
Carlo Ghezzi - Politecnico di Milano
About: 366 Publications, 126,411 Reads, 11,040 Citations
Publications (366)
Engineering cyber-physical systems inhabiting contemporary urban spatial environments demands software engineering facilities to support design and operation. Tools and approaches in civil engineering and architectural informatics produce artifacts that are geometrical or geographical representations describing physical spaces. The models we consid...
Cyber-physical space systems are engineered systems operating within physical space with design requirements that depend on space, e.g., regarding location or movement behavior. They are built from and depend upon the seamless integration of computation and physical components. Typical examples include systems where software-driven agents such as m...
In modern societies, people live in spaces populated by a variety of computational elements, which generate new kinds of active cyber-entities interacting with each other and with humans, enabling new smart functionalities. Examples range from smart buildings such as modern office spaces, hospitals, airports and other public facilities up to entire...
Internet-enabled devices operating in the physical world are increasingly integrated in modern distributed systems. We focus on systems where the dynamics of spatial distribution is crucial; in such cases, devices may need to carry out complex computations (e.g., analyses) to check satisfaction of spatial requirements. The requirements are partly g...
Internet-enabled things and devices operating in the physical world are increasingly integrated in modern distributed systems, supporting functionalities that require assurances that certain critical requirements are satisfied by the overall system. We focus here on spatially-distributed Internet-of-Things systems such as smart environments, where...
Cyber-Physical Systems (CPS) are increasingly applied in critical contexts, where they have to support safe and secure operations, often subject to stringent timing requirements. Typical examples are scenarios involving automated living or working spaces in which humans operate, or human-robot collaborations (HRC) in modern manufacturing. Formal me...
Mobile and general-purpose robots increasingly support our everyday life, requiring dependable robotics control software. Creating such software mainly amounts to implementing their complex behaviors known as missions. Recognizing this need, a large number of domain-specific specification languages has been proposed. These, in addition to tradition...
Controllers often are large and complex reactive software systems and thus they typically cannot be developed as monolithic products. Instead, they are usually comprised of multiple components that interact to provide the desired functionality. Components themselves can be complex and in turn be decomposed into multiple sub-components. Designing su...
Providing assurances for self-adaptive systems is challenging. A primary underlying problem is uncertainty that may stem from a variety of different sources, ranging from incomplete knowledge to sensor noise and uncertain behavior of humans in the loop. Providing assurances that the self-adaptive system complies with its requirements calls for an e...
Mobile and general-purpose robots increasingly support our everyday life, requiring dependable robotics control software. Creating such software mainly amounts to implementing their complex behaviors known as missions. Recognizing the need, a large number of domain-specific specification languages has been proposed. These, in addition to traditiona...
Change makes software different from any other artifact created by humans. Although this has been known since the 1970s, change is still often handled in an ad hoc manner. Agile development and, more recently, DevOps have been proposed as a solution, and success stories are reported from industry. Still, principled and rigorous foundations that can be ta...
Engineering dependable software for mobile robots is becoming increasingly important. A core asset in engineering mobile robots is the mission specification---a formal description of the goals that mobile robots shall achieve. Such mission specifications are used, among others, to synthesize, verify, simulate, or guide the engineering of robot soft...
Cyber-physical space systems are becoming increasingly important. Such systems have to satisfy requirements that are heavily affected by the physical space they operate in and by the active entities inhabiting the space, whose dynamic behaviors generate continuous topological changes. Reasoning about requirements in the early design phases is extre...
Software systems are usually formed by multiple components which interact with one another. In large systems, components themselves can be complex systems that need to be decomposed into multiple sub-components. Hence, system design must follow a systematic approach, based on a recursive decomposition strategy. This paper proposes a comprehensive v...
We present design concepts, programming constructs, and automatic verification techniques to support the development of adaptive Wireless Sensor Network (WSN) software. WSNs operate at the interface between the physical world and the computing machine and are hence exposed to unpredictable environment dynamics. WSN software must adapt to these dyna...
We increasingly live in cyber-physical spaces -- spaces that are both physical and digital, and where the two aspects are intertwined. Such spaces are highly dynamic and typically undergo continuous change. Software engineering can have a profound impact in this domain, by defining suitable modeling and specification notations as well as supporting...
Three-valued model checking has been proposed to support verification when some portions of the model are unspecified. Given a formal property, the model checker returns true if the property is satisfied, false and a violating behavior if it is not, maybe and a possibly violating behavior if it is possibly satisfied, i.e., its satisfaction may depe...
Change has been recognized as the distinguishing feature that makes software different from any other human-produced artifacts. Initial reflections on the urgent and unavoidable need to master change date back to the 1970s. However, despite the continuous progress that characterized software technology since, in practice, software change is still o...
This paper describes in detail the example introduced in the preliminary evaluation of THRIVE. Specifically, it evaluates THRIVE over an abstraction of the ground model proposed for a critical component belonging to a medical device used by optometrists and ophthalmologists to detect visual problems.
In the real world practice, software systems are often built without developing any explicit upfront model. This can cause serious problems that may hinder the almost inevitable future evolution, since at best the only documentation about the software is in the form of source code comments. To address this problem, research has been focusing on aut...
Context and Motivation: Goal-oriented methods can be used by analysts to produce a set of system requirements that reflect the customer needs and are used as guidelines in the subsequent system design, in which a model of the system is produced. The design model is used to analyze the coherence of the system behavior with the requirements. Question...
Smart spaces are becoming increasingly vulnerable from the interplay of cyber and physical entities. A representation of the spaces' topology can reveal security-relevant contextual characteristics, and a visualization tool allows security analysts to edit space topology and verify that access-control policies meet security requirements.
Bigraphs are an emerging modeling formalism for structures in ubiquitous computing. Besides an algebraic notation, which can be adopted to provide an algebraic syntax for bigraphs, the bigraphical theory introduces a visual concrete syntax which is intuitive and unambiguous at the same time; the standard visual notation can be customized and thus t...
A software specification is often the result of an iterative process that transforms an initial incomplete model through refinement decisions. A model is incomplete because the implementation of certain functionalities is postponed to a later development step or is delegated to third parties. An unspecified functionality may be later replaced by al...
We increasingly live in cyber-physical spaces: spaces that are both physical and digital, and where the two aspects are intertwined. Cyber-physical spaces may exhibit a range of behaviors, from smart control of heating, ventilation, and light to visionary multi-functional living spaces that can be spatially re-organized in a dynamic way. In contras...
Software development is an iterative process which includes a set of development steps that transform the initial high level specification of the system into its final, fully specified, implementation. This report discusses the theoretical foundations that allow Incomplete Büchi Automata (IBAs) to be used in the iterative development of a sequent...
Ubiquitous computing is resulting in a proliferation of cyber-physical systems that host or manage valuable physical and digital assets. These assets can be harmed by malicious agents through both cyber-enabled or physically-enabled attacks, particularly ones that exploit the often ignored interplay between the cyber and physical world. The explici...
This article is a tutorial on how to achieve software evolution and adaptation in a dependable manner, by systematically applying formal modelling and verification. It shows how software can be designed upfront to tolerate different sources of uncertainty that cause continuous future changes. If possible changes can be predicted, and their occurren...
The problem of checking a logged event trace against a temporal logic specification arises in many practical cases. Unfortunately, known algorithms for an expressive logic like MTL (Metric Temporal Logic) do not scale with respect to two crucial dimensions: the length of the trace and the size of the time interval of the formula to be checked. The...
Smart cyber-physical spaces indicate spatial environments which include both cyber and physical elements interacting with each other. In the construction industry, Building Information Models are the de facto standard for specifying complex information about building infrastructures, a representation which can also be extended for the specification...
Modern component-based distributed software systems are increasingly required to offer non-stop service and thus their updates must be carried out at runtime. Different authors have already proposed solutions for the safe management of dynamic updates. Our contribution aims at improving their efficiency without compromising safety. We propose a new...
Software systems are often built without developing any explicit model and therefore research has been focusing on automatic inference of models by applying machine learning to execution logs. However, the logs generated by a real software system may be very large and the inference algorithm can exceed the capacity of a single computer. This paper...
Modern iterative and incremental software development relies on continuous testing. The knowledge of test-to-code traceability links facilitates test-driven development and improves software evolution. Previous research identified traceability links between test cases and classes under test. Though this information is helpful, a finer granularity t...
The Future Internet is envisioned as a worldwide environment connecting a large open-ended collection of heterogeneous and autonomous resources, namely Things, Services and Contents, which interact with each other anywhere and anytime. Applications will possibly emerge dynamically as opportunistic aggregation of resources available at a given time,...
The problem of checking a logged event trace against a temporal logic specification arises in many practical cases. Unfortunately, known algorithms for an expressive logic like MTL (Metric Temporal Logic) do not scale with respect to two crucial dimensions: the length of the trace and the size of the time interval for which logged events must be bu...
Formal verification is used to establish the compliance of software and hardware systems with important classes of requirements. System compliance with functional requirements is frequently analyzed using techniques such as model checking, and theorem proving. In addition, a technique called quantitative verification supports the analysis of the re...
Self-adaptive software modifies its behavior at run time to satisfy changing requirements in a dynamic environment. Context-oriented programming (COP) has been recently proposed as a specialized programming paradigm for context-aware and adaptive systems. COP mostly focuses on run time adaptation of the application's behavior by supporting modular...
Modern software systems are increasingly required to run for a long time and deliver uninterrupted service. Their requirements or their environments, however, may change. Therefore, these systems must be updated dynamically, at run-time. Typical examples can be found in manufacturing, transportation, or space applications, where stopping the system...
Constraint solution reuse is an effective approach to save the time of constraint solving in symbolic execution. Most of the existing reuse approaches are based on syntactic or semantic equivalence of constraints; e.g. the Green framework is able to reuse constraints which have different representations but are semantically equivalent, through cano...
Modern software systems are continuously evolving, often because systems requirements change over time. Responding to requirements changes is one of the principles of agile methodologies. In this paper we envision the seamless integration of automated verification techniques within agile methodologies, thanks to the support for incrementality. Incr...
Modern software-intensive systems often interact with an environment whose behavior changes over time, often unpredictably. The occurrence of changes may jeopardize their ability to meet the desired requirements. It is therefore desirable to design software in a way that it can self-adapt to the occurrence of changes with limited, or even without,...
Software systems are usually developed to provide a fixed set of functionalities within given environmental conditions. However, in the last few years, there has been an increasing interest in systems that can autonomously modify their behavior in response to dynamic changes occurring in their execution environment. In one word, they must be self-a...
Autonomous drones are a powerful new breed of mobile sensing platform that can greatly extend the capabilities of traditional sensing systems. Unfortunately, it is still non-trivial to coordinate multiple drones to perform a task collaboratively. We present a novel programming model called team-level programming that can express collaborative sensi...
Modern enterprise information systems are built following the paradigm of service-orientation. This paradigm promotes workflow-based software composition, where complex business processes are realized by orchestrating different, heterogeneous components. These workflow descriptions evolve continuously, to adapt to changes in the business goals or in...
Service-based applications are often developed as compositions of partner services. A service integrator needs precise methods to specify the quality attributes expected by each partner service, as well as effective techniques to verify these attributes. In previous work, we identified the most common specification patterns related to provisioning...
In this paper, we focus on the reliability and availability analysis of Web service (WS) compositions, orchestrated via the Business Process Execution Language (BPEL). Starting from the failure profiles of the services being composed, which take into account multiple possible failure modes, latent errors, and propagation effects, and from a BPEL pr...
The computing and networking capabilities of today's wireless mobile devices allow for seamlessly-networked, ubiquitous services, which may be dynamically composed at run-time to accomplish complex tasks. This vision, however, remains challenged by the inherent mobility of such devices, which makes services highly volatile. These issues call for a...
Adaptive security systems aim to protect critical assets in the face of changes in their operational environment. We have argued that incorporating an explicit representation of the environment's topology enables reasoning on the location of assets being protected and the proximity of potentially harmful agents. This paper proposes to engineer topo...
We present a context-oriented approach to design and implement self-adaptive component-based software in resource-constrained Cyber physical Systems (CPSs). Because of unpredictable environment dynamics, developers must design and implement CPS software to dynamically adapt to widely different situations. Our approach provides design concepts and l...
Modern complex software systems produce a large amount of execution data, often stored in logs. These logs can be analyzed using trace checking techniques to check whether the system complies with its requirements specifications. Often these specifications express quantitative properties of the system, which include timing constraints as well as hi...
Adaptive security systems aim to protect valuable assets in the face of changes in their operational environment. They do so by monitoring and analysing this environment, and deploying security functions that satisfy some protection (security, privacy, or forensic) requirements. In this paper, we suggest that a key characteristic for engineering ad...
Developers spend a significant portion of their time understanding and learning the correct usage of the APIs of libraries they want to integrate in their projects. However, learning how to effectively use APIs is complex and time consuming. Code recommendation systems play a crucial role facilitating developers in this task by providing to them re...
Modern society increasingly relies on mobile devices. This explains the growing demand for high quality software for such devices. To improve the efficiency of the development life-cycle, shortening time-to-market while keeping quality under control, mobile applications are typically developed by composing together ad-hoc developed components, serv...
Cloud-based elastic systems run on a cloud infrastructure and have the capability of dynamically adjusting the allocation of their resources in response to changes in the workload, in a way that balances the trade-off between the desired quality-of-service and the operational costs. The actual elastic behavior of these systems is determined by a co...
Many modern user-intensive applications, such as Web applications, must satisfy the interaction requirements of thousands if not millions of users, which can be hardly fully understood at design time. Designing applications that meet user behaviors, by efficiently supporting the prevalent navigation patterns, and evolving with them requires new app...
We present programming abstractions for implementing adaptive Wireless Sensor Network (WSN) software. The need for adaptability arises in WSNs because of unpredictable environment dynamics, changing requirements, and resource scarcity. However, after about a decade of research in WSN programming, developers are still left with no dedicated support....
SMT solvers have been recently applied to bounded model checking and satisfiability checking of metric temporal logic. In this paper we consider SOLOIST, an extension of metric temporal logic with aggregate temporal modalities; it has been defined based on a field study on the use of specification patterns in the context of the provisioning of serv...
Modern software systems are increasingly built by integrating different services implemented by independent organizations and offered in an open service marketplace. In such environment, multiple providers may compete with each other by publishing services that provide the same functionality, and export the same interface, but differ in the offered...
In the recent years, several research efforts have been devoted to developing approaches to synthesize specifications of software behavior. Most of the proposed approaches addressed the inference of finite-state abstractions. The synthesized abstractions have been integrated in different validation scenarios, such as testing. While finite-state mod...
Modern service oriented applications increasingly include publicly released services that impose novel and compelling requirements in terms of scalability and support to clients with limited capabilities such as mobile applications. To meet these requirements, service oriented applications require a careful optimisation of their provisioning mechan...
Advances in software verification techniques have been impressive in the past decade. Formal verification of large production software is now increasingly feasible and this is paving the way to transferring these techniques from research to practice. We argue, however, that there is still a serious mismatch between verification and modern developme...
We present our ongoing work on the design of macroprogramming abstractions to program sensing and actuating applications using robot swarms. Robots can sample the environment and act on it where no other sensor can reach, e.g., to monitor the environment at altitude with aerial robots. Programming the individual behavior of multiple coordinating ro...
Many product lines are critical, and therefore reliability is a vital part of their requirements. Reliability is a probabilistic property. We therefore propose a model for feature-aware discrete-time Markov chains as a basis for verifying probabilistic properties of product lines, including reliability. We compare three verification techniques: The...
This article provides an overall view of the research that has been done in the context of self-managing software within the SMScom project. We start by the motivations that inspired the research, and then we focus on a reference framework that explains its conceptual underpinnings and on the paradigm shift it calls for in the way we currently engi...
We present our ongoing work towards applying the context-oriented programming (COP) paradigm to wireless sensor networks (WSNs). Context---as a representation of the environment where the system operates---plays a key role in WSN applications, which must often adapt their operation depending on environmental conditions. We argue that promoting a no...
Software development processes have been evolving from rigid, pre-specified, and sequential to incremental, and iterative. This evolution has been dictated by the need to accommodate evolving user requirements and reduce the delay between design decision and feedback from users. Formal verification techniques, however, have largely ignored this ev...
Conventional formal verification techniques rely on the assumption that a system's specification is completely available so that the analysis can say whether or not a set of properties will be satisfied. On the contrary, modern development lifecycles call for agile (incremental and iterative) approaches to tame the boosting complexity of modern softwar...
Self-adaptive software has become increasingly important to address the new challenges of complex computing systems. To achieve adaptation, software must be designed and implemented by following suitable criteria, methods, and strategies. Past research has been mostly addressing adaptation by developing solutions at the software architecture level....
Modern software systems are often characterized by uncertainty and changes in the environment in which they are embedded. Hence, they must be designed as adaptive systems. We propose a framework that supports adaptation to non-functional manifestations of uncertainty. Our framework allows engineers to derive, from an initial model of the system, a...
Modern software-intensive systems often have to be updated to adapt to unpredicted changes in their environments or to satisfy unpredicted requirement changes. Many systems, however, cannot be easily shut down or are expected to run continuously. Therefore, they must be updated dynamically, at run-time. Especially for critical systems, dynamic upda...
Software verification of evolving systems is challenging mainstream methodologies and tools. Formal verification techniques often conflict with the time constraints imposed by change management practices for evolving systems. Since changes in these systems are often local to restricted parts, an incremental verification approach could be beneficial...
Evaluating quality attributes of a design model in the early stages of development can significantly reduce the cost and risks of developing a low quality product. To make this possible, software designers should be able to predict quality attributes by reasoning on a model of the system under development. Although there exists a variety of quality...
This paper focuses on the development of adaptive software, i.e., software that can automatically adapt its behavior at run-time in response to changes in the surrounding context in which it is situated. Furthermore, we focus on adaptation that is required to ensure continuous satisfaction of non-functional requirements. We propose that the impleme...
In this paper we present a novel approach for adaptive REST Web applications that focuses on adaptation against changes in the navigational behaviour of users. The proposed solution exploits the Web server's log file to infer a Markov model that captures the navigational behaviour of system users over time probabilistically. The model is inferred i...
Service-based applications are a new class of software systems that provide the basis for enterprises to build their information systems by following the principles of service-oriented architectures. These software systems are often realized by orchestrating remote, third-party services, to provide added-value applications that are called service...
This paper explores a formally grounded approach to solve the problem of dynamic binding in service-oriented software architecture. Dynamic binding is a widely adopted means to automatically bind exposed software interfaces to actual implementations. The execution of an operation on one or another implementation, though providing the same result, co...
In this demo we present SelfMotion: a declarative language and a run-time system conceived to support the development of adaptive, mobile applications, built as compositions of ad-hoc components, existing services and third party applications. The advantages of the approach and the adaptive capabilities of SelfMotion are demonstrated in the demo by...
Discrete Time Markov Chains (DTMCs) and Continuous Time Markov Chains (CTMCs) are often used to model various types of phenomena, such as, for example, the behavior of software products. In that case, Markov chains are widely used to describe possible time-varying behavior of “self-adaptive” software systems, where the transition from one state to...
Human activity increasingly relies on software being able to make self-adaptation decisions. The only way to achieve dependable software adaptation is to unite autonomic computing and mathematically based modeling and analysis techniques. Quantitative verification and model checking must also be used at runtime to predict and identify requirement v...
Service oriented computing (SOC) has brought a simplification in the way distributed applications can be built. Mainstream approaches, however, failed to support dynamic, self-managed compositions that would empower even non-technical users to build their own orchestrations. Indeed, because of the changeable world in which they are embedded, servic...
We are concerned with software that can self-adapt to satisfy certain reliability requirements, in spite of adverse changes affecting the environment in which it is embedded. Self-adapting software architectures are heavily based on dynamic binding. The bindings among components are dynamically set as the conditions that require a self-adaptation a...
This paper describes a novel model for the service selection problem of workflow-based applications in the context of self-managing situated computing. In such systems, the execution environment includes different types of devices, from remote servers to personal notebooks, smartphones, and wireless sensors, which build an infrastructure that can d...
Specification patterns have proven to help developers to state precise system requirements, as well as formalize them by means of dedicated specification languages. Most of the past work has focused its applicability area to the specification of concurrent and real-time systems, and has been limited to a research setting. In this paper we present t...
We present Spy@Runtime, a tool to infer and work with behavior models. Spy@Runtime generates models through a dynamic black box approach and is able to keep them updated with observations coming from actual system execution. We also show how to use models describing the protocol of interaction of a software component to detect and report functional...
We present the workflow language DSOL, its runtime system and the tools available to support the development of dynamic service orchestrations. DSOL aims at supporting dynamic, self-managed service compositions that can adapt to changes occurring at runtime.