Provably correct runtime monitoring (extended abstract)
2008 (English)In: Fm 2008: Formal Methods, Proceedings / [ed] Cuellar, J; Maibaum, T; Sere, K, 2008, Vol. 5014, 262-277 p.Conference paper (Refereed)
Runtime monitoring is an established technique for enforcing a wide range of program safety and security properties. We present a formalization of monitoring and monitor inlining, for the Java Virtual Machine. Monitors are security automata given in a special-purpose monitor specification language, ConSpec. The automata operate on finite or infinite strings of calls to a fixed API, allowing local dependencies on parameter values and heap content. We use a two-level class file annotation scheme to characterize two key properties: (i) that the program is correct with respect to the monitor as a constraint on allowed program behavior, and (ii) that the program has an instance of the given monitor embedded into it, which yields state changes at prescribed points according to the monitor's transition function. As our main application of these results we describe a concrete inliner, and use the annotation scheme to characterize its correctness. For this inliner, correctness of the level II annotations can be decided efficiently by a weakest precondition annotation checker, thus allowing on-device checking of inlining correctness in a proof-carrying code setting.
Place, publisher, year, edition, pages
2008. Vol. 5014, 262-277 p.
, Lecture Notes In Computer Science, ISSN 0302-9743 ; 5014
IdentifiersURN: urn:nbn:se:kth:diva-38138DOI: 10.1007/978-3-540-68237-0_19ISI: 000256247100019ScopusID: 2-s2.0-47249101556ISBN: 978-3-540-68235-6OAI: oai:DiVA.org:kth-38138DiVA: diva2:436062
15th International Symposium on Formal Methods Location: Turku, FINLAND Date: MAY 26-30, 2008