A Formal Monitoring-Based Framework for Software Development and Analysis
- In Proceedings of ICFEM’04, volume 3308 of LNCS, 2004
A temporal logic-based planning and execution monitoring . . .
- Autonomous Agents and Multi-Agent Systems, 2009
Distributed Usage Control
- Communications of the ACM, 2006
Cited by 13 (1 self)
Computer systems play an increasingly prominent role in our daily lives. Interacting with these systems often involves disclosing personal data, i.e., data that can be traced back to particular individuals, collected in different contexts. For example, healthcare providers, insurance companies, and tax
Checking and correcting behaviors of java programs at runtime with java-mop
- Electronic Notes in Theoretical Computer Science, 2005
Cited by 9 (2 self)
Monitoring-oriented programming (MOP) is a software development and analysis technique in which monitoring plays a fundamental role. MOP users can add their favorite or domain-specific requirements specification formalisms into the framework by means of logic plug-ins, which essentially comprise monitor synthesis algorithms for properties expressed as formulae. The properties are specified together with declarations stating where and how to automatically integrate the corresponding monitor into the system, as well as what to do if the property is violated or validated. In this paper we present Java-MOP, an MOP environment for developing robust Java applications. Based upon a carefully designed specification schema and upon several logic plug-ins, Java-MOP allows users to specify and monitor properties which can refer not only to the current program state, but also to the entire execution trace of a program, including past and future behaviors.
Validating Behavioral Component Interfaces in Rewriting Logic
- Electronic Notes in Theoretical Computer Science, 159, May 2006, 187–204, Proceedings of the IPM International Workshop on Foundations of Software Engineering (FSEN), 2005
Cited by 6 (6 self)
Many distributed applications can be understood in terms of components interacting in an open environment such as the Internet. Open environments are subject to change in unpredictable ways, as other applications may arrive, evolve, or disappear. In order to validate components in such environments, it can be useful to build a simulation environment which reflects this highly unpredictable behavior. In this paper, the validation of components with respect to behavioral interfaces is considered. Behavioral interfaces specify semantic requirements on the observable behavior of components, expressed in an assume-guarantee style. In our approach, a rewriting logic model is transparently extended with the history of all observable communication, and metalevel strategies are used to guide the simulation of environment behavior. Over-specification of the environment is avoided by allowing arbitrary environment behavior within the bounds of the assumption on observable behavior, while the component is validated with respect to the guarantee of the behavioral interface.
Using Maude to write and execute ODP Information Viewpoint specifications
- Computer Standards & Interfaces, 2005
Cited by 3 (2 self)
The aim of the open distributed processing (ODP) information viewpoint is to describe the semantics of the information and of the information processing in a system, from a global point of view, without having to worry about other considerations, such as how the information will be finally distributed or implemented or the technology used to achieve such implementation. Although several notations have been proposed to model this ODP viewpoint, they are not expressive enough to faithfully represent all the information concepts, or they tend to suffer from a lack of (formal) support, or both. In this paper, we explore the use of Maude as a formal notation for writing ODP information specifications. Maude is an executable rewriting logic language especially well suited for the specification of object-oriented open and distributed systems. We show how Maude offers a simple, natural, and accurate way of modeling the ODP information viewpoint concepts, allows the execution of the specifications produced, and offers good tool support for reasoning about them.
Runtime Monitoring of Metric First-order Temporal Properties
Cited by 3 (0 self)
We introduce a novel approach to the runtime monitoring of complex system properties. In particular, we present an online algorithm for a safety fragment of metric first-order temporal logic that is considerably more expressive than the logics supported by prior monitoring methods. Our approach, based on automatic structures, allows the unrestricted use of negation, universal and existential quantification over infinite domains, and the arbitrary nesting of both past and bounded future operators. Moreover, we show how to optimize our approach for the common case where structures consist of only finite relations, over possibly infinite domains. Under an additional restriction, we prove that the space consumed by our monitor is polynomially bounded by the cardinality of the data appearing in the processed prefix of the temporal structure being monitored.
The Design and Implementation of P2V, An Architecture for Zero-Overhead Online Verification of Software Programs
- 2007
Cited by 2 (0 self)
The PSL-to-Verilog (P2V) compiler can translate a set of assertions about a block-structured software program into a hardware design to be executed concurrently with the execution of the software program. The assertions validate the correctness of the software program without altering its temporal behavior in any way, a result that has never been previously achieved by any online model-checking system. The technique and the implementation apply to any general purpose program and the absence of execution overheads makes the system ideal for the verification and debugging of real-time systems. The assertions are expressed in the simple subset of the Property Specification Language PSL, an IEEE standard originally intended for the behavioral specification of hardware designs. The target execution system is the eMIPS processor, a dynamically self-extensible processor realized with an FPGA. The system can concurrently execute and check multiple programs at a time. Assertions are compiled into eMIPS Extensions, which are loaded by the operating system software into a portion of the FPGA at program loading time, and discarded once the program terminates. If an assertion is violated the program receives an exception; otherwise it executes fully unaware of its verifier. The software program does not need to be modified in any way; it can be compiled separately with full optimizations and executes with or without the corresponding hardware checker. The P2V compiler is implemented in Python. It generates code for the implementation of the eMIPS processor running on the Xilinx ML401 development board. It is currently used to verify software properties in such areas as testing and debugging, intrusion detection, and the behavioral verification of concurrent and real-time programs.
LOLA: Runtime Monitoring of Synchronous Systems
Cited by 2 (0 self)
We present a specification language and algorithms for the online and offline monitoring of synchronous systems including circuits and embedded systems. Such monitoring is useful not only for testing, but also under actual deployment. The specification language is simple and expressive; it can describe both correctness/failure assertions along with interesting statistical measures that are useful for system profiling and coverage analysis. The algorithm for online monitoring of queries in this language follows a partial evaluation strategy: it incrementally constructs output streams from input streams, while maintaining a store of partially evaluated expressions for forward references. We identify a class of specifications, characterized syntactically, for which the algorithm’s memory requirement is independent of the length of the input streams. Being able to bound memory requirements is especially important in online monitoring of large input streams. We extend the concepts used in the online algorithm to construct an efficient offline monitoring algorithm for large traces. We have implemented our algorithm and applied it to two industrial systems, the PCI bus protocol and a memory controller. The results demonstrate that our algorithms are practical and that our specification language is sufficiently expressive to handle specifications of interest to industry.
Policy auditing over incomplete logs: Theory, implementation and applications
- In Proc. ACM CCS, 2011
Cited by 2 (2 self)
We present the design, implementation and evaluation of an algorithm that checks audit logs for compliance with privacy and security policies. The algorithm, which we name reduce, addresses two fundamental challenges in compliance checking that arise in practice. First, in order to be applicable to realistic policies, reduce operates on policies expressed in a first-order logic that allows restricted quantification over infinite domains. We build on ideas from logic programming to identify the restricted form of quantified formulas. The logic can, in particular, express all 84 disclosure-related clauses of the HIPAA Privacy Rule, which involve quantification over the infinite set of messages containing personal information. Second, since audit logs are inherently incomplete (they may not contain sufficient information to determine whether a policy is violated or not), reduce proceeds iteratively: in each iteration, it provably checks as much of the policy as possible over the current log and outputs a residual policy that can only be checked when the log is extended with additional information. We prove correctness, termination, time and space complexity results for reduce. We implement reduce and optimize the base implementation using two heuristics for database indexing that are guided by the syntactic structure of policies. The implementation is used to check simulated audit logs for compliance with the HIPAA Privacy Rule. Our experimental results demonstrate that the algorithm is fast enough to be used in practice.