Efficient Decentralized Monitoring of Safety in Distributed System. K. Sen, A. Vardhan, G. Agha, G. Rosu. 20th July 2007. Presented by Shin Hong, PSWLAB, KAIST.
Presentation transcript:

Title slide: Efficient Decentralized Monitoring of Safety in Distributed System. K. Sen, A. Vardhan, G. Agha, G. Rosu. 20th July 2007. Presented by Shin Hong at PSWLAB, KAIST.

Contents
- Introduction
- Distributed System
- Past-time Linear Temporal Logic
- Past-time Distributed Temporal Logic
- Monitoring Algorithm for PT-DTL
- Conclusion

Introduction (1/6)
The correctness of software is very important today. Model checking and testing are two approaches to assuring the correctness of software.
- Model checking: the size of systems for which model checking is feasible remains limited.
- Traditional testing: ad hoc, and test coverage is limited.

Introduction (2/6)
Runtime verification: dynamic monitoring of the target system against formal specifications.
- Monitors are automatically synthesized from the formal specifications.
- Scalable.

Introduction (3/6)
Runtime verification has been used to monitor distributed systems, which have concurrency and asynchrony. In many distributed systems it is quite impractical to monitor requirements expressed in classical temporal logics such as LTL.

Introduction (4/6)
Example: mobile networks. Requirement: no node receives a reply from a node to which it has not previously issued a request. How can this requirement be specified in LTL?
[Figure: two nodes exchanging Request and Reply messages]

Introduction (5/6)
Propositional LTL is impractical for specifying the requirements of distributed systems:
- not scalable;
- hard to capture a global snapshot.
To address these difficulties, a new specification logic for runtime verification in distributed systems is introduced: Past-time Distributed Temporal Logic (PT-DTL).

Introduction (6/6)
Past-time DTL specifies requirements as local monitors on each node. The requirement of the mobile-network example can be rewritten as: if Node A has received a value, then previously in the past Node B computed the value and, at Node A, a request to Node B was made. Written with @ for evaluation at a remote node:
receivedValue → @NodeB(◈(computedValue ∧ @NodeA(◈ requestedValue)))


Distributed System (1/5)
Characteristics of a distributed system:
- a collection of n processes (p_1, p_2, ..., p_n), each with its own local state;
- no global or shared variables;
- a process communicates with the others using asynchronous messages, whose order of arrival is indeterminate.

Distributed System (2/5)
Modeling a distributed system:
- Event: a computation step of a process. Events are internal events, send events, or receive events.
- Process: a set of events.

Distributed System (3/5)
Partial order ≺:
- E_i: the set of events of process p_i; E = ∪_i E_i.
- ⋖ ⊆ E × E: e ⋖ e' if e, e' ∈ E_i and e happens immediately before e'; or e is the send event of a message at some process and e' is the corresponding receive event of that message at the recipient process.
- ≺: the transitive closure of ⋖.
- ≼: the reflexive and transitive closure of ⋖.

Distributed System (4/5)
- ↓e := {e' | e' ≼ e} can be thought of as the local state at e.
- LS_i := {↓e | e ∈ E_i} is the set of local states of process p_i.
- causal_j(s_i): the latest state of process p_j that process p_i knows of while in state s_i ∈ LS_i.

Distributed System (5/5)
[Figure: space-time diagram of the example] causal_p1(↓e_23) = ↓e_12


Past-Time Linear Temporal Logic (1/3)
PT-LTL has been used to express, monitor, and predict violations of safety properties of software systems.
Syntax:
F ::= true | false | a ∈ A | ¬F | F ∧ F | F ∨ F | F → F | ⊙F | ⊡F | ◈F | F S F
where A is the set of atomic propositions.

Past-Time Linear Temporal Logic (2/3)
Temporal operators of PT-LTL (ρ = ρ_1 ... ρ_n is a finite trace, ρ_i its prefix of length i):
- ⊙ (previously): ρ ⊨ ⊙F iff ρ' ⊨ F, where ρ' = ρ_{n-1} if n > 1 and ρ' = ρ if n = 1.
- ⊡ (always in the past): ρ ⊨ ⊡F iff ρ_i ⊨ F for all 1 ≤ i < n.
- ◈ (eventually in the past): ρ ⊨ ◈F iff ρ_i ⊨ F for some 1 ≤ i < n.
- S (since): ρ ⊨ F_1 S F_2 iff ρ_j ⊨ F_2 for some 1 ≤ j ≤ n and ρ_i ⊨ F_1 for all j ≤ i ≤ n.

Past-Time Linear Temporal Logic (3/3)
Example formula: ⊡((action ∧ ⊙¬action) → (¬Stop S Start))
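As an added example, not part of the slides or the paper, the following Python evaluator implements the PT-LTL operators of the "Past-Time Linear Temporal Logic (2/3)" slide over a finite trace and checks the example formula of the (3/3) slide. It assumes the bounds 1 ≤ i ≤ n for ⊡ and ◈ and j < i ≤ n for the F_1 part of S (the usual PT-LTL reading); the traces and the tuple encoding of formulas are constructed for this example.

```python
# Added example (not from the slides): a direct PT-LTL evaluator over a finite
# trace rho = rho_1 ... rho_n. Assumption: ⊡ and ◈ range over 1 <= i <= n and
# F1 S F2 needs F1 at every j < i <= n. Formulas are nested tuples; a bare
# string is an atomic proposition looked up in the current state (a set of names).

def holds(trace, n, f):
    """Does the prefix rho_1 .. rho_n of trace satisfy f?  (1-based n)"""
    if isinstance(f, str):                       # atomic proposition
        return f in trace[n - 1]
    op = f[0]
    if op == "not":
        return not holds(trace, n, f[1])
    if op == "and":
        return holds(trace, n, f[1]) and holds(trace, n, f[2])
    if op == "or":
        return holds(trace, n, f[1]) or holds(trace, n, f[2])
    if op == "implies":
        return (not holds(trace, n, f[1])) or holds(trace, n, f[2])
    if op == "prev":                             # ⊙ F: rho' = rho_{n-1} if n > 1, else rho itself
        return holds(trace, n - 1 if n > 1 else n, f[1])
    if op == "always":                           # ⊡ F: F holds at every position 1 <= i <= n
        return all(holds(trace, i, f[1]) for i in range(1, n + 1))
    if op == "eventually":                       # ◈ F: F holds at some position 1 <= i <= n
        return any(holds(trace, i, f[1]) for i in range(1, n + 1))
    if op == "since":                            # F1 S F2: F2 at some j <= n, F1 at every j < i <= n
        return any(holds(trace, j, f[2])
                   and all(holds(trace, i, f[1]) for i in range(j + 1, n + 1))
                   for j in range(1, n + 1))
    raise ValueError(f"unknown operator {op!r}")

def check(trace, f):
    """Verdict of f on the complete finite trace (position n = len(trace))."""
    return holds(trace, len(trace), f)

# The slide's example formula: ⊡((action ∧ ⊙¬action) → (¬Stop S Start)), i.e.
# whenever an action begins, a Start has happened and no Stop has occurred since.
ACTION_NEEDS_START = ("always", ("implies",
                                 ("and", "action", ("prev", ("not", "action"))),
                                 ("since", ("not", "Stop"), "Start")))

# Constructed traces: each state is the set of propositions true in it.
GOOD = [{"Start"}, {"action"}, {"action"}, {"Stop"}, {"Start"}, {"action"}]
BAD = [{"Start"}, {"action"}, {"Stop"}, {"action"}]   # action resumes after Stop without a new Start
```

A single-state trace exercises the n = 1 case of ⊙, where "previously" refers to the current state itself.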


Past-Time Distributed Temporal Logic (1/4)
Distributed systems are usually asynchronous, and the absolute global state of the system is not available to the processes. The best each process can do is reason about the global state that it is aware of. PT-DTL expresses safety properties of distributed message-passing systems.

Past-Time Distributed Temporal Logic (2/4)
PT-DTL extends PT-LTL with remote evaluation: an expression or a formula is evaluated in the last known state of a remote process.
[Figure: remote evaluation between two processes; the extracted labels read "x j y" and "a j b"]

Past-Time Distributed Temporal Logic (3/4)
Syntax [shown as a figure on the slide]:
- op: ∧, ∨, →
- ξ_i is a tuple of expressions on process p_i.
- f is a function over tuples.

Past-Time Distributed Temporal Logic (4/4)
Semantics: the semantics of PT-DTL is a natural extension of that of PT-LTL. A remote expression ξ_j takes its value in the state s_j = causal_j(s_i), the latest state of process p_j of which process p_i is aware.

Monitoring algorithm for PT-DTL (1/6)
The synthesized monitor is distributed: local monitors run on each process. Goals:
- Monitoring should be fast.
- Little memory overhead.
- The number of messages that need to be sent between processes for monitoring purposes should be minimal.

Monitoring algorithm for PT-DTL (2/6)
A local monitor may attach additional information to every outgoing message. When process p_i evaluates a remote expression of process p_j, p_j attaches the value of that expression, together with a sequence number, to every outgoing message.

Monitoring algorithm for PT-DTL (3/6)
Knowledge vector. At process p_i:
- KV_i[j]: the entry for process p_j in the vector KV_i.
- KV_i[j].seq: the sequence number of the last event seen at p_j.
- KV_i[j].values: the values of the remote expressions and remote formulas of process p_j.
The monitor of process p_i attaches a copy of KV_i to every outgoing message.

Monitoring algorithm for PT-DTL (4/6)
Updating the knowledge vector at process p_i:
- Internal event: update KV_i[i].
- Send event: KV_i[i].seq := KV_i[i].seq + 1.
- Receive event: let KV_m be the KV carried by the received message; for all j, if KV_m[j].seq > KV_i[j].seq then KV_i[j] := KV_m[j].
Every process should know the initial values of all variables; they can be obtained by an initial broadcast or by static analysis.

Monitoring algorithm for PT-DTL (5/6)
Once KV is properly updated, the local monitor can compute the boolean value of the formula being monitored by recursively evaluating the boolean value of each of its subformulae in the current state.

Monitoring algorithm for PT-DTL (6/6)
Example with 3 processes: p_1 has a local variable x whose initial value is 5; p_2 has a local variable y with initial value 7; and p_2 monitors the formula [shown on the slide, not recovered in the transcript].
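As an added example, not the DIANA implementation or code from the paper, the following Python models the knowledge-vector rules of the "Monitoring algorithm for PT-DTL (3/6)" and "(4/6)" slides and replays a constructed version of the "(6/6)" example. The initial values x = 5 and y = 7 come from the slide; the monitored property y > @p1 x, the event sequence, the out-of-order delivery, and the choice to advance seq on internal events are assumptions of this example.

```python
# Added example (not from the slides): knowledge vectors as on the "Monitoring
# algorithm for PT-DTL (3/6)-(4/6)" slides. Remote expressions are restricted to
# variable names here; the monitored property y > @p1 x is made up for the demo.
import copy

class Monitor:
    """Local monitor of one process, keeping its knowledge vector KV."""

    def __init__(self, pid, local_vars, exported, initial_values):
        self.pid = pid
        self.vars = dict(local_vars)      # this process's own local state
        self.exported = exported          # {pid: [variable names its remote monitors read]}
        # KV[j].seq: last event seen at p_j; KV[j].values: p_j's exported variables.
        # Initial values of every process are known up front (initial broadcast or static analysis).
        self.KV = {j: {"seq": 0, "values": dict(initial_values[j])} for j in initial_values}

    def internal(self, **updates):
        """Internal event: update KV_i[i] (assumption: the event also advances seq)."""
        self.vars.update(updates)
        self.KV[self.pid]["seq"] += 1
        self.KV[self.pid]["values"] = {v: self.vars[v] for v in self.exported[self.pid]}

    def send(self):
        """Send event: KV_i[i].seq += 1; a copy of KV_i travels with the message."""
        self.KV[self.pid]["seq"] += 1
        return copy.deepcopy(self.KV)

    def receive(self, kv_m):
        """Receive event: adopt every entry of the message's KV that is newer than ours."""
        for j, entry in kv_m.items():
            if entry["seq"] > self.KV[j]["seq"]:
                self.KV[j] = copy.deepcopy(entry)

    def remote(self, j, name):
        """@_j name: the value in causal_j(s_i), the last state of p_j this process knows of."""
        return self.KV[j]["values"][name]


def run_scenario():
    """Constructed run: p2 checks the hypothetical property y > @p1 x after each of its events."""
    exported, init = {1: ["x"], 2: []}, {1: {"x": 5}, 2: {}}
    p1 = Monitor(1, {"x": 5}, exported, init)
    p2 = Monitor(2, {"y": 7}, exported, init)
    verdicts = [p2.vars["y"] > p2.remote(1, "x")]       # 7 > 5, from the known initial value
    p1.internal(x=3)
    early = p1.send()                                   # carries x = 3 with seq 2
    p1.internal(x=10)
    late = p1.send()                                    # carries x = 10 with seq 4
    verdicts.append(p2.vars["y"] > p2.remote(1, "x"))   # nothing received yet: p2 still sees x = 5
    p2.receive(late)                                    # arrival order is indeterminate: 'late' first
    verdicts.append(p2.vars["y"] > p2.remote(1, "x"))   # 7 > 10 is False
    p2.receive(early)                                   # stale KV (seq 2 < 4) must not roll p2 back
    verdicts.append(p2.vars["y"] > p2.remote(1, "x"))   # still False: x is still 10
    return verdicts, p2.remote(1, "x"), p2.KV[1]["seq"]
```

The sequence-number check on receive is what keeps a monitor's view of a remote process monotone when messages overtake each other.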

Conclusion
DIANA (Distributed Analysis based on Java using the Actor formalism): instrumentation at the bytecode level.