Fully automated runtime enforcement of component-based systems with formal and sound recovery

  • Yliès FalconeEmail author
  • Mohamad Jaber
Regular Paper


We introduce runtime enforcement of specifications on component-based systems (CBS) modeled in the behavior, interaction and priority (BIP) framework. Runtime enforcement is an increasingly popular and effective dynamic validation technique aiming to ensure the correct runtime behavior (w.r.t. a formal specification) of a system using a so-called enforcement monitor. BIP is a powerful and expressive component-based framework for the formal construction of heterogeneous systems. Because of BIP expressiveness, however, it is difficult to enforce complex behavioral properties at design-time. We first introduce a theoretical runtime enforcement framework for component-based systems where we delineate a hierarchy of enforceable properties (i.e., properties that can be enforced) according to the number of observational steps a system is allowed to deviate from the property (i.e., the notion of k-step enforceability). To ensure the observational equivalence between the correct executions of the initial system and the monitored system, we show that (i) only stutter-invariant properties should be enforced on CBS with our monitors, and (ii) safety properties are 1-step enforceable. Second, given an abstract enforcement monitor for some 1-step enforceable property, we define a series of formal transformations to instrument (at relevant locations) a CBS described in the BIP framework to integrate the monitor. At runtime, the monitor observes and automatically avoids any error in the behavior of the system w.r.t. the property. Third, our approach is fully implemented in RE-BIP, an available tool integrated in the BIP tool suite. Fourth, to validate our approach, we use RE-BIP to (i) enforce deadlock-freedom on a dining philosophers benchmark, and (ii) ensure the correct placement of robots on a map.


Runtime enforcement Component-based systems Monitoring k-step enforceability BIP 


  1. 1.
    Alur, R., Dill, D.L.: A theory of timed automata. Theor. Comput. Sci. 126, 183–235 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Arora, A., Kulkarni, S.S.: Detectors and correctors: a theory of fault-tolerance components. In: ICDCS 98: Proceedings of the 18th International Conference on Distributed Computing Systems, pp. 436–443 (1998)Google Scholar
  3. 3.
    Basin, D.A., Jugé, V., Klaedtke, F., Zalinescu, E.: Enforceable security policies revisited. ACM Trans. Inf. Syst. Secur. 16(1), 3 (2013)CrossRefzbMATHGoogle Scholar
  4. 4.
    Basu, A., Bensalem, S., Bozga, M., Combaz, J., Jaber, Mohamad, Nguyen, Thanh-Hung, Sifakis, Joseph: Rigorous component-based system design using the BIP framework. IEEE Softw. 28(3), 41–48 (2011)CrossRefGoogle Scholar
  5. 5.
    Bauer, A., Leucker, M., Schallhart, C.: Comparing LTL semantics for runtime verification. J. Logic Comput. 20(3), 651–674 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Bauer, A.K., Falcone, Y.: Decentralised LTL monitoring. In: FM 2012: Proceedings of 18th International Symposium on Formal Methods, pp. 85–100 (2012)Google Scholar
  7. 7.
    Bensalem, S., Bozga, M., Nguyen, T.-H., Sifakis, J.: D-finder: a tool for compositional deadlock detection and verification. In: Bouajjani, A., Maler, O. (eds.) Computer Aided Verification, 21st International Conference, CAV 2009, Grenoble, France, June 26–July 2, 2009. Proceedings of Lecture Notes in Computer Science, vol. 5643, pp. 614–619. Springer, Berlin (2009)Google Scholar
  8. 8.
    Bensalem, S., Griesmayer, A., Legay, A., Nguyen, T.H., Sifakis, J., Yan, R.: D-finder 2: towards efficient correctness of incremental design. In: Bobaru, M.G., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NASA Formal Methods—Third International Symposium, NFM 2011, Pasadena, CA, USA, April 18–20, 2011. Proceedings of Lecture Notes in Computer Science, vol. 6617, pp. 453–458. Springer, Berlin (2011)Google Scholar
  9. 9.
    Bliudze, S., Sifakis, J.: The algebra of connectors–structuring interaction in BIP. IEEE Trans. Comput. 57(10), 1315–1330 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Bliudze, S., Sifakis, J.: A notion of glue expressiveness for component-based systems. In: CONCUR—Concurrency Theory, Proceedings of the 19th International Conference. LNCS, vol. 5201, pp. 508–522. Springer, Berlin (2008)Google Scholar
  11. 11.
    Bonakdarpour, B., Bozga, M., Gößler, G.: A theory of fault recovery for component-based models. In: SSS 2012: Proceedings of the 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems. LNCS, vol. 7596, pp. 314–328. Springer, Berlin (2012)Google Scholar
  12. 12.
    Bonakdarpour, B., Bozga, M., Jaber, M., Quilbeuf, J., Sifakis, Joseph: A framework for automated distributed implementation of component-based models. Distrib. Comput. 25(5), 383–409 (2012)CrossRefzbMATHGoogle Scholar
  13. 13.
    Bouhadiba, T., Sabah, Q., Delaval, G., Rutten, E.: Synchronous control of reconfiguration in fractal component-based systems: a case study. In: Chakraborty, S., Jerraya, A., Baruah, S.K., Fischmeister, S. (eds.) Proceedings of the 11th International Conference on Embedded Software, EMSOFT 2011, part of the Seventh Embedded Systems Week, ESWeek 2011, Taipei, Taiwan, October 9–14, 2011, pp. 309–318. ACM, New York (2011)Google Scholar
  14. 14.
    Boyer, F., Gruber, O., Pous, D.: Robust reconfigurations of component assemblies. In: Notkin, D., Cheng, B.H.C., Pohl, K. (eds.) 35th International Conference on Software Engineering, ICSE ’13, San Francisco, CA, USA, May 18–26, 2013, pp. 13–22. IEEE/ACM, New York (2013)Google Scholar
  15. 15.
    Bozga, M., Jaber, M., Maris, N., Sifakis, J.: Modeling dynamic architectures using Dy-BIP. In: SC: Proceedings of Conference on High Performance Computing Networking, Storage and Analysis. LNCS, vol. 7306, pp. 1–16. Springer, Berlin (2012)Google Scholar
  16. 16.
    Christos, G.C., Stephane, L.: Introduction to Discrete Event Systems. Springer, Secaucus (2006)Google Scholar
  17. 17.
    Charafeddine, H., El-Harake, K., Falcone, Y., Jaber, M.: Runtime enforcement for component-based systems. In: Proceedings of the 30th Annual ACM Symposium on Applied Computing, Salamanca, Spain, April 13–17, 2015, pp. 1789–1796 (2015). doi: 10.1145/2695664.2695879
  18. 18.
    Chatzieleftheriou, G., Bonakdarpour, B., Smolka, S.A., Katsaros, P.: Abstract model repair. In: NFM. LNCS, vol. 7226, pp. 341–355. Springer, Berlin (2012)Google Scholar
  19. 19.
    Colombo, C., Falcone, Y.: Organising LTL monitors over distributed systems with a global clock. In: Bonakdarpour, B., Smolka, S.A. (eds.) Runtime Verification—5th International Conference, RV 2014, Toronto, ON, Canada, September 22–25, 2014. Proceedings of Lecture Notes in Computer Science, vol. 8734, pp. 140–155. Springer, Berlin (2014)Google Scholar
  20. 20.
    Dormoy, J., Kouchnarenko, O., Lanoix, A.: Using temporal logic for dynamic reconfigurations of components. In: FACS 2010: Proceedings of the 7th International Symposium on Formal Aspects of Component Software. LNCS, vol. 6921, pp. 200–217. Springer, Berlin (2010)Google Scholar
  21. 21.
    Dormoy, J., Kouchnarenko, O., Lanoix, A.: Runtime verification of temporal patterns for dynamic reconfigurations of components. In: FACS 2011: Proceedings of 8th International Symposium on the Formal Aspects of Component Software. Revised Selected Papers. LNCS, vol. 7253, pp. 115–132. Springer, Berlin (2011)Google Scholar
  22. 22.
    Falcone, Y.: You Should Better Enforce than Verify. In: RV. LNCS, vol. 6418, pp. 89–105. Springer, Berlin (2010)Google Scholar
  23. 23.
    Falcone, Y., Cornebize, T., Fernandez, J.C.: Efficient and generalized decentralized monitoring of regular languages. In: Proceedings of Formal Techniques for Distributed Objects, Components, and Systems—34th IFIP WG 6.1 International Conference, FORTE 2014. LNCS, vol. 8461, pp. 66–83 (2014)Google Scholar
  24. 24.
    Falcone, Y., Fernandez, J.C., Mounier, L.: Runtime verification of safety-progress properties. In: RV 2009: Proceedings of the 9th International Workshop on Runtime Verification. Selected Papers. LNCS, vol. 5779, pp. 40–59. Springer, Berlin (2009)Google Scholar
  25. 25.
    Falcone, Y., Fernandez, J.C., Mounier, L.: What can you verify and enforce at runtime? STTT 14(3), 349–382 (2012)CrossRefGoogle Scholar
  26. 26.
    Falcone, Y., Jaber, M., Nguyen, T.H., Bozga, M., Bensalem, S.: Runtime verification of component-based systems in the BIP framework with formally proved sound and complete instrumentation. SOSYM (2013)Google Scholar
  27. 27.
    Falcone, Y., Marchand, H.: Enforcement and validation (at runtime) of various notions of opacity. Discrete Event Dyn. Syst. 25(4), 531–570 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Falcone, Y., Mounier, L., Fernandez, J.C., Richier, J.L.: Runtime enforcement monitors: composition, synthesis, and enforcement abilities. Formal Methods Syst. Des. 38(3), 223–262 (2011)CrossRefzbMATHGoogle Scholar
  29. 29.
    Gueye, S.M., De Palma, N., Rutten, E.: Component-based autonomic managers for coordination control. In: De Nicola, R., Julien, C. (eds.) Coordination Models and Languages, 15th International Conference, COORDINATION 2013, Held as Part of the 8th International Federated Conference on Distributed Computing Techniques, DisCoTec 2013, Florence, Italy, June 3–5, 2013. Proceedings of Lecture Notes in Computer Science, vol. 7890, pp. 75–89. Springer, Berlin (2013)Google Scholar
  30. 30.
    Guillet, S., de Lamotte, F., Le Griguer, N., Rutten, E., Diguet, J.P., Gogniat, G.: Modeling and synthesis of a dynamic and partial reconfiguration controller. In: Koch, D., Singh, S., Tørresen, J. (eds.) 22nd International Conference on Field Programmable Logic and Applications (FPL), Oslo, Norway, August 29–31, 2012, pp. 703–706. IEEE, New York (2012)Google Scholar
  31. 31.
    Havelund, K., Goldberg, A.: Verify your runs. In: VSTTE 2005: Proceedings of the First IFIP TC 2/WG 2.3 Conference on Verified Software: Theories, Tools, Experiments. Revised Selected Papers and Discussions, pp. 374–383 (2008)Google Scholar
  32. 32.
    Kouchnarenko, O., Weber, J.-F.: Adapting component-based systems at runtime via policies with temporal patterns. In: Fiadeiro, J.L., Liu, Z., Xue, J. (eds.) Formal Aspects of Component Software—10th International Symposium, FACS 2013, Nanchang, China, October 27–29, 2013. Revised Selected Papers. Lecture Notes in Computer Science, vol. 8348, pp. 234–253. Springer, Berlin (2013)Google Scholar
  33. 33.
    Ligatti, J., Bauer, L., Walker, D.: Run-time enforcement of nonsafety policies. ACM Trans. Inf. Syst. Secur. 12(3), 19:1–19:41 (2009)CrossRefGoogle Scholar
  34. 34.
    Manna, Z., Pnueli, A.: A hierarchy of temporal properties. In: PODC 90: Proceedings of the Ninth Annual ACM Symposium on Principles of Distributed Computing, pp. 377–410 (1990)Google Scholar
  35. 35.
    Matteucci, I.: Automated synthesis of enforcing mechanisms for security properties in a timed setting. Electron. Notes Theor. Comput. Sci. 186, 101–120 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    Pinisetty, S., Falcone, Y., Jéron, T., Marchand, H.: Runtime enforcement of parametric timed properties with practical applications. In: Lesage, J.J., Faure, J.M., Cury, J.E.R., Lennartson, B. (eds.) 12th International Workshop on Discrete Event Systems, WODES 2014, Cachan, France, May 14–16, 2014, pp. 420–427. International Federation of Automatic Control, USA (2014)Google Scholar
  37. 37.
    Pinisetty, S., Falcone, Y., Jéron, T., Marchand, H., Rollet, Antoine, Nguena-Timo, Omer: Runtime enforcement of timed properties revisited. Formal Meth. Syst. Des. 45(3), 381–422 (2014)CrossRefzbMATHGoogle Scholar
  38. 38.
    Pnueli, A., Zaks, A.: PSL model checking and run-time verification via testers. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) FM 2006: Proceedings of the 14th International Symposium on Formal Methods. LNCS, vol. 4085, pp. 573–586. Springer, Berlin (2006)Google Scholar
  39. 39.
    Renard, M., Falcone, Y., Rollet, A., Pinisetty, S., Jéron, T., Marchand, H.: Enforcement of (timed) properties with uncontrollable events. In: Leucker, M., Rueda, C., Valencia, F.D. (eds.) Theoretical Aspects of Computing—ICTAC 2015—12th International Colloquium Cali, Colombia, October 29–31, 2015. Proceedings of Lecture Notes in Computer Science, vol. 9399, pp. 542–560. Springer, Berlin (2015)Google Scholar
  40. 40.
    Runtime Verification. (2001–2015)
  41. 41.
    Said, N.B., Abdellatif, T., Bensalem, S., Bozga, M.: Model-driven information flow security for component-based systems. In: Bensalem, S., Lakhneck, Y., Legay, A. (eds.) From Programs to Systems. The Systems perspective in Computing—ETAPS Workshop, FPS 2014. in Honor of Joseph Sifakis, Grenoble, France, April 6, 2014. Proceedings of Lecture Notes in Computer Science, vol. 8415, pp. 1–20. Springer, Berlin (2014)Google Scholar
  42. 42.
    Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)CrossRefGoogle Scholar
  43. 43.
    Wen, Q., Kumar, R., Huang, J., Liu, H.: A framework for fault-tolerant control of discrete event systems. IEEE Trans. Automat. Contr. 53(8), 1839–1849 (2008)Google Scholar
  44. 44.
    Wilke, T.: Classifying discrete temporal properties. In: STACS. LNCS, vol. 1563, pp. 32–46. Springer, Berlin (1999)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.Univ. Grenoble-Alpes, Inria, LIGGrenobleFrance
  2. 2.American University of Beirut, CMPSBeirutLebanon

Personalised recommendations