Apr 172017
 

The paper entitled Formal analysis and offline monitoring of electronic exams has been accepted for publication in Formal Methods in System Design, a Springer journal.

The abstract of the paper is below:

More and more universities are moving toward electronic exams (in short e-exams). This migration exposes exams to additional threats, which may come from the use of the information and communication technology. In this paper, we identify and define several security properties for e-exam systems. Then, we show how to use these properties in two complementary approaches: model-checking and monitoring. We illustrate the validity of our definitions by analyzing a real e-exam used at the pharmacy faculty of University Grenoble Alpes (UGA ) to assess students. On the one hand, we instantiate our properties as queries for ProVerif, an automatic verifier of cryptographic protocols, and we use it to check our modeling of UGA exam specifications. ProVerif found some attacks. On the other hand, we express our properties as Quantified Event Automata (QEAs), and we synthesize them into monitors using MarQ, a Java tool designed to implement QEAs. Then, we use these monitors to verify real exam executions conducted by UGA. Our monitors found fraudulent students and discrepancies between the specifications of UGA exam and its implementation.

This is joint work with Ali Kassem (Inria Grenoble) and Pascal Lafourcade (University of Clermont).

Apr 152017
 

The paper entitled Optimal Enforcement of (Timed) Properties with Uncontrollable Events has been accepted for publication in Mathematical Structures in Computer Science, a Cambridge University Press journal.

Below is the abstract of the paper:

This paper deals with runtime enforcement of untimed and timed properties with uncontrollable events. Runtime enforcement consists in defining and using mechanisms that modify the executions of a running system to ensure their correctness with respect to a desired property. We introduce a framework that takes as input any regular (timed) property described by a deterministic automaton over an alphabet of events, with some of these events being uncontrollable. An uncontrollable event cannot be delayed nor intercepted by an enforcement mechanism. Enforcement mechanisms should satisfy important properties, namely soundness, compliance, and optimality – meaning that enforcement mechanisms should output as soon as possible correct executions that are as close as possible to the input execution. We define the conditions for a property to be enforceable with uncontrollable events. Moreover, we synthesise sound, compliant, and optimal descriptions of runtime enforcement mechanisms at two levels of abstraction to facilitate their design and implementation.

This is joint work with Matthieu Renard and Antoine Rollet from University of Bordeaux, Thierry Jéron and Hervé Marchand from Inria Rennes.

Mar 152017
 

The manuscript entitled First International Competition on Runtime Verification – Rules, Benchmarks, Tools, and Final Results of CRV 2014 has been accepted for publication in Software Tools for Technology Transfer, a Springer journal.

Below is an abstract of the paper

The First International Competition on Runtime Verification (CRV) was held in September 2014, in Toronto, Canada, as a satellite event of the 14th international conference on Runtime Verification (RV’14). The event was organized in three tracks: (1) offline monitoring, (2) online monitoring of C programs, and (3) online monitoring of Java programs. In this paper we report on the phases and rules, a description of the participating teams and their submitted benchmark, the (full) results, as well as the lessons learned from the competition.

Supplementary material, that is the benchmarks and participant’s evaluation scripts on the Inria GitLab repositories available at:

This is joint work with Ezio Bartocci and Borzoo Bonakdarpour, greatly improved by the contributions of the participants to the competition Christian Colombo, Normann Decker, Klaus Havelund, Yogi Joshi, Felix Klaedtke, Reed Milewicz, Giles Reger, Grigore Rosu, Julien Signoles, Daniel Thoma, Eugen Zalinescu, and Yi Zhang.

Acknowledgment

The competition organizers, E. Bartocci, Y. Falcone, and B. Bonakdarpour, are grateful to many people. The competition organizers would like to warmly thank all participants for their hard work, the members of the runtime verification community who encouraged them to initiate this work, the Laboratoire d’Informatique de Grenoble and Christian Seguy for its support, Inria and its GitLab framework, and finally the DataMill team for providing us with such a nice experimentation platform to run all benchmarks.

All the authors acknowledge the support of the ICT COST Action IC1402 Runtime Verification beyond Monitoring (ARVI). Ezio Bartocci  acknowledges also the partial support of the Austrian FFG project HARMONIA (nr. 845631) and the Austrian National Research Network (nr. S 11405-N23) SHiNE funded by the Austrian Science Fund (FWF).

The authors are grateful to the insightful reviewers who helped improving the quality of this paper.


Feb 202017
 

The manuscript entitled Concurrency-preserving and sound monitoring of multi-threaded component-based systems: theory, algorithms, implementation, and evaluation has been accepted for publication in Formal Aspects of Computing, a Springer journal.

The abstract of the paper is below:

This paper addresses the monitoring of logic-independent linear-time user-provided properties in multi-threaded component-based systems. We consider intrinsically independent components that can be executed concurrently with a centralized coordination for multiparty interactions. In this context, the problem that arises is that a global state of the system is not available to the monitor. A naive solution to this problem would be to plug in a monitor which would force the system to synchronize in order to obtain the sequence of global states at runtime. Such a solution would defeat the whole purpose of having concurrent components. Instead, we reconstruct on-the-fly the global states by accumulating the partial states traversed by the system at runtime. We define transformations of components that preserve their semantics and concurrency and, at the same time, allow to monitor global-state properties. Moreover, we present RVMT-BIP, a prototype tool implementing the transformations for monitoring multi-threaded systems described in the Behavior, Interaction, Priority (BIP) framework, an expressive framework for the formal construction of heterogeneous systems. Our experiments on several multi-threaded BIP systems show that RVMT-BIP induces a cheap runtime overhead.

The publisher version is available as Online First and the author version is available on my Publications page.

This is joint work with Hosein Nazarpour, Saddek Bensalem, and Marius Bozga from Verimag.

 

Feb 152017
 

The manuscript entitled Predictive runtime enforcement has been accepted for publication in Formal Methods in System Design, a Springer journal.

Abstract:

Runtime enforcement (RE) is a technique to ensure that the (untrustworthy) output of a black-box system satisfies some desired properties. In RE, the output of the running system, modeled as a sequence of events, is fed into an enforcer. The enforcer ensures that the sequence complies with a certain property, by delaying or modifying events if necessary. This paper deals with predictive runtime enforcement, where the system is not entirely black-box, but we know something about its behavior. This a priori knowledge about the system allows to output some events immediately, instead of delaying them until more events are observed, or even blocking them permanently. This in turn results in better enforcement policies. We also show that if we have no knowledge about the system, then the proposed enforcement mechanism reduces to standard (non-predictive) runtime enforcement. All our results related to predictive RE of untimed properties are also formalized and proved in the Isabelle theorem prover. We also discuss how our predictive runtime enforcement framework can be extended to enforce timed properties.

Keywords

Runtime monitoring; Runtime enforcement; Automata; Timed automata

The publisher version is available as Online First and the author version is available on my Publications page.

This is joint work with Srinivas Pinisetty, Viorel Preoteasa, Stavros Tripakis, Thierry Jéron, and Hervé Marchand.

Nov 112016
 

The paper entitled A high-level modeling language for the efficient design, implementation, and testing of Android applications has been accepted for publication in Software Tools for Technology Transfer, a Springer journal, and is now available for download.

Developing mobile applications remains difficult, time consuming, and error prone, in spite of the number of existing platforms and tools. In this paper, we develop MoDroid, a high-level modeling language to ease the development of Android applications. MoDroid allows developing models representing the core of applications. MoDroid provides Android programmers with the following advantages: (1) models are built using high-level primitives that abstract away several implementation details; (2) it allows the definition of interfaces between models to automatically compose them; (3) a native Android application can be automatically generated along with the required permissions definition; (4) it supports efficient testing execution that operates on models. MoDroid is fully implemented and was used to develop several non-trivial Android applications.

The paper is available as OnlineFirst on Springer Website and can be obtained by following this link. The pre-print can be downloaded by following this link.

This is joint work with Mohamad Jaber, Kinan Dak-Al-Bab, John Abou-Jaoudeh & Mostafa El-Katerji from American University of Beirut, Lebanon.

sttt-logo

Jun 062016
 

The paper entitled “Decentralized Enforcement of Artifact Lifecycles” has been accepted for publication in EDOC 2016, the twentieth Entreprise Computing Conference.

The abstract of the paper is below:

Artifact-centric workflows describe possible executions of a business process through constraints expressed from the point of view of the documents exchanged between principals. A sequence of manipulations is deemed valid as long as every document in the workflow follows its prescribed lifecycle at all steps of the process. So far, establishing that a given workflow complies with artifact lifecycles has mostly been done through static verification, or by assuming a centralized access to all artifacts where these constraints can be monitored and enforced. We present in this paper an alternate method of enforcing document lifecycles that requires neither static verification nor single-point access. Rather, the document itself is designed to carry fragments of its history, protected from tampering using hashing and public-key encryption. Any principal involved in the process can verify at any time that a document’s history complies with a given lifecycle. Moreover, the proposed system also enforces access permissions: not all actions are visible to all principals, and one can only modify and verify what one is allowed to observe.

The pre-print of the paper can be retrieved here.

This is joint work with Sylvain Hallé, Raphaël Khoury from Université du Québec à Chicoutimi, and Antoine El-Hokayem from Univ. Grenoble Alpes.
CS4WW8JUwAAwfCs

Apr 132016
 

The paper entitled “Modularizing Crosscutting Concerns in Component-Based Systems” has been accepted for publication in SEFM 2016, the 14th International Conference on Software Engineering and Formal Methods.

Below is the abstract of the paper:

We define a method to modularize crosscutting concerns in Behavior Interaction Priority (BIP) component-based framework. Our method is inspired from the Aspect Oriented Programming (AOP) paradigm which was initially conceived to support the separation of concerns during the development of monolithic systems. BIP has a formal operational semantics and makes a clear separation between architecture and behavior to allow for compositional and incremental design and analysis of systems. We thus distinguish local from global aspects. Local aspects model concerns at the component level and are used to refine the behavior of components. Global aspects model concerns at the architecture level, and hence refine communications (synchronization and data transfer) between components. We formalize global aspects as well as their integration into a BIP system through rigorous transformation primitives and overview local aspects. We present AOP-BIP, a tool for Aspect-Oriented Programming of BIP systems, and demonstrate its use to modularize logging, security, and fault-tolerance in a network protocol.

This is joint work with Antoine El-Hokayem (Univ. Grenoble Alpes) and Mohamad Jaber (American University of Beirut).

Feb 292016
 

The paper entitled “Monitoring Multi-threaded Component-based Systems” has been accepted for publication in the proceedings of iFM 16, the 12th International Conference on integrated Formal Methods, June 1st – 5th, 2016, Reykjavik, Iceland.

Below is the abstract of the paper:

This paper addresses the monitoring of logic-independent linear-time user-provided properties on multi-threaded component-based systems. We consider intrinsically independent components that can be executed concurrently with a centralized coordination for multiparty interactions. In this context, the problem that arises is that a global state of the system is not available to the monitor. A naive solution to this problem would be to plug a monitor which would force the system to synchronize in order to obtain the sequence of global states at runtime. Such solution would defeat the whole purpose of having concurrent components. Instead, we reconstruct on-the-fly the global states by accumulating the partial states traversed by the system at runtime. We define formal transformations of components that preserve the semantics and the concurrency and, at the same time, allow to monitor global-state properties. Moreover, we present RVMT-BIP, a prototype tool implementing the transformations for monitoring multi-threaded systems described in the BIP (Behavior, Interaction, Priority) framework, an expressive framework for the formal construction of hetero- geneous systems. Our experiments on several multi-threaded BIP systems show that RVMT-BIP induces a cheap runtime overhead.

This is joint work with Hosein Nazarpour, Saddek Bensalem, Marius Bozga and Jacques Combaz, from Vérimag, Grenoble, France.

A pre-print of the paper can be found here.

One can find the necessary information to download and play with RVMT-BIP by following this link to Hosein’s webpage.