1 Abstract
We consider the verification of current-state and step opacity for systems modeled as interacting nondeterministic finite-state automata. We describe a new methodology for compositional opacity verification that employs abstraction, in the form of a notion called opaque observation equivalence, and that leverages existing compositional nonblocking verification algorithms. The compositional approach is based on a transformation of the system, where the transformed system is nonblocking if and only if the original one is current-state opaque. Furthermore, we prove that step opacity can also be inferred if the transformed system is nonblocking. We provide experimental results where current-state opacity is verified efficiently for a large scaled-up system.
Keywords: finite-state automata, abstraction, opacity, nonblocking verification, modular systems.
2 Introduction
While there is a large amount of information that people willingly release every day, there is some information that we wish to remain secret. Thus, various notions of security have been studied in the past decades; opacity is one such example. Opacity is an information-flow property that identifies whether or not a secret is released to an external observer of the behavior of a known dynamic system. We refer to the external observer as the intruder in this paper.
The notion of opacity was introduced in the field of discrete event systems in [1], where the system is modeled as a Petri net. Later, a variety of notions of opacity were introduced to cope with different security requirements. Current-state opacity [2], initial-state opacity [3], initial-and-final-state opacity [4], step opacity [5, 6], infinite-step opacity [7], and language-based opacity [8] are some examples of state-based and language-based opacity notions. In [4], polynomial-time algorithms are presented to transform the verification of current-state, initial-state, initial-and-final-state opacity, and language-based opacity to one another. In this paper, we study the verification of current-state and step opacity under the framework of modular discrete event systems. A system is said to be current-state opaque if the intruder can never know for sure that the current state of the system is a secret state. On the other hand, a system is step opaque if the intruder cannot determine whether the system had entered a secret state within the previous steps of its observed behavior (i.e., it is a smoothing property in system-theoretic terminology).
In this paper, we consider a class of modular systems that are modeled as partially observed (or nondeterministic) interacting finite-state automata. The monolithic approach to verify any opacity property for modular systems is to synchronize all the components of the system and then use the corresponding verification algorithm on the resulting monolithic system. This approach is limited by the well-known state-space explosion problem when composing a large number of system components.
Abstraction and modular approaches are standard techniques that can be used to alleviate the state-space explosion problem, either independently or jointly. In the opacity verification problem domain, the verification of initial-state opacity in a modular setting was studied in [9], where it is shown that the system is initial-state opaque if and only if the strings causing violations of opacity are disabled by synchronization. Abstraction based on bisimulation was used in [10] to reduce the complexity of the system when verifying infinite-step opacity. One method to alleviate the state-space explosion problem is the compositional approach based on abstraction. This approach is well-developed for nonblocking verification and supervisor synthesis in modular systems; see, e.g., [11, 12, 13, 14]. The compositional approach seeks to remove and merge states that are redundant for the purpose of verification or synthesis, and it proceeds in an incremental manner in terms of system components.
This paper presents a novel compositional approach for the verification of current-state, infinite-step, and step opacity. As infinite-step opacity is a limiting case of step opacity, we mainly focus on current-state and step opacity. In our framework, each system component is abstracted using a restricted version of observation equivalence or weak bisimulation [15], that we call opaque observation equivalence. After such abstraction, the current-state estimator [16] or the two-way observer [17] of each component is generated, depending on which opacity property is to be verified, either current-state or step. Next, the opacity verification problem is transformed to a suitable nonblocking verification problem. This makes it possible to use well-developed nonblocking verification algorithms to verify the different notions of opacity. In the case of current-state opacity, we show that the transformation to nonblocking leads to an equivalent problem, i.e., we show necessity and sufficiency. In the case of step opacity, we show sufficiency of the transformation. We used the software tool Supremica [18] to verify current-state opacity of a large modular system using our compositional approach. Specifically, we have successfully verified current-state opacity for a large system containing 43 automata in under one minute on a standard laptop computer.
The presentation of our results is organized as follows. Section 3 gives a brief background on the different notions of opacity. Section 4 explains the general compositional opacity problem. Next, Sections 5 and 7 explain the compositional approach for current-state and step opacity, respectively. Our experimental results on a scaled-up example are presented in Section 8. Finally, some concluding remarks can be found in Section 9.
3 Modeling framework
3.1 Automata and their composition
Discrete system behaviors can be modeled by deterministic or nondeterministic automata.
A (nondeterministic) finitestate automaton is a tuple , where is a finite set of events, is a finite set of states, is the state transition relation, and is the set of initial states. is deterministic if and if and always implies that . When marking is important the above definition can be extended to , where is the set of marked states. In this paper, we identify marked states in the figures using gray shading.
We assume that the intruder can only partially observe the system. Thus, is partitioned into two disjoint subsets, the set of observable events and the set of unobservable events. Since the identity of unobservable events is irrelevant, they are all replaced by a special event . The event is never included in the alphabet , unless explicitly mentioned. For this, is used [11]. Nondeterministic automata hereafter may contain transitions labeled by . However, since represents unobservable events, deterministic automata will never have such transitions. In opacity problems, the set of states is also partitioned into two disjoint subsets: the set of secret states and the set of nonsecret states.
When automata are brought together to interact, lockstep synchronization in the style of [19] is used. Let and be two nondeterministic automata, with sets of secret states and . The synchronous composition of and is defined as
(1) 
where
and where the set of secret states of , , is defined in one of the two following ways:

,

.
Importantly, this definition of synchronous composition only imposes lockstep synchronization on common events in .
In the following, whenever necessary, we use the notations and to show that the secret states of the synchronous composition are defined as in case 1 or 2 of Definition 3.1, respectively. When is used, a synchronized state is considered secret if all the composed states are secret. In , however, if one of the states of the synchronized state is secret, then the synchronized state is considered secret. and are the first natural constructs for joint secrecy.
is the set of all finite traces of events from , including the empty trace . The natural projection is the operation that removes from traces all events not in , which affects only event in our setting.
The transition relation of an automaton is written in infix notation , and it is extended to strings in by letting for all , and if and for some . Furthermore, means that for some , and means that for some . These notations also apply to state sets, where for means that for some and , and to automata, where means that , etc.
For brevity, , with , denotes the existence of a string such that and . Thus, , , means a path containing exactly the events in , while , , means existence of a path between and with arbitrary number of events between the events of . Similarly, denotes the existence of a string such that .
The language of an automaton is defined as and the language generated by from is . Thus we do not include event in the strings in the language of an automaton. Moreover, from 3.1, it follows that if and only if and , where , for (and these functions are extended to strings in the usual manner).
Renamings and are two maps such that and . Renamings are extended to traces by applying them to each event, and to languages by applying them to all traces. They are also extended to automata with alphabet by replacing all transitions with and .
Given an automaton , the reversed automaton of is a nondeterministic automaton where and all states are considered to be initial [4]. For a nondeterministic automaton , the set of unobservably reached states of , is . The observer automaton is a deterministic automaton, where and , and , where , if and only if . By convention, in this paper only states reachable from under are considered in . Also, we will refer to the observer automaton as the current-state estimator, abbreviated as CSE.
In this paper, the special blocking event is used to label additional transitions going out of a special set of states, termed states and denoted by . Let be a deterministic automaton with set of states . Then is a deterministic automaton such that is a new state, , which means that all the original states are marked, and
(2) 
This “transformation” will be used later on to transform opacity verification to nonblocking verification. To check if a specific state of the system can be reached, the state can be considered as a state and nonblocking verification can be done on the transformed system, termed the system. In our setting the states are the states that violate opacity.
Another common automaton operation is the quotient modulo an equivalence relation on the state set.
Let be a set. A relation is called an equivalence relation on if it is reflexive, symmetric, and transitive. Given an equivalence relation on , the equivalence class of is , and is the set of all equivalence classes modulo .
Let be an automaton and let be an equivalence relation. The quotient automaton of modulo is
(3) 
where and .
3.2 Notions of opacity
In general, opacity addresses the issue of whether an intruder observing the system, and knowing the model of the system, can determine for sure if the system is in a secret state. There are different notions of opacity in the literature. It is shown in [4] that initial-, final-, current-state, and language-based opacity can be transformed to one another with polynomial-time algorithms for verification purposes. Moreover, infinite-step opacity is a limiting case of step opacity. Thus, in this paper, we mainly address the verification of current-state opacity first, and then that of step opacity, which cannot be transformed to current-state opacity for verification purposes. We recall the formal definitions of these properties in the context of the framework of this paper. A nondeterministic automaton with event set and set of secret states is current-state opaque, with respect to if and only if
The system is current-state opaque if an intruder cannot determine whether the system is currently in a secret state or not.
A nondeterministic automaton with event set and set of secret states is infinite-step opaque, with respect to
The system is infinite-step opaque if an intruder cannot determine whether the system ever was in a secret state at any time in the past.
A nondeterministic automaton with event set and set of secret states is step opaque, with respect to
The system is step opaque if the entrance of the system into a secret state remains uncertain for an intruder after up to future observations. Hence, 0-step opacity is equivalent to current-state opacity, and when , step opacity becomes infinite-step opacity [7].
It is shown in [16] that current-state opacity can be verified by building the standard observer automaton. [16] Let be a nondeterministic automaton with set of secret states . Let be the current-state estimator of . Then is current-state opaque with respect to if and only if for all it holds that .
The verification of step and infinite-step opacity is considered in [5] and [7], respectively, where these properties were first introduced. Recently, a new approach for the verification of infinite-step and step opacity was introduced, which relies on building the so-called two-way observer of the system [17]. We will leverage this latter approach in the development of our results. Again, we recall relevant definitions and results, restated in the context of our framework. [17] Let be a nondeterministic automaton and be the reversed automaton of . Let and . The two-way observer of is the deterministic automaton obtained by:
[17] Let be a nondeterministic automaton with set of secret states . Let and and let be the two-way observer of . Then is infinite-step opaque with respect to if and only if
(4) 
The system is infinite-step opaque if, for all reachable states of the two-way observer, the intersection of the first and second components is either not a subset of the secret states of the system or empty.
[17] Let be a nondeterministic automaton with set of secret states . Let and and let , with , be the twoway observer of . Let . Then is step opaque with respect to if and only if, for any string such that , we have that
Consider the automaton in Fig. 1. Assume that the set of secret states is ; we have that and . In the figure, and are the current-state estimator and the two-way observer of , respectively. In the states are:

,

,

,

,

,

,

,

,

.
The system is current-state opaque as the intruder cannot distinguish between and . Automaton confirms that the system is current-state opaque since there is no state in that is a subset of (3.2). However, the system is not infinite-step opaque, because after observing event the intruder will know that the system was in and . The two-way observer confirms this result, as in the state we have (3.2). The system is not step opaque either, since and but and (3.2).
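The constructions of this section, written out as an added Python example (this is not code from the paper, and the automaton of Fig. 1 is not reproduced): the unobservable reach, the current-state estimator by subset construction, the reversed automaton, and the two-way observer checks of [17]. The sample automaton, its event names and its secret set are constructed for illustration. The parameter k stands in for the bound on future observations in step opacity, with k=None checking infinite-step opacity. Building the two-way observer as the product of the observers of G and G_R, which is valid because its two halves evolve independently, is an implementation choice of this example.

```python
from collections import deque

TAU = "tau"  # the single unobservable event; never a member of an alphabet


class NFA:
    """Nondeterministic finite-state automaton with a set of secret states.
    Transitions are (source, event, target) triples; the event may be TAU."""

    def __init__(self, states, alphabet, trans, init, secret):
        self.states = frozenset(states)
        self.alphabet = frozenset(alphabet)   # observable events only
        self.trans = frozenset(trans)
        self.init = frozenset(init)
        self.secret = frozenset(secret)

    def step(self, xs, e):
        """States reached from a state in xs by one transition labelled e."""
        return {t for (s, ev, t) in self.trans if s in xs and ev == e}

    def unobs_reach(self, xs):
        """UR(xs): closure of xs under TAU transitions (includes xs itself)."""
        seen, todo = set(xs), list(xs)
        while todo:
            for y in self.step({todo.pop()}, TAU):
                if y not in seen:
                    seen.add(y)
                    todo.append(y)
        return frozenset(seen)

    def reversed(self):
        """G_R: every transition reversed and every state initial [4]."""
        return NFA(self.states, self.alphabet,
                   {(t, e, s) for (s, e, t) in self.trans},
                   self.states, self.secret)


def observer(g):
    """Current-state estimator (CSE) by subset construction over the observable
    events. Returns {estimate: depth}, depth being the fewest observations that
    reach the estimate; only reachable, nonempty estimates are kept."""
    q0 = g.unobs_reach(g.init)
    depth, todo = {q0: 0}, deque([q0])
    while todo:
        q = todo.popleft()
        for e in g.alphabet:
            nxt = g.unobs_reach(g.step(q, e))
            if nxt and nxt not in depth:
                depth[nxt] = depth[q] + 1
                todo.append(nxt)
    return depth


def current_state_opaque(g):
    """[16]: opaque iff no reachable estimate lies entirely inside the secret set."""
    return all(not q <= g.secret for q in observer(g))


def k_step_opaque(g, k=None):
    """Two-way observer check of [17]. A two-way state is a pair (m1, m2): m1 an
    estimate of G driven by the forward events, m2 an estimate of G_R driven by
    the reversed copies of the events. The halves evolve independently, so the
    reachable pairs are the product of obs(G) and obs(G_R), and the number of
    reversed events needed to reach m2 is its depth in obs(G_R).
    k=None checks infinite-step opacity; k=0 reduces to current-state opacity
    because the initial estimate of G_R is the whole state set."""
    fwd, bwd = observer(g), observer(g.reversed())
    for m1 in fwd:
        for m2, d in bwd.items():
            if k is not None and d > k:
                continue
            both = m1 & m2
            if both and both <= g.secret:
                return False   # the intruder is sure a secret state was visited
    return True


# Constructed sample automaton (not the paper's Fig. 1). Secret state 1 is entered
# by an observable event, and only state 1 can produce the later observation b.
G = NFA(
    states=range(6), alphabet={"a", "b", "c"},
    trans={(0, TAU, 5), (0, "a", 1), (5, "a", 2), (1, "b", 3), (2, "c", 4)},
    init={0}, secret={1},
)

if __name__ == "__main__":
    print("current-state opaque:", current_state_opaque(G))  # estimate after a is {1, 2}
    print("0-step opaque:", k_step_opaque(G, 0))
    print("1-step opaque:", k_step_opaque(G, 1))              # observing a then b reveals state 1
    print("infinite-step opaque:", k_step_opaque(G))
```

On the sample, the estimate after observing a is {1, 2}, so the system is current-state opaque (equivalently 0-step opaque); once b is also observed, the reversed estimate is {1}, the intersection {1} lies inside the secret set, and 1-step and infinite-step opacity fail.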
4 Compositional opacity verification
This section describes the general framework for transforming current-state opacity and step opacity to nonblocking verification. Since infinite-step opacity is a limiting case of step opacity, a specific treatment of this property is omitted hereafter; instead, we make relevant observations about it in our discussion; see Section 7. Note that current-state opacity is also a special case of step opacity. However, since verification of current-state opacity requires building the current-state estimator and not the two-way observer, we address current-state opacity separately from step opacity.
The input to the algorithm is a modular nondeterministic system. A modular system is a collection of interacting components
(5) 
The compositional opacity verification algorithm is summarized in Fig. 2 and its steps are as follows:

In the first step of the compositional opacity verification, the modular system (5) is abstracted using opaque observation equivalence. Each automaton may be replaced by an abstracted version, , with fewer states or transitions.

Next, the current-state estimators, in the case of current-state opacity verification, or the two-way observers, in the case of step opacity verification, of the individual abstracted components are built, in Fig. 2.

Next, the opacity verification problem is transformed to a nonblocking verification problem. The states of the individual current-state estimators or two-way observers that violate opacity are identified, and transitions to blocking states are added from those states, resulting in in Fig. 2.

Compositional nonblocking verification is used to verify the opacity problem. In compositional nonblocking verification, the synchronous composition is computed gradually, abstracting each intermediate result again. Eventually, the procedure leads to a single automaton, denoted by , which due to the abstraction process has fewer states and transitions than the original system. Once is found, it is used for nonblocking verification. The system is current-state opaque if and only if is nonblocking, and it is step opaque if is nonblocking.
Our motivation for proceeding as above is that compositional nonblocking verification has been well studied and it has shown very promising results [11, 12].
The monolithic approach to verify opacity first synchronizes all the components of the system and builds the monolithic current-state estimator or two-way observer of the system. As the number of states of the synchronized product grows exponentially with the number of components, the complexity of building the CSE or the two-way observer of the whole system is . In contrast, the complexity of generating modular CSEs or two-way observers, instead of their monolithic counterparts, is , which is significantly smaller. In addition, the approach proposed in this paper not only avoids building the synchronized product of the whole system, but also abstracts the components and reduces the number of states of each component before the construction of the CSEs or two-way observers. Fig. 2 illustrates the steps of compositional opacity verification for the two cases of and . The subsequent sections formally develop this approach.
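Steps (iii) and (iv) for current-state opacity, as an added Python example that is not part of the paper or of Supremica: the blocking transformation of Section 3.1, the lock-step synchronous composition (1), and a plain reachability/coreachability nonblocking check. The two per-component current-state estimators, their secret sets and the event names are constructed input, and the blocking event is called blk. The encoding of the two secret-set conventions is an assumption of this example: under the conjunctive convention all components share one blocking event, so the blocking state is reachable only when every estimator is in a violating state at the same time; under the disjunctive convention each component gets its own blocking event. It also relies on the claim of Section 5.2 that the composition of the individual estimators can stand in for the monolithic one.

```python
BLOCK, BOTTOM = "blk", "bottom"   # blocking event and the new unmarked state


class DFA:
    """Deterministic automaton with marking; delta maps (state, event) -> state."""

    def __init__(self, alphabet, delta, init, marked):
        self.alphabet = frozenset(alphabet)
        self.delta = dict(delta)
        self.init = init
        self.marked = frozenset(marked)

    def states(self):
        return {self.init} | {s for s, _ in self.delta} | set(self.delta.values())


def add_blocking(cse, secret, block_event):
    """Blocking transformation of Section 3.1: all original states become marked
    and every violating estimate (one contained in the secret set) gets a
    transition on block_event to the new, unmarked, dead state BOTTOM."""
    secret = frozenset(secret)
    delta = dict(cse.delta)
    for q in cse.states():
        if q <= secret:
            delta[(q, block_event)] = BOTTOM
    return DFA(cse.alphabet | {block_event}, delta, cse.init, cse.states())


def sync(g1, g2):
    """Lock-step synchronous composition (1): shared events move both components
    together and are blocked if either lacks them; private events move one
    component alone. A composed state is marked iff both halves are marked."""
    init = (g1.init, g2.init)
    alphabet = g1.alphabet | g2.alphabet
    delta, seen, todo = {}, {init}, [init]
    while todo:
        x = todo.pop()
        x1, x2 = x
        for e in alphabet:
            y1 = g1.delta.get((x1, e)) if e in g1.alphabet else x1
            y2 = g2.delta.get((x2, e)) if e in g2.alphabet else x2
            if y1 is None or y2 is None:
                continue
            y = (y1, y2)
            delta[(x, e)] = y
            if y not in seen:
                seen.add(y)
                todo.append(y)
    marked = {x for x in seen if x[0] in g1.marked and x[1] in g2.marked}
    return DFA(alphabet, delta, init, marked)


def nonblocking(g):
    """Every reachable state can reach a marked state."""
    reach, todo = {g.init}, [g.init]
    while todo:
        x = todo.pop()
        for (s, _), t in g.delta.items():
            if s == x and t not in reach:
                reach.add(t)
                todo.append(t)
    coreach, todo = set(g.marked), list(g.marked)
    while todo:
        t = todo.pop()
        for (s, _), t2 in g.delta.items():
            if t2 == t and s not in coreach:
                coreach.add(s)
                todo.append(s)
    return reach <= coreach


def compositional_check(cses, secrets, conjunctive):
    """Steps (iii)-(iv) for current-state opacity over per-component estimators.
    conjunctive=True: a composed state is secret only if every component state is,
    so one blocking event shared by all components makes BOTTOM reachable only
    when every estimator violates at once. conjunctive=False: any secret component
    state makes the composed state secret, so each component blocks on its own."""
    transformed = [add_blocking(c, s, BLOCK if conjunctive else f"{BLOCK}{i}")
                   for i, (c, s) in enumerate(zip(cses, secrets))]
    g = transformed[0]
    for h in transformed[1:]:
        g = sync(g, h)
    return nonblocking(g)   # True iff the modular system is current-state opaque


# Constructed input: two hand-written current-state estimators whose states are
# estimates (sets of component states), sharing the observable events b and d.
X0, X1, X2 = frozenset({"p0"}), frozenset({"p1", "p2"}), frozenset({"p1"})
Y0, Y1, Y2 = frozenset({"q0"}), frozenset({"q1", "q3"}), frozenset({"q2"})
CSE1 = DFA({"a", "b", "d"}, {(X0, "a"): X1, (X1, "b"): X2, (X1, "d"): X0}, X0, {X0, X1, X2})
CSE2 = DFA({"b", "d"}, {(Y0, "b"): Y1, (Y0, "d"): Y0, (Y1, "d"): Y2}, Y0, {Y0, Y1, Y2})
S1, S2 = {"p1"}, {"q2"}

if __name__ == "__main__":
    # Component 1 alone reveals p1 after a b, but component 2 is uncertain there,
    # and its only violating estimate Y2 needs a d that component 1 cannot join.
    print("conjunctive secrets, opaque:", compositional_check([CSE1, CSE2], [S1, S2], True))
    print("disjunctive secrets, opaque:", compositional_check([CSE1, CSE2], [S1, S2], False))
```

The same pair of estimators is opaque under the conjunctive convention and not under the disjunctive one: after a b the composition sits in (X2, Y1), where only the first estimator is inside its secret set, so the shared blocking event cannot fire but the private one of component 1 can. Adding further components is just another call to sync on the transformed estimators, which is the gradual composition of step (iv) without the intermediate abstraction.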
5 Compositional currentstate opacity verification
This section describes compositional current-state opacity verification. First, Section 5.1 describes the abstraction method that preserves current-state opacity. Next, Section 5.2 shows that individual current-state estimators can be built instead of the monolithic current-state estimator. Finally, Section 5.3 explains the transformation of current-state opacity verification to compositional nonblocking verification.
5.1 Opaque observation equivalence
In the first stage of compositional opacity verification, individual nondeterministic components are replaced by their abstracted opaque equivalent components, step (i) in Fig. 2.
Bisimulation equivalence and observation equivalence are two well-known abstraction methods [20] for reducing the state space of an automaton. Bisimulation considers states to be equivalent if they have outgoing transitions with the same events, including unobservable events, to equivalent states. Observation equivalence is more general than bisimulation as it ignores the unobservable events (namely, the event in our setup).
[20] Let be a nondeterministic automaton. An equivalence relation is called an observation equivalence on , if the following holds for all such that : if for some , then there exists such that , and .
In order to use observation equivalence for abstraction in our compositional opacity verification methodology, the set of secret states needs to be taken into account. For this purpose, a restricted version of observation equivalence called opaque observation equivalence is defined.
Let be a nondeterministic automaton with set of secret states and set of nonsecret states . An equivalence relation is called an opaque observation equivalence on if the following holds for all such that :

if for some , then there exists such that , and ,

if and only if .
Opaque observation equivalence considers two states to be equivalent if they have the same secret status and, from both of them, equivalent states can be reached by the same sequences of events, disregarding the unobservable event.
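Definition 5.1 computed as an added Python example (not the paper's code): partition refinement over the tau-saturated transition relation, starting from the secret/nonsecret split, yields the coarsest opaque observation equivalence; dropping that initial split yields plain observation equivalence for comparison, and the quotient of (3) is built from the result. The six-state automaton, its event names and its secret set are constructed for illustration. In it, the secret states 1 and 2 are observation equivalent but not opaque observation equivalent, because state 1 can reach the nonsecret state 3 by an unobservable transition while state 2 cannot, which is exactly the distinction the second condition of the definition enforces.

```python
TAU = "tau"   # the single unobservable event


def tau_closure(trans, xs):
    """States reachable from xs by zero or more TAU transitions."""
    seen, todo = set(xs), list(xs)
    while todo:
        x = todo.pop()
        for s, e, t in trans:
            if s == x and e == TAU and t not in seen:
                seen.add(t)
                todo.append(t)
    return frozenset(seen)


def weak_successors(trans, x, e):
    """States reachable from x by tau* e tau*, or by tau* when e is TAU: the
    double-arrow moves that Definition 5.1 allows the matching state to make."""
    pre = tau_closure(trans, {x})
    if e == TAU:
        return pre
    return tau_closure(trans, {t for s, ev, t in trans if s in pre and ev == e})


def observation_equivalence(states, alphabet, trans, secret, opaque=True):
    """Coarsest opaque observation equivalence (Definition 5.1) by partition
    refinement: start from the secret/nonsecret split, then repeatedly split a
    block when two of its states reach different blocks on the same weak move.
    opaque=False starts from a single block and gives plain observation
    equivalence [20]. Returns {state: block id}."""
    events = set(alphabet) | {TAU}
    block = {x: int(x in secret) if opaque else 0 for x in states}
    while True:
        sig = {x: (block[x], frozenset((e, block[y]) for e in events
                                       for y in weak_successors(trans, x, e)))
               for x in states}
        ids = {}
        refined = {x: ids.setdefault(sig[x], len(ids)) for x in states}
        if len(set(refined.values())) == len(set(block.values())):
            return refined          # no block was split: fixpoint reached
        block = refined


def quotient(trans, init, secret, block):
    """Quotient automaton (3): blocks are the states, a transition between blocks
    exists iff some pair of members has it, and a block is initial (secret)
    iff it contains an initial (secret) state."""
    return (sorted(set(block.values())),
            {(block[s], e, block[t]) for s, e, t in trans},
            {block[x] for x in init},
            {block[x] for x in secret})


# Constructed sample automaton: states 1 and 2 are both secret and both can
# produce b, but only state 1 can silently move to the nonsecret state 3.
STATES, ALPHABET, INIT, SECRET = range(6), {"a", "b"}, {0}, {1, 2}
TRANS = {(0, "a", 1), (0, "a", 2), (1, TAU, 3), (2, "b", 4), (3, "b", 5)}

if __name__ == "__main__":
    plain = observation_equivalence(STATES, ALPHABET, TRANS, SECRET, opaque=False)
    opq = observation_equivalence(STATES, ALPHABET, TRANS, SECRET)
    print("observation equivalence blocks:", len(set(plain.values())))   # merges 1, 2 and 3
    print("opaque observation equivalence blocks:", len(set(opq.values())))
    print("quotient:", quotient(TRANS, INIT, SECRET, opq))
```

Plain observation equivalence collapses the sample to three blocks by merging the secret states 1 and 2 with the nonsecret state 3, which would change what an intruder can learn; the opaque variant keeps them apart and only merges the two terminal states 4 and 5, so the quotient has five states and every block has a single secret status.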
We present our first result on the use of opaque observation equivalence in the verification of opacity. (In the sequel, for the sake of simplicity of notation, we will denote the event set of nondeterministic automata by , with the understanding that some transitions may be labeled by .)
Let be a nondeterministic system with for interaction, where each automaton has set of secret states . Hence, the set of secret states of the system is , where . Let be an opaque observation equivalence on such that . Then is current-state opaque if and only if is current-state opaque.
Proof:
Consider . Then , where . Let and . It suffices to show that if is not current-state opaque then is not current-state opaque either, and vice versa.

Assume that is not current-state opaque. Then there exists such that and or , and there does not exist such that . From it follows that and .
From there does not exist such that , it follows that for all such that it holds that or for all such that it holds that . Moreover, since and are opaque observation equivalent from and based on 5.1, it follows that such that . Now, consider three cases:

and . Then from and , it follows that . State is also considered secret as . Since for all such that it holds that , then such that does not exist. Thus, is not current-state opaque.

and . Then from and , it follows that . As based on Definition 5.1, it holds that for all , and , which implies that is a secret state. Since for all such that it holds that , based on Definition 5.1 it follows that for all such that it holds that . Thus, such that does not exist, which means that is not current-state opaque.


Assume that is not current-state opaque. Then there exists such that or and there does not exist such that and . From , it follows that and . From there does not exist such that , it follows that for all such that it holds that or for all such that it holds that . Moreover, since and are opaque observation equivalent from and based on Definition 5.1, it follows that there exists such that .
Again, consider three cases:

and . The proof is similar to 1a.

and . Then as it holds that for all also . Thus, from and it follows that there exists , where is considered a secret state. Since for all such that it holds that , then by Definition 5.1 it holds that for all such that it holds that . This means that such that does not hold, which implies that is not current-state opaque.

5.1 illustrates that the components of a modular system that interact by can be abstracted using opaque observation equivalence while preserving the current-state opacity property. If is used for interaction, a similar result holds and the following corollary can be proved.
Let be a nondeterministic system with for interaction and with the set of secret states . Let be an opaque observation equivalence on such that . Then is current-state opaque if and only if is current-state opaque.
Proof:
Consider . It suffices to show that if is not current-state opaque then is not current-state opaque either, and vice versa. Let and .

Assume that is not current-state opaque. Then there exists such that and , and there does not exist such that and or . This means that there does not exist or such that