Adventures in Monitorability



1. Adventures in Monitorability
Antonis Achilleos (1), joint work with Luca Aceto (1,2), Adrian Francalanza (3), Anna Ingólfsdóttir (1) and Karoliina Lehtinen (4,5)
1: Reykjavik University; 2: Gran Sasso Science Institute, L'Aquila; 3: ICT, University of Malta; 4: Christian-Albrechts University of Kiel; 5: University of Liverpool
NYCAC 2018, 16 November 2018
Outline: Introduction, Specifications, BT Monitorability, Linear Time, Tightness, Finfinite, The End(?)

5. Formal Verification
• Question: is your system behaving correctly?
• Multiple verification techniques: model checking, theorem proving, testing, ...
• Issues: systems become (even) larger and more complicated; unexpected environments; opaque components
• A post-deployment technique: runtime verification

6. Runtime Verification
• Runtime verification uses monitors to detect at runtime whether a certain system satisfies or violates a specification.
• A monitor runs together with a process and observes the events the process generates.
• When it detects a certain kind of behaviour, it can reach a verdict (yes, no, or end).
[Figure: the System exhibits a trace of events $e_1 e_2 e_3 \cdots$, which the Monitor analyzes, reaching ✓, ✗ or ?]

8. Goals
• Automatic monitor synthesis from specifications
• Plausible monitorability guarantees for classes of properties
• To determine the limits of monitorability
A choice to make: processes, or properties of infinite traces? Finite or infinite traces?

11. Two Kinds of Models – Two Kinds of Properties
Processes: a labelled transition system $\langle P, \mathit{Act}, \to \rangle$ of processes, actions and transitions, $p \xrightarrow{\alpha_1} q \xrightarrow{\alpha_2} \cdots$
[Figure: a system graph whose edges are labelled with actions $\alpha, \beta, \ldots$]
Infinite traces: a trace of events $\alpha_1 \alpha_2 \alpha_3 \cdots \in \mathit{Act}^\omega$
Moral of the talk: the choice of model matters!

15. The Language
$\varphi, \psi \in \mu\mathrm{HML} ::= \mathit{tt} \mid \langle\alpha\rangle\varphi \mid \varphi \lor \psi \mid \min X.\varphi \mid X \mid \mathit{ff} \mid [\alpha]\varphi \mid \varphi \land \psi \mid \max X.\varphi$
A branching-time language: [Figure: $[\alpha]\varphi$ holds at a state when every $\alpha$-successor satisfies $\varphi$; $\langle\alpha\rangle\varphi$ holds when some $\alpha$-successor satisfies $\varphi$]
... or, possibly, a linear-time language, interpreted over traces $s$:
$s \models [\alpha]\varphi$ iff $s = \alpha s' \Rightarrow s' \models \varphi$
$s \models \langle\alpha\rangle\varphi$ iff $s = \alpha s'$ and $s' \models \varphi$
... with recursion:
$\min X.\varphi$ holds iff $\varphi[\min X.\varphi/X]$ does, and it is the least fixed point (lfp);
$\max X.\varphi$ holds iff $\varphi[\max X.\varphi/X]$ does, and it is the greatest fixed point (gfp).

16. The Language
An expressive language: can encode LTL, CTL, CTL*, BA, ...
Shorthands from LTL on infinite traces:
$\mathbf{X}\varphi := [\mathit{Act}]\varphi$ (next step)
$\mathbf{F}\varphi := \min Y.(\varphi \lor \mathbf{X}Y)$ (in the future)
$\mathbf{G}\varphi := \max Y.(\varphi \land \mathbf{X}Y)$ (globally)
$\varphi\,\mathbf{U}\,\psi := \min Y.(\psi \lor (\varphi \land \mathbf{X}Y))$ (until)
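The fixed-point semantics of the two slides above, as an added executable model (this is not code from the talk or its authors). Formulas are nested tuples, evaluated in the branching-time reading over an explicit finite LTS; $\min$ and $\max$ are computed by fixed-point iteration from the empty and the full state set, which terminates because the LTS is finite and the operators are monotone. The shorthand $\mathbf{X}\varphi := [\mathit{Act}]\varphi$ is spelled out as a conjunction over an assumed explicit alphabet `ACT`; the LTS, alphabet and the two formulas checked at the end are constructed for illustration.

```python
# Added example: branching-time semantics of muHML over a finite LTS,
# with min/max computed by fixed-point iteration. Not the authors' code.

def sem(phi, lts, env=None):
    """Return the frozenset of states of `lts` that satisfy `phi`.

    lts: {state: [(action, successor), ...]}  (every state is a key)
    env: valuation of free recursion variables {X: frozenset of states}
    """
    env = env if env is not None else {}
    states = frozenset(lts)
    tag = phi[0]
    if tag == "tt":
        return states
    if tag == "ff":
        return frozenset()
    if tag == "var":
        return env[phi[1]]
    if tag == "and":
        return sem(phi[1], lts, env) & sem(phi[2], lts, env)
    if tag == "or":
        return sem(phi[1], lts, env) | sem(phi[2], lts, env)
    if tag in ("dia", "box"):
        a, target = phi[1], sem(phi[2], lts, env)
        if tag == "dia":  # <a>phi: some a-successor satisfies phi
            return frozenset(s for s in states
                             if any(b == a and t in target for b, t in lts[s]))
        # [a]phi: every a-successor satisfies phi (vacuously true without one)
        return frozenset(s for s in states
                         if all(t in target for b, t in lts[s] if b == a))
    if tag in ("min", "max"):
        x, body = phi[1], phi[2]
        # lfp is approached from below (empty set), gfp from above (all states)
        cur = frozenset() if tag == "min" else states
        while True:
            nxt = sem(body, lts, {**env, x: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown connective {tag!r}")

# [Act]phi spelled out as a conjunction over an explicit alphabet (assumption).
def box_act(alphabet, phi):
    f = ("tt",)
    for a in sorted(alphabet):
        f = ("and", ("box", a, phi), f)
    return f

def G(alphabet, phi):  # G phi := max Y.(phi /\ X Y), with X := [Act]
    return ("max", "Y", ("and", phi, box_act(alphabet, ("var", "Y"))))

def F(alphabet, phi):  # F phi := min Y.(phi \/ X Y)
    return ("min", "Y", ("or", phi, box_act(alphabet, ("var", "Y"))))

# Constructed system: s0 -a-> s1, s1 -a-> s0, s1 -b-> s2, s2 -a-> s2
LTS = {"s0": [("a", "s1")], "s1": [("a", "s0"), ("b", "s2")], "s2": [("a", "s2")]}
ACT = {"a", "b"}

NEVER_B = G(ACT, ("box", "b", ("ff",)))        # b is never possible from here
MUST_REACH_B = F(ACT, ("dia", "b", ("tt",)))   # every run reaches a state that can do b

if __name__ == "__main__":
    print("G [b]ff holds at", sorted(sem(NEVER_B, LTS)))       # ['s2']
    print("F <b>tt holds at", sorted(sem(MUST_REACH_B, LTS)))  # ['s0', 's1']
```

Because the deck defines $\mathbf{X}$ through $[\mathit{Act}]$, a deadlocked state would satisfy $\mathbf{X}\varphi$ vacuously in this branching-time reading; on the infinite traces the slide has in mind that case does not arise.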

19. Regular Monitors
Syntax: $m, n \in \mathrm{Mon} ::= \mathit{end} \mid \mathit{no} \mid \alpha.m \mid m + n \mid \mathrm{rec}\,x.m \mid x$
Monitor LTS (verdicts are irrevocable):
Act: $\alpha.m \xrightarrow{\alpha} m$
Rec: if $m[\mathrm{rec}\,x.m/x] \xrightarrow{\alpha} n$ then $\mathrm{rec}\,x.m \xrightarrow{\alpha} n$
SelL: if $m \xrightarrow{\alpha} m'$ then $m + n \xrightarrow{\alpha} m'$
SelR: if $n \xrightarrow{\alpha} n'$ then $m + n \xrightarrow{\alpha} n'$
Vrd: $\mathit{no} \xrightarrow{\alpha} \mathit{no}$ and $\mathit{end} \xrightarrow{\alpha} \mathit{end}$
Instrumentation (the monitor follows the trace of the process):
iMon: if $p \xrightarrow{\alpha}_L q$ and $m \xrightarrow{\alpha}_M n$ then $m \triangleleft p \xrightarrow{\alpha}_I n \triangleleft q$
iTer: if $p \xrightarrow{\alpha}_L q$ and $m \not\xrightarrow{\alpha}_M$ then $m \triangleleft p \xrightarrow{\alpha}_I \mathit{end} \triangleleft q$

20. Formulas and Rejection-Monitors
• Formulas specify process properties: $p \models \varphi$
• Monitors run along a process and read its trace: $m \triangleleft p \xrightarrow{\alpha_1} n \triangleleft q \xrightarrow{\alpha_2} \cdots$
• A monitor can reach three possible verdicts: yes, no, end
• $m$ accepts $p$ when $m \triangleleft p \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_r} \mathit{yes} \triangleleft q$, and $m$ rejects $p$ when $m \triangleleft p \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_r} \mathit{no} \triangleleft q$, for some $\alpha_1 \cdots \alpha_r$ and $q$
• end is the inconclusive verdict.
Definition (Complete Monitorability): $m$ monitors completely for $\varphi$ when
• $m$ accepts exactly the processes that satisfy $\varphi$; and
• $m$ rejects exactly the ones that do not satisfy $\varphi$.

24. Complete Monitorability is Impossible
Say $m$ accepts $p$ and rejects $q$. The process $p + q$ can produce all the traces of $p$ and of $q$, and a monitor's verdict depends only on the trace it reads, so $m$ must both accept and reject $p + q$. But a sound monitor can either accept or reject a process, not both.
Definition (Partial Monitorability)
• $m$ is sound (s.) for $\varphi$ if it only accepts (rejects) processes that satisfy (violate) $\varphi$;
• $m$ is satisfaction-complete (s.c.) for $\varphi$ when $m$ accepts all the processes that satisfy $\varphi$; and
• $m$ is violation-complete (v.c.) for $\varphi$ when $m$ rejects all the processes that do not satisfy $\varphi$.
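The monitor LTS and instrumentation rules of slide 19, the accept/reject definitions of slide 20 and the $p + q$ argument just above, run as an added executable model (not code from the talk or its authors). Assumptions made here: monitor terms are closed; the verdict `yes` is added to the syntax next to `no` and `end`, since slide 19 lists only the rejection verdict; processes are given as explicit finite LTSs; and $p + q$ is modelled as a state whose transitions are the union of those of $p$ and $q$. The monitor `M`, the recursive monitor `NO_B`, the LTS `PROC` and the traces are all constructed for illustration.

```python
# Added example: regular monitors, their LTS, instrumentation over a process,
# and the p + q argument against complete monitorability. Not the authors' code.
from collections import deque

# Monitor syntax: end | yes | no | a.m | m + n | rec x.m | x  (yes added, see lead-in)
END, YES, NO = ("v", "end"), ("v", "yes"), ("v", "no")

def act(a, m):  return ("act", a, m)
def plus(m, n): return ("sum", m, n)
def rec(x, m):  return ("rec", x, m)
def var(x):     return ("var", x)

def subst(m, x, r):
    """m[r/x]: replace free occurrences of recursion variable x in m by r."""
    tag = m[0]
    if tag == "act":
        return ("act", m[1], subst(m[2], x, r))
    if tag == "sum":
        return ("sum", subst(m[1], x, r), subst(m[2], x, r))
    if tag == "rec":
        return m if m[1] == x else ("rec", m[1], subst(m[2], x, r))
    if tag == "var":
        return r if m[1] == x else m
    return m  # verdicts contain no variables

def mon_step(m, a):
    """Monitor LTS: the set of n with m --a--> n (a set because + is nondeterministic)."""
    tag = m[0]
    if tag == "v":                                   # Vrd: verdicts are irrevocable
        return {m}
    if tag == "act":                                 # Act: a.m --a--> m, stuck on b != a
        return {m[2]} if m[1] == a else set()
    if tag == "sum":                                 # SelL / SelR
        return mon_step(m[1], a) | mon_step(m[2], a)
    if tag == "rec":                                 # Rec: unfold rec x.m to m[rec x.m/x]
        return mon_step(subst(m[2], m[1], m), a)
    return set()                                     # free variable: cannot move (closed terms assumed)

def inst_step(m, p, lts):
    """Instrumented LTS: configurations n <| q reachable from m <| p in one step."""
    for a, q in lts.get(p, ()):
        nexts = mon_step(m, a)
        if nexts:                                    # iMon: the monitor follows the process
            for n in nexts:
                yield (n, q)
        else:                                        # iTer: it cannot follow and gives up with end
            yield (END, q)

def reachable_verdicts(m, p, lts):
    """All conclusive verdicts ('yes' / 'no') that some run of m <| p can reach."""
    seen, todo, verdicts = {(m, p)}, deque([(m, p)]), set()
    while todo:
        n, q = todo.popleft()
        if n[0] == "v":                              # a verdict never changes, stop here
            if n[1] != "end":
                verdicts.add(n[1])
            continue
        for conf in inst_step(n, q, lts):
            if conf not in seen:
                seen.add(conf)
                todo.append(conf)
    return verdicts

def run_trace(m, trace):
    """Linear-time view: possible monitor states after a finite trace (end when stuck)."""
    states = {m}
    for a in trace:
        nxt = set()
        for n in states:
            nxt |= mon_step(n, a) or {END}
        states = nxt
    return states

# Constructed instance of the impossibility argument: M accepts p and rejects q.
M = act("a", plus(act("b", YES), act("c", NO)))
PROC = {
    "p": [("a", "p1")], "p1": [("b", "p2")],
    "q": [("a", "q1")], "q1": [("c", "q2")],
    "p+q": [("a", "p1"), ("a", "q1")],             # union of p's and q's transitions
}

# Rejection monitor "no b, however many a's come first": rec x.(a.x + b.no)
NO_B = rec("x", plus(act("a", var("x")), act("b", NO)))

if __name__ == "__main__":
    for name in ("p", "q", "p+q"):
        print(name, "->", sorted(reachable_verdicts(M, name, PROC)))  # p: yes, q: no, p+q: both
    print("aab ->", run_trace(NO_B, "aab"))     # {NO}
    print("ac  ->", run_trace(NO_B, "ac"))      # {END}: c is not in the monitor, iTer fires
```

The `p+q` state is where the slide's argument lands: `reachable_verdicts` returns both `yes` and `no` for it, so `M` cannot be sound for any property that `p` satisfies and `q` violates, even though it is a perfectly good monitor for each of them in isolation. Irrevocability is visible in `run_trace`: once `NO` is reached, further events leave it unchanged.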
