Trace-Length Independent Runtime Monitoring of Quantitative Policies in LTL

  • Xiaoning Du
  • Yang Liu
  • Alwen Tiu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9109)


Linear temporal logic (LTL) has been widely used to specify runtime policies. Traditionally this use of LTL is to capture the qualitative aspects of the monitored systems, but recent developments in metric LTL and its extensions with aggregate operators allow some quantitative policies to be specified. Our interest in LTL-based policy languages is driven by applications in runtime Android malware detection, which requires the monitoring algorithm to be independent of the length of the system event traces so that its performance does not degrade as the traces grow. We propose a policy language based on a past-time variant of LTL, extended with an aggregate operator called the counting quantifier to specify a policy based on the number of times some sub-policies are satisfied in the past. We show that a broad class of policies, but not all policies, specified with our language can be monitored in a trace-length independent way without sacrificing completeness, and provide a concrete algorithm to do so. We implement and test our algorithm in an existing Android monitoring framework and show that our approach can effectively specify and enforce quantitative policies drawn from real-world Android malware studies.


Policy Language Linear Temporal Logic Atomic Proposition Kernel Module Trace Length 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Tli monitoring of ltl extended with a counting quantifier (2015),
  3. 3.
    Arzt, S., Falzon, K., Follner, A., Rasthofer, S., Bodden, E., Stolz, V.: How useful are existing monitoring languages for securing android apps? In: ATPS, pp. 107–122 (2013)Google Scholar
  4. 4.
    Barringer, H., Goldberg, A., Havelund, K., Sen, K.: Rule-based runtime verification. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 44–57. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Barringer, H., Rydeheard, D., Havelund, K.: Rule systems for run-time monitoring: from eagle to ruler. Journal of Logic and Computation 20(3), 675–706 (2010)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Basin, D., Klaedtke, F., Marinovic, S., Zălinescu, E.: Monitoring of temporal first-order properties with aggregations. In: Legay, A., Bensalem, S. (eds.) RV 2013. LNCS, vol. 8174, pp. 40–58. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  7. 7.
    Bauer, A., Goré, R., Tiu, A.: A first-order policy language for history-based transaction monitoring. In: Leucker, M., Morgan, C. (eds.) ICTAC 2009. LNCS, vol. 5684, pp. 96–111. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Bauer, A., Küster, J.-C., Vegliach, G.: From propositional to first-order monitoring. In: Legay, A., Bensalem, S. (eds.) RV 2013. LNCS, vol. 8174, pp. 59–75. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  9. 9.
    Bersani, M.M., Bianculli, D., Ghezzi, C., Krstić, S., San Pietro, P.: SMT-based checking of SOLOIST over sparse traces. In: Gnesi, S., Rensink, A. (eds.) FASE 2014. LNCS, vol. 8411, pp. 276–290. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  10. 10.
    Bersani, M.M., Frigeri, A., Morzenti, A., Pradella, M., Rossi, M., Pietro, P.S.: Constraint ltl satisfiability checking without automata. Journal of Applied Logic 12(4), 522–557 (2014)CrossRefzbMATHMathSciNetGoogle Scholar
  11. 11.
    Bianculli, D., Ghezzi, C., San Pietro, P.: The tale of SOLOIST: A specification language for service compositions interactions. In: Păsăreanu, C.S., Salaün, G. (eds.) FACS 2012. LNCS, vol. 7684, pp. 55–72. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  12. 12.
    Bianculli, D., Krstic, S., Ghezzi, C., San Pietro, P.: From soloist to cltlb (d): Checking quantitative properties of service-based applications (2013)Google Scholar
  13. 13.
    Colombo, C., Gauci, A., Pace, G.J.: LarvaStat: Monitoring of statistical properties. In: Barringer, H., et al. (eds.) RV 2010. LNCS, vol. 6418, pp. 480–484. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    D’Angelo, B., Sankaranarayanan, S., Sanchez, C., Robinson, W., Finkbeiner, B., Sipma, H.B., Mehrotra, S., Manna, Z.: Lola: Runtime monitoring of synchronous systems. In: TIME, pp. 166–174 (2005)Google Scholar
  15. 15.
    Finkbeiner, B., Sankaranarayanan, S., Sipma, H.B.: Collecting statistics over runtime executions. Form. Methods Syst. Des. 27(3), 253–274 (2005)CrossRefzbMATHGoogle Scholar
  16. 16.
    Fitting, M.: First-Order Logic and Automated Theorem Proving. Springer (1996)Google Scholar
  17. 17.
    Gunadi, H., Tiu, A.: Efficient runtime monitoring with metric temporal logic: A case study in the android operating system. In: FM, pp. 296–311 (2014)Google Scholar
  18. 18.
    Havelund, K.: Rule-based runtime verification revisited. International Journal on Software Tools for Technology Transfer 17(2), 1–28 (2012)Google Scholar
  19. 19.
    Havelund, K., Roşu, G.: Synthesizing monitors for safety properties. In: Katoen, J.-P., Stevens, P. (eds.) TACAS 2002. LNCS, vol. 2280, pp. 342–356. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  20. 20.
    Laroussinie, F., Meyer, A., Petonnet, E.: Counting ltl. In: TIME, pp. 51–58 (2010)Google Scholar
  21. 21.
    Pieterse, H., Olivier, M.S.: Android botnets on the rise: Trends and characteristics. In: ISSA2, pp. 1–5 (2012)Google Scholar
  22. 22.
    Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: SP, pp. 95–109 (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.School of Computer EngineeringNanyang Technological UniversitySingaporeSingapore

Personalised recommendations