Cesar Sanchez

Madrid Institute for Advanced Studies | IMDEA · IMDEA-Software

PhD

About

79
Publications
4,023
Reads
938
Citations
Additional affiliations
December 2013 - present
Madrid Institute for Advanced Studies
Position
  • Professor (Associate)
July 2009 - present
Spanish National Research Council
Position
  • Researcher
January 2008 - November 2013
Madrid Institute for Advanced Studies
Position
  • Research Assistant

Publications (79)
Chapter
Online runtime verification is a formal dynamic technique that studies how to monitor formal specifications incrementally against an input trace. Often, an observed prefix of a behavior is not enough to emit a definite verdict and the monitor must wait to receive more information. Monitorability classifies the set of properties depending on the fea...
Chapter
We present HStriver, an extensible stream runtime verification tool for event streams. The tool consists of a runtime verification engine for (1) real-time events streams where individual observations and verdicts can occur at arbitrary times, and (2) rich data in the observations and verdicts. This rich setting allows, for example, encoding as HSt...
Chapter
Stream runtime verification (SRV) is a formalism to express monitors as relations between typed input streams (observations) and typed output streams (data verdicts). In SRV, the actual data operations are separated from the temporal dependencies, therefore generalizing monitoring algorithms for temporal logics into the computation of richer verdic...
Article
Full-text available
Runtime verification is a complementary approach to testing, model checking and other static verification techniques to verify software properties. Monitorability characterizes what can be verified (monitored) at run time. Different definitions of monitorability have been given both for trace properties and for hyperproperties (properties defined o...
Preprint
Hyperproperties are properties of systems that relate multiple computation traces, including many important security and concurrency properties. In this paper, we present HyperQube, a fully automated QBF-based bounded model checker for hyperproperties. HyperQube supports one-click system verification of NuSMV models with hyperproperties specified a...
Chapter
Hyperproperties are properties of computational systems that require more than one trace to evaluate, e.g., many information-flow security and concurrency requirements. Where a trace property defines a set of traces, a hyperproperty defines a set of sets of traces. The temporal logics HyperLTL and HyperCTL* have been proposed to express hyperproper...
Preprint
Hyperproperties are properties of computational systems that require more than one trace to evaluate, e.g., many information-flow security and concurrency requirements. Where a trace property defines a set of traces, a hyperproperty defines a set of sets of traces. The temporal logics HyperLTL and HyperCTL* have been proposed to express hyperproper...
Article
Full-text available
In this paper, we study the problem of runtime verification of real-time event streams; in particular, we propose a language to describe monitors for real-time event streams that can manipulate data from rich domains. We propose a solution based on stream runtime verification (SRV), where monitors are specified by describing how output streams of d...
Chapter
Full-text available
This paper introduces a bounded model checking (BMC) algorithm for hyperproperties expressed in HyperLTL, which — to the best of our knowledge — is the first such algorithm. Just as the classic BMC technique for LTL primarily aims at finding bugs, our approach also targets identifying counterexamples. BMC for LTL is reduced to SAT solving, because...
Chapter
Full-text available
We present , an extensible Stream Runtime Verification (SRV) tool, that borrows from the functional language Haskell (1) rich types for data in events and verdicts; and (2) functional features for parametrization, libraries, high-order specification transformations, etc. SRV is a formal dynamic analysis technique that generalizes Runtime Verificati...
Chapter
Stream Runtime Verification (SRV) is a formal dynamic analysis technique that generalizes runtime verification algorithms from temporal logics like LTL to stream monitoring, allowing the computation of richer verdicts than Booleans (quantitative values or even arbitrary data). The core of SRV algorithms is a clean separation between temporal depend...
Chapter
The rise of smart contracts executed on blockchain and other distributed ledger technologies enabled trustless yet decentralised computation. Various applications take advantage of this computational model, including enforced financial contracts, self-sovereign identity and voting. But smart contracts are nothing but software running on a blockchai...
Chapter
We study the spectra of time-event and of synchronous-asynchronous models of computation for runtime verification, in particular in the context of stream runtime verification (SRV). Most runtime verification formalisms do not involve a notion of time, either by having inputs at all instants (like LTL or Lola) or by reacting to external events in an...
Preprint
This paper introduces the first bounded model checking (BMC) algorithm for hyperproperties expressed in HyperLTL. Just as the classic BMC technique for LTL primarily aims at finding bugs, our approach also targets identifying counterexamples. LTL describes the property of individual traces and BMC for LTL is reduced to SAT solving. HyperLTL allow...
Chapter
Many important timed requirements of computing systems cannot be described by the behavior of individual execution traces. Examples include countermeasures to deal with side-channel timing attacks and service-level agreements, which are examples of timed hyperproperties. In this paper, we propose the temporal logic HyperMTL, that extends MTL by all...
Article
Full-text available
We study the problem of online runtime verification of real-time event streams. Our monitors can observe concurrent systems with a shared clock, but where each component reports observations as signals that arrive to the monitor at different speeds and with different and varying latencies. We start from specifications in a fragment of the TeSSLa sp...
Preprint
HyperLTL is an extension of linear-time temporal logic for the specification of hyperproperties, i.e., temporal properties that relate multiple computation traces. HyperLTL can express information flow policies as well as properties like symmetry in mutual exclusion algorithms or Hamming distances in error-resistant transmission protocols. Previous...
Article
Full-text available
Runtime verification is an area of formal methods that studies the dynamic analysis of execution traces against formal specifications. Typically, the two main activities in runtime verification efforts are the process of creating monitors from specifications, and the algorithms for the evaluation of traces against the generated monitors. Other acti...
Chapter
Runtime Verification (RV) studies how to analyze execution traces of a system under observation. Stream Runtime Verification (SRV) applies stream transformations to obtain information from observed traces. Incomplete traces with information missing in gaps pose a common challenge when applying RV and SRV techniques to real-world systems as RV appro...
Conference Paper
We study the problem of decentralized monitoring of stream runtime verification specifications. Decentralized monitoring uses distributed monitors that communicate via a synchronous network, a communication setting common in many cyber-physical systems like automotive CPSs. Previous approaches to decentralized monitoring were restricted to logics l...
Chapter
Many important system properties, particularly in security and privacy, cannot be verified statically. Therefore, runtime verification is an appealing alternative. Logics for hyperproperties, such as HyperLTL, support a rich set of such properties. We first show that black-box monitoring of HyperLTL is in general unfeasible, and suggest a gray-box...
Preprint
Runtime Verification (RV) studies how to analyze execution traces of a system under observation. Stream Runtime Verification (SRV) applies stream transformations to obtain information from observed traces. Incomplete traces with information missing in gaps pose a common challenge when applying RV and SRV techniques to real-world systems as RV appro...
Preprint
Many important system properties, particularly in security and privacy, cannot be verified statically. Therefore, runtime verification is an appealing alternative. Logics for hyperproperties, such as HyperLTL, support a rich set of such properties. We first show that black-box monitoring of HyperLTL is in general unfeasible, and suggest a gray-box...
Preprint
Full-text available
This report presents the activities of the first working group of the COST Action ArVI, Runtime Verification beyond Monitoring. The report aims to provide an overview of some of the major core aspects involved in Runtime Verification. Runtime Verification is the field of research dedicated to the analysis of system executions. It is often seen as a...
Preprint
Full-text available
Runtime verification is an area of formal methods that studies the dynamic analysis of execution traces against formal specifications. Typically, the two main activities in runtime verification efforts are the process of creating monitors from specifications, and the algorithms for the evaluation of traces against the generated monitors. Other acti...
Chapter
In this paper we report on COST Action IC1402 which studies Runtime Verification approaches beyond Monitoring. COST Actions are funded by the European Union and are an efficient networking instrument for researchers, engineers and scholars to cooperate and coordinate research activities. This COST action IC1402 lasted over the past four years, invo...
Chapter
The popularization of blockchain technologies has brought a sudden interest in software that executes on top of blockchain, the so-called smart contracts, with many potential applications, from financial contracts to unforgeable elections. Smart contracts are pieces of software that manipulate the shared data stored in the blockchain, with the pro...
Chapter
Hyperproperties are properties whose reasoning involves sets of traces. Examples of hyperproperties include information-flow security properties, properties of coding/decoding systems, linearizability and other consistency criteria, as well as privacy properties like data minimality. We study the problem of runtime verification of hyperproperties ex...
Chapter
We present an epistemic logic equipped with time-stamps in atoms and epistemic operators, which enables reasoning about the moments at which events happen and knowledge is acquired or deduced. Our logic includes both an epistemic operator K and a belief operator B, to capture the disclosure of inaccurate information. Our main motivation is to descr...
Article
Full-text available
This article introduces the extended versions of selected papers from the refereed proceedings of the 16th International Conference on Runtime Verification (RV 2016) held in Madrid, Spain, in September 2016. Runtime verification encompasses all aspects of monitoring and analysis of hardware, software, and system executions in general. Runtime verif...
Conference Paper
Full-text available
We present TeSSLa, a specification language based on stream run-time verification, designed for monitoring a specific class of real-time signals. Our monitors can observe concurrent systems with a shared clock, but where each component reports observations as signals that arrive to the monitor at different speeds and with different and varying late...
Article
Full-text available
We introduce Visibly Linear Temporal Logic (VLTL), a linear-time temporal logic that captures the full class of Visibly Pushdown Languages over infinite words. The novel logic avoids fix points and instead provides natural temporal operators with simple and intuitive semantics. We prove that the complexities of the satisfiability and visibly pushdo...
Article
Full-text available
We present an epistemic logic equipped with time-stamps in the atoms and epistemic operators, which allows reasoning not only about information available to the different agents, but also about the moments at which events happen and new knowledge is acquired or deduced. Our logic includes both an epistemic operator and a belief operator, which all...
Article
Full-text available
This paper studies the problem of verifying temporal properties (including liveness properties) of parametrized concurrent systems executed by an unbounded number of threads. To solve this problem we introduce parametrized verification diagrams (PVDs), that extend the so-called generalized verification diagrams (GVDs) adding support for parametrize...
Conference Paper
Online Social Networks are ubiquitous, bringing not only numerous new possibilities but also big threats and challenges. Privacy is one of them. Most social networks today offer a limited set of (static) privacy settings, not being able to express dynamic policies. For instance, users might decide to protect their location during the night, or shar...
Article
Stream runtime verification (SRV), pioneered by the tool LOLA, is a declarative formalism to specify synchronous monitors. In SRV, monitors are described by specifying dependencies between output streams of values and input streams of values. The declarative nature of SRV enables a separation between the evaluation algorithms, and the monitor stora...
Book
This book constitutes the refereed proceedings of the 16th International Conference on Runtime Verification, RV 2016, held in Madrid, Spain, in September 2016. The 18 revised full papers presented together with 4 short papers, 3 tool papers, 2 tool demonstration papers, and 5 tutorials, were carefully reviewed and selected from 72 submissions. The...
Conference Paper
We present an automata-based algorithm for checking finite state systems for hyperproperties specified in HyperLTL and HyperCTL*. For the alternation-free fragments of HyperLTL and HyperCTL* the automaton construction allows us to leverage existing model checking technology. Along several case studies, we demonstrate that the approach ena...
Conference Paper
Stream runtime verification (SRV), pioneered by the tool LOLA, is a declarative approach to specify synchronous monitors. In SRV, monitors are described by specifying dependencies between output streams of values and input streams of values. The declarative nature of SRV enables a separation between (1) the evaluation algorithms, and (2) the monito...
Conference Paper
This paper introduces parametrized verification diagrams (PVDs), a formalism that allows proving temporal properties of parametrized concurrent systems, in which a given program is executed by an unbounded number of processes. PVDs extend general verification diagrams (GVDs). GVDs encode succinctly a proof that a non-parametrized reactive system s...
Conference Paper
Full-text available
We introduce a robust and tractable temporal logic, we call visibly linear temporal logic (VLTL), which captures the full class of visibly pushdown languages. The novel logic avoids fix points and provides instead natural temporal operators with simple and intuitive semantics. We prove that the complexities of the satisfiability and visibly pushdow...
Conference Paper
This tool paper describes Leap, a tool for the verification of concurrent datatypes and parametrized systems composed of an unbounded number of threads that manipulate infinite data. Leap receives as input a concurrent program description and a specification and automatically generates a finite set of verification conditions which are then discharg...
Conference Paper
Full-text available
Two new logics for verification of hyperproperties are proposed. Hyperproperties characterize security policies, such as noninterference, as a property of sets of computation paths. Standard temporal logics such as LTL, CTL, and CTL* can refer only to a single path at a time, hence cannot express many hyperproperties of interest. The logics propose...
Article
We study the uniform verification problem for infinite state processes, which consists of proving that the parallel composition of an arbitrary number of processes satisfies a temporal property. Our practical motivation is to build a general framework for the temporal verification of concurrent datatypes. The contribution of this paper is a general...
Article
Full-text available
Hyperproperties, as introduced by Clarkson and Schneider, characterize the correctness of a computer program as a condition on its set of computation paths. Standard temporal logics can only refer to a single path at a time, and therefore cannot express many hyperproperties of interest, including noninterference and other important properties in se...
Article
This article presents FUSE, an approach for modeling and implementing embedded software components which starts from a mainstream programming language and brings some of the key concepts of Statecharts as first-class elements within this language. Our approach provides a unified programming environment which not only preserves some of the advantag...
Article
Full-text available
This paper presents a theory of skiplists of arbitrary height, and shows decidability of the satisfiability problem for quantifier-free formulas. A skiplist is an imperative software data structure that implements sets by maintaining several levels of ordered singly-linked lists in memory, where each level is a sublist of its lower levels. Skiplist...
Article
Full-text available
Ubiquitous sensor network deployments, such as the ones found in Smart cities and Ambient intelligence applications, require constantly increasing high computational demands in order to process data and offer services to users. The nature of these applications implies the usage of data centers. Research has paid much attention to the energy consumpti...
Conference Paper
This paper presents results that enable efficient translations of extensions of linear temporal logic (LTL) into alternating automata, which can be applied to improve algorithms for the automata-theoretic approach to model-checking. In particular, we introduce--using a game theoretic framework--a novel finer grain complementation theorem for the pa...
Conference Paper
Full-text available
We examine the problem of inferring invariants for parametrized systems. Parametrized systems are concurrent systems consisting of an a priori unbounded number of process instances running the same program. Such systems are commonly encountered in many situations including device drivers, distributed systems, and robotic swarms. In this paper we de...
Conference Paper
We study efficient translations of Regular Linear Temporal Logic (RLTL) into automata on infinite words. RLTL is a temporal logic that fuses Linear Temporal Logic (LTL) with regular expressions, extending its expressive power to all ω-regular languages. The first contribution of this paper is a novel bottom up translation from RLTL into alternating...
Article
Full-text available
The identification, isolation, and correction of program defects require the understanding of both the algorithmic structure of the code as well as the data structures that are being manipulated. While modern development environments provide substantial support for examining the program source code (the algorithmic aspect of the program), they pr...
Article
Full-text available
Modern programming environments provide extensive support for inspecting, analyzing, and testing programs based on the algorithmic structure of a program. Unfortunately, support for inspecting and understanding runtime data structures during execution is typically much more limited. This paper provides a general purpose technique for abstracting an...
Conference Paper
Regular expressions (RE) are an algebraic formalism for expressing regular languages, widely used in string search and as a specification language in verification. In this paper, we introduce and investigate visibly rational expressions (VRE), an extension of RE for the class of visibly pushdown languages (VPL). We show that VRE capture precisely t...
Conference Paper
Full-text available
This paper presents a theory of skiplists with a decidable satisfiability problem, and shows its applications to the verification of concurrent skiplist implementations. A skiplist is a data structure used to implement sets by maintaining several ordered singly-linked lists in memory, with a performance comparable to balanced binary trees. We defin...
Conference Paper
Full-text available
This paper studies the problem of formally verifying temporal properties of concurrent datatypes. Concurrent datatypes are implementations of classical data abstractions, specially designed to exploit the parallelism available in multiprocessor architectures. The correctness of concurrent datatypes is essential for the overall correctness of the cl...
Conference Paper
Full-text available
We introduce a technique for debugging multi-threaded C programs and analyzing the impact of source code changes, and its implementation in the prototype tool Direct. Our approach uses a combination of source code instrumentation and runtime management. The source code along with a test harness is instrumented to monitor Operating System (OS)...
Conference Paper
Full-text available
This extended abstract presents the main ideas behind regular linear-time temporal logic (RLTL), a logic that generalizes linear-time temporal logic (LTL) with the ability to use regular expressions arbitrarily as sub-expressions. Unlike LTL, RLTL can define all ω-regular languages and unlike previous approaches, RLTL is defined with an algebraic s...
Conference Paper
Full-text available
This paper upgrades Regular Linear Temporal Logic (RLTL) with past operators and complementation. RLTL is a temporal logic that extends the expressive power of linear temporal logic (LTL) to all ω-regular languages. The syntax of RLTL consists of an algebraic signature from which expressions are built. In particular, RLTL does not need or expose f...
Conference Paper
Full-text available
Event-pattern reactive programs are small programs that process an input stream of events to detect and act upon given temporal patterns. These programs are used in distributed systems to notify components when they must react. We present the reaction algebra, a declarative language to define finite-state reactions. We prove that the reaction algeb...
Conference Paper
Full-text available
We present regular linear temporal logic (RLTL), a logic that generalizes linear temporal logic with the ability to use regular expressions arbitrarily as sub-expressions. Every LTL operator can be defined as a context in regular linear temporal logic. This implies that there is a (linear) translation from LTL to RLTL. Unlike LTL, regular linear te...
Conference Paper
Full-text available
We study resource management in distributed systems. Incorrect handling of resources may lead to deadlocks, missed deadlines, priority inversions, and other forms of incorrect behavior or degraded performance. While in centralized systems deadlock avoidance is commonly used to ensure correct and efficient resource allocation, distributed deadlock a...
Conference Paper
General solutions to deadlock avoidance in distributed systems are considered impractical due to the high communication overhead. In previous work we showed that practical solutions exist when all possible sequences of resource requests are known a priori in the form of call graphs; in this case protocols can be constructed that involve no communic...
Conference Paper
Full-text available
We study the problem of priority inversion in distributed real-time and embedded systems and propose a solution based on a distributed version of the priority inheritance protocol (PIP). Previous approaches to priority inversions in distributed systems use variations of the priority ceiling protocol (PCP), originally designed for centralized system...
Conference Paper
Full-text available
Thread allocation is an important problem in distributed real-time and embedded (DRE) systems. A thread allocation policy that is too liberal may cause deadlock, while a policy that is too conservative limits potential parallelism, thus wasting resources. However, achieving (globally) optimal thread utilization, while avoiding deadlock, has been pr...
Conference Paper
Full-text available
We present a deadlock avoidance algorithm for distributed systems that guarantees liveness. Deadlock avoidance in distributed systems is a hard problem and general solutions are considered impractical due to the high communication overhead. In previous work, however, we showed that practical solutions exist when all possible sequences of resource...
Conference Paper
Full-text available
Distributed real-time and embedded (DRE) systems have stringent constraints on timeliness and other properties whose assurance is crucial to correct system behavior. Formal tools and techniques play a key role in verifying and validating system properties. However, many DRE systems are built using middleware frameworks that have grown increasingl...
Conference Paper
Full-text available
Event-pattern reactive programs serve reactive components by pre-processing the input event stream and generating notifications according to temporal patterns. The declarative language PAR allows the expression of complex event-pattern reactions. Despite its simplicity and deterministic nature, PAR is expressively complete in the following sense: e...
Conference Paper
Full-text available
We study the problem of thread allocation in asynchronous distributed real-time and embedded systems. Each distributed node handles a limited set of resources, in particular a limited thread pool. Different methods can be invoked concurrently in each node, either by external agents or as a remote call during the execution of a method. In this pa- p...
Conference Paper
Full-text available
Event-pattern reactive programs are front-end programs for distributed reactive components that preprocess an incoming stream of event stimuli. Their purpose is to recognize temporal patterns of events that are relevant to the serviced program and ignore all other events, outsourcing some of the component’s complexity and shielding it from event ov...
Conference Paper
Full-text available
We present a specification language and algorithms for the online and offline monitoring of synchronous systems including circuits and embedded systems. Such monitoring is useful not only for testing, but also under actual deployment. The specification language is simple and expressive; it can describe both correctness/failure assertions along with...
Conference Paper
Full-text available
Event correlation is a service provided by middleware platforms that allows components in a publish/subscribe architecture to subscribe to patterns of events rather than individual events. Event correlation improves the scalability and performance of distributed systems, increases their analyzability, while reducing their complexity by moving funct...
Article
Full-text available
We study deadlock avoidance for resource allocation in distributed systems. While a general solution of distributed deadlock avoidance is considered impractical, we propose an efficient solution of the important particular case where the possible sequences of remote calls, modeled as call graphs, are known a priori. The algorithm presented here g...
Article
Middleware for distributed real-time embedded (DRE) systems has grown more and more complex in recent years, to address functional and temporal requirements of complex real-time applications. While current approaches for modeling middleware have eased the task of assembling, deploying and configuring middleware and applications, a more form...