1 / 17

Verification of Information Flow Properties in Cyber-Physical Systems

Verification of Information Flow Properties in Cyber-Physical Systems. Ravi Akella, Bruce McMillin Department of Computer Science Missouri University of Science & Technology Rolla, MO, USA.

dane
Download Presentation

Verification of Information Flow Properties in Cyber-Physical Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Verification of Information Flow Properties in Cyber-Physical Systems Ravi Akella, Bruce McMillin Department of Computer Science Missouri University of Science & Technology Rolla, MO, USA This work was supported in part by the Future Renewable Electric Energy Delivery and Management Systems Center (FREEDM); a National Science Foundation supported Engineering Research Center, under grant NSF EEC-0812121 and in part by the Missouri S&T Intelligent Systems Center. CPS Week 2011: Workshop on Foundations of Dependable and Secure Cyber-Physical Systems April 11, 2011 Chicago, Illinois

  2. Cyber-Physical Systems (CPS) • Integrations of computational and physical processes • An example CPS is the FREEDM system: a smart grid managed with Distributed Grid Intelligence (DGI) • DGI consists of cyber processes that perform distributed computation to efficiently manage distributed energy resources by interfacing with Intelligent Energy Management (IEM) • There is an inter-dependence of events within the physical and cyber processes

  3. CPS Interactions • Cyber events within a CPS involve: • distributed computation, • communication with other cyber components, and • communication with the physical component that it controls. • Physical events include: • a local state change of the physical subsystem resulting from a cyber component controlling it, • a local physical state change resulting from the dynamics of the physical system, and • the observability of the physical system modeled as events

  4. CPS Smart grid Interactions IEM1 IEM2 IEM3 c DGI DGI DGI b a e SST SST SST d PHEV Load PV PHEV Load Wind Battery Load PV e Read state of Physical system a a At this IEM, information obtained from the observable physical event yields information about the cyber command (b) Issue command to make a setting b a c c Message exchange including partial state information b e c d Power draw or contribution on the shared power bus Event due to physical flow on the shared power bus b e d e d

  5. Information flow usecase of a CPS

  6. Objective: Analyze Information Flow Security in CPS • Information Flow Security aims at guaranteeing that no high level (confidential) information is revealed to users at a low level, even in the presence of any possible cyber/physical process • Potential information flow models for CPSs: • Non-Interference: Information does not flow from high to low if the high behavior has no effect on what low level observer can observe • Non-Inference: leaves a low level observer in doubt about high level events. • Non-deducibility: Given a set of low-level outputs, no low-level subject should be able to deduce anything about the high-level inputs [Sutherland]. • Composition of deduciblysecure systems: not composable [McCullough] • McCullough`s Generalized noninterference-secure property considers non-determinism of real systems

  7. Information Flow Security for CPSProcess Algebra Approach • A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events • We propose a process algebraic approach adopted to analyze the information flow in CPSs • Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High) • Using process algebra, bisimulation provides a formal method to determine nondeducibility.

  8. Bisimulation-based NonDeducibility on Composition (BNDC) A system E is BNDC if for every high level process ∏, a low level user cannot distinguish E from E|∏ E| ∏ : Parallel Composition of E1& ∏ where executions of the two systems are interleaved

  9. Bisimulation • Two processes are weakly bisimilarif they are able to mutually simulate their behavior step by step. • In a weak bisimilarity relation, internal silent actions (τ) between processes is ignored. E1 and E2 are bisimilar and they both simulate E3E3 is not bisimilar to E1

  10. Strong BNDC (SBNDC) The system before and after execution of a high level event remains indistinguishable to the low level domain E E’ E’’ h E’\H E’’\H

  11. Simplification of SBNDC: BisimulationuptoH The problem of verifying weak bisimulation for all high level transitions of the system can be transformed into finding a bisimulation up to H relation E\H E

  12. Invariance of Flow in a CPS DGI DGI DGI SST SST SST Battery Load PV Battery Load PV Battery Load PV Power shared between 1 and 2 due to DGI algorithm Power flow satisfies the Kirchhoff's law of invariance on the bus that can be represented as a physical event

  13. Smart grid in terms of SPA DGI DGI DGI SST SST SST Battery Load PV Battery Load PV Battery Load PV

  14. SBNDC for FREEDM The system before and after execution of a high level event remains indistinguishable to the low level domain E E’ E’’ h E’\H E’’\H

  15. SBNDC for FREEDM • Such processes can be modified to satisfy SBNDC by inserting a complementary High level output, to make an internal action (τ) that is not observable • Such compensating events hide the physically observable effects

  16. Our Current Work • Prototype DGI for FREEDM – IEEE SmartGridComm 2010 Akella/Ditch/McMillin/Meng/Crow • Full Specification of DGI in SPA – EWICS SAFECOMP 2010 Akella/McMillin • Formal Verification of Transmission Grid/Pipeline Network Security with SPA/CoPS – J. of Critical Infrastructure Protection – Akella/Tang/McMillin 2010 • Component Construction for Constructing Secure Smart Grid Systems – IEEE COMPSAC 2011 Gamage/Roth/McMillin

  17. Directions for future work • Information flow analysis, with its origins in computational systems, can be extended to the realm of cyber-physical systems to verify their security • Representation of physical events including attributes such as invariance and physical observability expose potential confidentiality violations • Process algebra presents a uniform model of defining cyber and physical processes that can be mechanically verified • Model checking complexity incurred in automating the verification of CPS processes can be reduced using techniques like partial order reduction and new bisimulation techniques to reduce state space

More Related