232 lines
8.4 KiB
ReStructuredText
232 lines
8.4 KiB
ReStructuredText
====================
|
|
Runtime Verification
|
|
====================
|
|
|
|
Runtime Verification (RV) is a lightweight (yet rigorous) method that
|
|
complements classical exhaustive verification techniques (such as *model
|
|
checking* and *theorem proving*) with a more practical approach for complex
|
|
systems.
|
|
|
|
Instead of relying on a fine-grained model of a system (e.g., a
|
|
re-implementation a instruction level), RV works by analyzing the trace of the
|
|
system's actual execution, comparing it against a formal specification of
|
|
the system behavior.
|
|
|
|
The main advantage is that RV can give precise information on the runtime
|
|
behavior of the monitored system, without the pitfalls of developing models
|
|
that require a re-implementation of the entire system in a modeling language.
|
|
Moreover, given an efficient monitoring method, it is possible execute an
|
|
*online* verification of a system, enabling the *reaction* for unexpected
|
|
events, avoiding, for example, the propagation of a failure on safety-critical
|
|
systems.
|
|
|
|
Runtime Monitors and Reactors
|
|
=============================
|
|
|
|
A monitor is the central part of the runtime verification of a system. The
|
|
monitor stands in between the formal specification of the desired (or
|
|
undesired) behavior, and the trace of the actual system.
|
|
|
|
In Linux terms, the runtime verification monitors are encapsulated inside the
|
|
*RV monitor* abstraction. A *RV monitor* includes a reference model of the
|
|
system, a set of instances of the monitor (per-cpu monitor, per-task monitor,
|
|
and so on), and the helper functions that glue the monitor to the system via
|
|
trace, as depicted below::
|
|
|
|
Linux +---- RV Monitor ----------------------------------+ Formal
|
|
Realm | | Realm
|
|
+-------------------+ +----------------+ +-----------------+
|
|
| Linux kernel | | Monitor | | Reference |
|
|
| Tracing | -> | Instance(s) | <- | Model |
|
|
| (instrumentation) | | (verification) | | (specification) |
|
|
+-------------------+ +----------------+ +-----------------+
|
|
| | |
|
|
| V |
|
|
| +----------+ |
|
|
| | Reaction | |
|
|
| +--+--+--+-+ |
|
|
| | | | |
|
|
| | | +-> trace output ? |
|
|
+------------------------|--|----------------------+
|
|
| +----> panic ?
|
|
+-------> <user-specified>
|
|
|
|
In addition to the verification and monitoring of the system, a monitor can
|
|
react to an unexpected event. The forms of reaction can vary from logging the
|
|
event occurrence to the enforcement of the correct behavior to the extreme
|
|
action of taking a system down to avoid the propagation of a failure.
|
|
|
|
In Linux terms, a *reactor* is an reaction method available for *RV monitors*.
|
|
By default, all monitors should provide a trace output of their actions,
|
|
which is already a reaction. In addition, other reactions will be available
|
|
so the user can enable them as needed.
|
|
|
|
For further information about the principles of runtime verification and
|
|
RV applied to Linux:
|
|
|
|
Bartocci, Ezio, et al. *Introduction to runtime verification.* In: Lectures on
|
|
Runtime Verification. Springer, Cham, 2018. p. 1-33.
|
|
|
|
Falcone, Ylies, et al. *A taxonomy for classifying runtime verification tools.*
|
|
In: International Conference on Runtime Verification. Springer, Cham, 2018. p.
|
|
241-262.
|
|
|
|
De Oliveira, Daniel Bristot. *Automata-based formal analysis and
|
|
verification of the real-time Linux kernel.* Ph.D. Thesis, 2020.
|
|
|
|
Online RV monitors
|
|
==================
|
|
|
|
Monitors can be classified as *offline* and *online* monitors. *Offline*
|
|
monitor process the traces generated by a system after the events, generally by
|
|
reading the trace execution from a permanent storage system. *Online* monitors
|
|
process the trace during the execution of the system. Online monitors are said
|
|
to be *synchronous* if the processing of an event is attached to the system
|
|
execution, blocking the system during the event monitoring. On the other hand,
|
|
an *asynchronous* monitor has its execution detached from the system. Each type
|
|
of monitor has a set of advantages. For example, *offline* monitors can be
|
|
executed on different machines but require operations to save the log to a
|
|
file. In contrast, *synchronous online* method can react at the exact moment
|
|
a violation occurs.
|
|
|
|
Another important aspect regarding monitors is the overhead associated with the
|
|
event analysis. If the system generates events at a frequency higher than the
|
|
monitor's ability to process them in the same system, only the *offline*
|
|
methods are viable. On the other hand, if the tracing of the events incurs
|
|
on higher overhead than the simple handling of an event by a monitor, then a
|
|
*synchronous online* monitors will incur on lower overhead.
|
|
|
|
Indeed, the research presented in:
|
|
|
|
De Oliveira, Daniel Bristot; Cucinotta, Tommaso; De Oliveira, Romulo Silva.
|
|
*Efficient formal verification for the Linux kernel.* In: International
|
|
Conference on Software Engineering and Formal Methods. Springer, Cham, 2019.
|
|
p. 315-332.
|
|
|
|
Shows that for Deterministic Automata models, the synchronous processing of
|
|
events in-kernel causes lower overhead than saving the same events to the trace
|
|
buffer, not even considering collecting the trace for user-space analysis.
|
|
This motivated the development of an in-kernel interface for online monitors.
|
|
|
|
For further information about modeling of Linux kernel behavior using automata,
|
|
see:
|
|
|
|
De Oliveira, Daniel B.; De Oliveira, Romulo S.; Cucinotta, Tommaso. *A thread
|
|
synchronization model for the PREEMPT_RT Linux kernel.* Journal of Systems
|
|
Architecture, 2020, 107: 101729.
|
|
|
|
The user interface
|
|
==================
|
|
|
|
The user interface resembles the tracing interface (on purpose). It is
|
|
currently at "/sys/kernel/tracing/rv/".
|
|
|
|
The following files/folders are currently available:
|
|
|
|
**available_monitors**
|
|
|
|
- Reading list the available monitors, one per line
|
|
|
|
For example::
|
|
|
|
# cat available_monitors
|
|
wip
|
|
wwnr
|
|
|
|
**available_reactors**
|
|
|
|
- Reading shows the available reactors, one per line.
|
|
|
|
For example::
|
|
|
|
# cat available_reactors
|
|
nop
|
|
panic
|
|
printk
|
|
|
|
**enabled_monitors**:
|
|
|
|
- Reading lists the enabled monitors, one per line
|
|
- Writing to it enables a given monitor
|
|
- Writing a monitor name with a '!' prefix disables it
|
|
- Truncating the file disables all enabled monitors
|
|
|
|
For example::
|
|
|
|
# cat enabled_monitors
|
|
# echo wip > enabled_monitors
|
|
# echo wwnr >> enabled_monitors
|
|
# cat enabled_monitors
|
|
wip
|
|
wwnr
|
|
# echo '!wip' >> enabled_monitors
|
|
# cat enabled_monitors
|
|
wwnr
|
|
# echo > enabled_monitors
|
|
# cat enabled_monitors
|
|
#
|
|
|
|
Note that it is possible to enable more than one monitor concurrently.
|
|
|
|
**monitoring_on**
|
|
|
|
This is an on/off general switcher for monitoring. It resembles the
|
|
"tracing_on" switcher in the trace interface.
|
|
|
|
- Writing "0" stops the monitoring
|
|
- Writing "1" continues the monitoring
|
|
- Reading returns the current status of the monitoring
|
|
|
|
Note that it does not disable enabled monitors but stop the per-entity
|
|
monitors monitoring the events received from the system.
|
|
|
|
**reacting_on**
|
|
|
|
- Writing "0" prevents reactions for happening
|
|
- Writing "1" enable reactions
|
|
- Reading returns the current status of the reaction
|
|
|
|
**monitors/**
|
|
|
|
Each monitor will have its own directory inside "monitors/". There the
|
|
monitor-specific files will be presented. The "monitors/" directory resembles
|
|
the "events" directory on tracefs.
|
|
|
|
For example::
|
|
|
|
# cd monitors/wip/
|
|
# ls
|
|
desc enable
|
|
# cat desc
|
|
wakeup in preemptive per-cpu testing monitor.
|
|
# cat enable
|
|
0
|
|
|
|
**monitors/MONITOR/desc**
|
|
|
|
- Reading shows a description of the monitor *MONITOR*
|
|
|
|
**monitors/MONITOR/enable**
|
|
|
|
- Writing "0" disables the *MONITOR*
|
|
- Writing "1" enables the *MONITOR*
|
|
- Reading return the current status of the *MONITOR*
|
|
|
|
**monitors/MONITOR/reactors**
|
|
|
|
- List available reactors, with the select reaction for the given *MONITOR*
|
|
inside "[]". The default one is the nop (no operation) reactor.
|
|
- Writing the name of a reactor enables it to the given MONITOR.
|
|
|
|
For example::
|
|
|
|
# cat monitors/wip/reactors
|
|
[nop]
|
|
panic
|
|
printk
|
|
# echo panic > monitors/wip/reactors
|
|
# cat monitors/wip/reactors
|
|
nop
|
|
[panic]
|
|
printk
|