scispace - formally typeset
Search or ask a question
Author

Moonjoo Kim

Bio: Moonjoo Kim is an academic researcher from University of Pennsylvania. The author has contributed to research in topics: Correctness & Formal verification. The author has an hindex of 11, co-authored 11 publications receiving 911 citations.

Papers
More filters
Journal ArticleDOI
01 Oct 2001
TL;DR: The paper presents an overview of the MaC architecture and a prototype implementation of the Monitoring and Checking (MaC) architecture, a lightweight formal method solution as a viable complement to the current heavyweight formal methods.
Abstract: We describe Java-MaC, a prototype implementation of the Monitoring and Checking (MaC) architecture for Java programs. The MaC architecture provides assurance about the correct execution of target programs at run-time. Monitoring and checking is performed based on a formal specification of system requirements. MaC bridges the gap between formal verification, which ensures the correctness of a design rather than an implementation, and testing, which only partially validates an implementation. Java-MaC provides a lightweight formal method solution as a viable complement to the current heavyweight formal methods. An important aspect of the architecture is the clear separation between monitoring implementation-dependent low-level behaviors and checking high-level behaviors against a formal requirements specification. Another salient feature is automatic instrumentation of executable codes. The paper presents an overview of the MaC architecture and a prototype implementation Java-MaC.

200 citations

Proceedings Article
01 Jan 1999
TL;DR: The Monitoring and Checking (MaC) framework which assures the correctness of the current execution at run-time and two languages to specify monitoring scripts and requirements are presented.
Abstract: We describe the Monitoring and Checking (MaC) framework which assures the correctness of the current execution at run-time Monitoring is performed based on a formal specification of system requirements MaC bridges the gap between formal specification and verification, which ensures the correctness of a design rather than an implementation, and testing, which partially validates an implementation An important aspect of the framework is a clear separation between implementation-dependent description of monitored objects and high-level requirements specification Another salient feature is automatic instrumentation of executable code The paper presents an overview of the framework and two languages to specify monitoring scripts and requirements, and briefly explain our on-going prototype implementation Comments Postprint version Published in 1999 International Conference on Parallel and Distributed Processing Techniques and Applications PDPTA99, 1999, Volume 1, pages 279-287 Publisher URL: http://wwwinformatikuni-trierde/~ley/db/conf/pdpta/pdpta1999-1html This conference paper is available at ScholarlyCommons: http://repositoryupennedu/cis_papers/294 Runtime Assurance Based On Formal Speci cations I Lee, S Kannan, M Kim, O Sokolsky, and M Viswanathan Department of Computer and Information Science University of Pennsylvania Philadelphia, PA 19104

191 citations

Proceedings ArticleDOI
09 Jun 1999
TL;DR: The MaC framework provides assurance on the correctness of an execution of a real-time system at runtime and bridges the gap between formal specification and testing, which validates implementations but lacks formality.
Abstract: We describe the Monitoring and Checking (MaC) framework which provides assurance on the correctness of an execution of a real-time system at runtime. Monitoring is performed based on a formal specification of system requirements. MaC bridges the gap between formal specification, which analyzes designs rather than implementations, and testing, which validates implementations but lacks formality. An important aspect of the framework is a clear separation between implementation-dependent description of monitored objects and high-level requirements specification. Another salient feature is automatic instrumentation of executable code. The paper presents an overview of the framework, languages to express monitoring scripts and requirements, and a prototype implementation of MaC targeted at systems implemented in Java.

141 citations

Journal ArticleDOI
TL;DR: Novel aspects of the approach include modest integration costs with other simulation objectives such as performance evaluation, greatly increased flexibility in specifying properties to be checked and techniques for analyzing complex traces of alarms raised by the monitoring software.
Abstract: Network protocols are often analyzed using simulations. We demonstrate how to extend such simulations to check propositions expressing safety properties of network event traces in an extended form of linear temporal logic. Our technique uses the INS simulator together with a component of the MaC system to provide a uniform framework. We demonstrate its effectiveness by analyzing simulations of the ad hoc on-demand distance vector (AODV) routing protocol for packet radio networks. Our analysis finds violations of significant properties and we discuss the faults that cause them. Novel aspects of our approach include modest integration costs with other simulation objectives such as performance evaluation, greatly increased flexibility in specifying properties to be checked and techniques for analyzing complex traces of alarms raised by the monitoring software.

91 citations

Proceedings ArticleDOI
01 Aug 2000
TL;DR: This talk focuses on program analysis tools, and proposes a surprisingly simple explanation with interesting ramifications of why there are so few successful "real-world" programming and testing tools based on academic research.
Abstract: Why are there so few successful "real-world" programming and testing tools based on academic research? This talk focuses on program analysis tools, and proposes a surprisingly simple explanation with interesting ramifications.For a tool aimed at developers or testers to be successful, people must use it - and must use it to help accomplish their existing tasks, rather than as an end in itself. If the tool does not help them get their job done, or the effort to learn and/or use the tool is too great, users will not perceive enough value; the tool will not get significant usage, even if it is free.This talk focuses on the often-overlooked consequences of this seemingly basic statement in two major areas: program analysis, and the work beyond core analysis that must be done to make a successful tool. Examples will be drawn from tools that have been successfully used in industry (sold commercially, and developed for internal use).

90 citations


Cited by
More filters
Journal ArticleDOI
11 Sep 2000
TL;DR: A verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing, and uses state compression to handle big states and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space.
Abstract: The majority of the work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers and model checkers. In this paper, we give arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy, we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle large states, and partial order reduction, slicing, abstraction and run-time analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, run-time analysis and slicing with model checking.

1,459 citations

Book ChapterDOI
TL;DR: A variant of temporal logic tailored for specifying desired properties of continuous signals, based on a bounded subset of the real-time logic mitl, augmented with a static mapping from continuous domains into propositions is introduced.
Abstract: In this paper we introduce a variant of temporal logic tailored for specifying desired properties of continuous signals. The logic is based on a bounded subset of the real-time logic mitl, augmented with a static mapping from continuous domains into propositions. From formulae in this logic we create automatically property monitors that can check whether a given signal of bounded length and finite variability satisfies the property. A prototype implementation of this procedure was used to check properties of simulation traces generated by Matlab/Simulink.

1,067 citations

Journal ArticleDOI
TL;DR: In this paper, a three-valued semantics (with truth values true, false, inconclusive) is introduced as an adequate interpretation as to whether a partial observation of a running system meets an LTL or TLTL property.
Abstract: This article studies runtime verification of properties expressed either in lineartime temporal logic (LTL) or timed lineartime temporal logic (TLTL). It classifies runtime verification in identifying its distinguishing features to model checking and testing, respectively. It introduces a three-valued semantics (with truth values true, false, inconclusive) as an adequate interpretation as to whether a partial observation of a running system meets an LTL or TLTL property.For LTL, a conceptually simple monitor generation procedure is given, which is optimal in two respects: First, the size of the generated deterministic monitor is minimal, and, second, the monitor identifies a continuously monitored trace as either satisfying or falsifying a property as early as possible. The feasibility of the developed methodology is demontrated using a collection of real-world temporal logic specifications. Moreover, the presented approach is related to the properties monitorable in general and is compared to existing concepts in the literature. It is shown that the set of monitorable properties does not only encompass the safety and cosafety properties but is strictly larger.For TLTL, the same road map is followed by first defining a three-valued semantics. The corresponding construction of a timed monitor is more involved, yet, as shown, possible.

533 citations

Proceedings ArticleDOI
21 Oct 2007
TL;DR: This paper proposes a parametric specification formalism-independent extension of MOP, together with an implementation of JavaMOP that supports parameters, and devised and implemented a decentralized indexing optimization.
Abstract: Monitoring-Oriented Programming (MOP1) [21, 18, 22, 19] is a formal framework for software development and analysis, in which the developer specifies desired properties using definable specification formalisms, along with code to execute when properties are violated or validated. The MOP framework automatically generates monitors from the specified properties and then integrates them together with the user-defined code into the original system. The previous design of MOP only allowed specifications without parameters, so it could not be used to state and monitor safety properties referring to two or more related objects. In this paper we propose a parametric specification formalism-independent extension of MOP, together with an implementation of JavaMOP that supports parameters. In our current implementation, parametric specifications are translated into AspectJ code and then weaved into the application using off-the-shelf AspectJ compilers; hence, MOP specifications can be seen as formal or logical aspects. Our JavaMOP implementation was extensively evaluated on two benchmarks, Dacapo [14] and Tracematches [8], showing that runtime verification in general and MOP in particular are feasible. In some of the examples, millions of monitor instances are generated, each observing a set of related objects. To keep the runtime overhead of monitoring and event observation low, we devised and implemented a decentralized indexing optimization. Less than 8% of the experiments showed more than 10% runtime overhead; in most cases our tool generates monitoring code as efficient as the hand-optimized code. Despite its genericity, JavaMOP is empirically shown to be more efficient than runtime verification systems specialized and optimized for particular specification formalisms. Many property violations were detected during our experiments; some of them are benign, others indicate defects in programs. Many of these are subtle and hard to find by ordinary testing.

396 citations