Abstract
Opacity is an information-flow property that characterizes the ability of a system to keep its secret information hidden from a third party called an attacker. In the state of the art, opacity of Discrete Event Systems (DES) has been investigated using a variety of techniques, among which methods based on Supervisory Control Theory (SCT) emerge as an efficient approach for enforcing this property. In this paper, we address the problem of enforcing the opacity of a DES through the definition of a supervisor whose role is to restrain the behavior of the system, keeping only “good” runs, i.e., executions that exactly correspond to the opaque subset of the system’s state space. The proposed approach is based on the Symbolic Observation Graph: a hybrid graph whose nodes are subsets of reachable states linked by unobservable actions. Encoding such nodes symbolically using binary decision diagrams makes it possible to tackle the state space explosion problem.
We designed a reduced-cost algorithm that synthesizes an optimal supervisor (at design time) to ensure the opacity of the system (at runtime). Moreover, we implemented our approach in C++ and validated our proposition on a real-life case study.
Notes
1. Further details on the implementation can be found in our GitHub repository “https://github.com/NourSouid/Opacity-Supervision”.
References
Badouel, E., Bednarczyk, M.A., Borzyszkowski, A.M., Caillaud, B., Darondeau, P.: Concurrent secrets. Discrete Event Dyn. Syst. 17(4), 425–446 (2007)
Bérard, B., Mullins, J., Sassolas, M.: Quantifying opacity. In: QEST 2010, Seventh International Conference on the Quantitative Evaluation of Systems, Williamsburg, Virginia, USA, pp. 263–272. IEEE Computer Society, 15–18 September 2010
Bourouis, A., Klai, K., El Touati, Y., Hadj-Alouane, N.B.: Opacity preserving abstraction for web services and their composition using SOGs. In: 2015 IEEE International Conference on Web Services, pp. 313–320 (2015)
Bourouis, A., Klai, K., Hadj-Alouane, N.B.: Measuring opacity in web services. In: Proceedings of the 19th International Conference on Information Integration and Web-Based Applications & Services, iiWAS 2017, New York, NY, USA, pp. 530–534. Association for Computing Machinery (2017)
Bourouis, A., Klai, K., Hadj-Alouane, N.B.: Measuring opacity for non-probabilistic DES: a SOG-based approach. In: 24th International Conference on Engineering of Complex Computer Systems, ICECCS 2019, Guangzhou, China, 10–13 November, pp. 242–247. IEEE (2019)
Bourouis, A., Klai, K., Hadj-Alouane, N.B., El Touati, Y.: On the verification of opacity in web services and their composition. IEEE Trans. Serv. Comput. 10(1), 66–79 (2017)
Bourouis, A., Klai, K., El Touati, Y., Hadj-Alouane, N.B.: Checking opacity of vulnerable critical systems on-the-fly. IJITWE 10(1), 1–30 (2015)
Bryans, J.W., Koutny, M., Mazaré, L., Ryan, P.Y.A.: Opacity generalised to transition systems. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2005. LNCS, vol. 3866, pp. 81–95. Springer, Heidelberg (2006). https://doi.org/10.1007/11679219_7
Bryans, J.W., Koutny, M., Mazaré, L., Ryan, P.Y.A.: Opacity generalised to transition systems. Int. J. Inf. Secur. 7(6), 421–435 (2008)
Bryans, J.W., Koutny, M., Ryan, P.Y.A.: Modelling dynamic opacity using Petri nets with silent actions. In: Dimitrakos, T., Martinelli, F. (eds.) Formal Aspects in Security and Trust. IIFIP, vol. 173, pp. 159–172. Springer, Boston (2005). https://doi.org/10.1007/0-387-24098-5_12
Bryans, J.W., Koutny, M., Ryan, P.Y.A.: Modelling opacity using Petri nets. Electron. Notes Theor. Comput. Sci. 121, 101–115 (2005)
Bryant, R.E.: Symbolic boolean manipulation with ordered binary-decision diagrams. ACM Comput. Surv. 24(3), 293–318 (1992)
Cassandras, C.G., Lafortune, S.: Introduction to Discrete Event Systems, 2nd edn. Springer, New York (2010)
Dubreil, J., Darondeau, P., Marchand, H.: Opacity enforcing control synthesis. In: 9th International Workshop on Discrete Event Systems, pp. 28–35, May 2008
Dubreil, J.: Monitoring and supervisory control for opacity properties. (Vérification et Synthèse de Contrôleur pour des Propriétés de Confidentialité). Ph.D. thesis, University of Rennes 1, France (2009)
Falcone, Y., Marchand, H.: Enforcement and validation (at runtime) of various notions of opacity. Discrete Event Dyn. Syst. 25(4), 531–570 (2014). https://doi.org/10.1007/s10626-014-0196-4
Haddad, S., Ilié, J.-M., Klai, K.: Design and evaluation of a symbolic and abstraction-based model checker. In: Wang, F. (ed.) ATVA 2004. LNCS, vol. 3299, pp. 196–210. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30476-0_19
Hadj-Alouane, N., Lafrance, S., Lin, F., Mullins, J., Yeddes, M.: On the verification of intransitive noninterference in mulitlevel security. IEEE Trans. Syst., Man, Cybern., Part B, Cybern. 35(5), 948–958 (2005)
Takos (2010). http://toolboxopacity.gforge.inria.fr/
Jacob, R., Lesage, J.-J., Faure, J.-M.: Overview of discrete event systems opacity: models, validation, and quantification. Annu. Rev. Control. 41, 135–146 (2016)
Klai, K., Hamdi, N., BenHadj-Alouane, N.: An on-the-fly approach for the verification of opacity in critical systems. In: 2014 IEEE 23rd International WETICE Conference, WETICE 2014, Parma, Italy, 23–25 June, pp. 345–350. IEEE Computer Society (2014)
Klai, K., Petrucci, L.: Modular construction of the symbolic observation graph. In: 8th International Conference on Application of Concurrency to System Design (ACSD 2008), Xi’an, China, 23–27 June, pp. 88–97. IEEE (2008)
Klai, K., Poitrenaud, D.: MC-SOG: an LTL model checker based on symbolic observation graphs. In: van Hee, K.M., Valk, R. (eds.) PETRI NETS 2008. LNCS, vol. 5062, pp. 288–306. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68746-7_20
Software library (2009). http://www.eecs.umich.edu/umdes/toolboxes.html
Mazaré, L.: Decidability of opacity with non-atomic keys. In: Dimitrakos, T., Martinelli, F. (eds.) Formal Aspects in Security and Trust. IIFIP, vol. 173, pp. 71–84. Springer, Boston (2005). https://doi.org/10.1007/0-387-24098-5_6
O’Halloran, C.: A calculus of information flow. In: ESORICS 90 - First European Symposium on Research in Computer Security, Toulouse, France, 24–26 October, pp. 147–159. AFCET (1990)
Petri, C.A.: Concepts of net theory. In: MFCS 1973. Mathematical Institute of the Slovak Academy of Sciences (1973)
Ramadge, P.J., Wonham, W.M.: The control of discrete event systems. Proc. IEEE Spec. Issue Dyn. Discrete Event Syst. 77(1), 81–98 (1989)
Saboori, A., Hadjicostis, C.N.: Verification of initial-state opacity in security applications of DES. In: 2008 9th International Workshop on Discrete Event Systems, pp. 328–333 (2008)
Saboori, A.: Verification and enforcement of state-based notions of opacity in discrete event systems. Ph.D. thesis, University of Illinois at Urbana-Champaign (2011)
Saboori, A., Hadjicostis, C.: Verification of k-step opacity and analysis of its complexity. Autom. Sci. Eng. 8, 549–559 (2011)
Saboori, A., Hadjicostis, C.N.: Verification of infinite-step opacity and complexity considerations. IEEE Trans. Autom. Control. 57(5), 1265–1269 (2012)
Zinck, G., Ricker, L., Marchand, H., Hélouët, L.: Enforcing opacity in modular systems. In: IFAC 2020, IFAC World Congress, pp. 1–8, November 2020
A Appendix
A.1 Proof of Theorem 2
Proof
1. K is prefix-closed, i.e., the prefix of each element in K is an element of K:
Let \(\sigma \in K\) and let \(\alpha \) be a prefix of \(\sigma \). Let us prove that \(\alpha \in K\).
Assume \(\alpha \not \in K\). Then, there exists \((\alpha _1,c) \in L(\mathcal {T})\times \varSigma _c\) s.t. \(\alpha _1.c\) is a prefix of \(\alpha \) and \(c \in \gamma (\alpha _1)\). Since \(\alpha _1\) is a prefix of \(\alpha \) and \(\alpha \) is a prefix of \(\sigma \), \(\alpha _1.c\) is a prefix of \(\sigma \) as well. This is impossible, since it would contradict, by definition, the membership of \(\sigma \) in K. Thus, \(\alpha \in K\).
2. K is controllable, i.e., \(K.(\varSigma \setminus \varSigma _c) \cap L(\mathcal {T}) \subseteq K\):
Let \(\sigma \in K\) and let \(u \in (\varSigma \setminus \varSigma _c) \cap L(\mathcal {T})\). Let us prove that \(\sigma .u \in K\).
Assume the opposite. Then, there exists \((\alpha _1,c) \in L(\mathcal {T})\times \varSigma _c\) s.t. \(\alpha _1.c\) is a prefix of \(\sigma .u\) and \(c \in \gamma (\alpha _1)\). Since \(c \ne u\) (\(c \in \varSigma _c\) while \(u \in \varSigma \setminus \varSigma _c\)), \(\alpha _1.c\) is a prefix of \(\sigma \), which contradicts, by definition, the membership of \(\sigma \) in K. Thus, \(\sigma .u \in K\).
3. K is observable, i.e., \(P^{-1}_{\varSigma _m}[P_{\varSigma _m}(K)] \cap L(\mathcal {T}) \subseteq K\):
Let \(\sigma _1 \in K\) and let \(\sigma _2 \in L(\mathcal {T})\) s.t. \(P_{\varSigma _m}(\sigma _1)=P_{\varSigma _m}(\sigma _2)\). Assume that \(\sigma _2 \not \in K\). Then, there exists \((\alpha _2,c) \in L(\mathcal {T})\times \varSigma _c\) s.t. \(\alpha _2.c\) is a prefix of \(\sigma _2\) and \(c \in \gamma (\alpha _2)\). Let \(\alpha _1\) be the prefix of \(\sigma _1\) s.t. \(P_{\varSigma _m}(\alpha _1)=P_{\varSigma _m}(\alpha _2)\). The fact that \(c\in \gamma (\alpha _2)\) implies that the aggregate reached by \(P_{\varSigma _m}(\alpha _2).c\) is included in the set of secret states. However, the same aggregate is reached by \(P_{\varSigma _m}(\alpha _1).c\), while \(c \not \in \gamma (\alpha _1)\), otherwise \(\sigma _1\) would not belong to K. This is a contradiction; thus, \(\sigma _2 \in K\).
4. K is supremal, i.e., \(\not \exists K \subset L \subseteq L(\mathcal {T})\) s.t. L is a prefix-closed language that is controllable, observable and opaque w.r.t. the secret predicate \(\varphi \) and the attacker observation \(\varSigma _a\):
Assume that such a language exists. Let \(\sigma \in L \setminus K\). Then, there exists \((\alpha ,c) \in L(\mathcal {T})\times \varSigma _c\) s.t. \(\alpha .c\) is a prefix of \(\sigma \) and \(c \in \gamma (\alpha )\). Thus, by definition, the aggregate reached by the trace \(\alpha .c\) is included in the set of secret states. This contradicts the membership of \(\alpha \) in L, since L is a prefix-closed language. Thus, K is supremal.
5. K ensures the opacity of the system. This is guaranteed by the construction of the supervisor and by the result of [6] stating that \(\mathcal {T}\) is opaque iff the corresponding SOG does not contain any aggregate included in the set of secret states. \(\square \)
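The supervisor of Theorem 2 on a toy plant, as an added example that is not the paper's C++ implementation: aggregates are closures of state sets under unobservable events, \(\gamma \) disables a controllable event exactly when the aggregate it reaches is included in the secret set, and the opacity criterion of [6] is re-checked on the supervised system. The plant, its states and its event sets are constructed for illustration; the attacker and the supervisor are assumed to observe the same events.

```python
from collections import deque
# Constructed toy plant, not the paper's tool: rooms are states, sensors are
# observable events, 'u' is an unmonitored move and 'c' a lockable door.
TRANS = {0: {'a': 1, 'b': 4}, 1: {'u': 2}, 2: {'c': 3},
         4: {'c': 5, 'u': 6}, 6: {'c': 7}}
INIT, SECRET, UNOBS, CONTROLLABLE = 0, {3, 5}, {'u'}, {'c'}

def closure(states, trans, unobs):
    """Saturate a state set under unobservable events: one SOG aggregate."""
    agg, todo = set(states), list(states)
    while todo:
        for e, t in trans.get(todo.pop(), {}).items():
            if e in unobs and t not in agg:
                agg.add(t); todo.append(t)
    return frozenset(agg)

def successor(agg, e, trans, unobs):
    """Aggregate reached from agg when observable event e is fired."""
    return closure({trans[s][e] for s in agg if e in trans.get(s, {})}, trans, unobs)

def observable(agg, trans, unobs):
    return {e for s in agg for e in trans.get(s, {})} - unobs

def synthesize(trans, init, secret, unobs, controllable):
    """Return gamma: aggregate -> events the supervisor disables there. Only edges
    into an aggregate included in the secret set are cut (supremal K of Theorem 2);
    raises ValueError when such an edge is uncontrollable (not enforceable)."""
    gamma, start = {}, closure({init}, trans, unobs)
    seen, queue = {start}, deque([start])
    while queue:
        agg = queue.popleft()
        for e in sorted(observable(agg, trans, unobs)):
            nxt = successor(agg, e, trans, unobs)
            if nxt <= secret:                        # attacker would be certain
                if e not in controllable:
                    raise ValueError(f"{e!r} from {sorted(agg)} cannot be disabled")
                gamma.setdefault(agg, set()).add(e)  # cut edge; never explore past it
            elif nxt not in seen:
                seen.add(nxt); queue.append(nxt)
    return gamma

def is_opaque(trans, init, secret, unobs, gamma=None):
    """Criterion of [6]: no reachable aggregate is included in the secret set."""
    gamma, start = gamma or {}, closure({init}, trans, unobs)
    seen, queue = {start}, deque([start])
    while queue:
        agg = queue.popleft()
        for e in observable(agg, trans, unobs) - gamma.get(agg, set()):
            nxt = successor(agg, e, trans, unobs)
            if nxt <= secret: return False
            if nxt not in seen: seen.add(nxt); queue.append(nxt)
    return True
```

Run on the constructed plant, the unsupervised system is not opaque (observing `a` then `c` leaves only a secret room), the synthesized supervisor disables `c` after `a` only, and the supervised system passes the check.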
A.2 Plan of the Maze
Figure 13 represents a building observed by an attacker trying to find out whether a tracked object or person is in a secret room. Secret rooms are marked by a small red circle with a white cross. Such rooms could be dedicated to patients with contagious diseases in a hospital, or could hold strongboxes or valuable possessions in a company or a private household. Sensors are shown in blue; they form the observation interface of both the attacker and the supervisor.
Figure 14 represents the Petri net of our use case. It is worth mentioning that the input of our implementation is a Petri net, because the SOG implementation is built on this model. However, the proposed algorithm is general, and the implementation can be adapted to another model provided that it defines an initial set of states and a transition function.
© 2021 Springer Nature Switzerland AG
Souid, N.E., Klai, K. (2021). A Novel Approach for Supervisor Synthesis to Enforce Opacity of Discrete Event Systems. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science, vol 12919. Springer, Cham. https://doi.org/10.1007/978-3-030-88052-1_13
DOI: https://doi.org/10.1007/978-3-030-88052-1_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88051-4
Online ISBN: 978-3-030-88052-1