A process calculus approach to correctness enforcement of PLCs (full version)⋆

Ruggero Lanotte¹, Massimo Merro², and Andrei Munteanu²

¹ Università dell'Insubria, Como, Italy
² Università degli Studi di Verona, Verona, Italy

⋆ An extended abstract will appear in the CEUR Workshop Proceedings of ICTCS [19].
Abstract.
We define a simple process calculus, based on Hennessy and Regan's Timed Process Language, for specifying networks of communicating programmable logic controllers (PLCs) enriched with monitors enforcing specification compliance at runtime. We define a synthesis algorithm that, given an uncorrupted PLC, returns a monitor that enforces the correctness of the PLC, even when injected with malware that may forge/drop actuator commands and inter-controller communications. Then, we strengthen the capabilities of our monitors by allowing the insertion of actions to mitigate malware activities. This gives us deadlock-freedom monitoring: malware may not drag monitored controllers into deadlock states. Last but not least, our enforcing monitors represent an effective formal mechanism for prompt detection of malicious activities within PLCs.
Keywords:
Process calculus · PLC correctness · Runtime enforcement · Malware detection.
1 Introduction

Industrial Control Systems (ICSs) are distributed systems controlling physical processes via programmable logic controllers (PLCs) connected to sensors and actuators. PLCs have an ad-hoc architecture to execute simple processes known as scan cycles. Each scan cycle consists of three phases: (i) reading of the sensor measurements of the physical process; (ii) derivation of the commands to guide the evolution of the physical process; (iii) transmission of the calculated commands to the actuator devices.

Published scan data show how thousands of PLCs are directly accessible from the Internet [28]. When this is not the case, PLCs are often connected to each other in field communications networks, opening the way to the spreading of worms such as the PLC-Blaster worm [30] or the PLC PIN Control attack [3]. As a consequence, extra trusted hardware components have been proposed to enhance the security of ICS architectures [25,26]. In this respect, McLaughlin [25] proposed to add a policy-based enforcement mechanism to mediate the actuator commands transmitted by the PLC to the physical plant, whereas Mohan et al. [26] introduced an architecture in which every PLC runs under the scrutiny of a monitor which looks for deviations with respect to safe behaviours; if the behaviour of the PLC is not as expected then the control passes to a safety controller which maintains the plant within the required safety margins.

Both architectures above have been validated by means of simulation-based techniques. However, as far as we know, formal methodologies have not yet been used to model and formally verify security-oriented architectures for ICSs.

The goal of the paper is to verify the effectiveness of a process calculus approach to formalise runtime enforcement of specification compliance in networks of PLCs injected with colluding malware that may forge/drop both actuator commands and inter-controller communications. Process calculi represent a successful and widespread formal approach in concurrency theory relying on a variety of behavioural equivalences (e.g., trace equivalence and bisimilarity) for studying complex systems, such as IoT systems [16,9,17] and cyber-physical systems [21], and used in many areas, including verification of security protocols [1,2] and security analysis of cyber-physical attacks [20]. On the other hand, runtime enforcement [29,22,12] is a powerful verification/validation technique aiming at correcting possibly-incorrect executions of a system under scrutiny (SuS) via a kind of monitor that acts as a proxy between the SuS and its environment.

Thus, we propose to synthesise a proxy from an uncorrupted PLC, to form a monitored PLC ensuring:
– observation-based monitoring, i.e., the proxy should only look at the observables of the PLC, and not at its internal execution;
– transparency, i.e., the semantics of the monitored PLC must not differ from the semantics of the genuine (i.e., uncorrupted) PLC;
– sound execution of the monitored PLC, to prevent incorrect executions;
– deadlock-freedom, i.e., an injected malware may not drag a monitored PLC into a deadlock state;
– prompt detection of PLC misbehaviours to raise alarms addressed to system engineers (who will reinstall an obfuscated variation of the code of the PLC);
– mitigation of malicious activities within the monitored PLC.

Obviously, if the PLC is compromised then its correct execution can only be enforced with the help of an extra component, a secured proxy, as advocated by McLaughlin [25] and Mohan et al. [26]. This means that any implementation of our proposed proxy should be bug-free to deal with possible infiltrations of malware. This may seem as if we have just moved the problem over to securing the proxy. However, this is not the case, because the proxy only needs to enforce correctness at runtime, while the PLC controls its physical process relying on malware-prone communications via the Internet or the USB ports. Of course, by no means should runtime reconfigurations of the secure proxy be allowed. We do not deal with alterations of sensor signals within a PLC, as they can already be altered either at the network level or within the sensor devices [13].
Contribution. We define a simple timed process calculus, based on Hennessy and Regan's Timed Process Language (TPL) [14], for specifying networks of communicating monitored controllers, possibly injected with colluding malware that may forge/drop both actuator commands and inter-controller communications. Monitors are formalised in terms of a sub-class of finite-state Ligatti et al.'s edit automata [22]. A network composed of n PLCs Ctrl_i, running in parallel, each of which injected with a malware Malw_i and enforced by a monitor Mon_i, is represented as:

  Mon₁ ⊢ {Ctrl₁ | Malw₁} ∥ ... ∥ Mon_n ⊢ {Ctrl_n | Malw_n}.

Here, the parallel process Ctrl_i | Malw_i is a formal abstraction of the sequential execution of the PLC code Ctrl_i injected with the malware Malw_i.

Then, we propose a synthesis function ⟦−⟧ that, given an uncorrupted deterministic PLC Ctrl, returns, in polynomial time, a syntactically deterministic [4] edit automaton ⟦Ctrl⟧ to form a monitored PLC that ensures: observation-based monitoring, transparency, sound execution of the monitored PLC, and prompt detection of alterations of the behaviour of the monitored PLC. All these properties can be expressed with a single algebraic equation:

  ∏_{i=1}^{n} ⟦Ctrl_i⟧ ⊢ {Ctrl_i | Malw_i}  ≃  ∏_{i=1}^{n} go ⊢ {Ctrl_i}    (1)

for arbitrary malware Malw_i, where ≃ denotes trace equivalence and go is the monitor that allows any action. Here, intuitively, each monitor ⟦Ctrl_i⟧ prevents incorrect executions of the compromised controller Ctrl_i | Malw_i.

However, our monitors do not protect against malware that may drag a monitored PLC into a deadlock state. In fact, Equation 1 does not hold with respect to weak bisimilarity, which is a notoriously deadlock-sensitive semantic equivalence. Thus, in order to achieve deadlock-freedom, we equip our monitors with the semantic capability to mitigate those malicious activities that may deadlock the controller. In practice, our monitors will be able to insert actions, i.e., to emit correct actions in full autonomy to complete scan cycles. The enforcement resulting from the introduction of mitigation allows us to recover deadlock-freedom monitoring by proving Equation 1 with respect to weak bisimilarity.

Outline.
Section 2 defines our process calculus to express monitored controllers injected with malware. Section 3 provides a non-trivial and modular use case in the context of water transmission networks. Section 4 defines an algorithm to synthesise our monitors. Section 5 introduces mitigation to recover deadlock-freedom. Section 6 draws conclusions and discusses related work. Full proofs can be found in the appendix.
2 The calculus

We define our process calculus as an extension of Hennessy and Regan's TPL [14]. Let us start with some preliminary notation. We use s, s_k ∈ Sens for sensor signals, a, a_k ∈ Act for actuator commands, and c, c_k ∈ Chn for channel names.

Table 1. LTS for controllers
(Rec)         if S{rec X.S/X} —α→ S′ then rec X.S —α→ S′
(TimeS)       tick.S —tick→ S
(ReadS)       if j ∈ I then ⌊∑_{i∈I} s_i.S_i⌋S —s_j→ S_j
(TimeoutS)    ⌊∑_{i∈I} s_i.S_i⌋S —tick→ S
(InC)         if j ∈ I then ⌊∑_{i∈I} c_i.C_i⌋C —c_j→ C_j
(TimeoutInC)  ⌊∑_{i∈I} c_i.C_i⌋C —tick→ C
(OutC)        ⌊c̄.C₁⌋C₂ —c̄→ C₁
(TimeoutOutC) ⌊c̄.C₁⌋C₂ —tick→ C₂
(WriteA)      a.A —a→ A
(End)         end.P —end→ P
Controller. In our setting, controllers are nondeterministic sequential timed processes evolving through three different phases: sensing of sensor signals, communication with other controllers, and actuation. For convenience, we use four different syntactic categories to distinguish the four main states of a controller: Ctrl for initial states, Sens for sensing states, Comm for communication states, and Act for actuation states. In its initial state, a controller is a recursive process starting its scan cycle in the sensing phase:

  Ctrl ∋ P ::= rec X.S

Notice that, due to the cyclic behaviour of controllers, the process variable X may syntactically occur only in the last phase, actuation. We assume time-guarded recursion to avoid undesired zeno behaviours. Intuitively, in time-guarded recursion the process variable must occur prefixed by at least one timed action tick.

During the sensing phase, the controller waits for a finite number of admissible sensor signals. If none of those signals arrives in the current time slot then the controller will timeout, moving to the following time slot (we adopt the TPL construct ⌊·⌋· for timeout). The controller may also sleep for a while, waiting for sensor signals to become stable. The syntax is the following:

  Sens ∋ S ::= ⌊∑_{i∈I} s_i.S_i⌋S  |  tick.S  |  C

Once the sensing phase is concluded, the controller starts its calculations, which may depend on communications with other controllers. Controllers communicate with each other for mainly two reasons: either to receive notice about the state of other physical sub-processes or to require an actuation on a different physical process that will have an influence on the physical process governed by the controller. We adopt a channel-based handshake point-to-point communication paradigm. As PLCs usually work under timing constraints, our communication is always under timeout. The syntax for the communication phase is:

  Comm ∋ C ::= ⌊∑_{i∈I} c_i.C_i⌋C  |  ⌊c̄.C⌋C  |  A

In the communication phase, the controller may either listen on a finite number of communication channels or transmit on specific channels to pass some local information. Finally, in the actuation phase the controller eventually transmits a finite sequence of commands to a number of different actuators, and then it emits a special signal end to denote the end of the scan cycle. After that, it restarts its cycle in the sensing phase via a recursive call denoted with a process variable X. In order to ensure semantics closure, we also have a construct end.P which will only be generated at runtime but never used to write PLC programs.

  Act ∋ A ::= a.A  |  end.X  |  end.P
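To fix intuitions, the following Python fragment renders the four syntactic categories as an abstract syntax tree. It is an illustrative sketch of ours, not part of the formal development: the class names (Rec, Read, Tick, In, Out, Write, End) and field names are hypothetical choices.

```python
# A sketch of the controller syntax Ctrl/Sens/Comm/Act as Python dataclasses.
# Timeout constructs |...| S are encoded by an explicit `timeout` continuation.
from dataclasses import dataclass
from typing import Dict, Union

Proc = Union["Rec", "Read", "Tick", "In", "Out", "Write", "End"]

@dataclass
class Rec:            # rec X.S : initial state, the scan cycle starts in sensing
    body: Proc

@dataclass
class Read:           # |sum_i s_i.S_i| S : sensor branches with timeout S
    branches: Dict[str, Proc]
    timeout: Proc

@dataclass
class Tick:           # tick.S : sleep for one time slot
    cont: Proc

@dataclass
class In:             # |sum_i c_i.C_i| C : channel inputs under timeout
    branches: Dict[str, Proc]
    timeout: Proc

@dataclass
class Out:            # |c-bar.C1| C2 : channel output under timeout
    chan: str
    cont: Proc
    timeout: Proc

@dataclass
class Write:          # a.A : actuator command
    act: str
    cont: Proc

@dataclass
class End:            # end.X : end of the scan cycle, loop back to the rec binder
    pass

# e.g. the one-sensor controller rec X. tick.|l.close.end.X|(end.X)
P = Rec(Tick(Read({"l": Write("close", End())}, End())))
```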
Remark 1 (Scan cycle duration and maximum cycle limit). Notice that any scan cycle of a PLC must be completed within a maximum cycle limit, which depends on the controlled physical process; if this time limit is violated the PLC stops and throws an exception [30]. Thus, the signal end must occur well before the maximum cycle limit. We assume that our PLCs successfully complete their scan cycle in less than half of the maximum cycle limit.

The operational semantics of controllers is given in Table 1. It is very much along the lines of Hennessy and Regan's TPL [14]. In the following, we use the metavariables α and β to range over the set of possible actions: {s, a, ā, c̄, c, τ, tick, end}. These actions denote: sensor readings, actuator commands, drops of actuator commands, channel transmissions, channel receptions/drops, internal actions, passage of time, and end of a scan cycle, respectively.

Malware.
Let us provide a formalisation of the malware code that we assume may be injected in a controller to compromise its runtime behaviour. The kind of malware we wish to deal with may perform the following malicious activities:
– forging fake channel transmissions towards other controllers (via actions c̄);
– dropping incoming communications from other controllers (via actions c);
– forging fake actuator commands (via actions a);
– dropping actuator commands launched by the controller (via actions ā).
The formal syntax of the admitted malware is the following:

  Malw ∋ M ::= ⌊∑_{i∈I} µ_i.M_i⌋M  |  rec X.M  |  X  |  tick.M  |  nil

where the prefixes µ_i ∈ {c, c̄, a, ā}, for i ∈ I, denote the possible malicious actions mentioned above. Again, we assume time-guarded recursion to avoid undesired zeno behaviours introduced by the malware; that is, a malware can never prevent the passage of time ad infinitum in a controller.

A straightforward operational semantics is given in Table 2. In general, malware that aims to take control of the plant has no interest in delaying the scan cycle and risking the violation of the maximum cycle limit, whose consequence would be the immediate shutdown of the controller [30].

Table 2. LTS for malware code
(Malware)   if j ∈ I then ⌊∑_{i∈I} µ_i.M_i⌋M —µ_j→ M_j
(TimeoutM)  ⌊∑_{i∈I} µ_i.M_i⌋M —tick→ M
(RecM)      if M{rec X.M/X} —α→ M′ then rec X.M —α→ M′
(TimeM)     tick.M —tick→ M
(TimeNil)   nil —tick→ nil

Table 3. LTS for compromised controllers
(Ctrl)     if Z —α→ Z′ and α ≠ tick then Z | M —α→ Z′ | M
(Inject)   if M —α→ M′ and α ∉ {tick, ā} then Z | M —α→ Z | M′
(DropAct)  if Z —a→ Z′ and M —ā→ M′ then Z | M —τ→ Z′ | M′
(TimePar)  if Z —tick→ Z′ and M —tick→ M′ then Z | M —tick→ Z′ | M′

Compromised controller.
In our setting, a compromised controller is a controller that may potentially run in parallel with an arbitrary piece of malware. The syntax is the following:

  Z ::= P | S | C | A
  CCtrl ∋ J ::= Z  |  Z | M

where Z ∈ Ctrl ∪ Sens ∪ Comm ∪ Act denotes a controller in an arbitrary state, and | is the standard process algebra construct for parallel composition. The operational semantics of a compromised controller is given by the transition rules of Table 3. Rule (Ctrl) models the genuine behaviour of the controller, even in the presence of the malware (possibly waiting for a proper trigger). Rule (Inject) denotes the injection of a malicious action fabricated by the malware. Rule (DropAct) models the drop of an actuator command a; in this manner, the command a never reaches its intended actuator device. Rule (TimePar) models time synchronisation between the controller and the malware (we recall that malware cannot exhibit zeno behaviours).

Remark 2 (Attacks on channels). Notice that injection/drop on communication channels affects the interaction between controllers and not within them. For this reason, we do not have a rule for channels similar to (DropAct). Inter-controller malicious activities on communication channels will be prevented by the monitor.
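The four rules of Table 3 can also be read operationally as a small step function. The sketch below is ours and makes simplifying assumptions: both components are given as plain transition maps state -> [(action, next_state)], and a drop co-action ā is encoded with an illustrative "~" prefix.

```python
# A hedged sketch of Table 3: the moves of a compromised controller Z | M.
def compromised_steps(ctrl, malw, z, m):
    moves = []
    for act, z2 in ctrl.get(z, []):
        if act != "tick":                                 # rule (Ctrl)
            moves.append((act, z2, m))
    for act, m2 in malw.get(m, []):
        if act != "tick" and not act.startswith("~"):     # rule (Inject)
            moves.append((act, z, m2))
    for act, z2 in ctrl.get(z, []):                       # rule (DropAct): a meets ~a
        for mact, m2 in malw.get(m, []):
            if mact == "~" + act:
                moves.append(("tau", z2, m2))
    zt = [z2 for a, z2 in ctrl.get(z, []) if a == "tick"]
    mt = [m2 for a, m2 in malw.get(m, []) if a == "tick"]
    if zt and mt:                                         # rule (TimePar)
        moves.append(("tick", zt[0], mt[0]))
    return moves

ctrl = {"A0": [("on", "A1")], "A1": [("end", "S0")]}
malw = {"M0": [("~on", "M1")], "M1": [("tick", "M1")]}
print(compromised_steps(ctrl, malw, "A0", "M0"))
# -> [('on', 'A1', 'M0'), ('tau', 'A1', 'M1')]
```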
Monitored controller(s).
The core of our runtime enforcement relies on a (timed) sub-class of finite-state Ligatti et al.'s edit automata [22], i.e., a particular class of automata specifically designed to modify/suppress/insert actions in a generic system in order to preserve its correct behaviour. Their syntax follows:

  Edit ∋ E ::= go  |  ∑_{i∈I} α_i/β_i.E_i  |  rec X.E  |  X

Intuitively, the automaton go will admit any action of the monitored system, while the edit automaton ∑_{i∈I} α_i/β_i.E_i replaces actions α_i with β_i, and then continues as E_i, for any i ∈ I, with I finite. The operational semantics of our edit automata is the following:

(Go)    go —α/α→ go
(Edit)  if j ∈ I then ∑_{i∈I} α_i/β_i.E_i —α_j/β_j→ E_j
(recE)  if E{rec X.E/X} —α/β→ E′ then rec X.E —α/β→ E′

When an edit automaton performs a transition labelled α/β, with α ≠ τ and β = τ, we say that the automaton suppresses the observable action α.

Our monitored controllers, written E ⊢ {J}, are constituted by a (potentially) compromised controller J and an edit automaton E enforcing the behaviour of J according to the following transition rule for correction/suppression:

(Enforce)  if J —α→ J′ and E —α/β→ E′ then E ⊢ {J} —β→ E′ ⊢ {J′}.

In a monitored controller E ⊢ {J} with no malware inside, the enforcement never occurs, i.e., in rule (Enforce) we always have α = β, and the two components E and J evolve in a tethered fashion, moving through related correct states.

We can easily generalise the concept of monitored controller to a field communications network of parallel monitored controllers, each one acting on different actuators, and exchanging information via channels. These networks are formally defined via the grammar:

  FNet ∋ N ::= E ⊢ {J}  |  N ∥ N

and described via the operational semantics given in Table 4. Notice that monitored controllers may interact with each other via channel communication. Moreover, they may evolve in time when no communication occurs (we recall that neither controllers nor malware admit zeno behaviours). This ensures maximal progress [14], a desirable time property when modelling real-time systems: communications are never postponed to future time slots.

Table 4. LTS for monitored field communications networks
(ParL)     if N₁ —α→ N₁′ then N₁ ∥ N₂ —α→ N₁′ ∥ N₂
(ParR)     if N₂ —α→ N₂′ then N₁ ∥ N₂ —α→ N₁ ∥ N₂′
(ChnSync)  if N₁ —c̄→ N₁′ and N₂ —c→ N₂′ then N₁ ∥ N₂ —τ→ N₁′ ∥ N₂′
(TimeSync) if N₁ —tick→ N₁′, N₂ —tick→ N₂′, and N₁ ∥ N₂ cannot perform τ, then N₁ ∥ N₂ —tick→ N₁′ ∥ N₂′

Having defined the operational semantics of a monitored field network, we can easily concatenate single transitions to define execution traces.

Definition 1 (Execution traces). Given a trace t = α₁ ... α_k, we write N —t→ N′ as an abbreviation for N = N₀ —α₁→ N₁ —α₂→ ··· —α_{k−1}→ N_{k−1} —α_k→ N_k = N′.

Execution traces can be used to formally define both notions of anomaly detection and correction, achieved by the monitoring edit automaton. Intuitively, the detection occurs whenever the edit automaton does not allow the execution of a certain observable action α proposed by a compromised controller; if α is replaced with a different action β then the automaton does: (i) correction, if β ≠ τ, and (ii) suppression, if β = τ.
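Before the formal definitions, the following sketch (our own, with illustrative encodings) runs a single (Enforce) step and reports a verdict. A monitor state maps each action α to a pair (β, next state); an action absent from the table is suppressed in place, mirroring the ∑ α/τ summands of the automata synthesised later.

```python
# A sketch of rule (Enforce) with detection verdicts: monitors are tables
# mapping state -> {alpha: (beta, next_state)}; any action missing from the
# table is suppressed in place (beta = "tau").
def enforce(monitor, state, alpha):
    beta, nxt = monitor[state].get(alpha, ("tau", state))
    if beta == alpha:
        return beta, "allowed", nxt
    if beta == "tau":
        return beta, "anomaly: suppressed", nxt
    return beta, "anomaly: corrected", nxt

# toy monitor accepting the trace l.close.end, cyclically
mon = {"E0": {"l": ("l", "E1")},
       "E1": {"close": ("close", "E2")},
       "E2": {"end": ("end", "E0")}}
print(enforce(mon, "E0", "l"))     # ('l', 'allowed', 'E1')
print(enforce(mon, "E0", "open"))  # ('tau', 'anomaly: suppressed', 'E0')
```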
Definition 2 (Anomaly detection and correction). Let E ⊢ {J} be a monitored controller, with J = P | M being a compromised controller. We say that the edit automaton E detects an anomaly of J during the execution of some observable action α in the trace tα, only if:
– P —t→ Z (i.e., t is a genuine trace of P);
– J —tα→ J′, for some J′;
– E ⊢ {J} —t→ N, for some N (i.e., E does allow the trace t), and E ⊢ {J} —tα→ N, for no N (i.e., E does not allow the trace tα).
We say that E corrects (resp., suppresses) the observable action α of the trace tα of J only if E ⊢ {J} —tβ→ N′, for some action β, with τ ≠ β ≠ α (resp., with β = τ). If P —tα→ Z, for some Z, then we say that there is a false positive when trying the execution of α.

Behavioural equalities. In the paper, we adopt standard behavioural equivalences between (networks of) monitored controllers. In particular, we use trace equivalence, written ≃, weak similarity, denoted ⊑, and weak bisimilarity, written ≈.

3 Use case: a water transmission network

In this section, we describe how to specify in our calculus
TCMC a non-trivial network of PLCs to control a water transmission network (WTN).

Typical WTNs are composed of the following main physical elements: (i) tanks, (ii) pumping stations, (iii) water sources (e.g., boreholes), and (iv) pipes. In order to monitor the status of each element, sensor devices are used to collect measurements regarding flow, pressure, level, and quality of the water that flows in the system. Figure 1 shows a typical configuration found in several water utilities, with the same structure replicated in larger infrastructures. In this setup, borrowed from [6], water is extracted from a water source (e.g., a borehole or another tank) using a pump. The pumps increase the water pressure, which pushes the water into other tanks, which may be located a few kilometres away at a higher elevation. Each tank is equipped with a valve for the elimination of excess water.

Fig. 1. The typical structure of water transport networks

The finite-state machine control logic for WTNs is quite simple. In Table 5, we provide a possible code P_i for the controller PLC_i managing the tank T_i together with its physical devices (sensors and actuators).

Table 5. The code of PLC_i

P_i ≜ rec X.( tick.⌊ l.⌊ ‾turnon_{i−1}.⌊ turnon_i.on.close.end.X + turnoff_i.off.close.end.X ⌋(close.end.X) ⌋(close.end.X)
            + h.⌊ ‾turnoff_{i−1}.⌊ turnon_i.on.open.end.X + turnoff_i.off.open.end.X ⌋(open.end.X) ⌋(open.end.X)
            + m.⌊ turnon_i.on.end.X + turnoff_i.off.end.X ⌋(end.X) ⌋(end.X) )

Here, the PLC waits for one time slot (to get stable sensor signals) and then checks the water level of the tank T_i, distinguishing between three possible states. If the water level is low (signal l) then the PLC sends a request for water to the sub-system i−1 via a channel transmission ‾turnon_{i−1}, addressed to PLC_{i−1}, requiring to turn on its pump. If the request is accepted then PLC_i listens at both channels turnon_i and turnoff_i for water requests coming from PLC_{i+1}. Depending on whether these requests are accepted or not, PLC_i will turn on/off its pump (via commands on or off, respectively), close the valve (via command close), and it will end its scan cycle. If there are no incoming requests from PLC_{i+1} then PLC_i times out, closes the valve, and then ends the scan cycle. Similarly, if the water request ‾turnon_{i−1} is not accepted by PLC_{i−1} in the current time slot then it times out, closes the valve, and finally ends its scan cycle.

If the water level of the tank T_i is high (signal h) then the behaviour of PLC_i is specular to the previous case when a low level is detected (signal l).

Finally, if the water of tank T_i is at some intermediate level between l and h (signal m) then PLC_i listens for water requests originating from PLC_{i+1} to turn on/off the pump. If it gets one of those requests in the current time slot then it reacts accordingly, otherwise it times out and ends the scan cycle. More precisely, if PLC_i gets a turnon_i request then it turns on the pump, letting the water flow from T_i to T_{i+1}; otherwise, if it gets a turnoff_i request then it turns off the pump; in both cases it ends the scan cycle and then returns.

Now, as our calculus can also be used to describe malicious code, in the following we provide a malware M_i for PLC_i, whose target is to empty the water tank T_i:

  M_i ≜ rec X.( tick.⌊ ‾turnoff_{i−1}.⌊ ‾close.X ⌋X ⌋X )

The malware M_i has a cyclic behaviour: it waits for one time slot and then sends a request on channel turnoff_{i−1} to turn off the pump of the sub-system i−1, which pumps water from T_{i−1} to T_i; if the request is accepted then it drops the commands sent by PLC_i to close the valve, in order to completely empty the tank T_i.
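As a sanity check of the control logic just described, the Python fragment below is our informal, sequential rendering of one scan cycle of PLC_i. The parameters are hypothetical abstractions of the sensing and channel phases: `level` is the sensed signal, `upstream_granted` says whether the request to sub-system i−1 was accepted, and `downstream_request` is the (possibly absent) request from PLC_{i+1}, with None standing for a timeout.

```python
# An informal rendering of the scan-cycle logic of PLC_i from Table 5
# (a sketch of ours, not the formal semantics of the calculus).
def scan_cycle(level, upstream_granted, downstream_request):
    actions = []
    if level == "l":                      # low: ask sub-system i-1 for water
        actions.append("send turnon_{i-1}")
        if upstream_granted and downstream_request in ("turnon_i", "turnoff_i"):
            actions.append("on" if downstream_request == "turnon_i" else "off")
        actions.append("close")           # keep the valve closed
    elif level == "h":                    # high: symmetric, ask to stop the pump
        actions.append("send turnoff_{i-1}")
        if upstream_granted and downstream_request in ("turnon_i", "turnoff_i"):
            actions.append("on" if downstream_request == "turnon_i" else "off")
        actions.append("open")            # open the valve to drain excess water
    elif level == "m":                    # medium: only serve downstream requests
        if downstream_request == "turnon_i":
            actions.append("on")
        elif downstream_request == "turnoff_i":
            actions.append("off")
    actions.append("end")                 # end of the scan cycle
    return actions

print(scan_cycle("l", True, "turnon_i"))
# ['send turnon_{i-1}', 'on', 'close', 'end']
```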
In this manner, the tank T_i will not receive incoming water from the contiguous sub-system i−1 and, at the same time, the closure of the valve of T_i is prevented; as a consequence, the tank will finally get empty.

4 Monitor synthesis

In Table 6, we provide a synthesis function ⟦−⟧ that, given a deterministic controller P ∈ Ctrl, returns a syntactically deterministic edit automaton E ∈ Edit enforcing the correct behaviour of P, independently of the presence of an arbitrary malware M ∈ Malw that attempts to inject and/or drop both actuator commands and channel communications.

In the definition of our synthesis, we adopt the following standard notation for co-actions regarding actuator commands and channel communications: Act̄ ≜ {ā | a ∈ Act} and Chn̄ ≜ {c̄ | c ∈ Chn}. Furthermore, we define Act* ≜ Act ∪ Act̄ and Chn* ≜ Chn ∪ Chn̄.

Table 6. The synthesis algorithm ⟦−⟧

⟦rec X.S⟧ ≜ rec X.⟦S⟧
⟦⌊∑_{i∈I} s_i.S_i⌋S⟧ ≜ rec Y.( ∑_{i∈I} s_i/s_i.⟦S_i⟧ + tick/tick.⟦S⟧ + ∑_{α∈Act*∪Chn*} α/τ.Y )
⟦tick.S⟧ ≜ rec Y.( tick/tick.⟦S⟧ + ∑_{α∈Act*∪Chn*} α/τ.Y )
⟦⌊∑_{i∈I} c_i.C_i⌋C⟧ ≜ rec Y.( ∑_{i∈I} c_i/c_i.⟦C_i⟧ + tick/tick.⟦C⟧ + ∑_{α∈Act*} α/τ.Y + ∑_{γ∈Chn*\∪_{i∈I}{c_i}} γ/τ.Y )
⟦⌊c̄.C₁⌋C₂⟧ ≜ rec Y.( c̄/c̄.⟦C₁⟧ + tick/tick.⟦C₂⟧ + ∑_{α∈Act*} α/τ.Y + ∑_{γ∈Chn*\{c̄}} γ/τ.Y )
⟦a.A⟧ ≜ rec Y.( a/a.⟦A⟧ + τ/τ.Y + ∑_{α∈Act*\{a,ā}} α/τ.Y + ∑_{γ∈Chn*} γ/τ.Y )
⟦end.X⟧ ≜ rec Y.( end/end.X + ∑_{α∈Act*∪Chn*} α/τ.Y )

Let us comment on the details of the synthesis function ⟦−⟧ of Table 6. The edit automaton associated to listening on sensor signals allows all incoming signals expected by the controller, together with the passage of time due to eventual timeouts. All other actions are suppressed. The edit automaton associated to the listening on communication channels is similar, except that communications that are not admitted by the controller are suppressed to prevent both drops and injections on system channels, as well as covert communications between colluding malware running in different PLCs. Channel transmissions are allowed only when occurring, in the right order, on those channels intended by the controller; all other actions are suppressed. Only genuine actuator commands (again, in the right order) are allowed. Drops of actuator commands, the only possible intra-controller interaction occurring between the genuine controller and the malware, are allowed because we want an observation-based monitoring. Finally, the monitoring edit automaton and the associated controller do synchronise at the end of each controller cycle via the action end: all other actions emitted by the compromised controller are suppressed, including those actions coming from the genuine controller that was left behind in its execution due to some injection attack mimicking (part of) some correct behaviour. We recall that only the construct end.X (and not end.P) is used to write PLC programs.

As an example, in Table 7 we provide the edit automaton resulting from our synthesis algorithm applied to the PLC introduced in our use case. For simplicity, with a small abuse of notation, we used parametric processes.

Table 7. Edit automaton synthesised from the code P_i of PLC_i of Section 3

⟦P_i⟧ ≜ rec X. rec Y.( tick/tick.ChkLvl + ∑_{α∈Act*∪Chn*} α/τ.Y )
ChkLvl ≜ rec Y.( l/l.Req_l + h/h.Req_h + m/m.Req_m + tick/tick.End + ∑_{α∈Act*∪Chn*} α/τ.Y )
Req_l ≜ rec Y.( ‾turnon_{i−1}/‾turnon_{i−1}.C⟨close⟩ + tick/tick.A⟨close⟩ + ∑_{α∈Act*∪Chn*\{‾turnon_{i−1}}} α/τ.Y )
Req_h ≜ rec Y.( ‾turnoff_{i−1}/‾turnoff_{i−1}.C⟨open⟩ + tick/tick.A⟨open⟩ + ∑_{α∈Act*∪Chn*\{‾turnoff_{i−1}}} α/τ.Y )
Req_m ≜ rec Y.( turnon_i/turnon_i.A⟨on⟩ + turnoff_i/turnoff_i.A⟨off⟩ + tick/tick.End + ∑_{α∈Act*∪Chn*\{turnon_i,turnoff_i}} α/τ.Y )
A(a) ≜ rec Y.( a/a.End + τ/τ.Y + ∑_{α∈Act*\{a,ā}} α/τ.Y + ∑_{γ∈Chn*} γ/τ.Y )
C(a) ≜ rec Y.( turnon_i/turnon_i.On⟨a⟩ + turnoff_i/turnoff_i.Off⟨a⟩ + tick/tick.A⟨a⟩ + ∑_{α∈Act*∪Chn*\{turnon_i,turnoff_i}} α/τ.Y )
On(a) ≜ rec Y.( on/on.A⟨a⟩ + τ/τ.Y + ∑_{α∈Act*\{on,‾on}} α/τ.Y + ∑_{γ∈Chn*} γ/τ.Y )
Off(a) ≜ rec Y.( off/off.A⟨a⟩ + τ/τ.Y + ∑_{α∈Act*\{off,‾off}} α/τ.Y + ∑_{γ∈Chn*} γ/τ.Y )
End ≜ rec Y.( end/end.X + ∑_{α∈Act*∪Chn*} α/τ.Y )
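The synthesis lends itself to a direct recursive implementation. The sketch below is ours, over a tuple encoding of controllers (not the paper's syntax); it emits only the allowed α/α transitions of each monitor state, leaving every other action implicitly suppressed in place (the ∑ α/τ.Y summands of Table 6), and it elides the τ/τ self-loops that let actuator drops through.

```python
# A sketch of the synthesis function [[-]] over tuple-encoded controllers:
#   ("rec", body)  ("read", branches, timeout)  ("tick", cont)
#   ("in", branches, timeout)  ("out", chan, cont, timeout)
#   ("write", act, cont)  ("end",)
def synthesise(proc):
    table = {}
    loop_start = [None]

    def build(p):
        sid = len(table)
        table[sid] = {}
        if p[0] == "rec":
            loop_start[0] = sid          # end.X will jump back to the cycle entry
            fill(sid, p[1])
        else:
            fill(sid, p)
        return sid

    def fill(sid, p):
        kind = p[0]
        if kind in ("read", "in"):       # allow the expected inputs and the timeout
            for label, cont in p[1].items():
                table[sid][label] = build(cont)
            table[sid]["tick"] = build(p[2])
        elif kind == "tick":
            table[sid]["tick"] = build(p[1])
        elif kind == "out":              # allow the intended transmission only
            table[sid]["!" + p[1]] = build(p[2])
            table[sid]["tick"] = build(p[3])
        elif kind == "write":            # allow the genuine actuator command
            table[sid][p[1]] = build(p[2])
        elif kind == "end":              # synchronise on end, then restart
            table[sid]["end"] = loop_start[0]

    build(proc)
    return table

P = ("rec", ("tick", ("read", {"l": ("write", "close", ("end",))}, ("end",))))
print(synthesise(P))
# {0: {'tick': 1}, 1: {'l': 2, 'tick': 4}, 2: {'close': 3},
#  3: {'end': 0}, 4: {'end': 0}}
```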
Before proving the technical properties of the enforcement mechanism induced by our synthesised monitors, we focus our attention on two easy observations.
Our monitoring is observation-based, as the edit automata resulting from our synthesis never correct τ-actions (i.e., non-observable actions).
Any inter-controller activity which does not comply with the genuine behaviour of the PLC under scrutiny is suppressed by the enforcement.

The synthesis proposed in Table 6 is suitable for implementation.
Let P ∈ Ctrl be a deterministic controller. The automaton ⟦P⟧ is syntactically deterministic in the sense of [4].

Furthermore, our synthesis algorithm is computationally feasible. The complexity of the synthesis is quadratic in the dimension of the controller, where, intuitively, the dimension of a controller P ∈ Ctrl, written dim(P), is given by the number of prefixes α ∈ Act ∪ Chn* ∪ Sens ∪ {tick, end} occurring in it (its formal definition can be found in the appendix).

Proposition 2 (Polynomial complexity).
Let P ∈ Ctrl be a deterministic controller; the complexity of synthesising ⟦P⟧ is O(n²), with n = dim(P).

As required at the beginning of this section, the synthesised edit automata are always transparent, i.e., they never introduce non-genuine behaviours.

Proposition 3 (Transparency). If P ∈ Ctrl then ⟦P⟧ ⊢ {P} ≈ go ⊢ {P}.

Furthermore, our enforcement enjoys soundness preservation: in a monitored controller, a malware may never trigger an incorrect behaviour.
Proposition 4 (Soundness).
Let P be an arbitrary controller and M be an arbitrary malware. Then, ⟦P⟧ ⊢ {P | M} ⊑ ⟦P⟧ ⊢ {P}.

In the next proposition, we provide a result that is somehow complementary to Proposition 4. The intuition is that in a monitored controller ⟦P⟧ ⊢ {P | M} the controller P may execute all its (genuine) execution traces even in the presence of an arbitrary malware M. In other words, the controller P always has a chance to follow (and complete) its correct execution, even when compromised by the presence of a malware M.
Let P be an arbitrary controller and M be an arbitrary malware. Then, ⟦P⟧ ⊢ {P | M} ⊒ ⟦P⟧ ⊢ {P}.

By applications of Propositions 3, 4, and 5 we can summarise our enforcement in a single equation.
Theorem 1 (Trace enforcement).
Let P ∈ Ctrl be an arbitrary controller and M ∈ Malw be an arbitrary malware. Then, ⟦P⟧ ⊢ {P | M} ≃ go ⊢ {P}.

An easy consequence of trace enforcement is the absence of false negatives.
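On finite toy instances, Theorem 1 can be probed mechanically. The brute-force sketch below is ours and only an approximation: it compares the observable traces (τ hidden) of two transition maps up to a bounded number of steps.

```python
# A rough, bounded test of trace equivalence: collect the observable traces
# of length <= k from state `s` of an LTS given as state -> [(action, next)].
def traces(lts, s, k):
    out = {()}
    if k == 0:
        return out
    for act, nxt in lts.get(s, []):
        for t in traces(lts, nxt, k - 1):
            out.add(t if act == "tau" else (act,) + t)
    return out

def trace_equivalent(lts1, s1, lts2, s2, k=6):
    return traces(lts1, s1, k) == traces(lts2, s2, k)

# the monitored side may take extra tau steps (suppressions), yet the
# observable traces coincide with those of the genuine controller
monitored = {0: [("tick", 1)], 1: [("tau", 1), ("end", 0)]}
genuine   = {0: [("tick", 1)], 1: [("end", 0)]}
print(trace_equivalent(monitored, 0, genuine, 0))   # True
```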
Proposition 6 (Anomaly detection). Let P be an arbitrary controller, M be an arbitrary malware, J = P | M, and t be a genuine trace of P (i.e., P —t→ Z, for some Z). If J —tα→ J′, for some α and J′, but P —tα→ Z for no Z, then ⟦P⟧ promptly detects an anomaly of J when trying the execution of α in the trace tα.

Furthermore, trace enforcement scales to field communications networks of communicating controllers compromised by the presence of colluding malware.

Proposition 7 (Trace enforcement of field networks). Let P_i ∈ Ctrl and M_i ∈ Malw, for 1 ≤ i ≤ n. Then, ∏_{i=1}^n ⟦P_i⟧ ⊢ {P_i | M_i} ≃ ∏_{i=1}^n go ⊢ {P_i}.

However, trace enforcement has a non-trivial inconvenience: it does not enjoy deadlock-freedom in the presence of a malware injecting correct actions. Let us formalise such a situation in the next remark.
Remark 5 (Injection attacks may prevent deadlock-freedom).
In a monitored controller of the form ⟦P⟧ ⊢ {P | M}, it may well happen that the malware M misleads the edit automaton ⟦P⟧ by injecting a trace M —α₁→ ... —α_n→ M′ of actions, with α_i ≠ tick, compatible with the correct behaviour of the controller, in the sense that the very same trace may be executed by P: P —α₁→ ... —α_n→ Q, for some state Q. This would give rise to the following admissible execution trace for the monitored controller: ⟦P⟧ ⊢ {P | M} —α₁→ ... —α_n→ ⟦Q⟧ ⊢ {P | M′}, in which the actual controller P remains inactive. At that point, if the malware M′ suddenly stops mimicking an admissible behaviour of the controller, the edit automaton ⟦Q⟧ will suppress all possible actions, even those proposed by P, which was left behind in its execution. Thus, the monitored controller will continue its evolution as follows: ⟦Q⟧ ⊢ {P | M′} —τ→ ... —τ→ ⟦Q⟧ ⊢ {P′ | M′′}. In this case, as neither the controller nor the malware can give rise to zeno behaviours, the enforced system may eventually reach a deadlock state in which (i) P′ = end.X, (ii) M′′ = tick.M′′′, for some M′′′, or M′′ = nil, and (iii) ⟦Q⟧ does not allow end-actions because it requires some actions (e.g., actuations) to be performed before ending the scan cycle.

Notice that Remark 5 is not in contradiction with Proposition 5: there we proved that a controller has a chance to follow and complete its correct behaviour in the presence of an arbitrary malware; here we say a different thing: a malware has a chance to deadlock our monitored controllers.

5 Mitigation

In this section, we introduce an extra transition rule for monitored controllers to implement mitigation, i.e., the insertion of a sequence of activities driven by the edit automaton in full autonomy, when the controller has lost contact with its enforcer:

(Mitigation)  if J —end→ J′, E —α/α→ E′, and α ∈ Chn* ∪ Act ∪ {tick}, then E ⊢ {J} —α→ E′ ⊢ {J}

Intuitively, if the compromised controller signals the end of the scan cycle by emitting the action end and, at the same time, the current edit automaton E is not in the same state, then E will command the execution of a safe trace, without any involvement of the controller, to reach the end of the controller cycle. When both the controller and the edit automaton are aligned (at the end of the cycle) they will synchronise on the action end, via an application of the transition rule (Enforce), and from then on they will continue in a tethered fashion.

Notice that in a monitored controller E ⊢ {J} where J is corrupted by some malware, the two components E and J may get misaligned, as they may reach unrelated states. For instance, in case of drop of actuator commands the corrupted controller J may reach an incorrect state, leaving behind its monitoring edit automaton E.
In this case, the remaining observable actions in the current cycle of the compromised controller will be suppressed until the controller reaches the end of the scan cycle, signalled by the emission of an end-action (notice that, since our malware are time-guarded, they cannot introduce zeno behaviours to prevent a controller from reaching the end of its scan cycle). Once the compromised controller has been driven to the end of its cycle, the transition rule (Mitigation) goes into action.
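On top of the monitor tables used in the earlier sketches, rule (Mitigation) can be phrased as a small completion loop. This is an illustrative sketch of ours: it assumes that each monitor state maps allowed actions to next states, and that an end-state is always reachable (as in the synthesised tables, where scan cycles are finite).

```python
# A sketch of rule (Mitigation): when the compromised controller signals
# `end` while the monitor still expects other actions, the monitor emits a
# safe completion of the scan cycle on its own, then synchronises on `end`.
def mitigate(monitor, state):
    inserted = []
    while "end" not in monitor[state]:
        # pick any allowed action (e.g. a pending actuation) and insert it;
        # synthesised monitors are deterministic, so the choice is forced
        alpha, state = next(iter(monitor[state].items()))
        inserted.append(alpha)
    return inserted, monitor[state]["end"]   # state reached after the end sync

mon = {0: {"close": 1}, 1: {"end": 2}, 2: {"tick": 0}}
print(mitigate(mon, 0))   # (['close'], 2): insert `close`, then sync on end
```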
Remark 6. The assumption made in Remark 1 ensures us enough time to complete the mitigation of the scan cycle, well before the maximum cycle limit.

As a main result, we prove that, with the introduction of the rule (Mitigation), our runtime enforcement for controllers works faithfully up to weak bisimilarity, ensuring deadlock-freedom.
Theorem 2 (Observational enforcement).
Let P ∈ Ctrl be an arbitrary controller and M ∈ Malw be an arbitrary malware. Then, ⟦P⟧ ⊢ {P | M} ≈ go ⊢ {P}.

A consequence of Theorem 2 is the prompt detection and mitigation of alterations of PLC behaviours in the presence of injected malware.
Proposition 8 (Anomaly detection and mitigation).
Let P ∈ Ctrl be an arbitrary controller, M ∈ Malw be an arbitrary malware, and J = P | M the derived compromised controller.
1. If J —tα→ J′, for some genuine trace t of P (i.e., P —t→ Z, for some Z) and some observable action α, but P —tα→ Z for no Z, then the monitor ⟦P⟧ detects an anomaly of J when trying the execution of the incorrect action α of the trace tα.
2. Whenever ⟦P⟧ detects an anomaly α in J, it mitigates the anomaly either by correcting the action α with an action β, τ ≠ β ≠ α, or by suppressing the action α.

As for trace enforcement, observational enforcement scales to field networks of communicating controllers compromised by the presence of (potentially) colluding malware.

Corollary 1 (Observational enforcement of field networks).
Let P_i ∈ Ctrl and M_i ∈ Malw, for 1 ≤ i ≤ n. Then, ∏_{i=1}^n ⟦P_i⟧ ⊢ {P_i | M_i} ≈ ∏_{i=1}^n go ⊢ {P_i}.

As a direct application, Corollary 1 yields the following result for the monitored field network of our use case, built from the controllers PLC_i.

Proposition 9. For any arbitrary malware M_i, for 1 ≤ i ≤ n,

  ∏_{i=1}^n ⟦PLC_i⟧ ⊢ {PLC_i | M_i} ≈ ∏_{i=1}^n go ⊢ {PLC_i}.

In particular, the proposition above holds for the example of malware code proposed at the end of Section 3.
6 Conclusions

We have defined a formal language to express networks of monitored PLCs, potentially compromised with colluding malware that may forge/drop actuator commands and inter-controller communications. We do not deal with alterations of sensor signals within a PLC, as they can already be altered either at the network level or within the sensor devices [13].

The runtime enforcement has been achieved via a finite-state sub-class of Ligatti's edit automata equipped with an ad-hoc operational semantics to deal with system mitigation, by inserting actions in full autonomy when the monitored controller is not able to do so in a correct manner.

Then, we have provided a synthesis algorithm that, given a deterministic uncorrupted controller, returns, in polynomial time, a syntactically deterministic edit automaton to enforce the correctness of the controller. The proposed enforcement meets a number of requirements: observation-based monitoring, transparency, soundness, deadlock-freedom, and both detection and mitigation of alterations of the behaviour of the monitored PLC in case of injected malware.
Related work.
The notion of runtime enforcement was introduced by Schneider [29] to enforce security policies. In his setting, properties are enforced by means of truncation automata, a kind of automata that terminate the monitored system in case of violation of the property; thus, truncation automata can only enforce safety properties. Ligatti et al. [22] extended Schneider's work by proposing the notion of edit automaton, i.e., an enforcement mechanism capable of replacing, suppressing, or even inserting system actions. Edit automata can enforce instances of safety and liveness properties, along with other properties such as renewal properties [7,22]. In general, Ligatti et al.'s edit automata have an enumerable number of states, whereas in the current paper we restrict ourselves to finite-state edit automata. Furthermore, in their original definition the insertion of actions is possible at any moment, whereas our monitoring edit automata can insert actions, via the rule (Mitigation), only when the PLC under scrutiny reaches a specific state, i.e., the end of the scan cycle. Notice that our actions of the form α/β can be easily expressed in the original formulation by inserting the action β and then suppressing the action α. Unlike Schneider and Ligatti et al., we do not enforce specific properties for all admissible systems (in our case, controllers) but we ensure the preservation of the correct semantics of a corrupted controller. Bielova and Massacci [7,8] provided a stronger notion of enforceability by introducing a predictability criterion to prevent monitors from transforming invalid executions in an arbitrary manner. Intuitively, a monitor is said to be predictable if one can predict the number of transformations used to correct invalid executions, thereby avoiding unnecessary transformations. In our case, we never introduce unnecessary transformations, as our synthesis is based on the exact knowledge of the controller. Falcone et al. [11,12] proposed a synthesis algorithm, relying on Streett automata, to translate most of the property classes defined within the safety-progress hierarchy [23] into enforcers. Könighofer et al. [15] proposed a synthesis algorithm that, given a safety property, returns a monitor, called shield, that analyses both inputs and outputs of reactive systems in order to enforce properties by modifying the outputs only. Pinisetty et al. [27] have proposed a bi-directional runtime enforcement mechanism for reactive systems, and more generally for cyber-physical systems, to correct both inputs and outputs. Aceto et al. [5] developed an operational framework to enforce properties in HML logic with recursion (µHML) relying on suppression. More precisely, they achieved the enforcement of a safety fragment of µHML by providing a linear automated synthesis algorithm that generates correct suppression monitors from formulas. Enforceability of the modal µ-calculus (a reformulation of µHML) was previously tackled by Martinelli and Matteucci [24] by means of a synthesis algorithm which is exponential in the length of the enforceable formula. More recently, Cassar [10] defined a general framework to compare different enforcement models and different correctness criteria, including optimality. His work focuses on the enforcement of a safety fragment of µHML, paying attention to both directional and bi-directional notions of enforcement.

The present work is a revised extension of the extended abstract appeared in [19]. Here, besides full proofs, we provide new results on the anomaly detection and the mitigation activity of the monitoring secured proxy. In particular, as formally stated in Proposition 6 and Proposition 8, our secured proxies promptly detect abnormal behaviours and safely intervene by mitigating them. Furthermore, compared to the conference paper, in Section 3 we provide a more involved and realistic use case, taken from the field of water transmission networks. We then apply our synthesis algorithm to derive an enforcing edit automaton for the family of PLCs proposed in our use case. Finally, in our companion paper [18] we abstracted over PLC implementations and provided a simple language of regular properties to express correctness properties that should be enforced upon completion of PLC scan cycles.
References
1. Abadi, M., Blanchet, B., Fournet, C.: The Applied Pi Calculus: Mobile Values, New Names, and Secure Communication. Journal of the ACM 65(1), 1:1–1:41 (2018)
2. Abadi, M., Gordon, A.D.: A Calculus for Cryptographic Protocols: The Spi Calculus. In: ACM CCS. pp. 36–47. ACM (1997)
3. Abbasi, A., Hashemi, M.: Ghost in the PLC: designing an undetectable programmable logic controller rootkit via pin control attack. In: Black Hat (2016)
4. Aceto, L., Achilleos, A., Francalanza, A., Ingólfsdóttir, A., Kjartansson, S.Ö.: On the Complexity of Determinizing Monitors. In: CIAA. LNCS, vol. 10329, pp. 1–13. Springer (2017)
5. Aceto, L., Cassar, I., Francalanza, A., Ingólfsdóttir, A.: On runtime enforcement via suppressions. In: CONCUR. pp. 34:1–34:17. Schloss Dagstuhl (2018)
6. Barrère, M., Hankin, C., Nicolaou, N., Eliades, D.G., Parisini, T.: Measuring cyber-physical security in industrial control systems via minimum-effort attack strategies. Journal of Information Security and Applications (2020)
7. Bielova, N.: A theory of constructive and predictable runtime enforcement mechanisms. Ph.D. thesis, University of Trento (2011)
8. Bielova, N., Massacci, F.: Predictability of enforcement. In: Engineering Secure Software and Systems. pp. 73–86 (2011)
9. Bodei, C., Degano, P., Ferrari, G., Galletta, L.: Tracing where IoT data are collected and aggregated. Logical Methods in Computer Science 13(3), 1–38 (2017). https://doi.org/10.23638/LMCS-13(3:5)2017
10. Cassar, I.: Developing Theoretical Foundations for Runtime Enforcement. Ph.D. thesis, University of Malta and Reykjavik University (2020)
11. Falcone, Y., Fernandez, J.C., Mounier, L.: What can you verify and enforce at runtime? Int. J. Softw. Tools Technol. Transf. 14(3), 349–382 (2012)
12. Falcone, Y., Mounier, L., Fernandez, J., Richier, J.: Runtime enforcement monitors: composition, synthesis, and enforcement abilities. FMSD 38(3), 223–262 (2011)
13. Giraldo, J., Urbina, D.I., Cardenas, A., Valente, J., Faisal, M., Ruths, J., Tippenhauer, N.O., Sandberg, H., Candell, R.: A Survey of Physics-Based Attack Detection in Cyber-Physical Systems. ACM Comput. Surv. 51(4), 76:1–76:36 (2018)
14. Hennessy, M., Regan, T.: A process algebra for timed systems. Information and Computation 117(2), 221–239 (1995)
15. Könighofer, B., Alshiekh, M., Bloem, R., Humphrey, L., Könighofer, R., Topcu, U., Wang, C.: Shield synthesis. FMSD 51(2), 332–361 (2017)
16. Lanese, I., Bedogni, L., Di Felice, M.: Internet of Things: a process calculus approach. In: ACM SAC. pp. 1339–1346. ACM (2013)
17. Lanotte, R., Merro, M.: A semantic theory of the Internet of Things. Information and Computation 259(1), 72–101 (2018)
18. Lanotte, R., Merro, M., Munteanu, A.: Runtime Enforcement for Control System Security. In: CSF. pp. 246–261. IEEE (2020)
19. Lanotte, R., Merro, M., Munteanu, A.: A process calculus approach to correctness enforcement of PLCs. In: ICTCS. pp. 1–13. CEUR Workshop Proceedings, CEUR-WS.org (to appear)
20. Lanotte, R., Merro, M., Munteanu, A., Viganò, L.: A Formal Approach to Physics-based Attacks in Cyber-physical Systems. ACM TOPS 23(1), 3:1–3:41 (2020)
21. Lanotte, R., Merro, M., Tini, S.: A Probabilistic Calculus of Cyber-Physical Systems. Information and Computation (2020)
22. Ligatti, J., Bauer, L., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Sec. 4(1–2), 2–16 (2005)
23. Manna, Z., Pnueli, A.: A Hierarchy of Temporal Properties. Tech. rep., Stanford University (1987)
24. Martinelli, F., Matteucci, I.: Through modeling to synthesis of security automata. ENTCS 179, 31–46 (2007)
25. McLaughlin, S.E.: CPS: stateful policy enforcement for control system device usage. In: ACSAC. pp. 109–118. ACM (2013)
26. Mohan, S., Bak, S., Betti, E., Yun, H., Sha, L., Caccamo, M.: S3A: secure system simplex architecture for enhanced security and robustness of cyber-physical systems. In: HiCoNS. pp. 65–74. ACM (2013)
27. Pinisetty, S., Roop, P.S., Smyth, S., Allen, N., Tripakis, S., Hanxleden, R.: Runtime enforcement of cyber-physical systems. ACM TECS 16(5s), 178:1–178:25 (2017)
28. Radvanovsky, B.: Project SHINE: 1,000,000 internet-connected SCADA and ICS systems and counting (2013), Tofino Security
29. Schneider, F.B.: Enforceable security policies. ACM TISSEC 3(1), 30–50 (2000)
30. Spenneberg, R., Brüggemann, M., Schwartke, H.: PLC-Blaster: A Worm Living Solely in the PLC. In: Black Hat. pp. 1–16 (2016)

A Proofs
Before proving Proposition 2, we provide a formal definition of the size of a controller.
Definition 3.
For a generic controller Z ∈ Ctrl ∪ Sens ∪ Comm ∪ Act, we define the size of Z, written dim(Z), by induction on the structure of the controller:

dim(rec X.S) ≜ dim(S)
dim(⌊∑_{i∈I} s_i.S_i⌋S) ≜ |I| + ∑_{i∈I} dim(S_i) + dim(S)
dim(tick.S) ≜ 1 + dim(S)
dim(⌊∑_{i∈I} c_i.C_i⌋C) ≜ |I| + ∑_{i∈I} dim(C_i) + dim(C)
dim(a.A) ≜ 1 + dim(A)
dim(⌊c̄.C₁⌋C₂) ≜ 1 + dim(C₁) + dim(C₂)
dim(end.X) ≜ 1
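Under the tuple encoding used in the synthesis sketch of Section 4 (an illustrative encoding of ours, not the paper's syntax), Definition 3 transcribes directly:

```python
# dim(Z): count the prefixes occurring in a tuple-encoded controller.
def dim(p):
    kind = p[0]
    if kind == "rec":
        return dim(p[1])
    if kind in ("read", "in"):              # |I| + sum_i dim(S_i) + dim(timeout)
        return len(p[1]) + sum(dim(c) for c in p[1].values()) + dim(p[2])
    if kind == "tick":                      # 1 + dim(S)
        return 1 + dim(p[1])
    if kind == "out":                       # 1 + dim(C1) + dim(C2)
        return 1 + dim(p[2]) + dim(p[3])
    if kind == "write":                     # 1 + dim(A)
        return 1 + dim(p[2])
    return 1                                # end.X

P = ("rec", ("tick", ("read", {"l": ("write", "close", ("end",))}, ("end",))))
print(dim(P))   # 1 + (1 + (1 + 1) + 1) = 5
```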
Let us prove Proposition 2.

Proof. For a generic controller Z, we prove that the recursive structure of the synthesis function ⟦Z′⟧, with Z′ ∈ {P, S, C, A}, can be characterised by the following form: T(m) = T(m−1) + n, with n = dim(Z) and dim(Z′) = m ≤ n. Hence the thesis follows, since T(n) = T(n−1) + n is O(n²). We prove this by case analysis on the structure of Z, examining each synthesis step in which the synthesis function is processing m = dim(Z′) symbols, with m ≤ n and Z′ ∈ {P, S, C, A}. Thus, we characterise: (i) how many symbols of Z the synthesis function processes, (ii) how many times the synthesis function calls itself, and (iii) how many computations it performs in that step. We consider the most significant cases.

Case ⌊∑_{i∈I} c_i.C_i⌋C. For m = dim(⌊∑_{i∈I} c_i.C_i⌋C), by definition the synthesis function consumes all prefixes c_i, with i ∈ I. The synthesis function calls itself again r + 1 times, where r = |I|. Thus, each ⟦C_i⟧ operates on dim(C_i) remaining symbols and ⟦C⟧ operates on dim(C) remaining symbols. The synthesis function produces a sum over α ∈ Act* ∪ Chn* \ ∪_{i∈I}{c_i}, which requires at most n operations. Thus, we can characterise the recursive structure as T(m) = ∑_{i∈I} T(dim(C_i)) + T(dim(C)) + n. Since ∑_{i∈I} dim(C_i) + dim(C) = m − |I| − 1 ≤ m − 1, the complexity is smaller than that of T(m−1) + n.

Case a.A. For m = dim(a.A), by definition the synthesis function consumes the prefix a and calls itself once more, on ⟦A⟧. Moreover, the synthesis function produces a sum over α ∈ Act* ∪ Chn* ∪ {τ} \ {a, ā}, which requires at most n operations. Thus, we can characterise the recursive structure as T(m) = T(m−1) + n.

Let us prove Proposition 4 (Soundness).

Proof.
Let us define four binary relations:
– R_P ≜ {(⟦P⟧ ⊢ {J}, ⟦P⟧ ⊢ {P}) | for any P and J};
– R_S ≜ {(⟦S⟧ ⊢ {J}, ⟦S⟧ ⊢ {S}) | for any S and J};
– R_C ≜ {(⟦C⟧ ⊢ {J}, ⟦C⟧ ⊢ {C}) | for any C and J};
– R_A ≜ {(⟦A⟧ ⊢ {J}, ⟦A⟧ ⊢ {A}) | for any A and J}.
We prove that the relation R ≜ R_P ∪ R_S ∪ R_C ∪ R_A is a weak simulation. For each pair (N₁, N₂) ∈ R we proceed by case analysis on why N₁ —α→ N₁′. We consider the most significant cases.

Case (N₁, N₂) ∈ R_C. We do case analysis on the structure of the controller C in N₁ = ⟦C⟧ ⊢ {J}, for some arbitrary J.
Let C ≡ ⌊∑_i c_i.C_i⌋Ĉ.
– Let N₁ —c_i→ ⟦C_i⟧ ⊢ {J′} = N₁′, by an application of rule (Enforce), as J —c_i→ J′. Then, N₂ = ⟦C⟧ ⊢ {C} —c_i→ ⟦C_i⟧ ⊢ {C_i} = N₂′ and (N₁′, N₂′) ∈ R_C ⊆ R by construction.
– Let N₁ —tick→ ⟦Ĉ⟧ ⊢ {J′} = N₁′, by an application of rule (Enforce), as J —tick→ J′. Then, N₂ = ⟦C⟧ ⊢ {C} —tick→ ⟦Ĉ⟧ ⊢ {Ĉ} = N₂′ and (N₁′, N₂′) ∈ R_C ⊆ R by construction.
– Let N₁ —τ→ ⟦C⟧ ⊢ {J′} = N₁′, by an application of rule (Enforce), because J —α→ J′, for some α ∈ Act* ∪ Chn* \ ∪_i{c_i}. Here, notice that the edit automaton ⟦C⟧ suppresses all possible injections originating from the malware, turning them into τ-actions. Thus, N₂ = ⟦C⟧ ⊢ {C} =τ̂⇒ ⟦C⟧ ⊢ {C} = N₂′ and (N₁′, N₂′) ∈ R_C ⊆ R by construction.
Let C ≡ ⌊c̄.C₁⌋C₂. This case is similar to the previous one.
Let C ≡ A. In this case, we end up in the case (N₁, N₂) ∈ R_A.

Case (N₁, N₂) ∈ R_A. We do case analysis on the structure of the controller A in N₁ = ⟦A⟧ ⊢ {J}, for some arbitrary J.
Let A ≡ a.Â.
– Let N₁ —a→ ⟦Â⟧ ⊢ {J′} = N₁′, by an application of rule (Enforce), as J —a→ J′. Then, N₂ = ⟦A⟧ ⊢ {A} —a→ ⟦Â⟧ ⊢ {Â} = N₂′ and (N₁′, N₂′) ∈ R_A ⊆ R by construction.
– Let N₁ —τ→ ⟦A⟧ ⊢ {J′} = N₁′, by an application of rule (Enforce), because J —α→ J′, for some α ∈ {τ} ∪ Act* ∪ Chn* \ {a}. Note that the edit automaton ⟦A⟧ suppresses all possible injections originating from the malware, turning them into τ-actions. Thus, N₂ = ⟦A⟧ ⊢ {A} =τ̂⇒ ⟦A⟧ ⊢ {A} = N₂′ and (N₁′, N₂′) ∈ R_A ⊆ R by construction.
Let A ≡ end.X.
– Let N₁ —end→ ⟦S⟧ ⊢ {J′} = N₁′, by an application of rule (Enforce) triggered by (Ctrl). By definition of the transition rule (Rec), from end.X we end up in the case end.S. Then, N₂ = ⟦A⟧ ⊢ {A} —end→ ⟦S⟧ ⊢ {S} = N₂′ and (N₁′, N₂′) ∈ R_S ⊆ R by construction.
– Let N₁ —τ→ ⟦A⟧ ⊢ {J′} = N₁′, by an application of rule (Enforce) triggered by an application of rule (Inject) or (Ctrl), because J —α→ J′ for some α ∈ {a, ā, c, c̄}. Here, notice that the edit automaton ⟦A⟧ suppresses all possible injections originating from the malware, or actions of the controller not aligned with the edit automaton, turning them into τ-actions. Thus, N₂ = ⟦A⟧ ⊢ {A} =τ̂⇒ ⟦A⟧ ⊢ {A} = N₂′ and (N₁′, N₂′) ∈ R_A ⊆ R by construction.

Let us prove Proposition 5.

Proof.
Let us define four binary relations:
– R_P ≜ {(⟦P⟧ ⊢ {P}, ⟦P⟧ ⊢ {P | M}) | for any P and M};
– R_S ≜ {(⟦S⟧ ⊢ {S}, ⟦S⟧ ⊢ {S | M}) | for any S and M};
– R_C ≜ {(⟦C⟧ ⊢ {C}, ⟦C⟧ ⊢ {C | M}) | for any C and M};
– R_A ≜ {(⟦A⟧ ⊢ {A}, ⟦A⟧ ⊢ {A | M}) | for any A and M}.
It is enough to prove that the relation R ≜ R_P ∪ R_S ∪ R_C ∪ R_A is a weak simulation. For each pair (N₁, N₂) ∈ R, the proof proceeds by case analysis on why N₁ —α→ N₁′. The proof relies on two main facts: (i) in a compromised controller Z | M the malware M cannot prevent the execution of actions that Z would execute in isolation; in particular, (ii) M cannot prevent the passage of time of Z, as recursive processes in M are always time-guarded.

Let us prove Proposition 6 (Anomaly detection).

Proof. As P —t→ Z, for some Z, by an application of transition rules (Go) and (Enforce) it follows that go ⊢ {P} —t→ go ⊢ {Z}. By an application of the implication from right to left of Theorem 1, it follows that ⟦P⟧ ⊢ {P | M} —t→ N, for some N. Thus, by Definition 2, we have to show that ⟦P⟧ ⊢ {P | M} —tα→ N for no N. As by hypothesis P —tα→ Z for no Z, it follows that go ⊢ {P} —tα→ N, for no N. Thus, by an application of Theorem 1, this time from left to right, it follows that ⟦P⟧ ⊢ {P | M} —tα→ N, for no N, as required.

Let us prove Proposition 7 (Trace enforcement of field networks).

Proof.
Let us prove Proposition 7 (Weak enforcement of field networks).

Proof. The result cannot be directly derived by an application of Theorem 1 because, in our timed setting, trace equivalence $\simeq$ is not preserved by parallel composition (the problem being the negative premise in the transition rule (TimeSync)). However, since weak simulation $\sqsubseteq$ is well known to be preserved by parallel composition, by an application of Proposition 3 and Proposition 4 we can easily derive:

$\prod_{i=1}^{n} \llbracket P_i \rrbracket^{\ell}\{P_i \mid M_i\} \ \sqsubseteq\ \prod_{i=1}^{n} \mathsf{go}^{\ell}\{P_i\}$

$\prod_{i=1}^{n} \llbracket P_i \rrbracket^{\ell}\{P_i \mid M_i\} \ \sqsupseteq\ \prod_{i=1}^{n} \mathsf{go}^{\ell}\{P_i\}.$

This is enough to derive that the two systems under investigation are trace equivalent.
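The last step relies on a standard fact: a weak simulation in each direction yields trace inclusion in each direction, and hence trace equivalence. The toy check below illustrates this on two finite labelled transition systems that simulate each other; the triple-based LTS encoding and the two example systems are ours, not the calculus semantics.

```python
# Sketch: mutual simulation implies equal trace sets. The two toy
# LTSs below (lists of (state, action, state') triples) simulate
# each other, so their bounded trace sets coincide.

def traces(lts, state, depth):
    """All action sequences of length <= depth from 'state'."""
    if depth == 0:
        return {()}
    out = {()}
    for (s, a, s2) in lts:
        if s == state:
            out |= {(a,) + t for t in traces(lts, s2, depth - 1)}
    return out

n1 = [(0, "c", 1), (1, "a", 0)]
n2 = [(0, "c", 1), (1, "a", 2), (2, "c", 3), (3, "a", 2)]
print(traces(n1, 0, 3) == traces(n2, 0, 3))  # True
```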
Let us prove Theorem 2 (Observational enforcement of controllers).

Proof.
Let us define four binary relations:

– $\mathcal{P} \triangleq \{(\llbracket P \rrbracket^{\ell}\{P \mid M\},\ \llbracket P \rrbracket^{\ell}\{P\}) \mid \text{for any } P \text{ and } M\}$;
– $\mathcal{S} \triangleq \{(\llbracket S \rrbracket^{\ell}\{J\},\ \llbracket S \rrbracket^{\ell}\{S\}) \mid \text{for any } S \text{ and } J\}$;
– $\mathcal{C} \triangleq \{(\llbracket C \rrbracket^{\ell}\{J\},\ \llbracket C \rrbracket^{\ell}\{C\}) \mid \text{for any } C \text{ and } J\}$;
– $\mathcal{A} \triangleq \{(\llbracket A \rrbracket^{\ell}\{J\},\ \llbracket A \rrbracket^{\ell}\{A\}) \mid \text{for any } A \text{ and } J\}$.

We prove that the relation $\mathcal{R} \triangleq \mathcal{P} \cup \mathcal{S} \cup \mathcal{C} \cup \mathcal{A}$ is a weak bisimulation. For each pair $(N_1, N_2) \in \mathcal{R}$ we proceed by case analysis on why $N_1 \xrightarrow{\alpha} N_1'$; then we do the same for $N_2 \xrightarrow{\alpha} N_2'$. We consider the most significant cases.

Case $(N_1, N_2) \in \mathcal{C}$. We proceed by case analysis on the structure of the controller $C$ in $N_1 = \llbracket C \rrbracket^{\ell}\{J\}$, for some arbitrary $J$.

Let $C \equiv \lfloor \sum_{i \in I} c_i.C_i \rfloor \hat{C}$.

– Let $N_1 \xrightarrow{c_i} \llbracket C_i \rrbracket^{\ell}\{J'\} = N_1'$, by an application of rule (Enforce) triggered by (Ctrl) or (Inject) or, alternatively, by an application of rule (Mitigation). Then, $N_2 = \llbracket C \rrbracket^{\ell}\{C\} \xrightarrow{c_i} \llbracket C_i \rrbracket^{\ell}\{C_i\} = N_2'$ and $(N_1', N_2') \in \mathcal{C} \subseteq \mathcal{R}$ by construction.
– Let $N_1 \xrightarrow{\mathsf{tick}} \llbracket \hat{C} \rrbracket^{\ell}\{J'\} = N_1'$, by an application of rule (Enforce) triggered by an application of rule (TimeSync) or, alternatively, by an application of rule (Mitigation). Then, $N_2 = \llbracket C \rrbracket^{\ell}\{C\} \xrightarrow{\mathsf{tick}} \llbracket \hat{C} \rrbracket^{\ell}\{\hat{C}\} = N_2'$ and $(N_1', N_2') \in \mathcal{C} \subseteq \mathcal{R}$ by construction.
– Let $N_1 \xrightarrow{\tau} \llbracket C \rrbracket^{\ell}\{J'\} = N_1'$, by an application of rule (Enforce) triggered by an application of rule (Inject) or (Ctrl), because $J \xrightarrow{\alpha} J'$ for some $\alpha \in \mathsf{Act}^{\ast} \cup \mathsf{Chn}^{\ast} \setminus \bigcup_i \{c_i\}$. Note that the edit automaton $\llbracket C \rrbracket$ suppresses all possible injections originating from the malware, as well as controller actions not aligned with the edit automaton, turning them into $\tau$-actions. Note also that if $J \xrightarrow{a} J'$, for some actuator name $a$, then no drop is actually possible. Thus, $N_2 = \llbracket C \rrbracket^{\ell}\{C\} \stackrel{\hat{\tau}}{\Longrightarrow} \llbracket C \rrbracket^{\ell}\{C\} = N_2'$ and $(N_1', N_2') \in \mathcal{C} \subseteq \mathcal{R}$ by construction.

Now, we proceed by case analysis on why $N_2 \xrightarrow{\alpha} N_2'$.

– Let $N_2 = \llbracket C \rrbracket^{\ell}\{C\} \xrightarrow{c_i} \llbracket C_i \rrbracket^{\ell}\{C_i\} = N_2'$. Then, by definition of $\llbracket C \rrbracket$, we have $\llbracket C \rrbracket \xrightarrow{c_i/c_i} \llbracket C_i \rrbracket$. If $J \xrightarrow{c_i} J'$ then, by an application of rule (Enforce), it follows that $N_1 \xrightarrow{c_i} \llbracket C_i \rrbracket^{\ell}\{J'\} = N_1'$, and $(N_1', N_2') \in \mathcal{C} \subseteq \mathcal{R}$ by construction. Whereas, if $J \xrightarrow{\mathsf{end}}$ then, by an application of rule (Mitigation), it follows that $N_1 \xrightarrow{c_i} \llbracket C_i \rrbracket^{\ell}\{J\} = N_1'$, and $(N_1', N_2') \in \mathcal{C} \subseteq \mathcal{R}$ by construction.
– Let $N_2 = \llbracket C \rrbracket^{\ell}\{C\} \xrightarrow{\mathsf{tick}} \llbracket \hat{C} \rrbracket^{\ell}\{\hat{C}\} = N_2'$. Then, by definition of $\llbracket C \rrbracket$, we have $\llbracket C \rrbracket \xrightarrow{\mathsf{tick}/\mathsf{tick}} \llbracket \hat{C} \rrbracket$ and $\llbracket C \rrbracket \xrightarrow{\alpha/\tau} \llbracket C \rrbracket$, for any action $\alpha \in \mathsf{Act}^{\ast} \cup \mathsf{Chn}^{\ast} \setminus \bigcup_i \{c_i\}$ performed (injected) by the malware, or by the controller when not aligned with the edit automaton.
We recall that recursion in both malware and controller code is always time-guarded, i.e., it may not prevent the passage of time. More formally, for any $J$ there is a finite $n$ providing an upper bound to the maximum number of possible consecutive untimed actions of $J$. Thus, by $n$ possible applications of rule (Inject) or (Ctrl) and a final application of rule (TimeSync), we have:

$J \xrightarrow{\alpha_1} J_1 \xrightarrow{\alpha_2} \cdots \xrightarrow{\alpha_n} J_n \xrightarrow{\mathsf{tick}} J'$.

By $n+1$ applications of rule (Enforce) we get $N_1 \stackrel{\mathsf{tick}}{\Longrightarrow} \llbracket \hat{C} \rrbracket^{\ell}\{J'\} = N_1'$, with $(N_1', N_2') \in \mathcal{C} \subseteq \mathcal{R}$ by construction.

Let $C \equiv \lfloor c.C \rfloor C$. This case is similar to the previous one.

Let $C \equiv A$. In this case, we resort to one of the next cases.

Case $(N_1, N_2) \in \mathcal{A}$. We proceed by case analysis on the structure of the controller $A$ in $N_1 = \llbracket A \rrbracket^{\ell}\{J\}$, for some arbitrary $J$.

Let $A \equiv a.\hat{A}$.

– Let $N_1 \xrightarrow{a} \llbracket \hat{A} \rrbracket^{\ell}\{J'\} = N_1'$, by an application of rule (Enforce) triggered by (Ctrl) or (Inject) or, alternatively, by an application of rule (Mitigation). Then, $N_2 = \llbracket A \rrbracket^{\ell}\{A\} \xrightarrow{a} \llbracket \hat{A} \rrbracket^{\ell}\{\hat{A}\} = N_2'$ and $(N_1', N_2') \in \mathcal{A} \subseteq \mathcal{R}$ by construction.
– Let $N_1 \xrightarrow{\tau} \llbracket A \rrbracket^{\ell}\{J'\} = N_1'$, by an application of rule (Enforce) triggered by an application of rule (Inject) or (Ctrl), because $J \xrightarrow{\alpha} J'$ for some $\alpha \in \{\tau\} \cup \mathsf{Act}^{\ast} \cup \mathsf{Chn}^{\ast} \setminus \{a\}$. Note that the edit automaton $\llbracket A \rrbracket$ suppresses all possible injections originating from the malware, as well as controller actions not aligned with the edit automaton, turning them into $\tau$-actions. Furthermore, the misalignment may also arise because the malware has dropped the current actuation, via rule (DropAct); in this case, the controller performing an actuation $\alpha \in \mathsf{Act}^{\ast} \setminus \{a\}$ will be suppressed as well. Thus, $N_2 = \llbracket A \rrbracket^{\ell}\{A\} \stackrel{\hat{\tau}}{\Longrightarrow} \llbracket A \rrbracket^{\ell}\{A\} = N_2'$ and $(N_1', N_2') \in \mathcal{A} \subseteq \mathcal{R}$ by construction.

Now, we proceed by case analysis on why $N_2 \xrightarrow{\alpha} N_2'$.

– Let $N_2 = \llbracket A \rrbracket^{\ell}\{A\} \xrightarrow{a} \llbracket \hat{A} \rrbracket^{\ell}\{\hat{A}\} = N_2'$. Then, by definition of $\llbracket A \rrbracket$, we have $\llbracket A \rrbracket \xrightarrow{a/a} \llbracket \hat{A} \rrbracket$. If $J \xrightarrow{a} J'$ then, by an application of rule (Enforce), it follows that $N_1 \xrightarrow{a} \llbracket \hat{A} \rrbracket^{\ell}\{J'\} = N_1'$, and $(N_1', N_2') \in \mathcal{A} \subseteq \mathcal{R}$ by construction. Whereas, if $J \xrightarrow{\mathsf{end}}$ then, by an application of rule (Mitigation), it follows that $N_1 \xrightarrow{a} \llbracket \hat{A} \rrbracket^{\ell}\{J\} = N_1'$, and $(N_1', N_2') \in \mathcal{A} \subseteq \mathcal{R}$ by construction.
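The unfolding argument used above is effectively computable: time-guardedness bounds the number of consecutive untimed steps, so searching for a weak tick-transition always terminates. A minimal sketch of this search follows, where the successor function `steps` and the bound are illustrative assumptions.

```python
# Sketch of the unfolding argument: because recursion is
# time-guarded, a compromised controller J can take at most a
# bounded number of untimed steps before tick becomes available,
# so the weak transition  N2 ==tick==> N2'  always exists.

def weak_tick(steps, state, bound):
    """Search for tau*-then-tick, exploring at most 'bound' untimed steps."""
    frontier = {state}
    for _ in range(bound + 1):
        if any(a == "tick" for s in frontier for (a, _) in steps(s)):
            return True
        frontier = {s2 for s in frontier
                    for (a, s2) in steps(s) if a != "tick"}
    return False

# J makes two injected (suppressed) steps, then must let time pass.
def steps(s):
    return {0: [("tau", 1)], 1: [("tau", 2)], 2: [("tick", 0)]}[s]

print(weak_tick(steps, 0, bound=2))  # True
```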
Let $A \equiv \mathsf{end}.X$.

– Let $N_1 \xrightarrow{\mathsf{end}} \llbracket S \rrbracket^{\ell}\{J'\} = N_1'$, by an application of rule (Enforce) triggered by (Ctrl). Note that, by definition of the transition rule (Rec), from $\mathsf{end}.X$ we reduce to the case $\mathsf{end}.S$. Then, $N_2 = \llbracket A \rrbracket^{\ell}\{A\} \xrightarrow{\mathsf{end}} \llbracket S \rrbracket^{\ell}\{S\} = N_2'$ and $(N_1', N_2') \in \mathcal{S} \subseteq \mathcal{R}$ by construction.
– Let $N_1 \xrightarrow{\tau} \llbracket A \rrbracket^{\ell}\{J'\} = N_1'$, by an application of rule (Enforce) triggered by an application of rule (Inject) or (Ctrl), because $J \xrightarrow{\alpha} J'$ for some $\alpha \in \mathsf{Act}^{\ast} \cup \mathsf{Chn}^{\ast}$. Here, notice that the edit automaton $\llbracket A \rrbracket$ suppresses all possible injections originating from the malware, as well as controller actions not aligned with the edit automaton, turning them into $\tau$-actions. Thus, $N_2 = \llbracket A \rrbracket^{\ell}\{A\} \stackrel{\hat{\tau}}{\Longrightarrow} \llbracket A \rrbracket^{\ell}\{A\} = N_2'$ and $(N_1', N_2') \in \mathcal{A} \subseteq \mathcal{R}$ by construction.

Now, we proceed by case analysis on why $N_2 \xrightarrow{\alpha} N_2'$.

– Let $N_2 = \llbracket A \rrbracket^{\ell}\{A\} \xrightarrow{\mathsf{end}} \llbracket S \rrbracket^{\ell}\{S\} = N_2'$. Here, notice that, by definition of the transition rule (Rec), from $\mathsf{end}.X$ we reduce to the case $\mathsf{end}.S$. Then, by definition of $\llbracket A \rrbracket$, we have $\llbracket A \rrbracket \xrightarrow{\mathsf{end}/\mathsf{end}} \llbracket S \rrbracket$ and $\llbracket A \rrbracket \xrightarrow{\alpha/\tau} \llbracket A \rrbracket$, for any action $\alpha \in \mathsf{Act}^{\ast} \cup \mathsf{Chn}^{\ast}$ performed (injected) by the malware, or by the controller when not aligned with the edit automaton. Recall that recursion in both malware and controller code is always time-guarded, i.e., it may not prevent the passage of time; thus, the controller can always eventually perform $\mathsf{end}$. More formally, for any $J$ there is a finite integer $n$ providing an upper bound to the maximum number of possible consecutive untimed actions of $J$. Thus, by $n$ possible applications of rule (Inject) or (Ctrl) and a final application of rule (Ctrl), we have:

$J \xrightarrow{\alpha_1} J_1 \xrightarrow{\alpha_2} \cdots \xrightarrow{\alpha_n} J_n \xrightarrow{\mathsf{end}} J'$.

By $n+1$ applications of rule (Enforce) we get $N_1 \stackrel{\mathsf{end}}{\Longrightarrow} \llbracket S \rrbracket^{\ell}\{J'\} = N_1'$, with $(N_1', N_2') \in \mathcal{S} \subseteq \mathcal{R}$ by construction.
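Both directions of this bisimulation proof pivot on how rule (Enforce) combines a monitor edit transition $E \xrightarrow{\alpha/\beta} E'$ with a process transition $J \xrightarrow{\alpha} J'$ into a network transition that exposes only $\beta$. A rough executable reading of this composition is sketched below; the tuple encodings and state names are assumptions, and rule (Mitigation) is deliberately omitted.

```python
# A minimal sketch of rule (Enforce): the monitor is given as edit
# transitions  E --alpha/beta--> E'  and the (possibly compromised)
# process as transitions  J --alpha--> J'. The monitored network
# only exposes the edited action beta.

def enforce(monitor_edits, process_steps, e, j):
    """One step of a monitored network (illustrative encoding)."""
    for (e0, alpha, beta, e1) in monitor_edits:
        for (j0, a, j1) in process_steps:
            if e0 == e and j0 == j and a == alpha:
                yield (beta, e1, j1)

# Monitor forwards 'c' and suppresses a forged 'a' into 'tau'.
edits = [("E", "c", "c", "E1"), ("E", "a", "tau", "E")]
steps = [("J", "c", "J1"), ("J", "a", "J")]   # 'a' injected by malware
print(list(enforce(edits, steps, "E", "J")))
# -> [('c', 'E1', 'J1'), ('tau', 'E', 'J')]
```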
Before proving Proposition 8 we need the following technical result, stating that controllers never deadlock.

Lemma 1. For any closed $Z \in \mathsf{Ctrl} \cup \mathsf{Sens} \cup \mathsf{Comm} \cup \mathsf{Act}$, it holds that $Z \xrightarrow{\beta} \hat{Z}$, for some $\beta$ and $\hat{Z}$.

Proof. The proof is by induction on the structure of $Z$.

– If $Z \equiv \mathsf{rec}\, X.S$ then, by definition of the transition rule (Rec), we reduce to one of the other cases.
– If $Z \equiv \lfloor \sum_{i \in I} s_i.S_i \rfloor \hat{S}$ then we can apply two different transition rules:
  • by an application of rule (ReadS) we have $Z \xrightarrow{s_j} S_j$, for some $j \in I$;
  • by an application of rule (TimeoutS) we have $Z \xrightarrow{\mathsf{tick}} \hat{S}$.
  In both cases, we have $\lfloor \sum_{i \in I} s_i.S_i \rfloor \hat{S} \xrightarrow{\beta} \hat{Z}$, for some $\beta$ and $\hat{Z}$.
– The other cases can be proved in a similar manner since $Z$ is closed and, in particular, $Z \neq \mathsf{end}.X$.
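Lemma 1 can be read as a reachability check: in the finite transition system of a closed controller, every reachable state must offer at least one transition (possibly a timeout tick). Below is a small sketch of this check on an illustrative three-state controller; the LTS and its labels are assumptions of the example.

```python
# Sketch of Lemma 1 as an executable check: every state reachable
# from the initial one must have at least one outgoing transition.

def never_deadlocks(lts, initial):
    """True iff every reachable state has a successor."""
    seen, todo = set(), [initial]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        succs = [s2 for (s0, _, s2) in lts if s0 == s]
        if not succs:
            return False            # a deadlocked state: Z has no move
        todo.extend(succs)
    return True

# Read sensor s or time out, then actuate a, then loop.
lts = [(0, "s", 1), (0, "tick", 0), (1, "a", 0)]
print(never_deadlocks(lts, 0))  # True
```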
Let us prove Proposition 8 (Anomaly detection and mitigation).

Proof. Let us prove the first item of the proposition. As there is a controller $Z$ such that $P \xrightarrow{t} Z$, by an application of transition rules (Go) and (Enforce) it follows that $\mathsf{go}^{\ell}\{P\} \xrightarrow{t} \mathsf{go}^{\ell}\{Z\}$. By an application of the implication from right to left of Theorem 2, it follows that $\llbracket P \rrbracket^{\ell}\{P \mid M\} \xrightarrow{t} N$, for some $N$. Thus, by Definition 2, we have to show that $\llbracket P \rrbracket^{\ell}\{P \mid M\} \xrightarrow{t\cdot\alpha} N$ for no $N$. As by hypothesis $P \xrightarrow{t\cdot\alpha} Z$ for no $Z$, it follows that $\mathsf{go}^{\ell}\{P\} \xrightarrow{t\cdot\alpha} N$, for no $N$. Thus, by an application of Theorem 2, this time from left to right, it follows that $\llbracket P \rrbracket^{\ell}\{P \mid M\} \xrightarrow{t\cdot\alpha} N$, for no $N$, as required.

Let us prove the second item of the proposition. We proceed by contradiction, showing that $\llbracket P \rrbracket^{\ell}\{P \mid M\} \xrightarrow{t\cdot\beta} N$, for some $\beta \neq \alpha$. Suppose $\llbracket P \rrbracket^{\ell}\{P \mid M\} \xrightarrow{t\cdot\beta} N$, for no $\beta$ and $N$. By an application of Theorem 2, from right to left, it follows that $\mathsf{go}^{\ell}\{P\} \xrightarrow{t\cdot\beta} N$, for no $\beta$ and $N$. Thus, $P \xrightarrow{t\cdot\beta} Z$, for no $\beta$ and $Z$. Since, by hypothesis, $P \xrightarrow{t} Z$ for some $Z$, it holds that $Z \xrightarrow{\beta} \hat{Z}$, for no $\beta$ and $\hat{Z}$. This is in contradiction with Lemma 1. As a consequence, it must be that $\llbracket P \rrbracket^{\ell}\{P \mid M\} \xrightarrow{t\cdot\beta} N$ for some $\beta \neq \alpha$. Now, there are two possibilities:

– either $\beta$ is derived by an application of rule (Mitigation), with $\alpha = \mathsf{end}$ and $\llbracket P \rrbracket \xrightarrow{\beta/\beta}$; in this case, by definition of our synthesis function, we have $\tau \neq \beta \neq \alpha = \mathsf{end}$;
– or $\beta$ is derived by an application of rule (Enforce) and, by definition of our synthesis function, the monitor $\llbracket P \rrbracket$ suppresses the action $\alpha$, namely, $\alpha \neq \tau$ and $\beta = \tau$.
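The two possibilities closing the proof correspond to the two ways a monitor can produce an observable on behalf of a misbehaving controller: suppression via rule (Enforce) and insertion via rule (Mitigation). The sketch below caricatures this dichotomy in a single step function; the actual premises of (Mitigation) are more restrictive (insertion is triggered by a misaligned $\mathsf{end}$), and all names are illustrative.

```python
# Illustrative dichotomy between suppression and insertion.
def step(expected, offers):
    """Observable emitted by the monitored network in one step."""
    if expected in offers:
        return expected   # (Enforce): forward the compliant action
    if offers:
        return "tau"      # (Enforce): suppress a deviating action
    return expected       # (Mitigation): insert the expected action

print(step("a", {"a"}))   # 'a'   : compliant controller
print(step("a", {"c"}))   # 'tau' : injected action suppressed
print(step("a", set()))   # 'a'   : inserted, avoiding a deadlock
```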