1

Luigi LogrippoSITE

Feature Interactionsas Inconsistencies

luigi@site.uottawa.cahttp://www.site.uottawa.ca/~luigi/

2

Development

Early research on FI was based on the idea that Fis were the result of complex interleavings of features

See Feature Interaction contexts

Later it became understood that, more simply, if features are logically inconsistent then they cannot coexist

3

Main idea

Many software flaws can be discovered by making the logic precise and thoroughly examining it by the use of logic tools

Formal methodsFeature interactions are the result of logic flaws

Inconsistency of specsApplication areas:

New VoIP and Web based systemsSecurityMany others

Do this Do that

4

Feature Interaction in Automotive

Electronic Stability Program (ESP) and Cruise Control (CC)

ESP: Break if wheels slip on wet roadCC: Increase speed until cruise speed is reached

FI detectable by the fact that the two features have contradicting requirements

5

Protection rings in Bell-LaPadula security model

High security personnel can use delegation to transfer access rights to lower security personnel

FI: Delegation defeats BLP

6

C3. A gets connected to C

1. A calls B 2. B forwards to C

A has C in OCS list

A

B has CF to C

B

FI: CF defeats OCS.

OCS: Originating Call ScreeningCF: Call Forward

FI in communications

7

Infinite loops FIsCompanies A, B and C have policies where each of them uses the next in a loop as suppliers of parts in excess of inventoryThis can start a chain reaction with potentially disastrous effects!

Send 1000 hockey pucks

Send 800 pucks

Send 600 pucks

Send 400 pucks

Send 400

FI: subcontractingdefeats itself

8

Infinite loops FIsCompanies A, B and C have policies where each of them uses the next in a loop as suppliers of parts in excess of inventoryThis can start a chain reaction with potentially disastrous effects!

Send 1000 hockey pucks

Send 800 pucks

Send 600 pucks

Send 400 pucks

Send 400

FI: subcontractingdefeats itself

9

Presence communications features 1

Alice: call Bob urgently about meeting cancellationBob’s policy: send to voice mail all calls that arrive when I am moving faster than 50Km/h

FI: Bob’s policy defeats Alice’s urgent call policy

10

Presence communications features 2

Alice: call Bob as soon as he arrives in buildingBob: call Alice as soon as she arrives in building

One of the two policies will be defeated by the other

11

FIs as inconsistencies

There is FI when there is inconsistency between:Two simultaneous actions of one agent

• ESP – CC example

Two simultaneous actions of two different agents• ‘Call as soon as gets in the building’ example

An action and the requirements of a userActions and systems requirements

• Infinite loop example

Inconsistency of actions is

12

This idea is explicit in

Within an explicit logic framework:Felty and Namjoshi, FIW 2000Various papers of Aiguier and LeGall, e.g. Formal Methods 2006 (LNCS 4085)

More generally talking about ‘conflicts’, ‘broken assumptions’, etc.

Kolberg, Magill, Wilson, IEEE Comm., 2003Gorse, Logrippo, Sincennes, originally in Gorse’s Master’s thesis of 2000 and eventually published in SoSym 2006Metzger et al., FIW 2003 and 2005Turner, Blair 2006Etc.

13

Interesting aside on logic

Not all inconsistencies we have identified are straight logical inconsistencies…

Some are infinite loopsOthers may be deadlocks

What is the logic interpretation of an infinite loop or a deadlock?What is the computational interpretation of a logical inconsistency?

Subject of ongoing work on the relationship between lambda calculus and logic

14

How do we know about the conflicts

This can be obvious, in cases where there is a straight contradiction

A and not A• But this is rarely the case

Most papers leave it to the systems designer to state whether two actions or requirements are in contradiction,

E.g. accept call contradicts disconnect

15

Determining more precisely inconsistency of actions

So action inconsistency is usually a symptomBased on knowledge of expected systems behaviorDetection is tentative Detection tool identifies possible conflict scenarios and interaction must be confirmed by human inspection

16

Next step of analysis:Considering pre- & post-conditions

Wu and Schulzrinne have moved forward with this ideaNot entirely new…

Introducing the idea of conflicts between pre- and post-conditions of actions

Whether actions conflict can be determined on the basis of their pre-and post-conditionsThis can provide information also on possible FI resolution

17

Use of pre- and post-conditionsEnable(A,B) (positive interaction)

The post-condition of A is implied by the pre-condition of B

Disable(A,B) (negative interaction)The post-condition of A is not implied by the pre-condition of B

Conflict of post-conditions: (negative interactions) The expected postconditions of two actions conflict directly

• Special case: they request the same resources

The expected postconditions of two actions conflict because of parameters

18

How to choose pre- and post-condition

Communications systems are very complex and every action is the result of, also produces, very complex conditionsOnly few elements can be expressed in pre- and post-conditions that are meant for analysisThese elements can only be chosen in terms of broad generalizationsThe choice of these elements is of course vital for producing a useful analysisIn terms of the characteristics of APPEL, we have chosen to focus on two elements:

Call statesState of the media

19

How to determine conflicts

Similarly, conflicts must be determined in terms of broad generalizations

E.g. if one action requests a resource of a certain type, then it might disable another action that requires the same type of resources

These generalizations can be made more specific when more information is available

20

Example 1

21

How to detect

Specifications must be made precise!Sometimes they are already sufficiently precise, e.g. in a XML-based language

• E.g.BPEL

Constraint Logic Programming Given a set of logic constraints, CPL tools can tell whether

• There is a solution, constraints are satisfiable• There is no solution, in fact there is a counterexample

22

How to solve

Solution is a more complex problem, will depend from

User intentions,• Try to identify user goals

May require an interactive systemSolution methods will vary according to the application domain

23

Conclusions

Complex designs require the composition of complex features

With a lot of user control on what will happen in different situation (user policies)

Introduction of these features will require sophisticated methods to control different situations of feature conflicts