibility, reusability • Eases resolution of constraint violations Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

13. DataWriter DataWriter DataWriter DataWriter DataReader DataReader DataReader DataReader QoS QoS QoS QoS QoS QoS QoS QoS DQML Application: DDS Benchmark Environment (DBE) • Part of Real-Time DDS Examination & Evaluation Project (RT-DEEP) • http://www.dre.vanderbilt.edu/DDS • Developed by DRE Group at ISIS • DBE runs Perl scripts to deploy DataReaders and DataWriters onto nodes • Passes QoS settings files (generated by hand) • Requirement for testing and evaluating non-trivial QoS configurations Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

14. QoS Settings QoS Settings Invoke the DBE Interpreter Model the Desired QoS Policies via DQML DataReader DataWriter DBE Interpreter Generates One QoS Settings File for Each DBE DataReader and DataWriter to Use No Manual Intervention DBE Have DBE Launch DataReaders and DataWriters with Generated QoS Settings Files Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

15. DQML Demonstration • Create DDS entities, QoS policies, and connections • Run constraint checking • consistency check • compatibility check • fix at design time • Invoke DBE Interpreter • automatically generate QoS settings files Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

16. Future Work • Incorporate with TRUST Trustworthy Systems • Combine QoS polices and patterns to provide higher level services • Build on DDS patterns1 • Continuous data, state data, alarm/event data, hot-swap and failover, controlled data access, filtered by data content • Fault-tolerance service (e.g., using ownership/ownership strength, durability policies, multiple readers and writers, hot-swap and failover pattern) • Security service (e.g., using time based filter, liveliness policies, controlled data access pattern) • Real-time data service (e.g., using deadline, transport priority, latency budget policies, continuous data pattern) • Incorporate into Larger Scale Tool Chains • e.g., Deployment and Configuration Engine (DAnCE) in CoSMIC Tool Chain DQML DAnCE 1 Gordon Hunt, OMG Workshop Presentation, 10-13 July, 2006 Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

17. Backup Slides Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

18. Domain 3 Domain 2 DDS Domains & Domain Participants • The Domain is the basic construct used to bind individual applications together for communication • Like a VPN 2 3 1 1 Node Node Node 3 2 1 1 Node Node Node DomainParticipant Domain 1 Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

19. DCPS Entities • Data can be accessed in two ways • Wait-based (synchronous calls) • Listener-based (asynchronous callbacks) • Sophisticated support for filtering • e.g., Topic, Content-FilteredTopic, or MultiTopic • Configurable via (many) QoS policies DCPS Entities include • Topics • Typed data • Publishers • Contain DataWriters • Subscribers • Contain DataReaders • DomainParticipants • Entry points Topic Topic Topic Domain Participant Data Writer Data Reader Data Reader Data Reader Data Writer Data Writer Publisher Subscriber Publisher Subscriber Data Domain Joe Hoffert, Aniruddha Gokhale, Doug Schmidt