~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/trace/rv/runtime-verification.rst

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/trace/rv/runtime-verification.rst (Version linux-6.12-rc7) and /Documentation/trace/rv/runtime-verification.rst (Version linux-6.4.16)


  1 ====================                                1 ====================
  2 Runtime Verification                                2 Runtime Verification
  3 ====================                                3 ====================
  4                                                     4 
  5 Runtime Verification (RV) is a lightweight (ye      5 Runtime Verification (RV) is a lightweight (yet rigorous) method that
  6 complements classical exhaustive verification       6 complements classical exhaustive verification techniques (such as *model
  7 checking* and *theorem proving*) with a more p      7 checking* and *theorem proving*) with a more practical approach for complex
  8 systems.                                            8 systems.
  9                                                     9 
 10 Instead of relying on a fine-grained model of      10 Instead of relying on a fine-grained model of a system (e.g., a
 11 re-implementation a instruction level), RV wor     11 re-implementation a instruction level), RV works by analyzing the trace of the
 12 system's actual execution, comparing it agains     12 system's actual execution, comparing it against a formal specification of
 13 the system behavior.                               13 the system behavior.
 14                                                    14 
 15 The main advantage is that RV can give precise     15 The main advantage is that RV can give precise information on the runtime
 16 behavior of the monitored system, without the      16 behavior of the monitored system, without the pitfalls of developing models
 17 that require a re-implementation of the entire     17 that require a re-implementation of the entire system in a modeling language.
 18 Moreover, given an efficient monitoring method     18 Moreover, given an efficient monitoring method, it is possible execute an
 19 *online* verification of a system, enabling th     19 *online* verification of a system, enabling the *reaction* for unexpected
 20 events, avoiding, for example, the propagation     20 events, avoiding, for example, the propagation of a failure on safety-critical
 21 systems.                                           21 systems.
 22                                                    22 
 23 Runtime Monitors and Reactors                      23 Runtime Monitors and Reactors
 24 =============================                      24 =============================
 25                                                    25 
 26 A monitor is the central part of the runtime v     26 A monitor is the central part of the runtime verification of a system. The
 27 monitor stands in between the formal specifica     27 monitor stands in between the formal specification of the desired (or
 28 undesired) behavior, and the trace of the actu     28 undesired) behavior, and the trace of the actual system.
 29                                                    29 
 30 In Linux terms, the runtime verification monit     30 In Linux terms, the runtime verification monitors are encapsulated inside the
 31 *RV monitor* abstraction. A *RV monitor* inclu     31 *RV monitor* abstraction. A *RV monitor* includes a reference model of the
 32 system, a set of instances of the monitor (per     32 system, a set of instances of the monitor (per-cpu monitor, per-task monitor,
 33 and so on), and the helper functions that glue     33 and so on), and the helper functions that glue the monitor to the system via
 34 trace, as depicted below::                     !!  34 trace, as depicted bellow::
 35                                                    35 
 36  Linux   +---- RV Monitor --------------------     36  Linux   +---- RV Monitor ----------------------------------+ Formal
 37   Realm  |                                         37   Realm  |                                                  |  Realm
 38   +-------------------+     +----------------+     38   +-------------------+     +----------------+     +-----------------+
 39   |   Linux kernel    |     |     Monitor    |     39   |   Linux kernel    |     |     Monitor    |     |     Reference   |
 40   |     Tracing       |  -> |   Instance(s)  |     40   |     Tracing       |  -> |   Instance(s)  | <-  |       Model     |
 41   | (instrumentation) |     | (verification) |     41   | (instrumentation) |     | (verification) |     | (specification) |
 42   +-------------------+     +----------------+     42   +-------------------+     +----------------+     +-----------------+
 43          |                          |              43          |                          |                       |
 44          |                          V              44          |                          V                       |
 45          |                     +----------+        45          |                     +----------+                 |
 46          |                     | Reaction |        46          |                     | Reaction |                 |
 47          |                     +--+--+--+-+        47          |                     +--+--+--+-+                 |
 48          |                        |  |  |          48          |                        |  |  |                   |
 49          |                        |  |  +-> tr     49          |                        |  |  +-> trace output ?  |
 50          +------------------------|--|--------     50          +------------------------|--|----------------------+
 51                                   |  +----> pa     51                                   |  +----> panic ?
 52                                   +-------> <u     52                                   +-------> <user-specified>
 53                                                    53 
 54 In addition to the verification and monitoring     54 In addition to the verification and monitoring of the system, a monitor can
 55 react to an unexpected event. The forms of rea     55 react to an unexpected event. The forms of reaction can vary from logging the
 56 event occurrence to the enforcement of the cor     56 event occurrence to the enforcement of the correct behavior to the extreme
 57 action of taking a system down to avoid the pr     57 action of taking a system down to avoid the propagation of a failure.
 58                                                    58 
 59 In Linux terms, a *reactor* is an reaction met     59 In Linux terms, a *reactor* is an reaction method available for *RV monitors*.
 60 By default, all monitors should provide a trac     60 By default, all monitors should provide a trace output of their actions,
 61 which is already a reaction. In addition, othe     61 which is already a reaction. In addition, other reactions will be available
 62 so the user can enable them as needed.             62 so the user can enable them as needed.
 63                                                    63 
 64 For further information about the principles o     64 For further information about the principles of runtime verification and
 65 RV applied to Linux:                               65 RV applied to Linux:
 66                                                    66 
 67   Bartocci, Ezio, et al. *Introduction to runt     67   Bartocci, Ezio, et al. *Introduction to runtime verification.* In: Lectures on
 68   Runtime Verification. Springer, Cham, 2018.      68   Runtime Verification. Springer, Cham, 2018. p. 1-33.
 69                                                    69 
 70   Falcone, Ylies, et al. *A taxonomy for class     70   Falcone, Ylies, et al. *A taxonomy for classifying runtime verification tools.*
 71   In: International Conference on Runtime Veri     71   In: International Conference on Runtime Verification. Springer, Cham, 2018. p.
 72   241-262.                                         72   241-262.
 73                                                    73 
 74   De Oliveira, Daniel Bristot. *Automata-based     74   De Oliveira, Daniel Bristot. *Automata-based formal analysis and
 75   verification of the real-time Linux kernel.*     75   verification of the real-time Linux kernel.* Ph.D. Thesis, 2020.
 76                                                    76 
 77 Online RV monitors                                 77 Online RV monitors
 78 ==================                                 78 ==================
 79                                                    79 
 80 Monitors can be classified as *offline* and *o     80 Monitors can be classified as *offline* and *online* monitors. *Offline*
 81 monitor process the traces generated by a syst     81 monitor process the traces generated by a system after the events, generally by
 82 reading the trace execution from a permanent s     82 reading the trace execution from a permanent storage system. *Online* monitors
 83 process the trace during the execution of the      83 process the trace during the execution of the system. Online monitors are said
 84 to be *synchronous* if the processing of an ev     84 to be *synchronous* if the processing of an event is attached to the system
 85 execution, blocking the system during the even     85 execution, blocking the system during the event monitoring. On the other hand,
 86 an *asynchronous* monitor has its execution de     86 an *asynchronous* monitor has its execution detached from the system. Each type
 87 of monitor has a set of advantages. For exampl     87 of monitor has a set of advantages. For example, *offline* monitors can be
 88 executed on different machines but require ope     88 executed on different machines but require operations to save the log to a
 89 file. In contrast, *synchronous online* method     89 file. In contrast, *synchronous online* method can react at the exact moment
 90 a violation occurs.                                90 a violation occurs.
 91                                                    91 
 92 Another important aspect regarding monitors is     92 Another important aspect regarding monitors is the overhead associated with the
 93 event analysis. If the system generates events     93 event analysis. If the system generates events at a frequency higher than the
 94 monitor's ability to process them in the same      94 monitor's ability to process them in the same system, only the *offline*
 95 methods are viable. On the other hand, if the      95 methods are viable. On the other hand, if the tracing of the events incurs
 96 on higher overhead than the simple handling of     96 on higher overhead than the simple handling of an event by a monitor, then a
 97 *synchronous online* monitors will incur on lo     97 *synchronous online* monitors will incur on lower overhead.
 98                                                    98 
 99 Indeed, the research presented in:                 99 Indeed, the research presented in:
100                                                   100 
101   De Oliveira, Daniel Bristot; Cucinotta, Tomm    101   De Oliveira, Daniel Bristot; Cucinotta, Tommaso; De Oliveira, Romulo Silva.
102   *Efficient formal verification for the Linux    102   *Efficient formal verification for the Linux kernel.* In: International
103   Conference on Software Engineering and Forma    103   Conference on Software Engineering and Formal Methods. Springer, Cham, 2019.
104   p. 315-332.                                     104   p. 315-332.
105                                                   105 
106 Shows that for Deterministic Automata models,     106 Shows that for Deterministic Automata models, the synchronous processing of
107 events in-kernel causes lower overhead than sa    107 events in-kernel causes lower overhead than saving the same events to the trace
108 buffer, not even considering collecting the tr    108 buffer, not even considering collecting the trace for user-space analysis.
109 This motivated the development of an in-kernel    109 This motivated the development of an in-kernel interface for online monitors.
110                                                   110 
111 For further information about modeling of Linu    111 For further information about modeling of Linux kernel behavior using automata,
112 see:                                              112 see:
113                                                   113 
114   De Oliveira, Daniel B.; De Oliveira, Romulo     114   De Oliveira, Daniel B.; De Oliveira, Romulo S.; Cucinotta, Tommaso. *A thread
115   synchronization model for the PREEMPT_RT Lin    115   synchronization model for the PREEMPT_RT Linux kernel.* Journal of Systems
116   Architecture, 2020, 107: 101729.                116   Architecture, 2020, 107: 101729.
117                                                   117 
118 The user interface                                118 The user interface
119 ==================                                119 ==================
120                                                   120 
121 The user interface resembles the tracing inter    121 The user interface resembles the tracing interface (on purpose). It is
122 currently at "/sys/kernel/tracing/rv/".           122 currently at "/sys/kernel/tracing/rv/".
123                                                   123 
124 The following files/folders are currently avai    124 The following files/folders are currently available:
125                                                   125 
126 **available_monitors**                            126 **available_monitors**
127                                                   127 
128 - Reading list the available monitors, one per    128 - Reading list the available monitors, one per line
129                                                   129 
130 For example::                                     130 For example::
131                                                   131 
132    # cat available_monitors                       132    # cat available_monitors
133    wip                                            133    wip
134    wwnr                                           134    wwnr
135                                                   135 
136 **available_reactors**                            136 **available_reactors**
137                                                   137 
138 - Reading shows the available reactors, one pe    138 - Reading shows the available reactors, one per line.
139                                                   139 
140 For example::                                     140 For example::
141                                                   141 
142    # cat available_reactors                       142    # cat available_reactors
143    nop                                            143    nop
144    panic                                          144    panic
145    printk                                         145    printk
146                                                   146 
147 **enabled_monitors**:                             147 **enabled_monitors**:
148                                                   148 
149 - Reading lists the enabled monitors, one per     149 - Reading lists the enabled monitors, one per line
150 - Writing to it enables a given monitor           150 - Writing to it enables a given monitor
151 - Writing a monitor name with a '!' prefix dis    151 - Writing a monitor name with a '!' prefix disables it
152 - Truncating the file disables all enabled mon    152 - Truncating the file disables all enabled monitors
153                                                   153 
154 For example::                                     154 For example::
155                                                   155 
156    # cat enabled_monitors                         156    # cat enabled_monitors
157    # echo wip > enabled_monitors                  157    # echo wip > enabled_monitors
158    # echo wwnr >> enabled_monitors                158    # echo wwnr >> enabled_monitors
159    # cat enabled_monitors                         159    # cat enabled_monitors
160    wip                                            160    wip
161    wwnr                                           161    wwnr
162    # echo '!wip' >> enabled_monitors              162    # echo '!wip' >> enabled_monitors
163    # cat enabled_monitors                         163    # cat enabled_monitors
164    wwnr                                           164    wwnr
165    # echo > enabled_monitors                      165    # echo > enabled_monitors
166    # cat enabled_monitors                         166    # cat enabled_monitors
167    #                                              167    #
168                                                   168 
169 Note that it is possible to enable more than o    169 Note that it is possible to enable more than one monitor concurrently.
170                                                   170 
171 **monitoring_on**                                 171 **monitoring_on**
172                                                   172 
173 This is an on/off general switcher for monitor    173 This is an on/off general switcher for monitoring. It resembles the
174 "tracing_on" switcher in the trace interface.     174 "tracing_on" switcher in the trace interface.
175                                                   175 
176 - Writing "0" stops the monitoring                176 - Writing "0" stops the monitoring
177 - Writing "1" continues the monitoring            177 - Writing "1" continues the monitoring
178 - Reading returns the current status of the mo    178 - Reading returns the current status of the monitoring
179                                                   179 
180 Note that it does not disable enabled monitors    180 Note that it does not disable enabled monitors but stop the per-entity
181 monitors monitoring the events received from t    181 monitors monitoring the events received from the system.
182                                                   182 
183 **reacting_on**                                   183 **reacting_on**
184                                                   184 
185 - Writing "0" prevents reactions for happening    185 - Writing "0" prevents reactions for happening
186 - Writing "1" enable reactions                    186 - Writing "1" enable reactions
187 - Reading returns the current status of the re    187 - Reading returns the current status of the reaction
188                                                   188 
189 **monitors/**                                     189 **monitors/**
190                                                   190 
191 Each monitor will have its own directory insid    191 Each monitor will have its own directory inside "monitors/". There the
192 monitor-specific files will be presented. The     192 monitor-specific files will be presented. The "monitors/" directory resembles
193 the "events" directory on tracefs.                193 the "events" directory on tracefs.
194                                                   194 
195 For example::                                     195 For example::
196                                                   196 
197    # cd monitors/wip/                             197    # cd monitors/wip/
198    # ls                                           198    # ls
199    desc  enable                                   199    desc  enable
200    # cat desc                                     200    # cat desc
201    wakeup in preemptive per-cpu testing monito    201    wakeup in preemptive per-cpu testing monitor.
202    # cat enable                                   202    # cat enable
203    0                                              203    0
204                                                   204 
205 **monitors/MONITOR/desc**                         205 **monitors/MONITOR/desc**
206                                                   206 
207 - Reading shows a description of the monitor *    207 - Reading shows a description of the monitor *MONITOR*
208                                                   208 
209 **monitors/MONITOR/enable**                       209 **monitors/MONITOR/enable**
210                                                   210 
211 - Writing "0" disables the *MONITOR*              211 - Writing "0" disables the *MONITOR*
212 - Writing "1" enables the *MONITOR*               212 - Writing "1" enables the *MONITOR*
213 - Reading return the current status of the *MO    213 - Reading return the current status of the *MONITOR*
214                                                   214 
215 **monitors/MONITOR/reactors**                     215 **monitors/MONITOR/reactors**
216                                                   216 
217 - List available reactors, with the select rea    217 - List available reactors, with the select reaction for the given *MONITOR*
218   inside "[]". The default one is the nop (no     218   inside "[]". The default one is the nop (no operation) reactor.
219 - Writing the name of a reactor enables it to     219 - Writing the name of a reactor enables it to the given MONITOR.
220                                                   220 
221 For example::                                     221 For example::
222                                                   222 
223    # cat monitors/wip/reactors                    223    # cat monitors/wip/reactors
224    [nop]                                          224    [nop]
225    panic                                          225    panic
226    printk                                         226    printk
227    # echo panic > monitors/wip/reactors           227    # echo panic > monitors/wip/reactors
228    # cat monitors/wip/reactors                    228    # cat monitors/wip/reactors
229    nop                                            229    nop
230    [panic]                                        230    [panic]
231    printk                                         231    printk
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php