NASA / CP - 2008 - 215309 Proceedings of the Sixth NASA Langley

We describe a runtime verification approach to increase the safety of IVHM systems by an integration of TEAMS models and MOP (Monitor-Oriented Programming). The TEAMS model is used to automatically extract relevant runtime information from the controlled system by means of events. This information is passed on-line to the MOP engine, allowing to verify complex temporal properties and to discover running patterns which are of interest in detecting and preventing faulty behaviors. 1. Monitor-Oriented Programming (MOP) MOP [2, 1] has its roots in a runtime verification system, PathExplorer (PAX) [6, 5], developed jointly with former NASA colleagues. PAX has found mission critical errors in NASA software. In a recent OOPSLA’07 paper [2], it was shown that the MOP framework can monitor large programs against complex parametric temporal specifications at a typically unnoticeable runtime overhead. Many properties can be monitored in parallel in MOP. The execution trace against which the various properties are checked is extracted via automatic code instrumentation from the running program as a sequence of events – state snapshots. Events produce sufficient information about the concrete program state in order for the monitors to correctly check their properties. In MOP, the runtime monitoring of each property consists of two orthogonal mechanisms: observation and verification. The observation mechanism extracts property-relevant and filtered system states at designated points, e.g., when property-specific events happen. The verification mechanism checks the obtained abstract trace against the property and triggers desired actions in case of violations or validations. Observation and verification are therefore independent: the algorithm used within the monitor does not affect how the execution is observed, and vice versa. MOP is a highly configurable and extensible runtime verification framework. Depending upon configuration, the monitors can be separate programs reading events from a log file, from a socket or from a buffer, or can be in-lined within the program at the event observation points. Properties can be specified in MOP by means of logic plugins which essentially encapsulate and standardize monitor synthesis algorithms for various formalisms of interest. Here are several logic plugins currently provided by MOP: — Design by Contract: A JAVA logic plugin for JASS has been implemented in MOP. JASS supports the following types of assertions: method pre-conditions and post-conditions, loop variants and invariants, and class invariants. Proceedings of The Sixth NASA Langley Formal Methods Workshop 17 Sudipto Ghoshal et al.: Monitoring IVHM Systems Using a Monitor-Oriented Programming Framework — Temporal Logics: Temporal logics proved to be indispensable expressive formalisms in the field of formal specification and verification of systems. Many practical safety properties can be naturally expressed in temporal logics, making them desirable specification formalisms in the MOP framework. Login plugins for both future and past time temporal logics are available. — Extended Regular Expressions: Software engineers and programmers understand easily regular patterns, as shown by the interest in and the success of scripting languages like PERL. We believe that regular expressions provide an elegant and powerful specification language also for monitoring requirements, because an execution trace of a program is a string of states. Extended regular expressions (ERE) add complementation to regular expressions, allowing one to specify patterns that must not occur. An ERE logic plugin is available in MOP.