Cybersecurity is increasingly becoming a great concern as networks of embedded-systems and computers are integrated into almost all aspects of our daily life and society. Exchanging confidential information over these networks is crucial in many applications, ranging from smart phones and home automation to banking services. This raises a serious concern on the vulnerability of these systems.
Many efforts have been made to develop reliable and secure systems that led to various notions of security/privacy. One class of security/privacy notations is related to Information flow from the system to an external observer [focardi1994taxonomy]. Opacity is a type of information-flow property that characterizes whether the system’s secret information can be inferred by an external observer termed intruder with potentially malicious intentions [lin2011opacity]. It is usually assumed that the intruder knows the system’s structure but has only partial observation over its behavior [jacob2016overview]. The system is considered to be opaque if the intruder is not able to unambiguously determine the system secrets from its observations.
In recent years, opacity has been extensively studied in the discrete event system (DES) literature, and different notions of opacity have been proposed, including current-state opacity [saboori2007notions], language-based opacity [lin2011opacity], initial-state opacity [saboori2013verification], step, and infinite-step opacity [YIN2017162]. Interested readers may refer to [jacob2016overview] for a comprehensive review on various notions of opacity.
It is worthy pointing out that the intruder model considered in these methods is a passive observer who is only able to partially observe the system behavior. However, many real-world systems are interacting with malicious and hostile environments, whose capability is beyond a passive observation. A system’s malicious environment can act as an active intruder, who strategically injects a certain input to the system and observers the system’s response to infer its secret. For instance, web browsers and client-side web applications are typical cases of such systems since they interact with remote and possibly untrusted clients that raise a serious concern about the privacy of local users’ data [bohannon2009reactive].
In this paper, we aim at extending the opacity notion in the presence of an active intruder. In particular, who is capable of manipulating the system’s input and partially observing the system output. This setup naturally models reactive systems [partovi2019reactive], such as interactive programs [o2006information] and web services [bohannon2009reactive], where input provided by the environment (possibly intruder) and the output of the system is exchanged continuously throughout the indefinite execution of the system.
Toward this aim, we introduce reactive current-state opacity (RCSO) characterizing the active intruder’s ability in manipulating the system’s input to certainly determine if the system’s current-state is a secret state. We furthermore extend this notion to reactive language-based opacity and reactive initial-state opacity. Reactive language-based opacity requires the secret behavior of the system to be indistinguishable from a non-secret one. Reactive initial-state opacity notions ensure the active intruder cannot unambiguously determine if the system starts from a secret initial-state. Upon these opacity notions, we present their relationship, the feasibility of each notion, and a procedure to transform one to the other. It turns out that all the proposed reactive opacity notions are equivalent to RCSO. We therefore focus on RCSO, and we study its verification problem.
Formal verification of current-state opacity is addressed in [bryans2005opacity] and is further extended to other notions of opacity in [saboori2007notions, saboori2013verification]
. In analogs to verification of opacity with the passive intruder, here we propose to construct an observer automata. Given the intruder choice of input and the system response (the observable output event), the observer states capture the estimated current-state of the system. Hence, the RCSO verification problem can be reduced to finding the observer states that include a singleton of the secret states.
The contribution of this paper can be summarized as follows. (i) Consider a new intruder model who has the capability of injecting input into the system; (ii) associated with the new intruder model, we introduce a new class of opacity definitions including the reactive current-state, reactive initial-state, and reactive language-based opacity notions and studies the relationship among them; (iii) provide necessary and sufficient conditions for verification of reactive current-state opacity.
Ii Related Notations
In this section, we review some preliminary notations that will be used throughout the paper. For a given finite set (alphabet) of events , a finite word , , is a finite sequence of elements in , for all , and . We denote the length of by . Let , and be finite words, is their concatenations. The notation refers to the power set of , that is, the set of all subsets of . A set difference is . The free monoid generated by is the set of all finite sequences , including the empty sequence denoted by . A subset of is called a language over . The prefix-closure of a language , denoted as , is the set of all prefixes of words in , i.e., . is said to be prefix-closed if . Let’s consider alphabet sets , , and their set product . A relation over sets and is a subset of the Cartesian product . A regular (or rational) relation over the alphabets and is formed from a finite combination of the following rules: 1: ), 2: is a regular relation, and 3: If , are regular relations, then so are , , and . Projection function to sets and are respectively denoted as , , and inductively are defined by , and , and , we have , and .
A non-deterministic finite state automata (NFA) is a 4-tuple composed of finite state , a finite set of event , a partial state transition function , and the set of initial states . The transition function can be extended to word in a standard recursive manner. The behavior of NFA is captured by , and for a given initial state is . is called deterministic finite automata (DFA) if for any and that is defined, .
Iii Open Discrete Event System
The finite-state transducers capture transformation of data that is realized by processing inputs and producing outputs using finite memory [mohri2004weighted]. We use non-deterministic finite-state transducer (NFT) to characterize the interaction between the system and its environment. Throughout this paper, we refer to NFT as an open DES to emphasize a system model which receives input from an active intruder.
Definition 1 (Non-deterministic Finite-State Transducer)
The nondeterministic finite-state transducer is defined by , where is the finite set of states, is finite set of external events, , is the finite set of output events which is partitioned to two disjoint sets of observable output events and unobservable output events . is the set of initial states. The state transition function is , and is the output function, where and .
The notation means that is defined for and state . The extension of to words is denoted as and can be defined recursively for all as if , and if and [khalili2014learning]. Here, for each , indicates that if the input is the empty word, we will remain at the current state. The extension of output function to words also is denoted as , and it can be defined as follows. Given any , and , we have for some , if and only if, either , or , for some , and , and there exists a state such that , , and . The recognized language of is . Throughout the paper, we use as a shorthand for , for , and for .
Given an input word , the output word will not be uniquely determined, due to the non-determinism of the transition and output functions. For each and , a set of possible output words is defined inductively as follows:
, , such that :
We denote . The set of all possible output words in is denoted by , that is, . We call the output language of .
Consider the open DES shown in Figure 1, where , , and the initial state is . An edge in the model is in the form of , where , represents the input event, and and denotes the set of possible output events. Multiple labels over an edge indicates multiple enabled transitions. For instance, for , we have , that is, two output words, , and are possible.
If there are marked states, we define open DES as , where are the marked states. The input-output language of , denoted as , is defined by , and its input-output marked language is given by . The input-output languages of is a regular relation over the set that can be conveniently recognized by an non-deterministic finite-state transducer [bouajjani2000regular].
The accessible part of an NFT is denoted by and is obtained by removing the states that cannot be reached from any initial state in finite number of steps. The coaccessible part of , denoted by is an NFT obtained by deleting the states that cannot reach to the marked states . The trim operation, denoted by , transforms to another NFT as a part of that is both accessible and coaccessible, formally [cassandras2009introduction]. Similarly, for an NFA , we can define , , and .
Iv Opacity Of Discrete-Event Systems
Opacity is characterized by the system’s secret and the intruder’s observation mapping over the system’s executions. The system is opaque, if for any execution run that contains secret, there exists another non-secret run which is observably equivalent. In the formalism of opacity, the intruder is considered as an observer who has full knowledge of the system structure but has a partial observability over it. Typically, the intruder’s partial observability is modeled by a natural projection function. The natural projection is , and for any , and , it is defined recursively by , and if and otherwise .
The system secret information or behavior can be represented in different ways, such as secret states and languages. In the conventional opacity of DESs with passive intruder, various opacity notions for different representation of secret have been introduced including but not limited to current-state, language-based, and initial-state opacity [jacob2016overview].
Iv-a Current-State Opacity
Here, we first discuss the current-state opacity (CSO) definition when the intruder is just a passive observer; and later, we will show how an active intruder can force a current-state opaque system to expose its secret states.
Definition 2 (Current-State Opacity)
Given a non-deterministic finite-state automata , and a passive intruder with projection function , a set of secret state , the system is current-state opaque if and such that , there exists and , such that and .
Intuitively, when the intruder can only observe the system outputs with projection , is current-state opaque if for every word leading to a secret state in , there exists at least another word that leads to non-secret states whose projection is the same. Thus, the intruder can never determine that the system’s current state is in . One can check whether the system with a passive intruder is current-state opaque by constructing a current-state estimator (observer) and by verifying that no (nonempty) current-state estimate lies entirely within the set of secret states [hadjicostis2014opacity].
Consider the open DES depicted in Figure 1 with , , and . We first assume the intruder is passive and can only observe the observable outputs through projection function . In order to evaluate CSO on , we can associate a NFA with the open DES . Let’s consider the NFA , where the transition function , for any , and , is defined as , if there exists such that and ; otherwise is not defined. We can construct an observer automata to check if is current-state opaque with respect to , and . The observer is shown in Figure 2. The observer shows the secret state never lies entirely on single state of the observer, and hence, is current-state opaque with respect to and . However, if the intruder is capable of providing a certain input word to the system and observe the system’s output through , she can infer when the system is in the secret state. Specifically, consider the input word that drives the system to land on one of the states , and here, if the active intruder chooses , i.e., and observes , she can infer the current-state of the system is certainly at the secret state . However, if is an unobservable event, the active intruder with the same input word , cannot determine whether the system is at or .
As Example 2 illustrates, an active intruder can force the open DES to expose his secret-state. We, therefore, need a new current-state opacity notion that captures this active intruder ability. In particular, we consider an active intruder who has full knowledge of the open DES model; and is capable of injecting input to the system and (partially) observing the system output.
To evaluate an open DES current-state opacity, we can construct a current-state estimator that tracks the active intruder estimated states. Given an input word accepted by the system , and an observed word , the current-state estimator is defined by:
The current-state estimator essentially characterizes a set of states which the open DES lands on as a result of the input word , and meanwhile it produces the observable sequences . We also define the current-state estimator for a given initial state , as . We use instead of , and for , when it is clear from the context. Upon this current-state estimator, we define the reactive current-state opacity in the following.
Definition 3 (Reactive Current-State Opacity)
Given an open DES , projection function , and the set of secret states , the system is reactive current-state opaque (RCS-opaque) if for any there exists such that:
, we have .
Intuitively, the open DES is RCS-opaque, if with any input word that is recognized by , i.e., , i) there exists an initial state such that the system with does not land entirely at the secret states, i.e., ; and ii) for any possible observable output word associated with the input, , we have , that is, the intruder cannot use the observed output events to resolve the non-determinism of the transition function to infer the current secret state of the system.
In the definition of RCSO, the input word , is not required to be restricted to the recognized words by the open DES , , and it can be any . However, clearly does not accept any , and hence, it does not reveal any secret.
Consider the system in Figure 1, with secret state set . In this case, is not RCSO since the intruder with input word , and regardless of the observed output events, can ensure the system current-state is . However, if , the system with any , does not proceed solely to , and therefore, the intruder potentially can use the observed output events to infer the secret state from the system’s possible current-states. For instance, with , the possible current-states of the system are , and if the observed output word is , where is any , the intruder is able to certainly infer the current-state of is the secret state , that indicates is not RCS-opaque.
The proposed RCSO notion with an active intruder is a generalization of CSO notion with the passive intruder. As it is illustrated in Example 2, if we consider open DES with a passive intruder who has a partial observation on the system’s output, the proposed RCSO can capture the CSO notion.
Iv-B Other Opacity Notions
Other notions of opacity can be extended to the open DESs with an active intruder. In this paper, we introduce reactive language-based and reactive initial-state opacity notions. The reactive language-based opacity (RLBO) characterizes a secret run of the system that should be protected against an active intruder.
Definition 4 (Reactive Language-Based Opacity)
Given an open DES , projection function , and secret output language , and non-secret output language , is reactive language-based opaque, if for all , and any that , there exists such that:
such that .
Intuitively, is reactive language-based opaque with respect to the secret output language , non-secret output language , and the projection function , if for any input word that generates secret output word, , there exists an initial state , such that the same input word from the intruder can be associated with a non-secret output word, , and additionally, for any secret output word there exists a non-secret output word , such that they have the same observation .
Initial-state opacity is another notion of opacity defined over the system secret initial states. For open DESs, reactive initial-state opacity (RISO) can be defined as follows.
(Reactive Initial State Opacity) Given an open DES , projection function , and secret initial state set , and non-secret initial state set , is reactive initial-state opaque, if and any input words with any , there exists a non-secret initial-state and such that .
An open DES is reactive initial-state opaque with respect to the secret initial-state set , non-secret initial-state set , and the projection function , if for any secret initial-state , and any input word , that generates an output word , i.e., , there exists a non-secret initial state , and an output word , associated with and , such that, and have the same observation, i.e., .
Similar to the opacity notions with a passive intruder [wu2013comparative], there is a relationship between the proposed reactive opacity notions. We call a problem of checking if a given open DES satisfies the RCSO conditions, a RCSO problem. Similarly, in the sequel, we use the terms RLBO and RISO problems. We mainly follow the idea proposed in [wu2013comparative] to transform the reactive opacity problems to each other.
A RLBO problem can be converted to an equivalent RCSO problem.
Construct an NFT such that , and an NFT that accepts . Then consider and as single NFT by constructing , and define the secret and non-secret state sets respectively as and . Therefore, for any , and , there exist and with and , such that ; and if and , indicating is reactive language-based opaque, we have and with and , such that , which implies is RCS-opaque.
The other direction of this transformation is also possible. A RCSO problem can be converted to an equivalent RLBO problem.
A RCSO problem can be converted to an equivalent RLBO problem.
Given an RCSO problem with , secret states , and non-secret states set . Construct an NFT with as the marked states, defined as , and another NFT with as the marked states, given by . Then define the secret and non-secret output language respectively by and .
RISO problem can be converted to an equivalent RLBO problem.
Given open RISO problem with , secret initial-state set , and non-secret initial state set , construct an NFT by trimming to only the secret initial-state set , given as , and similarly construct another NFT with as initial-state set, . Then combine and as , and define the secret and non-secret output languages respectively by , and .
The other direction of this transformation does not always hold. A RLBO problem can be transformed to an equivalent RISO only if and are prefix-closed.
Given a RLBO problem with prefix-closed and , there exists an equivalent RISO problem.
Given an RLBO problem with the open DES , and prefix-closed secret output language , and prefix-closed non-secret output language . Construct an NFT such that , and an NFT that accepts . Then consider and as single NFT by constructing , and define the secret and non-secret initial-state sets respectively as and .
It is shown that the proposed RCSO and RLBO are equivalent properties for . The RISO can be transformed to a RLBO property, however, the reverse of this transformation (RLBO to RISO), only holds for prefix-closed secret and non-secret languages. Therefore, if the prefix-closed conditions hold, RISO is also an equivalent property to RCSO. Figure 3 illustrates this relation.
V RCSO Verification
In this section, we present the verification of RCSO notion for open DESs. Similar to current-state opacity with a passive intruder [saboori2007notions], we can construct an observer automata to verify if an open DES is RCS-opaque. In conventional opacity with a passive intruder, the observer is constructed to track the system states based on the observable events [hadjicostis2014opacity]. In the reactive opacity formalism, however, the intruder knows the injected input word, and hence the system (non-deterministic) transitions. As it is illustrated in Example 3, the active intruder can utilize the system observable responses to resolve the ambiguity of his estimation caused by the system’s non-deterministic transition. The observer for RCSO verification ,therefore, should include both possible input and observable output behavior of the system to track the estimated states. Furthermore, an open DES may only have a single and perhaps unique unobservable output event for a given input that can reveal a secret state. Therefore, in contrary to the conventional opacity with passive intruder, an active intruder can even use an unobservable response to infer the open DES states. This ability should be encoded in the active intruder observer.
Definition 6 (Observer for RCSO)
Given an open DES , a projection function with respect to the observable output events , the observer automata is a deterministic finite-state automata with state set , the initial state set is . Let’s denote , the transition function is , that for any , , and an observable event is given by , and for an unobservable event, it is defined by .
The initial estimated states is constructed based on the combination of the possible initial states, , and any initial transitions with no input to the open DES, i.e., . Note that, based on the definition of open DES in Definition 1, for any , we have , and therefore, is solely defined based on and . In the constructed observer, captures the active intruder ability to infer the system transition when he injects input and receives no observable output.
Given the constructed observer , one can verify if is RCS-opaque by checking if there exists any state which is reachable from and only contains the system secret states , i.e., . The RCSO verification based on the proposed observer construction is formally given in the following theorem.
Given an open DES , the projection function , the secret state set , the associated observer can be constructed by following Definition 6. Then is RCS-opaque if and only if for all either or holds.
Necessary: here we show if is RCS-opaque, then there is no state in the constructed observer (following Definition 6) that . Let’s denote as the reachable states in . To prove this part, we only need to show that for any input word and the observed output word, the states in the observer are the estimated current-state of the system. Consider any , such that , then since , there should exists , and such that , , and . In addition, following Definition 6, and provides the same estimated states, meaning, for any , we have with . Therefore, if is RCS-opaque, then which implies .
Sufficiency: here we show if for all , we have then should be RCS-opaque. We prove this part by contradiction. Let’s assume is not RCS-opaque that implies there should exists a such that for some . Therefore, similar to the necessary part, we know and with and , provide the same estimated states. This implies, we have the observer state that which contradicts the first assumption.
The following example illustrates the observer construction described above.
In the conventional opacity formalism, the intruder is considered as a passive observer. In this paper, we studied opacity in the presence of an active intruder which beyond a passive observation, is capable of manipulating the system behavior. In this setup, the active intruder can inject a certain input to the system and combine it with the observed system response to infer the secrets. We therefore introduced reactive opacity notions which characterize a property that regardless of how the intruder selects the input word, the system’s secret property remains indistinguishable from the non-secrets. We furthermore showed that all the proposed reactive opacity notions can be transformed into the RCSO. Given a RCSO notion and a system modeled as NFT, we proposed an automata-based method to verify if the system respects RCSO requirements. In the future works, we plan to study probabilistic reactive opacity for stochastic DESs.