Apr 132016

The paper entitled “Modularizing Crosscutting Concerns in Component-Based Systems” has been accepted for publication in SEFM 2016, the 14th International Conference on Software Engineering and Formal Methods.

Below is the abstract of the paper:

We define a method to modularize crosscutting concerns in Behavior Interaction Priority (BIP) component-based framework. Our method is inspired from the Aspect Oriented Programming (AOP) paradigm which was initially conceived to support the separation of concerns during the development of monolithic systems. BIP has a formal operational semantics and makes a clear separation between architecture and behavior to allow for compositional and incremental design and analysis of systems. We thus distinguish local from global aspects. Local aspects model concerns at the component level and are used to refine the behavior of components. Global aspects model concerns at the architecture level, and hence refine communications (synchronization and data transfer) between components. We formalize global aspects as well as their integration into a BIP system through rigorous transformation primitives and overview local aspects. We present AOP-BIP, a tool for Aspect-Oriented Programming of BIP systems, and demonstrate its use to modularize logging, security, and fault-tolerance in a network protocol.

This is joint work with Antoine El-Hokayem (Univ. Grenoble Alpes) and Mohamad Jaber (American University of Beirut).

Feb 292016

The paper entitled “Monitoring Multi-threaded Component-based Systems” has been accepted for publication in the proceedings of iFM 16, the 12th International Conference on integrated Formal Methods, June 1st – 5th, 2016, Reykjavik, Iceland.

Below is the abstract of the paper:

This paper addresses the monitoring of logic-independent linear-time user-provided properties on multi-threaded component-based systems. We consider intrinsically independent components that can be executed concurrently with a centralized coordination for multiparty interactions. In this context, the problem that arises is that a global state of the system is not available to the monitor. A naive solution to this problem would be to plug a monitor which would force the system to synchronize in order to obtain the sequence of global states at runtime. Such solution would defeat the whole purpose of having concurrent components. Instead, we reconstruct on-the-fly the global states by accumulating the partial states traversed by the system at runtime. We define formal transformations of components that preserve the semantics and the concurrency and, at the same time, allow to monitor global-state properties. Moreover, we present RVMT-BIP, a prototype tool implementing the transformations for monitoring multi-threaded systems described in the BIP (Behavior, Interaction, Priority) framework, an expressive framework for the formal construction of hetero- geneous systems. Our experiments on several multi-threaded BIP systems show that RVMT-BIP induces a cheap runtime overhead.

This is joint work with Hosein Nazarpour, Saddek Bensalem, Marius Bozga and Jacques Combaz, from Vérimag, Grenoble, France.

A pre-print of the paper can be found here.

One can find the necessary information to download and play with RVMT-BIP by following this link to Hosein’s webpage.

Feb 292016

The paper entitled “Runtime Enforcement of Regular Timed Properties by Suppressing and Delaying Events” has been accepted for publication in SCP, Science of Computer Programming, an Elsevier journal.

Here is the abstract of the paper:

Runtime enforcement is a verification/validation technique aiming at correcting possibly incorrect executions of a system of interest. In this paper, we consider enforcement monitoring for systems where the physical time elapsing between actions matters. Executions are thus modelled as timed words (i.e., sequences of actions with dates). We consider runtime enforcement for timed specifications modelled as timed automata. Our enforcement mechanisms have the power of both delaying events to match timing constraints, and suppressing events when no delaying is appropriate, thus possibly allowing for longer executions. To ease their design and their correctness-proof, enforcement mechanisms are described at several levels: enforcement functions that specify the input-output behaviour in terms of transformations of timed words, constraints that should be satisfied by such functions, enforcement monitors that describe the operational behaviour of enforcement functions, and enforcement algorithms that describe the implementation of enforcement monitors. The feasibility of enforcement monitoring for timed properties is validated by prototyping the synthesis of enforcement monitors from timed automata.

This is joint work with T. Jéron, H. Marchand, and S. Pinisetty.

Online version at Elsevier can be found here.

A pre-print of the paper can be found here.


Feb 032016

The paper entitled “Fully-automated Runtime Enforcement of Component-based Systems with Formal and Sound Recovery” has been accepted for publication in the Springer journal Software Tools for Technology Transfer.


We introduce runtime enforcement of specifications on component-based systems (CBS) modeled in the behavior, interaction and priority (BIP) framework. Runtime enforcement is an increasingly popular and effective dynamic validation technique aiming to ensure the correct runtime behavior (w.r.t. a formal specification) of a system using a so-called enforcement monitor. BIP is a powerful and expressive component-based framework for the formal construction of heterogeneous systems. Because of BIP expressiveness, however, it is difficult to enforce complex behavioral properties at design-time. We first introduce a theoretical runtime enforcement framework for component-based systems where we delineate a hierarchy of enforceable properties (i.e., properties that can be enforced) according to the number of observational steps a system is allowed to deviate from the property (i.e., the notion of k-step enforceability). To ensure the observational equivalence between the correct executions of the initial system and the monitored system, we show that (i) only stutter-invariant properties should be enforced on CBS with our monitors, and (ii) safety properties are 1-step enforceable. Second, given an abstract enforcement monitor for some 1-step enforceable property, we define a series of formal transformations to instrument (at relevant locations) a CBS described in the BIP framework to integrate the monitor. At runtime, the monitor observes and automatically avoids any error in the behavior of the system w.r.t. the property. Third, our approach is fully implemented in RE-BIP, an available tool integrated in the BIP tool suite. Fourth, to validate our approach, we use RE-BIP to (i) enforce deadlock-freedom on a dining philosophers benchmark, and (ii) ensure the correct placement of robots on a map.


Runtime enforcement Component-based systems Monitoring k-step enforceability BIP

Online version at Springer available here.

This is joint work with Mohamad Jaber from American University of Beirut, Lebanon.


Jan 012016

I am happy to announce RV 2016 which I will be PC chairing with César Sanchez (IMDEA Madrid, Spain).

This year, RV will be supported by a strong program committee and will take place in a wonderful venue. RV will feature 3 keynote talks from world-class researchers, a summer school on Runtime Verification, a competition on tools for runtime verification, tutorials, and workshops.

Below are the important dates:

  • Abstract deadline: May 8, 2016
  • Paper and tutorial deadline: May 15, 2016
  • Tutorial notification: June 1, 2016
  • Paper notification: July 11, 2016
  • Camera ready: August 8, 2016
  • Summer school on Runtime Verification: September 23-25, 2016
  • Workshops and tutorials: September 26-27, 2016
  • Conference: September 28-30, 2016

Complete information about RV 2016 can be found at:



Dec 012015

The paper Predictive Runtime Enforcement has been accepted for publication in the proceedings of the 31st ACM Symposium on Applied Computing – Software Verification and Testing track.

Below is the abstract of the paper:

Runtime enforcement (RE) is a technique to ensure that the (un- trustworthy) output of a black-box system satisfies some desired properties. In RE, the output of the running system, modeled as a stream of events, is fed into an enforcement monitor. The monitor ensures that the stream complies with a certain property, by delaying or modifying events if necessary. This paper deals with predictive runtime enforcement, where the system is not entirely black-box, but we know something about its behavior. This a-priori knowledge about the system allows to output some events immediately, instead of delaying them until more events are observed, or even blocking them permanently. This in turn results in better enforcement policies. We also show that if we have no knowledge about the system, then the proposed enforcement mechanism reduces to a classical non-predictive RE framework. All our results are formalized and proved in the Isabelle theorem prover.

This is joint work with S. Pinisetty, V. Priotessa, S. Tripakis, T. Jéron, and H. Marchand.

Jul 282015

The paper Enforcement of (Timed) Properties with Uncontrollable Events has been accepted to ICTAC 2015.

Below is the abstract to the paper:

This paper deals with runtime enforcement of untimed and timed properties with uncontrollable events. Runtime enforcement consists in modifying the executions of a running system to ensure their correctness with respect to a desired property. We introduce a framework that takes as input any regular (timed) property over an alphabet of events, with some of these events being uncontrollable. An uncontrollable event cannot be delayed nor intercepted by an enforcement mechanism. Enforcement mechanisms satisfy important properties, namely soundness and compliance – meaning that enforcement mechanisms output correct executions that are close to the input execution. We discuss the conditions for a property to be enforceable with uncontrollable events, and we define enforcement mechanisms that modify executions to obtain a correct output, as soon as possible. Moreover, we synthesize sound and compliant descriptions of runtime enforcement mechanisms at two levels of abstraction to facilitate their design and implementation.

This is joint work with M. Renard and A. Rollet from LaBRI, S. Pinisetty from U of Aalto, T. Jéron and H. Marchand from Inria Rennes.

Jun 112015

The paper Monitoring Electronic Exams has been accepted for publication in the proceedings of RV 2015, the 15th international conference on Runtime Verification.

Here is the abstract of the paper:

Universities and other educational organizations are adopting com- puter-based assessment tools (herein called e-exams) to reach larger and ubiquitous audiences. While this makes examination tests more accessible, it exposes them to unprecedented threats not only from candidates but also from authorities, which organize exams and deliver marks. Thus, e-exams must be checked to detect potential irregularities. In this paper, we propose several monitors, expressed as Quantified Event Automata (QEA), to monitor the main properties of e-exams. Then, we implement the monitors using MarQ, a recent Java tool designed to support QEAs. Finally, we apply our monitors to logged data from real e-exams conducted by Université Joseph Fourier at pharmacy faculty, as a part of Epreuves Classantes Nationales informatisées, a pioneering project which aims to realize all french medicine exams electronically by 2016. Our monitors found discrepancies between the specification and the implementation.

This is joint work with Ali Kassem and Pascal Lafourcade from Univ. Grenoble Alpes, Vérimag.