Monitoring with Verified Guarantees

TL;DR

This paper introduces a verification extension to the Lola monitoring language, enabling guarantees of monitor correctness through annotations and SMT solving, crucial for safety-critical systems like avionics.

Contribution

It adds assume and assert operators to Lola, integrating formal verification into runtime monitoring for safety-critical applications.

Findings

Discovered safety-critical errors in avionics specifications

Validated the approach with real-world avionics examples

Enhanced monitor reliability through formal guarantees

Abstract

Runtime monitoring is generally considered a light-weight alternative to formal verification. In safety-critical systems, however, the monitor itself is a critical component. For example, if the monitor is responsible for initiating emergency protocols, as proposed in a recent aviation standard, then the safety of the entire system critically depends on guarantees of the correctness of the monitor. In this paper, we present a verification extension to the Lola monitoring language that integrates the efficient specification of the monitor with Hoare-style annotations that guarantee the correctness of the monitor specification. We add two new operators, assume and assert, which specify assumptions of the monitor and expectations on its output, respectively. The validity of the annotations is established by an integrated SMT solver. We report on experience in applying the approach to specifications from the avionics domain, where the annotation with assumptions and assertions has lead to the discovery of safety-critical errors in the specifications. The errors range from incorrect default values in offset computations to complex algorithmic errors that result in unexpected temporal patterns.