Analysis of Noninterference in Water Distribution System Using Petri Net Huiqun YU I, Chunxia Leng i, Jingming WANG 1 ' 2, Guilin CHEN 2 1 Department of.

Slides:



Advertisements
Similar presentations
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Advertisements

Functional Verification III Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 23.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
LIFE CYCLE MODELS FORMAL TRANSFORMATION
Outline. Theorem For the two processor network, Bit C(Leader) = Bit C(MaxF) = 2[log 2 ((M + 2)/3.5)] and Bit C t (Leader) = Bit C t (MaxF) = 2[log 2 ((M.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1 Flexible Subtyping Relations for Component- Oriented Formalisms and their Verification David Hurzeler PhD Examination, 9/11/2004.
1 Introduction to Computability Theory Lecture3: Regular Expressions Prof. Amos Israeli.
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture4: Regular Expressions Prof. Amos Israeli.
Introduction to Computability Theory
A denotational framework for comparing models of computation Daniele Gasperini.
Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Design of Fault Tolerant Data Flow in Ptolemy II Mark McKelvin EE290 N, Fall 2004 Final Project.
Robust Declassification Steve Zdancewic Andrew Myers Cornell University.
A Denotational Semantics For Dataflow with Firing Edward A. Lee Jike Chong Wei Zheng Paper Discussion for.
1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.
CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.
7/16/2015 3:58 AM Lecture 4: Bell LaPadula James Hook CS 591: Introduction to Computer Security.
Induction and recursion
Toward A Mathematical Model of Computer Security Gina Duncanson Kevin Jonas Ben Lange John Loff-Peterson Ben Neigebauer.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
An Information Theory based Modeling of DSMLs Zekai Demirezen 1, Barrett Bryant 1, Murat M. Tanik 2 1 Department of Computer and Information Sciences,
Security Policy What is a security policy? –Defines what it means for a system to be secure Formally: Partition system into –Secure (authorized) states.
Verification of Information Flow Properties in Cyber-Physical Systems Ravi Akella, Bruce McMillin Department of Computer Science Missouri University of.
The Architecture of Secure Systems Jim Alves-Foss Laboratory for Applied Logic Department of Computer Science University of Idaho By, Nagaashwini Katta.
A Z Approach in Validating ORA-SS Data Models Scott Uk-Jin Lee Jing Sun Gillian Dobbie Yuan Fang Li.
MATH 224 – Discrete Mathematics
An Introduction to Petri Nets Marjan Sirjani Formal Methods Laboratory University of Tehran.
Introduction to Formal Methods Based on Jeannette M. Wing. A Specifier's Introduction to Formal Methods. IEEE Computer, 23(9):8-24, September,
On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.
University of Paderborn Software Engineering Group Prof. Dr. Wilhelm Schäfer Towards Verified Model Transformations Holger Giese 1, Sabine Glesner 2, Johannes.
Stochastic Activity Networks ( SAN ) Sharif University of Technology,Computer Engineer Department, Winter 2013 Verification of Reactive Systems Mohammad.
Dr. Fei Hu { Department of Electrical and Computer Engineering University of Alabama Tuscaloosa, Alabama Introduction to.
Verification of behavioural elements of UML models using B Truong, Ninh-Thuan and Souquieres, Jeanine In Proceedings of the 2005 ACM Symposium on.
Reading and Writing Mathematical Proofs Spring 2015 Lecture 4: Beyond Basic Induction.
CS 267: Automated Verification Lecture 3: Fixpoints and Temporal Properties Instructor: Tevfik Bultan.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
ICS 253: Discrete Structures I Induction and Recursion King Fahd University of Petroleum & Minerals Information & Computer Science Department.
Mathematical Preliminaries
Presenter : Kuang-Jui Hsu Date : 2011/3/24(Thur.).
Software Engineering Education Framework Sun-Myung Hwang Computer Engineering Dept, Daejeon University, Republic of Korea Abstract. Software.
12/13/20151 Computer Security Security Policies...
Analysis of Non-Deducibility in Water Distribution System Using Security Process Algebra Jingming WANG 1 ' 2, Huiqun YU% Guilin CHEN 2, Chunxia Leng i.
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
School of Computer Science, The University of Adelaide© The University of Adelaide, Control Data Flow Graphs An experiment using Design/CPN Sue Tyerman.
Time-Space Trust in Networks Shunan Ma, Jingsha He and Yuqiang Zhang 1 College of Computer Science and Technology 2 School of Software Engineering.
Finite State Machines (FSM) OR Finite State Automation (FSA) - are models of the behaviors of a system or a complex object, with a limited number of defined.
SAFEWARE System Safety and Computers Chap18:Verification of Safety Author : Nancy G. Leveson University of Washington 1995 by Addison-Wesley Publishing.
Requirements Engineering Methods for Requirements Engineering Lecture-31.
Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.
CompSci 102 Discrete Math for Computer Science March 13, 2012 Prof. Rodger Slides modified from Rosen.
Error Explanation with Distance Metrics Authors: Alex Groce, Sagar Chaki, Daniel Kroening, and Ofer Strichman International Journal on Software Tools for.
Reinforcement Learning for Mapping Instructions to Actions S.R.K. Branavan, Harr Chen, Luke S. Zettlemoyer, Regina Barzilay Computer Science and Artificial.
Section Recursion 2  Recursion – defining an object (or function, algorithm, etc.) in terms of itself.  Recursion can be used to define sequences.
 The contribution of this work has been the application of formal methods for secure operations of cyber- physical systems  External observer in above.
Proof And Strategies Chapter 2. Lecturer: Amani Mahajoub Omer Department of Computer Science and Software Engineering Discrete Structures Definition Discrete.
Formal methods: Lecture
Deadlock Freedom by Construction
Information Security CS 526
Decentralized Model-Based Testing of Distributed Systems
Information Security CS 526
Department of Computer Science Abdul Wali Khan University Mardan
An Introduction to Petri Nets
Information Security CS 526
Survey on Coverage Problems in Wireless Sensor Networks
Presentation transcript:

Analysis of Noninterference in Water Distribution System Using Petri Net Huiqun YU I, Chunxia Leng i, Jingming WANG 1 ' 2, Guilin CHEN 2 1 Department of Computer Science and Engineering, East China University of Science and Technology, Shanghai , China 2 School of Computer and Information Engineering, Chuzhou University, Anhui , China Abstract. Cyber-physical systems (CPSs) are one of the most important system design areas. A considerable challenge to model theses systems is how to represent the interactions between the cyber level and the physical level. Now researchers are confronted with the difficulty in the analysis and verification of information confidentiality in the complex CPSs owing to physical observable behavior and physical components appended to cyber systems. A technique for solving this problem effectively by using some simple or small systems to compose the complex systems while achieving the confidentiality of the composite system based on Petri net is proposed. This paper has analyzed the noninterference security property and the cascade composition in water distribution system based on the technique. This study is to provide a formal method and foundation for exploring the confidentiality and information security in cyber-physical systems composition. Keywords: Cyber-Physical Systems; Information Flow Security; Petri Net; Noninterference Model; Water Distribution System 1 Introduction In recent years, the design of systems has developed in the area of CPSs [1]. CPSs are integrations of computation and physical processes [2]. Now researchers are confronted with the analysis and verification of confidentiality of complex CPSs owing to physical observable behavior and physical components appended to cyber systems. A considerable difficulty to analyze security model is the representation of interactions between physical level and cyber level. Access control security modes are unsatisfactory since they are only to solve direct information flow. One better approach to computer security is to control both the direct and indirect information by applying some information flow rules [6], which are called information flow security models. Noninterference model was first proposed by Meseguer and Goguen [3-4]. A lot Corresponding author: Huiqun Yu, Ph.D., Professor, 130 Meilong Road, Shanghai , China. Session6C789

of works about this property were done [5-11]. However, there is little research for cyber-physical systems on noninterference composition. This paper has defined the noninterference model based on Petri net and has analyzed the property in water distribution system, and which will be preserved after cascade composition. 2 Basic definitions 2.1 Petri net As a formal tool with rigorous semantics, Petri net can be efficiently used to model and verify the security properties of system models [4-7]. Definition 1 A tuple N=(S,T,F) is a net, where 1.s and T are the sets of places and transitions, and S nT =0 2.F c (2 s x T x 2 S ) is the set of flow relation Definition 2 Let N=(S,T,F) be a net. A multiset over the set s is called marking. Given a marking in and a places, m(s) denotes the tokens number of places. A pair (N, m o ) is a net system, where N is a net and m o is a marking of N, which is called initial marking in general. With abuse of notation, (S,T,F,m o ) is used to denote the Petri net system. 2.2 Operations on Petri net This paper aims to analyze multilevel systems that can perform different levels of actions. For example, the interaction of the system with high-level actions represents the interaction with high level users and the interaction of the system with low-level actions represents the interaction with low level users. This paper is to verify if the interplay between the high-level user and the high part of the system can affect a low-level user's view of the system. Thereby, the set of transitions of Petri net is partitioned into two disjointed subsets: the set of high level transitions denoted by H and the set of low level transitions denoted by L, we use (S,L,H,F,m0) to denote the net system mentioned above. Definition 3 Let N=(S,HuL,F,m 0 ), the operation of a transition sequence of net system is defined as follows [8]: e/H=e { elL=e gtIH = (5 I H)t t E L gtIL = 5/H teH {(g I L)t t c H g I L t e L For a non-determined system the result statement will not be unique after the firing of a transition of a net system N=(S,HuL,F,m0). We call it result statement set 790 Computers, Networks, Systems, and Industrial Appications

denoted by next(m 0, a), o - ETS(N). However, for determined systems the result statement is unique, denoted by step(mo,o-). Definition 4 Net system N=(S,HuL,F,m0), mE[mo), View L (m) = {(s,m(s)) 3t E L,Q,Q'E2 s,(Q,t,Q 1 )EF As EQ}. Two statements of Petri net are low-level equal if the tokens of all places are same from a low-level user's view. Definition 5 To a net system N=(S,HuL,F,m0), two statements are low-level equal,, m 2 E [m o ), m l L m 2 iff View L (m i ) = View L (m 2 ) Definition 6 To a net system N=(S,HuL,F,m0), two results statement sets are low- level equal, if and only if: V A,Bc[m o ),A L B,ff3m, EA,m 2 EB, s.t. View L (m i )=View L (m 2 ) 3 Model the noninterference property in water distribution system 3.1 The definition of noninterference model If low level users observe that information flows from high level users to low level users, then confidentiality of system can be deduce by the low level observer. The original definition is defined for deterministic systems, now the model is extended for nondeterministic systems (NNI). The generalization is as follows. The high level does not interfere with the low level if and only if for any trace a, there is always a trace a with no same high level input actions. Furthermore, a and a ' are low view trace equivalent. NNI is defined as follows based on Petri net. Definition 6 E e NNI (E \, Act H ) / Act H L E I Act H Where, the function of the operation of is similar to the operation in process algebra [10], Act h represents the set of high level actions, I represents the set of input actions. 3.2 Abstract water distribution system Water distribution system, as one of typical cyber-physical systems, provides rich computational and physical processes and their interactivity [5]. Flow control systems (FCSs) in the system automate or control the state of water or other fluid in the pipeline. LTCs execute two commands of raise and lower the flow. Fig.1 shows a water distribution system network with three LTCs that control the sub- networks A, B, and C respectively, which are geographically separated in large distances. Either of the raise and lower flow commands will affect neighbouring sub- networks necessarily, resulting in observable actions at location A and location B in the network of pipes, and the following invariant holds: Vc = Va + Vb (1) Where Va, Vb and Vc represent the changes or volumes of water flow of the pipes controlled at A, B, and C respectively. Session 6C 791

Fig.1. Pipeline network with three sub-networks controlled by LTCs ___ High - Level Event _________Low - Level Event Fig.2. Information flow in the water distribution system e,.Flow change in neighboring pipeline eLTC setting at controlled line e,Flow change in controlled line Stochastic demand at controlled pipeline 3.3 Analysis of NNI in water distribution system The water distribution system, which is a non-deterministic system, shown in Fig.1 consists of interacting LTCs whose flow is governed by Eq. (1). The water distribution system with FCSs and their interconnectivity is NNI secure. Theorem 1 The water flow in the pipeline system is NNI secure. Proof. As shown in Fig.2, the significant events in the pipeline system are flow change in the neighbouring pipeline, stochastic demand at the controlled pipeline, LTC setting at the controlled line, and flow change in the controlled line, which are represented by e l : e 2 :e 3 : ez t. And e l is a low-level input event, e 2 is a high-level input event, e 3 is a high-level output event, and e 4 is a low-level output event. The set of valid traces of the system are {{}, e l, e2, e3, eie4, e2e4, e3e4, e1e4e3, e1e3e4, e1e2e4, e2e3e4, e 2 e 4 e 3, e 2 e i e 4, eie2e4e3, e2e1e4e3, e2e1e3e4...} where... represents interleavings of listed traces in the system. It is obvious that for any valid trace 0-, there always exists a valid trace 0., such that there is no same high-level input actions between c and 0-. Furthermore, a and CT are low-view trace equivalent. That is to say, (E \ Act H ) / Act„ = E / Act, the water distribution system denoted by E. So, the system is NNI secure. 4 Analysis the composition for water distribution system Feedback free or Cascade composition [11] is formed by connecting two systems S i and S2, and some of S 1's output events become S2's input events. The formal definition of feedback composition is as follows. Definition 7 Let N i =(s i LA I, Fi, mo1), N2=(s2,H2(.)1,2,F2,0102) be two Petri net systems, such that Si nS2 =0 and (H i )n(H 2uL2)=0. For N=(S,HuL,F,m 0 ), if (1) S= S l u S 2 (2) H=H 1 uH 2, L=L 1 uL 2 o{t} (3) F=F 1 uF 2 o{(0 1,t),(t,i 2 )} We say N is the sequence composition of N 1 and N 2, denoted by N=N1.N2. Fig. 3 demonstrates the composition. 792 Computers, Networks, Systems, and Industrial Appications

Theorem 2 A system composed with NNI secure subsystems like water distribution system by feedback free composition is also NNI secure. Fig.3. Cascade composition Proof. The proof will be done by induction on the number of subsystems. Base case: One subsystem is NNI secure. This follows directly from the premise of the theorem. Induction hypothesis: system composed of k NNI secure subsystems by cascade composition is NNI secure. Induction step: Consider a system comprised of k+1 subsystems. Without loss of generality, consider the first subsystem to be composed of the k previously composed system and the second subsystem to be the new system that is added to the system. Let Act i be the set of events for the first subsystem and Act 2 be the set of events for the second subsystem. By the definition of NNI, proving the composed system is NNI secure is equal to prove there exists a trace a '. of the composed system for any trace a of the composed system, such that T (vI Act H ) L T (cr "I Act H ) A cr "I (Act L u (Act H n I)) = 0. We will construct a valid trace a " with the following two steps. First step, construct the valid trace o" such that: ' I Act 2 = a l, such that T ( o - I ( Act iH u Act 2 ) ) L o - T(o - 1 / ( 1 ) ( Act 1H u A c t 2 ) ) A o - / ( Act lL v ( Act IH n I ) ) = 0. ( 2 ) 0 - v Act 1 = a I Act 1 Condition (1) is guaranteed by the induction hypothesis of the first subsystem is NNI secure. Condition (2) ensures that all the events in the second subsystem are left unchanged. This condition is satisfied because 0- could not affect any events in Act 2. Second step, construct the trace c" such that: (3) ct “I Act 1 = cr 2, such that T(o - 'I (Act s u Act 2H ))L T(o - 2 IAct 2H ) A o- 2 / ( Act 2H n I)) = 0. (4) a "1 Act 2 = 6'l Act 2 Condition (3) is guaranteed because the second component is non-interference secure. Condition (4) ensures that all other events are unchanged. This construction may change the output events of the second subsystem, but because the composition involves no feedback, it will have no effect on the input or output events of the first subsystem. Therefore, by induction, a system composed with NNI secure subsystems is also NNI secure by cascade composition. Session 6C 793

5 Conclusions In this paper, Petri net provides a rigorous formal method for CPSs security model specification and is shown to be applicable to abstract water distribution flow network system. The results allow a system designer to connect certain small subsystems verified to be NNI secure to form a NNI secure cyber-physical system. We believe that the present study provides a formal method and the foundation for exploring confidentiality and information security in CPSs. 6 Acknowledgements The work was supported by the NSF of China under grants No , and , Shanghai Shuguang Program under grant No. 07SG32, and the NSF of high education of Anhui province, China under Grant No. KJ2011Z279, and the NSF of Chuzhou University, Anhui, China under Grant No.2010kj008Z. References 1.T. T. Gamage and B. M. McMillin. Observing for Changes: Non-Deducibility Based Analysis of Cyber-Physical Systems. In Proceedings of the 3rd International Federation for Information Processing Conference (IFIP WG 11.10). Hanover, NH: Springer Boston, pp , April E. Lee. Cyber Physical Systems: Design Challenges. University of California, Berkeley Technical Report No. UCB/EECS , J. A. Goguen, J. Meseguer. Security policies and security models. Proc IEEE Symposium on Security and Privacy, IEEE Press, pp 11-20, J. A. Goguen, J. Meseguer. Inference control and unwinding. Proc IEEE Symposium on Security and Privacy, IEEE Press, pp , Ravi Akella, Han Tang, Bruce M. McMillin. Analysis of information flow security in cyber- physical system. Analysis of information flow security in cyber-physical systems. International Journal of Critical Infrastructure Protection. 3: , Simone Frau, Roberto Gorrieri, Carlo Ferigato. Petri Net Security Checker: Structural Non- interference at Work. Formal Aspects in Security and Trust, Springer LNCS 5491: , N. Busi, R. Gorrieri. A Survey on Noninterference with Petri Nets. Advanced Course on Petri Nets 2003, Springer LNCS 3098: , R. Focardi, R. Gorrieri. Classification of Security Properties (Part I: Information Flow), Foundations of Security Analysis and Design - Tutorial Lectures (R. Focardi and R.Gorrieri, Eds.), Springer LNCS 2171: , Song Chen, Cong-hua Zhou, Shi-guang Ju, Hai-yang Li. Analysis for the composition of information flow security properties on Petri net. In Proceedings of the 3rd IEEE International Conference on Information Science and Engineering, Hefei, china, Dec, R. Focardi, R. Gorrieri. A Classification of Security Properties. Journal of Computer Security. 3 (1): 5-33, A. Zakinthinos. On The Composition of Security Properties. Ph.D. dissertation, University of Toronto, Toronto. Ontario Computers, Networks, Systems, and Industrial Appications

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.