Xiaoyan Li,Christoforos N. Hadjicostis,Zhiwu Li

DOI: https://doi.org/10.1109/tac.2023.3239433

IF: 6.549

2023-01-01

IEEE Transactions on Automatic Control

Abstract:Opacity is a confidentiality property capturing the fact that certain secret behavior of a system cannot be revealed under any system evolution. Current-state opacity can be enforced by using an extended insertion mechanism, which is capable of inserting fake symbols before and after an actual output, in real time as the system evolves. This paper studies the enforcement of current-state opacity for systems modeled by finite state automata using an extended insertion strategy under constraints on the way symbols can be inserted before and after an actual symbol generated by the system (e.g., constraints on the type, order, and number of inserted symbols). More specifically, we consider inserted language constraints captured by the notion of $(L_{b},L_{a})$-enforceability, where $L_{b}$ is the set of strings that can be inserted before, and $L_{a}$ is the set of strings that can be inserted after an observed event. If $L_{b}$ and $L_{a}$ are regular languages, a verifier is constructed to derive a necessary and sufficient condition for opacity enforceability, and also to formulate an extended insertion strategy (if viable).

automation & control systems,engineering, electrical & electronic

Wei Duan,Ruotian Liu,Maria Pia Fanti,Christoforos N. Hadjicostis,Zhiwu Li

2024-10-11

Abstract:As an information-flow privacy property, opacity characterizes whether a malicious external observer (referred to as an intruder) is able to infer the secret behavior of a system. This paper addresses the problem of opacity enforcement using edit functions in discrete event systems modeled by partially observed deterministic finite automata. A defender uses the edit function as an interface at the output of a system to manipulate actual observations through insertion, substitution, and deletion operations so that the intruder will be prevented from inferring the secret behavior of the system. Unlike existing work which usually assumes that the observation capabilities of the intruder and the defender are identical, we consider a more general setting where they may observe incomparable subsets of events generated by the <a class="link-external link-http" href="http://system.To" rel="external noopener nofollow">this http URL</a> characterize whether the defender has the ability to enforce opacity of the system under this setting, the notion of \emph{$ic$-enforceability} is introduced. Then, the opacity enforcement problem is transformed to a two-player game, with imperfect information between the system and the defender, which can be used to determine a feasible decision-making strategy for the defender. Within the game scheme, an edit mechanism is constructed to enumerate all feasible edit actions following system behavior. We further show that an $ic$-enforcing edit function (if one exists) can be synthesized from the edit mechanism to enforce opacity.

Formal Languages and Automata Theory,Systems and Control

Xiaoguang Han,Kuize Zhang,Zhiwu Li

2024-01-19

Abstract:In this paper, we investigate the verification and enforcement of strong state-based opacity (SBO) in discrete-event systems modeled as partially-observed (nondeterministic) finite-state automata, including strong K-step opacity (K-SSO), strong current-state opacity (SCSO), strong initial-state opacity (SISO), and strong infinite-step opacity (Inf-SSO). They are stronger versions of four widely-studied standard opacity notions, respectively. We firstly propose a new notion of K-SSO, and then we construct a concurrent-composition structure that is a variant of our previously-proposed one to verify it. Based on this structure, a verification algorithm for the proposed notion of K-SSO is designed. Also, an upper bound on K in the proposed K-SSO is derived. Secondly, we propose a distinctive opacity-enforcement mechanism that has better scalability than the existing ones (such as supervisory control). The basic philosophy of this new mechanism is choosing a subset of controllable transitions to disable before an original system starts to run in order to cut off all its runs that violate a notion of strong SBO of interest. Accordingly, the algorithms for enforcing the above-mentioned four notions of strong SBO are designed using the proposed two concurrent-composition structures. In particular, the designed algorithm for enforcing Inf-SSO has lower time complexity than the existing one in the literature, and does not depend on any assumption. Finally, we illustrate the applications of the designed algorithms using examples.

Formal Languages and Automata Theory

Weilin Deng,Daowen Qiu,Jingkai Yang

2023-07-08

Abstract:Finite automata (FAs) model is a popular tool to characterize discrete event systems (DESs) due to its succinctness. However, for some complex systems, it is difficult to describe the necessary details by means of FAs model. In this paper, we consider a kind of extended finite automata (EFAs) in which each transition carries a predicate over state and event parameters. We also consider a type of simplified EFAs, called Event-Parameters EFAs (EP-EFAs), where the state parameters are removed. Based upon these two parametric models, we investigate the problem of opacity analysis for parametric DESs. First of all, it is shown that EFAs model is more expressive than EP-EFAs model. Secondly, it is proved that the opacity properties for EFAs are undecidable in general. Moreover, the decidable opacity properties for EP-EFAs are investigated. We present the verification algorithms for current-state opacity, initial-state opacity and infinite-step opacity, and then discuss the complexity. This paper establishes a preliminary theory for the opacity of parametric DESs, which lays a foundation for the opacity analysis of complex systems.

Formal Languages and Automata Theory,Systems and Control

Wei Duan,Christoforos N. Hadjicostis,Zhiwu Li

2024-04-01

Abstract:Inspired by privacy problems where the behavior of a system should not be revealed to an external curious observer, we investigate event concealment and concealability enforcement in discrete event systems modeled as non-deterministic finite automata under partial observation. Given a subset of secret events in a given system, concealability holds if the occurrence of all secret events remains hidden to a curious observer (an eavesdropper). A secret event is said to be (at least under some executions) unconcealable (inferable) if its occurrence can be indirectly determined with certainty after a finite number of observations. When concealability of a system does not hold (i.e., one or more secret events are unconcealable), we analyze how a defender, placed at the interface of the system with the eavesdropper, can be used to enforce concealability. The defender takes as input each observed event of the system and outputs a carefully modified event sequence (seen by the eavesdropper) using event deletion, insertion, or replacement. The defender is said to be C-enforceable if, following the occurrence of the secret events and regardless of subsequent activity generated by the system, it can always deploy a strategy to manipulate observations and conceal the events perpetually. We discuss systematic procedures to detect the presence of unconcealable secret events and verify C-Enforceability using techniques from state estimation and event diagnosis. We also propose a polynomial complexity construction for obtaining one necessary and one sufficient condition for C-Enforceability.

Cryptography and Security,Systems and Control

Tareq Ahmad Al-Sarayrah,Zhiwu Li,Li Yin,Almetwally M. Mostafa

DOI: https://doi.org/10.1109/access.2024.3413070

IF: 3.9

2024-06-21

IEEE Access

Abstract:In the context of extended probabilistic automata, this study focuses on an information flow property, called opacity, of discrete event systems. The achievement of this research is the formulation and in-depth analysis of what is termed sequential k-opacity. This metric, through its detailed assessment, marks an explicit and visible advancement beyond the existing paradigms for measuring system opacity. It introduces an improved method for analyzing the probability of event sequences leading to confidential states within a system. An approach of such a comprehensive nature is essential for a detailed analysis of opacity in systems typified by deterministic and stochastic elements. Furthermore, this work incorporates a numerical case study that provides a baseline for further investigations in practical applications, thereby validating the proposed framework's usefulness. The research progresses to explore novel approaches to the reinforcement and persistence of system opacity within extended probabilistic automata. Among these approaches, the strategic use of fake events is critical as it is a fundamental tool for enhancing system security and secrecy, which plays an important role in protecting sensitive and secret data by effectively hiding the real status of the system from outside inspection.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoyan Li,Christoforos N. Hadjicostis,Zhiwu Li

2023-10-18

Abstract:Opacity is a property that captures security concerns in cyber-physical systems and its verification plays a significant role. This paper investigates the verifications of K-step and infinite-step weak and strong opacity for partially observed nondeterministic finite state automata. K-step weak opacity is checked by constructing, for some states in the observer, appropriate state-trees, to propose a necessary and sufficient condition. Based on the relation between K-step weak and infinite-step weak opacity, a condition that determines when a system is not infinite-step weak opaque is presented. Regarding K-step and infinite-step strong opacity, we develop a secret-involved projected automaton, based on which we construct secret-unvisited state trees to derive a necessary and sufficient condition for K-step strong opacity. Furthermore, an algorithm is reported to compute a verifier that can be used to obtain a necessary and sufficient condition for infinite-step strong opacity. It is argued that, in some particular cases, the proposed methods achieve reduced complexity compared with the state of the art.

Formal Languages and Automata Theory

Wei Duan,Christoforos N. Hadjicostis,Zhiwu Li

DOI: https://doi.org/10.1016/j.ins.2024.121554

IF: 8.1

2024-10-20

Information Sciences

Abstract:In this paper, we study the problem of simultaneous public event information release and private event information hiding in discrete event systems modeled by partially observed non-deterministic finite automata, where the public and private event information is respectively defined as unobservable fault and secret events. The notion of D-C-compossibility is introduced to characterize whether a system simultaneously conceals the occurrences of secret events while releasing the occurrences of fault events. When such a property does not hold, we investigate its enforcement through a defensive function. This function takes each observable event of a system as input and generates a suitably modified event sequence at the system's output using event deletion, insertion, or substitution. Specifically, our focus is on prioritizing the concealment of the secret events while maximizing the detection of the fault events through the use of defensive functions. The notion of D-C-enforceability that refers to the capability of a defensive function to employ a strategy for manipulating observations of a system to enforce D - C -compossibility is proposed. That is, a D - C -enforcing defensive function ensures that all occurrences of fault events can be revealed while concealing all occurrences of secret events. A D - C -diagnoser construction is proposed to enumerate all feasible defensive actions following system behavior. By taking advantage of the D - C -diagnoser, we obtain a necessary and sufficient condition for D - C -enforceability, along with a corresponding obfuscation strategy for defensive functions.

computer science, information systems

Chunyan Mu,David Clark

DOI: https://doi.org/10.48550/arXiv.2206.14317

2022-06-29

Abstract:We delineate a methodology for the specification and verification of flow security properties expressible in the opacity framework. We propose a logic, OpacTL , for straightforwardly expressing such properties in systems that can be modelled as partially observable labelled transition <a class="link-external link-http" href="http://systems.We" rel="external noopener nofollow">this http URL</a> develop verification techniques for analysing property opacity with respect to observation notions. Adding a probabilistic operator to the specification language enables quantitative analysis and verification. This analysis is implemented as an extension to the PRISM model checker and illustrated via a number of examples. Finally, an alternative approach to quantifying the opacity property based on entropy is sketched.

Cryptography and Security

Huawei Xie,Jing Liu,Na Li

DOI: https://doi.org/10.1093/comjnl/bxae077

2024-08-23

The Computer Journal

Abstract:Abstract Opacity is an important system property that is particularly relevant in the context of system security and privacy. A system is considered opaque if the predefined secret behavior of the system is not leaked to an external intruder. In this work, the opacity property is studied in the framework of labeled Petri nets (LPNs). The secret in an LPN system is characterized by a subset of reachable markings. Firstly, an opacity basis reachability graph (OBRG) containing opacity information of the system is developed to denote a system’s reachability set without computing all reachable states. Then the observer of the OBRG is computed, based on which a necessary and sufficient condition is derived to verify the opacity of the LPN system. Finally, given an LPN that does not satisfy the opacity, a maximally permissive supervisor is introduced to guarantee that the controlled system is opaque.

computer science, information systems, theory & methods, software engineering, hardware & architecture

Li Jiang,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1007/978-3-540-76788-6_6

2007-01-01

Abstract:Information flow and in particular noninterference ensure that sensitive information does not affect public information. But noninterference is too restrictive: real computing systems sometimes need to dynamically release certain amount of sensitive information. In this paper, we propose a new security property that requires the decision to perform information release have high integrity, and permits low integrity data which comes from untrusted sources to dynamically affect information release by upgrading (or endorsing) its integrity. To control such integrity upgrading, we introduce an endorsement mechanism that takes the form of a local integrity endorsing policy declaration. So the programmer can express more precise ways of endorsing, by specifying the integrity levels from which information may be endorsed. In addition, we show a new type system to enforce the security property.

Weiwei Han,Yi Li,Zhipeng Zhang,Chengyi Xia

DOI: https://doi.org/10.1016/j.ins.2023.119130

IF: 8.1

2023-05-12

Information Sciences

Abstract:Finite-state machines are among the most important models for studying the logic dynamic behavior of cyber–physical systems, and their security and privacy are urgent problems to be solved at present. This paper explores state-opacity-based privacy verification and synthesis problems for finite-state machines from an algebraic perspective. First, the dynamics of a finite-state machine can be established as an algebraic expression using the semi-tensor product of matrices. Beginning with this novel representation, we propose an algebraic criterion to verify whether the privacy state is opaque to intruders. Subsequently, we investigate the opacity-enhancement synthesis problem from two perspectives. On one hand, we design a feedback supervisory controller by disabling controllable events such that the closed-loop system is opaque with respect to privacy states; on the other hand, we investigate the editing of an observable function simply by assigning specific events in the observation channel instead of changing the transition behavior of the system. We observe that these synthesis problems can be addressed by calculating a system of algebraic equations, and we further develop two algorithms to obtain the controller or function. Finally, an interesting example is presented to demonstrate the validity of the proposed algebraic method. Taken together, these results are conducive to a systematic understanding of privacy enhancement problems.

computer science, information systems

Étienne André,Engel Lefaucheux,Dylan Marinho

DOI: https://doi.org/10.48550/arxiv.2403.07647

2024-03-12

Logic in Computer Science

Abstract:Information leakage can have dramatic consequences on the security of real-time systems. Timing leaks occur when an attacker is able to infer private behavior depending on timing information. In this work, we propose a definition of expiring timed opacity w.r.t. execution time, where a system is opaque whenever the attacker is unable to deduce the reachability of some private state solely based on the execution time; in addition, the secrecy is violated only when the private state was entered "recently", i.e., within a given time bound (or expiration date) prior to system completion. This has an interesting parallel with concrete applications, notably cache deducibility: it may be useless for the attacker to know the cache content too late after its observance. We study here expiring timed opacity problems in timed automata. We consider the set of time bounds (or expiration dates) for which a system is opaque and show when they can be effectively computed for timed automata. We then study the decidability of several parameterized problems, when not only the bounds, but also some internal timing constants become timing parameters of unknown constant values.

Zhipeng Zhang,Chengyi Xia,Guoyuan Qi,Jun Fu

DOI: https://doi.org/10.1007/s11432-023-4041-6

2024-10-26

Science China Information Sciences

Abstract:Opacity is a central concept in the issue of privacy security and has been studied extensively in fields such as finite automata, probabilistic automata, and stochastic automata. Here, we investigate the problem of validating multi-step opaque properties through unambiguous weighted machines from the perspective of cyber-physical systems. First, the notion of multi-step state-based opacity for unambiguous weighted machines is presented and defined. It includes two variants of delays with a finite K and infinite steps. Subsequently, the weighted state estimate with K (infinite)-step delay is established by abstracting the possible state set that the system could have through these weighted observations. Meanwhile, to keep the observable weighted sequence consistent between the bidirectional observers, the unobserved weights of the reverse weighted machine are assumed to be reserved. Subsequently, the existence conditions are developed, and the corresponding algorithms, termed the weighted bidirectional observer, are generalized to verify these properties. Finally, several numerical examples are illustrated to demonstrate the effectiveness of the proposed method. Taken together, the current approach will be conducive to a deep understanding of the security and privacy of cyber-physical systems.

computer science, information systems,engineering, electrical & electronic

Ruochen Tai,Liyong Lin,Yuting Zhu,Rong Su

DOI: https://doi.org/10.48550/arXiv.2104.04299

2021-04-09

Systems and Control

Abstract:This paper investigates the problem of co-synthesis of edit function and supervisor for opacity enforcement in the supervisory control of discrete-event systems (DES), assuming the presence of an external (passive) intruder, where the following goals need to be achieved: 1) the external intruder should never infer the system secret, i.e., the system is opaque, and never be sure about the existence of the edit function, i.e., the edit function remains covert; 2) the controlled plant behaviors should satisfy some safety and nonblockingness requirements, in the presence of the edit function. We focus on the class of edit functions that satisfy the following properties: 1) the observation capability of the edit function in general can be different from those of the supervisor and the intruder; 2) the edit function can implement insertion, deletion, and replacement operations; 3) the edit function performs bounded edit operations, i.e., the length of each string output of the edit function is upper bounded by a given constant. We propose an approach to solve this co-synthesis problem by modeling it as a distributed supervisor synthesis problem in the Ramadge-Wonham supervisory control framework. By taking the special structure of this distributed supervisor synthesis problem into consideration and to improve the possibility of finding a non-empty distributed supervisor, we propose two novel synthesis heuristics that incrementally synthesize the supervisor and the edit function. The effectiveness of our approach is illustrated on an example in the enforcement of the location privacy.

Xiang Yin,Majid Zamani,Siyuan Liu

DOI: https://doi.org/10.1109/tac.2020.2998733

IF: 6.549

2021-04-01

IEEE Transactions on Automatic Control

Abstract:Opacity is an important information-flow security property in the analysis of cyber-physical systems. It captures the plausible deniability of the system's secret behavior in the presence of an intruder that may access the information flow. Existing works on opacity only consider nonmetric systems by assuming that the intruder can always distinguish between two different outputs precisely. In this article, we extend the concept of opacity to systems whose output sets are equipped with metrics. Such systems are widely used in the modeling of many real-world systems whose measurements are physical signals. A new concept called approximate opacity is proposed in order to quantitatively evaluate the security guarantee level with respect to the measurement precision of the intruder. Then, we propose a new simulation-type relation, called approximate opacity-preserving simulation relation, which characterizes how close two systems are in terms of the satisfaction of approximate opacity. This allows us to verify approximate opacity for large-scale, or even infinite, systems using their abstractions. We also discuss how to construct approximate opacity-preserving symbolic models for a class of discrete-time control systems. Our results extend the definitions and analysis techniques for opacity from nonmetric systems to metric systems.

automation & control systems,engineering, electrical & electronic

Bohan Cui,Ziyue Ma,Shaoyuan Li,Xiang Yin

2024-09-10

Abstract:In this paper, we investigate the property verification problem for partially-observed DES from a new perspective. Specifically, we consider the problem setting where the system is observed by two agents independently, each with its own observation. The purpose of the first agent, referred to as the low-level observer, is to infer the actual behavior of the system, while the second, referred to as the high-level observer, aims to infer the knowledge of Agent 1 regarding the system. We present a general notion called the epistemic property capturing the inference from the high-level observer to the low-level observer. A typical instance of this definition is the notion of high-order opacity, which specifies that the intruder does not know that the system knows some critical information. This formalization is very general and supports any user-defined information-state-based knowledge between the two observers. We demonstrate how the general definition of epistemic properties can be applied in different problem settings such as information leakage diagnosis or tactical cooperation without explicit communications. Finally, we provide a systematic approach for the verification of epistemic properties. Particularly, we identify some fragments of epistemic properties that can be verified more efficiently.

Systems and Control

Siyuan Liu,Xiang Yin,Dimos V. Dimarogonas,Majid Zamani

2024-01-04

Abstract:This paper investigates an important class of information-flow security property called opacity for stochastic control systems. Opacity captures whether a system's secret behavior (a subset of the system's behavior that is considered to be critical) can be kept from outside observers. Existing works on opacity for control systems only provide a binary characterization of the system's security level by determining whether the system is opaque or not. In this work, we introduce a quantifiable measure of opacity that considers the likelihood of satisfying opacity for stochastic control systems modeled as general Markov decision processes (gMDPs). We also propose verification methods tailored to the new notions of opacity for finite gMDPs by using value iteration techniques. Then, a new notion called approximate opacity-preserving stochastic simulation relation is proposed, which captures the distance between two systems' behaviors in terms of preserving opacity. Based on this new system relation, we show that one can verify opacity for stochastic control systems using their abstractions (modeled as finite gMDPs). We also discuss how to construct such abstractions for a class of gMDPs under certain stability conditions.

Systems and Control

Anirban Majumdar,Clark Thomborson

DOI: https://doi.org/10.1109/tencon.2006.344217

2006-01-01

Abstract:The concept of opacity has been investigated in two different contexts as means of expressing security properties in distributed systems. Opacity in the context of information-hiding assumes the existence of a black-box and is concerned with enforcing properties such as anonymity and secrecy on collaborating processes in an untrusted distributed computing environment. In the context of software obfuscation, opacity is a measure of the difficulty of reverse engineering of object code under the assumption that the adversary has access to grey-box information. In this contribution, we bring together these two contexts in which opacity has been defined and discuss how a specialized technique, called opaque predicates, can deter malicious reverse engineering

Sahar Mohajerani,Stephane Lafortune

DOI: https://doi.org/10.48550/arXiv.1904.06242

2019-05-13

Abstract:We consider the verification of current-state and K-step opacity for systems modeled as interacting non-deterministic finite-state automata. We describe a new methodology for compositional opacity verification that employs abstraction, in the form of a notion called opaque observation equivalence, and that leverages existing compositional nonblocking verification algorithms. The compositional approach is based on a transformation of the system, where the transformed system is nonblocking if and only if the original one is current-state opaque. Furthermore, we prove that $K$-step opacity can also be inferred if the transformed system is nonblocking. We provide experimental results where current-state opacity is verified efficiently for a large scaled-up system.

Logic in Computer Science,Formal Languages and Automata Theory