Shield Synthesis:

Runtime Enforcement for Reactive Systems
  • Roderick Bloem
  • Bettina Könighofer
  • Robert Könighofer
  • Chao Wang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9035)


Scalability issues may prevent users from verifying critical properties of a complex hardware design. In this situation, we propose to synthesize a “safety shield” that is attached to the design to enforce the properties at run time. Shield synthesis can succeed where model checking and reactive synthesis fail, because it only considers a small set of critical properties, as opposed to the complex design, or the complete specification in the case of reactive synthesis. The shield continuously monitors the input/output of the design and corrects its erroneous output only if necessary, and as little as possible, so other non-critical properties are likely to be retained. Although runtime enforcement has been studied in other domains such as action systems, reactive systems pose unique challenges where the shield must act without delay. We thus present the first shield synthesis solution for reactive hardware systems and report our experimental results.


  1. 1.
    CUDD: CU Decision Diagram Package,
  2. 2.
  3. 3.
    Bloem, R., Chatterjee, K., Greimel, K., Henzinger, T., Hofferek, G., Jobstmann, B., Könighofer, B., Könighofer, R.: Synthesizing robust systems. Acta Inf. 51, 193–220 (2014)CrossRefzbMATHGoogle Scholar
  4. 4.
    Bloem, R., Jobstmann, B., Piterman, N., Pnueli, A., Sa’ar, Y.: Synthesis of reactive(1) designs. J. Comput. Syst. Sci. 78(3), 911–938 (2012)CrossRefzbMATHMathSciNetGoogle Scholar
  5. 5.
    Bloem, R., Könighofer, B., Könighofer, R., Wang, C.: Shield synthesis: Runtime enforcement for reactive systems. CoRR, abs/1501.02573 02573 (2015)Google Scholar
  6. 6.
    Brayton, R.K., et al.: VIS: A system for verification and synthesis. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 428–432. Springer, Heidelberg (1996)Google Scholar
  7. 7.
    Brayton, R., Mishchenko, A.: ABC: An academic industrial-strength verification tool. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 24–40. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Büchi, J.R., Landweber, L.H.: Solving sequential conditions by finite-state strategies. Trans. Amer. Math. Soc. 138, 367–378 (1969)CrossRefGoogle Scholar
  9. 9.
    Church, A.: Logic, arithmetic, and automata. Int. Congr. Math, 23–35 (1962,1963)Google Scholar
  10. 10.
    Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching time temporal logic. In: Kozen, D. (ed.) Logic of Programs 1981. LNCS, vol. 131, pp. 52–71. Springer, Heidelberg (1982)Google Scholar
  11. 11.
    Dwyer, M.B., Avrunin, G.S., Corbett, J.C.: Patterns in property specifications for finite-state verification. In: ICSE, pp. 411–420. ACM (1999)Google Scholar
  12. 12.
    Ehlers, R., Topcu, U.: Resilience to intermittent assumption violations in reactive synthesis. In: HSCC, pp. 203–212. ACM (2014)Google Scholar
  13. 13.
    Falcone, Y., Fernandez, J.-C., Mounier, L.: What can you verify and enforce at runtime? STTT 14(3), 349–382 (2012)CrossRefGoogle Scholar
  14. 14.
    Ligatti, J., Bauer, L., Walker, D.: Run-time enforcement of nonsafety policies. ACM Trans. Inf. Syst. Secur. 12(3) (2009)Google Scholar
  15. 15.
    Mazala, R.: 2 infinite games. In: Grädel, E., Thomas, W., Wilke, T. (eds.) Automata, Logics, and Infinite Games. LNCS, vol. 2500, pp. 23–38. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Mead, C., Conway, L.: Introduction to VLSI systems. Addison-Wesley (1980)Google Scholar
  17. 17.
    Pnueli, A., Rosner, R.: On the synthesis of a reactive module. In: POPL, pp. 179–190. ACM (1989)Google Scholar
  18. 18.
    Quielle, J.P., Sifakis, J.: Specification and verification of concurrent systems in CESAR. In: Dezani-Ciancaglini, M., Montanari, U. (eds.) Programming 1982. LNCS, vol. 137, Springer, Heidelberg (1982)Google Scholar
  19. 19.
    Rabin, M.O.: Automata on Infinite Objects and Church’s Problem. In: Regional Conference Series in Mathematics, American Mathematical Society (1972)Google Scholar
  20. 20.
    Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3, 30–50 (2000)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Roderick Bloem
    • 1
  • Bettina Könighofer
    • 1
  • Robert Könighofer
    • 1
  • Chao Wang
    • 2
  1. 1.IAIK, Graz University of TechnologyGrazAustria
  2. 2.Department of ECEVirginia TechBlacksburgUSA

Personalised recommendations