Shield Synthesis: Runtime Enforcement for Reactive Systems

TL;DR

This paper introduces a novel runtime enforcement method called shield synthesis for reactive hardware systems, enabling real-time correction of critical properties without extensive verification of the entire design.

Contribution

It presents the first shield synthesis approach tailored for reactive hardware systems, addressing unique challenges like delay and minimal intervention.

Findings

Successfully synthesizes safety shields for reactive hardware

Enables runtime correction of critical properties in hardware systems

Demonstrates effectiveness through experimental results

Abstract

Scalability issues may prevent users from verifying critical properties of a complex hardware design. In this situation, we propose to synthesize a "safety shield" that is attached to the design to enforce the properties at run time. Shield synthesis can succeed where model checking and reactive synthesis fail, because it only considers a small set of critical properties, as opposed to the complex design, or the complete specification in the case of reactive synthesis. The shield continuously monitors the input/output of the design and corrects its erroneous output only if necessary, and as little as possible, so other non-critical properties are likely to be retained. Although runtime enforcement has been studied in other domains such as action systems, reactive systems pose unique challenges where the shield must act without delay. We thus present the first shield synthesis solution for reactive hardware systems and report our experimental results. This is an extended version of [5], featuring an additional appendix.