Advertisement

Correct-by-Construction Implementation of Runtime Monitors Using Stepwise Refinement

  • Teng ZhangEmail author
  • John Wiegley
  • Theophilos Giannakopoulos
  • Gregory Eakman
  • Clément Pit-Claudel
  • Insup Lee
  • Oleg Sokolsky
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10998)

Abstract

Runtime verification (RV) is a lightweight technique for verifying traces of computer systems. One challenge in applying RV is to guarantee that the implementation of a runtime monitor correctly detects and signals unexpected events. In this paper, we present a method for deriving correct-by-construction implementations of runtime monitors from high-level specifications using Fiat, a Coq library for stepwise refinement. SMEDL (Scenario-based Meta-Event Definition Language), a domain specific language for event-driven RV, is chosen as the specification language. We propose an operational semantics for SMEDL suitable to be used in Fiat to describe the behavior of a monitor in a relational way. Then, by utilizing Fiat’s refinement calculus, we transform a declarative monitor specification into an executable runtime monitor with a proof that the behavior of the implementation is strictly a subset of that provided by the specification. Moreover, we define a predicate on the syntax structure of a monitor definition to ensure termination and determinism. Most of the proof work required to generate monitor code has been automated.

Keywords

Runtime monitor SMEDL Formal semantics Coq Stepwise refinement 

References

  1. 1.
    Sokolsky, O., Havelund, K., Lee, I.: Introduction to the special section on runtime verification. Softw. Tools Technol. Transf. 14(3), 243–247 (2012)CrossRefGoogle Scholar
  2. 2.
    Zhang, T., Gebhard, P., Sokolsky, O.: SMEDL: combining synchronous and asynchronous monitoring. In: Falcone, Y., Sánchez, C. (eds.) RV 2016. LNCS, vol. 10012, pp. 482–490. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-46982-9_32CrossRefGoogle Scholar
  3. 3.
    Delaware, B., Pit-Claudel, C., Gross, J., Chlipala, A.: Fiat: Deductive synthesis of abstract data types in a proof assistant. In: ACM SIGPLAN Notices, vol. 50, pp. 689–700. ACM (2015)Google Scholar
  4. 4.
    The Coq Development Team: The Coq Proof Assistant Reference ManualGoogle Scholar
  5. 5.
    Chlipala, A., et al.: The end of history? using a proof assistant to replace language design with library design. In: SNAPL 2017: 2nd Summit on Advances in Programming Languages (2017)Google Scholar
  6. 6.
    Wiegley, J., Delaware, B.: Using Coq to write fast and correct Haskell. In: Proceedings of the 10th ACM SIGPLAN International Symposium on Haskell, pp. 52–62. ACM (2017)Google Scholar
  7. 7.
    Hoare, C., et al.: Data refinement refined (1985)Google Scholar
  8. 8.
    Cheng, K.T., Krishnakumar, A.S.: Automatic functional test generation using the extended finite state machine model. In: Proceedings of the 30th International Design Automation Conference, pp. 86–91. ACM (1993)Google Scholar
  9. 9.
    Newman, M.H.A.: On theories with a combinatorial definition of “equivalence”. Ann. Math. 43, 223–243 (1942)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Oniguruma contributors: Oniguruma. https://github.com/kkos/oniguruma. Accessed 27 Mar 2018
  11. 11.
    Barringer, H., Goldberg, A., Havelund, K., Sen, K.: Rule-based runtime verification. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 44–57. Springer, Heidelberg (2004).  https://doi.org/10.1007/978-3-540-24622-0_5CrossRefzbMATHGoogle Scholar
  12. 12.
    Allan, C., et al.: Adding trace matching with free variables to AspectJ. In: ACM SIGPLAN Notices, vol. 40, pp. 345–364. ACM (2005)Google Scholar
  13. 13.
    Barringer, H., Rydeheard, D., Havelund, K.: Rule systems for run-time monitoring: from Eagle to RuleR. J. Log. Comput. 20(3), 675–706 (2010)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Chen, F., Roşu, G.: Parametric trace slicing and monitoring. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 246–261. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-00768-2_23CrossRefzbMATHGoogle Scholar
  15. 15.
    Lee, I., Kannan, S., Kim, M., Sokolsky, O., Viswanathan, M.: Runtime assurance based on formal specifications. In: Departmental Papers (CIS), pp. 294 (1999)Google Scholar
  16. 16.
    Giannakopoulou, D., Havelund, K.: Automata-based verification of temporal properties on running programs. In: 2001 Proceedings of 16th Annual International Conference on Automated Software Engineering. (ASE 2001), pp. 412–416. IEEE (2001)Google Scholar
  17. 17.
    Drusinsky, D.: Semantics and runtime monitoring of tlcharts: statechart automata with temporal logic conditioned transitions. Electron. Notes Theor. Comput. Sci. 113, 3–21 (2005)CrossRefGoogle Scholar
  18. 18.
    Roşu, G., Havelund, K.: Rewriting-based techniques for runtime verification. Autom. Softw. Eng. 12(2), 151–197 (2005)CrossRefGoogle Scholar
  19. 19.
    Colombo, C., Pace, G.J., Schneider, G.: Dynamic event-based runtime monitoring of real-time and contextual properties. In: Cofer, D., Fantechi, A. (eds.) FMICS 2008. LNCS, vol. 5596, pp. 135–149. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03240-0_13CrossRefGoogle Scholar
  20. 20.
    Havelund, K.: Runtime verification of C programs. In: Suzuki, K., Higashino, T., Ulrich, A., Hasegawa, T. (eds.) FATES/TestCom -2008. LNCS, vol. 5047, pp. 7–22. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-68524-1_3CrossRefGoogle Scholar
  21. 21.
    Meredith, P.O., Jin, D., Griffith, D., Chen, F., Roşu, G.: An overview of the MOP runtime verification framework. Int. J. Softw. Tools Technol. Transf. 14(3), 249–289 (2012)CrossRefGoogle Scholar
  22. 22.
    Luo, Q., et al.: RV-monitor: efficient parametric runtime verification with simultaneous properties. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 285–300. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-11164-3_24CrossRefGoogle Scholar
  23. 23.
    Chen, Z., Wang, Z., Zhu, Y., Xi, H., Yang, Z.: Parametric runtime verification of C programs. In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 299–315. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49674-9_17CrossRefGoogle Scholar
  24. 24.
    Reger, G., Cruz, H.C., Rydeheard, D.: MarQ: monitoring at runtime with QEA. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 596–610. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46681-0_55CrossRefGoogle Scholar
  25. 25.
    Paulin-Mohring, C.: Modelisation of timed automata in Coq. In: Kobayashi, N., Pierce, B.C. (eds.) TACS 2001. LNCS, vol. 2215, pp. 298–315. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45500-0_15CrossRefzbMATHGoogle Scholar
  26. 26.
    Kammüller, F., Helke, S.: Mechanical analysis of UML state machines and class diagrams. In: The Proceedings of Workshop on Precise Semantics for the UML. ECOOP2000. Citeseer (2000)Google Scholar
  27. 27.
    Harel, D.: Statecharts: a visual formalism for complex systems. Sci. Comput. Program. 8(3), 231–274 (1987)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL: A Proof Assistant for Higher-Order Logic, vol. 2283. Springer, Heidelberg (2002).  https://doi.org/10.1007/3-540-45949-9CrossRefzbMATHGoogle Scholar
  29. 29.
    Frana, R., Bodeveix, J.P., Filali, M., Rolland, J.F.: The AADL behaviour annex-experiments and roadmap. In: 2007 12th IEEE International Conference on Engineering Complex Computer Systems, 377–382. IEEE (2007)Google Scholar
  30. 30.
    Yang, Z., Hu, K., Ma, D., Bodeveix, J.P., Pi, L., Talpin, J.P.: From AADL to timed abstract state machines: a verified model transformation. J. Syst. Softw. 93, 42–68 (2014)CrossRefGoogle Scholar
  31. 31.
    Ouimet, M., Lundqvist, K., Nolin, M.: The timed abstract state machine language: an executable specification language for reactive real-time systems. In: RTNS 2007, p. 15 (2007)Google Scholar
  32. 32.
    Dijkstra, E.W.: A constructive approach to the problem of program correctness. BIT Numer. Math. 8(3), 174–186 (1968)CrossRefGoogle Scholar
  33. 33.
    Srinivas, Y.V., Jüllig, R.: Specware: formal support for composing software. In: Möller, B. (ed.) MPC 1995. LNCS, vol. 947, pp. 399–422. Springer, Heidelberg (1995).  https://doi.org/10.1007/3-540-60117-1_22CrossRefGoogle Scholar
  34. 34.
    Lammich, P., Tuerk, T.: Applying data refinement for monadic programs to Hopcroft’s algorithm. In: Beringer, L., Felty, A. (eds.) ITP 2012. LNCS, vol. 7406, pp. 166–182. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-32347-8_12CrossRefGoogle Scholar
  35. 35.
    Cohen, C., Dénès, M., Mörtberg, A.: Refinements for free!. In: Gonthier, G., Norrish, M. (eds.) CPP 2013. LNCS, vol. 8307, pp. 147–162. Springer, Cham (2013).  https://doi.org/10.1007/978-3-319-03545-1_10CrossRefGoogle Scholar
  36. 36.
    Lammich, P.: Refinement to imperative/HOL. In: Urban, C., Zhang, X. (eds.) ITP 2015. LNCS, vol. 9236, pp. 253–269. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-22102-1_17CrossRefGoogle Scholar
  37. 37.
    Abrial, J.R., Hallerstede, S.: Refinement, decomposition, and instantiation of discrete models: application to event-B. Fundam. Inform. 77, 1–28 (2007)MathSciNetzbMATHGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Teng Zhang
    • 1
    Email author
  • John Wiegley
    • 2
  • Theophilos Giannakopoulos
    • 2
  • Gregory Eakman
    • 2
  • Clément Pit-Claudel
    • 3
  • Insup Lee
    • 1
  • Oleg Sokolsky
    • 1
  1. 1.University of PennsylvaniaPhiladelphiaUSA
  2. 2.BAE SystemsBurlingtonUSA
  3. 3.MIT CSAILCambridgeUSA

Personalised recommendations