Koushik Sen Abhay Vardhan Gul Agha Grigore Rosu On Specifying and Monitoring Epistemic Properties of Distributed Systems Koushik Sen Abhay Vardhan Gul Agha Grigore Rosu University of Illinois at Urbana-Champaign, USA

Software Reliability Software Validation Rigorous and Complete Methods Model Checking Theorem Proving Infeasible for large-scale open distributed systems (Actors) Non-determinism and Asynchrony Testing Widely used Ad-Hoc Good Test Coverage Required Runtime Monitoring Adds rigor to Testing 11/13/2018

Centralized Monitoring Approach Monitoring – Use Formal Methods in Testing Synthesize light-weight Monitors from Specification Automata, Rewriting-based Monitors Instrument code to insert monitors Execute instrumented code Distributed System Monitoring Global state is distributed For every state update send state to a central monitor Central monitor assembles them to form consistent execution traces Sequence of global states Monitor execution traces 11/13/2018

An Example Mobile node a requests certain value from node b b computes the value and sends it to a Property: no node receives a value from another node to which it had not sent a request 11/13/2018

Centralized Monitoring Example “If a receives a value from b then b calculated the value after receiving request from a” valRcv → (valComputed  valReq) valReq valReq valComputed  valReq valRcv → (valComputed  valReq) (valComputed  valReq) b valComputed a valReq valRcv 11/13/2018

Decentralized Monitoring Approach “If a receives a value from b then b calculated the value after receiving request from a” valRcv → @b((valComputed  @a(valReq))) valComputed  @a(valReq) @a(valReq) (valComputed  @a(valReq)) b valComputed a valReq valRcv valReq valRcv → @b((valComputed  @a(valReq))) 11/13/2018

Past time Distributed Temporal Logic (pt-DTL) Based on epistemic logic [Aumann76][Meenakshi et al. 00] Properties with respect to a process, say p 11/13/2018

Leader Election Example “If a leader is elected then if the current process is a leader then, at its knowledge, none of the other processes (b and c) is a leader” elected → (state=leader → (@b(state ≠ leader) Æ @c(state ≠ leader))) 11/13/2018

Leader Election (Stronger Property) Every process must know the name of the process that has been elected leader elected → (let k=leaderName in (@b(leaderName = k) Æ @c(leaderName = k))) 11/13/2018

Leader Election (Open System) There are arbitrary number of processes whose names are not known before-hand elected → (let k=leaderName in @8 {j | j  i}(leaderName = k)) 11/13/2018

Extended Distributed Temporal Logic (xDTL) Suitable for Open Distributed Systems (Actors) Ids of all processes are not known before-hand Quantification over processes All processes satisfying a predicate @8 {j | pred(j)} Some process satisfying a predicate @9 {j | pred(j)} Value-binding (Increases Expressive Power) let k = x in F To refer to values in remote states 11/13/2018

xDTL syntax Fi ::= true | false | P(Ei) | : Fi | Fi Æ Fi propositional | ¯ Fi | ¡ Fi | Fi | Fi S Fi temporal | @8 JFj | @9 JFj epistemic | let k = Ei in Fi binding Ei ::= c | vi 2 Vi | f(Ei) | k functional | @jEj epistemic 11/13/2018

Interpretation of @8 JEj at process i m4 m1 m2 p2 @ {1}(x=9) m3 p1 x=7 x=9 11/13/2018

Monitoring Algorithm Requirements Monitoring using KnowledgeVector Should be fast so that online monitoring is possible Little memory overhead Additional messages sent should be minimal; ideally zero Monitoring using KnowledgeVector Maintain knowledge of global state at each process Update knowledge with incoming messages Attach knowledge with outgoing messages At each process monitor local knowledge 11/13/2018

Conclusion Decentralized Technique to effectively verify open distributed systems at runtime No extra message over-head for monitoring xDTL can express interesting and useful safety properties of distributed systems How to instrument code running on all processes so that monitoring can be done? 11/13/2018