
2020 IEEE/ACM 8th International Conference on Formal Methods in Software Engineering (FormaliSE): Latest Publications

Lattice-Based Information Flow Control-by-Construction for Security-by-Design
Tobias Runge, Alexander Knüppel, Thomas Thüm, Ina Schaefer
Many software applications contain confidential information, which has to be prevented from leaking through unauthorized access. To enforce confidentiality, there are language-based security mechanisms that rely on information flow control. Typically, these mechanisms work post-hoc by checking whether confidential data is accessed unauthorizedly after the complete program is written. The disadvantage is that incomplete programs cannot be interpreted properly and information flow properties cannot be built in constructively. In this work, we present a methodology to construct programs incrementally using refinement rules to follow a lattice-based information flow policy. In every refinement step, confidentiality and functional correctness of the program is guaranteed, such that insecure programs are prohibited by construction. Our contribution is fourfold. We formalize refinement rules for the constructive information flow control methodology, prove soundness of the refinement rules, show that our approach is at least as expressive as standard language-based mechanisms for information flow, and implement it in a graphical editor called CorC. Our methodology is also usable for integrity properties, which are dual to confidentiality.
DOI: 10.1145/3372020.3391565 (https://doi.org/10.1145/3372020.3391565) | Published: 2020-05-01
Citations: 8
UML Consistency Rules: a Case Study with Open-Source UML Models
Damiano Torre, Y. Labiche, M. Genero, M. Elaasar, C. Menghi
UML models are standard artifacts used by software engineers for designing software. As software is designed, different UML diagram types (e.g., class diagrams and sequence diagrams) are produced by software designers. Since the various UML diagram types describe different aspects of a software system, they are not independent but strongly depend on each other, hence they must be consistent. Inconsistencies cause faults in the final software systems. It is, therefore, paramount that they get detected, analyzed, and fixed. Consistency rules are a useful tool proposed in the literature to detect inconsistencies. They categorize constraints that help in identifying inconsistencies when violated. This case study aims at collecting and analyzing UML models with OCL consistency rules proposed in the literature and at promoting the development of a reference benchmark that can be reused by the (FM-)research community. We collected 33 UML consistency rules and 206 different UML diagrams contained in 34 open-source UML models presented in the literature. We propose an FM-based encoding of the consistency rules in OCL. This encoding allows analyzing whether the consistency rules are satisfied or violated within the 34 UML models. To assess the proposed benchmark, we analyzed how the UML models, consistency rules, diagram types contained in the benchmark help in assessing the consistency of UML models, and the consistency of diagrams across the different software development phases. Our results show that the considered UML models and consistency rules allowed identifying 2731 inconsistencies and that those inconsistencies refer to different software development phases. We concluded that the considered UML models and consistency rules could be considered as an initial benchmark that can be further extended by the research community.
DOI: 10.1145/3372020.3391554 (https://doi.org/10.1145/3372020.3391554) | Published: 2020-05-01
Citations: 2
Rule-based Word Equation Solving
Joel D. Day, Mitja Kulczynski, F. Manea, Dirk Nowotka, D. B. Poulsen
We present a transformation-system-based technique in the framework of string solving, by reformulating a classical combinatorics on words result, the Lemma of Levi. We further enrich the induced rules by simplification steps based on results from the combinatorial theory of word equations, as well as by the addition of linear length constraints. This transformation-system approach cannot solve all equations efficiently by itself. To improve the efficiency of our transformation-system approach we integrate existing successful string solvers, which are called based on several heuristics. The experimental evaluation we performed shows that integrating our technique as an inprocessing step improves in general the performance of existing solvers.
DOI: 10.1145/3372020.3391556 (https://doi.org/10.1145/3372020.3391556) | Published: 2020-05-01
Citations: 4
Semantic-based Architecture Smell Analysis
Nacha Chondamrongkul, Jing Sun, I. Warren, S. Lee
Software smells have negative impacts on the reliability and modifiability of software systems. The smells in architecture design can be cascaded down to the implementation level and cause issues that require much effort to fix. Therefore, early detection of the architecture smells can benefit the overall quality of the software system. This paper presents an integration of methods that formally define the software architecture design towards architecture smell detection. Our approach serves as a framework that allows the architectural structures and behaviours to be formally analysed based on a coherent technique. We evaluated the accuracy and performance of our approach with the models generated from open source projects. The results show that our approach is effective and functions well.
DOI: 10.1145/3372020.3391564 (https://doi.org/10.1145/3372020.3391564) | Published: 2020-05-01
Citations: 0
Mind the gap: Robotic Mission Planning Meets Software Engineering
M. Askarpour, C. Menghi, Gabriele Belli, M. Bersani, Patrizio Pelliccione
In the context of robotic software, the selection of an appropriate planner is one of the most crucial software engineering decisions. Robot planners aim at computing plans (i.e., blueprint of actions) to accomplish a complex mission. While many planners have been proposed in the robotics literature, they are usually evaluated on showcase examples, making it hard to understand whether they can be effectively (re)used for realising complex missions, with heterogeneous robots, and in real-world scenarios. In this paper we propose ENFORCE, a framework which allows wrapping FM-based planners into comprehensive software engineering tools, and considers complex robotic missions. ENFORCE relies on (i) realistic maps (e.g., fire escape maps) that describe the environment in which the robots are deployed; (ii) temporal logic for mission specification; and (iii) the Uppaal model checker to compute plans that satisfy mission specifications. We evaluated ENFORCE by analyzing how it supports computing plans in real case scenarios, and by evaluating the generated plans in simulated and real environments. The results show that while ENFORCE is adequate for handling single-robot applications, the state explosion still represents a major barrier for reusing existing planners in multi-robot applications.
DOI: 10.1145/3372020.3391561 (https://doi.org/10.1145/3372020.3391561) | Published: 2020-05-01
Citations: 5
Verification of Privacy-Enhanced Collaborations
Sara Belluccini, R. Nicola, M. Dumas, Pille Pullonen, B. Re, F. Tiezzi
In a distributed scenario it is possible to find systems consisting of independent parties that collaboratively execute a business process, but cannot disclose a subset of the data used in this process to each other. Such systems can be modelled using the PE-BPMN notation: a privacy-enhanced extension of the BPMN process modeling notation. Given a PE-BPMN model, we address the problem of verifying that the content of certain data objects is not leaked to unauthorized parties. To this end, we formalise the semantics of PE-BPMN collaboration diagrams via a translation into process algebraic specifications. This formalisation enables us to apply model checking to detect unintended data leakages in a PE-BPMN model. We specifically consider data leakages in the context of secret sharing technology. The approach has been implemented on top of the mCRL2 toolset, and integrated into the Pleak toolset supporting privacy analysis of business processes. The proposal has been evaluated using real scenarios.
DOI: 10.1145/3372020.3391553 (https://doi.org/10.1145/3372020.3391553) | Published: 2020-05-01
Citations: 2
Towards Formally Verified Key Management for Industrial Control Systems
T. Kulik, Jalil Boudjadar, Diego F. Aranha
Adoption of new digital technologies is impacting all aspects of society. While these new technologies are accepted rapidly within the consumer segment, in the area of industrial control systems the pace of change in computing is slower. This is often due to the criticality and security constraints of such systems, since degraded or hijacked control could lead to injuries or competitive disadvantages. Nowadays a critical component of control systems is the key management protocol for protecting communication. This is specifically important as more and more devices become part of industrial control networks. The key management system must be reliable and robust in order to ensure stable operation of the system with minimum downtime. This often means that the system needs to be autonomous and dynamic, capable of periodically changing the keys automatically and authenticating the system components. Different techniques have been used to examine the reliability and robustness of the key management systems; one promising approach is by using formal methods. In this paper we present a formally verified key management system for use within distributed industrial control systems. We demonstrate that the key management system can reliably handle authentication/communication operations in real time as well as joining/leaving of control units within the system. We use UPPAAL to analyse several security properties, showing that our models satisfy a collection of requirements defined by our industrial partner and are viable for dynamic key management applications.
CCS Concepts: Security and privacy → Key management; Formal security models; Authorization; Security protocols.
DOI: 10.1145/3372020.3391555 (https://doi.org/10.1145/3372020.3391555) | Published: 2020-05-01
Citations: 1
Minimal Assumptions Refinement for Realizable Specifications
D. Cavezza, Dalal Alrajeh, A. György
A challenge that has gathered much attention in recent years is automated synthesis of correct-by-construction software systems from declarative specifications. The specification language is typically a subset of linear temporal logic called generalized reactivity of rank 1, for which there exists an efficient synthesis algorithm. Specifications in this language model the system as the interaction between an environment and a controller, the former satisfying a set of assumptions and the latter a set of guarantees. In order for a solution to exist, a sufficient set of assumptions implying the guarantees must be provided. The assumptions must be as general as possible and small enough to be intelligible by engineers that need to assess their consistency with the true environment where the synthesized controller will operate. The search for such assumptions is generally a refinement approach driven by counterstrategies, characterizations of undesirable environment behaviors that force the violation of the guarantees; assumptions are progressively refined in order to exclude such behaviors. In this work we provide a heuristic to drive this counterstrategy-guided search towards smaller refinements. We define a concept of minimality of refinements with respect to counterstrategies and provide an algorithm that provably finds minimal refinements with little time overhead. We show experimentally that it consistently produces one or more shorter solutions than state of the art for a set of popular case studies. We also demonstrate that in a popular case study (AMBA-AHB protocol) our heuristic finds a close-to-optimal solution that cannot be found by previous fully automated approaches.
CCS Concepts: Software and its engineering → Formal software verification; Requirements analysis. Hardware → Buses and high-speed links.
DOI: 10.1145/3372020.3391557 (https://doi.org/10.1145/3372020.3391557) | Published: 2020-05-01
Citations: 7
Active Learning of Decomposable Systems
Omar al Duhaiby, J. F. Groote
Active automata learning is a technique of querying black-box systems and modelling their behaviour. In this paper, we aim to apply active learning in parts. We formalise the conditions on systems—with a decomposable set of actions—that make learning in parts possible. The systems are themselves decomposable through non-intersecting subsets of actions. Learning these subsystems/components requires less time and fewer resources. We prove that the technique works both for two components and for an arbitrary number of components. We illustrate the usefulness of this technique through a classical example and through a real example from industry.
CCS Concepts: Computing methodologies → Model development and analysis; Theory of computation → Formal languages and automata theory; Active learning; Software and its engineering → Model-driven software engineering.
{"title":"Active Learning of Decomposable Systems","authors":"Omar al Duhaiby, J. F. Groote","doi":"10.1145/3372020.3391560","DOIUrl":"https://doi.org/10.1145/3372020.3391560","url":null,"abstract":"Active automata learning is a technique of querying black box systems and modelling their behaviour. In this paper, we aim to apply active learning in parts. We formalise the conditions on systems—with a decomposable set of actions—that make learning in parts possible. The systems are themselves decomposable through nonintersecting subsets of actions. Learning these subsystems/components requires less time and resources. We prove that the technique works for both two components as well as an arbitrary number of components. We illustrate the usefulness of this technique through a classical example and through a real example from the industry.CCS CONCEPTS• Computing methodologies $rightarrow$Model development and analysis;• Theory of computation $rightarrow$Formal languages and automata theory; Active learning;• Software and its engineering $rightarrow$ Model-driven software engineering.","PeriodicalId":448369,"journal":{"name":"2020 IEEE/ACM 8th International Conference on Formal Methods in Software Engineering (FormaliSE)","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133195008","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
Impact Analysis of Cyber-Physical Attacks on a Water Tank System via Statistical Model Checking
A. Munteanu, Michele Pasqua, Massimo Merro
Cyber-Physical Systems (CPSs) are integrations of distributed computing systems with physical processes that monitor and control entities in a physical environment. Although the range of their applications includes several critical domains, the current trend is to verify CPSs with simulation-test systems rather than formal methodologies. In this paper, we test the effectiveness of statistical model checking, within the MODEST TOOLSET, when analyzing the security of a non-trivial quadruple-tank water system equipped with an ad-hoc intrusion detection system (IDS) capable of mitigating attacks. Our goal is to evaluate the impact of three carefully chosen cyber-physical attacks, i.e., attacks targeting sensors and/or actuators of the system, with potential consequences for the safety of the inner physical process. Our security analysis estimates both the physical impact of the attacks and the performance of the proposed IDS.
CCS Concepts: Computer systems organization → Sensors and actuators; Software and its engineering → Model checking.
{"title":"Impact Analysis of Cyber-Physical Attacks on a Water Tank System via Statistical Model Checking","authors":"A. Munteanu, Michele Pasqua, Massimo Merro","doi":"10.1145/3372020.3391563","DOIUrl":"https://doi.org/10.1145/3372020.3391563","url":null,"abstract":"Cyber-Physical Systems (CPSs) are integrations of distributed computing systems with physical processes that monitor and control entities in a physical environment. Although the range of their applications include several critical domains, the current trend is to verify CPSs with simulation-test systems rather than formal methodologies. In this paper, we test the effectiveness of statistical model checking, within the MODEST TOOLSET, when analyzing the security of a non-trivial quadruple-tank water system equipped with an ad-hoc intrusion detection system (IDS) capable of mitigating attacks. Our goal is to evaluate the impact of three carefully chosen cyber-physical attacks, i. e., attacks targeting sensors and/or actuators of the system with potential consequences on the safety of the inner physical process. Our security analysis estimates both the physical impact of the attacks and the performance of the proposed IDS.CCS CONCEPTS•Computer systems organization $rightarrow$ Sensors and actuators;•Software and its engineering $rightarrow$ Model checking.","PeriodicalId":448369,"journal":{"name":"2020 IEEE/ACM 8th International Conference on Formal Methods in Software Engineering (FormaliSE)","volume":"153 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132152617","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 2
Journal
2020 IEEE/ACM 8th International Conference on Formal Methods in Software Engineering (FormaliSE)