This document summarizes a runtime verification framework that monitors network applications using CSP (Communicating Sequential Processes) notation. It currently implements a monitor for system calls in dtruss output to check if open and close calls are matched. The goals are natural concurrency notations, integration with web servers, databases and syslog. Future work includes completing the file descriptor model, improving error reporting, and interfacing with Fluentd for log parsing.

1. Runtime verification based on
CSP
TSSS-3
AIST, Mar. 23, 2015
Yoriyuki Yamagata, Artho Cyrille, Masami Hagiya, Alexander Kohan,
Lei Ma, Nazim Sebih, Yoshinori Tanabe, Mitsuharu Yamamoto

2. Web servers
Backend server
Internet

3. Web servers
Backend serverMonitoring server
Log
Log
Internet

4. Goal
Runtime monitoring framework with
• natural notations for concurrency
• integration to the network applications
• web server, DB, syslog, etc…

5. Current status
• A monitor for dtruss output is implemented
• Check whether open/close system calls are
matched or not

6. Monitor definition

7. Command line
stracematch yoriyuki$ time target/pack/bin/strace-match <
wget.log > trace.wget
SLF4J: Failed to load class
"org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger
implementation
SLF4J: See http://www.slf4j.org/
codes.html#StaticLoggerBinder for further details.
real 0m1.219s
user 0m2.595s
sys 0m0.165s

8. Output trace
open("/dev/dtracehelper0", 0x2, 0x7FFF4FF071A0)
= 3 0
{Set(||Set() Bag(jp.go.aist.cspe.Rec0@57536d79;
jp.go.aist.cspe.ParamPrefix@2473b9ce))}
…
close(0x5) = 0 0
{Set()}
…
{Set()}
false

9. State explosion

10. Observation
• Parsing log file is not trivial
• use of fluentd?
• Writing down a correct monitor is not easy
• State explosion easily occurs

11. Future works
• Complete modeling of the file descriptor life cycle
• Improve error reporting
• Interface to fluentd