Saumya Shankar, Ankit Pradhan, Srinivas Pinisetty, Antoine Rollet, Yliès Falcone
{"title":"Bounded-memory runtime enforcement with probabilistic and performance analysis","authors":"Saumya Shankar, Ankit Pradhan, Srinivas Pinisetty, Antoine Rollet, Yliès Falcone","doi":"10.1007/s10703-024-00446-1","DOIUrl":null,"url":null,"abstract":"<p>Runtime Enforcement (RE) is a technique aimed at monitoring the executions of a system at runtime and ensure its compliance against a set of formal requirements (properties). RE employs an enforcer (a safety wrapper for the system) which modifies the (untrustworthy) output by performing actions such as delaying (by storing/buffering) and suppressing events, when needed. In this paper, to handle practical applications with memory constraints, we propose a new RE paradigm where the memory of the enforcer is bounded/finite. Besides the property to be enforced, the user specifies a bound on the enforcer memory. Bounding the memory poses various challenges such as how to handle the situation when the memory is full, how to optimally discard events from the buffer to accommodate new events and let the enforcer continue operating. We define the bounded-memory RE problem and develop a framework for any regular property. All of our results are formalized and proved. We also analyze probabilistically how much memory is required on an average case for a given regular property, such that the output of the bounded enforcer is equal to that of the unbounded enforcer up to a fixed probability. The proposed framework is implemented and a case study is worked out to show the practicability and usefulness of the bounded enforcer in the real-world and to show the usage of the aforementioned probabilistic analysis on them. The performance is evaluated via some examples from application scenarios and it indicates linear changes in the execution time of the enforcers in response to increases in trace length, property complexity, and buffer sizes.</p>","PeriodicalId":12430,"journal":{"name":"Formal Methods in System Design","volume":"18 1","pages":""},"PeriodicalIF":0.7000,"publicationDate":"2024-02-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Formal Methods in System Design","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10703-024-00446-1","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}
引用次数: 0
Abstract
Runtime Enforcement (RE) is a technique aimed at monitoring the executions of a system at runtime and ensure its compliance against a set of formal requirements (properties). RE employs an enforcer (a safety wrapper for the system) which modifies the (untrustworthy) output by performing actions such as delaying (by storing/buffering) and suppressing events, when needed. In this paper, to handle practical applications with memory constraints, we propose a new RE paradigm where the memory of the enforcer is bounded/finite. Besides the property to be enforced, the user specifies a bound on the enforcer memory. Bounding the memory poses various challenges such as how to handle the situation when the memory is full, how to optimally discard events from the buffer to accommodate new events and let the enforcer continue operating. We define the bounded-memory RE problem and develop a framework for any regular property. All of our results are formalized and proved. We also analyze probabilistically how much memory is required on an average case for a given regular property, such that the output of the bounded enforcer is equal to that of the unbounded enforcer up to a fixed probability. The proposed framework is implemented and a case study is worked out to show the practicability and usefulness of the bounded enforcer in the real-world and to show the usage of the aforementioned probabilistic analysis on them. The performance is evaluated via some examples from application scenarios and it indicates linear changes in the execution time of the enforcers in response to increases in trace length, property complexity, and buffer sizes.
运行时执行(RE)是一种技术,旨在监控系统在运行时的执行情况,并确保其符合一系列正式要求(属性)。RE 采用执行器(系统的安全封装器),在需要时通过执行延迟(通过存储/缓冲)和抑制事件等操作来修改(不可信的)输出。在本文中,为了处理有内存限制的实际应用,我们提出了一种新的 RE 范式,即执行者的内存是有界/无限的。除了要强制执行的属性外,用户还可以指定强制执行内存的边界。内存受限会带来各种挑战,例如如何处理内存已满的情况,如何以最佳方式从缓冲区中丢弃事件以容纳新事件并让执行器继续运行。我们定义了有界内存 RE 问题,并开发了一个适用于任何规则属性的框架。我们的所有结果都得到了形式化和证明。我们还从概率上分析了给定正则属性的平均情况下需要多少内存,从而使有界执行者的输出等于无界执行者的输出,达到一个固定的概率。为了展示有界执行器在现实世界中的实用性和有用性,并展示上述概率分析在其中的应用,我们实施了所提出的框架并进行了案例研究。通过应用场景中的一些示例对性能进行了评估,结果表明,随着跟踪长度、属性复杂度和缓冲区大小的增加,执行器的执行时间也会发生线性变化。
期刊介绍:
The focus of this journal is on formal methods for designing, implementing, and validating the correctness of hardware (VLSI) and software systems. The stimulus for starting a journal with this goal came from both academia and industry. In both areas, interest in the use of formal methods has increased rapidly during the past few years. The enormous cost and time required to validate new designs has led to the realization that more powerful techniques must be developed. A number of techniques and tools are currently being devised for improving the reliability, and robustness of complex hardware and software systems. While the boundary between the (sub)components of a system that are cast in hardware, firmware, or software continues to blur, the relevant design disciplines and formal methods are maturing rapidly. Consequently, an important (and useful) collection of commonly applicable formal methods are expected to emerge that will strongly influence future design environments and design methods.