polylarva technology agnostic runtime verification

POLYLARVA Technology Agnostic Runtime Verification

A System’s Behaviour

Testing

Model Checking

Runtime Verification

Inputs to Runtime Verification System

•No more than 10 users can be logged onto the system at any one time

•A user cannot execute more than 3 failed transactions in one session

•A user which has been idle for more than 5 minutes should be logged out

Creating a Runtime Monitor

The LARVA Architecture

LARVA – JAVA SpecificProperty to be verified : New accounts can be added for a User if the User settings allowIt. Otherwise this should be disallowed.

before ( User u1) : (call(* User.addAccount(..)) && target(u1) && !cflow(adviceexecution())) {

Monitor monitor_instance = getMonitorInstance(u1); monitor_instance.call(thisJoinPoint.getSignature().toString(), 8/*addAccount*/);}

LARVA – JAVA SpecificProperty to be verified : New accounts can be added for a User if the User settings allowIt. Otherwise this should be disallowed.

if ((_occurredEvent(_event,8/*addAccount*/))

&& (!u .canAddAccounts ())){

_state_id_account = 5;//moving to state cannotadd

_goto_account(_info);}

Goals for PolyLARVA

1) Improve LARVA framework to become a customisable monitoring architecture supporting potentially numerous platforms and technologies

GeneratedMonitor

System(Any Language)

Notifies monitor when specificEvents take place

Evaluates monitoring logic

The PolyLARVA Specification Language

• The PolyLarva specification language proposed is an ECA (Event-Condition-Action) rule-based language

rule name : event \ condition action

ruleAddAccnt: addAccount(u2, a) \ isTooManyAccts -> logTooMany;



states { int accountCnt}

conditions{ isTooManyAccts = {accountCnt > 5;} }



states { int accountCnt}

conditions{ isTooManyAccts = {accountCnt > 5;} }

actions { logTooMany = {System.out.println("Account limit of 5 exceeded.");}}}

Evaluating Conditions & Actions

Keep Integer count of users in system - usercount

Increment counter on new user addition.

Compare this counter against a set limit on every new user addition

Log warning message

Monitor System

ruleAddUser: addUser( ) \ usercount > 5 logTooManyUsers

addUser()


canAddAccounts is a property of a User Instance

Monitor must refer to system to obtain evaluation of condition

Monitor System

ruleAddUser: addAccount( User u ) \ u.canAddAccounts() logNewAccount

addAccount(User u)

u.canAddAccounts()


canAddAccounts is a property of a User Instance

Monitor must refer to system to obtain evaluation of condition

Monitor System

ruleAddUser: addAccount( User u ) \ u.canAddAccounts() logNewAccountu.canAddAccounts()

System vs Monitor Conditions & Actions

Monitor Side System Side

Can be evaluated by monitor – no reference to system specific properties

Must be evaluated on the system – reference variables and methods declared in system code

Must be written in JAVA code Must be written in system language

Monitor System

conditions { monitorSide { isTooManyAccts = {accountCnt > 5;} } }

conditions { systemSide { cannotAddAccts = {return !user.canAddAcounts();} } }

The PolyLARVA Architecture

Phase 1: Creation of JAVA code which covers the monitor logic for validating properties


Phase 2: Creation of code which will be used to instrument the system code Creation of ‘Aspect’ code


Phase 2: Creation of code which will be used to instrument the system code Creation of code that adds monitor logic on system side

The PolyLARVA Architecture - Communication

Communication between Monitor and Instrumented System via Sockets

The PolyLARVA Language Specific Compiler

Generation of ‘Aspect’ Code

• The Runtime Monitor must be aware of any events, relevant to monitoring, that occur on the system

• Aspect Programming is ideal for use in Runtime Monitoring systems

• Can support a large number of programming languages , though not all

Aspect Code

Generation of JAVA ‘Aspect’ Code

Event Specification

Aspect Code

addAccount(User u2, Account a) = {execution Account a.new(User u2)}

Context_Aspect.ajbefore(Account a,User u2):target(a) && execution(Account.new(..)) && args (u2)&& !cflow(adviceexecution()){ LarvaCommClient.getClientConnection().sendMessage( LarvaCommClient.ASPECT_EVENT, 5,

UniqueIDGenerator.getIdentifier(a)+","+ UniqueIDGenerator.getIdentifier(u2)+",");}

What if our system program is written in PERL?

Event Specification

Aspect Code

addAccount(User u2, Account a) = {execution Account a.new(User u2)}

Context_Aspect.plPERL Aspect Code [uses Aspect.pm]

Uses socket connection to

communicate with monitor

Generation of Monitor ‘Helper’ Code(System Side)

Helper Code

conditions{ systemSide { cannotAddAccts = {!user.canAddAcounts();} } } %%conditions

System side code copied verbatim to

generated code. Helper code becomes

part of System.

PolyLARVA – A Flexible Runtime Monitoring System

QDDC Counterexample Formulas

LUSTRE DATEs RuleBased

JAVA C++

C#

PERL

...

PolyLARVA – A Flexible Runtime Monitoring System

QDDC Counterexample Formulas

LUSTRE DATEs RuleBased

JAVA C++ C# PERL ... ...

Future Work on PolyLARVA Runtime Monitor

• Implementation of other Language Specific Compilers

• Implementation of translator for specification in DATEs format to new PolyLarvaspecification

• Analysis of specification script for optimisation of rules

• Ability to save and load Monitor state • Any more?

THE ENDPOLYLARVA Technology Agnostic Runtime Verification

polylarva technology agnostic runtime verification

Documents

monitor monitor

getmonitorinstanceu1

runtime verification

system language

system implementation

system code

user u1

user settings allowit