Verification of Information Flow Properties in Cyber-Physical Systems
![Page 1: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/1.jpg)
Verification of Information Flow Properties in Cyber-Physical Systems
Ravi Akella, Bruce McMillin
Department of Computer Science
Missouri University of Science & Technology, Rolla, MO, USA
CPS Week 2011: Workshop on Foundations of Dependable and Secure Cyber-Physical Systems
April 11, 2011, Chicago, Illinois
This work was supported in part by the Future Renewable Electric Energy Delivery and Management Systems Center (FREEDM); a National Science Foundation supported Engineering Research Center, under grant NSF EEC-0812121 and in part by the Missouri S&T Intelligent Systems Center.
![Page 2: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/2.jpg)
Cyber-Physical Systems (CPS)
• Integrations of computational and physical processes
• An example CPS is the FREEDM system: a smart grid managed with Distributed Grid Intelligence (DGI)
• DGI consists of cyber processes that perform distributed computation to efficiently manage distributed energy resources by interfacing with Intelligent Energy Management (IEM)
• There is an inter-dependence of events within the physical and cyber processes
![Page 3: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/3.jpg)
CPS Interactions
• Cyber events within a CPS involve: 1) distributed computation, 2) communication with other cyber components, and 3) communication with the physical component that it controls.
• Physical events include: 1) a local state change of the physical subsystem resulting from a cyber component controlling it, 2) a local physical state change resulting from the dynamics of the physical system, and 3) the observability of the physical system modeled as events.
![Page 4: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/4.jpg)
CPS Smart grid Interactions
[Figure: three IEMs on a shared power bus (IEM1: SST, PHEV, Load, PV, DGI; IEM2: SST, PHEV, Load, Wind, DGI; IEM3: SST, Battery, Load, PV, DGI), with events a to e annotated]
a: Read state of physical system
b: Issue command to make a setting
c: Message exchange including partial state information
d: Power draw or contribution on the shared power bus
e: Event due to physical flow on the shared power bus
At this IEM, information obtained from the observable physical event yields information about the cyber command (b)
![Page 5: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/5.jpg)
Information flow usecase of a CPS
![Page 6: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/6.jpg)
Objective: Analyze Information Flow Security in CPS
• Information Flow Security aims at guaranteeing that no high-level (confidential) information is revealed to users at a low level, even in the presence of any possible cyber/physical process
• Potential information flow models for CPSs:
– Non-Interference: information does not flow from high to low if the high-level behavior has no effect on what a low-level observer can observe
– Non-Inference: leaves a low-level observer in doubt about high-level events
– Non-deducibility: given a set of low-level outputs, no low-level subject should be able to deduce anything about the high-level inputs [Sutherland]
– Composition of deducibly secure systems: not composable [McCullough]
– McCullough's Generalized Noninterference property considers the non-determinism of real systems
![Page 7: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/7.jpg)
Information Flow Security for CPS: Process Algebra Approach
• A unified approach to deal with CPSs is necessary that can encompass both cyber and physical events
• We propose a process algebraic approach, adopted to analyze the information flow in CPSs
• Security Process Algebra (SPA) provides an abstract description of nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High)
• Using process algebra, bisimulation provides a formal method to determine nondeducibility.
![Page 8: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/8.jpg)
Bisimulation-based NonDeducibility on Composition (BNDC)
A system E is BNDC if for every high-level process Π, a low-level user cannot distinguish E from E|Π; that is, E\H and (E|Π)\H are weakly bisimilar.
E|Π: parallel composition of E and Π, where executions of the two systems are interleaved
![Page 9: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/9.jpg)
Bisimulation
• Two processes are weakly bisimilar if they are able to mutually simulate each other's behavior step by step.
• In a weak bisimilarity relation, internal silent actions (τ) of the processes are ignored.
[Figure: E1 and E2 are bisimilar and they both simulate E3; E3 is not bisimilar to E1]
![Page 10: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/10.jpg)
Strong BNDC (SBNDC)
The system before and after execution of a high-level event remains indistinguishable to the low-level domain: for every E' reachable from E and every high-level transition E' --h--> E'', the low-level views E'\H and E''\H are weakly bisimilar.
![Page 11: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/11.jpg)
Simplification of SBNDC: Bisimulation up to H
The problem of verifying weak bisimulation for all high-level transitions of the system can be transformed into finding a single bisimulation up to H relation between E and E\H
![Page 12: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/12.jpg)
Invariance of Flow in a CPS
[Figure: three IEMs, each an SST with Battery, Load, PV and DGI, on a shared power bus; power is shared between IEM 1 and IEM 2 due to the DGI algorithm]
• Power flow satisfies Kirchhoff's law of invariance on the bus, which can be represented as a physical event
![Page 13: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/13.jpg)
Smart grid in terms of SPA
[Figure: the three-IEM smart grid (SST, Battery, Load, PV, DGI) expressed as SPA processes]
![Page 14: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/14.jpg)
SBNDC for FREEDM
The system before and after execution of a high-level event remains indistinguishable to the low-level domain: for every reachable E' and every high-level transition E' --h--> E'', E'\H and E''\H must be weakly bisimilar.
![Page 15: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/15.jpg)
SBNDC for FREEDM
• Such processes can be modified to satisfy SBNDC by inserting a complementary high-level output, so that the pair synchronizes into an internal action (τ) that is not observable
• Such compensating events hide the physically observable effects (the power-flow event d on the shared bus)
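As an added example (not from the slides and not the FREEDM/DGI code), the SBNDC check of slide 10 and the compensating-event fix above, run on a toy SPA-style model of one IEM taken from the slide 4 interaction. The state and action names (idle, cmd_charge, bus_draw, ...) and the modelling of the compensated bus effect as a single τ step are this example's assumptions. The check enumerates every reachable high-level step E' --h--> E'' and asks whether E'\H and E''\H are weakly bisimilar; the weak-bisimulation checker is a plain greatest-fixpoint iteration, adequate for small hand-written models.

```python
# Added example, not from the slides: a toy SPA-style labelled transition system,
# a weak-bisimulation checker and the SBNDC check of slide 10 (for every reachable
# E' and high step E' --h--> E'', E'\H must be weakly bisimilar to E''\H).
TAU = "tau"  # internal (silent) action, ignored by weak bisimulation

class LTS:
    """Finite labelled transition system: trans[state] = [(action, next_state), ...]."""
    def __init__(self, trans, high):
        self.trans = trans
        self.high = set(high)  # names of the high-level (confidential) actions

    def states(self):
        found = set(self.trans)
        for outs in self.trans.values():
            found.update(t for _, t in outs)
        return found

    def restrict_high(self):
        """E\\H: the low-level view, with every high-level transition removed."""
        return LTS({s: [(a, t) for a, t in outs if a not in self.high]
                    for s, outs in self.trans.items()}, self.high)

    def reachable(self, start):
        seen, stack = {start}, [start]
        while stack:
            for _, t in self.trans.get(stack.pop(), []):
                if t not in seen:
                    seen.add(t)
                    stack.append(t)
        return seen

def tau_closure(lts, s):
    """States reachable from s by zero or more tau steps (s itself included)."""
    seen, stack = {s}, [s]
    while stack:
        for a, t in lts.trans.get(stack.pop(), []):
            if a == TAU and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def weak_succ(lts, s, a):
    """Weak move s ==a==> t: tau* a tau* for a visible action a, tau* for a == TAU."""
    pre = tau_closure(lts, s)
    if a == TAU:
        return pre
    mid = {t for x in pre for b, t in lts.trans.get(x, []) if b == a}
    return {y for t in mid for y in tau_closure(lts, t)}

def largest_weak_bisimulation(lts):
    """Greatest fixpoint: start from all pairs, drop a pair whenever one side has a
    step the other cannot answer with a weak move into a pair still in the relation."""
    states = lts.states()
    rel = {(p, q) for p in states for q in states}

    def matched(x, y):
        return all(any((t, u) in rel for u in weak_succ(lts, y, b))
                   for b, t in lts.trans.get(x, []))

    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not (matched(p, q) and matched(q, p)):
                rel.discard((p, q))
                changed = True
    return rel

def weak_bisimilar(lts, p, q):
    return (p, q) in largest_weak_bisimulation(lts)

def sbndc_violations(lts, start):
    """Reachable high steps E' --h--> E'' whose low views E'\\H and E''\\H differ."""
    rel = largest_weak_bisimulation(lts.restrict_high())
    return sorted((s, a, t) for s in lts.reachable(start)
                  for a, t in lts.trans.get(s, [])
                  if a in lts.high and (s, t) not in rel)

# Constructed model of one IEM (slide 4): the DGI command (b) is high level; the
# resulting draw or contribution on the shared bus (e) is visible to the other IEMs,
# hence low level.  Observing bus_draw reveals that cmd_charge was issued.
LEAKY = LTS({
    "idle": [("read_state", "idle"), ("cmd_charge", "charging"),
             ("cmd_discharge", "discharging")],
    "charging": [("bus_draw", "idle")],
    "discharging": [("bus_contrib", "idle")],
}, high={"cmd_charge", "cmd_discharge"})

# Compensating-event fix as modelled here (this example's assumption): the bus effect
# is paired with a complementary high-level output at a neighbouring IEM, so in the SPA
# parallel composition the pair synchronises into tau and the bus reveals nothing.
COMPENSATED = LTS({
    "idle": [("read_state", "idle"), ("cmd_charge", "charging"),
             ("cmd_discharge", "discharging")],
    "charging": [(TAU, "idle")],
    "discharging": [(TAU, "idle")],
}, high={"cmd_charge", "cmd_discharge"})

if __name__ == "__main__":
    print(sbndc_violations(LEAKY, "idle"), sbndc_violations(COMPENSATED, "idle"))
```

Running it reports both high-level commands of LEAKY as SBNDC violations, because after a command the low view can perform a bus event that the pre-command low view cannot, while COMPENSATED has none: from the low-level side, `idle` and `charging` are weakly bisimilar once the bus effect has become τ. The same checker answers the slide 9 question directly via `weak_bisimilar`. BNDC itself quantifies over every high-level process Π and is not checked here; SBNDC, which implies it, is what the slides verify.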
![Page 16: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/16.jpg)
Our Current Work
• Prototype DGI for FREEDM – IEEE SmartGridComm 2010, Akella/Ditch/McMillin/Meng/Crow
• Full Specification of DGI in SPA – EWICS SAFECOMP 2010, Akella/McMillin
• Formal Verification of Transmission Grid/Pipeline Network Security with SPA/CoPS – J. of Critical Infrastructure Protection 2010, Akella/Tang/McMillin
• Component Construction for Constructing Secure Smart Grid Systems – IEEE COMPSAC 2011, Gamage/Roth/McMillin
![Page 17: Verification of Information Flow Properties in Cyber-Physical Systems](https://reader035.fdocuments.us/reader035/viewer/2022070500/568168e1550346895ddfdc1c/html5/thumbnails/17.jpg)
Directions for future work
• Information flow analysis, with its origins in computational systems, can be extended to the realm of cyber-physical systems to verify their security
• Representation of physical events, including attributes such as invariance and physical observability, exposes potential confidentiality violations
• Process algebra presents a uniform model for defining cyber and physical processes that can be mechanically verified
• The model checking complexity incurred in automating the verification of CPS processes can be reduced using techniques like partial order reduction and new bisimulation techniques to reduce the state space