Introduction Enforcement of timed properties Enforcement of safety properties Conclusion
Runtime Enforcement of Timed Properties
Srinivas Pinisetty (1), Yliès Falcone (2), Thierry Jéron (1), Hervé Marchand (1), Antoine Rollet (3) and Omer Nguena Timo (3)
(1) INRIA Rennes - Bretagne Atlantique, France
(2) LIG, Université Grenoble I, France
(3) LaBRI, Université de Bordeaux - CNRS, France
MOVEP 2012, December 05, Marseille
Outline
1. Introduction
2. Enforcement of timed properties
3. Enforcement of safety properties
4. Conclusion
Verification and enforcement monitors

Runtime verification
Figure: events σ ∈ Σ^∞ → Verification Monitor → verdicts ω ∈ D^∞; question asked: σ ⊨ ϕ ?
- Does the run satisfy the property?
- Monitoring an executing system.
- No system model.
- Input: stream of events.
- Output: stream of verdicts.

Runtime enforcement
Figure: events σ ∈ Σ^∞ → EM_ϕ (with memory) → events o, with o ⊨ ϕ and o derived from σ (the relation symbol between o and σ did not survive extraction).
- The run should satisfy the property.
- Monitoring an executing system.
- No system model.
- Input: stream of events (may violate the property).
- Output: stream of events (should satisfy the property).
Enforcement monitor (untimed case)
Figure: events σ → EM_ϕ (with memory) → events o; σ ⊨ ϕ ? on the input side, o ⊨ ϕ on the output side.
- Dedicated to a property ϕ.
- Possibly augmented with a memorization mechanism.

Enforcement mechanism
An EM modifies the current execution sequence (sometimes like a "filter"):
- reads an input sequence σ ∈ Σ*;
- outputs a new sequence o ∈ Σ*;
- is endowed with a set of enforcement primitives;
- operates on the memorization mechanism;
- deletes or inserts events using the memory content and the current input.
An EM behaves as a function E : Σ* → Σ*.
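To make the memory-based description concrete, here is an added example of an untimed enforcement monitor E : Σ* → Σ* written for this page; it is not code from the slides or from the authors' tools. The property (output may only ever contain complete transactions of the form begin op* commit, over Σ = {begin, op, commit, abort}), its DFA encoding, and the names enforce, satisfies and run are all constructed for the illustration. The monitor uses exactly the three primitives the slide names: it stores events in memory while the property is not yet satisfied, dumps the memory once it is, and deletes the memory when the stored fragment can no longer be completed.

```python
"""Added example (not the slides' code): an untimed enforcement monitor with a
memory and Store / Dump / Delete primitives, driven by a DFA for a constructed
toy property "the output only ever contains complete transactions"."""

# DFA for the toy property. States: "idle" (accepting), "open" (inside a
# transaction), and the sink BAD. Any (state, event) pair not listed goes to BAD.
ACCEPTING = {"idle"}
BAD = "bad"
DFA = {
    ("idle", "begin"): "open",
    ("open", "op"): "open",
    ("open", "commit"): "idle",
}


def run(state, events):
    """State reached by the DFA after reading `events` from `state`."""
    for e in events:
        state = DFA.get((state, e), BAD)
    return state


def satisfies(events):
    """sigma |= phi iff the DFA accepts the whole word."""
    return run("idle", events) in ACCEPTING


def enforce(events):
    """The enforcement function E: reads the input sequence event by event and
    returns (output, memory). Invariant: `output` always satisfies phi."""
    output, memory = [], []
    state = "idle"                    # DFA state reached by the output so far
    for e in events:
        nxt = run(state, memory + [e])
        if nxt == BAD:
            # Delete: the stored fragment (plus e) can never be completed.
            memory = []
        elif nxt in ACCEPTING:
            # Dump: output . memory . e satisfies phi, so release everything.
            output.extend(memory + [e])
            memory = []
            state = nxt
        else:
            # Store: hold e back until the property can be satisfied.
            memory.append(e)
    return output, memory


if __name__ == "__main__":
    # Constructed sample input: one good transaction, one aborted, one good.
    trace = ["begin", "op", "op", "commit",
             "begin", "op", "abort",
             "begin", "commit"]
    out, mem = enforce(trace)
    print("input satisfies phi:", satisfies(trace))    # False (abort)
    print("output:", out, "pending:", mem)
    print("output satisfies phi:", satisfies(out))     # True
```

The aborted transaction never reaches the output: its two stored events are deleted when abort drives the DFA into the sink, which is the untimed analogue of the "filter" behaviour the slide describes.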
Motivation for timed enforcement

Specifying the timing behavior
Allows specifying the desired behavior of a system more precisely (time constraints between events). Example: after an action "a", action "b" should occur with a delay of at least 5 time units between them.

Many application domains
Real-time embedded systems, monitoring hardware failures, communication protocols, web services, and many more.

Examples
- Monitor a firewall to prevent DoS attacks by ensuring a minimal delay between input events.
- Monitor a web application to check whether the pre-conditions for providing a service are met.
Enforcement of timed properties

From untimed to timed properties enforcement
New elements have to be taken into account:
- Input/output sequences are timed words: σ = (δ1, a1) · (δ2, a2) ··· (δn, an), with δi ∈ R≥0 and ai ∈ Σ.
- The property ϕ is described by a timed automaton or a timed logic.
- Synthesis of the corresponding enforcer?
- Class of enforceable properties? → Focus on safety and co-safety properties modeled by TA.
- Model of the enforcer? → Memory + similar operations (Store, Dump). → No finite structure. → Requirements (what should the enforcer do?).
Property
Defined by a timed language ϕ ⊆ (R≥0 × Σ)*. A timed word σ satisfies ϕ (noted σ ⊨ ϕ) if σ ∈ ϕ. Focus on properties specified by a TA A_ϕ.

Safety and co-safety properties specified by TA
- Safety: nothing bad should ever happen (prefix closed).
- Co-safety: something good will eventually happen within a finite amount of time (extension closed).

[Figure: safety TA over alphabet Σ1 with clock x, locations l0, l1, l2. Transitions: r, x := 0; r, x ≥ 5, x := 0; r, x < 5. Self-loops labelled Σ1 \ {r} and Σ1.]

[Figure: co-safety TA over alphabet Σ2 with clock x, locations l0, l1, l2, l3. Transitions: r, x := 0; g, 10 ≤ x ≤ 15; g, x < 10 ∨ x > 15. Self-loops labelled Σ2 \ {r}, Σ2 \ {g} and Σ2.]
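The following is an added example written for this page, not code from the slides or from the authors' tools. It encodes the two timed automata of this slide (read as: at least 5 time units between two r actions, and a g between 10 and 15 time units after an r), checks timed words σ = (δ1, a1) · ... · (δn, an) against them, and implements the Store/Dump idea from the earlier slide for the safety property by delaying each event to the earliest date at which releasing it keeps the output in ϕ, which is also the "minimal delay between input events" behaviour of the firewall example in the motivation. Assumptions: the placement of the figures' Σ-labelled self-loops (modelled as implicit self-loops that leave the clock running), the location l2 being accepting in the co-safety TA and l2 being the bad sink in the safety TA, and the names TimedAutomaton, Transition, enforce.

```python
"""Added example (not the slides' code): timed words, the two timed automata
from the slide, membership checking, and a Store/Dump enforcer that delays
events so the output satisfies a safety property (enforcer design assumed)."""
from dataclasses import dataclass

# A timed word is a list of (delta, action): delta is the delay since the
# previous event, so the absolute date of event i is the sum of the first i deltas.


@dataclass(frozen=True)
class Transition:
    src: str
    action: str
    guard: tuple      # conjunction of (op, constant) on the single clock x
    reset: bool       # x := 0 when the transition fires
    dst: str


def guard_ok(guard, x):
    for op, c in guard:
        if not {">=": x >= c, ">": x > c, "<": x < c, "<=": x <= c}[op]:
            return False
    return True


@dataclass
class TimedAutomaton:
    init: str
    accepting: frozenset
    transitions: list

    def step(self, loc, x, delta, action):
        """Let delta time units elapse, then fire the first enabled transition
        on `action`. Assumption: (location, action) pairs with no listed
        transition are the figures' Sigma-labelled self-loops (location kept,
        clock keeps running)."""
        x += delta
        for t in self.transitions:
            if t.src == loc and t.action == action and guard_ok(t.guard, x):
                return t.dst, (0.0 if t.reset else x)
        return loc, x

    def satisfies(self, word):
        """sigma |= phi iff the run of the TA on sigma ends in an accepting location."""
        loc, x = self.init, 0.0
        for delta, a in word:
            loc, x = self.step(loc, x, delta, a)
        return loc in self.accepting


# Safety TA of the slide: at least 5 time units between two r actions; l2 is the bad sink.
SAFETY = TimedAutomaton("l0", frozenset({"l0", "l1"}), [
    Transition("l0", "r", (), True, "l1"),
    Transition("l1", "r", ((">=", 5),), True, "l1"),
    Transition("l1", "r", (("<", 5),), False, "l2"),
])

# Co-safety TA of the slide: after an r, a g must arrive with 10 <= x <= 15 (l2 good, l3 bad).
CO_SAFETY = TimedAutomaton("l0", frozenset({"l2"}), [
    Transition("l0", "r", (), True, "l1"),
    Transition("l1", "g", ((">=", 10), ("<=", 15)), False, "l2"),
    Transition("l1", "g", (("<", 10),), False, "l3"),
    Transition("l1", "g", ((">", 15),), False, "l3"),
])


def enforce(ta, word):
    """Store/Dump enforcer for a safety TA: every input event is released at the
    earliest date >= its arrival date and >= the previous release date at which
    it does not lead into a non-accepting location. Returns the output timed word.
    Only non-strict lower bounds (x >= c) generate candidate release dates; a
    strict bound x > c has no earliest satisfying instant in dense time."""
    loc, x = ta.init, 0.0     # TA state reached by the output produced so far
    now, last_out, output = 0.0, 0.0, []
    for delta, a in word:
        now += delta
        earliest = max(now, last_out)
        candidates = {earliest}
        for t in ta.transitions:
            if t.src == loc and t.action == a:
                for op, c in t.guard:
                    if op == ">=":
                        candidates.add(max(earliest, last_out + (c - x)))
        for d in sorted(candidates):
            new_loc, new_x = ta.step(loc, x, d - last_out, a)
            if new_loc in ta.accepting:
                output.append((d - last_out, a))   # Dump, delayed by d - now
                loc, x, last_out = new_loc, new_x, d
                break
        # If no candidate date works, the event is never released (suppressed).
    return output


if __name__ == "__main__":
    # Constructed sample input: r at dates 1 and 3 violate the 5-unit minimum delay.
    sigma = [(1.0, "r"), (2.0, "r"), (1.0, "a"), (1.0, "r")]
    print("input satisfies safety:", SAFETY.satisfies(sigma))        # False
    o = enforce(SAFETY, sigma)
    print("output:", o, "satisfies safety:", SAFETY.satisfies(o))    # True
    print("co-safety:", CO_SAFETY.satisfies([(2.0, "r"), (12.0, "g")]))  # True
```

For the sample input the second r arrives at date 3, only 2 time units after the first, so the enforcer holds it in memory and dumps it at date 6; the a that arrives at date 4 is held behind it (output order is preserved), and the last r is pushed from date 5 to date 11. The co-safety automaton is only checked here, not enforced: a word ending in l1 (request received, no grant yet) is not in ϕ, which is the "something good will eventually happen" reading on the slide.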