On Specifying and Monitoring Epistemic Properties of Distributed Systems
Koushik Sen, Abhay Vardhan, Gul Agha, Grigore Rosu
University of Illinois at Urbana-Champaign, USA
Software Reliability
§ Software validation
  - Rigorous and complete methods: model checking, theorem proving
    - Infeasible for large-scale open distributed systems (Actors): non-determinism and asynchrony
  - Testing: widely used, ad hoc, good test coverage required
  - Runtime monitoring: adds rigor to testing
9/9/2020
Centralized Monitoring Approach
§ Monitoring: use formal methods in testing
  - Synthesize light-weight monitors from the specification (automata, rewriting-based monitors)
  - Instrument the code to insert the monitors
  - Execute the instrumented code
§ Distributed system monitoring
  - The global state is distributed
  - For every state update, send the state to a central monitor
  - The central monitor assembles the updates into consistent execution traces (sequences of global states)
  - Monitor the execution traces
An Example
§ Mobile node a requests a certain value from node b
§ b computes the value and sends it to a
§ Property: no node receives a value from another node to which it had not sent a request
Centralized Monitoring Example
"If a receives a value from b then b calculated the value after receiving a request from a"
  val.Rcv → ◇·(val.Computed ∧ ◇· val.Req)
[Figure: message diagram between nodes a and b with the events val.Req, val.Computed and val.Rcv, annotated with the intermediate monitor formulas after each event]
Decentralized Monitoring Approach
"If a receives a value from b then b calculated the value after receiving a request from a"
  val.Rcv → @b(◇·(val.Computed ∧ @a(◇· val.Req)))
[Figure: nodes a and b with the events val.Req, val.Computed and val.Rcv; a evaluates val.Rcv → @b(◇·(val.Computed ∧ @a(◇· val.Req))), while the subformulas val.Computed ∧ @a(◇· val.Req) and ◇·(val.Computed ∧ @a(◇· val.Req)) are evaluated at b]
Past-time Distributed Temporal Logic (pt-DTL)
§ Based on epistemic logic [Aumann 76] [Meenakshi et al. 00]
§ Properties are stated with respect to a process, say p
Leader Election Example
"If a leader is elected then, if the current process is a leader then, to its knowledge, none of the other processes (b and c) is a leader"
  elected → (state = leader → (@b(state ≠ leader) ∧ @c(state ≠ leader)))
Leader Election (Stronger Property)
§ Every process must know the name of the process that has been elected leader
  elected → (let k = leader.Name in (@b(leader.Name = k) ∧ @c(leader.Name = k)))
Leader Election (Open System)
§ There is an arbitrary number of processes whose names are not known beforehand
  elected → (let k = leader.Name in @∀{j | j ≠ i}(leader.Name = k))
Extended Distributed Temporal Logic (xDTL)
§ Suitable for open distributed systems (Actors)
  - The ids of all processes are not known beforehand
§ Quantification over processes
  - All processes satisfying a predicate: @∀{j | pred(j)}
  - Some process satisfying a predicate: @∃{j | pred(j)}
§ Value binding (increases expressive power)
  - let k = x in F
  - Used to refer to values in remote states
xDTL syntax
§ Fi ::= true | false | P(Ei) | ¬Fi | Fi ∧ Fi | ⊙Fi | ◇·Fi | Fi S Fi    (propositional, temporal)
       | @∀J Fj | @∃J Fj                                              (epistemic)
       | let k = Ei in Fi                                             (binding)
§ Ei ::= c | vi ∈ Vi | f(Ei) | k | @j Ej                              (functional, epistemic)
Interpretation of @∀J Ej at process i
[Figure: processes p1, p2 and p3 exchanging messages m1, m2, m3 and m4; at p1 the variable x is first 7 and later 9; the annotation @{1}(x = 9) shows the value of x at p1 as known at the receiving process]
Monitoring Algorithm
§ Requirements
  - Should be fast so that online monitoring is possible
  - Little memory overhead
  - Additional messages sent should be minimal, ideally zero
§ Monitoring using a Knowledge Vector
  - Maintain knowledge of the global state at each process
  - Update the knowledge with incoming messages
  - Attach the knowledge to outgoing messages
  - At each process, monitor the local knowledge
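The knowledge-vector algorithm above, applied to the decentralized request/response property from the earlier slides, as an added example (this is not code from the slides or their authors). Process names, the field names req_ever and ok_ever, and the per-process sequence numbers are assumptions of this example; the point it shows is that every @j(...) subformula is answered from the local copy of j's state that arrived piggybacked on ordinary application messages, so monitoring adds no messages of its own.

```python
"""Decentralized monitoring of the request/response property with knowledge vectors.

Added example; it is not code from the slides or their authors.  It simulates
the scenario on the slides (node a requests a value from node b) and monitors,
at a, the decentralized property

    val.Rcv -> @b( <>.(val.Computed and @a( <>. val.Req )) )

where <>. is "eventually in the past".  Each process keeps a knowledge vector
(its latest known state of every process, tagged with a sequence number),
piggybacks it on ordinary application messages, merges incoming vectors, and
evaluates every @j(...) subformula against its own knowledge of j, so no extra
messages are sent for monitoring.  Process names, field names and the
sequence-number scheme are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    kind: str      # application event the message triggers: "val.Req" or "val.Rcv"
    payload: object
    kv: dict       # piggybacked knowledge vector (copied at send time)


class Process:
    def __init__(self, name):
        self.name = name
        self.seq = 0
        # Past-time facts are "sticky": <>. F stays true once F has held.
        self.req_ever = False   # <>. val.Req, owned by a
        self.ok_ever = False    # <>.(val.Computed and @a(<>. val.Req)), owned by b
        self.kv = {}            # process name -> {"seq", "req_ever", "ok_ever"}
        self.verdicts = []      # (event description, property satisfied?)
        self._publish()

    def _publish(self):
        """Record the current local state in our own knowledge-vector entry."""
        self.seq += 1
        self.kv[self.name] = {"seq": self.seq, "req_ever": self.req_ever,
                              "ok_ever": self.ok_ever}

    def remote(self, j, fact):
        """@j(fact): the fact in the latest state of j we know of; False if j is unknown."""
        entry = self.kv.get(j)
        return bool(entry and entry[fact])

    def merge(self, other_kv):
        """Keep, per process, whichever entry carries the larger sequence number."""
        for j, entry in other_kv.items():
            if j not in self.kv or entry["seq"] > self.kv[j]["seq"]:
                self.kv[j] = dict(entry)

    def send(self, kind, payload):
        return Message(self.name, kind, payload, {j: dict(e) for j, e in self.kv.items()})

    # Events at the requester (a)
    def request(self):
        self.req_ever = True                     # val.Req happens now
        self._publish()
        return self.send("val.Req", None)

    def receive_value(self, msg):
        self.merge(msg.kv)                       # val.Rcv happens now
        satisfied = self.remote(msg.sender, "ok_ever")   # @b(<>.(...)) with b = sender
        self.verdicts.append(("val.Rcv from " + msg.sender, satisfied))
        return satisfied

    # Events at the responder (b)
    def receive_request(self, msg):
        self.merge(msg.kv)

    def compute_and_send(self, requester, value):
        # val.Computed happens now; @a(<>. val.Req) is read from b's knowledge of a
        self.ok_ever = self.ok_ever or self.remote(requester, "req_ever")
        self._publish()
        return self.send("val.Rcv", value)


def run_solicited():
    """a asks b, b answers: the property holds at a's val.Rcv event."""
    a, b = Process("a"), Process("b")
    b.receive_request(a.request())
    return a.receive_value(b.compute_and_send("a", 42))


def run_unsolicited():
    """b pushes a value a never asked for: b's knowledge of a shows no request."""
    a, b = Process("a"), Process("b")
    return a.receive_value(b.compute_and_send("a", 42))


def run_wrong_responder():
    """a asks b, but the value arrives from c, which never saw the request."""
    a, b, c = Process("a"), Process("b"), Process("c")
    b.receive_request(a.request())
    b.compute_and_send("a", 42)                  # b's reply is lost or delayed
    return a.receive_value(c.compute_and_send("a", 42))


if __name__ == "__main__":
    print("solicited:", run_solicited())              # True
    print("unsolicited:", run_unsolicited())          # False
    print("wrong responder:", run_wrong_responder())  # False
```

The merge rule keeps the entry with the larger sequence number per process, so stale knowledge carried by a late message never overwrites fresher knowledge; the third scenario shows why the sender of the value, not a fixed b, is the process whose knowledge the @b(...) subformula is read from.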
Conclusion
§ A decentralized technique to effectively verify open distributed systems at runtime
§ No extra message overhead for monitoring
§ xDTL can express interesting and useful safety properties of distributed systems
§ Open question: how to instrument the code running on all processes so that monitoring can be done?