Gray-box Monitoring of Hyperproperties (Extended Version)
Sandro Stucki, C\'esar S\'anchez, Gerardo Schneider, Borzoo, Bonakdarpour

TL;DR
This paper introduces a gray-box runtime verification approach for hyperproperties like HyperLTL, refining monitorability notions and applying it to privacy properties using SMT-based verification.
Contribution
It proposes a feasible gray-box monitoring framework for hyperproperties, refining monitorability concepts and demonstrating practical application to privacy hyperproperties.
Findings
Gray-box monitoring is feasible where black-box is not.
Refined notions of monitorability for hyperproperties.
Successful runtime verification of a privacy hyperproperty.
Abstract
Many important system properties, particularly in security and privacy, cannot be verified statically. Therefore, runtime verification is an appealing alternative. Logics for hyperproperties, such as HyperLTL, support a rich set of such properties. We first show that black-box monitoring of HyperLTL is in general unfeasible, and suggest a gray-box approach. Gray-box monitoring implies performing analysis of the system at run-time, which brings new limitations to monitorabiliy (the feasibility of solving the monitoring problem). Thus, as another contribution of this paper we refine the classic notions of monitorability, both for trace properties and hyperproperties, taking into account the computability of the monitor. We then apply our approach to monitor a privacy hyperproperty called distributed data minimality, expressed as a HyperLTL property, by using an SMT-based static verifier…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
11institutetext: University of Gothenburg, Sweden, 11email: [email protected],[email protected] 22institutetext: IMDEA Software Institute, Spain, 22email: [email protected] 33institutetext: Iowa State University, USA, 33email: [email protected]
Gray-box Monitoring of Hyperproperties
Extended Version111This is an extended version of a paper presented at the 23rd International Symposium on Formal Methods (FM ’19). This version contains full proofs, a description of the proof-of-concept monitor for DDM, and experimental results that were not included in the original publication. The original publication is available from Springer at https://doi.org/10.1007/978-3-030-30942-8˙25
Sandro Stucki 11
César Sánchez 22
Gerardo Schneider 11
Borzoo Bonakdarpour 33
Abstract
Many important system properties, particularly in security and privacy, cannot be verified statically. Therefore, runtime verification is an appealing alternative. Logics for hyperproperties, such as HyperLTL, support a rich set of such properties. We first show that black-box monitoring of HyperLTL is in general unfeasible, and suggest a gray-box approach. Gray-box monitoring implies performing analysis of the system at run-time, which brings new limitations to monitorabiliy (the feasibility of solving the monitoring problem). Thus, as another contribution of this paper, we refine the classic notions of monitorability, both for trace properties and hyperproperties, taking into account the computability of the monitor. We then apply our approach to monitor a privacy hyperproperty called distributed data minimality, expressed as a HyperLTL property, by using an SMT-based static verifier at runtime.
1 Introduction
Consider a confidentiality policy that requires that every pair of separate executions of a system agree on the position of occurrences of some proposition . Otherwise, an external observer may learn some sensitive information about the system. We are interested in studying how to build runtime monitors for properties like , where the monitor receives independent executions of the system under scrutiny and intend to determine whether or not the system satisfies the property. While no such monitor can determine whether the system satisfies — as it cannot determine whether it has observed the whole (possibly infinite) set of traces — it may be able to detect violations. For example, if the monitor receives finite executions and , then it is straightforward to see that the pair violates (the traces do not agree on the truth value of in the second, fourth, and fifth positions).
Now, if we change the policy to requiring that, for every execution, there must exist a different one that agrees with the first execution on the position of occurrences of , the monitor cannot even detect violations of . Indeed, it is not possible to tell at run-time whether or not for each execution (from a possibly infinite set), there exists a related one. Such properties for which no monitor can detect satisfaction or violation are known as non-monitorable.
Monitorability was first defined in [pnueli06psl] as the problem of deciding whether any extension of an observed trace would violate or satisfy a property expressed in LTL. We call this notion semantic black-box monitorability. It is semantic because it defines a decision problem (the existence of a satisfying or violating trace extension) without requiring a corresponding decision procedure. In settings like LTL the problem is decidable and the decision procedures are well-studied, but in other settings, a property may be semantically monitorable even though no algorithm to monitor it exists. This notion of monitorability is “black-box” because it only considers the temporal logic formula to determine the plausibility of an extended observation that violates or satisfies the formula. This is the only sound assumption without looking inside the system. Many variants of this definition followed, mostly for trace logics [havelund18runtime] (see also [bartocci18introduction]).
The definition of semantic monitorability is extended in [agrawal16runtime] to the context of hyperproperties [cs10]. A hyperproperty is essentially a set of sets of traces, so monitoring hyperproperties involves reasoning about multiple traces simultaneously. The confidentiality example discussed above is a hyperproperty. The notion of monitorability for hyperproperties in [agrawal16runtime] also considers whether extensions of an observed trace, or of other additional observed traces, would violate or satisfy the property. An important drawback of these notions of monitorability is that they completely ignore the role of the system being monitored and the possible set of executions that it can exhibit to compute a verdict of a property.
In this paper, we consider a landscape of monitorability aspects along three dimensions, as depicted in Fig. 1. We explore the ability of the monitor to reason about multiple traces simultaneously (the trace/hyper dimension). We first show that a large class of hyperproperties that involve quantifier alternations are non-monitorable. That is, no matter the observation, no verdict can ever be declared. We then propose a solution based on a combination of static analysis and runtime verification. If the analysis of the system is completely precise, we call it white-box monitoring. Black-box monitoring refers to the classic approach of ignoring the system and crafting general monitors that provide sound verdicts for every system. In gray-box monitoring, the monitor uses an approximate set of executions, given for example as a model, in addition to the observed finite execution. The combination of static analysis and runtime verification allows to monitor hyperproperties of interest, but it involves reasoning about possible executions of the system (the black/gray dimension in Fig. 1). This, in turn, forces us to consider the computability limitations of the monitors themselves as programs (the computability dimension).
We apply this approach to monitoring a complex hyperproperty of interest in privacy, namely, data minimization. The principle of data minimization (introduced in Article 5 of the EU General Data Protection Regulation [gdpr2012]) from a software perspective requires that only data that is semantically used by a program should be collected and processed. When data is collected from independent sources, the property is called distributed data minimization (DDM) [ASS17dm, PSS18rvh]. Our approach for monitoring DDM is as follows. We focus on detecting violations of DDM (which we express in HyperLTL using one quantifier alternation). We then create a gray-box monitor that collects dynamically potential witnesses for the existential part. The monitor then invokes an oracle (combining symbolic execution trees and SMT solving) to soundly decide the universally quantified inner sub-formula. Our approach is sound but approximated, so the monitor may give an inconclusive answer, depending on the precision of the static verification.
Contributions.
In summary, the contributions of this paper are the following:
Novel richer definitions of monitorability that consider trace and hyper-properties, and the possibility of analyzing the system (gray-box monitoring). This enables the monitoring, via the combination of static analysis and runtime verification, of properties that are non-monitorable in a black-box manner. Our novel notions of monitorability also cover the computability limitations of monitors as programs, which is inevitable once the analysis is part of the monitoring process. 2.
We express DDM as a hyperproperty and study its monitorability within the richer landscape defined above. We then apply the combined approach where the static analysis in this case is based on symbolic execution (Sect. 4). 3.
We describe a proof-of-concept implementation of our gray-box monitor for DDM, apply it to some representative examples, and present empirical evaluation (Sect. 5).
The source code of our implementation is freely available online.222At https://github.com/sstucki/minion/
2 Background
Let be a finite set of atomic propositions and be the finite alphabet. We call each element of a letter (or an event). Throughout the paper, denotes the set of all infinite sequences (called traces) over , and denotes the set of all finite traces over . For a trace (or ), denotes the element of , where . We use to denote the length (finite or infinite) of trace . Also, denotes the subtrace of from position up to and including position (or if or if ). In this manner denotes the prefix of up to and including and denotes the suffix of from (including ).
Given a set , we use for the set of subsets of and for the set of finite subsets of . Let be a finite trace and a finite or infinite trace. We denote the concatenation of and by . Also, denotes the fact that is a prefix of . Given a finite set of finite traces and an arbitrary set of finite or infinite traces, we say that extends (written ) if, for all , there is a , such that . Note that every trace in is extended by some trace in (we call these trace extensions), and that may also contain additional traces with no prefix in (we call these set extensions).
2.1 LTL and HyperLTL
We now briefly introduce LTL and HyperLTL. The syntax of LTL [pnueli77temporal] is:
[TABLE]
where . The semantics of LTL is given by associating to a formula the set of traces that it accepts:
[TABLE]
We will also use the usual derived operators and . All properties expressible in LTL are trace properties (each individual trace satisfies the property or not, independently of any other trace). Some important properties, such as information-flow security policies (including confidentiality, integrity, and secrecy), cannot be expressed as trace properties but require reasoning about two (or more) independent executions (perhaps from different inputs) simultaneously. Such properties are called hyperproperties [cs10]. HyperLTL [cfkmrs14] is a temporal logic for hyperproperties that extends LTL by allowing explicit quantification over execution traces. The syntax of HyperLTL is:
[TABLE]
A trace assignment is a partial function mapping trace variables in to infinite traces. We use to denote the empty assignment, and for the same function as , except that is mapped to trace . The semantics of HyperLTL is defined by associating formulas with pairs , where is a set of traces and is a trace assignment:
[TABLE]
The semantics of the temporal inner formulas is defined in terms of the traces associated with each path (here denotes the map that assigns to if ):
[TABLE]
We say that a set of traces satisfies a HyperLTL formula (denoted ) if and only if .
Example 1
Consider the HyperLTL formula and , where , and Although traces and together satisfy , does not agree with the other two, i.e., , but . Hence, .
2.2 Semantic Monitorability
Runtime verification (RV) is concerned with (1) generating a monitor from a formal specification , and (2) using the monitor to detect whether or not holds by observing events generated by the system at run time. Monitorability refers to the possibility of monitoring a property. Some properties are non-monitorable because no finite observation can lead to a conclusive verdict. We now present some abstract definitions to encompass previous notions of monitorability in a general way. These definitions are made concrete by instantiating them for example to traces (for trace properties) or sets of traces (for hyperproperties), see Ex. 2 below.
- •
Observation. We refer to the finite information provided dynamically to the monitor up to a given instant as an observation. We use and to denote individual observations and to denote the set of all possible observations, equipped with an operator that captures the extension of an observation.
- •
System behavior. We use to denote the universe of all possible behaviors of a system. A behavior may, in general, be an infinite piece of information. By abuse of notation, denotes that observation can be extended to a behavior .
Example 2
When monitoring trace properties such as LTL, we have , an observation is a finite trace , is the prefix relation on finite strings, and . When monitoring hyperproperties such as HyperLTL, an observation is a finite set of finite traces , that is, . The relation is the prefix for finite sets of finite traces defined above. That is, whenever for all there is a such that . Finally, .
We say that an observation permanently satisfies a formula , if every that extends satisfies :
[TABLE]
where denotes the satisfaction relation in the semantics of the logic. Similarly, we say that an observation permanently violates a formula , if every extension violates :
[TABLE]
Monitoring a system for satisfaction (or violation) of a formula is to decide whether a finite observation permanently satisfies (resp. violates) .
Definition 1 (Semantic Monitorability)
A formula is (semantically) monitorable if every observation has an extended observation , such that or .
A similar definition of monitorability only for satisfaction or only for violation can be obtained by considering only or only . Instantiating this definition of monitorability for LTL and finite traces as observations ( and ) leads to the classic definitions of monitorability for LTL by Pnueli and Zaks [pnueli06psl] (see also [havelund18runtime]). Similarly, instantiating the definitions for HyperLTL and observations as finite sets of finite traces leads to monitorability as introduced by Agrawal and Bonakdarpour [agrawal16runtime].
Example 3
The LTL formula is not (semantically) monitorable since it requires an infinite-length observation, while formulas and are monitorable. Similarly, is monitorable, but is not, as it requires an observation set of infinite size. We will prove this claim in detail in Sect. 3.
3 The Notion of Gray-box Monitoring
Most of the previous definitions of monitorability make certain assumptions:
(1) the logics are trace logics, i.e. do not cover hyperproperties,
(2) the system under analysis is black-box in the sense that every further observation is possible,
(3) the logics are tractable, in that the decision problems of satisfiability, liveness, etc. are decidable.
We present here a more general notion of monitorability by challenging these assumptions.
3.1 The Limitations of Monitoring Hyperproperties
Earlier work on monitoring hyperproperties is restricted to the quantifier alternation-free fragment, that is either or properties. We establish now an impossibility result about the monitorability of formulas of the form , where is a state predicate. That is, is formed by atomic propositions, or and Boolean combinations thereof, and can be evaluated given two valuations of the propositions from , one from each path and at the current position. For example, the predicate for depends on the valuation of at the first state of paths and . We use and in to denote that uses two copies of the variables (one copy from and another from ). A predicate is reflexive if for all valuations , is true. A predicate is serial if, for all , there is a such that is true.
Theorem 3.1
A HyperLTL formula of the form is non-monitorable if and only if is non-reflexive and serial.
Proof
Let be . We first observe that if is serial, then the universal set is a model of , i.e. . We show the two directions separately.
- •
“”. Assume that is non-reflexive and serial, and let be an arbitrary observation. We show an infinite extension of that violates and another infinite extension of that satisfies , concluding that no observation has a finite extension that permanently satisfies or violates , that is, is not monitorable. As mentioned above, since is serial, is a model of and extends . Now, assume that all traces in have the same length (otherwise, extend the shorter traces arbitrarily). Then, pick such that is false (recall that is non-reflexive so such a must exist), and consider the set of infinite observations . Since appears at the same position in all strings in , it follows that .
- •
“”. If is reflexive then holds for every non-empty set of infinite words by picking the same trace for and . Therefore is monitorable (in fact, guaranteed to be permanently satisfied for any observation). Otherwise, assume that is not serial, so for some and for all , is false. Consider an arbitrary observation and extend one into . The observation obtained permanently violates because taking to be cannot be matched at the position where occurs by any trace for .
This finishes the proof. ∎
The fragment of properties captured by Theorem 3.1 is very general (and this result can be easily generalized to hyperproperties). First, the temporal operator is just safety (the result can be generalized for richer temporal formulas). Also, every binary predicate can be turned into a non-reflexive predicate by distinguishing the traces being related. Moroever, many relational properties, such as non-interference and DDM, contain a tacit assumption that only distinct traces are being related. Seriality simply establishes that cannot be falsified by only observing the local valuation of one of the traces. Intuitively, a predicate that is not serial can be falsified by looking only at one of the traces, so the property is not a proper hyperproperty. The practical consequence of Theorem 3.1 is that many hyperproperties involving one quantifier alternation cannot be monitored.
3.2 Gray-box Monitoring. Sound and Perfect Monitors
To overcome the negative non-monitorability result, we exploit knowledge about the set of traces that the system can produce (gray-box or white-box monitoring). Given a system that can produce the set of system behaviors , we parametrize the notions of permanent satisfaction and permanent violation to consider only behaviors in :
[TABLE]
First, we extend the definition of monitorability (Def. 1 above) to consider the system under observation.
Definition 2 (Semantic Gray-Box Monitorability)
A formula is semantically gray-box monitorable for a system if every observation has an extended observation in , such that or .
In this definition, monitors must now analyze and decide properties of extended observations which is computationally not possible with full precision for sufficiently rich system descriptions.
We now introduce a novel notion of monitors that consider and the computational power of monitors (the diagonal dimension in Fig. 1). A monitor for a property and a set of traces is a computable function that, given a finite observation , decides a verdict for : indicates success, indicates failure, and indicates that the monitor cannot declare a definite verdict given only . To avoid clutter, we write instead of when the system is clear from the context. The following definition captures when a monitor for a property can give a definite answer.
Definition 3 (Sound monitor)
Given a property and a set of behaviors , a monitor is sound whenever, for every observation ,
if , then or , 2. 2.
if , then or , 3. 3.
otherwise .
If a monitor is not sound then it is possible that an extension of forces to change a to a verdict, or vice-versa. The function that always outputs is a sound monitor for any property, but this is the least informative monitor. A perfect monitor precisely outputs whether satisfaction or violation is inevitable, which is the most informative monitor.
Definition 4 (Perfect Monitor)
Given a property and a set of traces , a monitor is perfect whenever, for every observation ,
if then , 2. 2.
if then , 3. 3.
otherwise .
Obviously, a perfect monitor is sound. Similar definitions of perfect monitor only for satisfaction (resp. violation) can be given by forcing the precise outcome only for satisfaction (resp. violation).
A black-box monitor is one where every behavior is potentially possible, that is . If the monitor uses information about the actual system, then we say it is gray-box (and we use white-box when the monitor can reason with absolute precision about the set of traces of the system). In some cases, for example to decide instantiations of a quantifier, a satisfaction verdict that is taken from can be concluded for all over-approximations (dually under-approximations for violation and for ). For space limitations, we do not give the formal details here.
Using Defs. 3 and 4, we can add the computability aspect to capture a stronger definition of monitorability. Abusing notation, we use to say that the observation can be extended to a trace allowed by the system.
Definition 5 (Strong Monitorability)
A property is strongly monitorable for a system if there is a sound monitor s.t. for all observations , there is an extended observation for which either or .
A property is strongly monitorable for satisfaction if the extension with always exists (and analogously for violation). In what follows we will use the term monitorability to refer to strong monitorability whenever no confusion may arise. It is easy to see that if a property is not semantically monitorable, then it is not strongly monitorable, but in rich domains, some semantically monitorable properties may not be strongly monitorable. One trivial example is termination for deterministic programs (that is, the halting problem). Given a prefix of the execution of a deterministic program, either the program halts or it does not, so termination is monitorable in the semantics sense. However, it is not possible to build a monitor that decides the halting problem.
Lemma 1
If is strongly monitorable, then is semantically monitorable.
A property may not be monitorable in a black-box manner, but monitorable in a gray-box manner. In the realm of monitoring of LTL properties, strong and semantic monitorability coincide for finite state systems (see [zhang12runtime]) both black-box and gray-box (for finite state systems), because model-checking and the problem of deciding whether a state of a Büchi automaton is live are decidable.
Following [bss18] we propose to use a combination of static analysis and runtime verification to monitor violations of properties (or dually, satisfactions of ). The main idea is to collect candidates for the outer part dynamically and use static analysis at runtime to over-approximate the inner quantifiers.
4 Monitoring Distributed Data Minimality
In this section, we describe how to monitor DDM, which can be expressed as a hyperproperty of the form . The negative non-monitotabiliy result from Sect. 3.1 can be generalized to hyperproperties. In the particular case of DDM, although we mainly deal with the input/output relation of functions and are not concerned with infinite temporal behavior, we still need to handle possibly infinite set extensions for black-box monitoring. In the remainder of this section, we discuss the following, seemingly contradictory aspects of DDM:
- (P1)
DDM is not semantically black-box monitorable, 2. (P2)
DDM is semantically white-box monitorable (for programs that are not DDM), 3. (P3)
checking DDM statically is undecidable, 4. (P4)
DDM is strongly gray-box monitorable for violation, and we give a sound monitor.
The apparent contradictions are resolved by careful analysis of DDM along the different dimensions of the monitorability cube (Fig. 1).
We will show how to monitor DDM and similar hyperproperties using a gray-box approach. In our approach, a monitor can decide at run time the existence of traces using a limited form of static analysis. The static analyzer receives the finite observation collected by the monitor, but not the future system behavior. Instead it must reason under the assumption that any system behavior in that is compatible with , may eventually occur. For example, given an formula, the outer existential quantifier is instantiated with a concrete set of runtime traces, while possible extensions of provided by static analysis can be used to instantiate the inner universal quantifier.
4.1 DDM Preliminaries
We briefly recapitulate the formal notion of data-minimality from [ASS17dm]. Given a function , the problem of data minimization consists in finding a preprocessor function , such that and . The goal of is to limit the information available to while preserving the behavior of .
There are many possible such preprocessors (e.g. the identity function), which can be ordered according to the information they disclose, that is, according to the subset relation on their kernels. The kernel of a function is defined as the equivalence relation . The smaller is, the more information discloses. The identity function is the worst preprocessor since it discloses all information (its kernel is equality — the least equivalence relation). An optimal preprocessor, or minimizer, is one that discloses the least amount of information.
A function is monolithic data-minimal (MDM), if it fulfills either of the following equivalent conditions:
the identity function is a minimizer for , 2. 2.
is injective.
Condition 1. is an information-flow-based characterization that can be generalized to more complicated settings in a straightforward fashion. Condition 2. is a purely logical or data-based characterization more suitable for implementation in e.g. a monitor.
MDM is the strongest form of data minimality, where one assumes that all input data is provided by a single source and thus a single preprocessor can be used to minimize the function. If inputs are provided by multiple sources (called a distributed setting) and access to the system implementing is restricted, it might be impossible to use a single preprocessor. For example, consider a web-based auction system that accepts bids from bidders, represented by distinct input domains , and where concrete bids are submitted remotely. The auction system must compute the function , which is clearly non-injective and, hence, non-MDM. In this case, a single, monolithic minimizer cannot be used since different bidders need not have any knowledge of each other’s bids. Instead, bidders must try to minimize the information contained in their bid locally, in a distributed way, before submitting it to the auction.
The problem of distributed data minimization consists in building a collection of independent preprocessors for a given function , such that their parallel composition is a preprocessor for . Such composite preprocessors are called distributed, and a distributed preprocessor for that discloses the least amount of information is called a distributed minimizer for . Then, one can generalize the (information-flow) notion of data-minimality to the distributed setting as follows. The function is distributed data-minimal (DDM) if the identity function is a distributed minimizer for . Returning to our example, the maximum function defined above is DDM. As for MDM, there is an equivalent, data-based characterization of DDM defined next.
Definition 6 (distributed data minimality [ASS17dm, PASS18corr])
A function is distributed data-minimal (DDM) if, for all input positions and all such that , there is some , such that .
We use Def. 6 to explore how to monitor DDM. In the following, we assume that the function has at least two arguments (). Note that for unary functions, DDM coincides with MDM. Since MDM is a -property (involving no quantifier alternations), most of the challenges to monitorability discussed here do not apply [PSS18rvh]. We also assume, without loss of generality, that the function being monitored has only nontrivial input domains, i.e. for all . If is trivial then this constant input can be ignored. Finally, note that checking DDM statically is undecidable (P3) for sufficiently rich programming languages [ASS17dm].
4.2 DDM as a Hyperproperty
We consider data-minimality for total functions . Our alphabet, or set of events, is the set of possible input-output (I/O) pairs of , i.e. . Since a single I/O pair captures an entire run of , we restrict ourselves to observing singleton traces, i.e. traces of length . In other words, we ignore any temporal aspects associated with the computation of . This allows us to use first-order predicate logic — without any temporal modalities — as our specification logic.
DDM is a hyperproperty, expressed as a predicate over sets of traces, even though the traces are I/O pairs. The set of observable behaviors of a given consists of all finite sets of I/O pairs . The set of all possible system behaviors additionally includes infinite sets of I/O pairs.
Example 4
Let be the addition function on natural numbers, . Then , , and a valid trace takes the form , where , and are all naturals. Both and are considered observable behaviors , even though does not correspond to a valid system behavior since . Remember that we do not discriminate between valid and invalid system behaviors in a black-box setting.
We now express DDM as a hyperproperty, using HyperLTL, but with only state predicates (no temporal operators). Given a tuple , we write or simply for its -th projection. Given an I/O pair we use for the input component and for the output component (that is and ). Given trace variables , we define
[TABLE]
Example 5
Let , , and . Then , but and .
We define DDM for input argument as follows:
[TABLE]
In words: given any pair of traces and , if and differ in their -th position, then there must be some common values for the remaining inputs, such that the outputs of for and differ. Note that does not appear in directly, instead it is determined implicitly by the (existentially quantified) traces and . Finally, distributed data minimality for is defined as
[TABLE]
The property follows the same structure as the logical characterization of DDM from Sect. 4.1. The universally quantified variables range over the possible inputs at position , while the existentially quantified variables and range over the other inputs and the outputs. Note also that, given the input coordinates of , , and , all the output coordinates, as well as the input coordinates of , are uniquely determined.333For simplicity, even though is not in prenex normal form, it is a finite conjunction of formulas in prenex normal form so a finite number of monitors can be built and executed in parallel, one per input argument.
Example 6
Consider again and from Ex. 4. Then, trivially holds, but because when there is no choice of for which holds.
Note that, in the above example, holds despite the fact that is not a valid behavior of the example function . Indeed, whether or not holds for a given is independent of the choice of . In particular, , for any choice of regardless of whether is data-minimal or not. This is already a hint that the notion of semantic black-box monitorability is too weak to be useful when monitoring . Since is a model of , no observation can have an extension that permanently violates . As we will see shortly, gray-box monitoring does not suffer from this limitation. Monitorability of DDM for violations becomes possible once we exclude potential models such as which do not correspond to valid system behaviors.
Remark.
Note that though our definition and approach work for general (reactive) systems, the DDM example is admittedly a non-reactive system with traces of length 1. This, however, is not a limitation of the approach. Extending DDM for reactive systems is left as future work.
4.3 Properties of DDM
Since is a property, it should not come as a surprise that it is not semantically black-box monitorable in general (P1).
Lemma 2 (black-box non-monitorability)
Assume , then is semantically black-box monitorable iff is finite.
Proof
We first treat the case where is finite. Assume and each contain at least two elements. Smaller I/O domains correspond to degenerate cases for which semantic black-box monitorability is easy to show, so we omit them here.
Let be a finite set of traces. We need to show that there is a finite extension that permanently satisfies or violates . Pick . Clearly, this is the largest observation in , so any property satisfied by is also permanently satisfied by . Hence it suffices to show that .
Let , , be arbitrary I/O pairs, a pair of distinct outputs, and an arbitrary input position. Define and . Then , and , are all in , and it is easy to check that holds if the quantified variables are instantiated to these traces in the given order. In other words for all , and hence permanently satisfies .
Conversely, assume that is infinite, and let again be a finite set of traces. To show that neither permanently satisfies nor permanently violates , it is sufficient to exhibit a pair of extensions that satisfy and violate , respectively. For , we pick . By the same argument as given above (for the finite case), we have .
We have to work slightly harder to construct . Since is infinite but is finite, there must be an input position and a pair of distinct elements such that no trace in has or as its -th input. Pick some arbitrary trace , and let and . By construction, , so is a strict extension of . To show that does indeed violate , it is sufficient to show that . Pick to instantiate and . Then by construction, but there is no way to instantiate and : since they have to agree with and on the -th input position, the only candidates are and , but by construction. ∎
Perhaps surprisingly, is semantically white-box monitorable for violations (P2). That is, if is not DDM, there is hope to detect it. To make this statement more precise, we first need to identify the set of valid system behaviors of . We define to be the set of I/O pairs that correspond to executions of . Then precisely characterizes the set of valid system behaviors.
Example 7
Define as , i.e. simply ignores its second argument. Then . It is easy to show that DDM is white-box monitorable for . Any finite set of valid traces can be extended to include a pair of traces that only differ in their second input value, e.g. and . Now, consider any that extends . Clearly, cannot contain any trace for which but as that would constitute an invalid system behavior. But would have to contain such a trace to be a model of . Hence, for any such , which means permanently violates .
Note the crucial use of information about in the above example: it is the restriction to valid extensions that excludes trivial models such as and thereby restores (semantic) monitorability for violations. The apparent conflict between (P1) and (P2) is thus resolved.
With the extra information that gray-box monitoring affords, we can make more precise claims about properties like DDM: whether or not a property is monitorable may, for instance, depend on whether the property actually holds for the system under scrutiny. Concretely, for the case of DDM, we show the following.
Theorem 4.1
Given a function , the formula is semantically gray-box monitorable in if and only if either is distributed non-minimal or the input domain is finite.
Theorem 4.1 follows from the following two auxiliary lemmas.
Lemma 3 (semantic violation)
If is not DDM, then is semantically monitorable for violation (in ).
Proof
Assume a finite set of traces . We need to show that there is a finite extension permitted by that permanently violates . First, note that the task is trivial if is finite: we simply pick , i.e. the set of all possible executions, which is also finite. The only finite extension of permitted by is the complete set of traces itself, and since is not distributed minimal, cannot hold for .
Assume instead that is infinite. Since is distributed non-minimal, there must be some input position and some pair of distinct inputs , such that for any choice of . Let and for an arbitrary . Then any set that contains the traces and violates . To see this, assume instead that . Then there must be traces that agree on all but the -th input, such that , thus contradicting non-minimality of . Hence, by picking , we have . ∎
Lemma 4 (Semantic satisfaction)
If is DDM, then is semantic monitorable for satisfaction (in ) if and only if is finite.
Proof
First, if is finite the result follows by picking . Assume now that is distributed minimal, is semantically monitorable for satisfaction, and is infinite. Let be some non-empty, finite set of traces with some distinguished element . Since is monitorable for satisfaction, there must be a finite extension that permanently satisfies . To arrive at a contradiction, it suffices to construct a finite extension that does not satisfy .
Pick an input position for which is infinite. Such an must exist because otherwise would be the Cartesian product of finite sets, and is infinite by assumption. Next, pick a pair of distinct element such that there are no traces in with or as their -th input. Such must also exist because is infinite but is finite. Finally, pick an input position , and a such that . Such a must exist for to be non-trivial.
Now let , and , . Then and are clearly valid traces, i.e. , but since and have and as their -th inputs, respectively. Let . By construction, holds if we instantiate and to and , respectively, but there is no pair of traces to instantiate in such a way that , and all hold simultaneously. The former force the choice and but, by construction, . Hence and we arrive at a contradiction. ∎
Intuitively, Theorem 4.1 means that cannot be monitored for satisfaction. Note that the semantic monitorability property established by Theorem 4.1 is independent of whether we can actually decide DDM for the given . We address the question of strong monitorability later on in this section.
If is finite, it is easy to strengthen Theorem 4.1 by providing a perfect monitor for . Since is assumed to be a total function with a finite domain, we can simply check the validity of for every trace and tabulate the result. To do so, the and quantifiers in can be converted into conjunctions and disjunctions over .
Corollary 1
For with finite , is strongly monitorable in .
If is infinite, then is not semantically monitorable for satisfaction, but we can still hope to build a sound monitor for violation of .
4.4 Building a Gray-box Monitor for DDM
In what follows, we assume a computable function capable of deciding DDM only for some instances. This function, which we call oracle, will serve as the basis for a sound monitor for DDM (P4). This monitor will detect some, but not all, violations of DDM when given sets of observed traces, thus resolving the apparent tension between (P3) and (P4).
Given , we define the predicate as
[TABLE]
and assume a total computable function such that
[TABLE]
The function acts as our oracle to instantiate the existential quantifiers in . As discussed earlier, such oracles may be implemented by statically analyzing the system under observation (here, the function ). In our proof-of-concept implementation, we extract from using symbolic execution, and use an SMT solver to compute .
We now define a monitor for as follows:
[TABLE]
Intuitively, the monitor checks the set of traces for violations of DDM by verifying two conditions: the first condition ensures the consistency of , i.e. that every trace in does in fact correspond to a valid execution of ; the second condition is necessary for not to permanently violate . Hence, if it fails, must permanently violate . Since is computable, so is . Note that never gives a positive verdict . This is a consequence of Theorem 4.1: if is DDM, then is not monitorable in . In other words, DDM is not monitorable for satisfaction.
The second condition in the definition of is an approximation of : the universal quantifiers are replaced by conjunctions over the finite set of input traces , while the existential quantifiers are replaced by a single quantifier ranging over all of (not just ). This approximation is justified formally by the following theorem.
Theorem 4.2 (soundness)
The monitor is sound. Formally,
* if , and* 2. 2.
* if .*
Proof
The monitor never gives a verdict, so the first half of the theorem (satisfaction) holds vacuously. For the second part (violation), we have
[TABLE]
and
[TABLE]
∎
We describe a prototype implementation of in Sect. 5.
5 Implementation and Prototype
We have implemented the ideas described in Sect. 4 in a proof-of-concept monitor for DDM called minion. The monitor uses the symbolic execution API and the SMT backend of the KeY deductive verification system [ahrendt16deductive, KeYproject] to extract logical characterizations of Java programs (their symbolic execution trees). It then extends them to first-order formulas over sets of observed traces, and checks the result using the state-of-the-art SMT solver Z3 [DeMouraB08tacas, Z3github]. The minion monitor is written in Scala and provides a simple command-line interface (CLI). Its source code is freely available online at https://github.com/sstucki/minion/.
Before we describe minion in more detail, we introduce a running example illustrating the principles of both monolithic and distributed data minimality. For an example of monolithic data minimization, first consider the method rate shown in Fig. 2. The purpose of this method is to compute the baseline rate to be paid by the driver of a vehicle on a toll road. The rate depends on the time of day and the number of passengers in the vehicle. The range of the output is , and consequently the data processor does not need to know the precise hour of the day, nor the exact number of passengers. A vehicle might pass a toll station at any time between 9pm and 5am to be subject to a the higher daytime rates (72, 90), and at any other time to benefit from the lower nighttime rates (56, 70). Also, any vehicle occupied by three or more passengers is eligible for a 20% carpool discount. Giving the actual hour and number of passengers violates the principle of data minimality because more information than necessary is collected. Data minimization is the process of ensuring that the range of inputs provided is reduced, such that different inputs result in different outputs.
In a distributed setting, the concept of minimization is more complex as input data may be collected from multiple independent sources. Consider the method fee in Fig. 2. This method computes the total fee for a trip on a toll road, based on the hours at which a vehicle passes three consecutive toll stations, and on the number of passengers in the vehicle. The overall fee depends on the total time spent on the toll road, which is data collected from all three toll stations. In particular, if a vehicle enters a section of the toll road during a low-rate early morning hour, but fails to reach the next station before 9pm, the driver will be charged the more expensive daytime rate for the entire section. DDM requires minimizing each input parameter (i.e. the information collected at separate toll stations) individually. A preprocessor or data minimizer [ASS17dm] located at any given toll station can easily minimize the individual inputs (hour, passengers) at that station. But an individual minimizer cannot guarantee minimization with respect to the overall fee since it has no information about the input data collected at the other stations. DDM therefore constitutes merely a “best effort” to minimize inputs given the inherently distributed nature of the system.
When running minion on the fee method of the class Toll, the tool builds first the symbolic execution tree. Then, the monitor reads and parses traces from an input file or standard input. Whenever minion parses a new trace, it rechecks the entire set of traces read thus far for violation, thereby supporting both online and offline monitoring. Traces are read from CSV files, where the number and format of the inputs is determined automatically from the method signature. Fig. 3a shows example traces for the fee method. Columns 1–4 correspond to the parameters h1, h2, h3 and p, respectively, while column 5 contains the result computed by fee for the given values.
By default, minion monitors traces for DDM. Thus, when processing the traces given in Fig. 3a, it signals a violation after reading the second line because feefee irrespective of the choice of , , and . In contrast, all traces listed in Fig. 3b are accepted by minion since they have been preprocessed by a distributed minimizer. Alternatively, minion can be instructed to monitor traces for monolithic data minimality (MDM) in which case a violation is signaled when processing the last line of Fig. 3b, whereas all traces in Fig. 3c are accepted.
5.1 Lazy vs. Eager Monitoring
Perhaps surprisingly, there are cases where minion will detect a violation of DDM whereas it will not detect a violation of MDM. Consider the function . Since simply ignores its second argument, it is clearly neither distributed nor monolithic minimal. When monitoring the pair of traces and for DDM, minion detects a violation because for any choice of . Note, however, that this situation does not appear among the observed traces since the two values for in the respective traces differ. The tool reports a violation because a common value for is found by our oracle when monitoring for DDM. When monitoring for MDM minion does not detect the violation, because in this case there is no need to invoke the oracle.
Whether or not this is the intended behavior of the monitor depends on the assumption of whether the traces are collected from a program or from the combined program ( being a minimizer). In the latter case, some combinations of inputs may never be observed as the inputs have been minimized. On the other hand, if traces are not considered preprocessed, we may wish to explore the behavior of more exhaustively. For this purpose, minion can be instructed to monitor a set of traces eagerly for MDM, resp. lazily for DDM. For the former, minion considers not just the observed traces, but any combination of observed input values—even if that combination does not actually correspond to an observed trace. For the latter, minion only considers combinations of inputs originating from traces with the same result value. For example, for the pair of input traces and , minion is able to find a violation in eager MDM mode since , but not in lazy DDM mode since .
