Fully automated runtime enforcement of component-based systems with formal and sound recovery

Abstract

We introduce runtime enforcement of specifications on component-based systems (CBS) modeled in the behavior, interaction and priority (BIP) framework. Runtime enforcement is an increasingly popular and effective dynamic validation technique aiming to ensure the correct runtime behavior (w.r.t. a formal specification) of a system using a so-called enforcement monitor. BIP is a powerful and expressive component-based framework for the formal construction of heterogeneous systems. Because of BIP expressiveness, however, it is difficult to enforce complex behavioral properties at design-time. We first introduce a theoretical runtime enforcement framework for component-based systems where we delineate a hierarchy of enforceable properties (i.e., properties that can be enforced) according to the number of observational steps a system is allowed to deviate from the property (i.e., the notion of k-step enforceability). To ensure the observational equivalence between the correct executions of the initial system and the monitored system, we show that (i) only stutter-invariant properties should be enforced on CBS with our monitors, and (ii) safety properties are 1-step enforceable. Second, given an abstract enforcement monitor for some 1-step enforceable property, we define a series of formal transformations to instrument (at relevant locations) a CBS described in the BIP framework to integrate the monitor. At runtime, the monitor observes and automatically avoids any error in the behavior of the system w.r.t. the property. Third, our approach is fully implemented in RE-BIP, an available tool integrated in the BIP tool suite. Fourth, to validate our approach, we use RE-BIP to (i) enforce deadlock-freedom on a dining philosophers benchmark, and (ii) ensure the correct placement of robots on a map.

Appendix 1: On the correctness and behavior of the supervised system

At an abstract level, the correctness of runtime enforcement of a property \(\varphi \) on a BIP system S stems from two facts regarding the behavior of the synthesized BIP enforcement monitor:

• the enforcement monitor correctly observes S (see “Correctness of the observation [26]”); and

• the enforcement monitor intervenes on S only when \(\varphi \) is violated and then restores S to the previous correct state (see “Correctness of the intervention”), otherwise it lets S execute normally.

Moreover, the observation and intervention of the monitor are done in such a way that the executions of S are preserved.

More precisely, from an input BIP system and a monitor, using the transformations in Sect. 6, we synthesize a system which runtime semantics is the composition between the initial system and the monitor, as described in Definition 16. Hence, the weak bisimulation and trace inclusion properties described at the abstract level in Sect. 5 apply to the transformed BIP system.

1.1 Correctness of the observation [26]

Correctly observing the system behavior relies on our instrumentation technique and follows the same correctness arguments as in [26]. We do not reiterate the proof but briefly recall the main arguments. First, in the instrumented system, the value of variables are the same as in the original system. Instrumentation only modifies the system to transfer the values of variables to the monitor. Second, the chosen priority model ensures the consistency of the events fed to the monitor: events are sent each time the system performs a transition relevant to the property, and the order of events faithfully reflects the execution.

1.2 Proof of Proposition 3 (p. 10)

Proof

Let us consider the smallest relation \(R\subseteq (\mathrm {Sta} \times (\varTheta ^{\mathcal {O}}\cup \overline{\varTheta }^{\mathcal {O}})) \times \mathrm {Sta}\) defined as follows: \(((q_0, {\theta _{{\scriptscriptstyle \mathrm {init}}}^{{\mathcal {O}}}}), q_0)\in R\) and:

1. (a)

   \((r, s) \in R \implies (r', s') \in R\), whenever \(s \xrightarrow { la }_{\mathrm {Trans}} s' \wedge r \xrightarrow { la }_{\mathrm {Mon}} r'\), or

2. (b)

   \((r, s) \in R \implies (r', s) \in R\), whenever \(r \xrightarrow {\epsilon }_{\mathrm {Mon}} r'\).

The proof is a direct consequence of Definition 16 and the chosen definition of R. The three conditions of Proposition 3 hold for relation R.

• Condition 1. holds because \(q_0\) and \({\theta _{{\scriptscriptstyle \mathrm {init}}}^{{\mathcal {O}}}}\) are the initial states of respectively \(\left\langle \mathrm {Lab}, \mathrm {Sta}, \mathrm {Trans} \right\rangle \) and the monitor.

• Let us consider \((r,s) \in R, la \in \mathrm {Lab}\), and \(r' \in \mathrm {Sta}\times (\varTheta ^{\mathcal {O}}\cup \overline{\varTheta }^{\mathcal {O}})\) such that \(r \xrightarrow { la }_{\mathrm {Mon}} r'\). Let r and \(r'\) be \(\left\langle q,\theta \right\rangle \) and \(\left\langle q',\theta ' \right\rangle \) for some \(q,q' \in \mathrm {Sta}\) and \(\theta , \theta ' \in \varTheta ^{\mathcal {O}}\cup \overline{\varTheta }^{\mathcal {O}}\). According to the semantics rules in Definition 16, \(r \xrightarrow { la }_{\mathrm {Mon}} r'\) is possible only at two conditions. The first case is when rule (1) applies, that is when L moves from q to \(q'\) by \( la \) and \(\theta = \theta '\) (i.e., the instrumentation function does not produce an event), for some \( la \in \mathrm {Lab}\). According to (a), we have \(\left( \left\langle q',\theta \right\rangle , q'\right) \in R\). Similarly, when rule (2) applies, we can find \(\left( \left\langle q',\theta ' \right\rangle , q'\right) \in R\) where \(\theta '\) is such that \(\exists \theta _c \in {\varTheta }^{{\mathcal {O}}}, \exists e \in \varSigma : \theta \xrightarrow {e}_{{\mathcal {E}}} \theta _c \wedge \theta _c \xrightarrow { com }_{{\mathcal {E}}} \theta '\), with \(\theta ' \in \varTheta ^{\mathcal {O}}\). Hence, condition 2. holds.

• Let us consider \((r,s) \in R\) and \(r' \in \mathrm {Sta} \times (\varTheta ^{\mathcal {O}}\cup \overline{\varTheta }^{\mathcal {O}})\) such that \(r \xrightarrow { \epsilon }_{\mathrm {Mon}} r'\). Let r and \(r'\) be \(\left\langle q,\theta \right\rangle \) and \(\left\langle q',\theta ' \right\rangle \) for some \(q,q' \in \mathrm {Sta}\) and \(\theta , \theta ' \in \varTheta ^{\mathcal {O}}\cup \overline{\varTheta }^{\mathcal {O}}\). According to the semantics rules in Definition 16, \(r \xrightarrow {\epsilon }_{\mathrm {Mon}} r'\) is possible only if \(q \xrightarrow { la }_{\mathrm {Trans}} q' \wedge \theta \xrightarrow {e}_{{\mathcal {E}}} \theta _e \wedge \theta _e\in \overline{\varTheta }^{\mathcal {O}}\wedge \theta _e \xrightarrow {\overline{e}}_{{\mathcal {E}}} \theta \), for some \( la \in \mathrm {Lab}, e = {{\mathrm{inst}}}( la , q'), \theta _e \in \overline{\varTheta }^{\mathcal {O}}\), and we have \(r = r'\). Hence, condition 3. holds. \(\square \)

1.3 Correctness of the intervention

In the following, we focus on the correctness of the behavior of enforcement monitors. The correctness stems from the fact that we consider safety properties and that, as it was similarly expressed at an abstract level in Proposition 1, enforcement monitors rollback the system by one step as soon as the system emits an event that violates the property.

Intuitively, the correctness proof of the transformations consists in showing that the supervised BIP system behaves in the same way as the composition of an abstract enforcement monitor with the LTS of the initial system. That is, the behavior of the supervised systems follows the semantics rules in Definition 16.

1.3.1 Preliminaries: partitioning interactions

Recall that a trace of length l of a BIP system \(\left\langle B, Init \right\rangle \) whose runtime semantics is \(\pi (C)=\left\langle Q, A, \mathop {\longrightarrow }\limits ^{}_\pi \right\rangle \) is the sequence of alternating states/configurations and interactions \(q^0\cdot a_0\cdot q^1\cdot a_1\cdots a_{l-1}\cdot q^l\) such that: \(q^0\) = \( Init \), and, \(\forall i\in [0,l-1]: q^i\in Q \wedge \exists a_i\in A: q^i \mathop {\longrightarrow }\limits ^{a_i}_\pi q^{i+1}\).

According to the transformations defined in Sect. 6, a trace \(q^0\cdot a_0\cdot q^1\cdot a_1\cdots a_{l-1}\cdot q^l\) of the monitored system \(C^\mathrm{rec}\) satisfies the following property.

Lemma 1

If \({\mathcal {E}}.p^m \in a^i\), then all other ports involved in \(a^i\) are \(p^m\) ports.

Proof

The lemma holds by construction, according to Definitions 21 (p. 13) and 23 (p. 14). \(\square \)

Similar lemmas hold for \({\mathcal {E}}.p^c\) and \({\mathcal {E}}.p^r\). A consequence of Lemma 1 is that the interactions of the supervised system can be grouped into four categories: the initial, recovery, continue, and monitor interactions. Consequently, we denote by \(\alpha _m\) (resp. \(\alpha _c\), \(\alpha _r\)) any interaction involving \({\mathcal {E}}.p^m\) (resp. \({\mathcal {E}}.p^c\), \({\mathcal {E}}.p^r\)).

Lemma 2

Let us consider \(i \in [1, m]\) s.t. \(q^i \cdot a^i \cdot q^{i+1}\), then \({\mathcal {E}}.p^m \in a^i\) iff \(q^{i+1} \cdot a^{i+1} \cdot q^{i+2}\) where \(\{{\mathcal {E}}.p^r, {\mathcal {E}}.p^c\} \cap a^{i+1} \ne \emptyset \).

Proof

First, according to Definitions 21 and 23 (p. 13 and 14), interactions \(\alpha ^c\) and \(\alpha ^r\) have more priority than the interactions of the initial BIP system. Second, according to Definition 17 (p. 11), any instrumented transition of an atomic component consists of two transitions (one for recovery and one for continue) just after a transition for interacting with the monitor (i.e., labeled with port \(p^m\)).

Lemma 2 states that, after an interaction with the monitor (\(a^i\) is an \(\alpha _m\) interaction), only two kinds of interactions can happen: either a recovery or a continue interaction (i.e., \(a_{i+1}\) is an \(\alpha _r\) or an \(\alpha _c\) interaction).

1.3.2 Proof of Proposition 4 (p. 15)

Let us consider a trace \(q^0\cdot a_0\cdot q^1\cdot a_1\cdots a_{l-1}\cdot q^l\) of the supervised system and the next step of the system after this trace which consists in performing an interaction a. We distinguish two cases according to whether a is connected to an instrumented transition (i.e., \(a \in {{\mathrm{rec\_i}}}\)) or not.

1. 1.

   If \(a \notin {{\mathrm{rec\_i}}}\), then the execution of a does not modify the variables that affect the satisfiability of the property. This stems from the following facts. First, according to Definitions 21 and 23 (p. 13 and 14 respectively), interaction \(\alpha ^m\) has more priority than the interactions of the initial BIP system. Second, according to Definition 17 (p. 11), any instrumented transition of an atomic component consists of its previous transition followed by a transition to interact with the monitor (i.e., labeled with port \(p^m\)). After instrumentation, such interaction and the following state are mapped to \(\epsilon \). Consequently the first rule in Definition 16 (p. 9) applies.

2. 2.

   If \(a \in {{\mathrm{rec\_i}}}\), then a is followed by the execution of an \(\alpha ^m\) interaction (i.e., an interaction with the enforcement monitor). After instrumentation, such interaction and the following state (where the values of variables are sent through port \(\mathcal{E}.p^m\) of the enforcement monitor) are mapped to an event \(e \in \varSigma \) in Definition 16. Recall that, according to Lemma 2, an \(\alpha _m\) interaction is followed by either an \(\alpha _c\) or an \(\alpha _r\) interaction. We distinguish two sub-cases:

   • The first sub-case is when a involves transitions that do not modify the variables of the property but at least one of these transitions has a port that is in an interaction modifying some variables of the property. Hence, e corresponds to the last emitted event in the trace. Because of stutter-invariance, the system keeps satisfying the property. Consequently, \(\alpha _m\) is followed by an \(\alpha _c\) interaction. This situation corresponds to rule number 2 in Definition 16.

   • The second sub-case is when a involves transitions that modify some variables of the property. We distinguish two subsub-cases.

     • The first subsub-case is when e brings the monitor to a good (with verdict \(\top \)) or currently good state (with verdict \(\top _c\)). Then, the system executes interaction \(\alpha ^c\) that moves the system to a next good state that is the same as in the original system. This situation is similar to the previous first sub-case and also corresponds to rule number 2 in Definition 16.

     • The second subsub-case is when e brings the monitor to a bad state (with verdict \(\bot \)). Then, the system executes interaction \(\alpha ^r\) that restores the values of the variables and brings the system back to its (correct) previous state. The execution of a recovery transition corresponds to \(\overline{e}\) in rule number 3 in Definition 16.