Game semantic analysis of equivalence in IMJ

Using game semantics, we investigate the problem of verifying contextual equivalences in Interface Middleweight Java (IMJ), an imperative object calculus in which program phrases are typed using interfaces. Working in the setting where data types are non-recursive and restricted to finite domains, we identify the frontier between decidability and undecidability by reference to the structure of interfaces present in typing judgments. In particular, we show how to determine the decidability status of problem instances (over a fixed type signature) by examining the position of methods inside the term type and the types of its free identifiers. Our results build upon the recent fully abstract game semantics of IMJ. Decidability is proved by translation into visibly pushdown register automata over infinite alphabets with fresh-input recognition

Multilevel Runtime Verification for Safety and Security Critical Cyber Physical Systems from a Model Based Engineering Perspective

Advanced embedded system technology is one of the key driving forces behind the rapid growth of Cyber-Physical System (CPS) applications. CPS consists of multiple coordinating and cooperating components, which are often software-intensive and interact with each other to achieve unprecedented tasks. Such highly integrated CPSs have complex interaction failures, attack surfaces, and attack vectors that we have to protect and secure against. This dissertation advances the state-of-the-art by developing a multilevel runtime monitoring approach for safety and security critical CPSs where there are monitors at each level of processing and integration. Given that computation and data processing vulnerabilities may exist at multiple levels in an embedded CPS, it follows that solutions present at the levels where the faults or vulnerabilities originate are beneficial in timely detection of anomalies. Further, increasing functional and architectural complexity of critical CPSs have significant safety and security operational implications. These challenges are leading to a need for new methods where there is a continuum between design time assurance and runtime or operational assurance. Towards this end, this dissertation explores Model Based Engineering methods by which design assurance can be carried forward to the runtime domain, creating a shared responsibility for reducing the overall risk associated with the system at operation. Therefore, a synergistic combination of Verification & Validation at design time and runtime monitoring at multiple levels is beneficial in assuring safety and security of critical CPS. Furthermore, we realize our multilevel runtime monitor framework on hardware using a stream-based runtime verification language

A Taxonomy for and Analysis of Anonymous Communications Networks

Any entity operating in cyberspace is susceptible to debilitating attacks. With cyber attacks intended to gather intelligence and disrupt communications rapidly replacing the threat of conventional and nuclear attacks, a new age of warfare is at hand. In 2003, the United States acknowledged that the speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation states difficult. Even President Obama’s Cybersecurity Chief-elect recognizes the challenge of increasingly sophisticated cyber attacks. Now through April 2009, the White House is reviewing federal cyber initiatives to protect US citizen privacy rights. Indeed, the rising quantity and ubiquity of new surveillance technologies in cyberspace enables instant, undetectable, and unsolicited information collection about entities. Hence, anonymity and privacy are becoming increasingly important issues. Anonymization enables entities to protect their data and systems from a diverse set of cyber attacks and preserves privacy. This research provides a systematic analysis of anonymity degradation, preservation and elimination in cyberspace to enhance the security of information assets. This includes discovery/obfuscation of identities and actions of/from potential adversaries. First, novel taxonomies are developed for classifying and comparing well-established anonymous networking protocols. These expand the classical definition of anonymity and capture the peer-to-peer and mobile ad hoc anonymous protocol family relationships. Second, a unique synthesis of state-of-the-art anonymity metrics is provided. This significantly aids an entity’s ability to reliably measure changing anonymity levels; thereby, increasing their ability to defend against cyber attacks. Finally, a novel epistemic-based mathematical model is created to characterize how an adversary reasons with knowledge to degrade anonymity. This offers multiple anonymity property representations and well-defined logical proofs to ensure the accuracy and correctness of current and future anonymous network protocol design

Formal Approaches to Control System Security From Static Analysis to Runtime Enforcement

With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control systems. The main contributions of this thesis follow two research strands that address the security concerns of industrial control systems via formal methodologies. As our first contribution, we propose a formal approach based on model checking and statistical model checking, within the MODEST TOOLSET, to analyse the impact of attacks targeting nontrivial control systems equipped with an intrusion detection system (IDS) capable of detecting and mitigating attacks. Our goal is to evaluate the impact of cyber-physical attacks, i.e., attacks targeting sensors and/or actuators of the system with potential consequences on the safety of the inner physical process. Our security analysis estimates both the physical impact of the attacks and the performance of the IDS. As our second contribution, we propose a formal approach based on runtime enforcement to ensure specification compliance in networks of controllers, possibly compromised by colluding malware that may tamper with actuator commands, sensor readings, and inter-controller communications. Our approach relies on an ad-hoc sub-class of Ligatti et al.’s edit automata to enforce controllers represented in Hennessy and Regan’s Timed Process Language. We define a synthesis algorithm that, given an alphabet P of observable actions and a timed correctness property e, returns a monitor that enforces the property e during the execution of any (potentially corrupted) controller with alphabet P, and complying with the property e. Our monitors correct and suppress incorrect actions coming from corrupted controllers and emit actions in full autonomy when the controller under scrutiny is not able to do so in a correct manner. Besides classical requirements, such as transparency and soundness, the proposed enforcement enjoys deadlock- and diverge-freedom of monitored controllers, together with compositionality when dealing with networks of controllers. Finally, we test the proposed enforcement mechanism on a non-trivial case study, taken from the context of industrial water treatment systems, in which the controllers are injected with different malware with different malicious goals

How To Touch a Running System

The increasing importance of distributed and decentralized software architectures entails more and more attention for adaptive software. Obtaining adaptiveness, however, is a difficult task as the software design needs to foresee and cope with a variety of situations. Using reconfiguration of components facilitates this task, as the adaptivity is conducted on an architecture level instead of directly in the code. This results in a separation of concerns; the appropriate reconfiguration can be devised on a coarse level, while the implementation of the components can remain largely unaware of reconfiguration scenarios. We study reconfiguration in component frameworks based on formal theory. We first discuss programming with components, exemplified with the development of the cmc model checker. This highly efficient model checker is made of C++ components and serves as an example for component-based software development practice in general, and also provides insights into the principles of adaptivity. However, the component model focuses on high performance and is not geared towards using the structuring principle of components for controlled reconfiguration. We thus complement this highly optimized model by a message passing-based component model which takes reconfigurability to be its central principle. Supporting reconfiguration in a framework is about alleviating the programmer from caring about the peculiarities as much as possible. We utilize the formal description of the component model to provide an algorithm for reconfiguration that retains as much flexibility as possible, while avoiding most problems that arise due to concurrency. This algorithm is embedded in a general four-stage adaptivity model inspired by physical control loops. The reconfiguration is devised to work with stateful components, retaining their data and unprocessed messages. Reconfiguration plans, which are provided with a formal semantics, form the input of the reconfiguration algorithm. We show that the algorithm achieves perceived atomicity of the reconfiguration process for an important class of plans, i.e., the whole process of reconfiguration is perceived as one atomic step, while minimizing the use of blocking of components. We illustrate the applicability of our approach to reconfiguration by providing several examples like fault-tolerance and automated resource control

Formal Methods for Wireless Systems

I sistemi wireless sono costituiti da dispositivi che comunicano tra loro per mezzo di un canale radio. Questo paradigma di rete presenta molti vantaggi, ma la presenza del canale radio lo rende intrinsecamente vulnerabile. Di conseguenza, in tale ambito la sicurezza rappresenta un tema importante. I meccanismi di sicurezza messi a punto per i sistemi cablati presentano molti limiti quando vengono utilizzati in una rete wireless. I problemi principali derivano dal fatto che essi operano in modo centralizzato e sotto l'ipotesi di un “mondo chiuso”. Pertanto tecniche formali sono necessarie per stabilire una connessione matematicamente rigorosa tra la modellazione e gli obiettivi di sicurezza. Nella presente tesi si applica il formalismo ben noto del "process calculus" per modellare le principali caratteristiche della comunicazione wireless. Il contributo scientifico è essenzialmente teorico. Verrà proposto un primo process calculus per modellare il passaggio del tempo nei sistemi wireless. Verranno dimostrate alcune interessanti proprietà relative al tempo. Inoltre verrà presentata una rigorosa trattazione dei problemi di collisione. Verranno fornite anche “equivalenze comportamentali” (behavioural equivalence) e verranno dimostrate una serie di leggi algebriche. L'usabilità del calcolo verrà mostrata modellando il Carrier Sense Multiple Access, un diffuso protocollo di livello MAC in cui un dispositivo ascolta il canale prima di trasmettere. Verranno poi analizzati alcuni aspetti di sicurezza, in particolare verrà proposto un modello di trust per le reti ad hoc mobili. Tali reti sono costituite da nodi mobili che comunicano senza l’ausilio di altre infrastrutture. Le reti di tale calcolo verranno modellate come sistemi multilivello perché le relazioni di trust associano ai nodi livelli di sicurezza in base al loro comportamento. Tale modello di trust verrà incluso in un process calculus per reti ad hoc che sarà dotato di equivalenze comportamentali a partire dalle quali verrà sviluppata una "teoria osservazionale" (observational theory). Saranno garantiti sia alcune interessanti proprietà relative alla sicurezza, come la safety in presenza di nodi compromessi, sia risultati di non interferenza. Tale calcolo verrà utilizzato per analizzare una versione “sicura” di un algoritmo per il leader election nelle reti ad hoc. Verrà fornita anche una codifica del protocollo di routing per reti ad hoc chiamato endairA. Infine, il calcolo sul trust verrà esteso con aspetti legati al tempo, per spiegare la relazione tra tempo e trust. Infine quest’ultimo calcolo verrà applicato per dare una codifica del protocollo di routing per reti ad hoc chiamato ARAN.Wireless systems consist of wireless devices which communicate with each other by means of a radio frequency channel. This networking paradigm offers much convenience, but because of the use of the wireless medium it is inherently vulnerable to many threats. As a consequence, security represents an important issue. Security mechanisms developed for wired systems present many limitations when used in a wireless context. The main problems stem from the fact that they operate in a centralised manner and under the assumption of a \closed world". Formal techniques are therefore needed to establish a mathematically rigorous connection between modelling and security goals. In the present dissertation we apply the well-known formalism of process calculus to model the features of wireless communication. The scientic contributions are primarily theoretical.We propose a timed process calculus modelling the communication features of wireless systems and enjoying some desirable time properties. The presence of time allows us to reason about communication collisions. We also provide behavioural equivalences and we prove a number of algebraic laws. We illustrate the usability of the calculus to model the Carrier Sense Multiple Access scheme, a widely used MAC level protocol in which a device senses the channel before transmitting. We then focus on security aspects, in particular we propose a trust model for mobile ad hoc networks, composed only of mobile nodes that communicate each other without relying on any base station. We model our networks as multilevel systems because trust relations associate security levels to nodes depending on their behaviour. Then we embody this trust model in a process calculus modelling the features of ad hoc networks. Our calculus is equipped with behavioural equivalences allowing us to develop an observational theory. We ensure safety despite compromised nodes and non interference results. We then use this calculus to analyse a secure version of a leader election algorithm for ad hoc networks. We also provide an encoding of the endairA routing protocol for ad hoc networks. Finally, we extend the trust-based calculus with timing aspects to reason about the relationship between trust and time. We then apply our calculus to formalise the routing protocol ARAN for ad hoc networks

Game Semantics for Interface Middleweight Java

We consider an object calculus in which open terms interact with the environment through interfaces. The calculus is intended to capture the essence of contextual interactions of Middleweight Java code. Using game semantics, we provide fully abstract models for the induced notions of contextual approximation and equivalence. These are the first denotational models of this kind

Leveraging deep reinforcement learning in the smart grid environment

L’apprentissage statistique moderne démontre des résultats impressionnants, où les or- dinateurs viennent à atteindre ou même à excéder les standards humains dans certaines applications telles que la vision par ordinateur ou les jeux de stratégie. Pourtant, malgré ces avancées, force est de constater que les applications fiables en déploiement en sont encore à leur état embryonnaire en comparaison aux opportunités qu’elles pourraient apporter. C’est dans cette perspective, avec une emphase mise sur la théorie de décision séquentielle et sur les recherches récentes en apprentissage automatique, que nous démontrons l’applica- tion efficace de ces méthodes sur des cas liés au réseau électrique et à l’optimisation de ses acteurs. Nous considérons ainsi des instances impliquant des unités d’emmagasinement éner- gétique ou des voitures électriques, jusqu’aux contrôles thermiques des bâtiments intelligents. Nous concluons finalement en introduisant une nouvelle approche hybride qui combine les performances modernes de l’apprentissage profond et de l’apprentissage par renforcement au cadre d’application éprouvé de la recherche opérationnelle classique, dans le but de faciliter l’intégration de nouvelles méthodes d’apprentissage statistique sur différentes applications concrètes.While modern statistical learning is achieving impressive results, as computers start exceeding human baselines in some applications like computer vision, or even beating pro- fessional human players at strategy games without any prior knowledge, reliable deployed applications are still in their infancy compared to what these new opportunities could fathom. In this perspective, with a keen focus on sequential decision theory and recent statistical learning research, we demonstrate efficient application of such methods on instances involving the energy grid and the optimization of its actors, from energy storage and electric cars to smart buildings and thermal controls. We conclude by introducing a new hybrid approach combining the modern performance of deep learning and reinforcement learning with the proven application framework of operations research, in the objective of facilitating seamlessly the integration of new statistical learning-oriented methodologies in concrete applications