Étienne André,Marie Duflot,Laetitia Laversa,Engel Lefaucheux

2024-09-16

Abstract:Timing leaks in timed automata (TA) can occur whenever an attacker is able to deduce a secret by observing some timed behavior. In execution-time opacity, the attacker aims at deducing whether a private location was visited, by observing only the execution time. It can be decided whether a TA is opaque in this setting. In this work, we tackle control, and show that we are able to decide whether a TA can be controlled at runtime to ensure opacity. Our method is constructive, in the sense that we can exhibit such a controller. We also address the case when the attacker cannot have an infinite precision in its observations.

Cryptography and Security

Étienne André,Engel Lefaucheux,Didier Lime,Dylan Marinho,Jun Sun

DOI: https://doi.org/10.4204/EPTCS.392.1

2023-10-31

Abstract:Timing information leakage occurs whenever an attacker successfully deduces confidential internal information by observing some timed information such as events with timestamps. Timed automata are an extension of finite-state automata with a set of clocks evolving linearly and that can be tested or reset, making this formalism able to reason on systems involving concurrency and timing constraints. In this paper, we summarize a recent line of works using timed automata as the input formalism, in which we assume that the attacker has access (only) to the system execution time. First, we address the following execution-time opacity problem: given a timed system modeled by a timed automaton, given a secret location and a final location, synthesize the execution times from the initial location to the final location for which one cannot deduce whether the secret location was visited. This means that for any such execution time, the system is opaque: either the final location is not reachable, or it is reachable with that execution time for both a run visiting and a run not visiting the secret location. We also address the full execution-time opacity problem, asking whether the system is opaque for all execution times; we also study a weak counterpart. Second, we add timing parameters, which are a way to configure a system: we identify a subclass of parametric timed automata with some decidability results. In addition, we devise a semi-algorithm for synthesizing timing parameter valuations guaranteeing that the resulting system is opaque. Third, we report on problems when the secret has itself an expiration date, thus defining expiring execution-time opacity problems. We finally show that our method can also apply to program analysis with configurable internal timings.

Logic in Computer Science,Cryptography and Security,Software Engineering

Étienne André,Sarah Dépernet,Engel Lefaucheux

2024-09-27

Abstract:In 2009, Franck Cassez showed that the timed opacity problem, where an attacker can observe some actions with their timestamps and attempts to deduce information, is undecidable for timed automata (TAs). Moreover, he showed that the undecidability holds even for subclasses such as event-recording automata. In this article, we consider the same definition of opacity for several other subclasses of TAs: with restrictions on the number of clocks, of actions, on the nature of time, or on a new subclass called observable event-recording automata. We show that opacity can mostly be retrieved, except for one-action TAs and for one-clock TAs with $\epsilon$-transitions, for which undecidability remains. We then exhibit a new decidable subclass in which the number of observations made by the attacker is limited.

Logic in Computer Science,Cryptography and Security,Formal Languages and Automata Theory

Étienne André,Engel Lefaucheux,Dylan Marinho

DOI: https://doi.org/10.48550/arxiv.2403.07647

2024-03-12

Logic in Computer Science

Abstract:Information leakage can have dramatic consequences on the security of real-time systems. Timing leaks occur when an attacker is able to infer private behavior depending on timing information. In this work, we propose a definition of expiring timed opacity w.r.t. execution time, where a system is opaque whenever the attacker is unable to deduce the reachability of some private state solely based on the execution time; in addition, the secrecy is violated only when the private state was entered "recently", i.e., within a given time bound (or expiration date) prior to system completion. This has an interesting parallel with concrete applications, notably cache deducibility: it may be useless for the attacker to know the cache content too late after its observance. We study here expiring timed opacity problems in timed automata. We consider the set of time bounds (or expiration dates) for which a system is opaque and show when they can be effectively computed for timed automata. We then study the decidability of several parameterized problems, when not only the bounds, but also some internal timing constants become timing parameters of unknown constant values.

Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

Étienne André,Johan Arcile,Engel Lefaucheux

2024-10-02

Abstract:Parametric timed automata (PTAs) extend the concept of timed automata, by allowing timing delays not only specified by concrete values but also by parameters, allowing the analysis of systems with uncertainty regarding timing behaviors. The full execution-time opacity is defined as the problem in which an attacker must never be able to deduce whether some private location was visited, by only observing the execution time. The problem of full ET-opacity emptiness (i.e., the emptiness over the parameter valuations for which full execution-time opacity is satisfied) is known to be undecidable for general PTAs. We therefore focus here on one-clock PTAs with integer-valued parameters over dense time. We show that the full ET-opacity emptiness is undecidable for a sufficiently large number of parameters, but is decidable for a single parameter, and exact synthesis can be effectively achieved. Our proofs rely on a novel construction as well as on variants of Presburger arithmetics. We finally prove an additional decidability result on an existential variant of execution-time opacity.

Formal Languages and Automata Theory

Léo Henry,Thierry Jéron,Nicolas Markey

DOI: https://doi.org/10.1007/s10703-022-00403-w

2023-01-10

Formal Methods in System Design

Abstract:Partial observability and controllability are two well-known issues in test-case synthesis for reactive systems. We address the problem of partial control in the synthesis of test cases from timed-automata specifications. We extend a previous approach to this problem from the untimed to the timed setting. This extension requires a deep reworking of the models, game interpretation and test-synthesis algorithms. We exhibit strategies of a game that try to minimize both cooperations of the system and distance to the satisfaction of a test purpose or to the next cooperation, and prove they are winning under some fairness assumptions. This entails that when turning those strategies into test cases, we get properties such as soundness and exhaustiveness of the test synthesis method. We finally propose a symbolic algorithm to compute those strategies.

computer science, theory & methods

Sumukha Udupa,Jie Fu

2024-10-08

Abstract:Qualitative opacity of a secret is a security property, which means that a system trajectory satisfying the secret is observation-equivalent to a trajectory violating the secret. In this paper, we study how to synthesize a control policy that maximizes the probability of a secret being made opaque against an eavesdropping attacker/observer, while subject to other task performance constraints. In contrast to existing belief-based approach for opacity-enforcement, we develop an approach that uses the observation function, the secret, and the model of the dynamical systems to construct a so-called opaque-observations automaton which accepts the exact set of observations that enforce opacity. Leveraging this opaque-observations automaton, we can reduce the optimal planning in Markov decision processes(MDPs) for maximizing probabilistic opacity or its dual notion, transparency, subject to task constraints into a constrained planning problem over an augmented-state MDP. Finally, we illustrate the effectiveness of the developed methods in robot motion planning problems with opacity or transparency requirements.

Formal Languages and Automata Theory

Chunyan Mu,David Clark

DOI: https://doi.org/10.48550/arXiv.2206.14317

2022-06-29

Abstract:We delineate a methodology for the specification and verification of flow security properties expressible in the opacity framework. We propose a logic, OpacTL , for straightforwardly expressing such properties in systems that can be modelled as partially observable labelled transition <a class="link-external link-http" href="http://systems.We" rel="external noopener nofollow">this http URL</a> develop verification techniques for analysing property opacity with respect to observation notions. Adding a probabilistic operator to the specification language enables quantitative analysis and verification. This analysis is implemented as an extension to the PRISM model checker and illustrated via a number of examples. Finally, an alternative approach to quantifying the opacity property based on entropy is sketched.

Cryptography and Security

Wei Duan,Ruotian Liu,Maria Pia Fanti,Christoforos N. Hadjicostis,Zhiwu Li

2024-10-11

Abstract:As an information-flow privacy property, opacity characterizes whether a malicious external observer (referred to as an intruder) is able to infer the secret behavior of a system. This paper addresses the problem of opacity enforcement using edit functions in discrete event systems modeled by partially observed deterministic finite automata. A defender uses the edit function as an interface at the output of a system to manipulate actual observations through insertion, substitution, and deletion operations so that the intruder will be prevented from inferring the secret behavior of the system. Unlike existing work which usually assumes that the observation capabilities of the intruder and the defender are identical, we consider a more general setting where they may observe incomparable subsets of events generated by the <a class="link-external link-http" href="http://system.To" rel="external noopener nofollow">this http URL</a> characterize whether the defender has the ability to enforce opacity of the system under this setting, the notion of \emph{$ic$-enforceability} is introduced. Then, the opacity enforcement problem is transformed to a two-player game, with imperfect information between the system and the defender, which can be used to determine a feasible decision-making strategy for the defender. Within the game scheme, an edit mechanism is constructed to enumerate all feasible edit actions following system behavior. We further show that an $ic$-enforcing edit function (if one exists) can be synthesized from the edit mechanism to enforce opacity.

Formal Languages and Automata Theory,Systems and Control

Yifan Xie,Xiang Yin,Shaoyuan Li

DOI: https://doi.org/10.1109/tac.2021.3131125

2020-01-01

IFAC-PapersOnLine

Abstract:In this article, we investigate the enforcement of opacity via supervisory control in the context of discrete-event systems. A system is said to be opaque if the intruder, which is modeled as a passive observer, can never infer confidently that the system is at a secret state. The design objective is to synthesize a supervisor such that the closed-loop system is opaque even when the control policy is publicly known. In this article, we propose a new approach for enforcing opacity using nondeterministic supervisors. A nondeterministic supervisor is a decision mechanism that provides a set of control decisions at each instant, and randomly picks a specific control decision from the decision set to actually control the plant. Compared with the standard deterministic control mechanism, such a nondeterministic control mechanism can enhance the plausible deniability of the controlled system as the online control decision is a random realization and cannot be implicitly inferred from the control policy. We provide a sound and complete algorithm for synthesizing a nondeterministic opacity-enforcing supervisor. Furthermore, we show that nondeterministic supervisors are strictly more powerful than deterministic supervisors in the sense that there may exist a nondeterministic opacity-enforcing supervisor even when deterministic supervisors cannot enforce opacity.

Siyuan Liu,Xiang Yin,Dimos V. Dimarogonas,Majid Zamani

2024-01-04

Abstract:This paper investigates an important class of information-flow security property called opacity for stochastic control systems. Opacity captures whether a system's secret behavior (a subset of the system's behavior that is considered to be critical) can be kept from outside observers. Existing works on opacity for control systems only provide a binary characterization of the system's security level by determining whether the system is opaque or not. In this work, we introduce a quantifiable measure of opacity that considers the likelihood of satisfying opacity for stochastic control systems modeled as general Markov decision processes (gMDPs). We also propose verification methods tailored to the new notions of opacity for finite gMDPs by using value iteration techniques. Then, a new notion called approximate opacity-preserving stochastic simulation relation is proposed, which captures the distance between two systems' behaviors in terms of preserving opacity. Based on this new system relation, we show that one can verify opacity for stochastic control systems using their abstractions (modeled as finite gMDPs). We also discuss how to construct such abstractions for a class of gMDPs under certain stability conditions.

Systems and Control

Weiwei Han,Yi Li,Zhipeng Zhang,Chengyi Xia

DOI: https://doi.org/10.1016/j.ins.2023.119130

IF: 8.1

2023-05-12

Information Sciences

Abstract:Finite-state machines are among the most important models for studying the logic dynamic behavior of cyber–physical systems, and their security and privacy are urgent problems to be solved at present. This paper explores state-opacity-based privacy verification and synthesis problems for finite-state machines from an algebraic perspective. First, the dynamics of a finite-state machine can be established as an algebraic expression using the semi-tensor product of matrices. Beginning with this novel representation, we propose an algebraic criterion to verify whether the privacy state is opaque to intruders. Subsequently, we investigate the opacity-enhancement synthesis problem from two perspectives. On one hand, we design a feedback supervisory controller by disabling controllable events such that the closed-loop system is opaque with respect to privacy states; on the other hand, we investigate the editing of an observable function simply by assigning specific events in the observation channel instead of changing the transition behavior of the system. We observe that these synthesis problems can be addressed by calculating a system of algebraic equations, and we further develop two algorithms to obtain the controller or function. Finally, an interesting example is presented to demonstrate the validity of the proposed algebraic method. Taken together, these results are conducive to a systematic understanding of privacy enhancement problems.

computer science, information systems

Yuezhi Liu,Yong Chen

DOI: https://doi.org/10.1007/s11071-024-09319-y

IF: 5.741

2024-01-01

Nonlinear Dynamics

Abstract:This paper addresses the fast finite-time secure control problem for the nonlinear system in the presence of the deception attacks. Firstly, in order to suppress the deception attacks more rapidly, the secure controller is constructed in the sense of fast finite-time stability (FFTS), by which shorter convergence time and better system resilience can be achieved. Particularly, the adaptive compensation law is formulated in the secure controller design, which mitigates the damaging effect from the deception attacks (state parameterized attack and the uniformly bounded attack). Moreover, for the purpose of the network resource saving, a dynamic event-triggered mechanism (DETM) is established. The core innovation of the proposed DETM is that a fractional powered term is introduced in the internal variable generator. On the one hand, it renders the DETM suitable to the analysis of the FFTS; on the other hand, it enhances the dynamics of the internal variable. Furthermore, it is proved that the Zeno behavior will not happen and the fast finite-time stability of the closed-loop system can be guaranteed. Consequently, the experimental results demonstrate the effectiveness of the proposed method.

Jiří Balun,Tomáš Masopust,Petr Osička

2023-04-20

Abstract:Opacity is a property of privacy and security applications asking whether, given a system model, a passive intruder that makes online observations of system's behaviour can ascertain some "secret" information of the system. Deciding opacity is a PSpace-complete problem, and hence there are no polynomial-time algorithms to verify opacity under the assumption that PSpace differs from PTime. This assumption, however, gives rise to a question whether the existing exponential-time algorithms are the best possible or whether there are faster, sub-exponential-time algorithms. We show that under the (Strong) Exponential Time Hypothesis, there are no algorithms that would be significantly faster than the existing algorithms. As a by-product, we obtained a new conditional lower bound on the time complexity of deciding universality (and therefore also inclusion and equivalence) for nondeterministic finite automata.

Formal Languages and Automata Theory,Systems and Control

Ziteng Yang,Xiang Yin,Shaoyuan Li

DOI: https://doi.org/10.1016/j.ifacol.2020.12.2318

2020-01-01

Abstract:In this paper, we investigate the supervisory control problem for timed discrete-event systems (TDES) under partial observation. In the timed setting, the system consists of both standard logical events and time event, where the former can be disabled directly by the supervisor if it is controllable while the latter can only be preempted by forcing the occurrences of forcible events. We consider a general control mechanism where the supervisor can choose which events to force dynamically online at each instant. The design objective is to synthesize a maximally-permissive supervisor to restrict the behavior of the system such that the closed-loop language is within a safe specification language. Effective procedure is presented to synthesize such a supervisor. To our knowledge, how to synthesize a maximally-permissive partial-observation supervisor has not been solved for timed DES. We provide a solution to this problem under a general control mechanism.

Xiang Yin,Zhaojian Li,Weilin Wang,Shaoyuan Li

DOI: https://doi.org/10.1016/j.automatica.2018.10.049

IF: 6.4

2018-01-01

Automatica

Abstract:Opacity is an important information-flow property that arises in security and privacy analysis of cyber-physical systems. It captures the plausible deniability of the system's “secret” in the presence of a malicious intruder modeled as a passive observer. As a specific type of opacity, infinite-step opacity requires that the intruder can never determine unambiguously that the system was at a secret system for any specific instant in the past. Existing works on the analysis of infinite-step opacity only provide a binary characterization, i.e., a system is either opaque or non-opaque. However, a non-infinite-step-opaque system may only have a small probability of violation; this may be still tolerable in many applications. To analyze infinite-step opacity more quantitatively, in this paper, we investigate the verification of infinite-step opacity in the context of stochastic discrete-event systems. A new notion of opacity, called almost infinite-step opacity, is proposed to capture whether or not the probability of violating infinite-step opacity is smaller than a given threshold. This notion is weaker than its purely logical counter-part as it takes the transition probability of the system into account. We also provide an effective algorithm for the verification of almost infinite-step opacity.

Junyao Hou,Xiang Yin,Shaoyuan Li,Majid Zamani

DOI: https://doi.org/10.1109/cdc40024.2019.9029932

2019-01-01

Abstract:Opacity is an important information-flow security property that captures the plausible deniability for some "secret" of a system. In this paper, we investigate the problem of synthesizing controllers that enforce opacity for labeled transition systems (LTS). Most of the existing works on synthesis of opacity-enforcing controllers are based on the original system model, which may contain a large number of states. To mitigate the complexity of the controller synthesis procedure, we propose an abstraction-based approach for controller synthesis. Specifically, we propose notion of opacity-preserving alternating (bi)simulation relation for the purpose of abstraction. We show that, if the abstract system is opacity-preserving alternatingly simulated by the original system which may be significantly smaller, then we can synthesize an opacity-enforcing controller based on the abstract system and then refine it back to a controller enforcing opacity of the original system. We investigate both initial-state opacity and infinite-step opacity. We also show the effectiveness of the proposed approach by a set of examples.

Bohan Cui,Xiang Yin,Shaoyuan Li,Alessandro Giua

DOI: https://doi.org/10.1016/j.ifacol.2022.10.335

2022-01-01

Abstract:In this paper, we investigate a class of information-flow security properties called opacity in partial-observed discrete-event systems. Roughly speaking, a system is said to be opaque if the intruder, which is modeled by a passive observer, can never determine the “secret” of the system for sure. Most of the existing notions of opacity consider secrets related to the actual behaviors of the system. In this paper, we consider a new type of secret related to the knowledge of the system user. Specifically, we assume that the system user also only has partial observation of the system and has to reason the actual behavior of the system. We say a system is high-order opaque if the intruder can never determine that the system user knows some information of importance based on its own incomparable information. We provide the formal definition of high-order opacity. Two algorithms are provided for the verification of this new notion: one with doubly-exponential complexity for the worst case and the other with single-exponential complexity. Illustrative examples are provided for the new notion of high-order opacity.

Mei Liujuan,Liu Rongjian,Lu Jianquan,Qiu Jianlong

DOI: https://doi.org/10.1007/s00034-020-01462-2

2020-01-01

Abstract:Opacity is a confidential property characterizing whether the secret of a system can be inferred or not by an outside observer (also called an intruder). This paper focuses on presenting a matrix-based approach for verification of opacity of nondeterministic discrete event systems (DESs). Firstly, the given system is modeled as a finite-state automaton. Further, based on Boolean semi-tensor product (BSTP) of matrices, the algebraic expression of the observable dynamic of the system can be obtained. We, respectively, investigate current-state opacity and K-step opacity owing to the equivalence between a few opacity properties. Finally, necessary and sufficient conditions are presented to verify whether the secret is opaque for a given system, and the proposed methodology is tested effectively by examples. The matrix-based characterization of opacity proposed in this paper may provide a helpful angel for understanding the structure of this property.