94 research outputs found

    KASTEL Industry 4.0 Demonstrator: Provably Forgetting Information in PLC software

    In the course of the fourth industrial revolution (Industry 4.0), production lines are being networked with each other and with the outside world. This increases the potential risk of successful attacks on factory plants. Factory plants are a worthwhile target for attackers, because they hold business secrets in the form of process information and process parameters. Within KASTEL SVI (work package 4.6) we have developed a method with which we can prove that a factory plant controller forgets business secrets. As a result, successful attackers obtain only a limited amount of information and the damage is bounded.

    Provably Forgetting of Information in Manufacturing Systems: Verification of the KASTEL Industry Demonstrator

    During the manufacturing process, information is generated and aggregated that constitutes a business secret and therefore needs strong protection. On the other hand, if we can prove that a piece of information is absent, the effort spent on protecting this system could be invested in other information, aspects or systems. For this, we develop the notion of information forgetting of a reactive system. This notion describes that a reactive system needs to forget the information about a secret within a certain number of cycles. This property limits the amount of historical information an attacker can learn by observing a manufacturing system. Moreover, we formalise and prove the notion of an information forgetting system with Relational Test Tables. We evaluate the verification on the industry demonstrator of the KASTEL SVI project, which was provided by the Fraunhofer IOSB and developed by an industrial third-party contractor. In this demonstrator, we are able to show that a selected business secret, the number of wheel turns, is not forgotten. We suggest and prove a fix of the leak. We close with an elaborate discussion of the verification and its results, and with remarks on how information forgetting supports quantifiable security.

    Formal Specification and Verification for Automated Production Systems

    Complex industrial control software often drives safety- and mission-critical systems, like automated production plants or control units embedded into devices in automotive systems. Such controllers have in common that they are reactive systems, i.e., they periodically read sensor stimuli and cyclically execute the same program to produce actuator signals. The correctness of software for automated production is rarely verified using formal techniques, even though, with the Industrial Revolution 4.0 (IR4.0), software has taken on an important role in industrial automation. What is used instead in industrial practice today is testing and simulation, where individual test cases are used to validate an automated production system. Three reasons why formal methods are not popular are: (a) It is difficult to adequately formulate the desired temporal properties. (b) There is a lack of specification languages for reactive systems that are both sufficiently expressive and comprehensible for practitioners. (c) Due to the lack of an environment model, the obtained results are imprecise. Nonetheless, formal methods for automated production systems are well studied academically, mainly on the verification of safety properties via model checking. In this doctoral thesis we present the concept of (1) generalized test tables (GTTs), a new specification language for functional properties, and their extension (2) relational test tables (RTTs) for relational properties. The concept includes the syntactical notion, designed for the intuition of engineers, and the semantics, which are based on game theory. We use RTTs for a novel confidentiality property on reactive systems, the provable forgetting of information. Moreover, for regression verification, an important relational property, we are able to achieve performance improvements by (3) creating a decomposition rule which splits large proofs into small sub-tasks.
    We implemented the verification procedures and evaluated them against realistic case studies, e.g., the Pick-and-Place-Unit from the Technical University of Munich. The presented contribution follows the idea of lowering the obstacle of verifying the dependability of reactive systems in general, and of automated production systems in particular, for the engineer: either by introducing a new specification language (GTTs), by exploiting existing programs for the specification (RTTs, regression verification), or by improving the verification performance.

    Are Formal Contracts a useful Digital Twin of Software Systems?

    Digital Twins are a trend topic in industry today, used either to manage runtime information or to forecast properties of devices and products. The techniques for Digital Twins are already employed in several disciplines of formal methods, in particular formal verification, runtime verification and specification inference. In this paper, we connect the Digital Twin concept and existing research areas in the field of formal methods. We sketch how digital twins for software-centric systems can be forged from existing formal methods.

    The counterSharp Model Counting Benchmark

    We present the counterSharp benchmark consisting of 123 projected model counting instances. The instances originate from work on the reliability quantification of programs written in C. We briefly introduce the application field and describe the benchmark selection process.


    Contract Machines: An Engineer-friendly Specification Language for Mode-Based Systems

    The first step in developing safe and functioning systems is the specification of the intended behavior. Development, validation, and verification depend on clear and unambiguous specifications. Building understandable specification tools requires adequate formalisms and representations to express the expected functional behavior. We present contract machines: a graphical specification language based on the well-known modeling concept of state machines and the intuitive semantics of assume-guarantee contracts. Contract machines (CMs) build upon the logical foundation of contract automata (CAs), which are non-deterministic finite automata over alphabets of contracts and provide the formal semantics of CMs. CAs can be processed by (semi-)automated verification and validation tools, such as model checkers or test case generators. In contrast to contract automata, contract machines offer a more high-level view of the system under scrutiny by providing more features to ease usability. We present features for effectively controlling non-determinism, for using recurring specification patterns, e.g. for fault modes and error recovery behavior, and for handling different versions and variants of systems.

    Sound Probabilistic #SAT with Projection

    We present an improved method for a sound probabilistic estimation of the model count of a Boolean formula under projection. The problem solved can be used to encode a variety of quantitative program analyses, such as those concerning security or resource consumption. We implement the technique and discuss its application to quantifying information flow in programs.
    Comment: In Proceedings QAPL'16, arXiv:1610.0769

    Chronic low back pain: a prospective study with 4 to 15 years follow-up after a multidisciplinary biopsychosocial rehabilitation program

    BACKGROUND: Multidisciplinary biopsychosocial rehabilitation (MBR) in patients with chronic low back pain (CLBP) is superior to less intensive treatments for at least one year, but the long-term course of the disease is largely unknown. The primary aim of this study was to describe the long-term course after an MBR in relation to pain, disability, and quality of life, from the beginning of the MBR to between 4 and 15 years after participation. The secondary aim was to explore the long-term course after an MBR in relation to physiological outcomes of functioning. METHODS: This was an observational study conducted at a university hospital. The cohort consisted of participants of a 3-week, CLBP-specific MBR program between August 2001 and January 2013. The North American Spine Society questionnaire (NASS) pain and disability scale was the primary patient-reported outcome measure (PROM). The NASS neurogenic symptoms scale and the Short-Form 36 (SF-36) health survey were secondary PROMs. Patients were assessed before entry to the MBR (T0), at entry (T1), at discharge (T2) and 4 to 15 years after discharge (T3). Effects were quantified by effect size (ES). Score differences were tested for significance using parametric or non-parametric tests and linear mixed models. RESULTS: Of 299 consecutive patients from the MBR program, 229 could be contacted. Of these, 84 declined participation, five did not meet the inclusion criteria, and 26 had incomplete data. Thus, 114 patients were included. The mean follow-up time was 9.2 years. At T3, patients exhibited beneficial effects for NASS pain and disability with a moderate ES (ES = 0.63; p < 0.001). The NASS neurogenic symptoms scale was stable. The SF-36 scales showed an improvement in the bodily pain domain (ES = 1.02; p < 0.001), but no significant changes for physical functioning, physical role, general health, vitality, social functioning, emotional role, or mental health.
    The physical health component summary was improved (ES = 0.40, p = 0.002), and the mental health summary was unchanged. The linear mixed model analysis confirmed improvements in pain and disability between T1 and T3 (p = 0.010). CONCLUSIONS: The results of this study suggest that there is a long-term benefit of MBR participation in patients with CLBP.