167 research outputs found
Fully-automated Runtime Enforcement of Component-based Systems with Formal and Sound Recovery
International audienceWe introduce runtime enforcement of specifications on component-based systems (CBS) modeled in the BIP (Behavior, Interaction and Priority) framework. Runtime enforcement is an increasingly popular and effective dynamic validation technique aiming to ensure the correct runtime behavior (w.r.t. a formal specification) of a system using a so-called enforcement monitor. BIP is a powerful and expressive component-based framework for the formal construction of heterogeneous systems. Because of BIP expressiveness however , it is difficult to enforce complex behavioral properties at design-time. We first introduce a theoretical runtime enforcement framework for component-based systems where we delineate a hierarchy of enforceable properties (i.e., properties that can be enforced) according to the number of observational steps a system is allowed to deviate from the property (i.e., the notion of k-step enforceability). To ensure the observational equivalence between the correct executions of the initial system and the monitored system, we show that i) only stutter-invariant properties should be enforced on CBS with our monitors, and ii) safety properties are 1-step enforceable. Second, given an abstract enforcement monitor for some 1-step enforceable property, we define a series of formal transformations to instrument (at relevant locations) a CBS described in the BIP framework to integrate the monitor. At runtime, the monitor observes and automatically avoids any error in the behavior of the system w.r.t. the property. Third, our approach is fully implemented in RE-BIP, an available tool integrated in the BIP tool suite. Fourth, to validate our approach, we use RE-BIP to i) enforce deadlock-freedom on a dining philosophers benchmark, and ii) ensure the correct placement of robots on a map
Organising LTL monitors over distributed systems with a global clock
Users wanting to monitor distributed systems often prefer to abstract
away the architecture of the system, allowing them to directly specify correctness properties on the global system behaviour. To support this abstraction, a
compilation of the properties would not only involve the typical choice of monitoring algorithm, but also the organisation of submonitors across the component
network. Existing approaches, considered in the context of LTL properties over
distributed systems with a global clock, include the so-called orchestration and
migration approaches. In the orchestration approach, a central monitor receives
the events from all subsystems. In the migration approach, LTL formulae transfer
themselves across subsystems to gather local information.
We propose a third way of organising submonitors: choreography — where monitors are orgnized as a tree across the distributed system, and each child feeds
intermediate results to its parent. We formalise this approach, proving its correctness and worst case performance, and report on an empirical investigation
comparing the three approaches on several concerns of decentralised monitoring.peer-reviewe
Dynamic Detection and Mitigation of DMA Races in MPSoCs
International audience—Explicitly managed memories have emerged as a good alternative for multicore processors design in order to reduce energy and performance costs. Memory transfers then rely on Direct Memory Access (DMA) engines which provide a hardware support for accelerating data. However, programming explicit data transfers is very challenging for developers who must manually orchestrate data movements through the memory hierarchy. This is in practice very error-prone and can easily lead to memory inconsistency. In this paper, we propose a runtime approach for monitoring DMA races. The monitor acts as a safeguard for programmers and is able to enforce at runtime a correct behavior w.r.t the semantics of the program execution. We validate the approach using traces extracted from industrial benchmarks and executed on the multiprocessor system-on-chip platform STHORM. Our experiments demonstrate that the monitoring algorithm has a low overhead (less than 1.5 KB) of on-chip memory consumption and an overhead of less than 2% of additional execution time. I. INTRODUCTION In recent Multiprocessor Systems-on-Chip (MPSoCs) design , a combination of Scratchpad Memories (SPM) [1] and Direct Memory Access (DMA) engines have been proposed as an alternative to traditional caches, where data (and sometimes code) transfers through the memory hierarchy are explicitly managed by the software. This is promising in terms of performance, energy, and silicon area. However the price to pay is clearly programming complexity, since the program-mer/software has a disjoint view of the different levels of memories and must manually orchestrate data movements using explicit DMA operations. In this context, DMA races emerge as one of the regular issues programmers have to face
Second School on Runtime Verification, as part of the ArVi COST Action 1402 Overview and Reflections
International audienceThis paper briefly reports on the second international school on Run-time Verification, co-organized and sponsored by Inria and COST Action IC1402 ArVi. The school was held March 19-21 2018, in Praz sur Arly (near Grenoble) in the French Alps. Most of the lectures dealt with introductory and advanced topics on Runtime Verification from the first tutorial book on Runtime Verification [2]. Additional lectures were given on cutting-edge research topics. We report the context and objectives of the school, overview its program, and propose outlooks for the future editions of the school
Organising LTL monitors over distributed systems with a global clock
Users wanting to monitor distributed systems often prefer to abstract
away the architecture of the system, allowing them to directly specify correctness properties on the global system behaviour. To support this abstraction, a
compilation of the properties would not only involve the typical choice of monitoring algorithm, but also the organisation of submonitors across the component
network. Existing approaches, considered in the context of LTL properties over
distributed systems with a global clock, include the so-called orchestration and
migration approaches. In the orchestration approach, a central monitor receives
the events from all subsystems. In the migration approach, LTL formulae transfer
themselves across subsystems to gather local information.
We propose a third way of organising submonitors: choreography — where monitors are orgnized as a tree across the distributed system, and each child feeds
intermediate results to its parent. We formalise this approach, proving its correctness and worst case performance, and report on an empirical investigation
comparing the three approaches on several concerns of decentralised monitoring.peer-reviewe
Detecting Fault Injection Attacks with Runtime Verification
International audienceFault injections are increasingly used to attack/test secure applications. In this paper, we define formal models of runtime monitors that can detect fault injections that result in test inversion attacks and arbitrary jumps in the control flow. Runtime verification monitors offer several advantages. The code implementing a monitor is small compared to the entire application code. Monitors have a formal semantics; and we prove that they effectively detect attacks. Each monitor is a module dedicated to detecting an attack and can be deployed as needed to secure the application. A monitor can run separately from the application or it can be weaved inside the application. Our monitors have been validated by detecting simulated attacks on a program that verifies a user PIN
Decentralised LTL Monitoring
Users wanting to monitor distributed or component-based systems often
perceive them as monolithic systems which, seen from the outside, exhibit a
uniform behaviour as opposed to many components displaying many local
behaviours that together constitute the system's global behaviour. This level
of abstraction is often reasonable, hiding implementation details from users
who may want to specify the system's global behaviour in terms of an LTL
formula. However, the problem that arises then is how such a specification can
actually be monitored in a distributed system that has no central data
collection point, where all the components' local behaviours are observable. In
this case, the LTL specification needs to be decomposed into sub-formulae
which, in turn, need to be distributed amongst the components' locally attached
monitors, each of which sees only a distinct part of the global behaviour. The
main contribution of this paper is an algorithm for distributing and monitoring
LTL formulae, such that satisfac- tion or violation of specifications can be
detected by local monitors alone. We present an implementation and show that
our algorithm introduces only a minimum delay in detecting
satisfaction/violation of a specification. Moreover, our practical results show
that the communication overhead introduced by the local monitors is
considerably lower than the number of messages that would need to be sent to a
central data collection point
Runtime Enforcement for Component-Based Systems
Runtime enforcement is an increasingly popular and effective dynamic
validation technique aiming to ensure the correct runtime behavior (w.r.t. a
formal specification) of systems using a so-called enforcement monitor. In this
paper we introduce runtime enforcement of specifications on component-based
systems (CBS) modeled in the BIP (Behavior, Interaction and Priority)
framework. BIP is a powerful and expressive component-based framework for
formal construction of heterogeneous systems. However, because of BIP
expressiveness, it remains difficult to enforce at design-time complex
behavioral properties.
First we propose a theoretical runtime enforcement framework for CBS where we
delineate a hierarchy of sets of enforceable properties (i.e., properties that
can be enforced) according to the number of observational steps a system is
allowed to deviate from the property (i.e., the notion of k-step
enforceability). To ensure the observational equivalence between the correct
executions of the initial system and the monitored system, we show that i) only
stutter-invariant properties should be enforced on CBS with our monitors, ii)
safety properties are 1-step enforceable. Given an abstract enforcement monitor
(as a finite-state machine) for some 1-step enforceable specification, we
formally instrument (at relevant locations) a given BIP system to integrate the
monitor. At runtime, the monitor observes and automatically avoids any error in
the behavior of the system w.r.t. the specification. Our approach is fully
implemented in an available tool that we used to i) avoid deadlock occurrences
on a dining philosophers benchmark, and ii) ensure the correct placement of
robots on a map.Comment: arXiv admin note: text overlap with arXiv:1109.5505 by other author
- …