Similar literature
 Found 20 similar documents; search took 15 ms
1.
Runtime monitors are a widely used approach to enforcing security policies. Truncation monitors are based on the idea of truncating an execution before a violation occurs. Thus, the range of security policies they can enforce is limited to safety properties. The use of an a priori static analysis of the target program is a possible way of extending the range of monitorable properties. This paper presents an approach to producing an in-lined truncation monitor, which draws upon the above intuition. Based on an a priori knowledge of the program behavior, this approach allows, in some cases, to enforce more than safety properties and is more powerful than a classical truncation mechanism. We provide and prove a theorem stating that a truncation enforcement mechanism considering only the set of possible executions of a specific program is strictly more powerful than a mechanism considering all the executions over an alphabet of actions.

2.
International Journal on Software Tools for Technology Transfer - Runtime enforcement and control system synthesis are two verification techniques that automate the process of transforming an...

3.
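He Hua, Li Hang. 《微机发展》 (Microcomputer Development) 2005,15(3):60-62,126
As the structure of computing systems grows increasingly complex, research on system reliability techniques faces new challenges. To grasp the development trend of this technology and pursue deeper research, a clear understanding of its history and current state is needed. This paper discusses how to ensure system reliability from the design and development of a computing system through to its operation, including fault avoidance at design time, fault removal at development time, and fault handling at run time. It focuses on classifying run-time software fault-tolerance techniques from different perspectives and compares their advantages and disadvantages. These classes of techniques all aim at avoiding system failures at run time, and improve system reliability from the operational perspective.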

4.
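As the structure of computing systems grows increasingly complex, research on system reliability techniques faces new challenges. To grasp the development trend of this technology and pursue deeper research, a clear understanding of its history and current state is needed. This paper discusses how to ensure system reliability from the design and development of a computing system through to its operation, including fault avoidance at design time, fault removal at development time, and fault handling at run time. It focuses on classifying run-time software fault-tolerance techniques from different perspectives and compares their advantages and disadvantages. These classes of techniques all aim at avoiding system failures at run time, and improve system reliability from the operational perspective.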

5.
Color accurate monitors are high resolution, luminance‐controlled displays with very large color gamut. They have internal controls to match specific color standards (e.g., sRGB, Adobe‐RGB, REC‐709) and well‐defined gamma functions (mostly γ = 2.2, but others such as Equal Probability of Detection, Digital Imaging and Communications in Medicine). Usually, they come with external tools for automatic calibration (like Chroma 5 or Spider) and for communicating with the host computer through USB port, and with software to control the calibration process. Most of them allow a calibration to a specific customer selected color gamut, besides the precalibrated standards, but limit the gray levels calibration to a gamma type function (typically γ = 2.2). Their unique properties, challenges, and applications will be discussed. A comparison between the properties of four monitors and optical test results of their parameters is presented.

6.
This paper describes the implementation of the Solo operating system written in Concurrent Pascal.* It explains the overall structure and details of the system in which concurrent processes communicate by means of a hierarchy of monitors and classes. The concurrent program is a sequence of nearly independent components of less than one page of text each. The system has been operating since May 1975.

7.
8.
Cilk (pronounced “silk”) is a C-based runtime system for multithreaded parallel programming. In this paper, we document the efficiency of the Cilk work-stealing scheduler, both empirically and analytically. We show that on real and synthetic applications, the “work” and “critical-path length” of a Cilk computation can be used to model performance accurately. Consequently, a Cilk programmer can focus on reducing the computation's work and critical-path length, insulated from load balancing and other runtime scheduling issues. We also prove that for the class of “fully strict” (well-structured) programs, the Cilk scheduler achieves space, time, and communication bounds all within a constant factor of optimal. The Cilk runtime system currently runs on the Connection Machine CM5 MPP, the Intel Paragon MPP, the Sun Sparcstation SMP, and the Cilk-NOW network of workstations. Applications written in Cilk include protein folding, graphic rendering, backtrack search, and the Socrates chess program, which won second prize in the 1995 ICCA World Computer Chess Championship.

9.
Detecting latency‐related problems in production environments is usually carried out at the application level with custom instrumentation. This is enough to detect high latencies in instrumented applications but does not provide all the information required to understand the source of the latency and is dependent on manually deployed instrumentation. The abnormal latencies usually start in the operating system kernel because of contention on physical resources or locks. Hence, finding the root cause of a latency may require a kernel trace. This trace can easily represent hundreds of thousands of events per second. In this paper, we propose and evaluate a methodology, efficient algorithms, and concurrent data structures to detect and analyze latency problems that occur at the kernel level. We introduce a new kernel‐based approach that enables developers and administrators to efficiently track latency problems in production and trigger actions when abnormal conditions are detected. The result of this study is a working scalable latency tracker and an efficient approach to perform stateful tracing in production. Copyright © 2016 John Wiley & Sons, Ltd.

10.
In this paper we present a sound and complete semantics for the monitor concept of C.A.R. Hoare. First a method for specification of monitors, introduced by O.-J. Dahl, is reviewed. This method is based on the relation between the historic sequence of monitor procedure calls and the historic sequence of monitor procedure exits. Based on such specifications and our new monitor semantics we present a method by which it is possible to prove that a concrete monitor is an implementation of an abstract one. In the last part of the paper an axiomatic semantics for systems of concurrent processes and monitors is introduced. The method supports verification by separation of concerns: Properties of the communication to and from each process are proven in isolation by a usual Hoare style axiomatic semantics, while abstract monitors are also specified in isolation by the method reviewed in the first part of the paper. These properties of the components of the system are then used in a new proof rule to conclude properties of the complete system. Stein Gjessing received a Ph.D. (actually a Dr. philos.) from the University of Oslo (Norway) in 1985. Presently he is an Associate Professor at the Institute of Informatics, University of Oslo, Norway. Dr. Gjessing's research interests are in the area of concurrent and distributed programming, operating systems, formal specification and verification and programming languages.

11.
Gjerlufsen  T. Ingstrup  M. Olsen  J.W. 《Computer》2009,42(10):61-68
Hierarchical graphs provide a data structure to support a programming model that aims to improve understandability by creating an architectural basis for building inspectable systems. We engage developers in constructing and exposing a runtime model of a system in a clear and structured way, thereby enabling them to build inspectable systems. This approach rests on the intuition that by supporting inspection at the developers' level of detail, for their own use and benefit, the system provides a sufficient basis for differently targeted accounts. The basic runtime model we rely on can be used to create system representations tailored to serve specialized application-specific purposes. Our approach centers on a reflective data structure we call an H-graph (short for hierarchical graph) and the programming model focused around it. Equally important, the data structure supplies part of the programming model to build reflective software in general.

12.
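Using design-model information to raise the degree of test automation is an important topic in the testing field. UML sequence diagrams are a widely used scenario specification language. This paper studies a runtime testing method oriented to scenario specifications and applies it to implement SDT, a testing tool based on scenario specifications in UML sequence diagrams. SDT extracts sequence-diagram information from Rational Rose specification files, generates a directed acyclic graph of events representing the expected behavioral properties, instruments the code, and executes it with random test cases; finally it compares the runtime traces obtained by reverse engineering with the directed acyclic graph, automatically verifying the consistency of the implementation with the design.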

13.
International Journal on Software Tools for Technology Transfer - The first international Competition on Runtime Verification (CRV) was held in September 2014, in Toronto, Canada, as a satellite...

14.
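A runtime architecture is a dynamic, structured abstraction of a system at run time; it describes the system's current components, the state and configuration of each component, and the relationships among them. A runtime architecture has a dynamic causal connection with the target system: changes in the system are promptly reflected in the architecture, and modifications to the architecture promptly affect the running system. A runtime architecture lets developers monitor and adjust the system by reading and writing the architecture, and is the basis for architecture-level dynamic adaptation and online evolution. The key to constructing a runtime architecture is to implement a suitable infrastructure for each target system and architectural style that maintains the causal connection between the two. Because of the diversity of target systems and architectures and the complexity of the logic for maintaining the causal connection, this construction process is often tedious, error-prone, and hard to reuse and maintain. This paper proposes a model-driven method for constructing runtime architectures. Developers only need to model the target system, the architecture, and the relationship between them; from these models, a supporting framework automatically constructs a valid and efficient runtime architecture infrastructure. A set of runtime architecture modeling languages is defined on the basis of the MOF and QVT standard modeling languages, and the supporting framework is implemented on the basis of general-purpose model-system synchronization techniques. A series of case studies shows that the method is widely applicable and significantly improves the efficiency and reusability of the runtime architecture construction process.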

15.
Virtual machine monitors: current technology and future trends   Cited by: 9 (self-citations: 0, citations by others: 9)
Rosenblum  M. Garfinkel  T. 《Computer》2005,38(5):39-47
Developed more than 30 years ago to address mainframe computing problems, virtual machine monitors have resurfaced on commodity platforms, offering novel solutions to challenges in security, reliability, and administration. Stanford University researchers began to look at the potential of virtual machines to overcome difficulties that hardware and operating system limitations imposed: This time the problems stemmed from massively parallel processing (MPP) machines that were difficult to program and could not run existing operating systems. With virtual machines, researchers found they could make these unwieldy architectures look sufficiently similar to existing platforms to leverage the current operating systems. From this project came the people and ideas that underpinned VMware Inc., the original supplier of VMMs for commodity computing hardware. The implications of having a VMM for commodity platforms intrigued both researchers and entrepreneurs.

16.
This paper presents VyrdMC, a runtime verification tool we are building for concurrent software components. The correctness criterion checked by VyrdMC is refinement: Each execution of the implementation must be consistent with an atomic execution of the specification. VyrdMC combines testing, model checking, and Vyrd, the runtime refinement checker we developed earlier. A test harness first drives the component to a non-trivial state which serves as the starting state for a number of simple, very small multi-threaded test cases. An execution-based model checker explores for each test case all distinct thread interleavings while Vyrd monitors executions for refinement violations. This combined approach has the advantage of improving the coverage of runtime refinement checking at modest additional computational cost, since model checkers are only used to explore thread interleavings of a small, fixed test program. The visibility and detailed checking offered by using refinement as the correctness criterion differentiate our approach from simply being a restricted application of model checking. An important side benefit is the reduction in program instrumentation made possible if VyrdMC is built using a model checker with its own virtual machine, such as Java PathFinder [Guillaume Brat, Klaus Havelund, Seung-Joon Park, and Willem Visser. Model Checking Programs. In IEEE International Conference on Automated Software Engineering (ASE), September 2000]. We are investigating the use of two different model checkers for building VyrdMC: Java PathFinder, an explicit-state model checker and Verisoft, a “stateless” model checker [P. Godefroid. Model Checking for Programming Languages using VeriSoft. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, pages 174–186, Paris, January 1997].

17.
Architecture-based runtime management (ARM) is a promising approach for Internetware systems. The key enablement of ARM is runtime architecture infrastructure (RAI) that maintains the causal connection between runtime systems and architectural models. An RAI is uneasy to implement and, more importantly, specific to the given system and model. In this paper, we propose a model-driven approach for automated generation of RAI implementation. Developers only need to define three MOF models for their preferred architecture model and the target system (these models are reusable independently for different pairs of the model and system), and one QVT transformation for the causal connection. Our Eclipse-based toolset, called SM@RT, will automatically generate the RAI implementation code without any modification on the source code of the target system, and automatically and properly deploy the generated RAI into the distributed systems. This approach is experimented on several runtime systems and architectural models, including ABC architectural models on Eclipse GUI and Android, C2 architectural models on JOnAS, Rainbow C/S style on PLASTIC and UML models on POJO.

18.
We introduce Kynoid, a real-time monitoring and enforcement framework for Android. Kynoid is based on user-defined security policies which are defined for data-items. This allows users to define temporal, spatial, and destination constraints which have to hold for single items. We introduce an innovative approach to allow for the real-time tracking and enforcement of such policies. In this way, Kynoid is the first extension for Android which enables the enforcement of security policies of data-items stored in shared resources. We outline Kynoid's architecture, present its operation and discuss it in terms of applicability, and performance. By providing a proof-of-concept implementation we further show the feasibility of our framework.

19.
20.
Due to the introduction of extended producer responsibility, European Original Equipment Manufacturers (OEMs) are forced to set up a reverse logistic system for their discarded products. As part of this set-up, OEMs or their service providers have to determine strategies for the recovery of these products. This involves determining an optimal degree of disassembly and assigning optimal recovery and disposal options. In this paper, optimisation models presented in some of our earlier work, are applied in a business case. The case concerns the recycling of PC-monitors and was part of a broader pilot project at Roteb (the municipal waste company of Rotterdam, The Netherlands). By using the models, it is shown that the recycling costs can be reduced by about 25%. Additional cost savings are also indicated, resulting in overall savings up to 40%. Also, modelling issues are discussed in relation to models that can be found in the literature and finally directions for further research are pointed out.
