arXiv [cs.SY]

Towards Bounded Synthesis of Resilient Supervisors Against Actuator Attacks
Liyong Lin, Yuting Zhu, Rong Su
Abstract—In this work, we study the safety approach of synthesizing resilient supervisors against actuator attacks, for cyber-physical systems that can be modeled as discrete-event systems. A constraint based approach for the bounded synthesis of resilient supervisors is developed. The supervisor obfuscation problem, which is proposed in a specific setting of actuator attack, can be naturally modelled and solved using the same approach.
Index Terms – cyber-physical systems, discrete-event systems, supervisory control, constraints

I. INTRODUCTION
The safety of cyber-physical systems (CPS) against adversarial attacks has recently drawn much research interest from both the discrete-event systems and formal methods communities [1], [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12]. For a recent survey and position paper on the discrete-event systems based approach, the reader is referred to [13]. In this paper, we consider discrete-event systems (DES) as our model of CPS and consider an approach for the safety enforcement of CPS under attacks. In particular, we further study the safety approach of synthesizing resilient supervisors against actuator attacks, mostly following the framework of [11], [12].

We assume there exists an adversarial attacker that can corrupt a subset of events sent from the supervisor to the actuators (i.e., compromised controllable events). The attacker's goal is to cause damage to the attacked closed-loop system. Any supervisor that can guard against the damage caused by attackers is said to be resilient. In this work, we shall address the problem of resilient supervisor synthesis against actuator enablement and disablement attacks. The main contributions of this paper are as follows.
• We provide a generalized formulation of actuator attack. Compared with [11], [12], we allow general control constraints on the supervisors and general attack constraints on the attackers.
• We model each actuator attacker as a Moore automaton and propose a new composition operator to construct the attacked closed-loop system, for any given plant, supervisor and actuator attacker.
• We generalize the supervisor obfuscation problem and formulate the resilient supervisor synthesis problem with a range-control target [14].
• We provide a constraint based approach for the bounded synthesis of resilient supervisors against actuator attacks.
The authors are with the School of EEE, Nanyang Technological University, Singapore. Email: [email protected]. This work is financially supported by Singapore Ministry of Education Academic Research Grant RG91/18-(S)-SU RONG (VP).
The paper is organized as follows. In Section II, we present the preliminaries. In Section III, we provide a very high-level overview of the main idea behind our solution approach. Section IV describes the system setup and problem formulation considered in this paper. In Section V, we provide the constraint based approach for solving the bounded resilient supervisor synthesis problem. Finally, conclusions and future work are provided in Section VI.

II. PRELIMINARIES
In this section, we shall introduce some basic notations and terminologies used in automata theory [15], [16], [17] and (quantified) Boolean formulas [18].

For any set $A$, we shall use $|A|$ to denote its cardinality. For any two sets $A$ and $B$, we use $A \times B$ to denote their Cartesian product and use $A - B$ to denote their set difference.

A (partial) finite state automaton $G$ over alphabet $\Sigma$ is a 5-tuple $(Q, \Sigma, \delta, q_0, Q_m)$, where $Q$ is the finite set of states, $\delta : Q \times \Sigma \longrightarrow Q$ the partial transition function, $q_0 \in Q$ the initial state and $Q_m \subseteq Q$ the set of marked states. $G$ is said to be a complete finite state automaton if $\delta$ is a total function. Let $L(G)$ and $L_m(G)$ denote the closed-behavior and the marked-behavior of $G$, respectively [15]. When $Q_m = Q$, we also write $G = (Q, \Sigma, \delta, q_0)$ for simplicity, in which case we have $L_m(G) = L(G)$. $G$ is said to be $n$-bounded if $|Q| \leq n$. For any two finite state automata $G_1 = (Q_1, \Sigma_1, \delta_1, q_{1,0}, Q_{1,m})$, $G_2 = (Q_2, \Sigma_2, \delta_2, q_{2,0}, Q_{2,m})$, we write $G := G_1 \| G_2$ to denote their synchronous product. Then, $G = (Q := Q_1 \times Q_2, \Sigma := \Sigma_1 \cup \Sigma_2, \delta = \delta_1 \| \delta_2, q_0 := (q_{1,0}, q_{2,0}), Q_m = Q_{1,m} \times Q_{2,m})$, where the (partial) transition function $\delta$ is defined as follows: for any $q = (q_1, q_2) \in Q$ and any $\sigma \in \Sigma$,

$$\delta(q, \sigma) := \begin{cases} (\delta_1(q_1, \sigma),\, q_2), & \text{if } \sigma \in \Sigma_1 \setminus \Sigma_2 \\ (q_1,\, \delta_2(q_2, \sigma)), & \text{if } \sigma \in \Sigma_2 \setminus \Sigma_1 \\ (\delta_1(q_1, \sigma),\, \delta_2(q_2, \sigma)), & \text{if } \sigma \in \Sigma_1 \cap \Sigma_2 \end{cases}$$

Footnote: As usual, we also view $\delta \subseteq Q \times \Sigma \times Q$ as a relation. We write $\delta(q, \sigma)!$ to mean $\delta(q, \sigma)$ is defined. For example, if $\sigma \in \Sigma_1 \setminus \Sigma_2$ and $\delta_1(q_1, \sigma)$ is undefined, we treat $\delta(q, \sigma)$ as undefined.

A (partial) finite Moore automaton $G$ is a 7-tuple $(Q, \Sigma, \delta, q_0, Q_m, T, \eta)$, where $Q$ is the finite set of states, $\Sigma$ the input alphabet, $\delta : Q \times \Sigma \longrightarrow Q$ the (partial) transition function, $q_0 \in Q$ the initial state, $Q_m \subseteq Q$ the subset of marked states, $T$ the output alphabet and $\eta : Q \longrightarrow T$ the output function. Whenever $Q = Q_m$, we shall omit the $Q_m$ component. $G$ is said to be complete if $\delta$ is complete.

Propositional formulas (or, Boolean formulas) [18] are constructed from (Boolean) variables by using logical connectives ($\wedge$, $\vee$, $\Rightarrow$, $\neg$). The truth value of a propositional formula $\varphi$ is determined by the variables' truth values. A literal $l$ is either a variable $x_i$ or its negation $\neg x_i$. A clause $c$ is a disjunction $l_1 \vee \ldots \vee l_n$ of literals. A (propositional) formula in conjunctive normal form (CNF) is a conjunction of clauses. Each propositional formula can be transformed into an equivalent formula in conjunctive normal form. Let $Var(\varphi)$ denote the set of all the variables that occur in $\varphi$. A model of $\varphi$ is a mapping $M : Var(\varphi) \to \{0, 1\}$ (0 representing False, 1 representing True) such that $\varphi$ evaluates to True if all the variables $x_i$ in $\varphi$ are substituted by $M(x_i)$. A propositional formula $\varphi$ is said to be satisfiable if it has a model $M$. The Boolean Satisfiability Problem (abbreviated as SAT) is the problem of determining if a given propositional formula is satisfiable. Quantified Boolean formulas are an extension of Boolean formulas where each variable can be quantified either universally or existentially. The Quantified Boolean Formula Problem (abbreviated as QBF) is the problem of determining if a totally quantified Boolean formula is True or False.
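The synchronous product is the operation that every later construction in the paper (closed-loop $S \| G$, the product with the damage automaton, the tracked products of Section V) is built on. As an added example, not code from the paper, the following Python implements $G_1 \| G_2$ exactly as defined above for partial automata over possibly different alphabets (a private event moves only its own component; a shared event must be enabled in both), together with a bounded enumeration of $L(G)$ and $L_m(G)$. It builds only the part reachable from $(q_{1,0}, q_{2,0})$, which leaves both behaviours unchanged. The class and function names and the sample plant and supervisor are ours.

```python
# Added example (not the paper's code): synchronous product of two partial
# finite state automata, as defined in the preliminaries. Names are ours.
from collections import deque


class FSA:
    """Partial finite state automaton (Q, Σ, δ, q0, Qm); delta maps (q, σ) -> q'."""

    def __init__(self, alphabet, delta, init, marked):
        self.alphabet, self.delta = frozenset(alphabet), dict(delta)
        self.init, self.marked = init, frozenset(marked)

    @property
    def states(self):
        # every state mentioned by a transition, plus the initial state
        return {self.init} | {q for (q, _) in self.delta} | set(self.delta.values())

    def step(self, q, s):
        return self.delta.get((q, s))           # None: δ(q, σ) is undefined

    def is_complete(self):
        return all((q, s) in self.delta for q in self.states for s in self.alphabet)


def sync_product(g1, g2):
    """G1 || G2 over Σ1 ∪ Σ2: a private event moves only its own component, a
    shared event must be enabled in both. Only states reachable from
    (q1_0, q2_0) are built, which leaves L(G) and L_m(G) unchanged."""
    alphabet = g1.alphabet | g2.alphabet
    init = (g1.init, g2.init)
    delta, seen, todo = {}, {init}, deque([init])
    while todo:
        q1, q2 = todo.popleft()
        for s in alphabet:
            n1 = g1.step(q1, s) if s in g1.alphabet else q1
            n2 = g2.step(q2, s) if s in g2.alphabet else q2
            if n1 is None or n2 is None:        # undefined in a component that owns σ
                continue
            delta[((q1, q2), s)] = (n1, n2)
            if (n1, n2) not in seen:
                seen.add((n1, n2))
                todo.append((n1, n2))
    marked = {(a, b) for (a, b) in seen if a in g1.marked and b in g2.marked}
    return FSA(alphabet, delta, init, marked)


def language(g, max_len, marked_only=False):
    """Strings of L(G) (or of L_m(G) if marked_only) of length <= max_len,
    returned as tuples of events."""
    out, todo = set(), deque([(g.init, ())])
    while todo:
        q, s = todo.popleft()
        if not marked_only or q in g.marked:
            out.add(s)
        if len(s) < max_len:
            for e in sorted(g.alphabet):
                n = g.step(q, e)
                if n is not None:
                    todo.append((n, s + (e,)))
    return out


# constructed sample: plant G over {a, b, c}; a supervisor-like S over {a, c}
# that never enables c and enables a only once; b is private to the plant
PLANT = FSA({"a", "b", "c"},
            {("q0", "a"): "q1", ("q1", "b"): "q0", ("q1", "c"): "q2"},
            "q0", marked={"q0"})
SUP = FSA({"a", "c"}, {("x0", "a"): "x1"}, "x0", marked={"x0", "x1"})

if __name__ == "__main__":
    P = sync_product(PLANT, SUP)
    print("L(G||S) up to length 3:", sorted(language(P, 3)))
    print("L_m(G||S) up to length 3:", sorted(language(P, 3, marked_only=True)))
    print("complete?", P.is_complete())
```

Because $c$ is in the supervisor's alphabet but never enabled, the product cannot fire $c$ even though the plant can; $b$ is private to the plant and passes through unchanged. The product is not complete, which is exactly why Section V works with completions (an added dump state) before tracking reachability.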
III. MAIN IDEA

The problem of synthesis of resilient supervisors against adversarial attacks can be formulated as an $\exists\forall$ second order synthesis problem. The main idea is explained as follows. Let $G$ denote the plant under control. In synthesizing resilient supervisors, we essentially ask for the existence of a supervisor $S$ in the supervisor space $\mathcal{S}$ such that, for any attacker $A$ in the attacker space $\mathcal{A}$, the attacked closed-loop system $\circ(A, S, G)$ satisfies a desired safety property $\Phi_{safe}$, if some assumption $\Phi_{assume}$ holds, where $\circ$ is the composition operator determined according to a chosen semantics of the attacker and its effect on the closed-loop system. Then, the resilient supervisor synthesis problem is reduced to a constructive proof or refutation of the following $\exists\forall$ second order logic formula:

$$\exists S \in \mathcal{S},\ \forall A \in \mathcal{A},\ \circ(A, S, G) \models (\Phi_{assume} \Rightarrow \Phi_{safe}).$$

Different variations of the resilient supervisor synthesis problem can be expressed, depending on the choice of supervisor space, attacker space and properties $\Phi_{assume}$ and $\Phi_{safe}$. For the supervisor space, one can impose restrictions on the set $\Sigma_c$ of controllable events, the set $\Sigma_o$ of observable events and the state size of the supervisors, in addition to some prior property that needs to be guaranteed by the supervisors on the closed-loop systems (in the absence of attacker). For example, one may be required to synthesize a resilient supervisor $S$ of state size no more than 10 that controls (at most) events $a, b$, observes (at most) events $a, c$ and ensures $S \| G \models \Phi_{prior}$, where $\Phi_{prior}$ denotes some prior safety (and progress) property that needs to be satisfied by $S \| G$. By requiring $L(S \| G) = K$ with $\Phi_{prior}$, the above synthesis formula can be used to model the supervisor obfuscation problem [12]. For the attacker space, one can impose restrictions on the observation and attack capability of the attacker.
Footnote: The state size restriction may come from hardware memory limitation.

For example, the attacker space $\mathcal{A}$ may consist of all the actuator attackers that are able to observe events $a, b, c$ and attack event $a$. The attacker may even combine sensor and actuator attacks [3], [11]. In general, it is also possible to consider distributed supervisors (respectively, distributed attackers) over given control architectures (respectively, attack architectures) as the supervisor space (respectively, the attacker space). $\Phi_{safe}$ can specify the state avoidance property (i.e., the avoidance of certain states in the plant) or a more general safety property [11]. In [3] and [11], the attackers are assumed to be covert. That is, the attacker needs to remain covert in the course of attacking the closed-loop systems until damages are inflicted upon the attacked closed-loop systems. Since the covertness of an attacker is with respect to the supervisor and plant, one can examine the covertness of an attacker by using the attacked closed-loop system $\circ(A, S, G)$. It is convenient to express covertness by using $\Phi_{assume}$ (instead of defining it in the attacker space), and we shall adopt this approach in this paper. Thus, to synthesize a resilient supervisor against covert attackers, we let $\Phi_{assume} = \Phi_{covert}$. On the other hand, if we let $\Phi_{assume} = True$, then the covertness requirement is removed and each synthesized resilient supervisor, if any, needs to guard against the damages caused by risky attacks [11].

Instead of tackling the unbounded formulation directly, we can start with a bounded formulation of the synthesis problem:

$$\exists S \in \mathcal{S}_n,\ \forall A \in \mathcal{A}_m,\ \circ(A, S, G) \models (\Phi_{assume} \Rightarrow \Phi_{safe}),$$

where $\mathcal{S}_n$ denotes the space of supervisors of state sizes no more than $n$ and $\mathcal{A}_m$ the space of attackers of state sizes no more than $m$.
To solve the bounded supervisor synthesis problem, we focus on an approach that reduces the above $\exists\forall$ second order synthesis problem to solving the QBF problem, as carried out in [19], [20], [21] in a different context. The basic idea proceeds as follows. Since both $S$ and $A$ are of bounded state sizes, we can encode each of them using a list of Boolean variables. Now, if the (finite state) verification problem $\circ(A, S, G) \models (\Phi_{assume} \Rightarrow \Phi_{safe})$ can also be propositionally encoded, e.g., using some (quantified) Boolean formula $\varphi_{assume \Rightarrow safe}$, then the above bounded supervisor synthesis problem is effectively reduced to proving the validity of the quantified Boolean formula $\exists X, \forall Y, \varphi_{assume \Rightarrow safe}$, where $X$ denotes a list of Boolean variables that encodes supervisor $S$ and $Y$ encodes attacker $A$. We can then use a QBF solver (or repeated calls to a SAT solver [20]), for example, to solve $\exists X, \forall Y, \varphi_{assume \Rightarrow safe}$ and extract a certificate from its proof that can be used to construct the supervisor $S$ of state size no more than $n$, if the formula is true. If the formula is false, then we can increase the value of $n$ and repeat the solving process.

If there exists a supervisor $S$ of state size no more than $n$ that is resilient against all attackers of state sizes no more than $m$, then there is still the trouble that $S$ is not guaranteed to be resilient against all the attackers. If there is available an oracle $O$ for solving the attacker synthesis problem

$$\exists A \in \mathcal{A},\ \circ(A, S, G) \models (\Phi_{assume} \wedge \neg\Phi_{safe}),$$

then we can check the resilience of $S$ against all attackers.

Footnote: Given any plant $G$ and any supervisor $S \in \mathcal{S}$, the oracle $O$ correctly synthesizes a successful attacker $A \in \mathcal{A}$ or asserts the non-existence of a successful attacker (outputs $\bot$). Often, such an oracle can be obtained, for example, by using problem-specific constructions [3], [11]. An oracle may also be developed by using a technique similar to that of [22].
If $S$ is not resilient against all attackers, say there is a successful attacker of size $m' > m$, then we can solve the bounded synthesis problem with supervisor space $\mathcal{S}_n$ and attacker space $\mathcal{A}_{m'}$. If indeed there is a resilient supervisor, then it can be synthesized using the above procedure. If there is no oracle $O$ for solving the attacker synthesis problem, then the best possibility for us is to synthesize a supervisor that is resilient against all attackers up to a large state size. It is possible that the synthesized supervisor is indeed resilient, but there is no proof unless the oracle $O$ becomes available.

IV. SYSTEM SETUP AND PROBLEM FORMULATION
A. System Setup
To instantiate the idea in Section III, in the remainder of this work, we focus on the problem of synthesis of resilient supervisors against actuator attacks. To that end, we first introduce and present a formalization of the system components.
Supervisor: A control constraint over $\Sigma$ is a tuple $C = (\Sigma_c, \Sigma_o)$ of sub-alphabets of $\Sigma$, where $\Sigma_o \subseteq \Sigma$ denotes the subset of observable events and $\Sigma_c \subseteq \Sigma$ denotes the subset of controllable events. Let $\Sigma_{uo} = \Sigma - \Sigma_o \subseteq \Sigma$ denote the subset of unobservable events and let $\Sigma_{uc} = \Sigma - \Sigma_c \subseteq \Sigma$ denote the subset of uncontrollable events. In the absence of attacker, a supervisor over control constraint $(\Sigma_c, \Sigma_o)$ is modeled by a finite state automaton $S = (X, \Sigma, \zeta, x_0)$ that satisfies the controllability and observability constraints [23]:
• (controllability) for any state $x \in X$ and any uncontrollable event $\sigma \in \Sigma_{uc}$, $\zeta(x, \sigma)!$,
• (observability) for any state $x \in X$ and any unobservable event $\sigma \in \Sigma_{uo}$, $\zeta(x, \sigma)!$ implies $\zeta(x, \sigma) = x$.
The control command generated at each supervisor state $x \in X$ is simply $\Gamma(x) := \{\sigma \in \Sigma \mid \zeta(x, \sigma)!\}$. When and only when the supervisor fires an observable transition $\zeta(x, \sigma) = x'$ satisfying $\Gamma(x) \neq \Gamma(x')$, it sends the newly generated control command $\Gamma(x')$ to the plant. In the degenerate case when the system first initiates, the supervisor sends the initial control command $\Gamma(x_0)$ to the plant.

Footnote: In another setup [11], the supervisor sends a control command each time it fires an observable transition. The question of which setup to use is implementation-dependent. In any case, it is straightforward to adapt the solution.

Plant: The plant is modeled as a finite state automaton $G = (Q, \Sigma, \delta, q_0)$ as usual. Whenever the plant fires an observable transition $\delta(q, \sigma) = q'$, it sends the observable event $\sigma$ to the supervisor.

Attacker: The attacker can exercise actuator attacks. We assume the attacker knows the models of plant $G$ and supervisor $S$ to allow the possibility of making informed attack decisions. We shall impose some restrictions on the capability of the attacker as follows. Let $\Sigma_{o,A} \subseteq \Sigma$ denote the subset of (plant) events that can be observed by the attacker. In addition, we assume the attacker can fully observe each control command sent from the supervisor to the plant. Let $\Sigma_{c,A} \subseteq \Sigma_c$ denote the subset of controllable events that can be compromised under actuator attack. That is, the attacker can modify the control command $\gamma$ issued by the supervisor on the subset $\Sigma_{c,A}$. We shall henceforth refer to $\mathcal{A} = (\Sigma_{o,A}, \Sigma_{c,A})$ as an attack constraint. An attacker over attack constraint $\mathcal{A}$ is modeled as a complete Moore automaton

$$A = (Y,\ \Sigma_a = (\Sigma_{o,A} \times \Gamma) \cup (\Sigma_{o,A} \times \{\varepsilon\}) \cup (\{\varepsilon\} \times \Gamma),\ \beta,\ y_0,\ T,\ \eta),$$

where $\beta : Y \times \Sigma_a \longrightarrow Y$ is the transition function, $T := \{t \subseteq \Sigma \mid t \subseteq \Sigma_{c,A}\}$ is the output alphabet and $\eta : Y \longrightarrow T$ is the output function. Intuitively, $\Sigma_a$ denotes the observation alphabet of the attacker, each element of which is a tuple that consists of 1) an observation of event execution from the plant and 2) a control command sent from the supervisor. $\Sigma_a$ drives the state transitions of the attacker. The output function $\eta$ assigns to each state $y \in Y$ the attack decision $\eta(y) \in T$, specifying the actuator attack $\eta(y)$. Intuitively, the attacker determines at state $y$ the set of enabled compromised controllable events to be $\eta(y)$. For each $\sigma \in \Sigma_a$, we write $\sigma = (\sigma[1], \sigma[2])$.

Footnote: A supervisor that can guard against the damages caused by a knowledgeable attacker can certainly guard against an "ignorant" attac­ker, if we do not impose the covertness assumption on the knowledgeable attacker.

Attacked Closed-loop System: In the presence of an attacker, we assume the supervisor is augmented with a monitoring mechanism for the detection of attack. Recall that, in the absence of attack, a supervisor is given as $S = (X, \Sigma, \zeta, x_0)$ that satisfies the controllability and observability constraints.
Now, let $S_T = (X \cup \{x_{halt}\}, \Sigma, \zeta_T, x_0)$ be the transformed supervisor, where $x_{halt} \notin X$ is a distinguished halt state and $\zeta_T$ is obtained from $\zeta$ by adding,
• for each state $x \in X$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_o$, the transition $\zeta_T(x, \sigma) = x_{halt}$, if $\neg\zeta(x, \sigma)!$,
• for each state $x \in X$ and each $\sigma \in \Sigma_{c,A} - \Sigma_o$, the self-loop transition $\zeta_T(x, \sigma) = x$, if $\neg\zeta(x, \sigma)!$.
The first item of the transformation is used for detecting the presence of an attack. If an unexpected observable transition is observed by the supervisor, then the supervisor can immediately infer the presence of an attacker and halts the execution by running into the halt state $x_{halt}$, which has no outgoing transition. The second item of the transformation allows the occurrence of each compromised controllable event that is unobservable to the supervisor, which leads to a self-loop. Overall, both items ensure that each compromised controllable event is treated as uncontrollable by the supervisor; accordingly, each $\sigma \in \Sigma_{c,A}$ is defined at each supervisor state of $S_T$ after the transformation. We here shall remark that control commands are generated using $S$ (and thus $\zeta$), which is the supervisor under normal operation, instead of $S_T$; there are two exceptional cases that are not modeled in $S$ (due to attack occurrence).
• At any supervisor state $x \in X$ and for any $\sigma \in \Sigma_{c,A} - \Sigma_o$, if $\neg\zeta(x, \sigma)!$ and an enablement attack on $\sigma$ occurs, we shall assume $\Gamma(\zeta(x, \sigma)) = \Gamma(x)$, despite the fact that $\zeta(x, \sigma)$ is undefined. This is because the occurrence of $\sigma$ (due to attack) is unobservable to the supervisor.
• At any supervisor state $x \in X$ and for any $\sigma \in \Sigma_{c,A} \cap \Sigma_o$, if $\neg\zeta(x, \sigma)!$ and an enablement attack on $\sigma$ occurs, we shall assume $\Gamma(\zeta(x, \sigma)) = \Gamma(x)$. Indeed, upon the occurrence of an unexpected observable event $\sigma$ (due to attack), the supervisor has run into the halt state and halted the execution of the closed-loop system. The choice of $\Gamma(\zeta(x, \sigma))$ does not matter and is chosen to be $\Gamma(x)$ in the definition for technical convenience.

Footnote: In [8], when the supervisor detects the presence of an attack, all controllable events are disabled and uncontrollable events can still occur (immediate halt by reset is impossible). This is not difficult to accommodate; we can add self-loops at the halt state $x_{halt}$ for each uncontrollable event $\sigma \in \Sigma_{uc}$.

Based on plant $G$, supervisor $S$ (or transformed supervisor $S_T$) and attacker $A$, we can construct the attacked closed-loop system $\circ(A, S, G)$. $\circ(A, S, G)$ is a 4-tuple $(Z, \Sigma, \theta, z_0)$, where $Z = Y \times (X \cup \{x_{halt}\}) \times Q$, $z_0 = (y_0, x_0, q_0) \in Z$ is the initial state and $\theta : Z \times \Sigma \longrightarrow Z$ is the (partial) transition function. The definition of $\theta$ is as follows: for any $(y, x, q) \in Z$ and any $\sigma \in \Sigma$,
1) if $x \neq x_{halt}$ and [$\sigma \in \Sigma_{c,A} \cap C(y)$ or $\sigma \notin \Sigma_{c,A} \wedge \zeta(x, \sigma)!$],
  a) if $\sigma \notin \Sigma_{o,A} \wedge (\sigma \notin \Sigma_o \vee \Gamma(x) = \Gamma(\zeta(x, \sigma)))$, then $\theta((y, x, q), \sigma) = (y,\ \zeta_T(x, \sigma),\ \delta(q, \sigma))$
  b) if $\sigma \in \Sigma_{o,A} \wedge (\sigma \in \Sigma_o \wedge \Gamma(x) \neq \Gamma(\zeta(x, \sigma)))$, then $\theta((y, x, q), \sigma) = (\beta(y, (\sigma, \Gamma(\zeta(x, \sigma)))),\ \zeta_T(x, \sigma),\ \delta(q, \sigma))$
  c) if $\sigma \in \Sigma_{o,A} \wedge (\sigma \notin \Sigma_o \vee \Gamma(x) = \Gamma(\zeta(x, \sigma)))$, then $\theta((y, x, q), \sigma) = (\beta(y, (\sigma, \varepsilon)),\ \zeta_T(x, \sigma),\ \delta(q, \sigma))$
  d) if $\sigma \notin \Sigma_{o,A} \wedge (\sigma \in \Sigma_o \wedge \Gamma(x) \neq \Gamma(\zeta(x, \sigma)))$, then $\theta((y, x, q), \sigma) = (\beta(y, (\varepsilon, \Gamma(\zeta(x, \sigma)))),\ \zeta_T(x, \sigma),\ \delta(q, \sigma))$
2) $\theta$ is undefined for any other case.
We shall provide an explanation about the definition of $\theta$. We only need to consider the case when $x \neq x_{halt}$, as otherwise there will be no transition defined at $(y, x, q) \in Z$. If $\sigma \in \Sigma_{c,A}$, then there is an outgoing transition at $(y, x, q)$ labeled by $\sigma$ only if $\sigma \in C(y)$, i.e., $\sigma$ is enabled by the attacker at state $y$.
If $\sigma \notin \Sigma_{c,A}$, then there is an outgoing transition at $(y, x, q)$ labeled by $\sigma$ only if $\zeta(x, \sigma)!$, i.e., $\sigma$ is enabled by the supervisor at state $x$ (in this case, we have $\zeta_T(x, \sigma) = \zeta(x, \sigma)$). The transition, due to the execution of $\sigma$, for $S$ and $G$ shall be straightforward; the transition for $A$ depends on 1) its observation $P_{o,A}(\sigma)$ [11] on $\sigma$ and 2) the control command sent from the supervisor at state $\zeta(x, \sigma)$, if any. There are four cases. The attacker observes $\sigma$, if $\sigma \in \Sigma_{o,A}$, and observes $\varepsilon$, if $\sigma \notin \Sigma_{o,A}$; the control command $\Gamma(\zeta(x, \sigma))$ is sent iff $\sigma \in \Sigma_o \wedge \Gamma(x) \neq \Gamma(\zeta(x, \sigma))$.

Footnote: $\varepsilon$ means nothing is observed.

Successful Attacker: To specify in a general manner what strings can cause damages, in this work we use a complete finite state automaton $H = (W, \Sigma, \chi, w_0, W_m)$ [11] to facilitate the expression of the property $\neg\Phi_{safe}$ (cf. Section III). Intuitively, $\Phi_{safe}$ states that "each string $s \in L_m(H)$ cannot be generated in the attacked closed-loop system" [11]. In the special case of the state avoidance property, we can get rid of $H$ and introduce the set $Q_{bad} \subseteq Q$ of bad states to avoid in the plant $G$. Without loss of generality, we make the assumption that each $w \in W_m$ is a sink state, i.e., $\forall \sigma \in \Sigma, w \in W_m, \chi(w, \sigma) = w$. Intuitively, this means that damage is never recoverable. Furthermore, we can assume $|W_m| = 1$, i.e., there is only one sink state, without loss of generality. Let $H = (W, \Sigma, \chi, w_0, \{w_m\})$ in the rest.

Footnote: $H$ is referred to as a damage automaton and each string $s \in L_m(H)$ is said to be a damage-inflicting string [11].

To track the executions of the attacked closed-loop system w.r.t. $H$, we synchronize $\circ(A, S, G)$ with $H$ using the synchronous product operation to obtain $O = \circ(A, S, G) \| H = (I, \Sigma, \mu, i_0, I_m)$, where $I = Y \times (X \cup \{x_{halt}\}) \times Q \times W$, $i_0 = (y_0, x_0, q_0, w_0)$, $I_m = \{(y, x, q, w) \in I \mid w = w_m\}$ and $\mu : I \times \Sigma \longrightarrow I$ is the partial transition function with $\mu = \theta \| \chi$. To make it explicit, $\mu$ is defined as follows: for any $(y, x, q, w) \in I$ and for any $\sigma \in \Sigma$,
1) if $x \neq x_{halt}$ and [$\sigma \in \Sigma_{c,A} \cap C(y)$ or $\sigma \notin \Sigma_{c,A} \wedge \zeta(x, \sigma)!$],
  a) if $\sigma \notin \Sigma_{o,A} \wedge (\sigma \notin \Sigma_o \vee \Gamma(x) = \Gamma(\zeta(x, \sigma)))$, then $\mu((y, x, q, w), \sigma) = (y,\ \zeta_T(x, \sigma),\ \delta(q, \sigma),\ \chi(w, \sigma))$
  b) if $\sigma \in \Sigma_{o,A} \wedge (\sigma \in \Sigma_o \wedge \Gamma(x) \neq \Gamma(\zeta(x, \sigma)))$, then $\mu((y, x, q, w), \sigma) = (\beta(y, (\sigma, \Gamma(\zeta(x, \sigma)))),\ \zeta_T(x, \sigma),\ \delta(q, \sigma),\ \chi(w, \sigma))$
  c) if $\sigma \in \Sigma_{o,A} \wedge (\sigma \notin \Sigma_o \vee \Gamma(x) = \Gamma(\zeta(x, \sigma)))$, then $\mu((y, x, q, w), \sigma) = (\beta(y, (\sigma, \varepsilon)),\ \zeta_T(x, \sigma),\ \delta(q, \sigma),\ \chi(w, \sigma))$
  d) if $\sigma \notin \Sigma_{o,A} \wedge (\sigma \in \Sigma_o \wedge \Gamma(x) \neq \Gamma(\zeta(x, \sigma)))$, then $\mu((y, x, q, w), \sigma) = (\beta(y, (\varepsilon, \Gamma(\zeta(x, \sigma)))),\ \zeta_T(x, \sigma),\ \delta(q, \sigma),\ \chi(w, \sigma))$
2) $\mu$ is undefined for any other case.
Then, $\Phi_{safe}$ is translated to "no state in $I_m$ is reachable from $i_0$". Now, let us look at the assumption $\Phi_{assume}$. For covertness attack, intuitively $\Phi_{assume} = \Phi_{covert}$ requires that if the attacker is ever caught, then it must have already caused damages. $\Phi_{assume}$ is translated to "no state in $\{(y, x_{halt}, q, w) \mid w \neq w_m\}$ is reachable from $i_0$". Thus, a covert attacker's goal is "no state in $\{(y, x_{halt}, q, w) \mid w \neq w_m\}$ is reachable from $i_0$ and some state in $I_m$ is reachable from $i_0$", i.e., $\Phi_{assume} \wedge \neg\Phi_{safe}$; a risky attacker's goal is "some state in $I_m$ is reachable from $i_0$".
An attacker is successful if its goal is achieved.
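The composition $\circ(A, S, G) \| H$ and the two attacker goals above are what a defender would actually compute to check whether a candidate supervisor survives a given attacker. As an added example, not code from the paper, the following Python builds the reachable part of $O$ by breadth-first search, applying $\zeta_T$, the $\Gamma(\zeta(x, \sigma)) := \Gamma(x)$ convention for the two attack cases, the four observation/command cases a) to d), and the damage automaton $H$; it then evaluates $\neg\Phi_{safe}$ and $\neg\Phi_{covert}$ on the result. The attacker's enabled set $C(y)$ is represented by `eta[y]`. The plant, damage automaton, two supervisors and one attacker are a constructed instance of ours, as are all class and function names: $\Sigma_c = \Sigma$, $\Sigma_o = \{a, c\}$, the attacker observes $a, c$ and can compromise $a, b$, and damage means the plant executes the prefix $ab$.

```python
# Added example (not the paper's code): reachable part of O = ◦(A,S,G) || H
# and the successful-attacker tests of Section IV-A. Names are ours.
from collections import deque

EPS = "eps"       # the empty observation ε
HALT = "x_halt"   # distinguished halt state of the transformed supervisor S_T


class Automaton:
    """Partial finite state automaton (Q, Σ, δ, q0, Qm); delta: (q, σ) -> q'."""
    def __init__(self, alphabet, delta, init, marked=()):
        self.alphabet, self.delta, self.init = frozenset(alphabet), dict(delta), init
        self.marked = frozenset(marked)

    def step(self, q, s):
        return self.delta.get((q, s))       # None means δ(q, σ) is undefined


class Attacker:
    """Complete Moore automaton: beta(y, obs, cmd) -> y', eta[y] = C(y) ⊆ Σc,A."""
    def __init__(self, beta, eta, init):
        self.beta, self.eta, self.init = beta, dict(eta), init


def gamma(S, x):
    """Control command Γ(x) = {σ | ζ(x, σ)!}."""
    return frozenset(s for (q, s) in S.delta if q == x)


def zeta_T(S, x, s, sigma_o, sigma_cA):
    """ζ_T: unexpected observable compromised event -> x_halt (attack detected);
    unexpected unobservable compromised event -> self-loop at x."""
    nxt = S.step(x, s)
    if nxt is not None or s not in sigma_cA:
        return nxt
    return HALT if s in sigma_o else x


def attacked_closed_loop(G, S, A, H, sigma_o, sigma_oA, sigma_cA):
    """States (y, x, q, w) of O = ◦(A,S,G) || H reachable from (y0, x0, q0, w0).
    H is assumed complete, so χ(w, σ) is always defined."""
    init = (A.init, S.init, G.init, H.init)
    reach, todo = {init}, deque([init])
    while todo:
        y, x, q, w = todo.popleft()
        if x == HALT:
            continue                        # x_halt has no outgoing transition
        for s in G.alphabet:
            # compromised events are enabled by the attacker, all others by S
            enabled = (s in A.eta[y]) if s in sigma_cA else (S.step(x, s) is not None)
            q2 = G.step(q, s)
            if not enabled or q2 is None:
                continue
            x_next = S.step(x, s)
            # Γ(ζ(x,σ)) := Γ(x) when ζ(x,σ) is undefined (the two attack cases)
            cmd_next = gamma(S, x_next) if x_next is not None else gamma(S, x)
            obs = s if s in sigma_oA else EPS
            cmd = cmd_next if (s in sigma_o and cmd_next != gamma(S, x)) else EPS
            y2 = y if (obs == EPS and cmd == EPS) else A.beta(y, obs, cmd)  # case a) vs b)-d)
            nxt = (y2, zeta_T(S, x, s, sigma_o, sigma_cA), q2, H.step(w, s))
            if nxt not in reach:
                reach.add(nxt)
                todo.append(nxt)
    return reach


def damage_reached(reach, H):
    """¬Φ_safe: some state of I_m is reachable."""
    return any(w in H.marked for (_, _, _, w) in reach)


def caught_without_damage(reach, H):
    """¬Φ_covert: the supervisor halted before any damage was inflicted."""
    return any(x == HALT and w not in H.marked for (_, x, _, w) in reach)


def successful(reach, H, covert):
    """Covert goal: damage reachable and never caught first; risky goal: damage reachable."""
    return damage_reached(reach, H) and (not covert or not caught_without_damage(reach, H))


# --- constructed sample instance (ours) --------------------------------------
SIGMA = {"a", "b", "c"}
SIGMA_O = {"a", "c"}                              # Σo; Σc = Σ, so Σuc is empty
SIGMA_OA, SIGMA_CA = {"a", "c"}, {"a", "b"}       # attack constraint (Σo,A, Σc,A)
G = Automaton(SIGMA, {("q0", "a"): "q1", ("q1", "b"): "q2",
                      ("q0", "c"): "q3", ("q3", "b"): "q4"}, "q0")
# damage automaton H (complete): every string with prefix ab is damage-inflicting
H = Automaton(SIGMA, {("w0", "a"): "w1", ("w0", "b"): "w0", ("w0", "c"): "w0",
                      ("w1", "a"): "w1", ("w1", "b"): "wm", ("w1", "c"): "w0",
                      ("wm", "a"): "wm", ("wm", "b"): "wm", ("wm", "c"): "wm"},
              "w0", marked={"wm"})
# naive supervisor: allows a, then disables b; b is unobservable, so it self-loops at x2
S_NAIVE = Automaton(SIGMA, {("x0", "a"): "x1", ("x0", "c"): "x2", ("x2", "b"): "x2"}, "x0")
# resilient supervisor: gives up a altogether, so the prefix ab can never occur
S_RES = Automaton(SIGMA, {("x0", "c"): "x2", ("x2", "b"): "x2"}, "x0")
# attacker: lets a through, then enables the compromised b once a is observed
A1 = Attacker(lambda y, obs, cmd: "y1" if obs == "a" else y,
              {"y0": {"a"}, "y1": {"b"}}, "y0")


def run(S, A, covert):
    reach = attacked_closed_loop(G, S, A, H, SIGMA_O, SIGMA_OA, SIGMA_CA)
    return successful(reach, H, covert)


if __name__ == "__main__":
    print("naive supervisor, covert attacker successful:", run(S_NAIVE, A1, True))
    print("resilient supervisor, risky attacker successful:", run(S_RES, A1, False))
```

Against the naive supervisor the attacker reaches $(y_1, x_1, q_2, w_m)$ without ever triggering $x_{halt}$, so it succeeds both as a covert and as a risky attacker. Against the resilient supervisor, enabling the compromised observable event $a$ drives $S_T$ into $x_{halt}$ with $w \neq w_m$, i.e. the attacker is caught before any damage, and no state of $I_m$ is reachable. This checks one fixed attacker; the bounded synthesis of Section V instead quantifies over every $m$-bounded attacker.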
B. Problem Formulation

In this subsection, we recall two problems, i.e., the supervisor obfuscation problem [12] and a formulation of the resilient supervisor synthesis problem [11].

1) Supervisor Obfuscation: Given a plant $G$ over $\Sigma$, a supervisor $S'$, a control constraint $C = (\Sigma_c, \Sigma_o)$, an attack constraint $\mathcal{A} = (\Sigma_{o,A}, \Sigma_{c,A})$ and a damage automaton $H$ over $\Sigma$, compute a supervisor $S$ over $C$, if it exists, such that 1) $L(S' \| G) = L(S \| G)$, 2) there is no successful attacker on $(G, S)$ w.r.t. $\mathcal{A}$ and $H$.

2) Resilient Supervisor Synthesis: Given a plant $G$ over $\Sigma$, a control constraint $C = (\Sigma_c, \Sigma_o)$, specification automata $G_i = (Q_i, \Sigma, \delta_i, q_{i,0})$ over $\Sigma$ (for $i = 1, 2$) with $L(G_1) \subseteq L(G_2)$, an attack constraint $\mathcal{A} = (\Sigma_{o,A}, \Sigma_{c,A})$ and a damage automaton $H$ over $\Sigma$, compute a supervisor $S$ over $C$, if it exists, such that 1) $L(G_1) \subseteq L(S \| G) \subseteq L(G_2)$ and 2) there is no successful attacker on $(G, S)$ w.r.t. $\mathcal{A}$ and $H$.

$\Phi_{prior}$ (cf. Section III) for Problem 1 is $L(S' \| G) = L(S \| G)$ and $\Phi_{prior}$ for Problem 2 is $L(G_1) \subseteq L(S \| G) \subseteq L(G_2)$. Thus, the supervisor obfuscation problem is a special case of the resilient supervisor synthesis problem formulated above, by setting $L(G_1) = L(G_2) = L(S' \| G)$. In the rest of this work, we address the bounded resilient supervisor synthesis problem, i.e., the bounded formulation of Problem 2.

V. BOUNDED RESILIENT SUPERVISOR SYNTHESIS
Recall that the bounded resilient supervisor synthesis problem amounts to solving the $\exists\forall$ second order logic formula

$$\exists S \in \mathcal{S}_n,\ \forall A \in \mathcal{A}_m,\ \circ(A, S, G) \models \neg\Phi_{assume} \vee \Phi_{safe},$$

for large values of $n$ and $m$. If there is an (respectively, no) oracle for solving the attacker synthesis problem, then it is possible to synthesize a resilient supervisor with (respectively, without) proof (cf. Section III).

To solve the problem, we let $\Phi_{assume} = True$. In this case, a synthesized supervisor $S$, if it exists, is resilient against all risky attackers of state sizes no more than $m$. A risky attacker still uses the models of the plant, supervisor and its online observations to make informed attack decisions; in the ambiguous situation where an attack may cause damages or get caught without causing damages, a risky attacker will carry out the attack. Thus, a covert attacker is much more conservative than a risky attacker. Correspondingly, the synthesized supervisor $S$ is also resilient against all covert attackers of state sizes no more than $m$. An advantage of using this heuristic is that, by setting $\Phi_{assume} = True$, we remove a lot of difficult constraints associated with $\neg\Phi_{assume}$. This may allow us to generate a bounded resilient supervisor much faster.

We shall now generalize the technique of [24] and provide a polynomial-time reduction from the bounded resilient supervisor synthesis problem with $\Phi_{assume} = True$ (bounded formulation of Problem 2 for risky attackers) to the QSAT problem. At a high level, the idea of the reduction proceeds as follows: for any given bounded instance of Problem 2 with plant $G$, damage automaton $H$, specification automata $G_1, G_2$, control constraint $C$ and attack constraint $\mathcal{A}$, we produce a QBF formula $\Phi^{G, H, G_1, G_2, C, \mathcal{A}}_{n, m}$ such that $\Phi^{G, H, G_1, G_2, C, \mathcal{A}}_{n, m}$ is true iff there exists an $n$-bounded supervisor $S$ that is resilient against all $m$-bounded risky attackers w.r.t. $H$ and $\mathcal{A}$ and $L(G_1) \subseteq L(S \| G) \subseteq L(G_2)$.
Moreover, we can extract a certificate from its proof that can be used to construct an $n$-bounded supervisor $S$ that is resilient against all risky attackers of state sizes no more than $m$ and satisfies $\Phi_{prior}$, if the formula is true.

Let $S = (X, \Sigma, \zeta, x_0)$ be an $n$-bounded finite state supervisor over $C = (\Sigma_c, \Sigma_o)$, where $X := \{x_0, x_1, \ldots, x_{n-1}\}$ consists of $n$ states, $x_0 \in X$ is the initial state; the partial transition function $\zeta : X \times \Sigma \longrightarrow X$ is the only parameter that needs to be determined to ensure that $S$ is a solution of the given instance, if a solution exists. We need to use complete finite state automata for tracking synchronous products. Thus, $S$ cannot be directly used. To properly model the halt state $x_{halt}$ for handling attack, it turns out that we need to work with the tuple $(\overline{S_T}, \{l_{x,\sigma} \mid x \in X, \sigma \in \Sigma_{c,A} \cap \Sigma_{uo}\})$ instead, where $S_T = (X \cup \{x_{halt}\}, \Sigma, \zeta_T, x_0)$ is the transformed supervisor, $\overline{S_T}$ denotes the completion of $S_T$ and each $l_{x,\sigma}$ is a Boolean variable that is true iff there exists a loop at state $x$ labeled by $\sigma$ in $S$ (i.e., unobservable event $\sigma$ is enabled at supervisor state $x$). Formally, the completion of any partial finite state automaton $P = (U, \Sigma, \pi, u_0)$ is a complete finite state automaton $\overline{P} = (U \cup \{u_d\}, \Sigma, \overline{\pi}, u_0, U)$, where the distinguished state $u_d \notin U$ with $d$-subscript denotes the added dump state, and

$$\overline{\pi} = \pi \cup (\{u_d\} \times \Sigma \times \{u_d\}) \cup \{(u, \sigma, u_d) \mid \pi(u, \sigma) \text{ is undefined},\ u \in U,\ \sigma \in \Sigma\}.$$

We remark that it is straightforward to obtain $\overline{S_T}$ and the truth values of $l_{x,\sigma}$ from $S$; on the other hand, to obtain $S$ from $\overline{S_T}$, we need to remove all the transitions associated with $x_{halt}$, $x_d$, and remove the self-loop labeled with $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$ if the value of $l_{x,\sigma}$ is false, for each $x \in X$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$. Thus, we only need to focus on $(\overline{S_T}, \{l_{x,\sigma} \mid x \in X, \sigma \in \Sigma_{c,A} \cap \Sigma_{uo}\})$.

We know that $\overline{S_T}$ is given by the 5-tuple $(\{x_0, x_1, \ldots, x_{n-1}, x_{halt}, x_d\}, \Sigma, \overline{\zeta_T}, x_0, \{x_0, x_1, \ldots, x_{n-1}, x_{halt}\})$ and we need to determine $\overline{\zeta_T}$ to determine $\overline{S_T}$. We know that $\overline{\zeta_T}(x_d, \sigma) = x_d$ and $\overline{\zeta_T}(x_{halt}, \sigma) = x_d$, for any $\sigma \in \Sigma$. For convenience, we let $x_n = x_{halt}$ and $x_{n+1} = x_d$. We introduce Boolean variables $t^{S_T}_{x_i, \sigma, x_j}$, where $x_i, x_j \in X \cup \{x_n, x_{n+1}\}$ and $\sigma \in \Sigma$, in the encoding of $\overline{S_T}$ with the interpretation that $t^{S_T}_{x_i, \sigma, x_j}$ is true if and only if $\overline{\zeta_T}(x_i, \sigma) = x_j$. We encode the fact that $\overline{\zeta_T}$ is a transition function using the following constraints.
1) $\neg t^{S_T}_{x_i, \sigma, x_j} \vee \neg t^{S_T}_{x_i, \sigma, x_k}$ for each $i \in [0, n-1]$, each $\sigma \in \Sigma$ and each $j \neq k \in [0, n+1]$
2) $\bigvee_{j \in [0, n+1]} t^{S_T}_{x_i, \sigma, x_j}$ for each $i \in [0, n-1]$ and each $\sigma \in \Sigma$
3) $t^{S_T}_{x_n, \sigma, x_{n+1}}$ for each $\sigma \in \Sigma$
4) $t^{S_T}_{x_{n+1}, \sigma, x_{n+1}}$ for each $\sigma \in \Sigma$
Then, let $\varphi^{S_T, fsa}_n$ denote the resultant formula after combining Constraints (1), (2), (3) and (4).

With the above constraints, we can now encode the fact that $S$ is a finite state supervisor over $C = (\Sigma_c, \Sigma_o)$ and $S_T$ is a (properly) transformed supervisor using the following extra constraints.
5) $\bigvee_{j \in [0, n-1]} t^{S_T}_{x_i, \sigma, x_j}$ for each $i \in [0, n-1]$ and each $\sigma \in \Sigma_{uc}$
6) $(\bigvee_{j \in [0, n-1]} t^{S_T}_{x_i, \sigma, x_j}) \Rightarrow t^{S_T}_{x_i, \sigma, x_i}$ for each $i \in [0, n-1]$ and each $\sigma \in \Sigma_{uo} - \Sigma_{c,A}$
7) $t^{S_T}_{x_i, \sigma, x_i}$ for each $i \in [0, n-1]$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$
8) $\neg t^{S_T}_{x_i, \sigma, x_n}$ for each $i \in [0, n-1]$ and each $\sigma \notin \Sigma_{c,A} \cap \Sigma_o$
In particular, Constraints (5) are imposed to ensure controllability and Constraints (6) ensure observability of $S$. We shall note that the range of the index $j$ in (5) and (6) does not contain $n, n+1$. Constraints (6) are applied only for $\sigma \in \Sigma_{uo} - \Sigma_{c,A}$. For each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$, we know that $\zeta_T(x_i, \sigma) = x_i$ in $S_T$ for each $i \in [0, n-1]$. This is captured in Constraints (7). Constraints (8) intuitively mean that there cannot be transitions labeled by $\sigma \notin \Sigma_{c,A} \cap \Sigma_o$ from $x_i$ to $x_n$, for each $i \in [0, n-1]$. Constraints (7) and (8) ensure that $S_T$ is a (properly) transformed supervisor. Then, let $\varphi^{S_T, con\_obs}_n$ denote the resultant formula after combining Constraints (5), (6), (7) and (8).

Let $\varphi^{S_T}_n = \varphi^{S_T, fsa}_n \wedge \varphi^{S_T, con\_obs}_n$. The constraint $\varphi^{S_T}_n$ guarantees that $S$ is an $n$-bounded finite state supervisor over $C$. Now, we need to introduce Boolean variables to encode the attacker as well. Let

$$A = (Y,\ \Sigma_a = (\Sigma_{o,A} \times \Gamma) \cup (\Sigma_{o,A} \times \{\varepsilon\}) \cup (\{\varepsilon\} \times \Gamma),\ \beta,\ y_0,\ T,\ \eta)$$

be an $m$-bounded attacker over $\mathcal{A} = (\Sigma_{o,A}, \Sigma_{c,A})$, where $Y = \{y_0, y_1, \ldots, y_{m-1}\}$ consists of $m$ states, $y_0 \in Y$ is the initial state, $T = \{t \subseteq \Sigma \mid t \subseteq \Sigma_{c,A}\}$ is the output alphabet; the partial transition function $\beta : Y \times \Sigma_a \longrightarrow Y$ and the output function $\eta : Y \longrightarrow T$ both need to be determined to specify the attacker $A$. We introduce Boolean variables $t^A_{y_i, \sigma, y_j}$, for each $y_i, y_j \in Y$, $\sigma \in \Sigma_a$, and introduce Boolean variables $e^A_{y_i, \sigma}$, for each $y_i \in Y$, $\sigma \in \Sigma_{c,A}$. Intuitively, $t^A_{y_i, \sigma, y_j}$ is true iff $\beta(y_i, \sigma) = y_j$ and $e^A_{y_i, \sigma}$ is true iff $\sigma \in \eta(y_i)$. Now, we need to encode the fact that the attacker $A$ is a complete finite state automaton over $\Sigma_a$.
This can be ensured with the following constraints.

9) $\neg t^A_{y_i, \sigma, y_j} \vee \neg t^A_{y_i, \sigma, y_k}$, for each $i \in [0, m-1]$, each $\sigma \in \Sigma_a$ and each $j \neq k \in [0, m-1]$
10) $\bigvee_{j \in [0, m-1]} t^A_{y_i, \sigma, y_j}$, for each $i \in [0, m-1]$ and each $\sigma \in \Sigma_a$

Let $\varphi^{attack}_m$ denote the formula that combines Constraints (9) and (10).

Now, after the supervisor $S$ and the attacker $A$ have been propositionally encoded, we need to encode propositionally the following two constraints:
a) $L(G_1) \subseteq L(S \parallel G) \subseteq L(G_2)$,
b) satisfaction of the safety property $\Phi_{safe}$.

To encode $L(G_1) \subseteq L(S \parallel G) \subseteq L(G_2)$, we need to first obtain the completions $\overline{G_1}, \overline{G_2}, \overline{G}$ of $G_1, G_2, G$, with added dump states $q_{1,d}, q_{2,d}, q_d$ respectively (for technical convenience, we assume $G_1, G_2, G$ are all non-complete, which is often the case in practice). We need to track the synchronous product $S \parallel \overline{G} \parallel \overline{G_1}$ to ensure that, for any reachable state, if $G_1$ is in the marked state, then $S \parallel G$ has to be also in the marked state. We also need to track the synchronous product $S \parallel \overline{G} \parallel \overline{G_2}$ to ensure that, for any reachable state, if $S \parallel G$ is in the marked state, then $G_2$ has to be also in the marked state. Instead of $S$, we shall work with $S^T$ to be consistent in formulating constraints. Intuitively, both $x_n$ and $x_{n+1}$ are now treated as dump states in this case. We remark that it is now necessary to use the Boolean variables $l_{x, \sigma}$, where $x \in X$ and $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$, instead of $t^{S^T}_{x, \sigma, x}$ for tracking $\Sigma_{c,A} \cap \Sigma_{uo}$ loops in $S$. In fact, it is possible that $l_{x, \sigma}$ is false while $t^{S^T}_{x, \sigma, x}$ is always true due to attack (cf. Constraint (7)).

For $S^T \parallel \overline{G} \parallel \overline{G_1}$, we now introduce, as in [24], auxiliary Boolean variables $r_{x, q, q_1}$, where $x \in X \cup \{x_n, x_{n+1}\}$, $q \in Q \cup \{q_d\}$ and $q_1 \in Q_1 \cup \{q_{1,d}\}$, with the interpretation that if state $(x, q, q_1)$ is reachable from the initial state $(x_0, q_0, q_{1,0})$ in $S^T \parallel \overline{G} \parallel \overline{G_1}$, then $r_{x, q, q_1}$ is true.
We have the following constraints.

11) $r_{x_0, q_0, q_{1,0}}$
12) $r_{x_i, q, q_1} \wedge t^{S^T}_{x_i, \sigma, x_j} \Rightarrow r_{x_j, q', q_1'}$, for each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $q_1, q_1' \in Q_1 \cup \{q_{1,d}\}$ and each $\sigma \notin \Sigma_{c,A} \cap \Sigma_{uo}$ such that $q' = \delta(q, \sigma)$, $q_1' = \delta_1(q_1, \sigma)$
13) $r_{x_i, q, q_1} \wedge l_{x_i, \sigma} \Rightarrow r_{x_i, q', q_1'}$, for each $i \in [0, n-1]$, each $q, q' \in Q \cup \{q_d\}$, each $q_1, q_1' \in Q_1 \cup \{q_{1,d}\}$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$ such that $q' = \delta(q, \sigma)$, $q_1' = \delta_1(q_1, \sigma)$
14) $r_{x_i, q, q_1} \wedge t^{S^T}_{x_i, \sigma, x_j} \Rightarrow r_{x_j, q', q_1'}$, for each $i, j \in [n, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $q_1, q_1' \in Q_1 \cup \{q_{1,d}\}$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$ such that $q' = \delta(q, \sigma)$, $q_1' = \delta_1(q_1, \sigma)$
15) $\bigwedge_{q \in Q \cup \{q_d\},\, i \in [0, n+1]} (\neg r_{x_n, q, q_1} \wedge \neg r_{x_{n+1}, q, q_1} \wedge \neg r_{x_i, q_d, q_1})$, for each $q_1 \in Q_1$

In particular, Constraints (12), (13) and (14) are used to propagate the constraints on $r_{x, q, q_1}$, based on the synchronous product construction and the inductive definition of reachability. We just need to note that special attention must be paid to each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$ transition, where we need to use $l_{x, \sigma}$ instead on each state $x \in X = \{x_0, x_1, \ldots, x_{n-1}\}$. Based on Constraints (12), (13) and (14), Constraints (15) are used to ensure $L(G_1) \subseteq L(S \parallel G)$. Let $\varphi^{S^T}_{left}$ denote the resultant formula after combining Constraints (11), (12), (13), (14) and (15).

For $S^T \parallel \overline{G} \parallel \overline{G_2}$, similarly, we introduce auxiliary Boolean variables $r_{x, q, q_2}$, where $x \in X \cup \{x_n, x_{n+1}\}$, $q \in Q \cup \{q_d\}$ and $q_2 \in Q_2 \cup \{q_{2,d}\}$, with the interpretation that if state $(x, q, q_2)$ is reachable from the initial state $(x_0, q_0, q_{2,0})$ in $S^T \parallel \overline{G} \parallel \overline{G_2}$, then $r_{x, q, q_2}$ is true.
We have the following constraints.

16) $r_{x_0, q_0, q_{2,0}}$
17) $r_{x_i, q, q_2} \wedge t^{S^T}_{x_i, \sigma, x_j} \Rightarrow r_{x_j, q', q_2'}$, for each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $q_2, q_2' \in Q_2 \cup \{q_{2,d}\}$ and each $\sigma \notin \Sigma_{c,A} \cap \Sigma_{uo}$ such that $q' = \delta(q, \sigma)$, $q_2' = \delta_2(q_2, \sigma)$
18) $r_{x_i, q, q_2} \wedge l_{x_i, \sigma} \Rightarrow r_{x_i, q', q_2'}$, for each $i \in [0, n-1]$, each $q, q' \in Q \cup \{q_d\}$, each $q_2, q_2' \in Q_2 \cup \{q_{2,d}\}$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$ such that $q' = \delta(q, \sigma)$, $q_2' = \delta_2(q_2, \sigma)$
19) $r_{x_i, q, q_2} \wedge t^{S^T}_{x_i, \sigma, x_j} \Rightarrow r_{x_j, q', q_2'}$, for each $i, j \in [n, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $q_2, q_2' \in Q_2 \cup \{q_{2,d}\}$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$ such that $q' = \delta(q, \sigma)$, $q_2' = \delta_2(q_2, \sigma)$
20) $\neg r_{x_i, q, q_{2,d}}$, for each $i \in [0, n-1]$ and each $q \in Q$

In particular, Constraints (17), (18) and (19) are used to propagate the constraints on $r_{x, q, q_2}$, based on the synchronous product construction and the inductive definition of reachability. Based on Constraints (17), (18) and (19), Constraints (20) are used to ensure $L(S \parallel G) \subseteq L(G_2)$. Let $\varphi^{S^T}_{right}$ denote the resultant formula after combining Constraints (16), (17), (18), (19) and (20).

Finally, we need to encode the safety property $\Phi_{safe}$, which states that "no state in $I_m = \{(y, x, q, w) \in I \mid w = w_m\}$ is reachable from $i_0$ in automaton $O = \circ(A, S, G) \parallel H$". We need to work with $S^T$ and $\overline{G}$ instead, in formulating the constraints. We now introduce auxiliary Boolean variables $r_{y, x, q, w}$, where $y \in Y$, $x \in X \cup \{x_n, x_{n+1}\}$, $q \in Q \cup \{q_d\}$ and $w \in W$, with the interpretation that if state $(y, x, q, w)$ is reachable from the initial state $(y_0, x_0, q_0, w_0)$ in $\circ(A, S^T, \overline{G}) \parallel H$, then $r_{y, x, q, w}$ is true. For each $x_i \in X$ and $\sigma \in \Sigma_o \cup (\Sigma - \Sigma_{c,A})$, we write
$$\omega(x_i, \sigma) := \bigvee_{j \in [0, n-1]} t^{S^T}_{x_i, \sigma, x_j}.$$
Intuitively, $\omega(x_i, \sigma)$ is true iff $\zeta(x_i, \sigma)!$.
In particular, we know that $t^{S^T}_{x_i, \sigma, x_j}$ is a faithful encoding of the transition $\zeta(x_i, \sigma) = x_j$ of $S$, for any $\sigma \in \Sigma_o \cup (\Sigma - \Sigma_{c,A})$ and $i, j \in [0, n-1]$ (that is, $t^{S^T}_{x_i, \sigma, x_j}$ is true iff $\zeta(x_i, \sigma) = x_j$, for any such $\sigma$, $i$ and $j$). For each $\sigma \in \Sigma_{c,A} \cap \Sigma_{uo}$ and each $x_i \in X$, we define $\omega(x_i, \sigma) = l_{x_i, \sigma}$. Again, $\omega(x_i, \sigma)$ is true iff $\zeta(x_i, \sigma)!$. For each $x_i \in X$ and each $\sigma \in \Sigma_o$, we define
$$\phi(x_i, \sigma) := \bigwedge_{\sigma' \in \Sigma_c} \big(\omega(x_i, \sigma') \Longleftrightarrow \omega(\zeta(x_i, \sigma), \sigma')\big).$$
Intuitively, $\phi(x_i, \sigma)$ is true iff $\Gamma(x_i) = \Gamma(\zeta(x_i, \sigma))$. We only need to be concerned with the case when $\sigma \in \Sigma_o$, since no control command will be sent when $\sigma \in \Sigma_{uo}$ is fired. For any $x \in X$ and any control command $\gamma \in \Gamma$, we introduce the formula
$$\psi(x, \gamma) := \bigwedge_{\sigma \in \gamma} \omega(x, \sigma) \wedge \bigwedge_{\sigma \notin \gamma} \neg \omega(x, \sigma).$$
Intuitively, $\psi(x, \gamma)$ is true iff $\Gamma(x) = \gamma$. We have the following constraints, which involve many case analyses. Below, $\sigma' \in \Sigma_a$ denotes an attacker event and $\sigma'[1]$, $\sigma'[2]$ its two components.

21) $r_{y_0, x_0, q_0, w_0}$
22) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge e^A_{y_k, \sigma} \Rightarrow r_{y_k, x_j, q', w'}$, for each $k \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$ and each $\sigma \in \Sigma_{c,A} - \Sigma_{o,A} - \Sigma_o$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$
23) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge e^A_{y_k, \sigma} \wedge \phi(x_i, \sigma) \Rightarrow r_{y_k, x_j, q', w'}$, for each $k \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$ and each $\sigma \in (\Sigma_{c,A} - \Sigma_{o,A}) \cap \Sigma_o$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$
24) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge e^A_{y_k, \sigma} \wedge \omega(x_i, \sigma) \Rightarrow r_{y_k, x_j, q', w'}$, for each $k \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$ and each $\sigma \in \Sigma - \Sigma_{c,A} - \Sigma_{o,A} - \Sigma_o$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$
25) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge e^A_{y_k, \sigma} \wedge \omega(x_i, \sigma) \wedge \phi(x_i, \sigma) \Rightarrow r_{y_k, x_j, q', w'}$, for each $k \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$ and each $\sigma \in (\Sigma - \Sigma_{c,A} - \Sigma_{o,A}) \cap \Sigma_o$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$
26) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge t^A_{y_k, \sigma', y_l} \wedge e^A_{y_k, \sigma} \wedge \neg \phi(x_i, \sigma) \wedge \psi(x_j, \sigma'[2]) \Rightarrow r_{y_l, x_j, q', w'}$, for each $k, l \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$, each $\sigma \in \Sigma_{c,A} \cap \Sigma_{o,A} \cap \Sigma_o$ and each $\sigma' \in \Sigma_a$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$, $\sigma'[1] = \sigma$
27) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge t^A_{y_k, \sigma', y_l} \wedge e^A_{y_k, \sigma} \wedge \omega(x_i, \sigma) \wedge \neg \phi(x_i, \sigma) \wedge \psi(x_j, \sigma'[2]) \Rightarrow r_{y_l, x_j, q', w'}$, for each $k, l \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$, each $\sigma \in \Sigma_{o,A} \cap \Sigma_o - \Sigma_{c,A}$ and each $\sigma' \in \Sigma_a$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$, $\sigma'[1] = \sigma$
28) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge t^A_{y_k, (\sigma, \varepsilon), y_l} \wedge e^A_{y_k, \sigma} \Rightarrow r_{y_l, x_j, q', w'}$, for each $k, l \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_{o,A} - \Sigma_o$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$
29) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge t^A_{y_k, (\sigma, \varepsilon), y_l} \wedge e^A_{y_k, \sigma} \wedge \phi(x_i, \sigma) \Rightarrow r_{y_l, x_j, q', w'}$, for each $k, l \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$ and each $\sigma \in \Sigma_{c,A} \cap \Sigma_{o,A} \cap \Sigma_o$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$
30) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge t^A_{y_k, (\sigma, \varepsilon), y_l} \wedge e^A_{y_k, \sigma} \wedge \omega(x_i, \sigma) \Rightarrow r_{y_l, x_j, q', w'}$, for each $k, l \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$ and each $\sigma \in \Sigma_{o,A} - \Sigma_{c,A} - \Sigma_o$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$
31) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge t^A_{y_k, (\sigma, \varepsilon), y_l} \wedge e^A_{y_k, \sigma} \wedge \omega(x_i, \sigma) \wedge \phi(x_i, \sigma) \Rightarrow r_{y_l, x_j, q', w'}$, for each $k, l \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$ and each $\sigma \in (\Sigma - \Sigma_{c,A}) \cap \Sigma_{o,A} \cap \Sigma_o$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$
32) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge t^A_{y_k, \sigma', y_l} \wedge e^A_{y_k, \sigma} \wedge \neg \phi(x_i, \sigma) \wedge \psi(x_j, \sigma'[2]) \Rightarrow r_{y_l, x_j, q', w'}$, for each $k, l \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$, each $\sigma \in \Sigma_{c,A} \cap (\Sigma - \Sigma_{o,A}) \cap \Sigma_o$ and each $\sigma' \in \Sigma_a$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$, $\sigma'[1] = \varepsilon$
33) $r_{y_k, x_i, q, w} \wedge t^{S^T}_{x_i, \sigma, x_j} \wedge t^A_{y_k, \sigma', y_l} \wedge e^A_{y_k, \sigma} \wedge \omega(x_i, \sigma) \wedge \neg \phi(x_i, \sigma) \wedge \psi(x_j, \sigma'[2]) \Rightarrow r_{y_l, x_j, q', w'}$, for each $k, l \in [0, m-1]$, each $i, j \in [0, n+1]$, each $q, q' \in Q \cup \{q_d\}$, each $w, w' \in W$, each $\sigma \in \Sigma_o - \Sigma_{c,A} - \Sigma_{o,A}$ and each $\sigma' \in \Sigma_a$ such that $q' = \delta(q, \sigma)$, $w' = \chi(w, \sigma)$, $\sigma'[1] = \varepsilon$
34) $\bigwedge_{j \in [0, m-1],\, q \in Q,\, i \in [0, n+1]} \neg r_{y_j, x_i, q, w_m}$

In particular, Constraints (22) are used for the case $\sigma \in \Sigma_{c,A} \cap C(y_k)$ and $\sigma \notin \Sigma_{o,A} \wedge \sigma \notin \Sigma_o$. Constraints (23) are used for the case $\sigma \in \Sigma_{c,A} \cap C(y_k)$ and $\sigma \notin \Sigma_{o,A} \wedge \Gamma(x_i) = \Gamma(\zeta(x_i, \sigma))$. Constraints (24) are used for the case $\sigma \notin \Sigma_{c,A} \wedge \zeta(x_i, \sigma)!$ and $\sigma \notin \Sigma_{o,A} \wedge \sigma \notin \Sigma_o$. Constraints (25) are used for the case $\sigma \notin \Sigma_{c,A} \wedge \zeta(x_i, \sigma)!$ and $\sigma \notin \Sigma_{o,A} \wedge \Gamma(x_i) = \Gamma(\zeta(x_i, \sigma))$. Constraints (22), (23), (24) and (25) all belong to case 1.a) of the definition of automaton $O = \circ(A, S, G) \parallel H$. Constraints (26) are used for the case $\sigma \in \Sigma_{c,A} \cap C(y_k)$ and $\sigma \in \Sigma_{o,A} \wedge (\sigma \in \Sigma_o \wedge \Gamma(x_i) \neq \Gamma(\zeta(x_i, \sigma)))$. Constraints (27) are used for the case $\sigma \notin \Sigma_{c,A} \wedge \zeta(x_i, \sigma)!$ and $\sigma \in \Sigma_{o,A} \wedge (\sigma \in \Sigma_o \wedge \Gamma(x_i) \neq \Gamma(\zeta(x_i, \sigma)))$. Constraints (26) and (27) both belong to case 1.b) of the definition of automaton $O = \circ(A, S, G) \parallel H$. Constraints (28)-(33) deal with the remaining two cases 1.c) and 1.d) in the definition of automaton $O = \circ(A, S, G) \parallel H$, which are exactly dual to Constraints (22)-(27) (replacing $\sigma \in \Sigma_{c,A}$ with $\sigma \notin \Sigma_{c,A}$ and vice versa).

Constraints (22)-(33) are used to propagate the constraints on $r_{y, x, q, w}$, based on the construction of $\circ(A, S^T, \overline{G}) \parallel H$ and the inductive definition of reachability. Based on Constraints (22)-(33), Constraints (34) are used to ensure "no state in $I_m$ is reachable from $i_0$ in automaton $O = \circ(A, S, G) \parallel H$", i.e., $\Phi_{safe}$. Let $\varphi^{S^T, G, H, A}_{safe}$ denote the formula combining Constraints (22)-(34).

Let $X := \{t^{S^T}_{x_i, \sigma, x_j} \mid i, j \in [0, n+1], \sigma \in \Sigma\} \cup \{l_{x_i, \sigma} \mid i \in [0, n-1], \sigma \in \Sigma_{c,A} \cap \Sigma_{uo}\}$ denote the list of Boolean variables that encodes the supervisor $S$, and let $Y := \{t^A_{y_i, \sigma, y_j} \mid i, j \in [0, m-1], \sigma \in \Sigma_a\} \cup \{e^A_{y_i, \sigma} \mid i \in [0, m-1], \sigma \in \Sigma_{c,A}\}$ denote the list of Boolean variables that encodes the attacker $A$.
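The shape of this encoding is easier to see on a concrete instance. The following is an added example, not code from the paper: it builds, in Python, a deliberately simplified version of the constraint system for a constructed three-state plant (states q0, q1, q2 with q2 forbidden; event a controllable, event b uncontrollable; all chosen here for illustration) and solves it with a small DPLL routine. It keeps the pattern of Constraints (1), (2) and (5) (exactly one successor per state and event, uncontrollable events never disabled), of the reachability propagation in Constraints (11)-(14), and of the safety clauses in Constraints (15), (20) and (34), but it omits the attacker and its $\forall Y$ quantification, the $l$ variables, and the $x_{halt}$/$x_d$ split: a single sink state, index $n$, stands for "$\sigma$ is disabled at $x_i$". The optional demand that a be enabled in the initial state is also an assumption of this example, used to show why the bound $n$ matters.

```python
"""Toy instance of the constraint-based bounded synthesis sketched above.
Added example, not the paper's code: the plant, the bounds and the simplified
encoding (no attacker, a single sink state in place of x_halt/x_d, no l
variables) are assumptions made here for illustration only."""

# Constructed plant G: states q0, q1, q2 over Sigma = {a, b}; q2 is forbidden.
Q = ["q0", "q1", "q2"]
SIGMA = ["a", "b"]
SIGMA_UC = {"b"}                      # b is uncontrollable, a is controllable
DELTA = {("q0", "a"): "q1", ("q0", "b"): "q0",
         ("q1", "a"): "q2", ("q1", "b"): "q0"}
BAD = {"q2"}


def encode(n, require_initially_enabled=()):
    """CNF clauses for an n-bounded supervisor with states x_0 .. x_{n-1}.
    State index n is the sink, meaning 'sigma is disabled at x_i'."""
    var_id = {}

    def var(*key):                    # allocate one DIMACS-style variable per key
        return var_id.setdefault(key, len(var_id) + 1)

    def t(i, s, j):                   # zeta(x_i, s) = x_j   (cf. the t^{S^T} variables)
        return var("t", i, s, j)

    def r(i, q):                      # (x_i, q) reachable in S || G   (cf. the r variables)
        return var("r", i, q)

    clauses, states = [], range(n + 1)
    for i in range(n):
        for s in SIGMA:
            # exactly one successor per (state, event): pattern of Constraints (1), (2)
            clauses.append([t(i, s, j) for j in states])
            clauses.extend([-t(i, s, j), -t(i, s, k)]
                           for j in states for k in states if j < k)
            # controllability, pattern of Constraints (5): an uncontrollable
            # event can never be disabled, i.e. never leads to the sink
            if s in SIGMA_UC:
                clauses.append([-t(i, s, n)])
    for s in require_initially_enabled:   # optional extra demand on the initial state
        clauses.append([-t(0, s, n)])
    # reachability of S || G, pattern of Constraints (11)-(14): the initial
    # state is reachable, and reachability propagates along joint transitions
    clauses.append([r(0, Q[0])])
    for i in range(n):
        for q in Q:
            for s in SIGMA:
                if (q, s) in DELTA:
                    for j in range(n):
                        clauses.append([-r(i, q), -t(i, s, j), r(j, DELTA[(q, s)])])
    # safety, pattern of Constraints (15)/(20)/(34): no forbidden state is reachable
    clauses.extend([-r(i, q)] for i in range(n) for q in BAD)
    return clauses, var_id


def dpll(clauses, assignment=None):
    """Minimal DPLL solver: returns {var: bool} satisfying all clauses, or None."""
    assignment = dict(assignment or {})
    changed = True
    while changed:                    # unit propagation to a fixpoint
        changed = False
        for clause in clauses:
            if any(assignment.get(abs(l)) == (l > 0) for l in clause):
                continue              # clause already satisfied
            free = [l for l in clause if abs(l) not in assignment]
            if not free:
                return None           # clause falsified: backtrack
            if len(free) == 1:
                assignment[abs(free[0])] = free[0] > 0
                changed = True
    unassigned = {abs(l) for c in clauses for l in c} - set(assignment)
    if not unassigned:
        return assignment
    v = min(unassigned)
    for value in (True, False):       # branch on the smallest unassigned variable
        assignment[v] = value
        model = dpll(clauses, assignment)
        if model is not None:
            return model
    return None


def synthesize(n, require_initially_enabled=()):
    """Return zeta as {(i, s): j} (j == n means 's disabled at x_i'), or None
    if no safe n-bounded supervisor exists."""
    clauses, var_id = encode(n, require_initially_enabled)
    model = dpll(clauses)
    if model is None:
        return None
    return {(key[1], key[2]): key[3] for key, v in var_id.items()
            if key[0] == "t" and model.get(v)}


def closed_loop_is_safe(zeta, n):
    """Independent check: explicitly explore S || G and look for a forbidden state."""
    seen, stack = set(), [(0, Q[0])]
    while stack:
        x, q = stack.pop()
        if (x, q) in seen:
            continue
        seen.add((x, q))
        if q in BAD:
            return False
        for s in SIGMA:
            if (q, s) in DELTA and zeta[(x, s)] != n:   # enabled by both G and S
                stack.append((zeta[(x, s)], DELTA[(q, s)]))
    return True


if __name__ == "__main__":
    for n in (1, 2):                  # the bounded-synthesis loop: grow n until SAT
        zeta = synthesize(n, require_initially_enabled=("a",))
        print(f"n = {n}:", "no safe supervisor" if zeta is None else zeta)
```

With a required to be enabled initially, the bound $n = 1$ is unsatisfiable (the only one-state supervisor that enables a lets the plant run q0, q1, q2) and $n = 2$ is satisfiable, which is the bound-increasing search the paper's approach relies on. Two points carry over to the full encoding: the $r$ variables are only constrained by one-directional implications, so a model may over-approximate the reachable set, and that is sufficient because the safety clauses then hold for the exact reachable set as well; and the decoded supervisor is checked here by an explicit exploration that does not trust the solver. A real instance would hand the same clauses to a SAT or QBF solver instead of the toy DPLL routine.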
Let $R_{left} = \{r_{x_i, q, q_1} \mid i \in [0, n+1], q \in Q \cup \{q_d\}, q_1 \in Q_1 \cup \{q_{1,d}\}\}$ denote the auxiliary Boolean variables for $\varphi^{S^T}_{left}$; let $R_{right} = \{r_{x_i, q, q_2} \mid i \in [0, n+1], q \in Q \cup \{q_d\}, q_2 \in Q_2 \cup \{q_{2,d}\}\}$ denote the auxiliary Boolean variables for $\varphi^{S^T}_{right}$; let $R_{safe} := \{r_{y_j, x_i, q, w} \mid j \in [0, m-1], i \in [0, n+1], q \in Q \cup \{q_d\}, w \in W\}$ denote the auxiliary Boolean variables for formula $\varphi^{S^T, G, H, A}_{safe}$.

Then, the bounded resilient supervisor synthesis problem associated with Problem 2, for $\Phi_{assume} = True$, is reduced to the validity of the following QBF formula:
$$\varphi^{resilient}_{n,m} := \exists X,\ \big(\varphi^{S^T}_n \wedge (\exists R_{left},\ \varphi^{S^T}_{left}) \wedge (\exists R_{right},\ \varphi^{S^T}_{right}) \wedge (\forall Y,\ (\varphi^{attack}_m \Rightarrow (\exists R_{safe},\ \varphi^{S^T, G, H, A}_{safe})))\big)$$
If $\varphi^{resilient}_{n,m}$ is true, we can extract a certificate from its proof and obtain the assignments of the Boolean variables in $X$, which can be used to construct a resilient $n$-bounded supervisor $S$ against all attackers of state size no more than $m$ (both covert and non-covert attackers) that satisfies $L(G_1) \subseteq L(S \parallel G) \subseteq L(G_2)$, as we have discussed before (first construct $S^T$, then construct $S$). In the case of restricting to normal supervisors (i.e., $\Sigma_c \subseteq \Sigma_o$) and normal attackers (i.e., $\Sigma_{c,A} \subseteq \Sigma_{o,A}$) with the additional restriction that $\Sigma_{o,A} \subseteq \Sigma_o$ [11], we can run the oracle $O$ of [11] for the attacker synthesis problem to verify the resilience of a supervisor against all covert attackers.

VI. CONCLUSIONS AND FUTURE WORKS
This paper presents a preliminary study on the problem of synthesizing bounded resilient supervisors against actuator attacks, including both enablement and disablement attacks. There are many research works that can be carried out to extend this work. An immediate problem of interest is the attacker synthesis problem for a general setup, for which an oracle is planned to be developed. The symbolic encoding technique used in this work can be improved, and we plan to extend the bounded supervisor synthesis approach to attack scenarios with both actuator and sensor attacks.

REFERENCES

[1] L. K. Carvalho, Y. C. Wu, R. Kwong, S. Lafortune, "Detection and prevention of actuator enablement attacks in supervisory control systems", International Workshop on Discrete Event Systems, pp. 298-305, 2016.
[2] L. K. Carvalho, Y. C. Wu, R. Kwong, S. Lafortune, "Detection and mitigation of classes of attacks in supervisory control systems", Automatica, vol. 97, pp. 121-133, 2018.
[3] R. Su, "Supervisor synthesis to thwart cyber-attack with bounded sensor reading alterations", Automatica, accepted, 2018.
[4] R. M. Goes, E. Kang, R. Kwong, S. Lafortune, "Stealthy deception attacks for cyber-physical systems", Conference on Decision and Control, pp. 4224-4230, 2017.
[5] R. Lanotte, M. Merro, R. Muradore, L. Vigano, "A formal approach to cyber-physical attacks", IEEE Computer Security Foundations Symposium, pp. 436-450, 2017.
[6] A. Jones, Z. Kong, C. Belta, "Anomaly detection in cyber-physical systems: A formal methods approach", Conference on Decision and Control, pp. 848-853, 2014.
[7] M. Wakaiki, P. Tabuada, J. P. Hespanha, "Supervisory control of discrete-event systems under attacks", arXiv:1701.00881v1, 2017.
[8] P. M. Lima, M. V. S. Alves, L. K. Carvalho, M. V. Moreira, "Security against network attacks in supervisory control systems", IFAC, pp. 12333-12338, 2017.
[9] P. M. Lima, L. K. Carvalho, M. V. Moreira, "Detectable and undetectable network attack security of cyber-physical systems", IFAC, 51(7): 179-185, 2018.
[10] M. Rocchetto, N. O. Tippenhauer, "Towards formal security analysis of industrial control systems", ASIACCS, 2017.
[11] L. Lin, S. Thuijsman, Y. Zhu, S. Ware, R. Su, M. Reniers, "Synthesis of successful actuator attackers on supervisors", American Control Conference, accepted, 2018.
[12] Y. Zhu, L. Lin, R. Su, "Supervisor obfuscation against actuator enablement attack", European Control Conference, accepted, 2018.
[13] A. Rashidinejad, L. Lin, B. H. J. Wetzels, Y. Zhu, M. Reniers, R. Su, "Supervisory control of discrete-event systems under attacks: an overview and outlook", European Control Conference, accepted, 2019.
[14] X. Yin, S. Lafortune, "Synthesis of maximally-permissive supervisors for the range control problem", IEEE Transactions on Automatic Control, 62(8): 3914-3929, 2017.
[15] W. M. Wonham, K. Cai, Supervisory Control of Discrete-Event Systems, Monograph Series Communications and Control Engineering, Springer, 2018.
[16] C. Cassandras, S. Lafortune, Introduction to Discrete Event Systems, Boston, MA: Kluwer, 1999.
[17] J. E. Hopcroft, J. D. Ullman, Introduction to Automata Theory, Languages, and Computation, Addison-Wesley, Reading, Massachusetts, 1979.
[18] A. Biere, M. Heule, H. van Maaren, eds., Handbook of Satisfiability, vol. 185, IOS Press, 2009.
[19] M. Crouch, N. Immerman, J. Eliot B. Moss, "Finding reductions automatically", Fields of Logic and Computation, pp. 181-200, 2010.
[20] C. Jordan, Ł. Kaiser, "Experiments with reduction finding", International Conference on Theory and Applications of Satisfiability Testing, pp. 192-207, 2013.
[21] B. Finkbeiner, S. Schewe, "Bounded synthesis", International Journal on Software Tools for Technology Transfer, 15(5-6): 519-539, 2013.
[22] X. Yin, S. Lafortune, "A uniform approach for synthesizing property-enforcing supervisors for partially-observed discrete-event systems", IEEE Transactions on Automatic Control, 61(8): 2140-2154, 2016.
[23] A. Bergeron, "A unified approach to control problems in discrete event processes", RAIRO-TIA, 27(6): 555-573, 1993.
[24] D. Neider, "Computing minimal separating DFAs and regular invariants using SAT and SMT solvers", ATVA, pp. 354-369, 2012.