Runtime Contracts Checker: Increasing Robustness of Component-Based Software Systems (original) (raw)

Runtime Verification of Component-Based Embedded Software

Computer and Information Sciences II: 26th International Symposium on Computer and Information Sciences, 2011

To deal with increasing size and complexity, component-based software development has been employed in embedded systems. Due to several faults, components can make wrong assumptions about the working mode of the system and the working modes of the other components. To detect mode inconsistencies at runtime, we propose a ''lightweight''error detection mechanism, which can be integrated with component-based embedded systems. We define links among three levels of abstractions: the runtime ...

4 Runtime Enforcement for Component-Based Systems

2015

Runtime enforcement is an increasingly popular and effective dynamic validation technique aiming to ensure the correct runtime behavior (w.r.t. a formal specification) of systems using a so-called enforcement monitor. In this paper we introduce runtime enforcement of specifications on component-based systems (CBS) modeled in the BIP (Behavior, Interaction and Priority) framework. BIP is a powerful and expressive component-based framework for formal construction of heterogeneous systems. However, because of BIP expressiveness, it remains difficult to enforce at design-time complex behavioral properties. First we propose a theoretical runtime enforcement framework for CBS where we delineate a hierarchy of sets of enforceable properties (i.e., properties that can be enforced) according to the number of observational steps a system is allowed to deviate from the property (i.e., the notion of k-step enforceability). To ensure the observational equivalence between the correct executions of the initial system and the monitored system, we show that i) only stutter-invariant properties should be enforced on CBS with our monitors, ii) safety properties are 1-step enforceable. Given an abstract enforcement monitor (as a finite-state machine) for some 1-step enforceable specification, we formally instrument (at relevant locations) a given BIP system to integrate the monitor. At runtime, the monitor observes and automatically avoids any error in the behavior of the system w.r.t. the specification. Our approach is fully implemented in an available tool that we used to i) avoid deadlock occurrences on a dining philosophers benchmark, and ii) ensure the correct placement of robots on a map. 1 Introduction Users wanting to build complex, distributed, heterogeneous systems dispose of a variety of complementary verification techniques such as model-checking, static analysis, testing, and runtime verification to detect bugs and errors. Techniques are often categorized as static (e.g., model-checking, static analysis) or dynamic (e.g., testing, runtime verification) according to the sort of system information that is analyzed. Interestingly, these techniques are complementary to each other in terms of desirable features. For instance, dynamic techniques are scalable (they face the state-explosion problem) and can be applied when some parts of the system are unknown or when verification with other techniques is undecidable. Both types of techniques take as input some representation of the system, perform some analysis, and yield a verdict indicating the (partial) correctness of the system in addition to providing some form of feedback to the user. Upon the detection of an error in the system, the user's activity enters a new phase consisting in correcting the system and then submitting the corrected system to the analysis technique. This process is usually time-consuming and not guaranteed to converge within the time frame associated to system implementation. Motivations. We aim at marrying software synthesis and dynamic analysis to solve the aforementioned issue. While runtime verification complements model-checking, we propose runtime enforcement (RE) (cf. [1-3]) to complement model repair. While model repair targets correctness-by-construction, runtime enforcement, as proposed in this paper, targets correctness-at-operation. Runtime enforcement is an increasingly popular and effective dynamic technique aiming at ensuring the correct runtime behavior (w.r.t. a formal specification) of systems using a so-called enforcement monitor. At runtime, the monitor consumes information from the execution (e.g., events) and modifies it whenever it is necessary to comply with the specification by, e.g., suppressing forbidden events. To the best of our knowledge, enforcing properties at runtime has been only studied for monolithic systems. Moreover, these frameworks remain at an abstract level, and do not specify how systems should be instrumented. We target component-based systems (CBS) expressed in the BIP (Behavior, Interaction and Priority) framework (see Sec. 3) [4-6]. BIP uses a dedicated language and toolset supporting a rigorous design flow. The BIP language allows to build complex systems by coordinating the behavior of a set of atomic components. Behavior is described with Labelled Transition Systems extended with data and functions written in C. Coordination between components is layered. The first layer describes the interactions between components. The second layer describes dynamic priorities between the interactions to express scheduling policies. The combination of interactions and priorities characterizes the overall architecture of a system. This layered architecture confers a strong expressiveness to BIP [4]. Moreover, BIP has a rigorous operational semantics: the behavior of a composite component is formally described as the composition of the behaviors of its atomic components. This allows a direct relation between the underlying semantic model and its (automatically synthesized) implementation. Contributions. This paper proposes an effective runtime enforcement technique to easily integrate correctness properties into a component-based system. Our approach favors the design and correctness of safetycritical systems by allowing a separation of concerns for system designers. Indeed, the functional part of the system and its safety requirements can be designed in separation, and then latter integrated together with

Architectural Verification of Black-Box Component-Based Systems

Lecture Notes in Computer Science, 2007

We introduce an original approach, which combines monitoring and model checking techniques into a comprehensive methodology for the architectural verification of Component-based systems. The approach works by first capturing the traces of execution via the instrumented middleware; then, the observed traces are reverse engineered into Message Sequence Charts, which are then checked for compliance to the Component-based Software Architecture, using a model checker. The methodology has been conceived for being applied indifferently for validating the system in house before deployment and for continuous validation in the field following evolution. A case study for the first case is here illustrated.

Runtime observable and adaptable UML state machines

Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing

An embedded system is a self-contained system that incorporates elements of control logic and real-world interaction. UML State Machines constitute a powerful formalism to model the behaviour of these types of systems. In current industrial environments, the software of these embedded systems have to cope with the increasing complexity and robustness requirements at runtime. One way to manage these requirements is having the software component's behaviour model available at runtime (models@run.time). Thus, it is possible to enhance the safety of the software component by enabling verification and adaptation at runtime. In this paper, we present a model-driven approach to generate software components (namely, RESCO framework), which are able both to provide their internal information in model terms at runtime and adapt their behaviour automatically when an error or an unexpected situation is detected. The aforementioned runtime introspection and adaptation abilities are added automatically to the software component and it does not require the developer make any extra effort. The solution has been tested in the design and implementation of an industrial Burner controller. Results indicate that the software components generated by the presented solution provides introspection at runtime. Thanks to this introspection ability at runtime, the software components are able to adapt automatically from their normal-mode behaviour to a safe-mode behaviour which was defined to be used in erroneous or unexpected situations at runtime. Therefore, it is possible to enhance the safety of the systems consisting of these software components. CCS CONCEPTS • Computer systems organization → Dependable and faulttolerant systems and networks; Embedded software;

Architectural Runtime Verification

2019 IEEE International Conference on Software Architecture Companion (ICSA-C), 2019

Analyzing runtime behavior is an important part of developing and verifying software systems. This is especially true for complex component-based systems used in the vehicle industry. Here, locating the actual cause of (mis-)behavior can be time-consuming, because the analysis is usually not performed on the architecture level, where the system has initially been designed. Instead, it often relies on source code debugging or visualizing signals and events. The results must then be correlated to what is expected regarding the architecture. With an ever-growing complexity of the systems, the advent of model-based development, code generators and the distributed nature of the development process, this becomes increasingly difficult. This paper therefore presents Architectural Runtime Verification (ARV), a generic approach to analyze system behavior on architecture level using the principles of Runtime Verification. It relies on the architecture description and on the runtime information that is collected in simulationbased tests. This allows an analyst to easily verify or refute hypotheses about system behavior regarding the interaction of components, without the need to inspect the source code. We have instantiated ARV as a framework that allows a client to make queries about architectural elements using a timed LTL-based constraint language. From this, ARV generates a Runtime Verification monitor and applies it to runtime data stored in a database. We demonstrate the applicability of this approach with a running example from the automotive industry.

A Flexible Strategy for Embedding and Configuring Run-Time Contract Checks in .Net Components

International Journal of Software Engineering and Knowledge Engineering, 2007

In component-based systems, there are several obstacles to using Design by Contract (DbC), particularly with respect to third-party components. Contracts are particularly valuable when debugging or testing composite software structures that include third-party components. However, existing approaches have critical weaknesses. First, existing approaches typically require a component's source code to be available if you wish to strip (or re-insert) checks. Second, documentation of the contract is either distributed separately from the component or embedded in the component's source code. Third, enabling and disabling specific kinds of checks on separate components from independent vendors can be a significant challenge. This paper describes an approach to representing contracts for .NET components using attributes. This contract information can be retrieved from the compiled component's metadata and used for many purposes. The paper also describes nContract, a tool that automatically generates run-time checks from embedded contracts. Such run-time checks can be generated and added to a system without requiring source code access or recompilation. Further, when checks for a given component are excluded, they impose no run-time overhead. Finally, a highly expressive, fine-grained mechanism for controlling user preferences about which specific checks are enabled or disabled is presented.

An Assume-Guarantee Model Checker for Component-Based Systems (Tool Paper)

This paper introduces an assume-guarantee model checker, named AGMC, for verifying correctness of designs of component-based systems. Given UML 2.0 sequence diagrams that describe behaviors of the system components and a required property, AGMC generates accurate models of the components represented by labeled transition systems (LTSs) automatically. AGMC then model checks that whether the system satisfies the property. The implemented AGMC is not only useful to verify component-based systems in practice but also has a potential to solve the state space explosion problem in model checking.

Towards A Hybrid Approach to Software Verification (Extended Abstract)

2015

Model checking (MC) [6] is a widely accepted pre-deployment verification technique that checks whether a system satisfies or violates a property by potentially analysing all the possible system behaviours. By contrast, runtime verification (RV) [10, 14] is a lightweight verification technique aimed at mitigating scalability issues such state explosion problems, typically associated with traditional verification techniques like MC. RV attempts to infer the satisfaction (or violation) of a correctness property from the analysis of the current execution of the system under scrutiny. It is thus performed post-deployment (on actual system execution), which is appealing for component-based applications (parts of which may not be available for analysis pre-deployment), as well as for dynamic settings such as mobile computing (where components are downloaded and installed at runtime). The technique has fostered a number of verification tools, e.g., [2, 3, 8, 9, 12, 13, 16], and has proved e...

Model driven code checking

Automated Software Engineering, 2008

Model checkers were originally developed to support the formal verification of high-level design models of distributed system designs. Over the years, they have become unmatched in precision and performance in this domain. Research in model checking has meanwhile moved towards methods that allow us to reason also about implementation level artifacts (e.g., software code) directly, instead of hand-crafted representations of those artifacts. This does not mean that there is no longer a place for the use of high-level models, but it does mean that such models are used in a different way today. In the approach that we describe here, high-level models are used to represent the environment for which the code is to be verified, but not the application itself. The code of the application is now executed as is by the model checker, while using powerful forms of abstraction on-the-fly to build the abstract state space that guides the verification process. This model-driven code checking method allows us to verify implementation level code efficiently for high-level safety and liveness properties. In this paper, we give an overview of the methodology that supports this new paradigm of code verification.

Handling State Space Explosion in Component-Based Software Verification: A Review

IEEE Access

Component-based software development (CBSD) is an alternative approach to constructing software systems that offers numerous benefits, particularly in decreasing the complexity of system design. However, deploying components into a system is a challenging and error-prone task. Model-checking is one of the reliable methods to systematically analyze the correctness of a system. Its brute-force checking of the system's state space assists to significantly expand the level of confidence in the system. Nevertheless, model-checking is limited by a critical problem called state space explosion (SSE). To benefit from modelchecking, an appropriate method is required to reduce SSE. In the past two decades, a great number of SSE reduction methods have been proposed containing many similarities, dissimilarities, and unclear concepts in some cases. This research, firstly, plans to present a review of SSE handling methods and classify them based on their similarities, principle, and characteristics. Second, it investigates the methods for handling SSE problem in the verification process of CBSD and provides insight into the potential limitations, underlining the key challenges for future research efforts. INDEX TERMS Component-based software development, verification of software components, modelchecking, state space explosion.