# Transforming opacity verification to nonblocking verification in modular systems

We consider the verification of current-state and K-step opacity for systems modeled as interacting non-deterministic finite-state automata. We describe a new methodology for compositional opacity verification that employs abstraction, in the form of a notion called opaque observation equivalence, and that leverages existing compositional nonblocking verification algorithms. The compositional approach is based on a transformation of the system, where the transformed system is nonblocking if and only if the original one is current-state opaque. Furthermore, we prove that K-step opacity can also be inferred if the transformed system is nonblocking. We provide experimental results where current-state opacity is verified efficiently for a large scaled-up system.

## Authors

• 2 publications
• 3 publications
12/16/2018

### Incremental Observer Reduction Applied to Opacity Verification and Synthesis

With the proliferation of communication networks and mobile devices, the...
12/03/2020

### Towards Compositional Verification for Modular Robotic Systems

Software engineering of modular robotic systems is a challenging task, h...
10/01/2019

### Compositional and Abstraction-Based Approach for Synthesis of Edit Functions for Opacity Enforcement

This paper develops a novel compositional and abstraction-based approach...
10/09/2017

### Verification of Binarized Neural Networks

We study the problem of formal verification of Binarized Neural Networks...
09/05/2021

### K-Step Opacity in Discrete Event Systems: Verification, Complexity, and Relations

Opacity is a property expressing whether a system may reveal its secret ...
02/06/2018

### Deciding Detectability for Labeled Petri Nets

Detectability of discrete event systems (DESs) is a property to determin...
03/03/2022

### AlgebraicSystems: Compositional Verification for Autonomous System Design

Autonomous systems require the management of several model views to assu...
##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Abstract

We consider the verification of current-state and -step opacity for systems modeled as interacting non-deterministic finite-state automata. We describe a new methodology for compositional opacity verification that employs abstraction, in the form of a notion called opaque observation equivalence, and that leverages existing compositional nonblocking verification algorithms. The compositional approach is based on a transformation of the system, where the transformed system is nonblocking if and only if the original one is current-state opaque. Furthermore, we prove that -step opacity can also be inferred if the transformed system is nonblocking. We provide experimental results where current-state opacity is verified efficiently for a large scaled-up system.

Finite-state automataabstractionopacitynonblocking verificationmodular systems.

## 2 Introduction

While there is a large amount of information people willingly release everyday, there is some information that we wish to remain secret. Thus, various notions of security have been studied in the past decades; opacity is one such example. Opacity is an information flow property that identifies whether or not a secret is released to an external observer of the behavior of a known dynamic system. We refer to the external observer as the intruder in this paper.

The notion of opacity was introduced in the field of discrete event systems in [1], where the system is modeled as a Petri net. Later, a variety of notions of opacity were introduced to cope with different security requirements. Current-state opacity [2], initial-state opacity [3], initial-and-final-state opacity [4], -step opacity [5, 6], infinite-step opacity [7], and language-based opacity [8] are some examples of state-based and language-based opacity notions. In [4], polynomial-time algorithms are presented to transform the verification of current-state, initial-state, initial-and-final-state opacity, and language based-opacity to one another. In this paper, we study the verification of current-state and -step opacity under the framework of modular discrete event systems. A system is said to be current-state opaque if the intruder can never know for sure that the current state of the system is a secret state. On the other hand, a system is -step opaque if the intruder cannot determine if the system had entered a secret state within the previous steps of its observed behavior (i.e., it is a smoothing property in system-theoretic terminology).

In this paper, we consider a class of modular systems that are modeled as partially observed (or non-deterministic) interacting finite state automata. The monolithic approach to verify any opacity property for modular systems is to synchronize all the components of the system and then use the corresponding verification algorithm on the resulting monolithic system. This approach is limited by the well-known state-space explosion problem, when composing a large number of system components.

Abstraction and modular approaches are standard techniques that can be used to alleviate the state-space explosion problem, either independently or jointly. In the opacity verification problem domain, the verification of initial-state opacity in a modular setting was studied in [9], where it is shown that the system is initial-state opaque if and only if the strings causing violations of opacity are disabled by synchronization. Abstraction-based bisimulation was used in [10] to reduce the complexity of the system when verifying infinite-step opacity. One method to alleviate the state-space explosion problem is the compositional approach based on abstraction. This approach is well-developed for nonblocking verification and supervisor synthesis in modular systems; see, e.g., [11, 12, 13, 14]. The compositional approach seeks to remove and merge states that are redundant for the purpose of verification or synthesis, and it proceeds in an incremental manner in terms of system components.

This paper presents a novel compositional approach for the verification of current-state, infinite-step, and -step opacity. As infinite-step opacity is a limiting case of -step opacity, we mainly focus on current-state and -step opacity. In our framework, each system component is abstracted using a restricted version of observation equivalence or weak bisimulation [15], that we call opaque observation equivalence

. After such abstraction, the current-state estimator

[16] or the two-way observer [17] of each component is generated, depending on which opacity property is to be verified, either current-state or -step. Next, the opacity verification problem is transformed to a suitable nonblocking verification problem. This makes it possible to use well-developed nonblocking verification algorithms to verify the different notions of opacity. In the case of current-state opacity, we show that the transformation to nonblocking leads to an equivalent problem, i.e., we show necessity and sufficiency. In the case of -step opacity, we show sufficiency of the transformation. We used the software tool Supremica [18] to verify current-state opacity of a large modular system using our compositional approach. Specifically, we have successfully verified current-state opacity for a large system containing 43 automata under one minute on a standard laptop computer.

The presentation of our results is organized as follows.  3 gives a brief background about different notions of opacity.  4 explains the general compositional opacity problem. Next, Sections 5 and 7 explain the compositional approach for current-state and -step opacity, respectively. Our experimental results on a scaled-up example are presented in  8. Finally, some concluding remarks can be found in  9.

## 3 Modeling framework

### 3.1 Automata and their composition

Discrete system behaviors can be modeled by deterministic or nondeterministic automata.

A (nondeterministic) finite-state automaton is a tuple , where is a finite set of events, is a finite set of states, is the state transition relation, and is the set of initial states.  is deterministic if and if and always implies that . When marking is important the above definition can be extended to , where is the set of marked states. In this paper, we identify marked states in the figures using gray shading.

We assume that the intruder can only partially observe the system. Thus, is partitioned into two disjoint subsets, the set of observable events and the set of unobservable events. Since the identity of unobservable events are irrelevant they are all replaced by a special event . The event is never included in the alphabet , unless explicitly mentioned. For this, is used [11]. Nondeterministic automata hereafter may contain transitions labeled by . However, since represents unobservable events, deterministic automata will never have transitions. In opacity problems, the set of states is also partitioned into two disjoint subsets: the set of secret states and the set of non-secret states.

When automata are brought together to interact, lock-step synchronization in the style of [19] is used. Let and be two nondeterministic automata, with sets of secret states and . The synchronous composition of and is defined as

 G=G1\syncG2=⟨Σ1∪Σ2,Q1×Q2,\intrans,\initstateset[1]×\initstateset[2],Qm1×Qm2⟩ (1)

where

 (x1,x2)\trans[σ](y1,y2)if σ∈(\ACT1∩\ACT2),x1\trans[σ]1y1, and x2\trans[σ]2y2;(x1,x2)\trans[σ](y1,x2)if σ∈(\ACT1∖\ACT2) ∪{τ}and x1\trans[σ]1y1;(x1,x2)\trans[σ](x1,y2)if σ∈(\ACT2∖\ACT1) ∪{τ}and x2\trans[σ]2y2;

and where the set of secret states of , , is defined in one of the two following ways:

1. ,

2. .

Importantly, this definition of synchronous composition only imposes lock-step synchronization on common events in .

In the following, whenever necessary, we use the notations and to show that the secret states of synchronous composition are defined as in  3.1 1 or 2, respectively. When is used, a synchronized state is considered secret if all the composed states are secret. In however, if one of the states of the synchronized state is secret, then the synchronized state is considered secret. and are the first natural constructs for joint secrecy.

is the set of all finite traces of events from , including the empty trace . The natural projection is the operation that removes from traces all events not in , which affects only event in our setting.

The transition relation of an automaton is written in infix notation , and it is extended to strings in by letting for all , and if and for some . Furthermore, means that for some , and means that for some . These notations also apply to state sets, where for means that for some and , and to automata, where means that , etc.

For brevity, , with , denotes the existence of a string such that and . Thus, , , means a path containing exactly the events in , while , , means existence of a path between and with arbitrary number of events between the events of . Similarly, denotes the existence of a string such that .

The language of an automaton  is defined as and the language generated by from is . Thus we do not include event in the strings in the language of an automaton. Moreover, from  3.1, it follows that if and only if and , where , for (and these functions are extended to strings in the usual manner).

Renamings and are two maps such that and . Renamings are extended to traces by applying them to each event, and to languages by applying them to all traces. They are also extended to automata with alphabet  by replacing all transitions with and .

Given an automaton the reversed automaton of is a non-deterministic automaton where and all states are considered to be initial [4]. For non-deterministic automaton , the set of unobservably reached states of , is . The observer automaton is a deterministic automaton, where and , and , where , if and only if . By convention, in this paper only reachable states from under are considered in . Also, we will refer to the observer automaton as the current-state estimator, abbreviated as CSE.

In this paper, the special blocking event is used to label additional transitions going out of a special set of states, termed -states and denoted by . Let be a deterministic automaton with set of -states . Then is a deterministic automaton such that is a new state, , which means that all the original states are marked, and

 \transψ=\trans∪{(x,ψ,\dumpstate) | x∈Xψ} (2)

This “-transformation” will be used later on to transform opacity verification to nonblocking verification. To check if a specific state of the system can be reached, the state can be considered as a -state and nonblocking verification can be done on the transformed system, termed the -system. In our setting the -states are the states that violate opacity.

Another common automaton operation is the quotient modulo an equivalence relation on the state set.

Let be a set. A relation is called an equivalence relation on  if it is reflexive, symmetric, and transitive. Given an equivalence relation  on , the equivalence class of is , and is the set of all equivalence classes modulo .

Let be an automaton and let be an equivalence relation. The quotient automaton of modulo  is

 ~G=⟨Στ,~Q,\intrans\modsim,~Q\init⟩ , (3)

where and .

### 3.2 Notions of opacity

In general, opacity addresses the issue whether an intruder observing the system, and knowing the model of the system, can determine for sure if the system is in a secret state. There are different notions of opacity in the literature. It is shown in [4] that initial, final, current-state, and language-based opacity can be transformed to one another with polynomial-time algorithms for verification purposes. Moreover, infinite-step opacity is a limiting case of -step opacity. Thus, in this paper, we mainly address the verification of current-state opacity first, and then that of -step opacity, which cannot be transformed to current-state opacity for verification purposes. We recall the formal definitions of these properties in the context of the framework of this paper. A non-deterministic automaton with event set and set of secret states is current-state opaque, with respect to if and only if

 (∀q0∈Qo,∀s∈\LANG(G,q∘) : q∘\ttrans[s]QS)(∃q′∘∈Qo) such~{}that [ q′∘\ttrans[s]QNS]

The system is current-state opaque if an intruder cannot determine whether the system is currently in a secret state or not.

A non-deterministic automaton with event set and set of secret states is infinite-step opaque, with respect to

 (∀q0∈Qo,∀st∈\LANG(G,q∘) : q∘\ttrans[s]QS)(∃q′∘∈Qo) such~{}that [ q′∘\ttrans[s]QNS∧q′∘\ttrans[st]]

The system is infinite-step opaque if an intruder cannot determine whether the system ever was in a secret state or not at any time in the past.

A non-deterministic automaton with event set and set of secret states is -step opaque, with respect to

 (∀q0∈Qo,∀st∈\LANG(G,q∘) : q∘\ttrans[s]QS∧|t|≤K)(∃q′∘∈Qo) such~{}that [ q′∘\ttrans[s]QNS∧q′∘\ttrans[st]]

The system is -step opaque if the entrance of the system into a secret state remains uncertain for an intruder after up to future observations. Hence, 0-step opacity is equivalent to current-state opacity, and when , then -step opacity becomes infinite-step opacity [7].

It is shown in [16] that current-state opacity can be verified by building the standard observer automaton. [16] Let be a non-deterministic automaton with set of secret states . Let be the current-state estimator of . Then is current-state opaque with respect to if and only if for all it holds that .

The verification of infinite-step and -step opacity is considered in [5] and [7], respectively, where these properties were first introduced. Recently, a new approach for the verification of infinite and -step opacity was introduced, which relies on building the so-called two-way observer of the system [17]. We will leverage this latter approach in the development of our results. Again, we recall relevant definitions and results, restated in the context of our framework. [17] Let be a non-deterministic automaton and be the reversed automaton of . Let and . The two-way observer of is the deterministic automaton obtained by:

 H=Δ(det(G))\syncΔR(det(GR))

[17] Let be a non-deterministic automaton with set of secret states . Let and and let be the two-way observer of . Then is infinite-step opaque with respect to if and only if

 H\trans[s](h1,h2) implies [h1∩h2⊈QS∨h1∩h2=∅] (4)

The system is infinite-step opaque if for all the reachable states of the two-way observer, the intersection of the first with the second components is not a subset of the secret states of the system or it is empty.

[17] Let be a non-deterministic automaton with set of secret states . Let and and let , with , be the two-way observer of . Let . Then is -step opaque with respect to if and only if, for any string such that , we have that

 [ h1∩ h2⊆QS∧ h1∩h2≠∅ ] ⇒ |PΔ(s)|>K.

Consider automaton in  1. Assume that the set of secret states is ; we have that and . In the figure and are the current-state estimator and the two-way observer of , respectively. In the states are:

• ,

• ,

• ,

• ,

• ,

• ,

• ,

• ,

• .

The system is current-state opaque as the intruder cannot distinguish between and . Automaton confirms that the system is current-state opaque since there is no state in which is subset of 3.2). However, the system is not infinite-step opaque, because after observing event the intruder will know that system was in and . The two-way observer confirms this result as in the state we have 3.2). The system is not step opaque either since and but and 3.2).

## 4 Compositional opacity verification

This section describes the general framework of transforming current-state opacity and -step opacity to nonblocking verification. Since infinite-step opacity is a limiting case of -step opacity, a specific treatment of this property is omitted hereafter; instead, we make relevant observations about it in our discussion; see  7. Note that current-state opacity is also a special case of -step opacity. However, since verification of current-state opacity requires building the current state estimator and not the two-way observer, we address current-state opacity separately from -step opacity.

The input to the algorithm is a modular nondeterministic system. A modular system is a collection of interacting components

 \SYSG=G1\sync⋯\syncGn . (5)

The compositional opacity verification algorithm is summarized in  2 and the steps are as follow:

1. At the first of the compositional opacity verification, the modular system (5) is abstracted, using opaque observation equivalence. Each automaton may be replaced by an abstracted version, , with less states or transitions.

2. Next, the current-state estimators, in the case of current-state opacity verification, or the two-way observers, in the case of -step opacity verification, of the individual abstracted components are built, in  2.

3. Next, the opacity verification problem is transformed to nonblocking verification problem. The states of the individual current-state estimators or the two-way observers that violate opacity are identified and transitions to blocking states from those states are added, resulting in in  2.

4. Compositional nonblocking verification is used to verified opacity problem. In compositional nonblocking verification, the synchronous composition is computed gradually, abstracting each intermediate result again. Eventually, the procedure leads to a single automaton, denoted by , which due to the abstraction process has less states and transitions compared to the original system. Once is found, it is used for nonblocking verification. The system is current-state opaque if and only if is nonblocking and it is -step opaque if is nonblocking.

Our motivation for proceeding as above is that compositional nonblocking verification has been well studied and it has shown very promising results [11, 12].

The monolithic approach to verify opacity, first synchronizes all the component of the system and builds the monolithic current-state estimator or two-way observer of the system. As the number of the states of the synchronized product grows exponentially with the number of components, the complexity of building the CSE or the two-way observer of the whole system is . In contrast, the complexity of generating modular CSEs or two-way observers, instead of their monolithic counterparts, is , which is significantly smaller. In addition, the proposed approach in this paper not only avoid building synchronized product of the whole system, but it also abstracts the components and reduces the number of the states of each component before the construction of CSEs or two-way observers.  2 illustrates the steps of compositional opacity verification for the two cases of and . The subsequent sections formally develop this approach.

## 5 Compositional current-state opacity verification

This section describes compositional current-state opacity verification. First,  5.1 describes the abstraction methods that preserve current-state opacity. Next,  5.2 describes that individual current-state estimators can be built instead of the monolithic current-state estimator. Finally,  5.3 explains the transformation of current-state opacity verification to compositional nonblocking verification.

### 5.1 Opaque observation equivalence

At the first stage of compositional opacity verification, individual nondeterministic components are replaced by their abstracted opaque equivalent components, step (i) in  2.

Bisimulation equivalence and observation equivalence are two well-known abstraction methods [20] to abstract the state space of an automaton. Bisimulation considers states to be equivalent if they have outgoing transitions with the same events, including unobservable events, to equivalent states. Observation equivalence is more general than bisimulation as it ignores the unobservable events (namely, event in our set-up).

[20] Let be a non-deterministic automaton. An equivalence relation is called an observation equivalence on , if the following holds for all such that : if for some , then there exists such that , and .

In order to use observation equivalence for abstraction in our compositional opacity verification methodology, the set of secret states needs to be taken into account. For this purpose, a restricted version of observation equivalence called opaque observation equivalence is defined.

Let be a non-deterministic automaton with set of secret states and set of non-secret states . An equivalence relation is called an opaque observation equivalence on  if the following holds for all such that :

1. if for some , then there exists such that , and ,

2. if and only if .

Opaque observation equivalence considers two states to be equivalent if they have the same secret property and from both of them equivalent states can be reached by the same sequences of events aside from the event.

We present our first result on the use of opaque observation equivalence in the verification of opacity. (In the sequel, for the sake of simplicity of notation, we will denote the event set of non-deterministic automata by , with the understanding that some transitions may be labeled by .)

Let be a non-deterministic system with for interaction, where each automaton has set of secret states . Hence, the set of secret states of the system is , where . Let be an opaque observation equivalence on such that . Then is current-state opaque if and only if is current-state opaque.

Proof:

Consider . Then , where . Let and . It suffices to show that if is not current-state opaque then is not current-state opaque either, and vice versa.

1. Assume that is not current-state opaque. Then there exists such that and or , and there does not exist such that . From it follows that and .

From there does not exist such that , it follows that for all such that it holds that or for all such that it holds that . Moreover, since and are opaque observation equivalent from and based on  5.1, it follows that such that . Now, consider three cases:

1. and . Then from and , it follows that . State is also considered secret as . Since for all such that it holds that , then such that does not exist. Thus, is not current-state opaque.

2. and . Then from and , it follows that . As based on Definition 5.1, it holds that for all , and , which implies that is a secret state. Since for all such that it holds that , based on Definition 5.1 it follows that for all such that it holds that . Thus, such that does not exist, which means that is not current-state opaque.

3. and . Then the proof follows from 1a and 1b.

2. Assume that is not current-state opaque. Then there exists such that or and there does not exists such that and . From , it follows that and . From there does not exist such that , it follows that for all such that it holds that or for all such that it holds that . Moreover, since and are opaque observation equivalent from and based on Definition 5.1, it follows that there exists such that .

Again, consider three cases:

1. and . The proof is similar to 1a.

2. and . Then as it holds that for all also . Thus, from and it follows that there exists , where is considered a secret state. Since for all such that it holds that , then by Definition 5.1 it holds that for all such that it holds that . This means that such that does not hold, which implies that is not current-state opaque.

3. and . Then the proof follows from 2a and 2b.

5.1 illustrates that the components of a modular system that are interacting by can be abstracted using opaque observation equivalence while preserving the current-state opacity property. If is used for interaction, a similar result holds and the following corollary can be proved.

Let be a non-deterministic system with for interaction and with the set of secret states . Let be an opaque observation equivalence on such that . Then is current-state opaque if and only if is current-state opaque. Proof:

Consider . It suffices to show that if is not current-state opaque then is not current-state opaque either and vice versa. Let and .

1. If is not current-state opaque. Then there exists such that and , and there does not exist such that and or . This means, there does not exist or such that