Abstract

Runtime verification is a complementary approach to testing, model checking and other static verification techniques to verify software properties. Monitorability characterizes what can be verified (monitored) at run time. Different definitions of monitorability have been given both for trace properties and for hyperproperties (properties defined over sets of traces), but these definitions usually cover only some aspects of what is important when characterizing the notion of monitorability. The first contribution of this paper is a refinement of classic notions of monitorability both for trace properties and hyperproperties, taking into account, among other things, the computability of the monitor. A second contribution of our work is to show that black-box monitoring of HyperLTL (a logic for hyperproperties) is in general unfeasible, and to suggest a gray-box approach in which we combine static and runtime verification. The main idea is to call a static verifier as an oracle at run time allowing, in some cases, to give a final verdict for properties that are considered to be non-monitorable under a black-box approach. Our third contribution is the instantiation of this solution to a privacy property called distributed data minimization which cannot be verified using black-box runtime verification. We use an SMT-based static verifier as an oracle at run time. We have implemented our gray-box approach for monitoring data minimization into the proof-of-concept tool Minion. We describe the tool and apply it to a few case studies to show its feasibility.

Highlights

  • We prove in this paper that a large class of hyperproperties that involve quantifier alternations are not black-box monitorable in general. To work around this discouraging result, we propose a gray-box approach based on a combination of static and runtime verification that allows us to still give a definitive verdict for certain properties that are not black-box monitorable.

  • We have addressed the issue of monitorability with four main contributions.

Summary

Introduction

Imagine yourself organizing an international conference on formal methods with parallel tracks spread over multiple conference venues. A property expressed in LTL is monitorable (after observing a prefix trace u) if there is an extension of u that would violate or satisfy the property [38]. We call this notion semantic black-box monitorability. It is semantic because it defines a decision problem (the existence of a satisfying or violating trace extension) without requiring a corresponding decision procedure. It is black-box because the definition only considers the property, without further information about the program/system being monitored, so every extended observation is possible and must be considered. We prove in this paper that a large class of hyperproperties that involve quantifier alternations are not black-box monitorable in general. To work around this discouraging result, we propose a gray-box approach based on a combination of static and runtime verification that allows us to still give a definitive verdict (violation or satisfaction) for certain properties that are not black-box monitorable. A comparison with related work and our conclusions are presented in the last two sections of the paper.
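The following is an added illustration of the semantic black-box monitorability definition above; it is not code from the paper or from the Minion tool. It assumes a constructed encoding in which each observed event records whether a proposition p held ("p" or "np"), and each property is given as a small finite-state monitor with "good" states (every continuation satisfies) and "bad" states (every continuation violates). Monitorability after a prefix u then reduces to reachability of a good or bad state from the state reached by u, which is exactly the "exists an extension that settles the verdict" condition, and it shows why G F p never settles while p ∨ G F p settles only on some prefixes.

```python
from collections import deque
from dataclasses import dataclass

# Three-valued (LTL3-style) verdicts of a monitor after a finite prefix.
TRUE, FALSE, UNKNOWN = "true", "false", "?"


@dataclass
class Monitor:
    """Finite-state monitor for one trace property (assumed encoding).

    delta maps (state, event) to the next state.  States in `good` are those
    from which every continuation satisfies the property; states in `bad` are
    those from which every continuation violates it.  All other states are
    inconclusive.
    """
    initial: str
    delta: dict
    good: frozenset = frozenset()
    bad: frozenset = frozenset()

    def run(self, prefix):
        state = self.initial
        for event in prefix:
            state = self.delta[(state, event)]
        return state

    def verdict(self, prefix):
        state = self.run(prefix)
        if state in self.good:
            return TRUE
        if state in self.bad:
            return FALSE
        return UNKNOWN

    def monitorable_after(self, prefix):
        """Semantic black-box monitorability at prefix u: is there a finite
        extension of u after which the verdict is definitive?  Every extension
        is considered possible, so this is plain reachability in the monitor."""
        start = self.run(prefix)
        seen, queue = {start}, deque([start])
        while queue:
            state = queue.popleft()
            if state in self.good or state in self.bad:
                return True
            for (src, _), dst in self.delta.items():
                if src == state and dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
        return False


def sink(name, events=("p", "np")):
    """Transitions that keep a state forever (absorbing state)."""
    return {(name, e): name for e in events}


# G p (safety): the first "np" is a bad prefix, nothing is ever a good prefix.
ALWAYS_P = Monitor(
    "ok",
    {("ok", "p"): "ok", ("ok", "np"): "bad", **sink("bad")},
    bad=frozenset({"bad"}),
)

# F p (co-safety): the first "p" is a good prefix, nothing is ever a bad prefix.
EVENTUALLY_P = Monitor(
    "wait",
    {("wait", "p"): "done", ("wait", "np"): "wait", **sink("done")},
    good=frozenset({"done"}),
)

# G F p (infinitely often p): no finite prefix, however extended, settles it.
INFINITELY_OFTEN_P = Monitor("s", sink("s"))

# p OR G F p: monitorable before the first event (a "p" satisfies it), but once
# the first event is "np" the remaining obligation is G F p and nothing settles.
P_OR_INFINITELY_OFTEN_P = Monitor(
    "start",
    {("start", "p"): "sat", ("start", "np"): "limbo", **sink("sat"), **sink("limbo")},
    good=frozenset({"sat"}),
)


def report(monitor, prefix):
    """Verdict after the prefix plus whether any extension could still decide it."""
    return monitor.verdict(prefix), monitor.monitorable_after(prefix)


if __name__ == "__main__":
    trace = ["p", "np", "p"]  # constructed sample observation
    for name, m in [("G p", ALWAYS_P), ("F p", EVENTUALLY_P),
                    ("G F p", INFINITELY_OFTEN_P), ("p or G F p", P_OR_INFINITELY_OFTEN_P)]:
        print(name, report(m, trace))
```

The reachability check is the black-box part of the definition: the monitor knows nothing about the system, so every extension is admissible. The paper's gray-box approach restricts that set of extensions using static information about the program, which is what can turn a property like G F p from undecidable at run time into one with a definitive verdict for a particular system.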

  • Background
    • LTL and relational HyperLTL
    • Semantic monitorability
  • Improved monitorability by gray-box monitoring
    • Gray-box monitoring and the notions of sound and perfect monitors
  • Monitoring distributed data minimality
    • DDM preliminaries
    • DDM as a hyperproperty
    • Properties of DDM
    • Building a gray-box monitor for DDM
  • Implementation and empirical evaluation
    • Extracting program characterizations via symbolic execution
    • Monitoring strategies
    • Loops and loop invariants
    • Empirical evaluation
  • Related work
    • LTL and monitorability for trace logics
    • Monitoring hyperproperties
    • Data minimization
  • Conclusion and future work