ITLTracer: Runtime Verification of Properties expressed in ITL
Dr. Helge Janicke (heljanic@dmu.ac.uk), De Montfort University
Version: 906913f9b356 (September 30, 2010)
heljanic@dmu.ac.uk (DMU) ITLTracer 1 / 29 906913f9b356
Introduction: Runtime Verification

Definition (Runtime Verification)
Combines formal verification and program execution. Detects faults by passively observing system behaviour during normal operation. Validates that the system under test (SuT) satisfies formally expressed requirements (e.g. in Interval Temporal Logic (ITL)).

Pros:
- Testing in the real world!
- No (little) overhead during development.
- Reactive systems.

Cons:
- Failure recovery.
- Performance overhead.
- Not a substitute for rigorous testing.
Introduction: Runtime Verification in Context

When is runtime verification useful?
- Information only available at run-time.
- Dependent on environment (reactive system).
- (Security) critical system.
Introduction: Problem Statement

Currently we use AnaTempura for runtime verification. AnaTempura uses information obtained from the system via assertion points as input to Tempura, which computes a trace. Properties are then evaluated as state invariants (this includes references to next or previous states).

Tempura does not allow properties to contain negation of formulae, non-deterministic choice or implication, as these are not executable. (David's Functional Programming implementation may be an alternative!)

Properties such as SANTA policies use some of these constructs, which made their encoding cumbersome and led to restrictions in the language.
Introduction: Contribution and Applications

- Semantics based on partitions instead of states. This allows for a more efficient evaluation of formulae containing sequential compositions (chop).
- Efficient encoding of partitions. Traces are stored in a compacted form, saving space and access time.
- Prototype of a runtime monitor (pure Java). See www.tech.dmu.ac.uk/~heljanic

Applications include:
- Runtime verification, where temporal assertions are needed.
- SANTA policy enforcement.
- Formal log-file / attack analysis.
- ...
Framework Overview: Motivation

Observation: most programs are sequential, or contain large parts that are executed sequentially. In a sequential program only a few variables can change at a time (typically only one). Depending on the interpretation of states, this means that only very few variables change from one state to the next.

Storing all variable/value mappings for each state can be expensive; it is more sensible to store only the changes. This is what partitions do ...
Semantics: Definition (Partitioning)

Let a partitioning $part_x(\sigma)$ for a variable $x \in Var$ be a nonempty, finite sequence of tuples $(l_0, r_0), (l_1, r_1), \ldots, (l_n, r_n)$ where:
- $l_0 = 0$ (start at 0)
- $r_n = |\sigma|$ (end with the length of $\sigma$)
- $\forall\, 0 \le i \le n \cdot l_i \le r_i$ (order)
- $\forall\, 0 \le i < n \cdot r_i + 1 = l_{i+1}$ (progression)
- $\forall\, 0 \le i \le n \cdot \forall\, l_i \le t \le r_i \cdot \sigma_{l_i}(x) = \sigma_t(x)$ (constant mapping)

Example (figures: grouping of states; partitioning; alternative partitioning).
Semantics: Definition (Partition)

Let $\delta_x$ map any given partition in the partitioning $part_x(\sigma)$ of a variable $x \in Var$ to the set of values $Val$, $\delta_x : part_x(\sigma) \to Val$, such that:
$\forall\, l \le t \le r \cdot \delta_x(l, r) = \sigma_t(x)$

Definition (Unrolling)
We define $unrol(\delta_x)$ as the function
$unrol(\delta_x) = \lambda i \cdot \mathbf{if}\ l_0 \le i \le r_0 \to \delta_x(l_0, r_0)\ []\ l_1 \le i \le r_1 \to \delta_x(l_1, r_1)\ []\ \ldots\ []\ l_k \le i \le r_k \to \delta_x(l_k, r_k)\ \mathbf{fi}$
Semantics: Definition (Equivalence)

Two partitions are equivalent, $\delta_x \approx \delta'_x$, iff $unrol(\delta_x) = unrol(\delta'_x)$.

Example:
$\delta_x(0,1) = 0$, $\delta_x(2,4) = 1$, $\delta_x(5,5) = 0$
$\delta'_x(0,1) = 0$, $\delta'_x(2,3) = 1$, $\delta'_x(4,4) = 1$, $\delta'_x(5,5) = 0$

The partitions contain sufficient information to reconstruct the underlying $\sigma$ via unrolling. Equivalence with respect to a variable $x$ is established by checking whether both underlying intervals $\sigma$ and $\sigma'$ are identical w.r.t. the variable $x$.
Semantics: Definition (Aligned)

We say any two partitionings $part_x(\sigma)$ and $part_y(\sigma)$ are aligned iff:
- $|part_x(\sigma)| = |part_y(\sigma)|$
- $\forall\, 0 \le i < |part_x(\sigma)| \cdot (l_i, r_i) \in part_x(\sigma) \equiv (l_i, r_i) \in part_y(\sigma)$, i.e. the $i$-th tuples coincide.

Example (figures: not aligned; aligned).
Semantics: Definition (Partition Interval)

Let the partition interval $\delta$ be defined as a tuple of all partitions, $\delta = \langle \delta_{x_0}, \delta_{x_1}, \ldots, \delta_{x_n} \rangle$ where $x_i \in Var$, with the restriction that all partitions are of equal length:
$\forall\, x_i \in Var \cdot len(\delta_{x_0}) = len(\delta_{x_i})$
where $len(\delta_x) = r^x_n$ is the right index of the last tuple in the partitioning. We also use $len(\delta)$ to denote the length of the partition interval.

We refer to $\Delta_x(\sigma)$ as the set of all possible partitionings for the variable $x$, and correspondingly to $\Delta$ as the set of all possible partition intervals.
Semantics: Syntax

$e ::= g(e_1, \ldots, e_n) \mid fin\ v \mid \bigcirc v \mid v \mid \mu$
$f ::= p(e_1, \ldots, e_n) \mid f_1 ; f_2 \mid f_1^* \mid skip \mid f_1 \wedge f_2 \mid \neg f_1$
Semantics: Semantics of Expressions

The semantics of expressions is defined by induction over the syntax:
$\mathcal{E}[\![v]\!](\delta) = \delta_v(0, r^v_0)$
$\mathcal{E}[\![g(e_1, \ldots, e_n)]\!](\delta) = \hat{g}(\mathcal{E}[\![e_1]\!](\delta), \ldots, \mathcal{E}[\![e_n]\!](\delta))$
$\mathcal{E}[\![fin\ v]\!](\delta) = \delta_v(l^v_n, r^v_n)$
$\mathcal{E}[\![\bigcirc v]\!](\delta) = \chi(Val)$ if $r^v_n = 0$; $\delta_v(0, r^v_0)$ if $r^v_0 > 0$; $\delta_v(1, r^v_1)$ otherwise
$\mathcal{E}[\![\mu]\!](\delta) = \mu$

where $l^v_i$ and $r^v_i$ are the left and right elements of the $i$-th tuple in the partitioning $part_v(\sigma)$.
Semantics: Semantics of Formulae

The semantics of formulae is defined by induction over the syntax:
$\delta \models f_1 ; f_2$ iff $\exists\, \delta' \in \Delta \cdot \delta' \approx \delta$, $\delta'$ is aligned, and $\delta'[0, k] \models f_1$ and $\delta'[k, |\delta'|] \models f_2$ for some $k$, $0 \le k \le |\delta'|$
$\delta \models f_1 \wedge f_2$ iff $\delta \models f_1$ and $\delta \models f_2$
$\delta \models \neg f$ iff $\delta \not\models f$
$\delta \models skip$ iff $len(\delta) = 1$
$\delta \models empty$ iff $len(\delta) = 0$
$\delta \models p(e_1, \ldots, e_n)$ iff $\hat{p}(\mathcal{E}[\![e_1]\!](\delta), \ldots, \mathcal{E}[\![e_n]\!](\delta))$
$\delta \models f^*$ iff $\delta \models empty$ or $\delta \models f^* ; f$

The complexity of the chop is now reduced from being proportional to the interval length $len(\delta)$ to the number of partitions $|\delta|$.
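The following is an added example, not ITLTracer's own code: it implements the definitions of the preceding slides (partitioning as run-length encoding per variable, unrolling, equivalence, alignment of a partition interval) and evaluates the ITL fragment above over partition intervals, with the chop point $k$ ranging over partition boundaries. The session trace, the variable names `auth` and `cmd`, the tuple-based formula constructors and the policy "no privileged command while unauthenticated" are constructed here for illustration. It also shows the caveat behind the complexity remark: restricting $k$ to the boundaries of one aligned refinement is complete for state formulae evaluated at the fusion state (all variables are constant inside an aligned segment), but a formula such as $skip ; skip$ over a run in which nothing changes needs a finer equivalent refinement, which the `boundaries_only=False` mode provides.

```python
# Added example (not ITLTracer's code): partitions, unrolling, equivalence,
# alignment and evaluation of the slides' ITL fragment over a partition interval.
# Trace, variable names, formula constructors and the policy are constructed here.

def partition(trace, x):
    """part_x(sigma) together with delta_x: list of (l, r, value) runs.
    trace is a list of state dicts sigma_0 .. sigma_|sigma|."""
    runs = []
    for t, state in enumerate(trace):
        if runs and runs[-1][2] == state[x]:
            l, _, v = runs[-1]
            runs[-1] = (l, t, v)           # extend the current constant run
        else:
            runs.append((t, t, state[x]))  # value changed: open a new run
    return runs

def unroll(runs):
    """unrol(delta_x): state index -> value (the guarded 'if ... [] ... fi')."""
    return lambda i: next(v for l, r, v in runs if l <= i <= r)

def equivalent(a, b):
    """delta_x ~ delta'_x iff both unroll to the same sigma w.r.t. x."""
    n = a[-1][1]
    return b[-1][1] == n and all(unroll(a)(i) == unroll(b)(i) for i in range(n + 1))

def align(delta):
    """Refine every partitioning in delta = {x: part_x} to the union of all
    boundaries. Result: aligned partition interval as (l, r, {x: value}) segments."""
    lengths = {runs[-1][1] for runs in delta.values()}
    assert len(lengths) == 1, "all partitionings must have the same length"
    n = lengths.pop()
    starts = sorted({l for runs in delta.values() for l, _, _ in runs})
    return [(l, starts[i + 1] - 1 if i + 1 < len(starts) else n,
             {x: unroll(runs)(l) for x, runs in delta.items()})
            for i, l in enumerate(starts)]

def restrict(segs, a, b):
    """delta[a, b]: clip the segments to the sub-interval of states a..b."""
    return [(max(l, a), min(r, b), vals) for l, r, vals in segs if l <= b and r >= a]

# Expressions: ("var", x) | ("fin", x) | ("next", x) | ("const", c) | ("g", fn, [args])
def ev(e, segs):
    first, last = segs[0], segs[-1]
    if e[0] == "var":   return first[2][e[1]]            # delta_v(0, r_0)
    if e[0] == "fin":   return last[2][e[1]]             # delta_v(l_n, r_n)
    if e[0] == "next":
        l0, r0, vals = first
        if last[1] == l0: return None                    # no next state: chi(Val), here None
        return vals[e[1]] if r0 > l0 else segs[1][2][e[1]]
    if e[0] == "const": return e[1]
    return e[1](*(ev(a, segs) for a in e[2]))            # g(e_1, ..., e_n)

# Formulae: ("p", fn, [exprs]) | ("and", f, g) | ("not", f) | ("skip",) | ("empty",)
#           | ("chop", f, g) | ("star", f)
def sat(f, segs, boundaries_only=True):
    """delta |= f. With boundaries_only the chop point k ranges over the |delta|
    partition boundaries (the slides' optimisation), otherwise over every state."""
    l, r = segs[0][0], segs[-1][1]
    if f[0] == "p":     return bool(f[1](*(ev(a, segs) for a in f[2])))
    if f[0] == "and":   return sat(f[1], segs, boundaries_only) and sat(f[2], segs, boundaries_only)
    if f[0] == "not":   return not sat(f[1], segs, boundaries_only)
    if f[0] == "skip":  return r - l == 1
    if f[0] == "empty": return r == l
    points = [s[0] for s in segs] + [r] if boundaries_only else list(range(l, r + 1))
    if f[0] == "chop":  # the fusion state k belongs to both halves
        return any(sat(f[1], restrict(segs, l, k), boundaries_only)
                   and sat(f[2], restrict(segs, k, r), boundaries_only) for k in points)
    if f[0] == "star":  # empty, or f* ; f with a non-empty last chunk
        return r == l or any(sat(f, restrict(segs, l, k), boundaries_only)
                             and sat(f[1], restrict(segs, k, r), boundaries_only)
                             for k in points if k < r)
    raise ValueError(f[0])

def partition_interval(trace, variables):
    return align({x: partition(trace, x) for x in variables})

# Constructed sample session: one state per observed event.
SESSION = [
    {"auth": 0, "cmd": "none"},   # 0
    {"auth": 0, "cmd": "none"},   # 1
    {"auth": 0, "cmd": "login"},  # 2
    {"auth": 1, "cmd": "none"},   # 3
    {"auth": 1, "cmd": "ls"},     # 4
    {"auth": 1, "cmd": "ls"},     # 5
    {"auth": 1, "cmd": "sudo"},   # 6
]

# Constructed policy: no privileged command in an unauthenticated state. Because the
# fusion state of a chop is shared, "fin auth = 0 ; cmd = sudo" names one state that is both.
PRIV_WHILE_UNAUTH = ("chop", ("p", lambda a: a == 0, [("fin", "auth")]),
                             ("p", lambda c: c == "sudo", [("var", "cmd")]))
NO_PRIV_WHILE_UNAUTH = ("not", PRIV_WHILE_UNAUTH)

def check_session(trace):
    return sat(NO_PRIV_WHILE_UNAUTH, partition_interval(trace, ["auth", "cmd"]))

if __name__ == "__main__":
    print(partition_interval(SESSION, ["auth", "cmd"]))
    print("policy holds:", check_session(SESSION))
```

The aligned interval of the seven-state session has five segments, so the chop above tries five fusion points instead of seven states; on a long trace with few changes the gap is what the slides' complexity remark refers to.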
Tool-Support

- Pure Java implementation.
- javacc for parsing and rewriting.
- Java interface as well as a stdin option.
- Evaluation of properties on demand.