108 results on '"runtime enforcement"'
Search Results
2. A Formal Approach for Safe Reinforcement Learning: A Rate-Adaptive Pacemaker Case Study
- Author
Vuppala, Sai Rohan Harshavardhan, Allen, Nathan, Pinisetty, Srinivas, Roop, Partha, Goos, Gerhard, Series Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Ábrahám, Erika, editor, and Abbas, Houssam, editor
- Published
- 2025
- Full Text
- View/download PDF
3. Adaptive Industrial Control Systems via IEC 61499 and Runtime Enforcement.
- Author
Faqrizal, Irman, Salaün, Gwen, and Falcone, Yliès
- Abstract
This work envisions industrial control systems that can reliably adapt to requirements. We rely on the international standard IEC 61499 to achieve this goal. The standard allows downtimeless system evolution such that an application can be modified at runtime to satisfy the requirements. However, an IEC 61499 application consisting of multiple Function Blocks (FBs) can be modified in many different ways, such as inserting or deleting FBs, creating new FBs with their respective internal behaviours and adjusting the connections between FBs. These changes require considerable effort and cost, and there is no guarantee to satisfy the requirements. This article applies runtime enforcement techniques for supporting adaptive IEC 61499 applications. This set of techniques can modify the runtime behaviour of a system according to specific requirements. Our approach begins with specifying the requirements in a state machine-based notation called contract automaton. This automaton is then used to synthesise an enforcer as an FB. Finally, the new FB is integrated into the application to execute according to the requirements. Tool support is developed to automate the approach. Experiments were performed to evaluate the performance of enforcers by measuring the execution time of several applications before and after the integration of enforcers. [ABSTRACT FROM AUTHOR]
- Published
- 2024
- Full Text
- View/download PDF
4. Proactive Real-Time First-Order Enforcement
- Author
Hublet, François, Lima, Leonardo, Basin, David, Krstić, Srđan, Traytel, Dmitriy, Goos, Gerhard, Series Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Gurfinkel, Arie, editor, and Ganesh, Vijay, editor
- Published
- 2024
- Full Text
- View/download PDF
5. Enforcing the GDPR
- Author
Hublet, François, Basin, David, Krstić, Srđan, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Tsudik, Gene, editor, Conti, Mauro, editor, Liang, Kaitai, editor, and Smaragdakis, Georgios, editor
- Published
- 2024
- Full Text
- View/download PDF
6. Bounded-memory runtime enforcement with probabilistic and performance analysis.
- Author
Shankar, Saumya, Pradhan, Ankit, Pinisetty, Srinivas, Rollet, Antoine, and Falcone, Yliès
- Subjects
SYSTEM safety, MARKOV processes
- Abstract
Runtime Enforcement (RE) is a technique aimed at monitoring the executions of a system at runtime and ensuring its compliance with a set of formal requirements (properties). RE employs an enforcer (a safety wrapper for the system) which modifies the (untrustworthy) output by performing actions such as delaying (by storing/buffering) and suppressing events, when needed. In this paper, to handle practical applications with memory constraints, we propose a new RE paradigm where the memory of the enforcer is bounded/finite. Besides the property to be enforced, the user specifies a bound on the enforcer memory. Bounding the memory poses various challenges, such as how to handle the situation when the memory is full and how to optimally discard events from the buffer to accommodate new events and let the enforcer continue operating. We define the bounded-memory RE problem and develop a framework for any regular property. All of our results are formalized and proved. We also analyze probabilistically how much memory is required in the average case for a given regular property, such that the output of the bounded enforcer is equal to that of the unbounded enforcer up to a fixed probability. The proposed framework is implemented and a case study is worked out to show the practicability and usefulness of the bounded enforcer in the real world and to show the usage of the aforementioned probabilistic analysis on them. The performance is evaluated via some examples from application scenarios and it indicates linear changes in the execution time of the enforcers in response to increases in trace length, property complexity, and buffer sizes. [ABSTRACT FROM AUTHOR]
- Published
- 2024
- Full Text
- View/download PDF
7. Scalable Security Enforcement for Cyber Physical Systems
- Author
Alex Baird, Abhinandan Panda, Hammond Pearce, Srinivas Pinisetty, and Partha Roop
- Subjects
Security, runtime enforcement, synchronous programming, cyber-physical systems, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract
The security of Cyber-Physical Systems (CPSs) is increasingly important as more and more of these systems are added to the Internet of Things (IoT). As we increase the complexity and connectivity of our smart systems, we likewise broaden their digital attack surface. Recorded attacks on CPSs have caused significant physical impacts, making methods for mitigation of attacks of paramount importance. The use of runtime enforcement (RE) can prevent violation of security policies. Here, runtime enforcers intervene before the CPS is compromised. Two key challenges are presented: (1) for complex systems, methods for automatically composing multiple policies are lacking; and (2) runtime enforcers are themselves executed digitally, meaning they too could have potential security vulnerabilities. We present the first comprehensive runtime enforcement framework which addresses both challenges. It can compose a lot of security policies in parallel and synthesize these policies into the more trustworthy hardware layers of a system. This removes reliance on potentially vulnerable firmware and software layers. We demonstrate our approach with policies to mitigate a set of attacks on a Fused Filament Fabrication (FFF) 3D printer. The experimental results show linear growth in logic element and register usage as the number of policies increases. This compares favourably to the exponential state space explosion that occurs with the conventional approach of monolithic composition. Additionally, we find higher enforcer clock frequencies are possible with the proposed parallel approach compared to existing serial approaches.
- Published
- 2024
- Full Text
- View/download PDF
8. Online shielding for reinforcement learning.
- Author
Könighofer, Bettina, Rudolf, Julian, Palmisano, Alexander, Tappler, Martin, and Bloem, Roderick
- Abstract
Besides the recent impressive results on reinforcement learning (RL), safety is still one of the major research challenges in RL. RL is a machine-learning approach to determine near-optimal policies in Markov decision processes (MDPs). In this paper, we consider the setting where the safety-relevant fragment of the MDP together with a temporal logic safety specification is given, and many safety violations can be avoided by planning ahead a short time into the future. We propose an approach for online safety shielding of RL agents. During runtime, the shield analyses the safety of each available action. For any action, the shield computes the maximal probability to not violate the safety specification within the next k steps when executing this action. Based on this probability and a given threshold, the shield decides whether to block an action from the agent. Existing offline shielding approaches compute exhaustively the safety of all state-action combinations ahead of time, resulting in huge computation times and large memory consumption. The intuition behind online shielding is to compute at runtime the set of all states that could be reached in the near future. For each of these states, the safety of all available actions is analysed and used for shielding as soon as one of the considered states is reached. Our approach is well-suited for high-level planning problems where the time between decisions can be used for safety computations and it is sustainable for the agent to wait until these computations are finished. For our evaluation, we selected a 2-player version of the classical computer game Snake. The game represents a high-level planning problem that requires fast decisions and the multiplayer setting induces a large state space, which is computationally expensive to analyse exhaustively. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
9. Incremental Security Enforcement for Cyber-Physical Systems
- Author
Abhinandan Panda, Alex Baird, Srinivas Pinisetty, and Partha Roop
- Subjects
Cyber-physical systems, runtime enforcement, security, synchronous programming, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract
Cyber-Physical attacks (CP-attacks) are launched either from the cyber-space or from the physical-space to take control of a Cyber-Physical System (CPS). Unlike conventional cyber-attacks, which are prevented through new security patches as new attacks emerge, there are no known mechanisms for incrementally patching CPS in the event of new attacks. To this end, we develop a novel approach based on recent advances in mitigating CP-attacks using run-time enforcement (RE). RE-methods have been developed for CPS, such as industrial processes and pacemakers. However, the proposed solutions are not developed considering the need for future patching as new attacks emerge. To this end, we develop the first compositional RE framework, which is specifically developed to be able to add new security patches as new security policies are added. We illustrate our approach using the case study of a drone swarm. The experimental results show that the proposed compositional/incremental approach does not suffer from the state space explosion, unlike the monolithic composition. We demonstrate a linear relationship between compile time, compile size, and execution time as the number of policies increases in the proposed compositional scheme.
- Published
- 2023
- Full Text
- View/download PDF
10. Correct-by-Construction Runtime Enforcement in AI – A Survey
- Author
Könighofer, Bettina, Bloem, Roderick, Ehlers, Rüdiger, Pek, Christian, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Raskin, Jean-François, editor, Chatterjee, Krishnendu, editor, Doyen, Laurent, editor, and Majumdar, Rupak, editor
- Published
- 2022
- Full Text
- View/download PDF
11. Non-functional Testing of Runtime Enforcers in Android
- Author
Riganelli, Oliviero, Micucci, Daniela, Mariani, Leonardo, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, and Margaria, Tiziana, editor
- Published
- 2022
- Full Text
- View/download PDF
12. Bounded-Memory Runtime Enforcement
- Author
Shankar, Saumya, Rollet, Antoine, Pinisetty, Srinivas, Falcone, Yliès, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Legunsen, Owolabi, editor, and Rosu, Grigore, editor
- Published
- 2022
- Full Text
- View/download PDF
13. Industrial Control Systems Security via Runtime Enforcement.
- Author
LANOTTE, RUGGERO, MERRO, MASSIMO, and MUNTEANU, ANDREI
- Subjects
INDUSTRY 4.0, CYBERTERRORISM, CONTROLLERSHIP, MALWARE, LANGUAGE & languages
- Abstract
With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control systems. In this article, we propose a formal approach based on runtime enforcement to ensure specification compliance in networks of controllers, possibly compromised by colluding malware that may locally tamper with actuator commands, sensor readings, and inter-controller communications. Our approach relies on an ad hoc sub-class of Ligatti et al.'s edit automata to enforce controllers represented in Hennessy and Regan's Timed Process Language. We define a synthesis algorithm that, given an alphabet P of observable actions and a timed correctness property e, returns a monitor that enforces the property e during the execution of any (potentially corrupted) controller with alphabet P, and complying with the property e. Our monitors do mitigation by correcting and suppressing incorrect actions of corrupted controllers and by generating actions in full autonomy when the controller under scrutiny is not able to do so in a correct manner. Besides classical requirements, such as transparency and soundness, the proposed enforcement enjoys deadlock- and diverge-freedom of monitored controllers, together with scalability when dealing with networks of controllers. Finally, we test the proposed enforcement mechanism on a non-trivial case study, taken from the context of industrial water treatment systems, in which the controllers are injected with different malware with different malicious goals. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
14. A multi-trace model for runtime enforcement and verification under uncertainty
- Author
Taleb, Rania
- Abstract
Runtime Verification is the process of observing a sequence of events produced by a running software system and determining whether this sequence complies with a specified property expressed using a formal notation. It is commonly believed that a monitor possesses full access to the event trace. However, there are numerous scenarios where the monitor functions with a certain degree of uncertainty regarding the trace’s content. In this thesis, we define a logical framework where uncertainty is modeled by a stateful access control proxy that has the capacity to transform events into sets of possible events, resulting in what we refer to as a “multi-trace”. We also provide an algorithm to lift a classical monitor into a sound, loss-tolerant monitor. Both the proxy and the monitor are extensions of Mealy machines. Experiments conducted on various scenarios demonstrate that our approach can effectively account for various types of data degradation and access limitations. Furthermore, our approach provides a tighter verdict than existing works in some cases and preserves the scalable performance of the model. In other scenarios, it is crucial for the underlying system to adhere to specific security policies. In such cases, runtime enforcement can be employed to ensure the respect of a user-specified security policy by a program. This is achieved by providing a valid replacement for any misbehaving sequence of events that may occur during the program’s execution. However, depending on the capabilities of the enforcement mechanism, multiple possible replacement sequences may be available, and the current literature lacks guidance on how to choose the optimal one. Additionally, the current design of runtime monitors imposes a substantial burden on the designer, as the monitoring task is typically accomplished by a monolithic construct, often an automata-based model. This thesis addresses these issues by proposing a new modular model of enforcement monitors, where the tasks o
- Published
- 2024
15. Automatic testing of runtime enforcers with Test4Enforcers
- Author
Riganelli, O., Micucci, D., and Mariani, L.
- Abstract
Users regularly use apps to access services in a range of domains, such as health, productivity, entertainment, and business. The safety and correctness of the runtime behavior of these apps is thus a key concern for users. Indeed, unreliable apps may generate dissatisfaction, frustration and issues for users. Runtime enforcement techniques can be used to implement software enforcers that monitor executions and apply corrective actions when needed, potentially preventing misbehaviors and failures. However, enforcers might be faulty themselves, applying the wrong actions or failing to apply the right actions. To address this problem, this paper presents Test4Enforcers, an approach to automatically test software enforcers. Test4Enforcers relies on an enforcement model describing the strategy that shall be applied at runtime to correct misbehaviors. Test4Enforcers first uses the enforcement model to derive a specification of the test cases that shall be executed to validate any software enforcer implemented from the given model. Then, it automatically turns the test specification into a set of concrete test cases that can be executed against apps augmented with the enforcers. We evaluated Test4Enforcers with a set of 3,135 faults injected in the enforcers derived from 13 enforcement models. Results show that Test4Enforcers can automatically reveal 64% of the faults, while existing approaches relying on crash detection can only reveal 6% of the faults. Test4Enforcers is also practical, since testing an enforcer required 9 min in the worst case.
- Published
- 2024
16. Test4Enforcers: Test Case Generation for Software Enforcers
- Author
Guzman, Michell, Riganelli, Oliviero, Micucci, Daniela, Mariani, Leonardo, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Deshmukh, Jyotirmoy, editor, and Ničković, Dejan, editor
- Published
- 2020
- Full Text
- View/download PDF
17. A Formal Framework for Consent Management
- Author
Tokas, Shukun, Owe, Olaf, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Gotsman, Alexey, editor, and Sokolova, Ana, editor
- Published
- 2020
- Full Text
- View/download PDF
18. Decentralized deadlock-free enforcement of message orderings in message-based systems.
- Author
Samadi, Mahboubeh, Ghassemi, Fatemeh, and Khosravi, Ramtin
- Subjects
SCALABILITY
- Abstract
Message-based systems usually consist of distributed components that communicate using asynchronous message passing. In such systems, particular message orderings may violate some required properties. Given an automata-based specification of unwanted message sequences, we propose a decentralized deadlock-free runtime enforcement algorithm to prevent the formation of such sequences. In our approach, components are equipped with monitors executed concurrently. A component is only blocked before sending or receiving the last message of a sequence, until its associated monitor checks that such a message does not complete an unwanted sequence. According to the specification of unwanted sequences, some blocked components may suffer from a deadlock. Our deadlock-free algorithm guarantees that monitors detect and resolve such deadlocks by improving the existing deadlock detection algorithms. We evaluate the efficiency and scalability of our approach in terms of the communication overhead, the prevention latency, and the overhead of deadlock detection through simulation. [ABSTRACT FROM AUTHOR]
- Published
- 2024
- Full Text
- View/download PDF
19. Compositional runtime enforcement revisited.
- Author
Pinisetty, Srinivas, Pradhan, Ankit, Roop, Partha, and Tripakis, Stavros
- Abstract
Runtime enforcement is a methodology used to enforce that the output of a running system satisfies a desired property. Given a property, an enforcement monitor modifies an (untrusted) sequence of events into a sequence that complies with that property. In practice, we may have not one, but many properties to enforce. Moreover, new properties may arise as new capabilities are added to the system. It is thus important to construct not a single, i.e., monolithic monitor, but rather several monitors, one for each property. The question is to what extent such monitors can be composed, and how. In this paper, we study two enforcement monitor composition schemes, serial and parallel composition. We show that runtime enforcement is compositional for general regular properties with respect to one of the parallel composition schemes defined. We also show that runtime enforcement is not compositional with respect to serial composition for general regular properties, but it is for certain subclasses of regular properties. The proposed compositional runtime enforcement framework is formalized and implemented. Our experimental results demonstrate the pros and cons of using the compositional approach versus the monolithic one with respect to performance. [ABSTRACT FROM AUTHOR]
- Published
- 2022
- Full Text
- View/download PDF
20. A process calculus approach to detection and mitigation of PLC malware.
- Author
Lanotte, Ruggero, Merro, Massimo, and Munteanu, Andrei
- Subjects
PROGRAMMABLE controllers, MALWARE, CALCULUS, ALGORITHMS
- Abstract
• Timed process calculi for expressing both genuine and malicious activities within a PLC.
• Runtime enforcement based on Ligatti et al.'s edit automata.
• Algorithms to synthesise edit automata from PLC specifications.
• Simulation and bisimulation proof techniques.
• Simulations of a significant use case in Simulink/Matlab.
We define a simple process calculus, based on Hennessy and Regan's Timed Process Language, for specifying networks of communicating programmable logic controllers (PLCs) enriched with monitors enforcing specification compliance at runtime. We define a synthesis algorithm that, given an uncorrupted PLC, returns a monitor that enforces the correctness of the PLC, even when injected with malware that may forge/drop actuator commands and inter-controller communications. Then, we strengthen the capabilities of our monitors by allowing the insertion of actions to mitigate malware activities. This gives us deadlock-freedom monitoring: malware may not drag monitored controllers into deadlock states. Our enforcing monitors represent a formal mechanism for prompt detection of malicious activities within PLCs. Finally, we illustrate our results by implementing in Simulink a non-trivial Water Transmission Network (WTN) system, and testing the effectiveness of our monitors in detecting and mitigating three different attacks targeting the PLCs of our WTN. [ABSTRACT FROM AUTHOR]
- Published
- 2021
- Full Text
- View/download PDF
21. Runtime Failure Prevention and Reaction
- Author
Falcone, Yliès, Mariani, Leonardo, Rollet, Antoine, Saha, Saikat, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Bartocci, Ezio, editor, and Falcone, Yliès, editor
- Published
- 2018
- Full Text
- View/download PDF
22. Increasing the Reusability of Enforcers with Lifecycle Events
- Author
Riganelli, Oliviero, Micucci, Daniela, Mariani, Leonardo, Hutchison, David, Editorial Board Member, Kanade, Takeo, Editorial Board Member, Kittler, Josef, Editorial Board Member, Kleinberg, Jon M., Editorial Board Member, Mattern, Friedemann, Editorial Board Member, Mitchell, John C., Editorial Board Member, Naor, Moni, Editorial Board Member, Pandu Rangan, C., Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Terzopoulos, Demetri, Editorial Board Member, Tygar, Doug, Editorial Board Member, Weikum, Gerhard, Series Editor, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Woeginger, Gerhard, Editorial Board Member, Yung, Moti, Editorial Board Member, and Margaria, Tiziana, editor
- Published
- 2018
- Full Text
- View/download PDF
23. Comparing controlled system synthesis and suppression enforcement.
- Author
Aceto, Luca, Cassar, Ian, Francalanza, Adrian, and Ingólfsdóttir, Anna
- Subjects
EXECUTIONS & executioners
- Abstract
Runtime enforcement and control system synthesis are two verification techniques that automate the process of transforming an erroneous system into a valid one. As both techniques can modify the behaviour of a system to prevent erroneous executions, they are both ideal for ensuring safety. In this paper, we investigate the interplay between these two techniques and identify control system synthesis as being the static counterpart to suppression-based runtime enforcement, in the context of safety properties. [ABSTRACT FROM AUTHOR]
- Published
- 2021
- Full Text
- View/download PDF
24. GREP: Games for the Runtime Enforcement of Properties
- Author
Renard, Matthieu, Rollet, Antoine, Falcone, Yliès, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Yevtushenko, Nina, editor, Cavalli, Ana Rosa, editor, and Yenigün, Hüsnü, editor
- Published
- 2017
- Full Text
- View/download PDF
25. Verifying Policy Enforcers
- Author
Riganelli, Oliviero, Micucci, Daniela, Mariani, Leonardo, Falcone, Yliès, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Lahiri, Shuvendu, editor, and Reger, Giles, editor
- Published
- 2017
- Full Text
- View/download PDF
26. PolEnA: Enforcing Fine-grained Permission Policies in Android
- Author
Costa, Gabriele, Sinigaglia, Federico, Carbone, Roberto, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Tonetta, Stefano, editor, Schoitsch, Erwin, editor, and Bitsch, Friedemann, editor
- Published
- 2017
- Full Text
- View/download PDF
27. Decentralized runtime enforcement for robotic swarms.
- Author
Hu, Chi, Dong, Wei, Yang, Yong-hui, Shi, Hao, and Deng, Fei
- Abstract
Robotic swarms are usually designed in a bottom-up way, which can make robotic swarms vulnerable to environmental impact. It is particularly true for the widely used control mode of robotic swarms, where it is often the case that neither the correctness of the swarming tasks at the macro level nor the safety of the interaction among agents at the micro level can be guaranteed. To ensure that the behaviors are safe at runtime, it is necessary to take into account the property guard approaches for robotic swarms in uncertain environments. Runtime enforcement is an approach which can guarantee the given properties in system execution and has no scalability issue. Although some runtime enforcement methods have been studied and applied in different domains, they cannot effectively solve the problem of property enforcement on robotic swarm tasks at present. In this paper, an enforcement method is proposed on swarms which should satisfy multi-level properties in uncertain environments. We introduce a macro-micro property enforcing framework with the notion of agent shields and a discrete-time enforcing mechanism called D-time enforcing. To realize this method, a domain specification language and the corresponding enforcer synthesis algorithms are developed. We then apply the approach to enforce the properties of the simulated robotic swarm in the robotflocksim platform. We evaluate and show the effectiveness of the method with experiments on specific unmanned aerial vehicle swarm tasks. [ABSTRACT FROM AUTHOR]
- Published
- 2020
- Full Text
- View/download PDF
28. Bounded-Memory Runtime Enforcement of Timed Properties
- Author
Shankar, Saumya, Pinisetty, Srinivas, and Jéron, Thierry
- Abstract
Runtime Enforcement (RE) is a monitoring technique aimed at correcting possibly incorrect executions w.r.t. a set of formal requirements (properties) of a system. In this paper, we consider enforcement monitoring of real-time properties. Thus, executions are modelled as timed words and specifications as timed automata. Moreover, we consider that the enforcer has the ability to delay events by storing or buffering them into its internal memory (and releasing them when the property is finally satisfied) and suppressing events when no delaying is appropriate. Practically, in an implementation, the internal memory of the enforcer is finite. In this paper, we propose a new RE paradigm for timed properties, where the memory of the enforcer is bounded/finite, to address practical applications with memory constraints and timed specifications. Bounding the memory presents a number of difficulties, e.g., how to accommodate a timed event into the memory when the memory is full, s.t., regardless of the course of action we choose to handle this situation, the behaviour of the bounded enforcer should not significantly differ from that of the unbounded enforcer. The problem of how to optimally discard events when the buffer is full is significantly more difficult in a timed environment where the progress of time affects the satisfaction or violation of a property. We define the bounded-memory RE problem for timed properties and develop a framework for regular timed properties specified as timed automata. The proposed framework is implemented in Python, and its performance is evaluated. From experiments, we discovered that the enforcer has a reasonable execution time overhead.
- Published
- 2023
- Full Text
- View/download PDF
29. Industrial Control Systems Security via Runtime Enforcement
- Author
Ruggero Lanotte, Massimo Merro, and Andrei Munteanu
- Subjects
PLC malware, Mitigation, General Computer Science, Runtime Enforcement, Industrial Control Systems Security, Safety, Risk, Reliability and Quality
- Abstract
With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control systems. In this article, we propose a formal approach based on runtime enforcement to ensure specification compliance in networks of controllers, possibly compromised by colluding malware that may locally tamper with actuator commands, sensor readings, and inter-controller communications. Our approach relies on an ad-hoc sub-class of Ligatti et al.'s edit automata to enforce controllers represented in Hennessy and Regan's Timed Process Language. We define a synthesis algorithm that, given an alphabet 𝒫 of observable actions and a timed correctness property e, returns a monitor that enforces the property e during the execution of any (potentially corrupted) controller with alphabet 𝒫, and complying with the property e. Our monitors do mitigation by correcting and suppressing incorrect actions of corrupted controllers and by generating actions in full autonomy when the controller under scrutiny is not able to do so in a correct manner. Besides classical requirements, such as transparency and soundness, the proposed enforcement enjoys deadlock- and diverge-freedom of monitored controllers, together with scalability when dealing with networks of controllers. Finally, we test the proposed enforcement mechanism on a non-trivial case study, taken from the context of industrial water treatment systems, in which the controllers are injected with different malware with different malicious goals.
- Published
- 2022
- Full Text
- View/download PDF
30. Compositional runtime enforcement revisited
- Author
-
Pinisetty, Srinivas, Pradhan, Ankit, Roop, Partha, and Tripakis, Stavros
- Published
- 2021
- Full Text
- View/download PDF
31. AppGuard – Fine-Grained Policy Enforcement for Untrusted Android Applications
- Author
-
Backes, Michael, Gerling, Sebastian, Hammer, Christian, Maffei, Matteo, von Styp-Rekowsky, Philipp, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Kobsa, Alfred, Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Weikum, Gerhard, Series editor, Garcia-Alfaro, Joaquin, editor, Lioudakis, Georgios, editor, Cuppens-Boulahia, Nora, editor, Foley, Simon, editor, and Fitzgerald, William M., editor
- Published
- 2014
- Full Text
- View/download PDF
32. Instrumenting Android and Java Applications as Easy as abc
- Author
-
Arzt, Steven, Rasthofer, Siegfried, Bodden, Eric, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Legay, Axel, editor, and Bensalem, Saddek, editor
- Published
- 2013
- Full Text
- View/download PDF
33. Cost-Aware Runtime Enforcement of Security Policies
- Author
-
Drábik, Peter, Martinelli, Fabio, Morisset, Charles, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Jøsang, Audun, editor, Samarati, Pierangela, editor, and Petrocchi, Marinella, editor
- Published
- 2013
- Full Text
- View/download PDF
34. A Quantitative Approach for Inexact Enforcement of Security Policies
- Author
-
Drábik, Peter, Martinelli, Fabio, Morisset, Charles, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Gollmann, Dieter, editor, and Freiling, Felix C., editor
- Published
- 2012
- Full Text
- View/download PDF
35. Runtime Enforcement of Information Flow Security in Tree Manipulating Processes
- Author
-
Kovács, Máté, Seidl, Helmut, Hutchison, David, Series editor, Kanade, Takeo, Series editor, Kittler, Josef, Series editor, Kleinberg, Jon M., Series editor, Mattern, Friedemann, Series editor, Mitchell, John C., Series editor, Naor, Moni, Series editor, Nierstrasz, Oscar, Series editor, Pandu Rangan, C., Series editor, Steffen, Bernhard, Series editor, Sudan, Madhu, Series editor, Terzopoulos, Demetri, Series editor, Tygar, Doug, Series editor, Vardi, Moshe Y., Series editor, Weikum, Gerhard, Series editor, Barthe, Gilles, editor, Livshits, Benjamin, editor, and Scandariato, Riccardo, editor
- Published
- 2012
- Full Text
- View/download PDF
36. A process calculus approach to detection and mitigation of PLC malware
- Author
-
Massimo Merro, Andrei Munteanu, and Ruggero Lanotte
- Subjects
Programmable logic controller, Correctness, PLC correctness, Mitigation, General Computer Science, SIMPLE (military communications protocol), business.industry, Computer science, Process calculus, Process (computing), Deadlock, computer.software_genre, Theoretical Computer Science, Embedded system, Malware detection, Malware, Runtime enforcement, Actuator, business, computer
- Abstract
We define a simple process calculus, based on Hennessy and Regan's Timed Process Language, for specifying networks of communicating programmable logic controllers (PLCs) enriched with monitors enforcing specification compliance at runtime. We define a synthesis algorithm that given an uncorrupted PLC returns a monitor that enforces the correctness of the PLC, even when injected with malware that may forge/drop actuator commands and inter-controller communications. Then, we strengthen the capabilities of our monitors by allowing the insertion of actions to mitigate malware activities. This gives us deadlock-freedom monitoring: malware may not drag monitored controllers into deadlock states. Our enforcing monitors represent a formal mechanism for prompt detection of malicious activities within PLCs. Finally, we illustrate our results by implementing in Simulink a non-trivial Water Transmission Network (WTN) system, and testing the effectiveness of our monitors in detecting and mitigating three different attacks targeting the PLCs of our WTN.
- Published
- 2021
- Full Text
- View/download PDF
37. INVITED: Safety Guard: Runtime Enforcement for Safety-Critical Cyber-Physical Systems.
- Author
-
Meng Wu, Haibo Zeng, Chao Wang, and Huafeng Yu
- Subjects
COMPUTER security, COMPUTER systems, DATA privacy, DATA security, MALWARE
- Abstract
Due to their safety-critical nature, cyber-physical systems (CPS) must tolerate faults and security attacks to remain fail-operational. However, conventional techniques for improving safety, such as testing and validation, do not meet this requirement, as shown by many of the real-world system failures in recent years, often with major economic and public-safety implications. We aim to improve the safety of critical CPS through synthesis of runtime enforcers, named safety guards, which are reactive components attached to the original systems to protect them against catastrophic failures. That is, even if the system occasionally malfunctions due to unknown defects, transient errors, or malicious attacks, the guard always reacts instantaneously to ensure that the combined system satisfies a predefined set of safety properties, and the deviation from the original system is kept at minimum. We illustrate the main ideas of this approach with examples, discuss the advantages compared to existing approaches, and point out some research challenges. [ABSTRACT FROM AUTHOR]
- Published
- 2017
- Full Text
- View/download PDF
38. Non-functional Testing of Runtime Enforcers in Android
- Author
-
Margaria, T, Steffen, B, Riganelli, O, Micucci, D, and Mariani, L
- Abstract
Runtime enforcers can be used to ensure that running applications satisfy desired correctness properties. Although runtime enforcers that are correct-by-construction with respect to abstract behavioral models are relatively easy to specify, the concrete software enforcers generated from these specifications may easily introduce issues in the target application. Indeed developers can generate test suites to verify the functional behavior of the enforcers, for instance exploiting the same models used to specify them. However, it remains challenging and tedious to verify the behavior of enforcers in terms of non-functional performance characteristics. This paper describes a practical approach to reveal runtime enforcers that may introduce inefficiencies in the target application. The approach relies on a combination of automatic test generation and runtime monitoring of multiple key performance indicators. We designed our approach to reveal issues in four indicators for mobile systems: responsiveness, launch time, memory, and energy consumption. Experimental results show that our approach can detect performance issues that might be introduced by automatically generated enforcers.
- Published
- 2022
39. Proactive Libraries: Enforcing Correct Behaviors in Android Apps
- Author
-
Riganelli, O, Daniel Fagadau, I, Micucci, D, and Mariani, L
- Abstract
The Android framework provides a rich set of APIs that can be exploited by developers to build their apps. However, the rapid evolution of these APIs jointly with the specific characteristics of the lifecycle of the Android components challenge developers, who may release apps that use APIs incorrectly. In this demo, we present Proactive Libraries, a tool that can be used to decorate regular libraries with the capability of proactively detecting and healing API misuses at runtime. Proactive Libraries blend libraries with multiple proactive modules that collect data, check the compliance of API usages with correctness policies, and heal executions as soon as the possible violation of a policy is detected. The results of our evaluation with 27 possible API misuses show the effectiveness of Proactive Libraries in correcting API misuses with negligible runtime overhead. Video: https://youtu.be/rkfZ38mPgV0 Repo: https://gitlab.com/learnERC/proactivelibrary
- Published
- 2022
40. Runtime enforcement of timed properties using games
- Author
-
Renard, Matthieu, Rollet, Antoine, and Falcone, Yliès
- Published
- 2020
- Full Text
- View/download PDF
41. Runtime Enforcement of Cyber-Physical Systems.
- Author
-
PINISETTY, SRINIVAS, ROOP, PARTHA S., SMYTH, STEVEN, ALLEN, NATHAN, TRIPAKIS, STAVROS, and VON HANXLEDEN, REINHARD
- Subjects
CYBER physical systems, EMBEDDED computer systems, MEDICAL equipment, COMPUTER systems, DISCRETE systems
- Abstract
Many implantable medical devices, such as pacemakers, have been recalled due to failure of their embedded software. This motivates rethinking their design and certification processes. We propose, for the first time, an additional layer of safety by formalising the problem of run-time enforcement of implantable pacemakers. While recent work has formalised run-time enforcement of reactive systems, the proposed framework generalises existing work along the following directions: (1) we develop bi-directional enforcement, where the enforced policies depend not only on the status of the pacemaker (the controller) but also of the heart (the plant), thus formalising the run-time enforcement problem for cyber-physical systems, (2) we express policies using a variant of discrete timed automata (DTA), which can cover all regular properties unlike earlier frameworks limited to safety properties, (3) we are able to ensure the timing safety of implantable devices through the proposed enforcement, and (4) we show that the DTA-based approach is efficient relative to its dense time variant while ensuring that the discretisation error is relatively small and bounded. The developed approach is validated through a prototype system implemented using the open source KIELER framework. The experiments show that the framework incurs minimal runtime overhead. [ABSTRACT FROM AUTHOR]
- Published
- 2017
- Full Text
- View/download PDF
42. Predictive runtime enforcement.
- Author
-
Pinisetty, Srinivas, Preoteasa, Viorel, Tripakis, Stavros, Jéron, Thierry, Falcone, Yliès, and Marchand, Hervé
- Subjects
RUN time systems (Computer science), COMPUTER systems, MATHEMATICS theorems, PREDICTIVE validity, SEQUENCE analysis
- Abstract
Runtime enforcement (RE) is a technique to ensure that the (untrustworthy) output of a black-box system satisfies some desired properties. In RE, the output of the running system, modeled as a sequence of events, is fed into an enforcer. The enforcer ensures that the sequence complies with a certain property, by delaying or modifying events if necessary. This paper deals with predictive runtime enforcement, where the system is not entirely black-box, but we know something about its behavior. This a priori knowledge about the system allows to output some events immediately, instead of delaying them until more events are observed, or even blocking them permanently. This in turn results in better enforcement policies. We also show that if we have no knowledge about the system, then the proposed enforcement mechanism reduces to standard (non-predictive) runtime enforcement. All our results related to predictive RE of untimed properties are also formalized and proved in the Isabelle theorem prover. We also discuss how our predictive runtime enforcement framework can be extended to enforce timed properties. [ABSTRACT FROM AUTHOR]
- Published
- 2017
- Full Text
- View/download PDF
43. Fully automated runtime enforcement of component-based systems with formal and sound recovery.
- Author
-
Falcone, Yliès and Jaber, Mohamad
- Subjects
HETEROGENEOUS computing, ROBOTS, SOFTWARE frameworks, DEADLOCK prevention (Manufacturing), BENCHMARKING (Management)
- Abstract
We introduce runtime enforcement of specifications on component-based systems (CBS) modeled in the behavior, interaction and priority (BIP) framework. Runtime enforcement is an increasingly popular and effective dynamic validation technique aiming to ensure the correct runtime behavior (w.r.t. a formal specification) of a system using a so-called enforcement monitor. BIP is a powerful and expressive component-based framework for the formal construction of heterogeneous systems. Because of BIP expressiveness, however, it is difficult to enforce complex behavioral properties at design-time. We first introduce a theoretical runtime enforcement framework for component-based systems where we delineate a hierarchy of enforceable properties (i.e., properties that can be enforced) according to the number of observational steps a system is allowed to deviate from the property (i.e., the notion of k-step enforceability). To ensure the observational equivalence between the correct executions of the initial system and the monitored system, we show that (i) only stutter-invariant properties should be enforced on CBS with our monitors, and (ii) safety properties are 1-step enforceable. Second, given an abstract enforcement monitor for some 1-step enforceable property, we define a series of formal transformations to instrument (at relevant locations) a CBS described in the BIP framework to integrate the monitor. At runtime, the monitor observes and automatically avoids any error in the behavior of the system w.r.t. the property. Third, our approach is fully implemented in RE-BIP, an available tool integrated in the BIP tool suite. Fourth, to validate our approach, we use RE-BIP to (i) enforce deadlock-freedom on a dining philosophers benchmark, and (ii) ensure the correct placement of robots on a map. [ABSTRACT FROM AUTHOR]
- Published
- 2017
- Full Text
- View/download PDF
44. Non-Functional Testing of Runtime Enforcers in Android
- Author
-
Oliviero Riganelli, Daniela Micucci, Leonardo Mariani, Margaria, T, and Steffen, B
- Subjects
Software Engineering (cs.SE), FOS: Computer and information sciences, Computer Science - Software Engineering, Formal Languages and Automata Theory (cs.FL), Computer Science - Formal Languages and Automata Theory, Non-functional testing, Testing enforcer, Android app, Runtime enforcement, ING-INF/05 - SISTEMI DI ELABORAZIONE DELLE INFORMAZIONI
- Abstract
Runtime enforcers can be used to ensure that running applications satisfy desired correctness properties. Although runtime enforcers that are correct-by-construction with respect to abstract behavioral models are relatively easy to specify, the concrete software enforcers generated from these specifications may easily introduce issues in the target application. Indeed developers can generate test suites to verify the functional behavior of the enforcers, for instance exploiting the same models used to specify them. However, it remains challenging and tedious to verify the behavior of enforcers in terms of non-functional performance characteristics. This paper describes a practical approach to reveal runtime enforcers that may introduce inefficiencies in the target application. The approach relies on a combination of automatic test generation and runtime monitoring of multiple key performance indicators. We designed our approach to reveal issues in four indicators for mobile systems: responsiveness, launch time, memory, and energy consumption. Experimental results show that our approach can detect performance issues that might be introduced by automatically generated enforcers. Comment: paper accepted at the 11th International Symposium On Leveraging Applications of Formal Methods, Verification and Validation (ISoLA 2022). arXiv admin note: text overlap with arXiv:2010.04258
- Published
- 2022
- Full Text
- View/download PDF
45. Runtime enforcement of regular timed properties by suppressing and delaying events.
- Author
-
Falcone, Yliès, Jéron, Thierry, Marchand, Hervé, and Pinisetty, Srinivas
- Subjects
SOFTWARE verification, SOFTWARE validation, COMPUTER specifications, ALGORITHMS, COMPUTER programming
- Abstract
Runtime enforcement is a verification/validation technique aiming at correcting possibly incorrect executions of a system of interest. In this paper, we consider enforcement monitoring for systems where the physical time elapsing between actions matters. Executions are thus modelled as timed words (i.e., sequences of actions with dates). We consider runtime enforcement for timed specifications modelled as timed automata. Our enforcement mechanisms have the power of both delaying events to match timing constraints, and suppressing events when no delaying is appropriate, thus possibly allowing for longer executions. To ease their design and their correctness-proof, enforcement mechanisms are described at several levels: enforcement functions that specify the input–output behaviour in terms of transformations of timed words, constraints that should be satisfied by such functions, enforcement monitors that describe the operational behaviour of enforcement functions, and enforcement algorithms that describe the implementation of enforcement monitors. The feasibility of enforcement monitoring for timed properties is validated by prototyping the synthesis of enforcement monitors from timed automata. [ABSTRACT FROM AUTHOR]
- Published
- 2016
- Full Text
- View/download PDF
46. Decentralized Runtime Enforcement of Message Sequences in Message-Based Systems
- Author
-
Samadi, Mahboubeh, Ghassemi, Fatemeh, and Khosravi, Ramtin
- Abstract
In the new generation of message-based systems such as network-based smart systems, distributed components collaborate via asynchronous message passing. In some cases, particular ordering among the messages may lead to violation of the desired properties such as data confidentiality. Due to the absence of a global clock and usage of off-the-shelf components, there is no control over the order of messages at design time. To make such systems safe, we propose a choreography-based runtime enforcement algorithm that given an automata-based specification of unwanted message sequences, prevents certain messages to be sent, and assures that the unwanted sequences are not formed. Our algorithm is fully decentralized in the sense that each component is equipped with a monitor, as opposed to having a centralized monitor. As there is no global clock in message-based systems, the order of messages cannot be determined exactly. In this way, the monitors behave conservatively in the sense that they prevent a message from being sent, even when the sequence may not be formed. We aim to minimize conservative prevention in our algorithm when the message sequence has not been formed. The efficiency and scalability of our algorithm are evaluated in terms of the communication overhead and the blocking duration through simulation.
- Published
- 2021
- Full Text
- View/download PDF
47. Enforcing ω-regular properties in Markov chains by restarting
- Author
-
Esparza, Javier, Kiefer, Stefan, Křetínský, Jan, and Weininger, Maximilian
- Subjects
runtime enforcement, Theory of computation → Verification by model checking, Markov chains, omega-regular properties
- Abstract
Restarts are used in many computer systems to improve performance. Examples include reloading a webpage, reissuing a request, or restarting a randomized search. The design of restart strategies has been extensively studied by the performance evaluation community. In this paper, we address the problem of designing universal restart strategies, valid for arbitrary finite-state Markov chains, that enforce a given ω-regular property while not knowing the chain. A strategy enforces a property φ if, with probability 1, the number of restarts is finite, and the run of the Markov chain after the last restart satisfies φ. We design a simple "cautious" strategy that solves the problem, and a more sophisticated "bold" strategy with an almost optimal number of restarts. LIPIcs, Vol. 203, 32nd International Conference on Concurrency Theory (CONCUR 2021), pages 5:1-5:22
- Published
- 2021
48. Enforcement and validation (at runtime) of various notions of opacity.
- Author
-
Falcone, Yliès and Marchand, Hervé
- Abstract
We are interested in the validation of opacity. Opacity models the impossibility for an attacker to retrieve the value of a secret in a system of interest. Roughly speaking, ensuring opacity provides confidentiality of a secret on the system that must not leak to an attacker. More specifically, we study how we can model-check, verify and enforce at system runtime, several levels of opacity. Besides existing notions of opacity, we also introduce K-step strong opacity, a more practical notion of opacity that provides a stronger level of confidentiality. [ABSTRACT FROM AUTHOR]
- Published
- 2015
- Full Text
- View/download PDF
49. Modeling runtime enforcement with mandatory results automata.
- Author
-
Dolzhenko, Egor, Ligatti, Jay, and Reddy, Srikar
- Subjects
COMPUTER security, COMPUTER security software, MACHINE theory, DATA security, COMMON Language Runtime (Computer science), DATA analysis
- Abstract
This paper presents a theory of runtime enforcement based on mechanism models called mandatory results automata (MRAs). MRAs can monitor and transform security-relevant actions and their results. The operational semantics of MRAs is simple and enables straightforward definitions of concrete MRAs. Moreover, the definitions of policies and enforcement with MRAs are simple and expressive. Putting all of these features together, we argue that MRAs make good general models of runtime mechanisms, upon which a theory of runtime enforcement can be based. We develop some enforceability theory by characterizing the policies deterministic and non-deterministic MRAs can and cannot enforce. [ABSTRACT FROM AUTHOR]
- Published
- 2015
- Full Text
- View/download PDF
50. Test4Enforcers: Test Case Generation for Software Enforcers
- Author
-
Deshmukh, J, Nickovic, D, Guzman, M, Riganelli, O, Micucci, D, and Mariani, L
- Abstract
Software enforcers can be used to modify the runtime behavior of software applications to guarantee that relevant correctness policies are satisfied. Indeed, the implementation of software enforcers can be tricky, due to the heterogeneity of the situations that they must be able to handle. Assessing their ability to steer the behavior of the target system without introducing any side effect is an important challenge to fully trust the resulting system. To address this challenge, this paper presents Test4Enforcers, the first approach to derive thorough test suites that can validate the impact of enforcers on a target system. The paper also shows how to implement the Test4Enforcers approach in the DroidBot test generator to validate enforcers for Android apps.
- Published
- 2020
Discovery Service for Jio Institute Digital Library