Apr 292017

The paper entitled Monitoring Decentralized Specifications has been accepted for publication in the proceedings of ISSTA 2017, the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, which will be held in Santa Barbara, California, USA, on July 10–14, 2017.

The abstract of the paper is below:

We define two complementary approaches to monitor decentralized systems. The first relies on those with a centralized specification, i.e, when the specification is written for the behavior of the entire system. To do so, our approach introduces a data-structure that i) keeps track of the execution of an automaton, ii) has predictable parameters and size, and iii) guarantees strong eventual consistency. The second approach defines decentralized specifications wherein multiple specifications are provided for separate parts of the system. We study decentralized monitorability, and present a general algorithm for monitoring decentralized specifications. We map three existing algorithms to our approaches and provide a framework for analyzing their behavior. Lastly, we introduce our tool, which is a framework for designing such decentralized algorithms, and simulating their behavior.

This is joint work with Antoine El-Hokayem (Univ. Grenoble Alpes, Inria, Laboratoire d’Informatique de Grenoble).

Apr 172017

The paper entitled Formal analysis and offline monitoring of electronic exams has been accepted for publication in Formal Methods in System Design, a Springer journal.

The abstract of the paper is below:

More and more universities are moving toward electronic exams (in short e-exams). This migration exposes exams to additional threats, which may come from the use of the information and communication technology. In this paper, we identify and define several security properties for e-exam systems. Then, we show how to use these properties in two complementary approaches: model-checking and monitoring. We illustrate the validity of our definitions by analyzing a real e-exam used at the pharmacy faculty of University Grenoble Alpes (UGA ) to assess students. On the one hand, we instantiate our properties as queries for ProVerif, an automatic verifier of cryptographic protocols, and we use it to check our modeling of UGA exam specifications. ProVerif found some attacks. On the other hand, we express our properties as Quantified Event Automata (QEAs), and we synthesize them into monitors using MarQ, a Java tool designed to implement QEAs. Then, we use these monitors to verify real exam executions conducted by UGA. Our monitors found fraudulent students and discrepancies between the specifications of UGA exam and its implementation.

The preprint of the paper can be downloaded here.

This is joint work with Ali Kassem (Inria Grenoble) and Pascal Lafourcade (University of Clermont).

Apr 162017

The paper entitled Runtime Enforcement Using Büchi Games has been accepted for publication in SPIN 2017, the 24th International SPIN Symposium on Model Checking of Software.

Below is an abstract of the paper.

We leverage Büchi games for the runtime enforcement of regular properties with uncontrollable events. Runtime enforcement consists in modifying the execution of a running system to have it satisfy a given regular property, modelled by an automaton. We revisit runtime enforcement with uncontrollable events and propose a framework where we model the runtime enforcement problem as a Büchi game and synthesise sound, compliant, and optimal enforcement mechanisms as strategies. We present algorithms and a tool implementing enforcement mechanisms. We reduce the complexity of the computations performed by enforcement mechanisms at runtime by pre-computing decisions of enforcement mechanisms ahead of time.

The preprint of the paper can be downloaded here.

This is joint work with Matthieu Renard and Antoine Rollet from University of Bordeaux (France).

Apr 152017

The paper entitled Optimal Enforcement of (Timed) Properties with Uncontrollable Events has been accepted for publication in Mathematical Structures in Computer Science, a Cambridge University Press journal.

Below is the abstract of the paper:

This paper deals with runtime enforcement of untimed and timed properties with uncontrollable events. Runtime enforcement consists in defining and using mechanisms that modify the executions of a running system to ensure their correctness with respect to a desired property. We introduce a framework that takes as input any regular (timed) property described by a deterministic automaton over an alphabet of events, with some of these events being uncontrollable. An uncontrollable event cannot be delayed nor intercepted by an enforcement mechanism. Enforcement mechanisms should satisfy important properties, namely soundness, compliance, and optimality – meaning that enforcement mechanisms should output as soon as possible correct executions that are as close as possible to the input execution. We define the conditions for a property to be enforceable with uncontrollable events. Moreover, we synthesise sound, compliant, and optimal descriptions of runtime enforcement mechanisms at two levels of abstraction to facilitate their design and implementation.

This is joint work with Matthieu Renard and Antoine Rollet from University of Bordeaux, Thierry Jéron and Hervé Marchand from Inria Rennes.

Mar 152017

The manuscript entitled First International Competition on Runtime Verification – Rules, Benchmarks, Tools, and Final Results of CRV 2014 has been accepted for publication in Software Tools for Technology Transfer, a Springer journal.

Below is an abstract of the paper

The First International Competition on Runtime Verification (CRV) was held in September 2014, in Toronto, Canada, as a satellite event of the 14th international conference on Runtime Verification (RV’14). The event was organized in three tracks: (1) offline monitoring, (2) online monitoring of C programs, and (3) online monitoring of Java programs. In this paper we report on the phases and rules, a description of the participating teams and their submitted benchmark, the (full) results, as well as the lessons learned from the competition.

Supplementary material, that is the benchmarks and participant’s evaluation scripts on the Inria GitLab repositories available at:

This is joint work with Ezio Bartocci and Borzoo Bonakdarpour, greatly improved by the contributions of the participants to the competition Christian Colombo, Normann Decker, Klaus Havelund, Yogi Joshi, Felix Klaedtke, Reed Milewicz, Giles Reger, Grigore Rosu, Julien Signoles, Daniel Thoma, Eugen Zalinescu, and Yi Zhang.


The competition organizers, E. Bartocci, Y. Falcone, and B. Bonakdarpour, are grateful to many people. The competition organizers would like to warmly thank all participants for their hard work, the members of the runtime verification community who encouraged them to initiate this work, the Laboratoire d’Informatique de Grenoble and Christian Seguy for its support, Inria and its GitLab framework, and finally the DataMill team for providing us with such a nice experimentation platform to run all benchmarks.

All the authors acknowledge the support of the ICT COST Action IC1402 Runtime Verification beyond Monitoring (ARVI). Ezio Bartocci  acknowledges also the partial support of the Austrian FFG project HARMONIA (nr. 845631) and the Austrian National Research Network (nr. S 11405-N23) SHiNE funded by the Austrian Science Fund (FWF).

The authors are grateful to the insightful reviewers who helped improving the quality of this paper.

Feb 202017

The manuscript entitled Concurrency-preserving and sound monitoring of multi-threaded component-based systems: theory, algorithms, implementation, and evaluation has been accepted for publication in Formal Aspects of Computing, a Springer journal.

The abstract of the paper is below:

This paper addresses the monitoring of logic-independent linear-time user-provided properties in multi-threaded component-based systems. We consider intrinsically independent components that can be executed concurrently with a centralized coordination for multiparty interactions. In this context, the problem that arises is that a global state of the system is not available to the monitor. A naive solution to this problem would be to plug in a monitor which would force the system to synchronize in order to obtain the sequence of global states at runtime. Such a solution would defeat the whole purpose of having concurrent components. Instead, we reconstruct on-the-fly the global states by accumulating the partial states traversed by the system at runtime. We define transformations of components that preserve their semantics and concurrency and, at the same time, allow to monitor global-state properties. Moreover, we present RVMT-BIP, a prototype tool implementing the transformations for monitoring multi-threaded systems described in the Behavior, Interaction, Priority (BIP) framework, an expressive framework for the formal construction of heterogeneous systems. Our experiments on several multi-threaded BIP systems show that RVMT-BIP induces a cheap runtime overhead.

The publisher version is available as Online First and the author version is available on my Publications page.

This is joint work with Hosein Nazarpour, Saddek Bensalem, and Marius Bozga from Verimag.


Feb 152017

The manuscript entitled Predictive runtime enforcement has been accepted for publication in Formal Methods in System Design, a Springer journal.


Runtime enforcement (RE) is a technique to ensure that the (untrustworthy) output of a black-box system satisfies some desired properties. In RE, the output of the running system, modeled as a sequence of events, is fed into an enforcer. The enforcer ensures that the sequence complies with a certain property, by delaying or modifying events if necessary. This paper deals with predictive runtime enforcement, where the system is not entirely black-box, but we know something about its behavior. This a priori knowledge about the system allows to output some events immediately, instead of delaying them until more events are observed, or even blocking them permanently. This in turn results in better enforcement policies. We also show that if we have no knowledge about the system, then the proposed enforcement mechanism reduces to standard (non-predictive) runtime enforcement. All our results related to predictive RE of untimed properties are also formalized and proved in the Isabelle theorem prover. We also discuss how our predictive runtime enforcement framework can be extended to enforce timed properties.


Runtime monitoring; Runtime enforcement; Automata; Timed automata

The publisher version is available as Online First and the author version is available on my Publications page.

This is joint work with Srinivas Pinisetty, Viorel Preoteasa, Stavros Tripakis, Thierry Jéron, and Hervé Marchand.

Nov 112016

The paper entitled A high-level modeling language for the efficient design, implementation, and testing of Android applications has been accepted for publication in Software Tools for Technology Transfer, a Springer journal, and is now available for download.

Developing mobile applications remains difficult, time consuming, and error prone, in spite of the number of existing platforms and tools. In this paper, we develop MoDroid, a high-level modeling language to ease the development of Android applications. MoDroid allows developing models representing the core of applications. MoDroid provides Android programmers with the following advantages: (1) models are built using high-level primitives that abstract away several implementation details; (2) it allows the definition of interfaces between models to automatically compose them; (3) a native Android application can be automatically generated along with the required permissions definition; (4) it supports efficient testing execution that operates on models. MoDroid is fully implemented and was used to develop several non-trivial Android applications.

The paper is available as OnlineFirst on Springer Website and can be obtained by following this link. The pre-print can be downloaded by following this link.

This is joint work with Mohamad Jaber, Kinan Dak-Al-Bab, John Abou-Jaoudeh & Mostafa El-Katerji from American University of Beirut, Lebanon.


Jun 062016

The paper entitled “Decentralized Enforcement of Artifact Lifecycles” has been accepted for publication in EDOC 2016, the twentieth Entreprise Computing Conference.

The abstract of the paper is below:

Artifact-centric workflows describe possible executions of a business process through constraints expressed from the point of view of the documents exchanged between principals. A sequence of manipulations is deemed valid as long as every document in the workflow follows its prescribed lifecycle at all steps of the process. So far, establishing that a given workflow complies with artifact lifecycles has mostly been done through static verification, or by assuming a centralized access to all artifacts where these constraints can be monitored and enforced. We present in this paper an alternate method of enforcing document lifecycles that requires neither static verification nor single-point access. Rather, the document itself is designed to carry fragments of its history, protected from tampering using hashing and public-key encryption. Any principal involved in the process can verify at any time that a document’s history complies with a given lifecycle. Moreover, the proposed system also enforces access permissions: not all actions are visible to all principals, and one can only modify and verify what one is allowed to observe.

The pre-print of the paper can be retrieved here.

This is joint work with Sylvain Hallé, Raphaël Khoury from Université du Québec à Chicoutimi, and Antoine El-Hokayem from Univ. Grenoble Alpes.