Monitoring with Verified Guarantees

Dauer, Johann C.; Finkbeiner, Bernd; Schirmer, Sebastian

doi:10.1007/978-3-030-88494-9_4

Cited by 13 publications

(7 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several of VeriMon's features, such as the non-recursive let operator and the improved algorithms for Since and Until, have been propagated back to MonPoly and have guided the design of a new monitoring tool implemented in C ++ , CPPMon. 7 We are happy to start seeing other work in the community that uses proof assistants [4][5][6]17], deductive verifiers [9], or SMT solvers [7,14] to improve the trustworthiness of monitors. We believe that formal verification is the only way towards a landscape of tools that are reliable and maintainable: not just one-paper wonders.…”

Section: Discussionmentioning

confidence: 99%

VeriMon: A Formally Verified Monitoring Tool

Basin

Dardinier

Hauser

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Section: Discussionmentioning

confidence: 99%

VeriMon: A Formally Verified Monitoring Tool

Basin

Dardinier

Hauser

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Given a RTLola specification, the framework performs various static analyses to provide reliable guarantees prior to execution, e.g., to determine a memory bound or verify stream behaviors [22]. It then either directly executes the specification with the RTLola-Interpreter [23] or compiles it to software [24] or hardware [25].…”

Section: Safe Operation Monitoring With Rtlolamentioning

confidence: 99%

“…For instance, RTLola is designed to analyze the memory to give bounds on the memory consumption of the generated monitor implementation. Further, specification analysis can help to check consistency and to provide verified guarantees on the behavior of the monitor [22] that help argue ASTM monitor coverage. Automatic generation of monitor implementation.…”

Section: Advantagesmentioning

confidence: 99%

A Hierarchy of Monitoring Properties for Autonomous Systems

Schirmer

Torens

Dauer

et al. 2023

AIAA SCITECH 2023 Forum

View full text Add to dashboard Cite

Monitoring capabilities play a central role in mitigating safety risks of current, and especially future autonomous aircraft systems. These future systems are likely to include complex components such as neural networks for environment perception, which pose a challenge for current verification approaches; they are considered as black-box components. To assure that these black-boxes comply with their specification, they must be monitored to detect violations during execution with respect to their input and output behaviors. Such behavioral properties often include more complex aspects such as temporal or spatial notions. The outputs can also be compared to data from other assured sensors or components of the aircraft, making monitoring an integral part of the system, which ideally has access to all available resources to assess the overall health of the operation. Current approaches using handwritten code for monitoring functions run the risk of not being able to keep up with these challenges. Therefore, in this paper, we present a hierarchy of monitoring properties that provides a perspective for overall health. We also present a categorization of monitoring properties and show how different monitoring specification languages can be used for formalization. These monitoring languages represent a higher abstraction of general-purpose code and are therefore more compact and easier for a user to write and read, and we can validate their implementations independently from the systems they reason about. They improve the maintainability of monitoring properties that is required to handle the increased complexity of future autonomous aircraft systems.applied monitoring based on specification languages. Next, we present a hierarchy of monitoring properties that ranges from low-level sensor properties to high-level operation properties, giving a holistic perspective on possibilities for system monitoring. Further, we categorize different types of monitoring properties and showcase different monitoring specification languages. Finally, we discuss the advantages and disadvantage of using such formal languages. Related Work: Aerospace RegulationsAviation standards and regulations offer a perspective on target systems that informs their monitoring. For instance, Aerospace Recommended Practice (ARP) 4754A [3] from SAE International is the guidelines document for development of civil aircraft and systems. Additionally, SAE International's ARP4761 [4] provides guidelines for conducting the safety assessment process on civil airborne systems and equipment. The terms used in both documents for developing an aircraft as well as performing a safety assessment on the different process levels are item, system, and aircraft. An item, is one or more hardware and/or software elements treated as a unit. An item is the lowest level of abstraction during development. A system is a combination of inter-related items arranged to perform a specific function. A system therefore represents a higher abstraction level than an item. The aircraft is...

show abstract

“…Some verified monitors were developed recently using proof assistants, e.g., VeriMon [29] and Vydra [28] in Isabelle and lattice-mtl [8] in Coq. Others leveraged SMT technology to increase their trustworthiness [12,14]. To the best of our knowledge, we present the first verified checker for an online monitor's output, even though verified certifiers are standard practice in other areas such as distributed systems [35], model checking [37,38], and SAT solving [11,21].…”

Section: Introductionmentioning

confidence: 99%

Explainable Online Monitoring of Metric Temporal Logic

Lima

Herasimau

Raszyk³

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Runtime monitors analyze system execution traces for policy compliance. Monitors for propositional specification languages, such as metric temporal logic (MTL), produce Boolean verdicts denoting whether the policy is satisfied or violated at a given point in the trace. Given a sufficiently complex policy, it can be difficult for the monitor’s user to understand how the monitor arrived at its verdict. We develop an MTL monitor that outputs verdicts capturing why the policy was satisfied or violated. Our verdicts are proof trees in a sound and complete proof system that we design. We demonstrate that such verdicts can serve as explanations for end users by augmenting our monitor with a graphical interface for the interactive exploration of proof trees. As a second application, our verdicts serve as certificates in a formally verified checker we develop using the Isabelle proof assistant.

show abstract

Monitoring with Verified Guarantees

Cited by 13 publications

References 20 publications

VeriMon: A Formally Verified Monitoring Tool

VeriMon: A Formally Verified Monitoring Tool

A Hierarchy of Monitoring Properties for Autonomous Systems

Explainable Online Monitoring of Metric Temporal Logic

Contact Info

Product

Resources

About