Preliminary Results Towards Contract Monitorability
This paper discusses preliminary investigations on the monitorability of
contracts for web service descriptions. There are settings where servers do not
guarantee statically whether they satisfy some specified contract, which forces
the client (i.e., the entity interacting with the server) to perform dynamic
checks. This scenario may be viewed as an instance of Runtime Verification,
where a pertinent question is whether contracts can be monitored for adequately
at runtime, otherwise stated as the monitorability of contracts. We consider a
simple language of finitary contracts describing both clients and servers, and
develop a formal framework that describes server contract monitoring. We define
monitor properties that potentially contribute towards a comprehensive notion
of contract monitorability and show that our simple contract language satisfies
these properties.
Comment: In Proceedings PrePost 2016, arXiv:1605.0809
The Cost of Monitoring Alone
We compare the succinctness of two monitoring systems for properties of
infinite traces, namely parallel and regular monitors. Although a parallel
monitor can be turned into an equivalent regular monitor, the cost of this
transformation is a double-exponential blowup in the syntactic size of the
monitors, and a triple-exponential blowup when the goal is a deterministic
monitor. We show that these bounds are tight and that they also hold for
translations between corresponding fragments of Hennessy-Milner logic with
recursion over infinite traces.
Comment: 22 pages
Monitoring for Silent Actions
Silent actions are an essential mechanism for system modelling and specification. They are used to abstractly report the occurrence of computation steps without divulging their precise details, thereby enabling the description of important aspects such as the branching structure of a system. Yet, their use rarely features in specification logics used in runtime verification. We study monitorability aspects of a branching-time logic that employs silent actions, identifying which formulas are monitorable for a number of instrumentation setups. We also consider defective instrumentation setups that imprecisely report silent events, and establish monitorability results for tolerating these imperfections.
A foundation for runtime monitoring
Runtime Verification is a lightweight technique that complements other verification methods in an effort to ensure software correctness. The technique poses novel questions to software engineers: it is not easy to identify which specifications are amenable to runtime monitoring, nor is it clear which monitors effect the required runtime analysis correctly. This exposition targets a foundational understanding of these questions. Particularly, it considers an expressive specification logic (a syntactic variant of the modal μ-calculus) that is agnostic of the verification method used, together with an elemental framework providing an operational semantics for the runtime analysis performed by monitors. The correspondence between the property satisfactions in the logic on the one hand, and the verdicts reached by the monitors performing the analysis on the other, is a central theme of the study. Such a correspondence underpins the concept of monitorability, used to identify the subsets of the logic that can be adequately monitored for by RV. Another theme of the study is that of understanding what should be expected of a monitor in order for the verification process to be correct. We show how the monitor framework considered can constitute a basis whereby various notions of monitor correctness may be defined and investigated.
peer-reviewed
Characteristic Formulae for Liveness Properties of Non-Terminating CakeML Programs
There are useful programs that do not terminate, and yet standard Hoare logics are not able to prove liveness properties about non-terminating programs. This paper shows how a Hoare-like programming logic framework (characteristic formulae) can be extended to enable reasoning about the I/O behaviour of programs that do not terminate. The approach is inspired by transfinite induction rather than coinduction, and does not require non-terminating loops to be productive. This work has been developed in the HOL4 theorem prover and has been integrated into the ecosystem of proof tools surrounding the CakeML programming language.
If At First You Don't Succeed: Extended Monitorability through Multiple Executions
This paper investigates the observational capabilities of monitors that can
observe a system over multiple runs. We study how the augmented monitoring
setup affects the class of properties that can be verified at runtime, focussing
on branching-time properties expressed in the modal mu-calculus. Our results
show that the setup can be used to systematically extend previously established
monitorability limits. We also prove bounds that capture the correspondence
between the syntactic structure of a branching-time property and the number of
system runs required to conduct the verification.
On the complexity of determinizing monitors
We examine the determinization of monitors. We demonstrate that every monitor is equivalent to a deterministic one, which is at most doubly exponential in size with respect to the original monitor. When monitors are described as CCS-like processes, this doubly-exponential bound is optimal. When (deterministic) monitors are described as finite automata (i.e., by their LTS), they can be exponentially more succinct than their CCS process form.
peer-reviewed
Towards a hybrid approach to software verification
Despite its advantages, RV (runtime verification) is limited when compared to MC (model checking) because certain correctness
properties cannot be verified at runtime [5, 10, 15]. For instance, MC makes it possible to
check for both safety and liveness properties, by providing either a positive or a negative answer,
according to whether the system conforms with the specifications; RV, on the other hand, can
only return a positive verdict for certain liveness properties (called co-safety properties [5]) or a
negative one for safety conditions. Moreover, RV induces a runtime overhead over the execution
of a monitored system, which should ideally be kept to a minimum [14].
peer-reviewed
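The verdict asymmetry described in this excerpt (a runtime monitor can refute a safety property and confirm a co-safety property, but can do nothing with a finite prefix for other liveness properties) and the monitor determinization discussed above under "On the complexity of determinizing monitors" can both be seen in a small monitor framework. The following is an added example written for this page, not code from any of the listed papers. It models a monitor as a finite labelled transition system with verdict states, a simplification of the CCS-style regular monitors the papers use; the four sample properties, their event names (free, use, auth_ok, req, resp, a, b) and the helper names (Monitor, determinize, agree) are all constructed for illustration.

```python
"""Finite-state monitors with irrevocable verdicts (added example, not from the papers)."""
from collections import deque
from itertools import product

YES, NO = "yes", "no"
ANY = "*"   # wildcard event label: an edge taken on every event


class Monitor:
    """A monitor as a labelled transition system with verdict states.

    delta maps (state, event) -> set of successor states; event may be ANY.
    Successors for an event are the explicit edges plus the ANY edges, so the
    monitor may be nondeterministic; a run with no matching edge is dropped.
    Verdicts are irrevocable: reading stops at the first one reached.
    """

    def __init__(self, start, delta, yes=(), no=()):
        self.start, self.delta = start, delta
        self.yes, self.no = frozenset(yes), frozenset(no)
        self.alphabet = frozenset(ev for (_, ev) in delta if ev != ANY)

    def step(self, states, event):
        nxt = set()
        for s in states:
            nxt |= self.delta.get((s, event), set()) | self.delta.get((s, ANY), set())
        return frozenset(nxt)

    def read(self, states):
        """Verdict of a set of states: NO if some run rejected, YES if some accepted."""
        if states & self.no:
            return NO
        if states & self.yes:
            return YES
        return None

    def verdict(self, trace):
        """Verdict after a finite prefix: YES, NO, or None (inconclusive so far)."""
        states = frozenset({self.start})
        for event in trace:
            v = self.read(states)
            if v is not None:
                return v
            states = self.step(states, event)
        return self.read(states)

    def reachable_states(self):
        seen, todo = {self.start}, deque([self.start])
        while todo:
            s = todo.popleft()
            for (src, _), dsts in self.delta.items():
                if src == s:
                    for d in dsts - seen:
                        seen.add(d)
                        todo.append(d)
        return seen

    def reachable_verdicts(self):
        """What the monitor can ever report, read off its graph before deployment:
        only NO  -> it can refute but never confirm (a safety property);
        only YES -> it can confirm but never refute (a co-safety property);
        neither  -> no finite prefix settles the property, so RV cannot check it."""
        seen = self.reachable_states()
        return {v for v, vs in ((NO, self.no), (YES, self.yes)) if seen & vs}


def determinize(m):
    """Subset construction: each state of the result is the set of states m could
    be in after the prefix read so far. Verdict sets are sinks (verdicts are final)."""
    start = frozenset({m.start})
    delta, seen, todo = {}, {start}, deque([start])
    while todo:
        S = todo.popleft()
        if m.read(S) is not None:
            continue
        for ev in m.alphabet:
            T = m.step(S, ev)
            delta[(S, ev)] = {T}
            if T not in seen:
                seen.add(T)
                todo.append(T)
    return Monitor(start, delta,
                   yes={S for S in seen if m.read(S) == YES},
                   no={S for S in seen if m.read(S) == NO})


def agree(m1, m2, max_len):
    """Do two monitors give the same verdict on every trace up to max_len?"""
    events = sorted(m1.alphabet)
    return all(m1.verdict(t) == m2.verdict(t)
               for n in range(max_len + 1) for t in product(events, repeat=n))


# Constructed sample monitors (assumptions of this example, not taken from the papers).
# Safety, "no use after free": the only verdict it can ever reach is NO.
use_after_free = Monitor(0, {(0, ANY): {0}, (0, "free"): {1},
                             (1, ANY): {1}, (1, "use"): {"NO"}}, no={"NO"})
# Co-safety, "eventually authenticated": the only verdict it can ever reach is YES.
eventually_auth = Monitor(0, {(0, ANY): {0}, (0, "auth_ok"): {"YES"}}, yes={"YES"})
# Liveness that is neither, "every request is eventually answered": no finite
# prefix refutes or confirms it, so there is no verdict state to reach at all.
responsive = Monitor(0, {(0, ANY): {0}, (0, "req"): {1}, (1, ANY): {1}, (1, "resp"): {0}})
# Nondeterministic pattern monitor: NO once some a is followed two events later by b.
# It guesses which a starts the pattern; the determinized form must instead track
# the last three events, one subset state per combination.
pattern = Monitor(0, {(0, ANY): {0}, (0, "a"): {1}, (1, ANY): {2},
                      (2, ANY): {3}, (3, "b"): {"NO"}}, no={"NO"})

if __name__ == "__main__":
    print(use_after_free.verdict(["alloc", "use", "free", "use"]))       # no
    print(eventually_auth.verdict(["auth_fail", "auth_ok"]))              # yes
    print(responsive.reachable_verdicts())                                # set()
    det = determinize(pattern)
    print(len(pattern.reachable_states()), len(det.reachable_states()))  # 5 12
    print(agree(pattern, det, 6))                                         # True
```

The check a practitioner wants before wiring a monitor into production is `reachable_verdicts`: it tells you, from the monitor's graph alone, whether the instrument can ever fire (and in which direction), which is exactly the safety/co-safety split the excerpt describes. The 5-to-12 growth of the pattern monitor is the ordinary single-exponential price of the subset construction on an automaton (eight subset states for a window of three events, plus four verdict sinks); the doubly-exponential figure in the determinization abstract is for monitors written as CCS-like processes, which that abstract notes can be exponentially larger than their automaton form.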