A Survey of Runtime Verification Jonathan Amir 2004.

Slides:

Advertisements

Similar presentations

Basics of Recursion Programming with Recursion

Advertisements

1 Verification by Model Checking. 2 Part 1 : Motivation.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Data Structures Using C++

Two algorithms for checking emptiness. How to check for emptiness? Is L (A) = ; ? Need to check if there exists an accepting computation (passes through.

Introduction to Recursion and Recursive Algorithms

1 October 16 th, 2009 Meaning to motion: Transforming specifications to provably-correct control Hadas Kress-Gazit Cornell University George Pappas University.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

Partial Order Reduction: Main Idea

Part 3: Safety and liveness

Runtime Verification Ali Akkaya Boğaziçi University.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

UPPAAL Introduction Chien-Liang Chen.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.

System Design Research Laboratory Model-based Testing and Monitoring for Hybrid Embedded Systems Li Tan Jesung Kim Oleg Sokolsky Insup Lee University of.

1 Completeness and Complexity of Bounded Model Checking.

Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen.

Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.

15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.

ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni.

Static and Dynamic Analysis at JPL Klaus Havelund.

Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.

5/27/03MDES Supporting Model-Based Validation at Run-time Insup Lee and Oleg Sokolsky Department of Computer and Information Science University of.

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff,

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.

Allen Linear Temporal Logic Translation to LTL and Monitor Synthesis Grigore Rosu (University of Illinois at U-C) Saddek Bensalem (VERIMAG)

Lecture 3: Uninformed Search

Dynamic Program Analysis Klaus Havelund Kestrel Technology NASA Ames Research Center Motivation for writing specs: Instant gratification.

Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.

Deadlock Analysis with Fewer False Positives Thread T1: sync(G){ sync(L1){ sync(L2){} } }; T3 = new T3(); j3.start(); J3.join(); sync(L2){ sync(L1){} }

Verification & Validation By: Amir Masoud Gharehbaghi

Constraints Assisted Modeling and Validation Presented in CS294-5 (Spring 2007) Thomas Huining Feng Based on: [1]Constraints Assisted Modeling and Validation.

VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran.

Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.

1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.

Model Checking Lecture 1. Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula.

Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology.

From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.

About Alternating Automata Daniel Choi Provable Software Laboratory KAIST.

Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Automatic Verification

Efficient Decentralized Monitoring of Safety in Distributed Systems

Koushik Sen Abhay Vardhan Gul Agha Grigore Rosu

Monitoring Programs using Rewriting

Generating Optimal Linear Temporal Logic Monitors by Coinduction

Program Monitoring with LTL in EAGLE

Translating Linear Temporal Logic into Büchi Automata

Runtime Safety Analysis of Multithreaded Programs

Presentation transcript:

A Survey of Runtime Verification Jonathan Amir 2004

2 Background  Model checking: Formal, sound, provides guarantees. Doesn’t scale well - state explosion problem. Checks a model, not an implementation. Some people fear it – too much formalism.  Software testing (ad-hoc checking): Most widely used technique in the industry. Scales well, usually inexpensive. Test an implementation directly. Informal, doesn’t provide guarantees.

3 Runtime Verification  Attempt to bridge the gap between formal methods and software testing. A program is monitored while it is running and checked against properties of interest. Properties are specified in a formal notation. Dealing only with finite traces.  Considered as a light-weight formal method technique. Testing with formal “flavour”. Still doesn’t provide full guarantees.

4 Runtime Verification, cont’d  How to monitor a program? Need to extract events from the program while it is running. code instrumentation. Static phase Dynamic phase Program Specifications Code Instrumentation Instrumented Program Runtime Checker Stream of events

5 Property of interest is [](x>0). Search code for assignments to x. Insert code stubs that communicate with the monitor. Three means of communication:  Networking.  Shared memory.  File system. An (informal) example x = 5 // code stub here // reports to monitor … x = -1 // code stub here // reports to monitor. // monitor detects // violation

6 Finite traces  Trace semantics are different for finite traces. Can fake infinite trace by stuttering.  Stutter the last state, or  stutter a “dummy” state that doesn’t fulfill any proposition. Problem: meaning of [] operator changes. A more accepted alternative: define different acceptance condition.

7 Finite traces, Cont’d  Acceptance condition: A trace is acceptable if all its eventualities have been fulfilled. Example: [](x -> <>y). What if every occurrence of x is followed by a y later on except for the last one?  One can gather statistics about how a trace “performs” w.r.t the formula. Even if a trace is acceptable, it might have been rejected if we waited long enough.

8 Finite traces, cont’d  Safety properties are usually in the form of “something bad never happens”. Acceptance condition is trivial: if the “bad” thing doesn’t happen along the trace, the trace is accepted. Still no guarantees that “bad” thing won’t happen elsewhere.  However, if trace is rejected, clearly there is something wrong in the program.

9 Efficient monitors  An efficient monitor should have the following properties: Forward design. No backtracking.  Memory-less: doesn’t store the trace. Space efficiency. Runtime efficiency.  A monitor that runs in time exponential in the size of the trace is unacceptable.  A monitor that runs in time exponential in the size of the formula is usable, but should be avoided.

10 Monitors, Automata approach  Automata approach: Generate an automaton for the LTL property.  Alternating automaton is preferred, because its size is linear to the size of LTL formula. Use a modified version of alternating automata, suitable for finite traces.  Each node is labelled as “acc” or “rej”, and possibly “fin”.  If eventualities are not fulfilled the automaton will finish the trace at a rejecting state.  How to traverse the automaton: Depth first? Breadth first?

11 Automata approach, Cont’d  Depth first algorithm Problem: need to backtrack the trace. Example: [](x -> <>y), where y only holds in the last state, and x holds everywhere else.  For every state in the trace, the algorithm needs to visit the rest of the trace looking for y.  Breadth first algorithm Memory-less. Each state of the trace is visited only once. Maintains a list of all nodes that are currently “running”. Problem is that the list of nodes can grow exponentially.  Algorithm becomes relatively slow for longer traces.

12 Symbolic approach  Formula manipulation Rewriting logic  Given a formula and a trace, the formula “consumes” the first state in the trace, and produces a new formula. For example, the formula [](x -> <>y) and given that the first state in the trace is x.  [](x -> <>y){x} = [](x -> <>y) /\ <>y  Intuition: In order for [](x -> <>y) to hold when the first state is x, the formula [](x -> <>y) /\ <>y needs to hold at the rest of the trace after the first state.

13 Symbolic approach, Cont’d  Formula manipulation is applied iteratively while consuming states from the trace. The formula grows in size. At each iteration more rewriting rules are used to simplify the formula. At the end of the of the trace, the formula is reduced to either true or false. If eventualities are not fulfilled, formula will be false.

14 Java PathExplorer (JPaX) Developed at NASA Ames Research Center, by Grigore Rosu and Klaus Havelund. Intruments bytecode directly, not source code. Can use different logics simultaneously. Uses Maude as its logic rewriting engine. The definition of LTL (Future and Past) and rewriting rules is only 130 lines.

15 Future directions  Explore other logics that might be more suitable for runtime monitoring. Real-time logic, interval logic, timed-ltl.  Instead of instrumenting code, monitor the runtime environment of the program.  In Java, this means using JDI.  In C/C++, this means monitoring binary code.  Monitoring and Steering (Java-MaC).  Temporal debuggers.

16 Conclusion  Similar to bounded model checking, suitable for safety property.  Most tools use symbolic approach instead of automata approach.  Some case-studies already published show practical use in the industry (Java PathExplorer, Java-MaC).