19 research outputs found

    Partially-Observable Security Games for Automating Attack-Defense Analysis

    Full text link
    Network systems often contain vulnerabilities that remain unfixed in a network for various reasons, such as the lack of a patch or knowledge to fix them. With the presence of such residual vulnerabilities, the network administrator should properly react to the malicious activities or proactively prevent them, by applying suitable countermeasures that minimize the likelihood of an attack by the attacker. In this paper, we propose a stochastic game-theoretic approach for analyzing network security and synthesizing defense strategies to protect a network. To support analysis under partial observation, where some of the attacker's activities are unobservable or undetectable by the defender, we construct a one-sided partially observable security game and transform it into a perfect game for further analysis. We prove that this transformation is sound for a sub-class of security games and a subset of properties specified in the logic rPATL. We implement a prototype that fully automates our approach, and evaluate it by conducting experiments on a real-life network.

    Symbolic Abstract Heaps for Polymorphic Information-flow Guard Inference (Extended Version)

    Full text link
    In the realm of sound object-oriented program analyses for information-flow control, very few approaches adopt flow-sensitive abstractions of the heap that enable a precise modeling of implicit flows. To tackle this challenge, we advance a new symbolic abstraction approach for modeling the heap in Java-like programs. We use a store-less representation that is parameterized with a family of relations among references to offer various levels of precision based on user preferences. This enables us to automatically infer polymorphic information-flow guards for methods via a co-reachability analysis of a symbolic finite-state system. We instantiate the heap abstraction with three different families of relations. We prove the soundness of our approach and compare the precision and scalability obtained with each instantiated heap domain by using the IFSpec benchmarks and real-life applications.

    Notions of Conformance Testing for Cyber-Physical Systems: Overview and Roadmap (Invited Paper)

    No full text
    We review and compare three notions of conformance testing for cyber-physical systems. We begin with a review of their underlying semantic models and present conformance-preserving translations between them. We identify the differences in the underlying semantic models and the various design decisions that lead to these substantially different notions of conformance testing. Learning from this exercise, we reflect upon the challenges in designing an "ideal" notion of conformance for cyber-physical systems and sketch a roadmap of future research in this domain.

    AT-DIFC+: Toward Adaptive and Trust-Aware Decentralized Information Flow Control

    No full text
    Modern software systems and their corresponding architectures are increasingly decentralized, distributed, and dynamic. As a consequence, decentralized mechanisms are required to ensure security in such architectures. Decentralized Information Flow Control (DIFC) is a mechanism to control information flow in distributed systems. This article presents and discusses several improvements to an adaptive decentralized information flow approach that incorporates trust for decentralized systems to provide security. Adaptive Trust-Aware Decentralized Information Flow (AT-DIFC+) combines decentralized information flow control mechanisms, trust-based methods, and decentralized control architectures to control and enforce information flow in an open, decentralized system. We strengthen our approach against newly discovered attacks and provide additional information about its reconfiguration, decentralized control architectures, and reference implementation. We evaluate the effectiveness and performance of AT-DIFC+ on two case studies and perform additional experiments to gauge the mitigations' effectiveness against the identified attacks.

    Self-Adaptive Trust-aware Decentralized Information Flow Control, extended version

    No full text
    Modern software systems and their corresponding architectures are decentralized, distributed, and dynamic. As a consequence, decentralized mechanisms are also required to ensure security in such architectures. Decentralized Information Flow Control (DIFC) is a mechanism to control information flow in distributed systems. However, DIFC mechanisms require the resolution of specific centralized control and trust issues. In this paper, we propose an adaptive, trust-aware, decentralized information flow approach that incorporates trust in DIFC for decentralized systems. We employ decentralized feedback loops to enable decentralized control and adaptive trust assignments. In our approach, adaptivity mitigates two aspects of systems dynamics that cause uncertainty: the ever-changing nature of trust and the system openness. We formalize our trust-aware DIFC model and instantiate two decentralized feedback loop architectures to implement it.

    Synthesizing structural and behavioral control for reconfigurations in component-based systems

    No full text
    Correctness of the behavior of an adaptive system during dynamic adaptation is an important challenge to realize correct adaptive systems. Dynamic adaptation refers to changes to both the functionality of the computational entities that comprise a composite system, as well as the structure of their interconnections, in response to variations in the environment, e.g., the load of requests on a server system. In this research, we view the problem of correct structural adaptation as a supervisory control problem and synthesize a reconfiguration controller that guides the behavior of a system during adaptation. The reconfiguration controller observes the system behavior during an adaptation and controls the system behavior by allowing/disallowing actions in a way to ensure that a given property is satisfied and a deadlock is avoided. The system during adaptation is modeled using a graph transition system and properties to be enforced are specified using a graph automaton. We adapt a classical theory of supervisory control for synthesizing a controller for controlling the behavior of a system modeled using graph transition systems. This theory is used to synthesize a controller that can impose both behavioral and structural constraints on the system during an adaptation. We apply a tool that we have implemented to support our approach on a case study involving HTTPS servers.