14 research outputs found

    Describing secure interfaces with interface automata

    Interface automata are a model that allows for the representation of stateful interfaces. In this paper we introduce a variant of interface automata, which we call interface structure for security (ISS), that allows for the modelling of security. We focus on the property of non-interference, more precisely on bisimulation-based non-interference for reactive systems. We define the notion of compatible interfaces in this setting, meaning that they can be composed so that a secure interface can be synthesized from the composition. In fact, we provide an algorithm that determines whether an ISS can be made secure by controlling (more specifically, pruning) some public input actions, and if so, synthesizes the secure ISS. In addition, we also provide some sufficient conditions on the component ISSs to ensure that their composition is secure (and hence no synthesis process is needed).

    Affiliation: Lee, Matias David. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física; Argentina
    Affiliation: D'Argenio, Pedro Ruben. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina

    Bisimulations for non-deterministic labelled Markov processes

    We extend the theory of labelled Markov processes to include internal non-determinism, which is a fundamental concept for the further development of a process theory with abstraction on non-deterministic continuous probabilistic systems. We define non-deterministic labelled Markov processes (NLMP) and provide three definitions of bisimulations: a bisimulation following a traditional characterisation; a state-based bisimulation tailored to our 'measurable' non-determinism; and an event-based bisimulation. We show the relations between them, including the fact that the largest state bisimulation is also an event bisimulation. We also introduce a variation of the Hennessy-Milner logic that characterises event bisimulation and is sound with respect to the other bisimulations for an arbitrary NLMP. This logic, however, is infinitary as it contains a denumerable. We then introduce a finitary sublogic that characterises all bisimulations for an image-finite NLMP whose underlying measure space is also analytic. Hence, in this setting, all the notions of bisimulation we consider turn out to be equal. Finally, we show that all these bisimulation notions are different in the general case. The counterexamples that separate them turn out to be non-probabilistic NLMPs.

    Affiliation: D'Argenio, Pedro Ruben. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física. Sección Ciencias de la Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina
    Affiliation: Sánchez Terraf, Pedro Octavio. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física. Sección Ciencias de la Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina
    Affiliation: Wolovick, Nicolás. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física. Sección Ciencias de la Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina

    MaskD: a tool for measuring masking fault-tolerance

    We present MaskD, an automated tool designed to measure the level of fault-tolerance provided by software components. The tool focuses on measuring masking fault-tolerance, that is, the kind of fault-tolerance that allows systems to mask faults in such a way that they cannot be observed by the users. The tool takes as input a nominal model (which serves as a specification) and its fault-tolerant implementation, described by means of a guarded-command language, and automatically computes the masking distance between them. This value can be understood as the level of fault-tolerance provided by the implementation. The tool is based on a sound and complete framework we have introduced in previous work. We present the ideas behind the tool by means of a simple example and report experiments realized on more complex case studies.

    This work was supported by ANPCyT PICT-2017-3894 (RAFTSys), ANPCyT PICT 2019-03134, SeCyT-UNC 33620180100354CB (ARES), and EU Grant agreement ID: 101008233 (MISSION).

    Affiliation: Putruele, Luciano. Universidad Nacional de Río Cuarto. Facultad de Ciencias Exactas, Físico-Químicas y Naturales. Departamento de Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina
    Affiliation: Demasi, Ramiro Adrián. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía, Física y Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina
    Affiliation: Castro, Pablo Francisco. Universidad Nacional de Río Cuarto. Facultad de Ciencias Exactas, Físico-Químicas y Naturales. Departamento de Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina
    Affiliation: D'Argenio, Pedro Ruben. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía, Física y Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina. Saarland University. Saarland Informatics Campus; Germany

    Reconciling real and stochastic time: The need for probabilistic refinement

    We conservatively extend an ACP-style discrete-time process theory with discrete stochastic delays. The semantics of the timed delays relies on time additivity and time determinism, which are properties that enable us to merge subsequent timed delays and to impose their synchronous expiration. Stochastic delays, however, interact with respect to a so-called race condition that determines the set of delays that expire first, which is guided by an (implicit) probabilistic choice. The race condition precludes the property of time additivity, as the merger of stochastic delays alters this probabilistic behavior. To this end, we resolve the race condition using conditionally-distributed unit delays. We give a sound and ground-complete axiomatization of the process theory comprising the standard set of ACP-style operators. In this generalized setting, the alternative composition is no longer associative, so we have to resort to special normal forms that explicitly resolve the underlying race condition. Our treatment succeeds in the initial challenge to conservatively extend standard time with stochastic time. However, the 'dissection' of the stochastic delays into conditionally-distributed unit delays comes at a price, as we can no longer relate the resolved race condition to the original stochastic delays. We seek a solution in the field of probabilistic refinements that enable the interchange of probabilistic and non-deterministic choices.

    Affiliation: Markovski, J. Technische Universiteit Eindhoven; Netherlands
    Affiliation: D'Argenio, Pedro Ruben. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina
    Affiliation: Baeten, J. C. M. Technische Universiteit Eindhoven; Netherlands. Centrum Wiskunde & Informatica; Netherlands
    Affiliation: De Vink, E. P. Technische Universiteit Eindhoven; Netherlands. Centrum Wiskunde & Informatica; Netherlands

    Doping Tests for Cyber-physical Systems

    The software running in embedded or cyber-physical systems is typically of a proprietary nature, so users do not know precisely what the systems they own are (in)capable of doing. Most malfunctions of such systems are not intended by the manufacturer, but some are, which means these cannot be classified as bugs or security loopholes. The most prominent examples have become public in the diesel emissions scandal, where millions of cars were found to be equipped with software violating the law, altogether polluting the environment and putting human health at risk. The behaviour of the software embedded in these cars was intended by the manufacturer, but it was not in the interest of society, a phenomenon that has been called software doping. Due to the unavailability of a specification, the analysis of doped software is significantly different from that for buggy or insecure software, and hence classical verification and testing techniques have to be adapted. The work presented in this article builds on existing definitions of software doping and lays the theoretical foundations for conducting software doping tests, so as to enable uncovering unethical manufacturers. The complex nature of software doping makes it very hard to effectuate doping tests in practice. We explain the main challenges and provide efficient solutions to realise doping tests despite this complexity.

    Affiliation: Biewer, Sebastian. Universitat Saarland; Germany
    Affiliation: D'Argenio, Pedro Ruben. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física; Argentina. Universitat Saarland; Germany. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina
    Affiliation: Hermanns, Holger. Universitat Saarland; Germany

    On the probabilistic bisimulation spectrum with silent moves

    In this paper we look at one of the seminal works of Rob van Glabbeek from a probabilistic angle. We develop the bisimulation spectrum with silent moves for probabilistic models, namely Markov decision processes. Especially the treatment of divergence makes this endeavour challenging. We provide operational as well as logical characterisations of a total of 32 bisimilarities.

    Affiliation: Baier, Christel. Technische Universität Dresden; Germany
    Affiliation: D'Argenio, Pedro Ruben. Universitat Saarland; Germany. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina
    Affiliation: Hermanns, Holger. Universitat Saarland; Germany. Institute of Intelligent Software; China

    Better automated importance splitting for transient rare events

    Statistical model checking uses simulation to overcome the state space explosion problem in formal verification. Yet its runtime explodes when faced with rare events, unless a rare event simulation method like importance splitting is used. The effectiveness of importance splitting hinges on nontrivial model-specific inputs: an importance function with matching splitting thresholds. This prevents its use by non-experts for general classes of models. In this paper, we propose new method combinations with the goal of fully automating the selection of all parameters for importance splitting. We focus on transient (reachability) properties, which particularly challenged previous techniques, and present an exhaustive practical evaluation of the new approaches on case studies from the literature. We find that using Restart simulations with a compositionally constructed importance function and thresholds determined via a new expected success method most reliably succeeds and performs very well. Our implementation within the Modest Toolset supports various classes of formal stochastic models and is publicly available.

    Affiliation: Budde, Carlos Ernesto. Universiteit Twente; Netherlands. Universidad Nacional de Córdoba; Argentina
    Affiliation: D'Argenio, Pedro Ruben. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Córdoba; Argentina. Universidad Nacional de Córdoba; Argentina
    Affiliation: Hartmanns, Arnd. Universiteit Twente; Netherlands

    Automated compositional importance splitting

    In the formal verification of stochastic systems, statistical model checking uses simulation to overcome the state space explosion problem of probabilistic model checking. Yet its runtime explodes when faced with rare events, unless a rare event simulation method like importance splitting is used. The effectiveness of importance splitting hinges on nontrivial model-specific inputs: an importance function with matching splitting thresholds. This prevents its use by non-experts for general classes of models. In this paper, we present an automated method to derive the importance function. It considers both the structure of the model and of the formula characterising the rare event. It is memory-efficient by exploiting the compositional nature of formal models. We experimentally evaluate it in various combinations with two approaches to threshold selection as well as different splitting techniques for steady-state and transient properties. We find that Restart splitting combined with thresholds determined via a new expected success method most reliably succeeds and performs very well for transient properties. It remains competitive in the steady-state case, which is however challenging to all combinations we consider. All methods are implemented in the modes tool of the Modest Toolset and the FIG rare event simulator.

    Affiliation: Budde, Carlos E. Universiteit Twente; Netherlands
    Affiliation: D'Argenio, Pedro Ruben. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina
    Affiliation: Hartmanns, Arnd. Universiteit Twente; Netherlands

    A general SOS theory for the specification of probabilistic transition systems

    This article focuses on the formalization of the structured operational semantics approach for languages with primitives that introduce probabilistic and non-deterministic behavior. We define a general theoretic framework and present the ntμfθ/ntμxθ rule format that guarantees that bisimulation equivalence (in the probabilistic setting) is a congruence for any operator defined in this format. We show that the bisimulation is fully abstract w.r.t. the ntμfθ/ntμxθ format and (possibilistic) trace equivalence, in the sense that bisimulation is the coarsest congruence included in trace equivalence for any operator definable within the ntμfθ/ntμxθ format (in other words, bisimulation is the smallest congruence relation guaranteed by the format). We also provide a conservative extension theorem and show that languages that include primitives for exponentially distributed time behavior (such as IMC and Markov-automata-based languages) fit naturally within our framework.

    Affiliation: D'Argenio, Pedro Ruben. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física. Sección Ciencias de la Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina
    Affiliation: Gebler, Daniel. Vrije Universiteit Amsterdam; Netherlands
    Affiliation: Lee, Matias David. Universidad Nacional de Córdoba. Facultad de Matemática, Astronomía y Física. Sección Ciencias de la Computación; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas; Argentina