A Novel Approach for Supervisor Synthesis to Enforce Opacity of Discrete Event Systems

Abstract

Opacity is a property of information flow that characterizes the ability of a system to keep its secret information hidden from a third party called an attacker. In the state-of-the-art, opacity of Discrete Event Systems (DES) has been investigated using a variety of techniques. Methods based on Supervisory Control Theory (SCT) emerge as an efficient approach for enforcing this property. In this paper, we address the problem of enforcing the opacity of a DES through the definition of a supervisor whose role is to restrain the behavior of the system keeping “good” runs only i.e., executions that exactly correspond to the opaque subset of the system’s state space. The proposed approach is based on Symbolic Observation Graph: a hybrid graph where nodes are subsets of reachable states linked with unobservable actions. Encoding such nodes symbolically using binary decision diagrams allows to tackle the state space explosion problem.

We designed a reduced-cost algorithm that synthesizes an optimal supervisor (at design time) to ensure the opacity of the system (at runtime). Moreover, we implemented our approach in C++ language and we validated our proposition using a real-life case study.

A Appendix

1.1 A.1 Proof of Theorem 2

Proof

1. 1.

   K is prefix-closed i.e. the prefix of each element in K is an element of K:

   Let \(\sigma \in K\) and let \(\alpha \) be a prefix of \(\sigma \). Let us prove that \(\alpha \in K\).

   Assume \(\alpha \not \in K\). Then, there exists \((\alpha _1,c) \in L(\mathcal {T})\times \varSigma _c\) s.t. \(\alpha _1.c\) is a prefix of \(\alpha \) and \(c \in \gamma (\alpha _1)\). Since \(\alpha _1\) is a prefix of \(\alpha \) and \(\alpha \) is a prefix of \(\sigma \), \(\alpha _1\) is a prefix of \(\sigma \) as well. This is not possible, otherwise it contradicts, by definition, the membership of \(\sigma \) in K. Thus, \(\alpha \in K\).

2. 2.

   K is controllable i.e. \(K.(\varSigma \setminus \varSigma _c) \cap L(\mathcal {T}) \subseteq K\):

   Let \(\sigma \in K\) and let \(u \in (\varSigma \setminus \varSigma _c) \cap L(\mathcal {T})\). Let us prove that \(\sigma .u \in K\).

   Assume the opposite. Then, there exists \((\alpha _1,c) \in L(\mathcal {T})\times \varSigma _c\) s.t. \(\alpha _1.c\) is a prefix of \(\sigma .u\) and \(c \in \gamma (\alpha _1)\). Since \(c \ne u\) (\(c \in \varSigma _c\) while \(u\in \sigma \setminus \sigma _c\)), \(\alpha _1.c\) is a prefix of \(\sigma \) which contradicts, by definition, the membership of \(\sigma \) in K. Thus, \(\sigma .u \in K\).

3. 3.

   K is observable i.e., \(P^{-1}_{\varSigma _m}[P_{\varSigma _m}(K)] \cap L(\mathcal {T}) \subseteq K\).

   Let \(\sigma _1 \in K\) and let \(\sigma _2 \in L(\mathcal {T})\) s.t. \(P_{\varSigma _m}(\sigma _1)=P_{\varSigma _m}(\sigma _2)\). Assume that \(\sigma _2 \not \in K\). Then, there exists \((\alpha _2,c) \in L(\mathcal {T})\times \varSigma _c\) s.t. \(\alpha _2.c\) is a prefix of \(\sigma _2.u\) and \(c \in \gamma (\alpha _2)\). Let \(\alpha _1\) be the prefix of \(\sigma _1\) s.t. \(P_{\varSigma _m}(\alpha _1)=P_{\varSigma _m}(\alpha _2)\). The fact that \(c\in \gamma (\alpha _2)\) implies that the aggregate reached by \(P_{\varSigma _m}(\alpha _2).c\) is included in the set of secret states. However, such an aggregate is also reached by \(P_{\varSigma _m}(\alpha _1).c\) while \(c \not \in \gamma (\alpha _1)\) otherwise \(\sigma _1\) would not belong to K. Thus, \(\sigma _2 \in K\).

4. 4.

   K is supremal i.e. \(\not \exists K \subset L \subseteq L(\mathcal {T})\) s.t. L is a prefix-closed language that is controllable, observable and opaque w.r.t. the secret predicate \(\varphi \) and the attacker observation \(\varSigma _a\).

   Assume that such a language exists. Let \(\sigma \in L \setminus K\). Then, there exists \((\alpha ,c) \in L(\mathcal {T})\times \varSigma _c\) s.t. \(\alpha .c\) is a prefix of \(\sigma \) and \(c \in \gamma (\alpha )\). Thus, by definition, the aggregate reached by the trace \(\alpha .c\) is included in the set of secret states. This contradicts the membership of \(\alpha \) in L since L is a prefix-closed language. Thus, K is supremal.

5. 5.

   K ensures the opacity of the system. This is guaranteed by construction of the supervisor and by using the result of [6] stating that a \(\mathcal {T}\) is opaque iff the corresponding SOG does not contain any aggregate included in the set of secret states.    \(\square \)

Fig. 13.

A plan of the maze (Color figure online)

Fig. 14.

Petri net of the maze

1.2 A.2 Plan of the Maze

Figure 13 represents a building, observed by an attacker trying to find out if a tracked object/person is in a secret room. Secret rooms are marked by a little red circle (and white cross). These rooms can be dedicated to patients with contagious diseases in a hospital or rooms containing strongboxes or valuable possessions in any company or private household. Sensors are represented in blue and provide the interface of the attacker and the supervisor.

Figure 14 represents the Petri net of our use case. It is worth mentioning that the input of our implementation is a Petri net since the SOG implementation has been made using this model. However, the proposed algorithm is general and the implementation can be made using another model provided that it define an initial set of states and a transition function.