DESCRIPTION
Requirements on message-based interactions can be formalized as an interface contract that specifies constraints on the sequence of possible messages that can be exchanged by multiple parties. At runtime, each peer can monitor incoming messages and check that the contract is being followed correctly by their respective senders. We introduce cooperative runtime monitoring, where a recipient "delegates" its monitoring task to the sender, which is required to provide evidence that the message it sends complies with the contract. In turn, this evidence can be quickly checked by the recipient, which is then assured of the sender's compliance with the contract without doing the monitoring computation itself. A particular application of this concept is shown on web services, where service providers can monitor and enforce contract compliance of third-party clients at a small cost on the server side, without having to certify or digitally sign them.
Sylvain Hallé
Supported by the Fonds de recherche sur la nature et les technologies and by NSERC (CRSNG).
For more information, visit my web site: www.leduotang.com/sylvain
Context
[Figure: the client sends a request message A to the server; the server returns a response message B.]
Context (definitions)
- Alphabet (A): the set of possible messages.
- Trace (A*): a sequence of messages.
- State (S): an abstraction of a trace.
- Transition function (δ): reading a message in state s leads to a new state s′, or to ∅ when the message is not allowed in s.
$$\delta : A \times S \to S$$
Extended to a whole trace by composition from the initial state $s_0$:
$$\delta(a_0 a_1 \ldots a_n) \equiv \delta(a_n, \delta(\ldots \delta(a_0, s_0) \ldots))$$
- Interface contract (κ): defines the valid traces.
$$\kappa : A^* \to \{T, F\}$$
A trace is valid exactly when the transition function does not get stuck on it:
$$\delta(a_0 a_1 \ldots a_n) \neq \emptyset \iff \kappa(a_0 a_1 \ldots a_n) = T$$
A general framework
Each message A sent by the client to the server is checked against an interface contract.
Example 1 (Java program, Iterator class; the messages are method calls): two calls of the method next() must be separated by at least one occurrence of hasNext().
Example 2 (Ajax web client and web service; the messages are XML messages): if CartClear is invoked, no CartModify or CartRemove can occur before a new CartAdd.
Contract violations
What happens when the contract is violated?
- Error messages
- Non-sensical data returned
- Compensation mechanisms
- Wasted processing time
- Security breaches
- Etc.
The big question
How to prevent contract violations?
Current solutions
1. A priori certification
A trustworthy authority assesses the client's compliance with the contract (testing, static verification, etc.) and grants a digital certificate. The service needs a certificate to start an exchange with a client.
Example: iPhone app certification.
Problem: the client can change after certification (iPhone jailbreaking, JavaScript prototype hijacking, ...).
2. Server-side runtime monitoring
A separate process checks each incoming message: the message is relayed to the application proper when it complies with the contract, and is discarded when it violates the contract.
Problem: computational load on the server side.
3. Client-side runtime monitoring
Each client has a separate process that validates its messages before sending them.
Problem: the server has no guarantee that monitoring actually takes place.
Goal
Combine the processing savings of client-side monitoring with the guarantees of server-side monitoring: cooperative runtime monitoring.
Goal (chart)
[Chart: computational savings (0 to 100%) on one axis, guarantees (none to complete) on the other. Server-side monitoring sits at complete guarantees with no savings; client-side monitoring at 100% savings with no guarantees. The slide notes that there is no way to preserve complete guarantees at full savings, and marks the region between the two points as the potential for cooperation.]
Cooperative runtime monitoring
- Both the server-side and the client-side monitors maintain the current state (s) of the message exchange.
- From its current state (s) and the new message (A), the client-side monitor computes g(s, A) = (s′, proof): the new contract state s′ and a "proof" that A is a valid extension of the message exchange.
- The proof is sent with the message (A + proof).
- From its current state (s), the incoming message (A) and the proof, the server-side monitor computes m(A, proof) = T/F, which tells whether the proof is consistent with the accompanying message, and n(s, proof) = s′, the new contract state.
- Both sides agree on the new current state (s′): the client computes it from s and A; the server computes it from s and the proof.
Requirements
Client side: g(s, A) = (s′, proof). Server side: m(A, proof) = T/F and n(s, proof) = s′.
1. The proof must be unspoofable. If A is not a valid continuation from state s (δ(s, A) = ∅), then for any proof, either m(A, proof) = F or n(s, proof) yields no state.
2. The proof must be equivalent to contract monitoring. If A is a valid continuation from state s to state s′, then for the proof given by g(s, A) = (s′, proof), m(A, proof) = T and n(s, proof) = s′.
3. Checking the proof must be easy (i.e. polynomial) ⇒ m and n must be in NP.
Expressing an interface contract
- An LTL formula is an assertion on a trace (of messages).
- Operators: G a "always a"; X a "the next message is a"; F a "eventually a"; a U b "a until b" (the slide's operator list also shows W).
- Gerth, Peled, Vardi, Wolper (PSTV 1995): on-the-fly runtime monitoring algorithm for LTL.
[Figure: a sample trace a b a c d c b a q q t a m ... on which two example formulas are evaluated, one to FALSE and one to TRUE; only fragments of the formulas (G (a → ...), X, (q ∨ ... t), W, ¬) survived extraction.]
Classical LTL runtime monitoring
Algorithm overview:
1. An LTL formula is decomposed into nodes of the form (Γ, Δ): Γ holds the sub-formulas that must be true now, Δ the sub-formulas that must be true in the next state.
2. Negations are pushed inside (classical identities + the dual of U, written V).
3. At the leaves, Γ contains only atoms and negations of atoms: we evaluate them on the current message.
Verdict: if all leaves contain FALSE, the formula is false; if a leaf is empty, the formula is true; otherwise, no verdict yet.
4. On the next event, Δ is copied into Γ and we continue.
Example: G (p ∧ (X q ∨ F s))
[Figure: decomposition tree of the formula: G at the root, then ∧, then the ∨ with its two branches (1) X q and (2) F s, with the atom p on each branch.]
If p is true and s is false in the current message m, then the leaf that requires s is closed (FALSE) and the remaining leaves carry the obligations for the next message.
Intuition for g
1. This algorithm computes δ(s, A) = s′.
2. The proof is the path to each valid leaf. For the example above (p true, s false in A):
- path G, ∧, ∨₁, X, p leads to the leaf {q, G (p ∧ (X q ∨ F s))}
- path G, ∧, ∨₂, F₂, p leads to the leaf {F s, G (p ∧ (X q ∨ F s))}
3. The combination of the two gives g(s, A) = (s′, proof).
Intuition for m
Given a message (A) and a proof, one can check that the atoms in the paths are indeed true in the message ("Is p true in A?"). This computes m(A, proof).
Intuition for n
From an initial state (s), one can "peel off" the formula according to the path given by the proof. For the path G, ∧, ∨₁, X, p on G (p ∧ (X q ∨ F s)): G is removed first, then ∧, then the first branch of ∨ is selected, then X, and finally the atom p; what remains is the leaf {q, G (p ∧ (X q ∨ F s))}. If the operation comes to an end, we accept the leaf given in the proof as the resulting end state s′. This computes n(s, proof).
What about complexity?
- The cost of g(s, A) is proportional to the total number of leaves of the decomposition: every branch is expanded.
- The cost of n(s, proof) is proportional to the number of witnesses (valid leaves): dead-end branches are not expanded.
- When the number of witnesses is much smaller than the total number of leaves, checking the proof is much cheaper than computing it.
- When the number of witnesses approaches the total number of leaves, checking the proof costs as much as computing it: no gain.
Solution: restrict LTL to a fragment that produces at most one witness at every step ⇒ non-branching LTL.
Non-branching LTL
Follows three conditions on the shape of the formula (for each shape, the slide marks the sub-formulas that must contain no temporal operator):
1. ( ... ) ∨ ( ... )
2. F ( ... )
3. ( ... ) U ( ... )
Theorem: a non-branching LTL formula produces a proof linear in the length of the interface contract (see the paper!).
⇒ Non-branching LTL contracts can be efficiently enforced through cooperative runtime monitoring.
Experimental results
- Client: computing g(s, A) = (s′, proof) takes 5.08 ms.
- The client sends A + proof.
- Server: computing m(A, proof) and n(s, proof) takes 0.35 ms.
The server is spared about 90% of the computation.
Experimental results (chart)
[Chart: the computational savings (0 to 100%) versus guarantees (none to complete) plane of slide 12, with cooperative monitoring placed near server-side guarantees and client-side savings. A third axis, expressiveness, is added and graduated non-branching LTL, LTL, first-order logic; a theoretical upper bound is drawn along it.]
Take-home points
1. An interface contract specifies valid sequences of "messages" between a client and a server.
2. Cooperative runtime monitoring allows the enforcement of the contract to be split between both parties.
3. For a fragment of Linear Temporal Logic, empirical tests show that 90% of the work can be outsourced to the client...
4. ...while preserving the same guarantees as with server-side monitoring.
5. This is a 3D problem: guarantees, computational load and expressiveness can be modulated.
For more information, visit my web site: www.leduotang.com/sylvain