3,312 research outputs found

    Safe Environmental Envelopes of Discrete Systems

    A safety verification task involves verifying a system against a desired safety property under certain assumptions about the environment. However, these environmental assumptions may occasionally be violated due to modeling errors or faults. Ideally, the system guarantees its critical properties even under some of these violations, i.e., the system is robust against environmental deviations. This paper proposes a notion of robustness as an explicit, first-class property of a transition system that captures how robust it is against possible deviations in the environment. We modeled deviations as a set of transitions that may be added to the original environment. Our robustness notion then describes the safety envelope of this system, i.e., it captures all sets of extra environment transitions for which the system still guarantees a desired property. We show that being able to explicitly reason about robustness enables new types of system analysis and design tasks beyond the common verification problem stated above. We demonstrate the application of our framework on case studies involving a radiation therapy interface, an electronic voting machine, a fare collection protocol, and a medical pump device.
    Comment: Full version of CAV23 pape

    Resilience Against Sensor Deception Attacks at the Supervisory Control Layer of Cyber-Physical Systems: A Discrete Event Systems Approach

    Cyber-Physical Systems (CPS) are already ubiquitous in our society and include medical devices, (semi-)autonomous vehicles, and smart grids. However, their security aspects were only recently incorporated into their design process, mainly in response to catastrophic incidents caused by cyber-attacks on CPS. The Stuxnet attack that successfully damaged a nuclear facility, the Maroochy water breach that released millions of gallons of untreated water, the assault on power plants in Brazil that disrupted the distribution of energy in many cities, and the intrusion demonstration that stopped the engine of a 2014 Jeep Cherokee in the middle of a highway are examples of well-publicized cyber-attacks on CPS. There is now a critical need to provide techniques for analyzing the behavior of CPS while under attack and to synthesize attack-resilient CPS. In this dissertation, we address CPS under the influence of an important class of attacks called sensor deception attacks, in which an attacker hijacks sensor readings to inflict damage to CPS. The formalism of regular languages and their finite-state automata representations is used to capture the dynamics of CPS and their attackers, thereby allowing us to leverage the theory of supervisory control of discrete event systems to pose our investigations. First, we focus on developing a supervisory control framework under sensor deception attacks. We focus on two questions: (1) Can we automatically find sensor deception attacks that damage a given CPS? and (2) Can we design a secure-by-construction CPS against sensor deception attacks? Answering these two questions is the main contribution of this dissertation. In the first part of the dissertation, using techniques from the fields of graph games and Markov decision processes, we develop algorithms for synthesizing sensor deception attacks in both qualitative and quantitative settings. 
    Graph games provide the means of synthesizing sensor deception attacks that might damage the given CPS. In a second step, equipped with stochastic information about the CPS, we can leverage Markov decision processes to synthesize attacks with the highest likelihood of damage. In the second part of the dissertation, we tackle the problem of designing secure-by-construction CPS. We provide two different methodologies to design such CPS, in which there exists a trade-off between flexibility on selecting different designs and computational complexity of the methods. The first method is developed based on supervisory control theory, and it provides a computationally efficient way of designing secure CPS. Alternatively, a graph-game method is presented as a second solution for this investigated problem. The graph-game method grants flexible selection of the CPS at the cost of computational complexity. The first method finds one robust supervisor, whereas the second method provides a structure in which all robust supervisors are included. Overall, this dissertation provides a comprehensive set of algorithmic techniques to analyze and mitigate sensor deception attacks at the supervisory layer of cyber-physical control systems.
    PHD, Electrical and Computer Engineering
    University of Michigan, Horace H. Rackham School of Graduate Studies
    http://deepblue.lib.umich.edu/bitstream/2027.42/166117/1/romulo_1.pd

    Intelligent Management of Mobile Systems through Computational Self-Awareness

    Runtime resource management for many-core systems is increasingly complex. The complexity can be due to diverse workload characteristics with conflicting demands, or limited shared resources such as memory bandwidth and power. Resource management strategies for many-core systems must distribute shared resource(s) appropriately across workloads, while coordinating the high-level system goals at runtime in a scalable and robust manner. To address the complexity of dynamic resource management in many-core systems, state-of-the-art techniques that use heuristics have been proposed. These methods lack the formalism in providing robustness against unexpected runtime behavior. One of the common solutions for this problem is to deploy classical control approaches with bounds and formal guarantees. Traditional control-theoretic methods lack the ability to adapt to (1) changing goals at runtime (i.e., self-adaptivity), and (2) changing dynamics of the modeled system (i.e., self-optimization). In this chapter, we explore adaptive resource management techniques that provide self-optimization and self-adaptivity by employing principles of computational self-awareness, specifically reflection. By supporting these self-awareness properties, the system can reason about the actions it takes by considering the significance of competing objectives, user requirements, and operating conditions while executing unpredictable workloads.

    Robust decentralized supervisory control of discrete-event systems

    In this thesis we study robust supervisory control of discrete event systems in two different settings. First, we consider the problem of synthesizing a set of decentralized supervisors when the precise model of the plant is not known, but it is known that it is among a finite set of plant models. To tackle this problem, we form the union of all possible behaviors and construct an appropriate specification, from the given set of specifications, and solve the conventional decentralized supervisory control problem associated with it. We also prove that the given robust problem has a solution if and only if this conventional decentralized supervisory control problem has a solution. In another setting, we investigate the problem of synthesizing a set of communicating supervisors in the presence of delay in communication channels, and call it the Unbounded Communication Delay Robust Supervisory Control problem (UCDR-SC problem). In this problem, we assume that delay is unbounded but finite, meaning that any message sent from a local supervisor will be received by any other local supervisor after a finite but unknown delay. To solve this problem, we redefine the supervisory decision-making rules, introduce a new language property called unbounded-communication-delay-robust (UCDR), and present a set of conditions on the specification of the problem. We also show that the new class of languages that is the solution to this problem has some interesting relations with other observational languages.

    Should Bank Supervisors in Developing Countries Exercise More or Less Forbearance?

    Although forbearance has been associated with more costly financial crises, a trigger-happy approach to closing weak banks could also precipitate an avoidable systemic collapse. In sophisticated regulatory environments, there can be net benefits from at least occasional acts of forbearance. But we argue that three key structural weaknesses in developing countries suggest that their regulators should have less forbearance discretion. This is because financial systems in developing countries tend to have worse information, less interdependence and greater agency problems.

    Creating shared value: An operations and supply chain management perspective

    Focusing solely on short-term profits has caused social, environmental, and economic problems. Creating shared value integrates profitability with social and environmental objectives, offering a holistic solution. This dissertation examines two areas where this integration is crucial. The first topic explores servicizing business models for a transition to a more circular economy, emphasizing environmental benefits and firm profitability. Initially, we focus on pricing policies, comparing pricing schemes across consumer segments to identify win-win-win strategies that meet all people, planet, and profit objectives. Our research reveals that pay-per-use schemes outperform pay-per-period schemes for cost-inefficient or small-scale providers. A win-win (profit and planet) strategy can be achieved by offering a pay-per-use policy to high usage-valuation consumers, but a win-win-win strategy is unattainable. We then investigate consumer choices in servicizing models by conducting a conjoint experiment on payment scheme, price, minimum contract duration, and entry label attributes. The payment scheme emerges as the most influential attribute, with purchasing and pay-per-use schemes being popular options. The second topic focuses on drug shortages. Specifically, we examine the impact of tendering on shortages. Our findings demonstrate that tendering reduces prices but increases shortages, particularly at the beginning of contracts. However, shortages are less severe when alternative suppliers are available and the market is less concentrated. To address this issue, we propose allowing multiple winners, regionalizing tenders, increasing the time between tender and contract initiation, and incorporating a reliability measure as a winning criterion to mitigate shortages.