Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)

Sylvain Hallé

NOSHOW

Fonds de recherchesur la natureet les technologies

CRSNGNSERC

Sylvain Hallé

For more information

Visit my web site

www.leduotang.com/sylvain

Sylvain Hallé

SHOW

TheClient

Context

2

Sylvain Hallé

NOINC

TheServer

TheClient

Context

2

Sylvain Hallé

NOINC

TheServer

TheClient

A

Context

2

Sylvain Hallé

NOINC

TheServer

TheClient

RequestmessageA

Context

2

Sylvain Hallé

NOINC

TheServer

TheClient

B

A

Context

2

Sylvain Hallé

Context

NOINC

TheServer

TheClient

BResponsemessage

A

2

Sylvain Hallé

Alphabet (A)Set of possible messages

Context

SHOW

3

Sylvain Hallé


Trace (A*)Sequence of messages

Context

NOINC

3

Sylvain Hallé


Trace (A*)Sequence of messages

Context

NOINC

StateAbstraction of a trace

3

Sylvain Hallé

Context

NOINC

Transition function ( )d

d

3

Sylvain Hallé

Context

NOINC


A

d

3

Sylvain Hallé

Context

NOINC


A

S

s

d

3

Sylvain Hallé

Context

NOINC


A

S

s

s’d

3

Sylvain Hallé

Context

NOINC


A

S

s

s’dÆ

3

Sylvain Hallé

Context

NOINC


A

S

s

s’d

d : A ́S ® S

Æ

d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0

3

Sylvain Hallé

Context

NOINC


A

S

s

s’d

d : A ́S ® S

Æ

Interface contract ( )Defines valid traces

k

k : A* ® {T, F}

d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0

3

Sylvain Hallé

Context

NOINC


A

S

s

s’d

d : A ́S ® S

Æ


k

k : A* ® {T, F}

k(a a ...a )=0 1 n T

d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0

3

Sylvain Hallé

Context

NOINC


A

S

s

s’d

d : A ́S ® S

Æ


k

k : A* ® {T, F}

Û

k(a a ...a )=0 1 n T

d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0

3

Sylvain Hallé

Context

NOINC


A

S

s

s’dÆ


k

k : A* ® {T, F}

d ddd(a a ... a ) º (a , (... ( , a )...))0 1 n n 0s0

d(a a ... a ) ¹ 0 1 n Æ

Û

k(a a ...a )=0 1 n T

d : A ́S ® S

3

Sylvain Hallé

A general framework

SHOW

A

Interface contract

MessageServer

Client

4

Sylvain Hallé

NOINC

A

Two calls of the method must be separated by at least one occurrence of

.

next()

hasNext()

Methodcall

Iterator class

Java program

A general framework

4

Sylvain Hallé

SHOW

A

If is invoked, no or can occur before a new

.

CartClear CartModifyCartRemoveCartAdd

XML message

Ajax web client

webservice

A general framework

5

Sylvain Hallé

What happens when the contract is violated?

- Error messages- Non-sensical data returned- Compensation mechanisms- Wasted processing time- Security breaches- Etc.

Contract violations

SHOW

6

Sylvain Hallé

The big question

SHOW

Prevent contract

violations

7

Sylvain Hallé

1. A priori certification

A trustworthy authority assesses the client’s compliance to the contract...

Current solutions

SHOW

Testing, staticverificationetc.

8

Sylvain Hallé


A trustworthy authority assesses the client’s compliance to the contract...

...and grants a digital certificate

Current solutions

NOINC

8

Sylvain Hallé


Current solutions

NOINC

A+

The service needs a certificate to start an exchange with a client

8

Sylvain Hallé

The service needs a certificate to start an exchange with a client

Example: iPhone app certification


Current solutions

NOINC

A+

8

Sylvain Hallé


Current solutions

NOINC

Z+

Problem: the client can change after certification

iPhone jailbreaking,Javascript prototype hijacking, ...

8

Sylvain Hallé

2. Server-side RuntimeMonitoring

A separate process checks each incoming message...

Current solutions

SHOW

A

9

Sylvain Hallé



Current solutions

NOINC

The message is relayed to the application proper when it complies with the contract

A

9

Sylvain Hallé



Current solutions

NOINC

...and is discarded when it violates the contract

9

Sylvain Hallé

Current solutions

NOINC

Problem: computational load on the server side


9

Sylvain Hallé

3. Client-side RuntimeMonitoring

Each client has a separate process that validates its messages before sending them

Current solutions

A

SHOW

10

Sylvain Hallé

3. Client-side RuntimeMonitoring

Current solutions

NOINC

Problem: server has no guarantee that monitoring actually takes place

ZZ

Z

10

Sylvain Hallé

Processing savings ofclient-side monitoring

Goal

SHOW

Guarantees of server-sidemonitoring

11

Sylvain Hallé

Processing savings ofclient-side monitoring

Goal

NOINC

Guarantees of server-sidemonitoring

COOPERATIVERUNTIME MONITORING

COOPERATIVERUNTIME MONITORING

11

Sylvain Hallé

0 100%

Complete

None

Computationalsavings

Gu

aran

tees

Goal

SHOW

12

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees

Client-sidemonitoring

Goal

NOINC

12

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees


Server-sidemonitoring

Goal

NOINC

12

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees



Goal

?

NOINC

12

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees



Goal

NOINC

12

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees



No wayto preservecompleteguarantees

Goal

NOINC

12

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees



Goal

NOINC

12

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees



Potential forcooperation

Goal

NOINC

12

Sylvain Hallé

Cooperative runtime monitoring

SHOW

Both the server- and client-side monitors maintain the current of the message exchange

state

s

s

13

Sylvain Hallé

A


NOINC

From its current state ( ) and new message ( ), the client-side monitor computes ( )...

sA

g

13

Sylvain Hallé

From its current state ( ) and new message ( ), the client-side monitor computes ( )...

sA

g


NOINC

g(,) = (, )s A s’

The new contract state

A ‘‘proof’’ that is a valid extension of the message exchange

A

s’

13

Sylvain Hallé

A


NOINC

The proof is sent with the message

+

13

Sylvain Hallé

From its current state ( ), incoming message ( ) and proof ( ), the server-side monitor computes ( and )...

sA

mn


NOINC

13

Sylvain Hallé


NOINC

From its current state ( ), incoming message ( ) and proof ( ), the server-side monitor computes ( and )...

sA

mn

n(, ) = s s’

If the proof is consistent with the accompanying message

The new contract states’

m(, ) = A T/F

T/F

13

Sylvain Hallé

Both sides agree on the new current state ( )s’


SHOW

s’

s’

14

Sylvain Hallé



NOINC

s’

s’

The client computes it from and s A

14

Sylvain Hallé



NOINC

s’

s’

The client computes it from and s A

The server computes it from and s

14

Sylvain Hallé

Requirements

SHOW

g(, ) = (, )s A s’

A+

n(, ) = s s’m(, ) = A T/F

15

Sylvain Hallé

1. The proof must be unspoofableIf A is not a valid continuation from state s, then for any , either m(A , ) = F or n(s , ) = ?

2. The proof must be equivalent to contract monitoringIf A is a valid continuation from state s to state s’, then

, m(A , ) = T and n(s , ) = s’

3. Checking the proof must be easy (i.e. polynomial)

Requirements

NOINC

g(, ) = (, )s A s’

A+

n(, ) = s s’m(, ) = A T/F

15

Sylvain Hallé

1. The proof must be unspoofable

2. The proof must be equivalent to contract monitoring

If A is not a valid continuation from state s, then for any , either m(A , ) = F or n(s , ) = ?

If A is a valid continuation from state s to state s’, then , m(A , ) = T and n(s , ) = s’


Requirements

NOINC

g(, ) = (, )s A s’

A+

n(, ) = s s’m(, ) = A T/F

15

Sylvain Hallé

1. The proof must be unspoofable



If A is not a valid continuation from state s, then for any , either m(A , ) = F or n(s , ) = ?


Requirements

NOINC

g(, ) = (, )s A s’

A+

n(, ) = s s’m(, ) = A T/F

15

Sylvain Hallé

Requirements

NOINC

g(, ) = (, )s A s’

A+

n(, ) = s s’m(, ) = A T/F

1. The proof must be unspoofableIf is not a valid continuation from state ( ),then for any , either (, ) = F or (, ) =



AA

ss m n ?


d( , )s A = Æ

15

Sylvain Hallé

Requirements

NOINC

g(, ) = (, )s A s’

A+

n(, ) = s s’m(, ) = A T/F


2. The proof must be equivalent to contract monitoringIf is a valid continuation from state to state , then

, (, ) = T and (, ) =


AA

AA

ss

ss

m

m

n

n

?

s’s’g(, ) = (, )s A s’

d( , )s A = Æ

15

Sylvain Hallé


2. The proof must be equivalent to contract monitoringIf is a valid continuation from state to state , then

, (, ) = T and (, ) =


AA

AA

ss

ss

m and n must be in NP

m

m

n

n

?

s’s’

Requirements

NOINC

g(, ) = (, )s A s’

g(, ) = (, )s A s’

A+

n(, ) = s s’m(, ) = A T/F

Þ

d( , ) = Æs A

15

Sylvain Hallé

LTL formula= assertion on a (of messages)

Gerth, Peled, Vardi, Wolper (PSTV 1995): on-the-fly runtime monitoring algorithm for LTL

trace

a "always a" a "the next message is a" a "eventually a"

a b "a until b

GXF

W

abacdcbaqqtam...G (a ® b)X (q cÚ t) WØFALSE TRUE

Expressing an interface contract

SHOW

16

Sylvain Hallé

Classical LTL runtime monitoring

SHOW

Algorithm overview:

1. An LTL formula is decomposed into nodes of the form

sub-formulas thatmust be true now

sub-formulas that mustbe true in the next state

17

Sylvain Hallé

Algorithm overview:

1. An LTL formula is decomposed into nodes of the form

Example:

sub-formulas thatmust be true now

sub-formulas that mustbe true in the next state


NOINC

17

Sylvain Hallé

2. Negations pushed inside (classical identities + dual of = )

3. At the leaves, G contains atoms + negations of atoms:we evaluate them

Verdict:

! All leaves contain : formula is false! A leaf is : formula is true! Otherwise:

4. Next event: D copied into G and we continue

U V

FALSEempty


SHOW

18

Sylvain Hallé

Example:

G (p Ù ( ÚX q s))F


G

X

F1 F2

p

p

1

2

SHOW

19

Sylvain Hallé

Example:

If p is true and s is false in thecurrent message m, then...

G (p Ù ( ÚX q s))F


s

G

X

F1 F2

p

p

p

p

1

2

SHOW

20

Sylvain Hallé

1. This algorithm computes

Intuition for g

SHOW

s

G

X

F1 F2

p

p

p

p

1

2

s

s’

s’

d( , ) = s A s’

21

Sylvain Hallé


2. The proof is thepath to each valid leaf

NOINC

=

s

F1 F2

p

p

p

2

p

X

1

G

d( , ) = s A s’

Intuition for g

21

Sylvain Hallé



G=

s

F1 F2

p

p

p

2

p

X

1

NOINC

d( , ) = s A s’

Intuition for g

G

21

Sylvain Hallé



G, Ù=

s

G

F1 F2

p

p

p

2

p

X

1

NOINC

d( , ) = s A s’

Intuition for g

21

Sylvain Hallé



G, Ù, Ú1=

s

G

F1 F2

p

p

p

2

p

X

NOINC

d( , ) = s A s’

Intuition for g

1

21

Sylvain Hallé



G, Ù, Ú, 1 X=

s

G

F1 F2

p

p

p

1

2

p

NOINC

d( , ) = s A s’

Intuition for g

X

21

Sylvain Hallé



G X, Ù, Ú, , 1 p=

s

G

X

F1 F2

p

p

p

1

2

NOINC

d( , ) = s A s’

Intuition for g

p

21

Sylvain Hallé



d( , ) = s A s’

G X

G X F

, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

=

s

G

X

F1 F2

p

p

p

p

1

2

NOINC

Intuition for g

21

Sylvain Hallé



G X

G X F

, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

s

G

X

F1 F2

p

p

p

p

1

2

NOINC

d( , ) = s A s’

Intuition for g

21

Sylvain Hallé



3. The combination gives us

G X

G X F

, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

s

G

X

F1 F2

p

p

p

p

1

2

NOINC

g(, ) = (, )s A s’

d( , ) = s A s’

Intuition for g

21

Sylvain Hallé

Given a message ( ) and a proof ( ), one can check that the atoms in the paths are indeed true in the message...

A

SHOW

G X

G X F

, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

g(, ) = (, )s A s’

A+

n(, ) = s s’m(, ) = A T/F

m(, )A

Is p truein A?

...this computes

Intuition for m

22

Sylvain Hallé

From an initial state ( ), one can ‘‘peel off’’ the formula according to the path given by the proof...

s

SHOW

G X

G X F

, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G X F (p Ù ( q Ú s))

Intuition for n

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

X

G X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G p Ù ( q Ú s)( )X F

Intuition for n

G

G

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

X

G X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G ( ) p Ù ( q Ú s)X F

Intuition for n

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

X

G X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G ( Ù ) p ( q Ú s)X F

Intuition for n

Ù

Ù

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, , p1

{q, (p Ù ( q Ú s))}

X

G X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G ( Ù( )) p q Ú sX F

Intuition for n

,

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, 1 , p

{q, (p Ù ( q Ú s))}

X

G X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G ( Ù( Ú)) p q sX F

Intuition for n

,

Ú1

Ú

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, 1 , p

{q, (p Ù ( q Ú s))}

X

G X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G ( Ù( p qX

Intuition for n

,

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, X, 1 p

{q, (p Ù ( q Ú s))}G X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G ( Ù(X p q

Intuition for n

,

X

X

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, X, 1 p

{q, (p Ù ( q Ú s))}G X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

G ( Ù(X q p

Intuition for n

q

23

Sylvain Hallé

q


s

NOINC

G, Ù, Ú, X, 1

{q, (p )}G Ù ( q Ú s)X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

Intuition for n

p

p

23

Sylvain Hallé

q


s

NOINC

G, Ù, Ú, X, 1

{q, (p )}G Ù ( q Ú s)X F

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

Intuition for n

23

Sylvain Hallé


s

NOINC

G, Ù, Ú, X, 1

G F

F G X F

, Ù, Ú, , p2 2

{ q, (p Ù ( q Ú s))}

=

+

...if the operation comes to an end, we accept the leaf given in as the resulting end state s’

Intuition for n

{q, G (p Ù (X q Ú F s))}

n(, ) = s s’...this computes

q

23

Sylvain Hallé

What about complexity?

g(, ) s A( )n(, )s ( )

number of witnesses total number of leaves

SHOW

Does not expand‘‘dead-end’’ branches

<<

<<

24

Sylvain Hallé




<<

NOINC

g(, ) s A( )

g(, ) s A( )

n(, )s ( )

n(, )s ( )

<<

24

Sylvain Hallé




<<

NOINC

g(, ) s A( )

g(, ) s A( )

n(, )s ( )

n(, )s ( )

<<

check the proof compute the proof

No gain...

{Solution: restrict LTL to fragment that produces at most one witness at every step

Non-branching LTLÞ

24

Sylvain Hallé

Non-branching LTL

SHOW

Follows three conditions:

25

Sylvain Hallé

Non-branching LTL

NOINC


1. ( ... ) Ú ( ... )

25

Sylvain Hallé

Non-branching LTL

NOINC


1. ( ... ) Ú ( ... )

No temporal operator

25

Sylvain Hallé

Non-branching LTL

NOINC


1. 2. ( ... )F( ... ) Ú ( ... )


25

Sylvain Hallé

Non-branching LTL

NOINC


1. 2. F ( ... )( ... ) Ú ( ... )


25

Sylvain Hallé

Non-branching LTL

NOINC


1. 2. 3.F ( ... )( ... ) Ú ( ... ) ( ... ) ( ... )U


25

Sylvain Hallé

Non-branching LTL

NOINC


1. 2. 3.F ( ... )( ... ) Ú ( ... ) ( ... ) ( ... )U


25

Sylvain Hallé

Non-branching LTL

NOINC


1. 2. 3.F ( ... )( ... ) Ú ( ... ) ( ... )( ... ) U


25

Sylvain Hallé

Non-branching LTL

NOINC


1. 2. 3.

Theorem: a non-branching LTL formula produces a proof ( )linear in the length of the interface contract (see the paper!)

F ( ... )( ... ) Ú ( ... ) ( ... )( ... ) U


25

Sylvain Hallé

Non-branching LTL

NOINC


1. 2. 3.

Theorem: a non-branching LTL formula produces a proof ( )linear in the length of the interface contract (see the paper!)

Non-branching LTL contracts can be efficiently enforcedthrough cooperative runtime monitoring

F ( ... )( ... ) Ú ( ... ) ( ... )( ... ) U


Þ

25

Sylvain Hallé

Experimental results

SHOW

26

Sylvain Hallé


NOINC

A

26

Sylvain Hallé


NOINC

g(,) = (, )s A s’

26

Sylvain Hallé


NOINC

g(,) = (, )s A s’

= 5.08 ms

26

Sylvain Hallé


NOINC

A+

= 5.08 ms

26

Sylvain Hallé


NOINC

n(, ) = s s’m(, ) = A T/F

= 5.08 ms

26

Sylvain Hallé


NOINC

n(, ) = s s’m(, ) = A T/F

= 5.08 ms

= 0.35 ms

26

Sylvain Hallé


NOINC

= 0.35 ms

= 5.08 msServer is spared of 90% of the computation

26

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees




SHOW

27

Sylvain Hallé

0 100%

Complete

None


Gu

aran

tees



Cooperativemonitoring


NOINC

27

Sylvain Hallé

0 100%

Complete

None


Expressiveness

Gu

aran

tees





NOINC

27

Sylvain Hallé

0 100%

Complete

None


Expressiveness

Gu

aran

tees




Non-branching LTL


NOINC

27

Sylvain Hallé

0 100%

Complete

None


Expressiveness

Gu

aran

tees




Non-branching LTL

LTL


NOINC

27

Sylvain Hallé

0 100%

Complete

None


Expressiveness

Gu

aran

tees




Non-branching LTL

LTL

First-order logic


NOINC

27

Sylvain Hallé

0 100%

Complete

None


Expressiveness

Gu

aran

tees




Theoreticalupper bound

Non-branching LTL

LTL

First-order logic


NOINC

27

Sylvain Hallé

Take-home points

SHOW

28

Sylvain Hallé

Take-home points

NOINC

1. An specifies valid sequences of ‘‘messages’’ between a client and a server

interface contract

.

28

Sylvain Hallé

Take-home points

NOINC


2. allows the enforcement ofthe contract to be split between both parties

interface contract

Cooperative runtime monitoring.

.

28

Sylvain Hallé

Take-home points

NOINC



3. For a fragment of Linear Temporal Logic, empirical testsshow that can be outsourced to the client...

interface contract


90% of the work

.

..

28

Sylvain Hallé

Take-home points

NOINC




4. ...while preserving the as withserver-side monitoring

interface contract


90% of the work

same guarantees

.

..

.

28

Sylvain Hallé

Take-home points

NOINC




4. ...while preserving the as withserver-side monitoring

5. This is a : guarantees, computationalload and expressiveness can be modulated

interface contract


90% of the work

same guarantees

3D problem

.

..

.

.

28

Sylvain Hallé

For more information

Visit my web site

www.leduotang.com/sylvain

Technology

Cooperative Runtime Monitoring of LTL Interface Contracts (EDOC 2010)