1ff0aaf67SDaniel Bristot de Oliveira==================== 2ff0aaf67SDaniel Bristot de OliveiraRuntime Verification 3ff0aaf67SDaniel Bristot de Oliveira==================== 4ff0aaf67SDaniel Bristot de Oliveira 5ff0aaf67SDaniel Bristot de OliveiraRuntime Verification (RV) is a lightweight (yet rigorous) method that 6ff0aaf67SDaniel Bristot de Oliveiracomplements classical exhaustive verification techniques (such as *model 7ff0aaf67SDaniel Bristot de Oliveirachecking* and *theorem proving*) with a more practical approach for complex 8ff0aaf67SDaniel Bristot de Oliveirasystems. 9ff0aaf67SDaniel Bristot de Oliveira 10ff0aaf67SDaniel Bristot de OliveiraInstead of relying on a fine-grained model of a system (e.g., a 11ff0aaf67SDaniel Bristot de Oliveirare-implementation a instruction level), RV works by analyzing the trace of the 12ff0aaf67SDaniel Bristot de Oliveirasystem's actual execution, comparing it against a formal specification of 13ff0aaf67SDaniel Bristot de Oliveirathe system behavior. 14ff0aaf67SDaniel Bristot de Oliveira 15ff0aaf67SDaniel Bristot de OliveiraThe main advantage is that RV can give precise information on the runtime 16ff0aaf67SDaniel Bristot de Oliveirabehavior of the monitored system, without the pitfalls of developing models 17ff0aaf67SDaniel Bristot de Oliveirathat require a re-implementation of the entire system in a modeling language. 18ff0aaf67SDaniel Bristot de OliveiraMoreover, given an efficient monitoring method, it is possible execute an 19ff0aaf67SDaniel Bristot de Oliveira*online* verification of a system, enabling the *reaction* for unexpected 20ff0aaf67SDaniel Bristot de Oliveiraevents, avoiding, for example, the propagation of a failure on safety-critical 21ff0aaf67SDaniel Bristot de Oliveirasystems. 22ff0aaf67SDaniel Bristot de Oliveira 23ff0aaf67SDaniel Bristot de OliveiraRuntime Monitors and Reactors 24ff0aaf67SDaniel Bristot de Oliveira============================= 25ff0aaf67SDaniel Bristot de Oliveira 26ff0aaf67SDaniel Bristot de OliveiraA monitor is the central part of the runtime verification of a system. The 27ff0aaf67SDaniel Bristot de Oliveiramonitor stands in between the formal specification of the desired (or 28ff0aaf67SDaniel Bristot de Oliveiraundesired) behavior, and the trace of the actual system. 29ff0aaf67SDaniel Bristot de Oliveira 30ff0aaf67SDaniel Bristot de OliveiraIn Linux terms, the runtime verification monitors are encapsulated inside the 31ff0aaf67SDaniel Bristot de Oliveira*RV monitor* abstraction. A *RV monitor* includes a reference model of the 32ff0aaf67SDaniel Bristot de Oliveirasystem, a set of instances of the monitor (per-cpu monitor, per-task monitor, 33ff0aaf67SDaniel Bristot de Oliveiraand so on), and the helper functions that glue the monitor to the system via 34*d56b699dSBjorn Helgaastrace, as depicted below:: 35ff0aaf67SDaniel Bristot de Oliveira 36ff0aaf67SDaniel Bristot de Oliveira Linux +---- RV Monitor ----------------------------------+ Formal 37ff0aaf67SDaniel Bristot de Oliveira Realm | | Realm 38ff0aaf67SDaniel Bristot de Oliveira +-------------------+ +----------------+ +-----------------+ 39ff0aaf67SDaniel Bristot de Oliveira | Linux kernel | | Monitor | | Reference | 40ff0aaf67SDaniel Bristot de Oliveira | Tracing | -> | Instance(s) | <- | Model | 41ff0aaf67SDaniel Bristot de Oliveira | (instrumentation) | | (verification) | | (specification) | 42ff0aaf67SDaniel Bristot de Oliveira +-------------------+ +----------------+ +-----------------+ 43ff0aaf67SDaniel Bristot de Oliveira | | | 44ff0aaf67SDaniel Bristot de Oliveira | V | 45ff0aaf67SDaniel Bristot de Oliveira | +----------+ | 46ff0aaf67SDaniel Bristot de Oliveira | | Reaction | | 47ff0aaf67SDaniel Bristot de Oliveira | +--+--+--+-+ | 48ff0aaf67SDaniel Bristot de Oliveira | | | | | 49ff0aaf67SDaniel Bristot de Oliveira | | | +-> trace output ? | 50ff0aaf67SDaniel Bristot de Oliveira +------------------------|--|----------------------+ 51ff0aaf67SDaniel Bristot de Oliveira | +----> panic ? 52ff0aaf67SDaniel Bristot de Oliveira +-------> <user-specified> 53ff0aaf67SDaniel Bristot de Oliveira 54ff0aaf67SDaniel Bristot de OliveiraIn addition to the verification and monitoring of the system, a monitor can 55ff0aaf67SDaniel Bristot de Oliveirareact to an unexpected event. The forms of reaction can vary from logging the 56ff0aaf67SDaniel Bristot de Oliveiraevent occurrence to the enforcement of the correct behavior to the extreme 57ff0aaf67SDaniel Bristot de Oliveiraaction of taking a system down to avoid the propagation of a failure. 58ff0aaf67SDaniel Bristot de Oliveira 59ff0aaf67SDaniel Bristot de OliveiraIn Linux terms, a *reactor* is an reaction method available for *RV monitors*. 60ff0aaf67SDaniel Bristot de OliveiraBy default, all monitors should provide a trace output of their actions, 61ff0aaf67SDaniel Bristot de Oliveirawhich is already a reaction. In addition, other reactions will be available 62ff0aaf67SDaniel Bristot de Oliveiraso the user can enable them as needed. 63ff0aaf67SDaniel Bristot de Oliveira 64ff0aaf67SDaniel Bristot de OliveiraFor further information about the principles of runtime verification and 65ff0aaf67SDaniel Bristot de OliveiraRV applied to Linux: 66ff0aaf67SDaniel Bristot de Oliveira 67ff0aaf67SDaniel Bristot de Oliveira Bartocci, Ezio, et al. *Introduction to runtime verification.* In: Lectures on 68ff0aaf67SDaniel Bristot de Oliveira Runtime Verification. Springer, Cham, 2018. p. 1-33. 69ff0aaf67SDaniel Bristot de Oliveira 70ff0aaf67SDaniel Bristot de Oliveira Falcone, Ylies, et al. *A taxonomy for classifying runtime verification tools.* 71ff0aaf67SDaniel Bristot de Oliveira In: International Conference on Runtime Verification. Springer, Cham, 2018. p. 72ff0aaf67SDaniel Bristot de Oliveira 241-262. 73ff0aaf67SDaniel Bristot de Oliveira 74ff0aaf67SDaniel Bristot de Oliveira De Oliveira, Daniel Bristot. *Automata-based formal analysis and 75ff0aaf67SDaniel Bristot de Oliveira verification of the real-time Linux kernel.* Ph.D. Thesis, 2020. 76ff0aaf67SDaniel Bristot de Oliveira 77ff0aaf67SDaniel Bristot de OliveiraOnline RV monitors 78ff0aaf67SDaniel Bristot de Oliveira================== 79ff0aaf67SDaniel Bristot de Oliveira 80ff0aaf67SDaniel Bristot de OliveiraMonitors can be classified as *offline* and *online* monitors. *Offline* 81ff0aaf67SDaniel Bristot de Oliveiramonitor process the traces generated by a system after the events, generally by 82ff0aaf67SDaniel Bristot de Oliveirareading the trace execution from a permanent storage system. *Online* monitors 83ff0aaf67SDaniel Bristot de Oliveiraprocess the trace during the execution of the system. Online monitors are said 84ff0aaf67SDaniel Bristot de Oliveirato be *synchronous* if the processing of an event is attached to the system 85ff0aaf67SDaniel Bristot de Oliveiraexecution, blocking the system during the event monitoring. On the other hand, 86ff0aaf67SDaniel Bristot de Oliveiraan *asynchronous* monitor has its execution detached from the system. Each type 87ff0aaf67SDaniel Bristot de Oliveiraof monitor has a set of advantages. For example, *offline* monitors can be 88ff0aaf67SDaniel Bristot de Oliveiraexecuted on different machines but require operations to save the log to a 89ff0aaf67SDaniel Bristot de Oliveirafile. In contrast, *synchronous online* method can react at the exact moment 90ff0aaf67SDaniel Bristot de Oliveiraa violation occurs. 91ff0aaf67SDaniel Bristot de Oliveira 92ff0aaf67SDaniel Bristot de OliveiraAnother important aspect regarding monitors is the overhead associated with the 93ff0aaf67SDaniel Bristot de Oliveiraevent analysis. If the system generates events at a frequency higher than the 94ff0aaf67SDaniel Bristot de Oliveiramonitor's ability to process them in the same system, only the *offline* 95ff0aaf67SDaniel Bristot de Oliveiramethods are viable. On the other hand, if the tracing of the events incurs 96ff0aaf67SDaniel Bristot de Oliveiraon higher overhead than the simple handling of an event by a monitor, then a 97ff0aaf67SDaniel Bristot de Oliveira*synchronous online* monitors will incur on lower overhead. 98ff0aaf67SDaniel Bristot de Oliveira 99ff0aaf67SDaniel Bristot de OliveiraIndeed, the research presented in: 100ff0aaf67SDaniel Bristot de Oliveira 101ff0aaf67SDaniel Bristot de Oliveira De Oliveira, Daniel Bristot; Cucinotta, Tommaso; De Oliveira, Romulo Silva. 102ff0aaf67SDaniel Bristot de Oliveira *Efficient formal verification for the Linux kernel.* In: International 103ff0aaf67SDaniel Bristot de Oliveira Conference on Software Engineering and Formal Methods. Springer, Cham, 2019. 104ff0aaf67SDaniel Bristot de Oliveira p. 315-332. 105ff0aaf67SDaniel Bristot de Oliveira 106ff0aaf67SDaniel Bristot de OliveiraShows that for Deterministic Automata models, the synchronous processing of 107ff0aaf67SDaniel Bristot de Oliveiraevents in-kernel causes lower overhead than saving the same events to the trace 108ff0aaf67SDaniel Bristot de Oliveirabuffer, not even considering collecting the trace for user-space analysis. 109ff0aaf67SDaniel Bristot de OliveiraThis motivated the development of an in-kernel interface for online monitors. 110ff0aaf67SDaniel Bristot de Oliveira 111ff0aaf67SDaniel Bristot de OliveiraFor further information about modeling of Linux kernel behavior using automata, 112ff0aaf67SDaniel Bristot de Oliveirasee: 113ff0aaf67SDaniel Bristot de Oliveira 114ff0aaf67SDaniel Bristot de Oliveira De Oliveira, Daniel B.; De Oliveira, Romulo S.; Cucinotta, Tommaso. *A thread 115ff0aaf67SDaniel Bristot de Oliveira synchronization model for the PREEMPT_RT Linux kernel.* Journal of Systems 116ff0aaf67SDaniel Bristot de Oliveira Architecture, 2020, 107: 101729. 117ff0aaf67SDaniel Bristot de Oliveira 118ff0aaf67SDaniel Bristot de OliveiraThe user interface 119ff0aaf67SDaniel Bristot de Oliveira================== 120ff0aaf67SDaniel Bristot de Oliveira 121ff0aaf67SDaniel Bristot de OliveiraThe user interface resembles the tracing interface (on purpose). It is 122ff0aaf67SDaniel Bristot de Oliveiracurrently at "/sys/kernel/tracing/rv/". 123ff0aaf67SDaniel Bristot de Oliveira 124ff0aaf67SDaniel Bristot de OliveiraThe following files/folders are currently available: 125ff0aaf67SDaniel Bristot de Oliveira 126ff0aaf67SDaniel Bristot de Oliveira**available_monitors** 127ff0aaf67SDaniel Bristot de Oliveira 128ff0aaf67SDaniel Bristot de Oliveira- Reading list the available monitors, one per line 129ff0aaf67SDaniel Bristot de Oliveira 130ff0aaf67SDaniel Bristot de OliveiraFor example:: 131ff0aaf67SDaniel Bristot de Oliveira 132ff0aaf67SDaniel Bristot de Oliveira # cat available_monitors 133ff0aaf67SDaniel Bristot de Oliveira wip 134ff0aaf67SDaniel Bristot de Oliveira wwnr 135ff0aaf67SDaniel Bristot de Oliveira 136ff0aaf67SDaniel Bristot de Oliveira**available_reactors** 137ff0aaf67SDaniel Bristot de Oliveira 138ff0aaf67SDaniel Bristot de Oliveira- Reading shows the available reactors, one per line. 139ff0aaf67SDaniel Bristot de Oliveira 140ff0aaf67SDaniel Bristot de OliveiraFor example:: 141ff0aaf67SDaniel Bristot de Oliveira 142ff0aaf67SDaniel Bristot de Oliveira # cat available_reactors 143ff0aaf67SDaniel Bristot de Oliveira nop 144ff0aaf67SDaniel Bristot de Oliveira panic 145ff0aaf67SDaniel Bristot de Oliveira printk 146ff0aaf67SDaniel Bristot de Oliveira 147ff0aaf67SDaniel Bristot de Oliveira**enabled_monitors**: 148ff0aaf67SDaniel Bristot de Oliveira 149ff0aaf67SDaniel Bristot de Oliveira- Reading lists the enabled monitors, one per line 150ff0aaf67SDaniel Bristot de Oliveira- Writing to it enables a given monitor 151ff0aaf67SDaniel Bristot de Oliveira- Writing a monitor name with a '!' prefix disables it 152ff0aaf67SDaniel Bristot de Oliveira- Truncating the file disables all enabled monitors 153ff0aaf67SDaniel Bristot de Oliveira 154ff0aaf67SDaniel Bristot de OliveiraFor example:: 155ff0aaf67SDaniel Bristot de Oliveira 156ff0aaf67SDaniel Bristot de Oliveira # cat enabled_monitors 157ff0aaf67SDaniel Bristot de Oliveira # echo wip > enabled_monitors 158ff0aaf67SDaniel Bristot de Oliveira # echo wwnr >> enabled_monitors 159ff0aaf67SDaniel Bristot de Oliveira # cat enabled_monitors 160ff0aaf67SDaniel Bristot de Oliveira wip 161ff0aaf67SDaniel Bristot de Oliveira wwnr 162ff0aaf67SDaniel Bristot de Oliveira # echo '!wip' >> enabled_monitors 163ff0aaf67SDaniel Bristot de Oliveira # cat enabled_monitors 164ff0aaf67SDaniel Bristot de Oliveira wwnr 165ff0aaf67SDaniel Bristot de Oliveira # echo > enabled_monitors 166ff0aaf67SDaniel Bristot de Oliveira # cat enabled_monitors 167ff0aaf67SDaniel Bristot de Oliveira # 168ff0aaf67SDaniel Bristot de Oliveira 169ff0aaf67SDaniel Bristot de OliveiraNote that it is possible to enable more than one monitor concurrently. 170ff0aaf67SDaniel Bristot de Oliveira 171ff0aaf67SDaniel Bristot de Oliveira**monitoring_on** 172ff0aaf67SDaniel Bristot de Oliveira 173ff0aaf67SDaniel Bristot de OliveiraThis is an on/off general switcher for monitoring. It resembles the 174ff0aaf67SDaniel Bristot de Oliveira"tracing_on" switcher in the trace interface. 175ff0aaf67SDaniel Bristot de Oliveira 176ff0aaf67SDaniel Bristot de Oliveira- Writing "0" stops the monitoring 177ff0aaf67SDaniel Bristot de Oliveira- Writing "1" continues the monitoring 178ff0aaf67SDaniel Bristot de Oliveira- Reading returns the current status of the monitoring 179ff0aaf67SDaniel Bristot de Oliveira 180ff0aaf67SDaniel Bristot de OliveiraNote that it does not disable enabled monitors but stop the per-entity 181ff0aaf67SDaniel Bristot de Oliveiramonitors monitoring the events received from the system. 182ff0aaf67SDaniel Bristot de Oliveira 183ff0aaf67SDaniel Bristot de Oliveira**reacting_on** 184ff0aaf67SDaniel Bristot de Oliveira 185ff0aaf67SDaniel Bristot de Oliveira- Writing "0" prevents reactions for happening 186ff0aaf67SDaniel Bristot de Oliveira- Writing "1" enable reactions 187ff0aaf67SDaniel Bristot de Oliveira- Reading returns the current status of the reaction 188ff0aaf67SDaniel Bristot de Oliveira 189ff0aaf67SDaniel Bristot de Oliveira**monitors/** 190ff0aaf67SDaniel Bristot de Oliveira 191ff0aaf67SDaniel Bristot de OliveiraEach monitor will have its own directory inside "monitors/". There the 192ff0aaf67SDaniel Bristot de Oliveiramonitor-specific files will be presented. The "monitors/" directory resembles 193ff0aaf67SDaniel Bristot de Oliveirathe "events" directory on tracefs. 194ff0aaf67SDaniel Bristot de Oliveira 195ff0aaf67SDaniel Bristot de OliveiraFor example:: 196ff0aaf67SDaniel Bristot de Oliveira 197ff0aaf67SDaniel Bristot de Oliveira # cd monitors/wip/ 198ff0aaf67SDaniel Bristot de Oliveira # ls 199ff0aaf67SDaniel Bristot de Oliveira desc enable 200ff0aaf67SDaniel Bristot de Oliveira # cat desc 201ff0aaf67SDaniel Bristot de Oliveira wakeup in preemptive per-cpu testing monitor. 202ff0aaf67SDaniel Bristot de Oliveira # cat enable 203ff0aaf67SDaniel Bristot de Oliveira 0 204ff0aaf67SDaniel Bristot de Oliveira 205ff0aaf67SDaniel Bristot de Oliveira**monitors/MONITOR/desc** 206ff0aaf67SDaniel Bristot de Oliveira 207ff0aaf67SDaniel Bristot de Oliveira- Reading shows a description of the monitor *MONITOR* 208ff0aaf67SDaniel Bristot de Oliveira 209ff0aaf67SDaniel Bristot de Oliveira**monitors/MONITOR/enable** 210ff0aaf67SDaniel Bristot de Oliveira 211ff0aaf67SDaniel Bristot de Oliveira- Writing "0" disables the *MONITOR* 212ff0aaf67SDaniel Bristot de Oliveira- Writing "1" enables the *MONITOR* 213ff0aaf67SDaniel Bristot de Oliveira- Reading return the current status of the *MONITOR* 214ff0aaf67SDaniel Bristot de Oliveira 215ff0aaf67SDaniel Bristot de Oliveira**monitors/MONITOR/reactors** 216ff0aaf67SDaniel Bristot de Oliveira 217ff0aaf67SDaniel Bristot de Oliveira- List available reactors, with the select reaction for the given *MONITOR* 218ff0aaf67SDaniel Bristot de Oliveira inside "[]". The default one is the nop (no operation) reactor. 219ff0aaf67SDaniel Bristot de Oliveira- Writing the name of a reactor enables it to the given MONITOR. 220ff0aaf67SDaniel Bristot de Oliveira 221ff0aaf67SDaniel Bristot de OliveiraFor example:: 222ff0aaf67SDaniel Bristot de Oliveira 223ff0aaf67SDaniel Bristot de Oliveira # cat monitors/wip/reactors 224ff0aaf67SDaniel Bristot de Oliveira [nop] 225ff0aaf67SDaniel Bristot de Oliveira panic 226ff0aaf67SDaniel Bristot de Oliveira printk 227ff0aaf67SDaniel Bristot de Oliveira # echo panic > monitors/wip/reactors 228ff0aaf67SDaniel Bristot de Oliveira # cat monitors/wip/reactors 229ff0aaf67SDaniel Bristot de Oliveira nop 230ff0aaf67SDaniel Bristot de Oliveira [panic] 231ff0aaf67SDaniel Bristot de Oliveira printk 232