
    Supervisory Control for Modal Specifications of Services

    In the service oriented architecture framework, a modal specification, as defined by Larsen in \cite{Lar89}, formalises how a service should interact with its environment. More precisely, a modal specification determines the events that the server may or must allow at each stage in an interactive session. Therefore, techniques to enforce a modal specification on a system would be useful for practical applications. In this paper, we investigate the adaptation of the supervisory control theory of Ramadge and Wonham to enforce a modal specification (with final states marking the ends of the sessions) on a system modelled by a finite LTS. We prove that there exists at most one most permissive solution to this control problem. We also prove that this solution is regular and we present an algorithm for the effective computation of the corresponding controller.

    Synthesis of opaque systems with static and dynamic masks

    Opacity is a security property formalizing the absence of secret information leakage, and we address in this paper the problem of synthesizing opaque systems. A secret predicate S over the runs of a system G is opaque to an external user having partial observability over G if s/he can never infer from the observation of a run of G that the run belongs to S. We choose to control the observability of events by adding a device, called a mask, between the system G and the users. We first investigate the case of static partial observability, where the set of events the user can observe is fixed a priori by a static mask. In this context, we show that checking whether a system is opaque is PSPACE-complete, which implies that computing an optimal static mask ensuring opacity is also a PSPACE-complete problem. Next, we introduce dynamic partial observability, where the set of events the user can observe changes over time and is chosen by a dynamic mask. We show how to check that a system is opaque w.r.t. a dynamic mask and also address the corresponding synthesis problem: given a system G and secret states S, compute the set of dynamic masks under which S is opaque. Our main result is that the set of such masks can be finitely represented and can be computed in EXPTIME, and this is a lower bound. Finally, we also address the problem of computing an optimal mask.

    Design environment for discrete automation systems based on the Signal language

    We present the integration of verification and controller synthesis techniques into the Signal programming environment, through the description of a prototype for the design of automation systems and of the safe software implementing them. This prototype is validated on various examples drawn from the academic world.

    Runtime Enforcement of Regular Timed Properties

    Runtime enforcement is a verification/validation technique aiming at correcting (possibly incorrect) executions of a system of interest. In this paper, we consider enforcement monitoring for systems with timing specifications (modeled as timed automata). We consider runtime enforcement of any regular timed property specified by a timed automaton. To ease their design and their correctness-proof, enforcement mechanisms are described at several levels: enforcement functions that specify the input-output behavior, constraints that should be satisfied by such functions, enforcement monitors that implement an enforcement function as a transition system, and enforcement algorithms that describe the implementation of enforcement monitors. The feasibility of enforcement monitoring for timed properties is validated by prototyping the synthesis of enforcement monitors.

    Symbolic Supervisory Control of Distributed Systems with Communications

    We consider the control of distributed systems composed of subsystems communicating asynchronously; the aim is to build local controllers that restrict the behavior of a distributed system in order to satisfy a global state avoidance property. We model distributed systems as \emph{communicating finite state machines} with reliable unbounded FIFO queues between subsystems. Local controllers can only observe the behavior of their proper subsystem and do not see the queue contents. To refine their control policy, controllers can use the FIFO queues to communicate by piggy-backing extra information (some timestamps and their state estimates) to the messages sent by the subsystems. We provide an algorithm that computes, for each local subsystem (and thus for each controller), during the execution of the system, an estimate of the current global state of the distributed system. We then define a synthesis algorithm to compute local controllers. Our method relies on the computation of (co-)reachable states. Since the reachability problem is undecidable in our model, we use abstract interpretation techniques to obtain overapproximations of (co-)reachable states. An implementation of our algorithms provides an empirical evaluation of our method.

    Synthesis of Communicating Controllers for Distributed Systems

    We consider the control of distributed systems composed of subsystems communicating asynchronously; the aim is to build local controllers that restrict the behavior of a distributed system in order to satisfy a global state avoidance property. We model our distributed systems as communicating finite state machines with reliable unbounded FIFO queues between subsystems. Local controllers can only observe their proper local subsystems and do not observe the queues. To refine their control policy, they can use the FIFO queues to communicate by piggybacking extra information to the messages sent by the subsystems. We define synthesis algorithms that compute the local controllers. We explain how we can ensure the termination of this control algorithm by using abstract interpretation techniques to overapproximate queue contents by regular languages. An implementation of our algorithms provides an empirical evaluation of our method.

    Automatic generation of safe handlers for multi-task systems

    We are interested in the programming of real-time embedded control systems, such as in robotic, automotive or avionic systems. They are designed with multiple tasks, each with multiple modes. It is complex to design task handlers that control the switching of activities in order to ensure safety properties of the global system. We propose a model of tasks in terms of transition systems, designed especially with the purpose of applying existing discrete controller synthesis techniques. This provides us with a systematic methodology for the automatic generation of safe task handlers, with the support of synchronous languages and associated tools.

    Various Notions of Opacity Verified and Enforced at Runtime

    In this paper, we are interested in the validation of opacity, where opacity means the impossibility for an attacker to retrieve the value of a secret in a system of interest. Roughly speaking, ensuring opacity provides confidentiality of a secret on the system that must not leak to an attacker. More specifically, we study how we can verify and enforce, at system runtime, several levels of opacity. Besides already considered notions of opacity, we also introduce a new one that provides a stronger level of confidentiality.

    A case study in applying discrete control synthesis to excavator operation

    Robotic and control systems are ever more complex to design, program, and operate. Existing theoretical work and tool support in discrete control synthesis can be applied to improve task-level robot programming. This requires determining patterns of tasks and objectives that are at once domain-specific to robotics and generic enough to cover a broad class of control systems. We illustrate such a framework by a case study concerning the interactive discrete control of tasks in an excavating system.

    An Efficient Modular Method for the Control of Concurrent Discrete Event Systems: A Language-Based Approach

    In this paper, we are interested in the control of a particular class of Concurrent Discrete Event Systems defined by a collection of components that interact with each other. We investigate the computation of the supremal controllable language contained in the language of the specification. We do not adopt the decentralized approach. Instead, we have chosen to use a modular centralized approach and to perform the control on some approximations of the plant derived from the behavior of each component. The behavior of these approximations is restricted so that they respect a new language property for discrete event systems, called the partial controllability condition, that depends on the specification. It is shown that, under some assumptions, the intersection of these "controlled approximations" corresponds to the supremal controllable language contained in the specification with respect to the plant. This computation is performed without having to build the whole plant, hence avoiding the state space explosion induced by the concurrent nature of the plant. It is finally shown that the class of specifications on which our method can be applied strictly subsumes the class of separable specifications.