I Introduction
Cybersecurity is increasingly becoming a great concern as networks of embedded systems and computers are integrated into almost all aspects of our daily life and society. Exchanging confidential information over these networks is crucial in many applications, ranging from smart phones and home automation to banking services. This raises a serious concern about the vulnerability of these systems.
Many efforts have been made to develop reliable and secure systems, leading to various notions of security/privacy. One class of security/privacy notions is related to information flow from the system to an external observer [focardi1994taxonomy]. Opacity is a type of information-flow property that characterizes whether the system’s secret information can be inferred by an external observer, termed the intruder, with potentially malicious intentions [lin2011opacity]. It is usually assumed that the intruder knows the system’s structure but has only partial observation of its behavior [jacob2016overview]. The system is considered opaque if the intruder is not able to unambiguously determine the system secrets from its observations.
In recent years, opacity has been extensively studied in the discrete event system (DES) literature, and different notions of opacity have been proposed, including current-state opacity [saboori2007notions], language-based opacity [lin2011opacity], initial-state opacity [saboori2013verification], step, and infinite-step opacity [YIN2017162]. Interested readers may refer to [jacob2016overview] for a comprehensive review of the various notions of opacity.
It is worth pointing out that the intruder model considered in these methods is a passive observer who is only able to partially observe the system behavior. However, many real-world systems interact with malicious and hostile environments whose capability goes beyond passive observation. A system’s malicious environment can act as an active intruder who strategically injects a certain input into the system and observes the system’s response to infer its secret. For instance, web browsers and client-side web applications are typical cases of such systems, since they interact with remote and possibly untrusted clients, which raises a serious concern about the privacy of local users’ data [bohannon2009reactive].
In this paper, we aim to extend the opacity notion to the presence of an active intruder, in particular one who is capable of manipulating the system’s input and partially observing the system output. This setup naturally models reactive systems [partovi2019reactive], such as interactive programs [o2006information] and web services [bohannon2009reactive], where the input provided by the environment (possibly the intruder) and the output of the system are exchanged continuously throughout the indefinite execution of the system.
Toward this aim, we introduce reactive current-state opacity (RCSO), characterizing the active intruder’s ability to manipulate the system’s input so as to determine with certainty whether the system’s current state is a secret state. We furthermore extend this notion to reactive language-based opacity and reactive initial-state opacity. Reactive language-based opacity requires the secret behavior of the system to be indistinguishable from a non-secret one. Reactive initial-state opacity ensures that the active intruder cannot unambiguously determine whether the system starts from a secret initial state. For these opacity notions, we present their relationship, the feasibility of each notion, and a procedure to transform one into the other. It turns out that all the proposed reactive opacity notions are equivalent to RCSO. We therefore focus on RCSO, and we study its verification problem.
Formal verification of current-state opacity is addressed in [bryans2005opacity] and is further extended to other notions of opacity in [saboori2007notions, saboori2013verification]. Analogously to the verification of opacity with a passive intruder, here we propose to construct an observer automaton. Given the intruder’s choice of input and the system response (the observable output event), the observer states capture the estimated current state of the system. Hence, the RCSO verification problem can be reduced to finding the observer states that consist solely of secret states.
The contribution of this paper can be summarized as follows. (i) We consider a new intruder model who has the capability of injecting input into the system; (ii) associated with the new intruder model, we introduce a new class of opacity definitions, including the reactive current-state, reactive initial-state, and reactive language-based opacity notions, and study the relationship among them; (iii) we provide necessary and sufficient conditions for the verification of reactive current-state opacity.
II Related Notations
In this section, we review some preliminary notation that will be used throughout the paper. For a given finite set (alphabet) of events , a finite word , , is a finite sequence of elements in , for all , and . We denote the length of by . Let , and be finite words; is their concatenation. The notation refers to the power set of , that is, the set of all subsets of . A set difference is . The free monoid generated by is the set of all finite sequences , including the empty sequence denoted by . A subset of is called a language over . The prefix-closure of a language , denoted as , is the set of all prefixes of words in , i.e., . is said to be prefix-closed if . Let’s consider alphabet sets , , and their set product . A relation over sets and is a subset of the Cartesian product . A regular (or rational) relation over the alphabets and is formed from a finite combination of the following rules: 1: ), 2: is a regular relation, and 3: If , are regular relations, then so are , , and . The projection functions to the sets and are respectively denoted as , , and are inductively defined by , and , and , we have , and .
A nondeterministic finite-state automaton (NFA) is a 4-tuple composed of a finite set of states , a finite set of events , a partial state transition function , and the set of initial states . The transition function can be extended to words in the standard recursive manner. The behavior of the NFA is captured by , and for a given initial state it is . is called a deterministic finite automaton (DFA) if for any and for which is defined, .
III Open Discrete Event System
Finite-state transducers capture transformations of data that are realized by processing inputs and producing outputs using finite memory [mohri2004weighted]. We use nondeterministic finite-state transducers (NFTs) to characterize the interaction between the system and its environment. Throughout this paper, we refer to an NFT as an open DES to emphasize a system model which receives input from an active intruder.
Definition 1 (Nondeterministic Finite-State Transducer)
The nondeterministic finite-state transducer is defined by , where is the finite set of states, is the finite set of external events, , is the finite set of output events, which is partitioned into two disjoint sets of observable output events and unobservable output events . is the set of initial states. The state transition function is , and is the output function, where and .
The notation means that is defined for and state . The extension of to words is denoted as and can be defined recursively for all as if , and if and [khalili2014learning]. Here, for each , indicates that if the input is the empty word, we remain at the current state. The extension of the output function to words is also denoted as , and it can be defined as follows. Given any , and , we have for some , if and only if either , or , for some , and , and there exists a state such that , , and . The recognized language of is . Throughout the paper, we use as a shorthand for , for , and for .
Given an input word , the output word will not be uniquely determined, due to the nondeterminism of the transition and output functions. For each and , a set of possible output words is defined inductively as follows:

,

, , such that :
.
We denote . The set of all possible output words in is denoted by , that is, . We call the output language of .
Example 1
Consider the open DES shown in Figure 1, where , , and the initial state is . An edge in the model is of the form , where represents the input event, and and denote the set of possible output events. Multiple labels over an edge indicate multiple enabled transitions. For instance, for , we have , that is, two output words, and , are possible.
If there are marked states, we define the open DES as , where are the marked states. The input-output language of , denoted as , is defined by , and its input-output marked language is given by . The input-output language of is a regular relation over the set that can be conveniently recognized by a nondeterministic finite-state transducer [bouajjani2000regular].
The accessible part of an NFT is denoted by and is obtained by removing the states that cannot be reached from any initial state in a finite number of steps. The coaccessible part of , denoted by , is an NFT obtained by deleting the states that cannot reach the marked states . The trim operation, denoted by , transforms into the part of that is both accessible and coaccessible; formally, [cassandras2009introduction]. Similarly, for an NFA , we can define , , and .
IV Opacity of Discrete-Event Systems
Opacity is characterized by the system’s secret and the intruder’s observation mapping over the system’s executions. The system is opaque if, for any execution run that contains a secret, there exists another non-secret run which is observably equivalent. In the formalism of opacity, the intruder is considered an observer who has full knowledge of the system structure but only partial observability of it. Typically, the intruder’s partial observability is modeled by a natural projection function. The natural projection is , and for any and it is defined recursively by , and if and otherwise .
The system’s secret information or behavior can be represented in different ways, such as secret states and secret languages. In the conventional opacity of DESs with a passive intruder, various opacity notions for different representations of the secret have been introduced, including but not limited to current-state, language-based, and initial-state opacity [jacob2016overview].
IV-A Current-State Opacity
Here, we first discuss the current-state opacity (CSO) definition when the intruder is just a passive observer; later, we will show how an active intruder can force a current-state opaque system to expose its secret states.
Definition 2 (Current-State Opacity)
Given a nondeterministic finite-state automaton , a passive intruder with projection function , and a set of secret states , the system is current-state opaque if and such that , there exist and such that and .
Intuitively, when the intruder can only observe the system outputs through the projection , is current-state opaque if for every word leading to a secret state in , there exists at least one other word that leads to non-secret states and whose projection is the same. Thus, the intruder can never determine that the system’s current state is in . One can check whether the system with a passive intruder is current-state opaque by constructing a current-state estimator (observer) and by verifying that no (non-empty) current-state estimate lies entirely within the set of secret states [hadjicostis2014opacity].
Example 2
Consider the open DES depicted in Figure 1 with , , and . We first assume the intruder is passive and can only observe the observable outputs through the projection function . In order to evaluate CSO on , we can associate an NFA with the open DES . Let’s consider the NFA , where the transition function , for any , and , is defined as if there exists such that and ; otherwise is not defined. We can construct an observer automaton to check if is current-state opaque with respect to and . The observer is shown in Figure 2. The observer shows that the secret state never forms an observer state on its own, and hence is current-state opaque with respect to and . However, if the intruder is capable of providing a chosen input word to the system and observing the system’s output through , she can infer when the system is in the secret state. Specifically, consider the input word that drives the system to land on one of the states ; here, if the active intruder chooses , i.e., , and observes , she can infer with certainty that the current state of the system is the secret state . However, if is an unobservable event, the active intruder with the same input word cannot determine whether the system is at or .
As Example 2 illustrates, an active intruder can force the open DES to expose its secret state. We therefore need a new current-state opacity notion that captures this active intruder’s ability. In particular, we consider an active intruder who has full knowledge of the open DES model and is capable of injecting input into the system and (partially) observing the system output.
To evaluate the current-state opacity of an open DES, we can construct a current-state estimator that tracks the active intruder’s state estimate. Given an input word accepted by the system , and an observed word , the current-state estimator is defined by:
The current-state estimator essentially characterizes the set of states in which the open DES can land as a result of the input word while producing the observable sequence . We also define the current-state estimator for a given initial state as . We use instead of , and for , when it is clear from the context. Upon this current-state estimator, we define reactive current-state opacity in the following.
Definition 3 (Reactive Current-State Opacity)
Given an open DES , projection function , and the set of secret states , the system is reactive current-state opaque (RCS-opaque) if for any there exists such that:

,

, we have .
Intuitively, the open DES is RCS-opaque if, for any input word that is recognized by , i.e., , i) there exists an initial state such that the system with does not land entirely in the secret states, i.e., ; and ii) for any possible observable output word associated with the input, , we have , that is, the intruder cannot use the observed output events to resolve the nondeterminism of the transition function and thereby infer the current secret state of the system.
Remark 1
In the definition of RCSO, the input word is not required to be restricted to the words recognized by the open DES , , and it can be any . However, clearly does not accept any , and hence such a word does not reveal any secret.
Example 3
Consider the system in Figure 1 with secret state set . In this case, is not RCS-opaque, since the intruder with input word , regardless of the observed output events, can be certain that the system’s current state is . However, if , the system with any does not proceed solely to , and therefore the intruder can potentially use the observed output events to infer the secret state from the system’s possible current states. For instance, with , the possible current states of the system are , and if the observed output word is , where is any , the intruder can infer with certainty that the current state of is the secret state , which shows that is not RCS-opaque.
Remark 2
The proposed RCSO notion with an active intruder is a generalization of the CSO notion with a passive intruder. As illustrated in Example 2, if we consider an open DES with a passive intruder who has only partial observation of the system’s output, the proposed RCSO captures the CSO notion.
IV-B Other Opacity Notions
Other notions of opacity can be extended to open DESs with an active intruder. In this paper, we introduce the reactive language-based and reactive initial-state opacity notions. Reactive language-based opacity (RLBO) characterizes a secret run of the system that should be protected against an active intruder.
Definition 4 (Reactive Language-Based Opacity)
Given an open DES , projection function , secret output language , and non-secret output language , is reactive language-based opaque if for all , and any such that , there exists such that:

,

such that .
Intuitively, is reactive language-based opaque with respect to the secret output language , the non-secret output language , and the projection function , if for any input word that generates a secret output word, , there exists an initial state such that the same input word from the intruder can be associated with a non-secret output word, , and additionally, for any secret output word there exists a non-secret output word such that they have the same observation .
Initial-state opacity is another notion of opacity, defined over the system’s secret initial states. For open DESs, reactive initial-state opacity (RISO) can be defined as follows.
Definition 5 (Reactive Initial-State Opacity)
Given an open DES , projection function , secret initial-state set , and non-secret initial-state set , is reactive initial-state opaque if and any input words with any , there exists a non-secret initial state and such that .
An open DES is reactive initial-state opaque with respect to the secret initial-state set , the non-secret initial-state set , and the projection function , if for any secret initial state and any input word that generates an output word , i.e., , there exists a non-secret initial state and an output word associated with and such that and have the same observation, i.e., .
Similar to the opacity notions with a passive intruder [wu2013comparative], there is a relationship between the proposed reactive opacity notions. We call the problem of checking whether a given open DES satisfies the RCSO conditions an RCSO problem. Similarly, in the sequel, we use the terms RLBO and RISO problems. We mainly follow the idea proposed in [wu2013comparative] to transform the reactive opacity problems into each other.
Proposition 1
An RLBO problem can be converted to an equivalent RCSO problem.
Construct an NFT such that , and an NFT that accepts . Then consider and as a single NFT by constructing , and define the secret and non-secret state sets respectively as and . Therefore, for any and , there exist and with and , such that ; and if and , indicating that is reactive language-based opaque, we have and with and , such that , which implies that is RCS-opaque.
The other direction of this transformation is also possible: an RCSO problem can be converted to an equivalent RLBO problem.
Proposition 2
An RCSO problem can be converted to an equivalent RLBO problem.
Consider an RCSO problem with , secret state set , and non-secret state set . Construct an NFT with as the marked states, defined as , and another NFT with as the marked states, given by . Then define the secret and non-secret output languages respectively by and .
Proposition 3
An RISO problem can be converted to an equivalent RLBO problem.
Given an RISO problem with , secret initial-state set , and non-secret initial-state set , construct an NFT by trimming to only the secret initial-state set , given as , and similarly construct another NFT with as its initial-state set, . Then combine and as , and define the secret and non-secret output languages respectively by and .
The other direction of this transformation does not always hold. An RLBO problem can be transformed into an equivalent RISO problem only if and are prefix-closed.
Proposition 4
Given an RLBO problem with prefix-closed and , there exists an equivalent RISO problem.
Consider an RLBO problem with the open DES , prefix-closed secret output language , and prefix-closed non-secret output language . Construct an NFT such that , and an NFT that accepts . Then consider and as a single NFT by constructing , and define the secret and non-secret initial-state sets respectively as and .
Remark 3
We have shown that the proposed RCSO and RLBO are equivalent properties for . RISO can be transformed into an RLBO property; however, the reverse transformation (RLBO to RISO) only holds for prefix-closed secret and non-secret languages. Therefore, if the prefix-closedness conditions hold, RISO is also equivalent to RCSO. Figure 3 illustrates this relation.
V RCSO Verification
In this section, we present the verification of the RCSO notion for open DESs. Similar to current-state opacity with a passive intruder [saboori2007notions], we can construct an observer automaton to verify whether an open DES is RCS-opaque. In conventional opacity with a passive intruder, the observer is constructed to track the system states based on the observable events [hadjicostis2014opacity]. In the reactive opacity formalism, however, the intruder knows the injected input word, and hence the system’s (nondeterministic) transitions. As illustrated in Example 3, the active intruder can use the system’s observable responses to resolve the ambiguity in his estimate caused by the system’s nondeterministic transitions. The observer for RCSO verification should therefore include both the possible input and the observable output behavior of the system to track the estimated states. Furthermore, an open DES may have only a single, and perhaps unique, unobservable output event for a given input, which can reveal a secret state. Therefore, in contrast to conventional opacity with a passive intruder, an active intruder can even use an unobservable response to infer the open DES states. This ability should be encoded in the active intruder’s observer.
Definition 6 (Observer for RCSO)
Given an open DES and a projection function with respect to the observable output events , the observer automaton is a deterministic finite-state automaton with state set , whose initial state set is . Let’s denote . The transition function is ; for any , , and an observable event , it is given by , and for an unobservable event it is defined by .
The initial state estimate is constructed from the combination of the possible initial states, , and any initial transitions with no input to the open DES, i.e., . Note that, based on the definition of an open DES in Definition 1, for any we have , and therefore is defined solely in terms of and . In the constructed observer, captures the active intruder’s ability to infer the system transition when he injects input and receives no observable output.
Given the constructed observer , one can verify whether is RCS-opaque by checking whether any state reachable from consists only of secret states , i.e., . The RCSO verification based on the proposed observer construction is formally given in the following theorem.
Theorem 1
Given an open DES , the projection function , the secret state set , the associated observer can be constructed by following Definition 6. Then is RCSopaque if and only if for all either or holds.
Necessity: here we show that if is RCS-opaque, then there is no state in the constructed observer (following Definition 6) such that . Let’s denote by the reachable states in . To prove this part, we only need to show that, for any input word and observed output word, the states in the observer are the estimated current states of the system. Consider any such that ; then, since , there exist , and such that , , and . In addition, following Definition 6, and provide the same estimated states, meaning that for any we have with . Therefore, if is RCS-opaque, then , which implies .
Sufficiency: here we show that if for all we have , then is RCS-opaque. We prove this part by contradiction. Assume is not RCS-opaque, which implies that there exists a such that for some . Therefore, as in the necessity part, we know that and with and provide the same estimated states. This implies that there is an observer state such that , which contradicts the first assumption.
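As an added, self-contained illustration (not code from the paper), the following Python models a small constructed open DES as an NFT, implements the current-state estimator, builds the observer of Definition 6 over (input, observation) pairs, and applies the reachability check of Theorem 1. It assumes one output event per input event and no input-free transitions; the sample system, its state names and its output alphabet are constructed here and are not Figure 1.

```python
"""Observer-based RCSO check for a constructed open DES (an NFT).

Assumptions (not from the paper): each input event produces exactly one
output event, and the empty input leaves the state unchanged, so the
initial estimate is just the initial state set.
"""
from collections import deque

# Constructed sample NFT: TRANSITIONS[(x, a)] = [(x', possible_outputs), ...].
# From state 0, input 'a' nondeterministically reaches 1 or 2, both emitting
# 'o1', so the intruder cannot tell them apart. Input 'b' separates them only
# if the output event 'o2' is observable.
TRANSITIONS = {
    (0, "a"): [(1, {"o1"}), (2, {"o1"})],
    (1, "b"): [(3, {"o2"})],
    (2, "b"): [(0, {"u"})],
    (3, "a"): [(0, {"o1"})],
}
INPUTS = {"a", "b"}
INITIAL = frozenset({0})
SECRET = frozenset({3})       # the single secret state


def step(estimate, a, obs, observable):
    """Observer transition: successor estimate after the intruder injects
    input `a` and sees `obs` (None = no observable output appeared, which
    the active intruder can still exploit, unlike a passive observer)."""
    nxt = set()
    for x in estimate:
        for x2, outs in TRANSITIONS.get((x, a), []):
            if obs is None:
                if outs - observable:      # some unobservable output is possible
                    nxt.add(x2)
            elif obs in outs:
                nxt.add(x2)
    return frozenset(nxt)


def estimate(inputs, observations, observable):
    """Current-state estimator: states the system may occupy after the
    injected word `inputs` produced the (projected) observation sequence."""
    est = INITIAL
    for a, obs in zip(inputs, observations):
        est = step(est, a, obs, observable)
    return est


def build_observer(observable):
    """Subset construction over (input, observation) labels (Definition 6).
    Returns the reachable observer states and the transition map."""
    labels = [None] + sorted(observable)
    trans, seen, queue = {}, {INITIAL}, deque([INITIAL])
    while queue:
        q = queue.popleft()
        for a in sorted(INPUTS):
            for obs in labels:
                q2 = step(q, a, obs, observable)
                if not q2:
                    continue                 # (a, obs) cannot occur from q
                trans[(q, a, obs)] = q2
                if q2 not in seen:
                    seen.add(q2)
                    queue.append(q2)
    return seen, trans


def rcso_violations(observable):
    """Theorem 1: reachable non-empty observer states lying inside SECRET."""
    seen, _ = build_observer(observable)
    return sorted(sorted(q) for q in seen if q and q <= SECRET)


def is_rcs_opaque(observable):
    return not rcso_violations(observable)


if __name__ == "__main__":
    # 'o2' observable: injecting "ab" and seeing 'o2' pins the system to state 3.
    print("o2 observable  :", is_rcs_opaque({"o1", "o2"}), rcso_violations({"o1", "o2"}))
    # 'o2' unobservable: after "ab" with no observable output the estimate is {0, 3}.
    print("o2 unobservable:", is_rcs_opaque({"o1"}), rcso_violations({"o1"}))
```

Making 'o2' unobservable is the only change between the two runs, mirroring the observation in Example 2 that the same input word reveals the secret state or not depending on whether the distinguishing output event is observable.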
The following example illustrates the observer construction described above.
Example 4
VI Conclusion
In the conventional opacity formalism, the intruder is considered a passive observer. In this paper, we studied opacity in the presence of an active intruder who, beyond passive observation, is capable of manipulating the system behavior. In this setup, the active intruder can inject a certain input into the system and combine it with the observed system response to infer the secrets. We therefore introduced reactive opacity notions, which characterize the property that, regardless of how the intruder selects the input word, the system’s secret remains indistinguishable from the non-secrets. We furthermore showed that all the proposed reactive opacity notions can be transformed into RCSO. Given the RCSO notion and a system modeled as an NFT, we proposed an automata-based method to verify whether the system satisfies the RCSO requirements. In future work, we plan to study probabilistic reactive opacity for stochastic DESs.