Preliminary investigations on runtime enforcement implementations

Abstract

Runtime Enforcement is a practical analysis technique that ensures the system behaves correctly, according to some behavioural specifications, via runtime checks. This technique adds an extra authentication layer that ensures that only correct information is exhibited by the system to the outside environment. There is little work on how to best conduct Runtime Enforcement in actor systems. Therefore it is not yet clear which technique one should employ when creating a runtime enforcement monitor in actor systems. This work investigates three novel instrumentation strategies of how to apply a runtime enforcement monitor with actor systems. The three strategies we put forth intend to achieve the instrumentation of the system in a distinct manner. The first implementation is that of a send intercept strategy which is able to intercept outgoing messages from the system. A second implementation concerns a serialised strategy that only allows one client to execute at any moment in time. This strategy switches the client’s address with its own as to deceive the system into communicating with the monitoring entity. The third and final strategy is similar to the serialised strategy in structure. This strategy assigns each client their own monitoring stub, and proceeds to swap the client’s address with the address belonging to the monitoring stub. This work continues by explaining the reasoning behind each instrumentation strategy and accompanies it with a detailed description of how their implementation is carried out. Finally these strategies are applied on a third party software where an analysis in terms of their efficiency, in terms of overheads, and their genericity, in terms of their ability to encapsulate different types of systems, is performed. Through our evaluation we conclude that the send intercept strategy yields the best results. However, this strategy induces the highest instrumentation burden and as a consequence it is not always viable to be used. In cases where the burden is too great to be handled it would be ideal to use the monitoring stubs as an alternate strategy.