Distributed System Contract Monitoring

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

The use of behavioural contracts to specify, regulate and verify systems is particularly relevant to runtime monitoring of distributed systems. System distribution poses major challenges to contract monitoring, from monitoring-induced information leaks to computation load balancing, communication overheads and fault-tolerance. We present mDPi, a location-aware process calculus, for reasoning about monitoring of distributed systems. We define a family of Labelled Transition Systems for this calculus, which allow formal reasoning about different monitoring strategies at different levels of abstraction. We also illustrate the expressivity of the calculus by showing how contracts in a simple contract language can be synthesised into different mDPi monitors.


💡 Research Summary

The paper addresses the problem of runtime monitoring of behavioural contracts in distributed systems, where the lack of a global clock, heterogeneous locality of data, and the need for fault‑tolerance make traditional monolithic monitoring approaches inadequate. After surveying existing work, the authors classify distributed monitoring strategies into three families: orchestration‑based (centralised), choreography‑based (static distribution), and migrating monitors (dynamic distribution). Orchestration is simple and handles dynamic contracts well but suffers from data exposure, high communication overhead, and a single point of failure. Choreography keeps monitoring local, reducing exposure and traffic, yet requires upfront decomposition of contracts, incurs higher intrusion on each component, and struggles with dynamic topologies. Migrating monitors combine the benefits of both: a monitor resides where the relevant trace is generated and moves to other locations only when additional information is needed, thereby limiting instrumentation and preserving locality. The authors illustrate this with a hospital scenario where a nurse’s request to access patient records triggers a monitor that migrates from the nurse’s device to the central hospital system, then to the assigned doctors’ private clinics, and finally back, checking permissions at each step.

To reason formally about these strategies, the paper introduces mDPi, a location‑aware extension of the distributed π‑calculus. Processes are annotated with their hosting location (k ~ P) and can perform standard communication, name restriction, replication, and parallel composition. Each output generates a trace entity t(c, v̄, n) at the output’s location, where n is a local timestamp maintained by a per‑location counter, yielding a totally ordered trace per location and a partial order across locations. Monitors are first‑class entities, written as {M}(k,n), which carry an explicit monitoring context (location and trace index). The monitor language includes operations to query traces (q(c, x).M), retrieve or set the monitoring context (getI, setI), synchronize with a location’s current time (sync), migrate to another location (go k.M), and report success or failure (ok, fail). This design separates trace generation from trace consumption, reflecting the asynchronous nature of distributed monitoring, while providing primitives (sync, setI) to control relative timing and mitigate the lack of a global clock.

The authors define a family of labelled transition systems (LTS) for mDPi at increasing levels of abstraction. The base LTS captures process actions and trace creation; an extended LTS adds monitor‑specific transitions for querying, migration, and result signalling. These LTSs enable formal comparison of the three monitoring strategies within a single semantic framework, allowing reasoning about properties such as soundness, completeness, communication cost, and fault‑tolerance.

Finally, the paper demonstrates the expressiveness of mDPi by synthesising monitors from contracts expressed as regular expressions. The translation maps concatenation, choice, and Kleene star to sequential monitor composition, branching, and replication, respectively. By selecting different deployment patterns for the generated monitor components, the same contract can be realised as an orchestrated monitor, a choreographed set of local monitors, or a set of migrating monitors. The authors prove that the synthesised monitors preserve the semantics of the original contract.
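To make the monitor primitives described for mDPi and the regular-expression synthesis above concrete, here is an added toy model in Python; it is not the paper's code or notation, and the names Location, Ev/Seq/Alt/Star, run, check and the hospital data are assumptions constructed for this illustration. It keeps one trace and one timestamp counter per location, interprets a contract against those traces from a monitoring context (k, n), migrates when the next expected message lives elsewhere, and maps concatenation, choice and Kleene star to sequencing, branching and repetition. It also assumes that a migrating monitor re-reads the destination trace from index 0 rather than calling sync.

```python
# Added illustration; not the paper's code. Location, Ev/Seq/Alt/Star, run, check are assumed names.
from collections import namedtuple

class Location:                          # one mDPi location: its own trace and timestamp counter
    def __init__(self): self.trace, self.clock = [], 0
    def output(self, chan, val):         # an output records t(c, v, n) and ticks the local clock
        self.trace.append((chan, val, self.clock)); self.clock += 1

# Contracts: Ev = message on channel c at location k satisfying pred; Seq/Alt/Star = regex ops.
Ev = namedtuple("Ev", "k c pred", defaults=[lambda v: True])
Seq, Alt, Star = namedtuple("Seq", "parts"), namedtuple("Alt", "left right"), namedtuple("Star", "body")

def run(contract, locs, ctx):
    """Yield each monitoring context (k, n), as in {M}(k,n), in which the contract has held."""
    k, n = ctx
    if isinstance(contract, Ev):
        if contract.k != k:              # go k'.M; assumption: the new trace is re-read from index 0
            k, n = contract.k, 0
        for c, v, t in locs[k].trace:    # q(c, x).M: the next entry on channel c with index >= n
            if t >= n and c == contract.c:
                if contract.pred(v): yield (k, t + 1)   # later monitors resume after this entry
                return                   # value rejected, or (after the loop) no entry: fail
    elif isinstance(contract, Seq):      # concatenation -> sequential monitor composition
        ctxs = [ctx]
        for part in contract.parts:
            ctxs = [c2 for c1 in ctxs for c2 in run(part, locs, c1)]
        yield from ctxs
    elif isinstance(contract, Alt):      # choice -> branching
        yield from run(contract.left, locs, ctx)
        yield from run(contract.right, locs, ctx)
    elif isinstance(contract, Star):     # Kleene star -> replication (zero or more iterations)
        seen, todo = {ctx}, [ctx]        # contexts are hashable, so repeated ones stop the loop
        while todo:
            cur = todo.pop()
            yield cur
            for nxt in run(contract.body, locs, cur):
                if nxt not in seen: seen.add(nxt); todo.append(nxt)

def check(contract, locs, start):        # ok / fail: does some run accept, starting at `start`?
    return any(True for _ in run(contract, locs, (start, 0)))

# Constructed data for the paper's hospital scenario: nurse -> hospital -> assigned clinic.
def hospital_example(clinic_permits=True):
    locs = {name: Location() for name in ("nurse", "hospital", "clinicA")}
    events = [("nurse", "request", "patient42"), ("hospital", "assign", ("patient42", "drA"))]
    if clinic_permits: events.append(("clinicA", "permit", "patient42"))
    for loc, c, v in events: locs[loc].output(c, v)
    contract = Seq([Ev("nurse", "request"), Ev("hospital", "assign", lambda v: v[0] == "patient42"),
                    Ev("clinicA", "permit")])
    return check(contract, locs, "nurse")   # True; False when the clinic never permits
```

Because every location numbers only its own trace, a context such as ("hospital", 1) says nothing about what the clinic has logged, which is why the model resets the index on migration and why the paper needs sync and setI to relate timings across locations.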

In summary, the contribution is a unified, formally grounded calculus (mDPi) that models distributed contract monitoring, a suite of LTS semantics for rigorous analysis, and a concrete synthesis procedure that bridges high‑level contract specifications to concrete monitoring implementations across the three major strategies. This work lays a solid theoretical foundation for designing, analysing, and implementing secure and efficient runtime contract monitoring in modern distributed systems.

