113 research outputs found

    Covert channel detection using Information Theory

    This paper presents an information-theory-based detection framework for covert channels. We first show that the usual notion of interference does not characterize the notion of deliberate information flow of covert channels. We then show that even an enhanced notion of "iterated multivalued interference" cannot capture flows with capacity lower than one bit of information per channel use. We then characterize and compute the capacity of covert channels that use control flows for a class of systems.

    Comment: In Proceedings SecCo 2010, arXiv:1102.516

    Waiting Nets: State Classes and Taxonomy

    In time Petri nets (TPNs), time and control are tightly connected: time measurement for a transition starts only when all resources needed to fire it are available. Further, upper bounds on duration of enabledness can force transitions to fire (this is called urgency). For many systems, one wants to decouple control and time, i.e. start measuring time as soon as a part of the preset of a transition is filled, and fire it after some delay and when all needed resources are available. This paper considers an extension of TPN called waiting nets that dissociates time measurement and control. Their semantics allows time measurement to start with incomplete presets, and can ignore urgency when upper bounds of intervals are reached but all resources needed to fire are not yet available. Firing of a transition is then allowed as soon as missing resources are available. It is known that extending bounded TPNs with stopwatches leads to undecidability. Our extension is weaker, and we show how to compute a finite state class graph for bounded waiting nets, yielding decidability of reachability and coverability. We then compare expressiveness of waiting nets with that of other models w.r.t. timed language equivalence, and show that they are strictly more expressive than TPNs.

    Distributed Implementation of Message Sequence Charts


    Realizability of Schedules by Stochastic Time Petri Nets with Blocking Semantics: (Extended Version)

    This paper considers realizability of expected schedules by production systems with concurrent tasks, bounded resources that have to be shared among tasks, and random behaviors and durations. Schedules are high level views of desired executions of systems represented as partial orders decorated with timing constraints. Production systems (production cells, train networks...) are modeled as stochastic time Petri nets (STPNs) with an elementary (1-bounded) semantics. We detail their interleaved operational semantics, and then propose a non-interleaved semantics through the notion of time processes. We then consider boolean realizability: a schedule S is realizable by a net N if S embeds in a time process of N that satisfies all its constraints. However, with continuous time domains, the probability of a time process with exact dates is null. We hence consider probabilistic realizability up to α time units, that holds if the probability that N realizes S with constraints enlarged by α is strictly positive. Upon a sensible restriction guaranteeing time progress, boolean and probabilistic realizability of a schedule can be checked on the finite set of symbolic prefixes extracted from a bounded unfolding of the net. We give a construction technique for these prefixes and show that they represent all time processes of a net occurring up to a given maximal date. We then show how to verify existence of an embedding and compute the probability of its realization.

    Scenario realizability with constraint optimization

    This work considers implementation of requirements expressed as High-level Message Sequence Charts (HMSCs). All HMSCs are not implementable, and the question of whether an HMSC specification can be implemented by communicating machines is undecidable in general. However, several subclasses such as local HMSCs can be implemented using a simple projection operation. This paper proposes a new technique to transform an arbitrary HMSC specification into a local HMSC, hence allowing implementation. We show that this transformation can be automated as a constraint optimization problem. The impact of modifications brought to the original specification can be minimized w.r.t. a cost function. The approach was evaluated on a large number of randomly generated HMSCs. The results of this experimentation are presented and analyzed. In particular, the evaluation shows an average runtime of a few seconds, which demonstrates applicability of the technique.

    Scenario Realizability with Constraint Optimization

    This work considers implementation of requirements expressed as High-level Message Sequence Charts (HMSCs). All HMSCs are not implementable, but a particular subclass called local HMSCs can be implemented using a simple projection operation. This paper proposes a new technique to transform an arbitrary HMSC specification into a local HMSC, hence allowing implementation. We show that this transformation can be automated as a constraint optimization problem. The impact of modifications brought to the original specification can be minimized w.r.t. a cost function. The approach was evaluated on a large number of randomly generated HMSCs. The results show an average runtime of a few seconds, which demonstrates applicability of the technique.

    Regular Set of Representatives for Time-Constrained MSC Graphs

    Systems involving both time and concurrency are notoriously difficult to analyze. Existing decidability results apply in settings where clocks on different processes cannot be compared or where the set of timed executions is regular. We prove new decidability results for timed concurrent systems, requiring neither restriction. We consider the formalism of time-constrained MSC graphs (TC-MSC graphs for short), and study whether the set of timed executions generated by a TC-MSC graph is empty or not. This emptiness problem is known to be undecidable in general. Our approach for obtaining decidability consists of two steps: (i) find a subset R of representative timed executions, that is, for which every timed execution of the system has an equivalent, up to commutation, timed execution in R, and (ii) prove that R is regular. This allows us to solve the emptiness problem under the assumption that the TC-MSC graph G is well-formed. In particular, a well-formed TC-MSC graph is prohibited from forcing any basic scenario to take an arbitrarily long time to complete. Secondly, it is forbidden from enforcing unboundedly many events to occur within a single unit of time. We argue that these restrictions are indeed practically sensible.

    It is notoriously difficult to analyze the behaviours of systems described by models that involve both time and concurrency. Decidability results exist for models in which clock values on different processes cannot be compared, or when the models have regular sets of timed executions. In this work, we show new decidability results for timed and concurrent models that rely on neither of these restrictions. We study the formalism of time-constrained MSC graphs (TC-MSC graphs), as initially proposed, and the problem of deciding whether the set of timed executions of a model is empty or not. This problem has been proved undecidable in general for TC-MSC graphs. Our approach to obtaining a decision procedure has two steps: (i) find a subset R of timed executions called the set of representatives: for every timed execution of the system, one must be able to find an equivalent execution in R up to commutation; (ii) prove that R is regular. The existence of a regular set of representatives makes it possible to solve the emptiness problem for the set of executions of a TC-MSC graph. We propose a restriction of TC-MSC graphs that we call well-formed TC-MSC graphs. In a well-formed TC-MSC graph, the system cannot be forced to execute an arbitrarily large number of events within a finite lapse of time. It is also forbidden for an MSC to necessarily take an arbitrarily long time to be fully executed. The restrictions imposed on well-formed TC-MSC graphs reduce the expressive power of the language only slightly, and guarantee the existence of a regular set of representatives.

    A Grammatical Approach to Data-centric Case Management in a Distributed Collaborative Environment

    This paper presents a purely declarative approach to artifact-centric case management systems, and a decentralization scheme for this model. Each case is presented as a tree-like structure; nodes bear information that combines data and computations. Each node belongs to a given stakeholder, and semantic rules govern the evolution of the tree structure, as well as how data values derive from information stemming from the context of the node. Stakeholders communicate through asynchronous message passing without shared memory, enabling convenient distribution.

    Optimization of traffic management with learning machines

    This paper considers traffic management in metro networks, and techniques to allow fleets of trains to recover from bunching situations. We address this problem as a controller synthesis question. Controllers decide online train speeds and dwell durations to optimize the time needed to return to an ideal status of a network. We consider a formal model for metro lines based on a variant of Petri nets, and take as objective the minimization of the time needed to recover from a congestion. Though this is a standard timed game, the size of the state space for this model forbids standard synthesis techniques. We hence address the control question with ad-hoc local controllers, that take their decisions from the neighbourhood of a train and ignore the rest of the network. We first propose a local controller that balances the headways w.r.t. the preceding and successor trains at each stop. The returned solution is obtained as the minimum of a quadratic cost function. We then replace the quadratic function minimization by a decision returned by a neural network trained on our metro model, and compare performances of both types of controllers on a case study.