Abstract
Runtime enforcement is a methodology used to enforce that the output of a running system satisfies a desired property. Given a property, an enforcement monitor modifies an (untrusted) sequence of events into a sequence that complies to that property. In practice, we may have not one, but many properties to enforce. Moreover, new properties may arise as new capabilities are added to the system. It is thus important to construct not a single, i.e., monolithic monitor, but rather several monitors, one for each property. The question is to what extent such monitors can be composed, and how. In this paper, we study two enforcement monitor composition schemes, serial and parallel composition. We show that, runtime enforcement is compositional for general regular properties with respect to one of the parallel composition schemes defined. We also show that runtime enforcement is not compositional with respect to serial composition for general regular properties, but it is for certain subclasses of regular properties. The proposed compositional runtime enforcement framework is formalized and implemented. Our experimental results demonstrate the pros and cons of using the compositional approach versus the monolithic with respect to performance.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
In the rest of the paper the term automaton refers to a deterministic and complete automaton.
These examples are reused throughout the paper.
In the predictive setting, soundness is restricted to input words that belong to \(\psi\).
Note that in order to compute \(E_{{\varphi _1\triangleright \varphi _2}}\) both \(\varphi _1\) and \(\varphi _2\) need to be known.
References
Aceto L, Achilleos A, Francalanza A, Ingólfsdóttir A, Lehtinen K (2019) Adventures in monitorability: from branching to linear time and back again. Proc ACM Program Lang 3(POPL):1–29
Aceto L, Achilleos A, Francalanza A, Ingólfsdóttir A, Lehtinen K (2021) An operational guide to monitorability with applications to regular properties. Softw Syst Model 20(2):335–361
Bauer L, Ligatti J, Walker D (2009) Composing expressive runtime security policies. ACM Trans Softw Eng Methodol 18(3):1–43
Bloem R, Könighofer B, Könighofer R, Wang C (2015) Shield synthesis: runtime enforcement for reactive systems. In: TACAS. LNCS, vol 9035. Springer
Bocchi L, Chen TC, Demangeon R, Honda K, Yoshida N (2017) Monitoring networks through multiparty session types. Theor Comput Sci 669:33–58
Clarke E, Long D, McMillan K (1989) Compositional model checking. In: Logic in computer science, 1989. LICS ’89, Proceedings., Fourth annual symposium on, pp 353–362
Falcone Y, Jaber M, Nguyen TH, Bozga M, Bensalem S (2015) Runtime verification of component-based systems in the BIP framework with formally-proved sound and complete instrumentation. Softw Syst Model 14(1):173–199
Falcone Y, Mounier L, Fernandez JC, Richier JL (2011) Runtime enforcement monitors: composition, synthesis, and enforcement abilities. FMSD 38(3):223–262
Falcone Y, Jéron T, Marchand H, Pinisetty S (2016) Runtime enforcement of regular timed properties by suppressing and delaying events. Sci Comput Program 123:2–41
Francalanza A, Seychell A (2015) Synthesising correct concurrent runtime monitors. Form Methods Syst Des 46(3):226–261
Godefroid P (2007) Compositional dynamic test generation. In: Proceedings of the 34th annual ACM SIGPLAN-SIGACT, POPL, ACM, New York, pp 47–54
Grumberg O, Long DE (1994) Model checking and modular verification. ACM Trans Program Lang Syst 16(3):843–871
Hu C, Dong W, Yang Y, Shi H, Deng F (2020) Decentralized runtime enforcement for robotic swarms. Front Inf Technol Electron Eng 21:1591–1606
Könighofer B, Alshiekh M, Bloem R, Humphrey LR, Könighofer R, Topcu U, Wang C (2017) Shield synthesis. Form Methods Syst Des 51(2):332–361
Kugler H, Segall I (2009) Compositional synthesis of reactive systems from live sequence chart specifications. In: TACAS, York, Proceedings, pp 77–91
Levy J, Saïdi H, Uribe TE (2002) Combining monitors for runtime system verification. Electron Notes Theor Comput Sci 70(4):112–127
Ligatti J, Bauer L, Walker D (2009) Run-time enforcement of nonsafety policies. ACM Trans Inf Syst Secur 12(3):19:1-19:41
Pinisetty S, Falcone Y, Jéron T, Marchand H, Rollet A, Nguena Timo O (2014) Runtime enforcement of timed properties revisited. FMSD 45(3):381–422
Pinisetty S, Preoteasa V, Tripakis S, Jéron T, Falcone Y, Marchand H (2016) Predictive runtime enforcement. In: Symposium on applied computing (SAC-SVT). ACM
Pinisetty S, Preoteasa V, Tripakis S, Jéron T, Falcone Y, Marchand H (2017) Predictive runtime enforcement. Form Methods Syst Des 51(1):154–199
Pinisetty S, Roop PS, Smyth S, Allen N, Tripakis S, von Hanxleden R (2017) Runtime enforcement of cyber-physical systems. ACM Trans Embed Comput Syst 16(5s):178:1-178:25
Pinisetty S, Roop PS, Smyth S, Tripakis S, von Hanxleden R (2017) Runtime enforcement of reactive systems using synchronous enforcers. In: Erdogmus, H, Havelund, K (eds) Proceedings of the 24th ACM SIGSOFT International SPIN Symposium on Model Checking of Software, Santa Barbara, ACM, pp 80–89 https://doi.org/10.1145/3092282.3092291
Pinisetty S, Tripakis S (2016) Compositional runtime enforcement. In: NASA formal methods, Springer International Publishing, pp 82–99
Pop P, Eles P, Zebo P, Pop T (2004) Scheduling and mapping in an incremental design methodology for distributed real-time embedded systems. IEEE Trans Very Large Scale Integr (VLSI) Syst 12(8):793–811
Renard M, Rollet A, Falcone Y (2017) Runtime enforcement using büchi games. In: Erdogmus H, Havelund K (eds) Proceedings of the 24th ACM SIGSOFT international SPIN symposium on model checking of software, Santa Barbara 2017, ACM, pp 70–79 https://doi.org/10.1145/3092282.3092296
Samadi M, Ghassemi F, Khosravi R (2020) Decentralized runtime enforcement of message sequences in message-based systems. In: 24th International conference on principles of distributed systems, OPODIS 2020. LIPIcs, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, vol 184. pp 21:1–21:18
Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3(1):30–50
Sinha R, Girault A, Goessler G, Roop PS (2014) A formal approach to incremental converter synthesis for system-on-chip design. ACM Trans Des Autom Electr Syst 20(1):13:1-13:30
Tripakis S (2016) Compositionality in the science of system design. Proc IEEE 104(5):960–972
Funding
This work has been partially supported by The Ministry of Human Resource Development, Government of India (SPARC P#701), NSF SaTC Award #1801546, IIT Bhubaneswar Seed Grant (SP093).
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Proofs
Proofs
In Sect. 2.2 we informally discussed about the soundness, transparency and monotonicity constraints that an enforcement function for a given property \(\varphi\) should satisfy. Enforcement function definition (Definition 2) satisfies these constraints. In Theorem 6, we recall formal definitions of these constraints. More details and proofs are available in [20].
Theorem 6
(Soundness, transparency, and monotonicity) Given a property \(\varphi\), the enforcement function \(E_{{\varphi }}\) as per Definition 2 is a enforcer satisfying the following soundness, transparency and monotonicity constraints.
Soundness
Transparency
Monotonicity
Proof
(of Theorem 6) This result is proved in [20]. \(\square\)
In the predictive setting, soundness is restricted to input words that belong to the input property \(\psi\). As discussed briefly in Sect. 2.2, a predictive enforcer should satisfy another additional constraint called urgency.
Theorem 7
(Soundness, transparency, monotonicity and urgency (Predictive enforcer)) Given two properties \(\psi\), and \(\varphi\), the predictive enforcement function \(E_{{\psi \triangleright \varphi }}\) as per Definition 4 is a predictive enforcer satisfying constraints (SndP), (Tr1P), (Tr2P), (Ur) and (MoP).
Soundness
Transparency
Urgency
Monotonicity
Proof
(of Theorem 6) This result is proved in [20]. \(\square\)
We introduce some lemmas used later in proving some of the theorems. Lemma 1 states that for both predictive and non-predictive enforcement functions, for any input sequence \(\sigma\), the concatenation of the two output words \(\sigma _s\cdot \sigma _c\) of the function store will be equal to the input word \(\sigma\).
Lemma 1
For all \(\sigma , \sigma _s, \sigma _c \in \varSigma ^*\), we have
-
1.
\(\mathrm {store_{\varphi }}(\sigma ) = (\sigma _s,\sigma _c) \implies \sigma = \sigma _s\cdot \sigma _c\)
-
2.
\(\mathrm {store_{\psi \triangleright \varphi }}(\sigma ) = (\sigma _s,\sigma _c) \implies \sigma = \sigma _s\cdot \sigma _c\)
Proof
(of Lemma 1) Proof of this lemma is straightforward by using induction on the length of the input word. \(\square\)
1.1 Proof of Theorem 1 (p. 17)
Proof
We shall prove that given any two regular properties \(\varphi _1\) and \(\varphi _2\),
We prove using induction on the length of the input word \(\sigma\).
Induction basis. If \(\sigma = \epsilon\), from Definitions 2 and 4, \(E_{{\varphi _1\triangleright \varphi _2}}(E_{{\varphi _1}}(\sigma )) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma ))= \epsilon\).
Induction step. Assume that for every \(\sigma \in \varSigma ^*\) of some length \(n \in {\mathbb {N}}\), Theorem 1 holds. That is, \(E_{{\varphi _1\triangleright \varphi _2}}(E_{{\varphi _1}}(\sigma )) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma ))\). We now prove that for any \(a\in \varSigma\), Theorem 1 holds for \(\sigma \cdot a\). We have the following three possible cases:
-
Case \(\sigma \cdot a \not \in \varphi _1\).
In this case, from Definition 2 we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma _s= E_{{\varphi _1}}(\sigma )\). Thus we have \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma ))\) and \(E_{{\varphi _1\triangleright \varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _1\triangleright \varphi _2}}(E_{{\varphi _1}}(\sigma ))\). Using induction hypothesis, we can conclude that \(E_{{\varphi _1\triangleright \varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a))\).
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\).
Since \(\sigma \cdot a \in \varphi _1\), from Definition 2, using Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\).
Let us first examine \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(\sigma \cdot a)\). From Definition 2, \(\kappa _{\varphi _2}(\sigma \cdot a)\) evaluates to \(\mathsf {false}\) in this case since \(\sigma \cdot a\not \in \varphi _2\). Thus, \(E_{{\varphi _2}}(\sigma \cdot a)= E_{{\varphi _2}}(\sigma )\).
Let us examine \(E_{{\varphi _1\triangleright \varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _1\triangleright \varphi _2}}(\sigma \cdot a)\). From Definition 4, \(\kappa _{\varphi _1\triangleright \varphi _2}(\sigma \cdot a)\) evaluates to \(\mathsf {false}\) since \(\sigma \cdot a \in \varphi _1\), there is an extension \(\epsilon\) such that \(\sigma \cdot a \cdot \epsilon \in \varphi _1\), and there is no prefix \(\sigma '\) of \(\epsilon\) such that \(\sigma \cdot a \cdot \sigma ' \in \varphi _2\). Thus, \(E_{{\varphi _1\triangleright \varphi _2}}(\sigma \cdot a)= E_{{\varphi _1\triangleright \varphi _2}}(\sigma )\).
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\).
Since \(\sigma \cdot a \in \varphi _1\), from Definition 2, using Lemma 1 and Theorem 6 (Tr2), we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\).
Let us first examine \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(\sigma \cdot a)\). From Definition 2, \(\kappa _{\varphi _2}(\sigma \cdot a)\) evaluates to \(\mathsf {true}\) in this case since \(\sigma \cdot a\in \varphi _2\). Using Lemma 1 and Theorem 6 (Tr2), we have \(E_{{\varphi _2}}(\sigma \cdot a)=\sigma \cdot a\).
Let us examine \(E_{{\varphi _1\triangleright \varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _1\triangleright \varphi _2}}(\sigma \cdot a)\). From Definition 4, \(\kappa _{\varphi _1\triangleright \varphi _2}(\sigma \cdot a)\) evaluates to \(\mathsf {true}\) since \(\sigma \cdot a \in \varphi _2\), for every continuation \(\sigma _{con}\) such that \(\sigma \cdot a\cdot \sigma _{con}\in \varphi _1\), \(\epsilon\) is a prefix of \(\sigma _{con}\) such that \(\sigma \cdot a \cdot \epsilon \in \varphi _2\). Using Lemma 1 and Theorem 7 (Tr2P), we have \(E_{{\varphi _1\triangleright \varphi _2}}(\sigma \cdot a)= \sigma \cdot a\).
\(\square\)
1.2 Proof of Theorem 2 (p. 21)
Proof
We shall prove that given any two regular properties \(\varphi _1\) and \(\varphi _2\), \(\forall \sigma \in \varSigma ^*\):
We prove using induction on the length of the input word \(\sigma\).
Induction basis. If \(\sigma = \epsilon\), from Definition 8, we have \((E_{{\varphi _1}}~||_{2}~E_{{\varphi _2}})(\sigma ) = \epsilon\). We also have \(E_{{\varphi _1\cap \varphi _2}}(\sigma ) = \epsilon\). Theorem 2 holds when \(\sigma = \epsilon\).
Induction step. Assume that for every \(\sigma \in \varSigma ^*\) of some length \(n \in {\mathbb {N}}\), Theorem 2 holds. That is, \((E_{{\varphi _1}}||_2E_{{\varphi _2}})(\sigma ) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\), and it is the maximal prefix of \(\sigma\) that belongs to \(\varphi _1 \cap \varphi _2\). We now prove that for any \(a\in \varSigma\), Theorem 2 holds for \(\sigma \cdot a\). We have the following four possible cases:
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\).
Let us first examine \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\), \(\sigma \cdot a \in \varphi _1 \cap \varphi _2\). From Definition 2, Theorem 6 (Tr2) and Lemma 1, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = \sigma \cdot a\).
Let us now examine \((E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _1\), from Definition 2 Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\). Similarly, we have \(E_{{\varphi _2}}(\sigma \cdot a) = \sigma \cdot a\). Thus, as per the Definition 8, since \(E_{{\varphi _1}}(\sigma \cdot a)= E_{{\varphi _2}}(\sigma \cdot a)= \sigma \cdot a\), we have \((E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma \cdot a) = \sigma \cdot a\). Thus, Theorem 2 holds in this case.
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\).
Let us first examine \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \not \in \varphi _2\), \(\sigma \cdot a \not \in \varphi _1 \cap \varphi _2\). From Definition 2, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\).
Let us now examine \((E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _1\), from Definition 2 Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\). Since, \(\sigma \cdot a \not \in \varphi _2\), we can derive that \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\).
Thus, as per the Definition 8, since \(E_{{\varphi _1}}(\sigma \cdot a) \ne E_{{\varphi _2}}(\sigma \cdot a)\), we have \((E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma \cdot a) = (E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma )\).
Using induction hypothesis, we have \((E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma ) = E_{{\varphi _1\cap \varphi _2}}(\sigma ) = E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Thus, the theorem holds in this case.
-
Case \(\sigma \cdot a \not \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\). Similar to the previous case.
-
Case \(\sigma \cdot a \not \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\). Let us first examine \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \not \in \varphi _1\), and \(\sigma \cdot a \not \in \varphi _2\), we have \(\sigma \cdot a \not \in \varphi _1 \cap \varphi _2\). From the definition of the enforcement function, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\).
Let us now examine \((E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma \cdot a)\). Since, \(\sigma \cdot a \not \in \varphi _1\), we can derive that \(E_{{\varphi _1}}(\sigma \cdot a) = E_{{\varphi _1}}(\sigma )\). Similarly, we can also derive that \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\).
Thus, as per the Definition 8, since \(E_{{\varphi _1}}(\sigma \cdot a)= E_{{\varphi _1}}(\sigma )\) and \(E_{{\varphi _2}}(\sigma \cdot a)= E_{{\varphi _2}}(\sigma )\), we have \((E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma \cdot a) = (E_{{\varphi _1}}||_2 E_{{\varphi _2}})(\sigma )\).
Using induction hypothesis we can conclude that \((E_{{\varphi _1}}||_2E_{{\varphi _2}})(\sigma \cdot a)= E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\).
\(\square\)
1.3 Proof of Theorem 3 (p. 23)
Proof
We shall prove that given a safety property \(\varphi _1\) and a regular property \(\varphi _2\),
We prove using induction on the length of the input word \(\sigma\).
Induction basis. If \(\sigma = \epsilon\), from Definition 2, \(E_{{\varphi _1}}(\sigma )= \epsilon\) and \(E_{{\varphi _2}}(\sigma )= \epsilon\). Thus, \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma )) = E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma )) = \epsilon\). We also have \(E_{{\varphi _1\cap \varphi _2}}(\sigma ) = \epsilon\).
Induction step. Assume that for every \(\sigma \in \varSigma ^*\) of some length \(n \in {\mathbb {N}}\), Theorem 3 holds. That is, \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma )) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma )) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\). We now prove that for any \(a\in \varSigma\), theorem holds for \(\sigma \cdot a\). We have the following four possible cases:
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\).
Let us first examine \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a))\). Since \(\sigma \cdot a \in \varphi _1\), from Definition 2, using Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1}}(\sigma \cdot a) =\sigma \cdot a\). Thus, \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _2\), we can derive that \(E_{{\varphi _2}}(\sigma \cdot a) = \sigma \cdot a\).
Regarding \(E_{{\varphi _1\cap \varphi _2}}\), in this case, we know that \(\sigma \cdot a\) belongs to both \(\varphi _1\) and \(\varphi _2\). from Definition 2, using Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1\cap \varphi _2}} (\sigma \cdot a) = \sigma \cdot a\).
We thus have \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _1\cap \varphi _2}} (\sigma \cdot a) = \sigma \cdot a\).
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\).
Let us first examine \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a))\). Since \(\sigma \cdot a \in \varphi _1\), similar to the previous case we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\), and thus \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a))= E_{{\varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a\not \in \varphi _2\), \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\). Since \(\varphi _1\) is a safety property and \(\sigma \cdot a \in \varphi _1\), using Theorem 6 (Tr2) we have \(E_{{\varphi _1}}(\sigma ) = \sigma\). So, \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(\sigma )=E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma ))\).
Regarding \(E_{{\varphi _1 \cap \varphi _2}}(\sigma \cdot a)\), since \(\sigma \cdot a \not \in \varphi _1\cap \varphi _2\), we have \(E_{{\varphi _1 \cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1 \cap \varphi _2}}(\sigma )\). Thus, using induction hypothesis we can conclude that \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _1 \cap \varphi _2}}(\sigma \cdot a)\).
-
Case \(\sigma \cdot a \not \in \varphi _1\).
Let us first examine \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a))\). Since \(\sigma \cdot a \not \in \varphi _1\), according to the definition of the enforcement function, \(E_{{\varphi _1}}(\sigma \cdot a) = E_{{\varphi _1}}(\sigma )\). Thus, \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma ))\). Since \(\sigma \cdot a \not \in \varphi 1\), we have \(\sigma \cdot a \not \in \varphi _1\cap \varphi _2\), and \(E_{{\varphi _1 \cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\).
Using induction hypothesis, we can thus conclude that \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\).
\(\square\)
1.4 Proof of Theorem 4 (p. 24)
Proof
We shall prove that given any two safety (prefix-closed) properties \(\varphi _1\) and \(\varphi _2\), then
We prove this using induction on the length of the input word \(\sigma\).
Induction basis. If \(\sigma = \epsilon\), from Definition 2, \(E_{{\varphi _1}}(\epsilon )= \epsilon\) and \(E_{{\varphi _2}}(\epsilon )= \epsilon\). Since \(merge(\epsilon , \epsilon ) = \epsilon\), we have \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\epsilon ) = \epsilon\). We also have \(E_{{\varphi _1\cap \varphi _2}}(\sigma ) = \epsilon\). For safety properties, Theorem 4 holds when \(\sigma = \epsilon\).
Induction step. Assume that for every \(\sigma \in \varSigma ^*\) of some length \(n \in {\mathbb {N}}\), Theorem 4 holds. That is, \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma ) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\), and it is the maximal prefix of \(\sigma\) that belongs to \(\varphi _1 \cap \varphi _2\). We now prove that for any \(a\in \varSigma\), Theorem 4 holds for \(\sigma \cdot a\). We have the following four possible cases:
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\).
Let us first examine \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\), \(\sigma \cdot a \in \varphi _1 \cap \varphi _2\). From Definition 2, Theorem 6 (Tr2) and Lemma 1, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = \sigma \cdot a\).
Let us now examine \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _1\), from Definition 2 Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\). Similarly, we have \(E_{{\varphi _2}}(\sigma \cdot a) = \sigma \cdot a\). Since \(merge(\sigma \cdot a, \sigma \cdot a) = \sigma \cdot a\), we have \((E_{{\varphi _1}}||_1 E_{{\varphi _2}})(\sigma \cdot a) = \sigma \cdot a\). Thus, Theorem 4 holds in this case.
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\).
Let us first examine \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \not \in \varphi _2\), \(\sigma \cdot a \not \in \varphi _1 \cap \varphi _2\). From Definition 2, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\).
Let us now examine \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _1\), from Definition 2 Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\). Since, \(\sigma \cdot a \not \in \varphi _2\), we can derive that \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\).
We also know that \(E_{{\varphi _2}}(\sigma ) \preccurlyeq \sigma\) (from Tr1 of Theorem 6), thus \(merge(\sigma \cdot a, E_{{\varphi _2}}(\sigma )) \preccurlyeq E_{{\varphi _2}}(\sigma )\). Since \(\varphi _1\) is a safety property, and \(\sigma \cdot a \in \varphi _1\), we have \(\sigma \in \varphi _1\) and we can derive that \(E_{{\varphi _1}}(\sigma ) = \sigma\) (from Tr2 of Theorem 6). So, we have \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a)= merge(\sigma \cdot a, E_{{\varphi _2}}(\sigma )) = merge(\sigma , E_{{\varphi _2}}(\sigma )) = merge(E_{{\varphi _1}}(\sigma ), E_{{\varphi _2}}(\sigma )) = (E_{{\varphi _1}}||E_{{\varphi _2}})(\sigma )\).
Using induction hypothesis, we have \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma ) = E_{{\varphi _1\cap \varphi _2}}(\sigma ) = E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Thus, the theorem holds in this case.
-
Case \(\sigma \cdot a \not \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\). Similar to the previous case.
-
Case \(\sigma \cdot a \not \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\). Let us first examine \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \not \in \varphi _1\), and \(\sigma \cdot a \not \in \varphi _2\), we have \(\sigma \cdot a \not \in \varphi _1 \cap \varphi _2\). From the definition of the enforcement function, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\).
Let us now examine \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a)\). Since, \(\sigma \cdot a \not \in \varphi _1\), we can derive that \(E_{{\varphi _1}}(\sigma \cdot a) = E_{{\varphi _1}}(\sigma )\). Similarly, we can also derive that \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\). So, we have \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a) = merge(E_{{\varphi _1}}(\sigma ), E_{{\varphi _2}}(\sigma )) = (E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma )\).
Using induction hypothesis we can conclude that \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a)= E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\).
\(\square\)
1.5 Proof of Theorem 5 (p. 25)
Proof
(of Theorem 5 - item 1 (serial composition))
We shall prove that given any two co-safety properties \(\varphi _1\) and \(\varphi _2\), \(\forall \sigma \in \varSigma ^*: E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma )) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma )) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\). We prove this using induction on the length of the input word \(\sigma\).
Induction basis. If \(\sigma = \epsilon\), from Definition 2, \(E_{{\varphi _1}}(\sigma )= \epsilon\) and \(E_{{\varphi _2}}(\sigma )= \epsilon\). Thus, \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma )) = E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma )) = \epsilon\). We also have \(E_{{\varphi _1\cap \varphi _2}}(\sigma ) = \epsilon\). Item 1 of Theorem 5 trivially holds.
Induction step. Assume that item 1 of Theorem 5 holds for every \(\sigma \in \varSigma ^*\) of some length \(n \in {\mathbb {N}}\). That is, \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma )) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma )) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\), and it is the maximal prefix of \(\sigma\) that satisfies both \(\varphi _1\) and \(\varphi _2\). We now prove that for any \(a\in \varSigma\), item 1 of Theorem 5 holds for \(\sigma \cdot a\). We have the following four possible cases:
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\).
Let us first examine \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a))\). Since \(\sigma \cdot a \in \varphi _2\), from Definition 2, using Theorem 6 (Tr2) and Lemma 1, \(E_{{\varphi _2}}(\sigma \cdot a) = \sigma \cdot a\). Thus, \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a)) = E_{{\varphi _1}}(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _1\), again from Definition 2, using Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\). We can similarly show that \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = \sigma \cdot a\). Since \(\sigma \cdot a \in \varphi _1\cap \varphi _2\), from Definition 2, using Theorem 6 (Tr2) and Lemma 1, we also have \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = \sigma \cdot a\).
We thus have \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a))=E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) =E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = \sigma \cdot a\).
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\).
Let us first examine \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a))\). Since \(\sigma \cdot a \not \in \varphi _2\), according to Definition 2, \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\). Thus, \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a)) = E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma ))\). Note that since \(\varphi _2\) is a co-safety property, and \(\sigma \cdot a \not \in \varphi _2\), we can in fact also show that \(E_{{\varphi _2}}(\sigma ) = \epsilon\), and thus \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma ))= \epsilon\).
Let us now examine \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a))\). Since \(\sigma \cdot a \in \varphi _1\), from Definition 2, Theorem 6 (Tr2) and Lemma 1, we have \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\). Thus we have \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \not \in \varphi _2\), from Definition 2, \(E_{{\varphi _2}}(\sigma \cdot a) =E_{{\varphi _2}}(\sigma )\). Since \(\varphi _2\) is a co-safety property, and \(\sigma \cdot a \not \in \varphi _2\), we can show that \(E_{{\varphi _2}}(\sigma \cdot a) = \epsilon\). Thus \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = \epsilon\).
We showed that \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a)) =E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = \epsilon\). Regarding \(E_{{\varphi _1 \cap \varphi _2}}(\sigma \cdot a)\), we know that \(\varphi _1\cap \varphi _2\) (since both \(\varphi _1\) and \(\varphi _2\) are co-safety) is a co-safety property. Since \(\sigma \cdot a \not \in \varphi _1\cap \varphi _2\), we can show that \(E_{{\varphi _1 \cap \varphi _2}}(\sigma \cdot a) = \epsilon\).
-
Case \(\sigma \cdot a \not \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\).
Similar to the previous case.
-
Case \(\sigma \cdot a \not \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\).
Let us first examine \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a))\). Since \(\sigma \cdot a \not \in \varphi _2\), according to the definition of the enforcement function, \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\). Thus, \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a)) = E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma ))\). Similarly, we can show that \(E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma ))\). Since \(\sigma \cdot a \not \in \varphi _1\cap \varphi _2\), we have \(E_{{\varphi _1 \cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1 \cap \varphi _2}}(\sigma )\).
Using induction hypothesis, we can thus conclude that \(E_{{\varphi _1}}(E_{{\varphi _2}}(\sigma \cdot a)) = E_{{\varphi _2}}(E_{{\varphi _1}}(\sigma \cdot a)) = E_{{\varphi _1 \cap \varphi _2}}(\sigma \cdot a)\).
\(\square\)
Proof
(of Theorem 5 - item 2 (parallel composition))
We shall prove that given any two co-safety (extension-closed) properties \(\varphi _1\) and \(\varphi _2\), then \(\forall \sigma \in \varSigma ^*: (E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma ) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\). We prove this using induction on the length of the input word \(\sigma\).
Induction basis. Similar to induction basis in Proof of Theorem 4.
Induction step. Assume that for every \(\sigma \in \varSigma ^*\) of some length \(n \in {\mathbb {N}}\), item 2 of Theorem 5 holds. That is, \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma ) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\). We now prove that for any \(a\in \varSigma\), item 2 of Theorem 5 holds for \(\sigma \cdot a\). We have the following four possible cases:
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\).
Similar to the first case in Proof A.4, using Theorem 6 (Tr2) and Lemma 1, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)= (E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a) = \sigma \cdot a\).
-
Case \(\sigma \cdot a \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\).
Let us first examine \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \not \in \varphi _2\), \(\sigma \cdot a \not \in \varphi _1 \cap \varphi _2\). From Definition 2, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\). Since \(\varphi _1\) and \(\varphi _2\) are co-safety properties, \(\varphi _1 \cap \varphi _2\) is a co-safety property and since \(\sigma \cdot a \not \in \varphi _1 \cap \varphi _2\), \(\forall \sigma '\preccurlyeq \sigma \cdot a\), \(\sigma ' \not \in \varphi _1 \cap \varphi _2\). We can thus derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = \epsilon\).
Let us now examine \((E_{{\varphi _1}}||_1 E_{{\varphi _2}})(\sigma \cdot a)\). Since \(\sigma \cdot a \in \varphi _1\), from Definition 2, Theorem 6 (Tr2) and Lemma 1, we can derive that \(E_{{\varphi _1}}(\sigma \cdot a) = \sigma \cdot a\). Since, \(\sigma \cdot a \not \in \varphi _2\), we can derive that \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\). Since \(\varphi _2\) is a co-safety property and \(\sigma \cdot a \not \in \varphi _2\), \(\forall \sigma '\preccurlyeq \sigma \cdot a\), we have \(\sigma ' \not \in \varphi _2\) and we can thus derive that \(E_{{\varphi _2}}(\sigma \cdot a) = \epsilon\). Thus \(merge(\sigma \cdot a, \epsilon ) = \epsilon\).
Since \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a) = E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = \epsilon\), the theorem holds in this case.
-
Case \(\sigma \cdot a \not \in \varphi _1\) and \(\sigma \cdot a \in \varphi _2\). Similar to the previous case.
-
Case \(\sigma \cdot a \not \in \varphi _1\) and \(\sigma \cdot a \not \in \varphi _2\). Let us first examine \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\). Since \(\sigma \cdot a \not \in \varphi _1\), and \(\sigma \cdot a \not \in \varphi _2\), we have \(\sigma \cdot a \not \in \varphi _1 \cap \varphi _2\). From the definition of the enforcement function, we can derive that \(E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a) = E_{{\varphi _1\cap \varphi _2}}(\sigma )\).
Let us now examine \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a)\). Since, \(\sigma \cdot a \not \in \varphi _1\) and \(\varphi _1\) is a co-safety property, we can derive that \(E_{{\varphi _1}}(\sigma \cdot a) = E_{{\varphi _1}}(\sigma )\). Similarly we can also derive that \(E_{{\varphi _2}}(\sigma \cdot a) = E_{{\varphi _2}}(\sigma )\).
Using induction hypothesis, we can conclude that \((E_{{\varphi _1}}||_1E_{{\varphi _2}})(\sigma \cdot a)= E_{{\varphi _1\cap \varphi _2}}(\sigma \cdot a)\).
\(\square\)
Rights and permissions
Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Pinisetty, S., Pradhan, A., Roop, P. et al. Compositional runtime enforcement revisited. Form Methods Syst Des 59, 205–252 (2021). https://doi.org/10.1007/s10703-022-00401-y
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10703-022-00401-y