Efficient Decentralized Monitoring of Safety in Distributed System

/ 30Hong,Shin @ PSWLAB

Efficient Decentralized Monitoring of Safety in Distributed System

K Sen, A Vardhan, G Agha, G Rosu

20th July 2007Presented by Shin Hong at PSWLAB, KAIST

1Efficient Decentralized Monitoring of Safety in Distributed System23年 4月 21日


Contents• Introduction• Distributed System• Past-time Linear Temporal Logic• Past-time Distributed Temporal Logic• Monitoring Algorithm for PT-DTL• Conclusion

23年 4月 21日


2


Introduction (1/6)• The correctness of a software is very important

today. Model Checking and Testing are two approaches to assure the correctness of software.

• Model Checking The size of systems for which model checking is feasible remains limited.

• Traditional Testing Ad-hoc Test coverage is limited.

3Efficient Decentralized Monitoring of Safety in Distributed System

23年 4月 21日


Introduction (2/6)• Runtime Verification

Dynamic monitoring of target system with formal specifications. Monitors are automatically synthesized from formal specifications. Scalable

23年 4月 21日


4


Introduction (3/6)• Runtime Verification has been used

to monitor distributed systems that have concurrency and asynchrony.

• In many distributed systems,it’s quite impractical to monitor requirements expressed in classical temporal logics such as LTL.

23年 4月 21日


5


Introduction (4/6)Ex. Mobile Networks

Requirement:

No node receives a reply from a node to which is has not previously issued a request.

How to specify this requirement with LTL?

23年 4月 21日


6

Reque

s

t

Reply


Introduction (5/6)• Propositional LTL is impractical to specify

the requirements in distributed systems.– Not scalable– Hard to capture global snapshot

• To address these difficulties,introduce new specification logic for runtime verification in distributed system,Past-time Distributed Temporal Logic.

23年 4月 21日


7


Introduction (6/6)• Past-time DTL specifies requirements in

local monitor on each node.

Previous Mobile Networks exampleRequirement can be re-written :

If NodeA has received a value, then it must be the case that previously in the past, NodeB has computed the value and at NodeA a request to NodeB was made.

ReceivedValue →@NodeB(◈ (computedValue && @NodeA(◈requestedValue)))

23年 4月 21日


8



23年 4月 21日


9


Distributed System (1/5)

Characteristics of Distributed System

• A collection of n processes (p1, p2, … pn) each with its own local state.

• No global or shared variables.

• A process communicates with others using asynchronous messages whose order of arrival is indeterminate.

23年 4月 21日


10


Distributed System (2/5)• Modeling of Distributed System

Event: a computation of each process.

internal eventssend eventsreceive events

Process: A set of events.

23年 4月 21日


11


Distributed System (3/5)Partial Order ≺Ei: set of events of process pi

E : Ui Ei

⋖ : E ✕ Ee ⋖ e’ if e, e’∈ Ei then e happens immediately before e’

e ⋖ e’ if e is the send event of a message at some process and e’ is the corresponding receive event of the message at the recipient process.

≺ : transtive closure of ⋖ relation.

≼ : reflexive and transitive closure of ⋖ relation.23年 4月 21日


12


Distributed System (4/5)↓e := {e’ | e’ ≼ e}

can be thought as the local state

LSi := {↓e | e∈ Ei }

the set of local states of a process pi

causalj(si) : the latest state of process pj that the process pi knows while in state si ∈ LSi .

23年 4月 21日


13


Distributed System (5/5)

23年 4月 21日


14

causalp1(↓e23) = ↓e12



23年 4月 21日


15


Past-Time Linear Temporal Logic (1/3)• PT-LTL has been used to express,

monitor, and predict violation of safety properties of software system.

• SyntaxF ::= true | false | a ∈ A | ￢ F |

F ∧ F | F ∨ F | F → F |⊙ F | ⊡ F | ◈ F | F S F

where A is the set of atomic propositions

23年 4月 21日


16


Past-Time Linear Temporal Logic (2/3)• Temporal Logics in PT-LTL

⊙ : previouslyρ ⊨ ⊙F iff ρ’ ⊨ F where ρ’= ρn-1 if n>1, and ρ’=ρ

if n=1

⊡ : always in the past ρ ⊨ ⊡F iff ρi ⊨ F for all 1≤ i < n,

◈: eventually in the pastρ ⊨ ◈ F iff ρi ⊨ F for some 1≤ i < n,

S : sinceρ ⊨ F1 S F2 iff ρj ⊨ F2 for some 1≤ j ≤ n

and ρi ⊨ F1 for all j ≤ i ≤ n

23年 4月 21日


17


Past-Time Linear Temporal Logic (3/3)

⊡((action ∧ ⊙ ￢ action) → ￢ Stop S Start))

23年 4月 21日


18



23年 4月 21日


19


Past-Time Distributed Temporal Logic (1/4)• Distributed systems are usually

asynchronous and the absolute global state of the system is not available to processes.

• The best thing that each process can do is to reason about the global state that it is aware of.

• PT-DTL expresses safety properties of distributed message passing system.

23年 4月 21日


20


Past-Time Distributed Temporal Logic (2/4)• PT-DTL extends PT-LTL

• Remote operator @ Evaluate an expression or a formula in

the last known state of a remote process

x > @j y

a → @j b

23年 4月 21日


21


Past-Time Distributed Temporal Logic (3/4)• Syntax

op : ∧ , ∨ , → ξi is a tuple of expressions on process pi.

f is function over tuples.

23年 4月 21日


22


Past-Time Distributed Temporal Logic (4/4)• Semantics

The semantics of PT-DTL is a natural extension of PT-LTL.

the value of the expression ξj in the state

sj=causalj(si) which is the latest state of process pj of which process pi is aware of.

23年 4月 21日


23


Monitoring algorithm for PT-DTL (1/6)• Synthesized monitor is distributed local

monitors running on each processes.

• Goal Monitoring should be fast.

Little memory overhead.

# of messages that need to be sent between process for monitoring purpose should be minimal.

23年 4月 21日


24


Monitoring algorithm for PT-DTL (2/6)• A local monitor may attach additional

information to every outgoing message.

• Evaluating a remote expression at process pi, process pj send the value

of the expression attached on every messages with sequence number.

23年 4月 21日


25


Monitoring algorithm for PT-DTL (3/6)• Knowledge VectorAt process pi ,

KVi[j]: the entry for process pj on a vector KV.

KVi[j].seq: the sequence number of the last event seen at pj.

KVi[j].values : storing the values remote expressions and remote formulas on processj.

The monitor of process pi attaches a copy of KVi with every outgoing messages.

23年 4月 21日


26


Monitoring algorithm for PT-DTL (4/6)for internal event

update KVi[i]

for send eventKVi[i].seq := KVi[i].seq + 1 ;

for receive eventKVm : given KV from received message.

for all j, KVm[j].seq > KVi[j].seq → KVi[j] := KVm[j] ;

Every process should know initial value of all variables.

Initial value of all variables can be found by initial broadcast or static analysis.

23年 4月 21日


27


Monitoring algorithm for PT-DTL (5/6)• Once KV is properly updated, the local

monitor can compute the boolean value of the formula to be monitored, by recursively evaluating the boolean value of each of its subformulae in the current state.

23年 4月 21日


28


Monitoring algorithm for PT-DTL (6/6)

23年 4月 21日


29

Example3 processesp1 has a local variable x whose initial value is 5.p2 has a local variable y with initial value 7.And p2 monitors the formula


Conclusion

DIANA – Distributed Analysisbased on Javausing Actor formalisminstrumentation at bytecode

23年 4月 21日


30

Documents

Efficient Decentralized Monitoring of Safety in Distributed System