Model checking of mobile systems and diagnosability of weakly fair systems

PhD ThesisThis thesis consists of two independent contributions. The rst deals with model checking of reference passing systems, and the second considers diagnosability under the weak fairness assumption. Reference passing systems, like mobile and recon gurable systems are everywhere nowadays. The common feature of such systems is the possibility to form dynamic logical connections between the individual modules. However, such systems are very di cult to verify, as their logical structure is dynamic. Traditionally, decidable fragments of -calculus, e.g. the well-known Finite Control Processes (FCP), are used for formal modelling of reference passing systems. Unfortunately, FCPs allow only `global' concurrency between processes, and thus cannot naturally express scenarios involving `local' concurrency inside a process. This thesis proposes Extended Finite Control Processes (EFCP), which are more convenient for practical modelling. Moreover, an almost linear translation of EFCPs to FCPs is developed, which enables e cient model checking of EFCPs. In partially observed systems, diagnosis is the task of detecting whether or not the given sequence of observed labels indicates that some unobservable fault has occurred. Diagnosability is an associated property, stating that in any possible execution an occurrence of a fault can eventually be diagnosed. In this thesis, diagnosability is considered under the weak fairness (WF) assumption, which intuitively states that no transition from a given set can stay enabled forever - it must eventually either re or be disabled. A major aw in a previous approach to WF-diagnosability in the literature is identi ed and corrected, and an e cient method for verifying WF-diagnosability based on a reduction to LTL-X model checking is presented

Formal Verification of Secure Information Flow in Cloud Computing

Federated cloud systems increase the reliability and reduce the cost of computational support to an organization. However, the resulting combination of secure private clouds and less secure public clouds impacts on the overall security of the system as applications need to be located within di�erent clouds. In this paper, the entities of a federated cloud system as well as the clouds are assigned security levels of a given security lattice. Then a dynamic ow sensitive security model for a federated cloud system is introduced within which the Bell-LaPadula rules and cloud security rule can be captured. The rest of the paper demonstrates how Petri nets and the associated veri�cation techniques could be used to analyze the security of information ow in federated cloud systems

Une approche efficace pour l’étude de la diagnosticabilité et le diagnostic des SED modélisés par Réseaux de Petri labellisés : contextes atemporel et temporel

This PhD thesis deals with fault diagnosis of discrete event systems using Petri net models. Some on-the-fly and incremental techniques are developed to reduce the state explosion problem while analyzing diagnosability. In the untimed context, an algebraic representation for labeled Petri nets (LPNs) is developed for featuring system behavior. The diagnosability of LPN models is tackled by analyzing a series of K-diagnosability problems. Two models called respectively FM-graph and FM-set tree are developed and built on the fly to record the necessary information for diagnosability analysis. Finally, a diagnoser is derived from the FM-set tree for online diagnosis. In the timed context, time interval splitting techniques are developed in order to make it possible to generate a state representation of labeled time Petri net (LTPN) models, for which techniques from the untimed context can be used to analyze diagnosability. Based on this, necessary and sufficient conditions for the diagnosability of LTPN models are determined. Moreover, we provide the solution for the minimum delay ∆ that ensures diagnosability. From a practical point of view, diagnosability analysis is performed on the basis of on-the-fly building of a structure that we call ASG and which holds fault information about the LTPN states. Generally, using on-the-fly analysis and incremental technique makes it possible to build and investigate only a part of the state space, even in the case when the system is diagnosable. Simulation results obtained on some chosen benchmarks show the efficiency in terms of time and memory compared with the traditional approaches using state enumerationCette thèse s'intéresse à l'étude des problèmes de diagnostic des fautes sur les systèmes à événements discrets en utilisant les modèles réseau de Petri. Des techniques d'exploration incrémentale et à-la-volée sont développées pour combattre le problème de l'explosion de l'état lors de l'analyse de la diagnosticabilité. Dans le contexte atemporel, la diagnosticabilité de modèles RdP-L est abordée par l'analyse d'une série de problèmes K-diagnosticabilité. L'analyse de la diagnosticabilité est effectuée sur la base de deux modèles nommés respectivement FM-graph et FM-set tree qui sont développés à-la-volée. Un diagnostiqueur peut être dérivé à partir du FM-set tree pour le diagnostic en ligne. Dans le contexte temporel, les techniques de fractionnement des intervalles de temps sont élaborées pour développer représentation de l'espace d'état des RdP-LT pour laquelle des techniques d'analyse de la diagnosticabilité peuvent être utilisées. Sur cette base, les conditions nécessaires et suffisantes pour la diagnosticabilité de RdP-LT ont été déterminées. En pratique, l'analyse de la diagnosticabilité est effectuée sur la base de la construction à-la-volée d'une structure nommée ASG et qui contient des informations relatives à l'occurrence de fautes. D'une manière générale, l'analyse effectuée sur la base des techniques à-la-volée et incrémentale permet de construire et explorer seulement une partie de l'espace d'état, même lorsque le système est diagnosticable. Les résultats des simulations effectuées sur certains benchmarks montrent l'efficacité de ces techniques en termes de temps et de mémoire par rapport aux approches traditionnelles basées sur l'énumération des état

Hyper Partial Order Logic

We define HyPOL, a local hyper logic for partial order models, expressing properties of sets of runs. These properties depict shapes of causal dependencies in sets of partially ordered executions, with similarity relations defined as isomorphisms of past observations. Unsurprisingly, since comparison of projections are included, satisfiability of this logic is undecidable. We then address model checking of HyPOL and show that, already for safe Petri nets, the problem is undecidable. Fortunately, sensible restrictions of observations and nets allow us to bring back model checking of HyPOL to a decidable problem, namely model checking of MSO on graphs of bounded treewidth

The Complexity of Diagnosability and Opacity Verification for Petri Nets

International audienceDiagnosability and opacity are two well-studied problems in discrete-event systems. We revisit these two problems with respect to expressiveness and complexity issues. We first relate different notions of diagnosability and opacity. We consider in particular fairness issues and extend the definition of Germanos et al. [ACM TECS, 2015] of weakly fair diagnosability for safe Petri nets to general Petri nets and to opacity questions. Second, we provide a global picture of complexity results for the verification of diagnosability and opacity. We show that diagnosability is NL-complete for finite state systems, PSPACE-complete for safe Petri nets (even with fairness), and EXPSPACE-complete for general Petri nets without fairness, while non diagnosability is inter-reducible with reachability when fault events are not weakly fair. Opacity is ESPACE-complete for safe Petri nets (even with fairness) and undecidable for general Petri nets already without fairness

Supervisory Control and Analysis of Partially-observed Discrete Event Systems

Nowadays, a variety of real-world systems fall into discrete event systems (DES). In practical scenarios, due to facts like limited sensor technique, sensor failure, unstable network and even the intrusion of malicious agents, it might occur that some events are unobservable, multiple events are indistinguishable in observations, and observations of some events are nondeterministic. By considering various practical scenarios, increasing attention in the DES community has been paid to partially-observed DES, which in this thesis refer broadly to those DES with partial and/or unreliable observations. In this thesis, we focus on two topics of partially-observed DES, namely, supervisory control and analysis. The first topic includes two research directions in terms of system models. One is the supervisory control of DES with both unobservable and uncontrollable events, focusing on the forbidden state problem; the other is the supervisory control of DES vulnerable to sensor-reading disguising attacks (SD-attacks), which is also interpreted as DES with nondeterministic observations, addressing both the forbidden state problem and the liveness-enforcing problem. Petri nets (PN) are used as a reference formalism in this topic. First, we study the forbidden state problem in the framework of PN with both unobservable and uncontrollable transitions, assuming that unobservable transitions are uncontrollable. For ordinary PN subject to an admissible Generalized Mutual Exclusion Constraint (GMEC), an optimal on-line control policy with polynomial complexity is proposed provided that a particular subnet, called observation subnet, satisfies certain conditions in structure. It is then discussed how to obtain an optimal on-line control policy for PN subject to an arbitrary GMEC. Next, we still consider the forbidden state problem but in PN vulnerable to SD-attacks. Assuming the control specification in terms of a GMEC, we propose three methods to derive on-line control policies. The first two lead to an optimal policy but are computationally inefficient for large-size systems, while the third method computes a policy with timely response even for large-size systems but at the expense of optimality. Finally, we investigate the liveness-enforcing problem still assuming that the system is vulnerable to SD-attacks. In this problem, the plant is modelled as a bounded PN, which allows us to off-line compute a supervisor starting from constructing the reachability graph of the PN. Then, based on repeatedly computing a more restrictive liveness-enforcing supervisor under no attack and constructing a basic supervisor, an off-line method that synthesizes a liveness-enforcing supervisor tolerant to an SD-attack is proposed. In the second topic, we care about the verification of properties related to system security. Two properties are considered, i.e., fault-predictability and event-based opacity. The former is a property in the literature, characterizing the situation that the occurrence of any fault in a system is predictable, while the latter is a newly proposed property in the thesis, which describes the fact that secret events of a system cannot be revealed to an external observer within their critical horizons. In the case of fault-predictability, DES are modeled by labeled PN. A necessary and sufficient condition for fault-predictability is derived by characterizing the structure of the Predictor Graph. Furthermore, two rules are proposed to reduce the size of a PN, which allow us to analyze the fault-predictability of the original net by verifying that of the reduced net. When studying event-based opacity, we use deterministic finite-state automata as the reference formalism. Considering different scenarios, we propose four notions, namely, K-observation event-opacity, infinite-observation event-opacity, event-opacity and combinational event-opacity. Moreover, verifiers are proposed to analyze these properties

Fourier-Motzkin methods for fault diagnosis in discrete event systems

The problem of fault diagnosis under partial observation is a complex problem; and the challenge to solve this problem is to find a compromise between the space complexity and time complexity. The classic method to solve the problem is by constructing an automaton called a diagnoser. This method suffers from the state explosion problem which limits its application to large systems. In this thesis, the problem of fault diagnosis in partially observed discrete event systems is addressed. We assume that the system is modelled by Petri nets having no cycle of unobservable transitions. The class of labelled Petri nets is also considered with both bounded and unbounded cases. We propose a novel approach for fault diagnosis using the Integer Fourier-Motzkin Elimination method. The main idea is to reduce the problem of constructing the diagnoser to a problem of projecting between two spaces. In other words, we first obtain a set of inequalities derived from the state equation of Petri nets. Then, the elimination method is used to drop the variables corresponding to the unobservable transitions and we design two sets of inequalities in variables representing the observable transitions. One set ensures that the fault has occurred, whereas the other ensures that fault has not occurred. Given these two sets, we have proved that the occurrences of faults can be decided as any other diagnoser can do. The obtained result are extended to diagnose violations of constraints such as service level agreement and Quality of Service, which is of particular interested in telecommunication companies. We implement our approach and demonstrate gains in performance with respect to existing approaches on a benchmark example

Formal Techniques for Component-based Design of Embedded Systems

Embedded systems have become ubiquitous - from avionics and automotive over consumer electronics to medical devices. Failures may entailmaterial damage or compromise safety of human beings. At the same time, shorter product cycles, together with fast growing complexity of the systems to be designed, create a tremendous need for rigorous design techniques. The goal of component-based construction is to build complex systems from simpler components that are well understood and can be (re)used so as to accelerate the design process. This document presents a summary of the formal techniques for component-based design of embedded systems I have (co-)developed