Section: New Results

Control and enforcement

Runtime enforcement of timed properties

Participants: Thierry Jéron, Hervé Marchand, Srinivas Pinisetty.

Runtime enforcement is a technique for ensuring that a running system satisfies desired properties. An enforcement monitor transforms an (untrustworthy) input execution, given as a sequence of events, into an output sequence that complies with a property. Over the last decade, runtime enforcement has mainly been studied for untimed properties. The contributions [26] and [34] deal with runtime enforcement of timed properties, revisiting the foundations of runtime enforcement for the case where the time between events matters. We propose a new enforcement paradigm in which enforcement mechanisms are time retardants: to produce a correct output sequence, they introduce additional delays between the events of the input sequence (a retardant can only delay events, never anticipate them). We consider runtime enforcement of any regular timed property defined by a timed automaton. We prove the correctness of the enforcement mechanisms and show that they enjoy two usually expected features, revisited here for timed properties. The first is soundness: the output sequences (eventually) satisfy the required property. The second is transparency: input sequences are modified in a minimal way. We also introduce two new features: i) physical constraints, which describe how a time retardant is physically constrained when delaying a sequence of timed events, and ii) optimality, meaning that output sequences are produced as soon as possible. To facilitate the adoption and implementation of enforcement mechanisms, we describe them at several complementary abstraction levels. Our enforcement mechanisms have been implemented, and our experimental results demonstrate the feasibility of runtime enforcement in a timed context and the effectiveness of the mechanisms.

Finally, in [33] we consider more practical applications. In network security, runtime enforcement (RE) monitors can detect and prevent Denial-of-Service attacks; in resource allocation, they can ensure fairness. Specifications in these domains express data constraints over the received events, where the timing between events matters. To formalize such requirements, we introduce Parameterized Timed Automata with Variables (PTAVs), an extension of Timed Automata (TAs) with internal and external variables. We then extend enforcement for TAs to enforcement for PTAVs for safety properties. We model requirements from the considered application domains and show how enforcement monitors can ensure system correctness with respect to these requirements.
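The following is an added example, not the authors' implementation (the page shows no code): a time-retardant enforcer for a property given as a single-clock timed automaton, in Python. The automaton (a rate-limiting requirement of the kind used for Denial-of-Service prevention), the input trace and all names are constructed for illustration. Each event is released at the earliest date that satisfies the physical constraint (never before it was received, never before the previous output, so order is preserved) and the guard of the current edge; that is the optimality requirement. An event that no delay can make acceptable, because the guard's upper bound has already passed or the current location has no edge for it, is discarded here, which is one treatment of safety properties and a design choice of this example rather than something the page specifies. `accepts` replays a timed word on the automaton and serves as the soundness check; the transparency check (output equals input minus discarded events, in the same order, each event no earlier than it arrived) is easy to add over the returned lists.

```python
"""Time-retardant enforcement monitor for a single-clock timed automaton.

Added example, not the authors' tool. A property is a deterministic timed
automaton with one clock x; the enforcer delays input events by the minimum
amount needed so that the output timed word is accepted by the automaton.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")


@dataclass(frozen=True)
class Edge:
    src: str
    event: str
    dst: str
    lo: float = 0.0       # guard: lo <= x
    hi: float = INF       # guard: x <= hi
    reset: bool = False   # reset clock x when the edge fires


@dataclass
class TimedAutomaton:
    initial: str
    edges: Tuple[Edge, ...]

    def edge_for(self, loc: str, event: str) -> Optional[Edge]:
        # Deterministic automaton: at most one edge per (location, event).
        for e in self.edges:
            if e.src == loc and e.event == event:
                return e
        return None


def accepts(ta: TimedAutomaton, word: List[Tuple[float, str]]) -> bool:
    """Replay a timed word (date, event) on the automaton; every guard must hold."""
    loc, last_reset, prev = ta.initial, 0.0, 0.0
    for t, ev in word:
        e = ta.edge_for(loc, ev)
        if t < prev or e is None or not (e.lo <= t - last_reset <= e.hi):
            return False
        if e.reset:
            last_reset = t
        loc, prev = e.dst, t
    return True


@dataclass
class Enforcer:
    ta: TimedAutomaton
    loc: str = field(init=False)
    last_reset: float = 0.0   # output date of the last clock reset (x = 0 at date 0)
    last_out: float = 0.0     # date of the last emitted event
    output: List[Tuple[float, str]] = field(default_factory=list)
    suppressed: List[Tuple[float, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.loc = self.ta.initial

    def feed(self, t: float, event: str) -> Optional[float]:
        """Receive `event` at input date t; return its output date, or None if discarded."""
        e = self.ta.edge_for(self.loc, event)
        if e is None:                      # no edge here: never acceptable
            self.suppressed.append((t, event))
            return None
        # Physical constraints: release no earlier than reception (t) and no
        # earlier than the previous output (order of kept events is preserved).
        earliest = max(t, self.last_out)
        # Optimality: the smallest date at which the guard's lower bound holds.
        out = max(earliest, self.last_reset + e.lo)
        if out - self.last_reset > e.hi:   # waiting only increases x: give up
            self.suppressed.append((t, event))
            return None
        self.output.append((out, event))
        self.last_out = out
        if e.reset:
            self.last_reset = out
        self.loc = e.dst
        return out


def enforce(ta: TimedAutomaton, word: List[Tuple[float, str]]):
    """Run the enforcer over a whole input word; return (output, suppressed)."""
    enf = Enforcer(ta)
    for t, ev in word:
        enf.feed(t, ev)
    return enf.output, enf.suppressed


# Constructed property: every `req` is answered by a `grant` before the next
# `req`, and two consecutive `req`s are at least 5 time units apart.
RATE_LIMIT = TimedAutomaton("start", (
    Edge("start", "req", "pending", reset=True),
    Edge("pending", "grant", "idle"),
    Edge("idle", "req", "pending", lo=5.0, reset=True),
))

# Constructed input trace (date, event); it violates the property at date 3.
INPUT = [(1, "req"), (2, "grant"), (3, "req"), (4, "grant"),
         (9, "req"), (9.5, "req"), (12, "grant")]

if __name__ == "__main__":
    out, dropped = enforce(RATE_LIMIT, INPUT)
    print("input accepted: ", accepts(RATE_LIMIT, INPUT))
    print("output:         ", out)
    print("output accepted:", accepts(RATE_LIMIT, out))
    print("suppressed:     ", dropped)
```

On the constructed trace the second `req` (received at 3) is held until 6, the `grant` received at 4 is released at 6 right behind it so that order is preserved, the third `req` is held until 11, and the `req` received at 9.5 while a request is still pending is discarded because no delay can make it acceptable in that location.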

Enforcing opacity

Participant: Hervé Marchand.

In [22], we have been interested in enforcing opacity of regular predicates on modal transition systems. Intuitively, given a labelled transition system 𝒯 partially observed by an attacker and a regular predicate S over the runs of 𝒯, enforcing opacity of the secret S in 𝒯 means computing a supervisory controller K such that an attacker who observes a run of the controlled system K/𝒯 cannot ascertain, from the knowledge of 𝒯 and K, that the trace of this run belongs to S. We lift the problem from a single labelled transition system 𝒯 to the class of all labelled transition systems specified by a Modal Transition System. The lifted problem is to compute the maximally permissive controller K such that S is opaque in K/𝒯 for every labelled transition system 𝒯 which is a model of the Modal Transition System. The situations of the attacker and of the controller are asymmetric: at run time, the attacker may fully know 𝒯 and K, whereas the controller knows only the Modal Transition System and the sequence of actions executed so far by the unknown 𝒯.

In [23], we provide a different solution by enforcing and validating various notions of opacity at runtime. More specifically, we study how to model-check, verify and enforce several levels of opacity at system runtime. Besides existing notions of opacity, we also introduce K-step strong opacity, a more practical notion of opacity that provides a stronger level of confidentiality.
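As an added example covering both paragraphs above (it is not the authors' code and does not synthesize the controller K of [22] or handle modal transition systems), the Python below computes the attacker's state estimate for a partially observed labelled transition system and checks opacity of one regular predicate, namely "the run ends in a state of SECRET". The attacker is assumed to know the LTS and to see only the projection of the run onto the observable events; unobservable events are absorbed by a closure step, exactly as an observer automaton would. `discloses` is the runtime check of [23] in its simplest form (does the observation so far pin the system inside the secret?), and `is_opaque` explores the finite set of observer states and returns a disclosing observation as a witness, which is where a controller would have to intervene. The two systems and their names are constructed for illustration.

```python
"""Attacker state estimate and current-state opacity check for a partially
observed LTS. Added example, not the authors' tool. The secret is the regular
predicate "the run ends in a state of SECRET"; the attacker knows the LTS and
observes only the events in `observable`.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

State = str
Event = str


class LTS:
    def __init__(self, initial: State,
                 transitions: Dict[Tuple[State, Event], Set[State]],
                 observable: Set[Event]) -> None:
        self.initial = initial
        self.trans = transitions          # (state, event) -> successor states
        self.observable = observable

    def closure(self, states: Iterable[State]) -> FrozenSet[State]:
        """States reachable from `states` through unobservable events only."""
        seen, todo = set(states), list(states)
        while todo:
            s = todo.pop()
            for (src, ev), dsts in self.trans.items():
                if src == s and ev not in self.observable:
                    for d in dsts:
                        if d not in seen:
                            seen.add(d)
                            todo.append(d)
        return frozenset(seen)

    def post(self, states: Iterable[State], ev: Event) -> FrozenSet[State]:
        """Observer step: fire observable `ev` from every state, then close."""
        nxt: Set[State] = set()
        for s in states:
            nxt |= self.trans.get((s, ev), set())
        return self.closure(nxt)


def attacker_estimate(lts: LTS, observation: List[Event]) -> FrozenSet[State]:
    """All states the system may currently be in, given what the attacker saw."""
    est = lts.closure({lts.initial})
    for ev in observation:
        est = lts.post(est, ev)
    return est


def discloses(lts: LTS, secret: Set[State], observation: List[Event]) -> bool:
    """Runtime check: the attacker is certain the current state is secret."""
    est = attacker_estimate(lts, observation)
    return bool(est) and est <= secret


def is_opaque(lts: LTS, secret: Set[State]) -> Tuple[bool, Optional[List[Event]]]:
    """Breadth-first search over observer states (finitely many).

    Returns (True, None) if no observation discloses the secret, otherwise
    (False, witness) with a shortest disclosing observation.
    """
    start = lts.closure({lts.initial})
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        est, obs = queue.popleft()
        if est and est <= secret:
            return False, obs
        for ev in sorted(lts.observable):
            nxt = lts.post(est, ev)
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, obs + [ev]))
    return True, None


# Constructed systems. Events a, b are observable; u is not. Secret state q2.
SECRET = {"q2"}
LEAKY = LTS("q0", {
    ("q0", "a"): {"q1"}, ("q1", "b"): {"q2"},
    ("q0", "u"): {"q3"}, ("q3", "b"): {"q4"},
}, observable={"a", "b"})

# Same system plus a non-secret run with the same observation "a b".
FIXED = LTS("q0", {
    ("q0", "a"): {"q1"}, ("q1", "b"): {"q2"},
    ("q0", "u"): {"q3"}, ("q3", "b"): {"q4"},
    ("q3", "a"): {"q5"}, ("q5", "b"): {"q6"},
}, observable={"a", "b"})

if __name__ == "__main__":
    print("LEAKY:", is_opaque(LEAKY, SECRET))   # observation a b discloses q2
    print("FIXED:", is_opaque(FIXED, SECRET))   # a b may end in q2 or q6
    print("estimate after a b in FIXED:", sorted(attacker_estimate(FIXED, ["a", "b"])))
```

In LEAKY the observation `a b` is only produced by the run ending in the secret state q2, so the attacker learns the secret; FIXED adds a run with the same observation that ends in the non-secret q6, and the estimate after `a b` becomes {q2, q6}, which is what a controller enforcing opacity must preserve for every observation.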

Discrete Controller Synthesis for Infinite State Systems with ReaX

Participants: Nicolas Berthier, Hervé Marchand.

This year, we investigated the control of infinite-state reactive synchronous systems modelled by arithmetic symbolic transition systems, for safety properties involving numerical variables. We provide effective algorithms for solving the safety control problem and report on experiments with ReaX, our tool implementing these algorithms [28].