Runtime verification of component-based systems in the BIP framework with formally-proved sound and complete instrumentation

Yliès Falcone, Mohamad Jaber, Thanh-Hung Nguyen, Marius Bozga, Saddek Bensalem
2013 Journal of Software and Systems Modeling  
Verification of component-based systems still suffers from limitations such as state space explosion since a large number of different components may interact in an heterogeneous environment. These limitations entail the need for complementary verification methods such as runtime verification based on dynamic analysis and apt to scalability. In this paper, we integrate runtime verification into the BIP (Behavior, Interaction and Priority) framework. BIP is a powerful and expressive
more » ... ed framework for the formal construction of heterogeneous systems. Our method augments BIP systems with monitors to check specifications at runtime. This method has been implemented in RV-BIP, a prototype tool that we used to validate the whole approach on a robotic application. Labelled Transition Systems (LTS) extended with data and functions written in C. The description of coordination between components is layered. The first layer describes the interactions between components. The second layer describes dynamic priorities between the interactions and is used also to express scheduling policies. The combination of interactions and priorities characterizes the overall architecture of a system and confers strong expressiveness that cannot be matched by other existing formalism dedicated to CBS [1]. Moreover, BIP has a rigorous operational semantics: the behavior of a composite component is formally described as the composition of the behaviors of its atomic components. This allows a direct relation between the underlying semantic model and its implementation. Runtime verification (monitoring). Runtime Verification (RV) [2] [3] [4] is an effective technique to ensure, at runtime, that a system respects or meets a desirable behavior. It can be used in numerous application domains, and more particularly when integrating together unreliable software components. In RV, a run of the system under scrutiny is analyzed incrementally using a decision procedure: a monitor. This monitor may be generated from a user-provided high level specification (e.g., a temporal formula, an automaton). This monitor aims to detect violation or satisfaction w.r.t. the given specification. Generally, it is a state machine processing an execution sequence (step by step) of the monitored program, and producing a sequence of verdicts (truth-values taken from a truth-domain) indicating specification fulfillment or violation. Recently [4] a new framework has been introduced for runtime verification. This expressive framework, leveraged by a finite-trace semantics (initially proposed in [3] ) and an expressive truth-domain, allows to monitor all specifications expressing a linear temporal behavior. For a monitor to be able to observe runs of the system, the system should be instrumented in such a way that at runtime, the program sends relevant events that are consumed by the monitor. Usually, one of the main challenges when designing an RV framework is its performance. That is, adding a monitor in the system should not deteriorate executions of the initial system time and memory wise. Motivations for using monitoring to validate component-based systems. As is the case with monolithic systems, monitoring is a complementary technique to validate the behavior of component-based systems. Monitoring has several advantages when compared to static validation techniques. Compared to static analysis, monitoring allows to check more expressive behavioral specifications. Moreover, monitoring does not rely on abstracting or over-approximating the state-space, and thus does not produce false positives. Compared to model-checking, monitoring is less sensitive to the state-explosion problem which is rapidly occurring when composing the behavior of several components. Compared to compositional verification techniques, monitoring remains applicable for BIP component-based systems (where external functions can be called). Regarding BIP systems, classical model-checking techniques rapidly become unusable because of the state-explosion problem. Consequently, the currently available verification techniques are based on compositional/incremental verification. However, in the BIP framework, compositional verification is currently limited to the verification of safety properties, and, more expressive properties such as liveness properties remain out of the scope. In Section 7.1, we provide a more detailed comparison with static-verification techniques. 2 Challenges in monitoring component-based systems and BIP systems. Contrarily to monolithic systems (written for instance in Java), component-based systems are not endowed with an automatic and effective instrumentation technique. An automatic instrumentation technique allows the programmer to only indicate points of observation (in a more or less abstract fashion) and automatically adds observation code at relevant places in the original program. An effective instrumentation techniques ensures that the performance of the instrumented program is close to the performance of the original program. Such an instrumentation technique is required when designing or implementing a runtime verification framework for a target systemdomain. Consequently, we should design an instrumentation technique that should enjoy several features. As is the case with monolithic system, we require an automatic and efficient instrumentation technique. Moreover, we require a high-level of confidence on its correctness. The instrumentation technique should not alter the behavior of the initial system. Existing RV frameworks attempt to preserve the behavior of the system by performing only observations. For instance, using aspect-oriented programming, the used aspects only pick-up events without modifying the control-flow of the original program. However, in the context of component-based systems, such a desirable correctness property is harder to obtain. Indeed, to monitor a component-based system, one needs to add the monitor as a new component, which is allowed to observe the system by adding interactions. Such interactions should be inserted carefully because they could not only modify the existing interactions but also modify the internal behaviors of existing components. Finally, we aim at providing a method that can be used in critical systems and thus require a high-level of confidence on the proposed instrumentation technique. Consequently, the designed instrumentation technique should be defined formally and its correctness formally proved. Our approach (informal view). Let us depict a high-level view of our approach. On the one hand, we consider an initial component-based system C = (B 1 , . . . , B n ) built over existing atomic components B 1 , . . . , B n . The atomic components are designed independently regarding their data and their behavior but they can interact and synchronize at runtime. We assume a global clock operating on C in such a way that, at each execution step, each atomic component can perform one action independently. When components are interacting together, we assume this communication to be reliable and do not consider any issue regarding privacy or security. On the other hand, a property ϕ specifies the desired runtime behavior of C. The property ϕ is associated to an abstract decision procedure (a monitor) M ϕ which is generated using standard monitor synthesis techniques. Verdicts over the behavior are based on an expressive truth-domain as in [4] . Verdicts can indicate current satisfaction and violation, or, definitive satisfaction or violation (in which case no monitoring is needed). We shall transform C into a new component-based system C = (B 1 , . . . , B n , M ϕ ). C contains a monitor M ϕ as a component generated from M ϕ . Atomic components are instrumented (B i transformed to B i ) to interact with M ϕ . Moreover, we require some behavioral equivalence between the initial and transformed systems. This behavioral equivalence states that, up to some behavioral equivalence relation, not only the sets of possible behaviors in the initial and transformed system are equivalent, but, in addition, if the initial system produces any execution, then the transformed system produces an equivalent execution. At runtime, the component monitor M ϕ observes the relevant pieces of information in B 1 , . . . , B n and emits verdicts 3 hal-00972566, version 1 -3 Apr 2014 according to the satisfaction or violation of ϕ. The amount of information observed in the components B 1 , . . . , B n is kept minimal so as to minimize the overhead induced by the monitoring process. Contributions. We introduce a complementary validation technique for CBS in general and BIP systems in particular. More precisely, the contributions of this paper are as follows: 1. To propose a minimal formal introduction to BIP systems providing a framework for rigorous design of CBS. 2. To extend the BIP framework by integrating an expressive RV framework previously introduced in [4]. We extend this framework for CBS by proposing a formal instrumentation technique that allows to observe the relevant parts in the behavior of a BIP system. This instrumentation technique is formally defined, proved sound and complete, and leverages the formal semantics of BIP. Given a specification, our method uniformly integrates a monitor as an additional component in a BIP system that is able to runtime check the satisfaction or violation of the specification. 3. To propose an implementation of the RV framework, RV-BIP, allowing to automatically instrument BIP systems from the description of an abstract monitor. Thanks to the code generator of BIP, the generated self-monitoring system can be directly translated into an actual C module embedded in the global system whose behavior is checked at runtime against the specification. 4. To evaluate and validate the relevance of the whole approach on a real-world application. This paper extends a previous contribution [5] that appeared in the 9 th International Conference on Software Engineering and Formal Methods, with the following additional contributions: to propose a more complete and improved introduction to the BIP framework; to propose a detailed and rigorous proof of the correctness of the approach proposed in this paper; to improve the presentation and editorial quality of the previous paper by (i) formalizing some concepts that remained informal in the conference version, (ii) providing more detailed explanations in each section, (iii) correcting typos, (iv) and illustrating the concepts with additional examples; to propose additional experiments on our case study; to propose a deeper study of related work. Paper Organization. The paper is structured as follows. Section 2 introduces the preliminary concepts needed in this paper. In Section 3 we give a minimal introduction to the BIP framework. Section 4 defines an abstract RV framework for CBS described in BIP. Section 5 shows how the abstract RV framework is implemented for BIP systems. Section 6 describes RV-BIP, an implementation used to evaluate our method on a robot application. Section 7 is dedicated to related work. Section 8 raises some concluding remarks and open perspectives. Finally, to keep our RV framework for CBS intuitive, some proofs and proof-specific definitions are omitted in Section 5, complete proofs are given in Appendix A. Preliminaries and Notations We introduce some preliminary concepts and notation. 4
doi:10.1007/s10270-013-0323-y fatcat:2e27dekw3rcbbayrhmms2baeqq