RML: RUNTIME MONITORING LANGUAGE
Luca Franceschini
Advisor: Prof. Davide Ancona
External reviewers: Ferruccio Damiani, Wolfgang Ahrendt, Adrian Francalanza
PhD defense, Genoa, 19/03/2020
RUNTIME VERIFICATION
Executions, not programs
Still formal verification
RUNTIME VERIFICATION
Why?
- Too complex properties
- Dynamic system
- After-deployment verification
- Complementary technique
- Recovery (not today)
Easier than static verification?
PROPOSED ARCHITECTURE
RML LANGUAGE
Goals:
- Instrumentation-independent (thus language-independent)
- Programmer-friendly syntax
- Expressive set of operators
- JSON-encoded events
- Deterministic, efficient semantics
- Both offline and online RV
RML SPECIFICATION
Event specification
+
Property specification
EVENTS
Observations made on the system under scrutiny
... but they can be anything (JSON-encoded!)
{function: "open", args: ["john.txt", "r"]}
{function: "random", result: 7324}
{function: "httpRequest",
 args: [{
   url: "www.google.it",
   port: 8080
 }]}
EVENT PATTERNS
A concise syntax to describe a set of events...
{function: "sum"|"divide"|"round", args: [_, more]}
... and to capture relevant data
{function: "foo", args: [x, y], result: _}
EVENT MATCHING
Patterns can match events
Pattern: {function: "foo", args: [x, y], result: _}
Event:   {function: "foo", args: [1, "hello"], result: true}
And produce substitutions (here x = 1, y = "hello")
EVENT TYPES
acquire(id) matches {function: "lock", result: id};
use(id) matches {function: "foo"|"bar", args: [id, more]};
release(id) matches {function: "unlock", args: [id, more]};
relevant matches acquire(_) | use(_) | release(_);
irrelevant not matches relevant;
The semantics is fully formalized
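Event pattern matching as an added example: the code below is mine, not the slides' or the RML implementation's. It implements the pattern rules the slides show (`_` wildcard, named variables, `|` alternatives, `more` for the rest of an array) as a recursive matcher over JSON values, and uses it to classify raw events into the event types of the lock example; the `Var`/`Alt` encoding of patterns and the `classify` function are my own choices.

```python
"""Added example (not the slides' or the RML implementation's code): a small
recursive matcher of JSON-encoded events against RML-style event patterns,
returning the substitution (variable bindings) a successful match produces."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    """Pattern variable. "_" is the anonymous wildcard; "more", as the last
    element of an array pattern, absorbs the remaining elements."""
    name: str


@dataclass(frozen=True)
class Alt:
    """Alternatives, e.g. "sum"|"divide"|"round" on the slide."""
    options: tuple


def _same(a, b):
    # JSON literals compare by type too, so that 1 does not match true
    return type(a) is type(b) and a == b


def match(pattern, event, subst=None):
    """Return the substitution (dict of bindings) if `pattern` matches `event`,
    otherwise None. A variable already bound earlier in the same pattern must
    match the same value again."""
    subst = {} if subst is None else dict(subst)
    if isinstance(pattern, Alt):
        for option in pattern.options:
            result = match(option, event, subst)
            if result is not None:
                return result
        return None
    if isinstance(pattern, Var):
        if pattern.name == "_":
            return subst
        if pattern.name in subst and not _same(subst[pattern.name], event):
            return None
        subst[pattern.name] = event
        return subst
    if isinstance(pattern, dict):
        # an object pattern constrains only the keys it mentions
        if not isinstance(event, dict):
            return None
        for key, sub in pattern.items():
            if key not in event:
                return None
            subst = match(sub, event[key], subst)
            if subst is None:
                return None
        return subst
    if isinstance(pattern, list):
        if not isinstance(event, list):
            return None
        fixed = pattern
        if pattern and isinstance(pattern[-1], Var) and pattern[-1].name == "more":
            fixed = pattern[:-1]
            if len(event) < len(fixed):
                return None
        elif len(pattern) != len(event):
            return None
        for sub, value in zip(fixed, event):
            subst = match(sub, value, subst)
            if subst is None:
                return None
        return subst
    return subst if _same(pattern, event) else None


# Event types from the "EVENT TYPES" slide: name -> (parameters, pattern).
EVENT_TYPES = {
    "acquire": (["id"], {"function": "lock", "result": Var("id")}),
    "use": (["id"], {"function": Alt(("foo", "bar")), "args": [Var("id"), Var("more")]}),
    "release": (["id"], {"function": "unlock", "args": [Var("id"), Var("more")]}),
}


def classify(event):
    """Return (event type, bindings of its parameters) for the first matching
    type, or ("irrelevant", {}) when none matches (the `not matches` type)."""
    for name, (params, pattern) in EVENT_TYPES.items():
        subst = match(pattern, event)
        if subst is not None:
            return name, {p: subst[p] for p in params}
    return "irrelevant", {}


if __name__ == "__main__":
    # Constructed JSON events (not a real log), as a monitor would receive them.
    for line in ['{"function": "lock", "result": 1}',
                 '{"function": "foo", "args": [1, "x"]}',
                 '{"function": "random", "result": 7324}',
                 '{"function": "unlock", "args": [1]}']:
        print(classify(json.loads(line)))
```

The matcher is deterministic by construction: alternatives are tried left to right and the first success wins, and an object pattern never fails because the event carries extra keys, which is what lets one pattern describe a whole set of events.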
RML SPECIFICATIONS
One or more (recursive) equations
// event types from previous example
Main = { let id; acquire(id) ((use(id)* release(id)) | Main )}?;
acquire(1) use(1) acquire(2) release(1) use(2) release(2)
acquire(3) release(3) use(3)
acquire(4) acquire(4)
RML SPECIFICATIONS
One or more (recursive) equations
// event types from previous example
acqRel(id) matches acquire(id) | release(id);
Main = {let id; acquire(id)
((Main | use(id)* release(id))
/\ (acqRel(id) >> release(id) all))
}?;
acquire(4) acquire(4)
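A hand-written monitor for the lock protocol, as an added example: this is my code and not RML's rewriting semantics. It checks the property the specification is meant to capture, per lock id: acquire(id), any number of use(id), then release(id), with different ids interleaved freely and no second acquire(id) before the release, which is what the `acqRel(id) >> release(id) all` conjunct of the revised specification is there to rule out. The trace is assumed to be a list of (event type, id) pairs, i.e. events already classified by the event types on the earlier slide; the traces on the slides are included as constructed test data.

```python
"""Added example (not the slides' RML semantics): a monitor for the lock
protocol, operating on events already classified as acquire/use/release."""


def monitor_locks(trace):
    """Return ("ok", held), with the ids still held at the end of the trace,
    or ("violation", index, reason) for the first event that breaks the protocol."""
    held = set()
    for i, (kind, lock_id) in enumerate(trace):
        if kind == "acquire":
            if lock_id in held:
                return ("violation", i, f"acquire({lock_id}) while {lock_id} is already held")
            held.add(lock_id)
        elif kind in ("use", "release"):
            if lock_id not in held:
                return ("violation", i, f"{kind}({lock_id}) without a preceding acquire({lock_id})")
            if kind == "release":
                held.remove(lock_id)
        else:
            # the specification mentions no other event type; treat it as a violation
            return ("violation", i, f"no event type of the specification matches {kind}")
    return ("ok", held)


# The traces shown on the slides, written as (event type, id) pairs.
TRACES = {
    "interleaved": [("acquire", 1), ("use", 1), ("acquire", 2),
                    ("release", 1), ("use", 2), ("release", 2)],
    "use_after_release": [("acquire", 3), ("release", 3), ("use", 3)],
    "double_acquire": [("acquire", 4), ("acquire", 4)],
}

if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, "->", monitor_locks(trace))
```

The monitor stops at the first event after which no accepted continuation exists, which is what an online monitor needs: the offending event index is the information an operator acts on. Ids still held when the trace ends are reported rather than flagged, since an execution observed online may simply not have finished yet.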
RML SPECIFICATIONS
Stack (LIFO) specification
push(val) matches { ... };
pop(val) matches { ... };
Stack = { let val; push(val) Stack pop(val) }*;
push(7) push(42) pop(42) pop(7)
push(7) push(42) pop(7)
push(7) push(42) pop(42)
RML SPECIFICATIONS
Stack (LIFO) specification (revisited)
push(val) matches { ... };
pop(val) matches { ... };
Main = Stack!;
Stack = { let val; push(val) Stack pop(val) }*;
push(7) push(42) pop(42)
RML SPECIFICATIONS
Stack (LIFO) specification (pt. 3)
push(val) matches { ... };
pop(val) matches { ... };
size(s) matches { ... };
Main = Stack<0>!;
Stack<s> = size(s)* { let val;
push(val) Stack<s+1> pop(val) Stack<s>
}?;
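A hand-written monitor for the three stack specifications above, as an added example: this is my code, not RML's semantics. Events are assumed to be (name, value) tuples, ("push", v), ("pop", v) and ("size", n), as if already classified by the `push`, `pop` and `size` event types. It reports a LIFO violation at the first bad event, checks that every `size` event reports the current depth as the parameterised version requires, and distinguishes a complete run (empty stack at the end) from a trace that is only a prefix of one, which is the distinction the revisited versions of the specification are about.

```python
"""Added example (not the slides' RML semantics): a monitor for the stack
specifications, over events already classified as push/pop/size."""


def monitor_stack(trace):
    """Return ("violation", index, reason) at the first offending event,
    otherwise ("complete", n) if the stack is empty after the n events of the
    trace, or ("incomplete", n) if elements are still pushed."""
    stack = []
    for i, (name, value) in enumerate(trace):
        if name == "push":
            stack.append(value)
        elif name == "pop":
            if not stack:
                return ("violation", i, f"pop({value}) on an empty stack")
            if stack[-1] != value:
                return ("violation", i, f"pop({value}) but the top is {stack[-1]}")
            stack.pop()
        elif name == "size":
            # the parameterised spec allows size(s) only when the depth is s
            if value != len(stack):
                return ("violation", i, f"size({value}) but the depth is {len(stack)}")
        else:
            return ("violation", i, f"no event type of the specification matches {name}")
    return ("complete" if not stack else "incomplete", len(trace))


# The traces shown on the slides, plus one with size events (constructed).
TRACES = {
    "balanced": [("push", 7), ("push", 42), ("pop", 42), ("pop", 7)],
    "wrong_order": [("push", 7), ("push", 42), ("pop", 7)],
    "prefix": [("push", 7), ("push", 42), ("pop", 42)],
    "with_sizes": [("push", 7), ("size", 1), ("push", 42), ("size", 2),
                   ("pop", 42), ("size", 1), ("pop", 7), ("size", 0)],
}

if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, "->", monitor_stack(trace))
```

The stack kept by the monitor plays the role of the recursion in `Stack = { let val; push(val) Stack pop(val) }*`: each nested `Stack` corresponds to one pushed value waiting for its matching `pop`, and the counter `s` of the parameterised version is exactly the depth of that stack.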
TRACE CALCULUS
A simpler, fully formalized, core calculus
TRACE CALCULUS
A rewriting-based semantics
TRACE CALCULUS
A proof of determinism
(including event matching)
TRACE CALCULUS
A semantics in terms of traces
... and related algebraic properties: optimizations!
TRACE CALCULUS
A formalized translation from RML
IMPLEMENTATION
BENCHMARKS
CONTRIBUTIONS
- Full formalization of event matching, trace calculus, and RML
- Provably deterministic semantics
- A new specification language
- Prototype implementation (with Node.js instrumentation)
- Proof-of-concept for a 3-tier modular architecture
- Performance evaluation
FUTURE WORK
- More platforms and languages (Node-RED, IoT systems, ROS, ...)
- Distributed RV?
- Static analysis tools
- A formal assessment of expressivity...
- ... including what is actually monitorable