# Fully automated runtime enforcement of component-based systems with formal and sound recovery

## Abstract

We introduce runtime enforcement of specifications on component-based systems (CBS) modeled in the behavior, interaction and priority (BIP) framework. Runtime enforcement is an increasingly popular and effective dynamic validation technique that aims to ensure the correct runtime behavior (w.r.t. a formal specification) of a system using a so-called enforcement monitor. BIP is a powerful and expressive component-based framework for the formal construction of heterogeneous systems. Because of BIP's expressiveness, however, it is difficult to enforce complex behavioral properties at design-time. We first introduce a theoretical runtime enforcement framework for component-based systems in which we delineate a hierarchy of enforceable properties (i.e., properties that can be enforced) according to the number of observational steps a system is allowed to deviate from the property (i.e., the notion of *k*-step enforceability). To ensure observational equivalence between the correct executions of the initial system and the monitored system, we show that (i) only stutter-invariant properties should be enforced on CBS with our monitors, and (ii) safety properties are 1-step enforceable. Second, given an abstract enforcement monitor for some 1-step enforceable property, we define a series of formal transformations that instrument (at relevant locations) a CBS described in the BIP framework to integrate the monitor. At runtime, the monitor observes the system and automatically avoids any error in its behavior w.r.t. the property. Third, our approach is fully implemented in RE-BIP, an available tool integrated into the BIP tool suite. Fourth, to validate our approach, we use RE-BIP to (i) enforce deadlock-freedom on a dining philosophers benchmark, and (ii) ensure the correct placement of robots on a map.
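The 1-step enforcement of a safety property described in the abstract, as an added Python example that is not RE-BIP or BIP code: a constructed two-robot strip model with single-port and multiparty interactions, a state-only (hence stutter-invariant) safety property, and an engine that explores every observable global state with and without the monitor. The component names, map, ports and property are assumptions; the monitor evaluates the property on the tentative successor and rolls back a violating step before it can be observed.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple
# Constructed miniature of a BIP-style model (not RE-BIP's own code): components are
# robots whose local state is a cell on a 1-D strip, ports are "left"/"right", and an
# interaction is a set of (component, port) pairs firing atomically. All assumptions.
State = Dict[str, int]
Port = Tuple[str, str]
WIDTH = 4  # cells 0..3
INIT: State = {"r1": 0, "r2": 3}
INTERACTIONS: List[FrozenSet[Port]] = [
    frozenset({("r1", "left")}), frozenset({("r1", "right")}),
    frozenset({("r2", "left")}), frozenset({("r2", "right")}),
    frozenset({("r1", "right"), ("r2", "right")}),  # multiparty: both step right
    frozenset({("r1", "left"), ("r2", "left")}),    # multiparty: both step left
]

def enabled(state: State, port: Port) -> bool:
    """Port guard: a robot may not step off the strip."""
    comp, p = port
    return state[comp] > 0 if p == "left" else state[comp] < WIDTH - 1

def fire(state: State, inter: FrozenSet[Port]) -> State:
    """Tentative successor: every port of the interaction updates its component."""
    nxt = dict(state)
    for comp, p in inter:
        nxt[comp] += -1 if p == "left" else 1
    return nxt

def no_collision(state: State) -> bool:
    """Safety property Phi: no two robots share a cell (state-only, so stutter-invariant)."""
    return len(set(state.values())) == len(state)

def reachable(init: State, interactions: List[FrozenSet[Port]],
              monitor: Optional[Callable[[State], bool]] = None) -> Set[Tuple]:
    """Every observable global state the engine can emit. With a monitor the engine
    evaluates Phi on the tentative successor and rolls back a violating step, blocking
    that interaction for this step, so the bad state is never observed (1-step)."""
    freeze = lambda s: tuple(sorted(s.items()))
    seen, stack = {freeze(init)}, [init]
    while stack:
        state = stack.pop()
        for inter in interactions:
            if not all(enabled(state, p) for p in inter):
                continue
            nxt = fire(state, inter)
            if monitor is not None and not monitor(nxt):
                continue  # rollback: one internal step of deviation, zero observed
            if freeze(nxt) not in seen:
                seen.add(freeze(nxt))
                stack.append(nxt)
    return seen
```

Without the monitor all 16 placements are reachable, four of them collisions; with it only the six collision-free placements are ever emitted.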

## Keywords

Runtime enforcement, Component-based systems, Monitoring, *k*-step enforceability, BIP
