
    Statically-analyzed stream monitoring for cyber-physical Systems

    Cyber-physical systems are digital systems interacting with the physical world. Even though this induces an inherent complexity, they are responsible for safety-critical tasks like governing nuclear power plants or controlling autonomous vehicles. To preserve trust in the safety of such systems, this thesis presents a runtime verification approach designed to generate trustworthy monitors from a formal specification. These monitors are responsible for observing the cyber-physical system during runtime and ensuring its safety. As the underlying language, I present the asynchronous real-time specification language RTLola. It contains primitives for arithmetic properties and grants precise control over the timing of the monitor. With this, it enables specifiers to express properties relevant to cyber-physical systems. The thesis further presents a static analysis that identifies inconsistencies in the specification and provides insights into the dynamic behavior of the monitor. As a result, the resource consumption of the monitor becomes predictable. The generation of the monitor produces either a hardware description synthesizable onto programmable hardware, or Rust code with verification annotations. These annotations allow for proving the correctness of the monitor with respect to the semantics of RTLola. Last, I present the construction of a conservative hybrid model of the underlying system using information extracted from the specification. This model enables further verification steps.

    On the road with RTLola : Testing real driving emissions on your phone

    This paper is about shipping runtime verification to the masses. It presents the crucial technology enabling everyday car owners to monitor the behaviour of their cars in the wild. Concretely, we present an Android app that deploys RTLola runtime monitors for the purpose of diagnosing automotive exhaust emissions. For this, it harvests the availability of cheap Bluetooth adapters to the On-Board-Diagnostics (OBD) ports, which are ubiquitous in cars nowadays. The app is a central piece in a set of tools and services we have developed for black-box analysis of automotive vehicles. We detail its use in the context of Real Driving Emissions (RDE) tests and report on sample runs that helped identify violations of the regulatory framework currently valid in the European Union.

    From LTL to rLTL monitoring

    Runtime monitoring is commonly used to detect the violation of desired properties in safety-critical systems by observing run prefixes of the system. Bauer et al. introduced an influential framework for monitoring Linear Temporal Logic (LTL) properties, which is based on a three-valued semantics: the formula is already satisfied by the given prefix, it is already violated, or it is still undetermined, i.e., it can still be either satisfied or violated. However, a wide range of formulas are not monitorable under this approach, meaning that every prefix is undetermined. In particular, Bauer et al. report that 44% of the formulas they consider in their experiments fall into this category. Recently, robust semantics for LTL were introduced to capture degrees of violation of universal properties. Here, we define robust semantics for run prefixes and show its potential in monitoring: every formula considered by Bauer et al. is monitorable under our approach. Furthermore, we show that properties expressed with the robust semantics can be monitored by deterministic automata.

    RTLola on Board: Testing Real Driving Emissions on your Phone

    This paper is about shipping runtime verification to the masses. It presents the crucial technology enabling everyday car owners to monitor the behaviour of their cars in the wild. Concretely, we present an Android app that deploys RTLola runtime monitors for the purpose of diagnosing automotive exhaust emissions. For this, it harvests the availability of cheap Bluetooth adapters to the On-Board-Diagnostics (OBD) ports, which are ubiquitous in cars nowadays. We detail its use in the context of Real Driving Emissions (RDE) tests and report on sample runs that helped identify violations of the regulatory framework currently valid in the European Union.

    When a Sentence Falls Apart: Using Heuristically Guided Dead End Detection in Natural Language Processing

    In this thesis we approach the problem of automatically generating naturally sounding sentences. We discover the similarities between a search-based realization process and searches in the field of artificial intelligence. These allow us to compile the problem of sentence realization into a representation on which we can use well-established techniques from the automatic planning community. We introduce a polynomially space- and time-bounded algorithm and prove its correctness. In various experiments we gathered empirical data, which allows an analysis regarding its practical relevance. Finally, we propose ways to further improve the process in the future.

    Let’s not Trust Experience Blindly: Formal Monitoring of Humans and other CPS

    The control logic of complex systems is based on experience: trained experts steer a machine directly until they help develop an automated controller. Recently, this process was further improved by successfully incorporating machine learning techniques, where the controller is learned from tremendous amounts of empirical data. The resulting controller excels most of the time, especially in situations similar to ones occurring in the training data. In a safety-critical context, however, this is not enough, so formal guarantees about the behavior of the controller become crucial. When a full static analysis and subsequent verification is infeasible due to the complexity of the system, runtime monitoring is still applicable. It acts as a connecting link between the efficiency of trained controllers and formally verifiable guarantees. A runtime monitor assesses the system health based on sensor readings by using a specification that contains information about desired system states and their expected evolution over time. When the monitor encounters a violation of the specification, it raises an alarm. For complex systems, characterizing the desired behavior requires an expressive language. Moreover, provably correct behavior requires formal semantics and an evaluation algorithm with static guarantees on resource consumption to prevent crashes during runtime. This thesis presents formal semantics for the specification language RTLola and shows that it satisfies the aforementioned criteria by introducing an evaluation algorithm with static time and space bounds. The approach is evaluated based on examples from health monitoring and aircraft controllers.

    Simplex Architecture Meets RTLola

    Designing controllers for safety-critical cyber-physical systems is a challenging task due to their complex dynamics and only partial access to information. Despite these difficulties, machine-learned controllers show remarkable success. Their outstanding performance is tarnished by an opaque structure that prohibits reasoning about their internals. A remedy for this problem is the Simplex architecture. It embeds an arbitrarily complex controller into a verifiable structure that monitors controller decisions. Upon detection of potentially harmful commands, the architecture falls back to a simple and safe controller. While validating control decisions is easier than finding them, it still has to account for complex temporal dependencies. At the same time, deployment in embedded safety-critical systems requires the monitor to be formally verifiable and to cope with strict resource limitations. In this talk we discuss the monitoring module of the Simplex architecture on the example of an artificial pancreas and propose using the RTLola monitoring framework.

    Robust Monitoring for Medical Cyber-Physical Systems

    Some medical implants act autonomously: they assess the current health status of a patient and administer treatment when appropriate. An improper treatment, however, can cause serious harm. Here, the decision logic leading to the treatment relies on data obtained from sensors — an inherently imperfect medium. Coping with these inaccuracies requires the logic to be robust in the sense that slight perturbations in the measurements do not significantly alter the decision. Determining automatically the extent to which an algorithm is robust does not scale well for complex and opaque components. This is particularly problematic when machine learning is involved. Yet, the analysis is feasible for simpler safety-related components such as a runtime monitor, which observes the system and intervenes in a treatment when necessary. Its significantly lower complexity generally allows for providing static guarantees on the runtime behavior of the monitor. Complementing these guarantees with a robustness analysis constitutes a major step toward certifiable medical cyber-physical systems controlled by opaque, machine-learned components. Hence, this paper reports on ongoing research in the direction of a robustness analysis for the runtime monitoring framework RTLola.