Synthesis of Winning Attacks on Communication Protocols using Supervisory Control Theory: Two Case Studies
SSynthesis of Winning Attacks on Communication Protocols usingSupervisory Control Theory
Shoma Matsui and Stéphane Lafortune ∗ Abstract
There is an increasing need to study the vulnerability of communication protocols in distributed systems tomalicious attacks that attempt to violate safety or liveness properties. In this paper, we propose a general methodologyfor formal synthesis of successful attacks against protocols where the attacker always eventually wins, called For-all attacks. This generalizes previous work on the synthesis of There-exists attacks, where the attacker cansometimes win. As we model protocols and system architectures by finite-state automata, our methodology employsthe supervisory control theory of discrete event systems, which is well suited to pose and solve the synthesis of For-all attacks where the attacker has partial observability and controllability of the system events. We demonstrate ourmethodology using examples of man-in-the-middle attacks against the Alternating Bit Protocol and the TransmissionControl Protocol.
Keywords: distributed protocols, man-in-the-middle attacks, supervisory control
Keeping systems secure against attacks and preventing security incidents are challenging tasks due to the increasingcomplexity of modern system architectures, where a number of hardware and software components communicate overpotentially heterogenous networks. To analyze systems which are too complex to be fully described monolithically,abstraction employing formal methods plays a key role and it has been studied in particular in the computer scienceliterature (see, e.g., [1, 2]).In network systems, components with different architectures cooperate with each other using various pre-designedprotocols. Due to the proliferation of communication using standardized protocols, vulnerabilities or misuses ofprotocols can result in serious security issues. As a concrete example, [3] introduces a formal model and analysis ofa protocol used in Android OS, one of the most popular operating systems for smart phones. In order for componentsto cooperate with each other without damaging systems and without data corruption, robustness of protocols againstcommunication failures and attacks is essential in modern system architectures. To ensure robustness of protocols,relevant safety and liveness properties must be satisfied at design time as well as after implementation of the protocolsin the system. In that context, the objective of potential attackers is to induce a violation of the safety or livenessproperties, thereby causing the system to enter an abnormal state.The development of resilient protocols that satisfy requirements and are applicable to various systems requiresformal methods for modeling, verification, and synthesis. These problems have a long history in computer science aswell as in control engineering. The readers are referred to [1] and [4] for a comprehensive treatment of modeling andverification by employing formal methods, such as temporal logic. To prevent systems from being damaged by attacksthat exploit vulnerabilities of protocols, the recent work [5] introduces the process of completing an incompletelyspecified protocol so that the completed protocol satisfies required properties and does not suffer from deadlock.[5] explains its methodology of protocol completion using the Alternating Bit Protocol (ABP).In control engineering, the formalism of of discrete event systems (DES) [6] and its supervisory control theory(SCT) [7] are useful tools to treat the problem of protocol verification as a supervisory control problem [8], so as todetermine whether a given protocol satisfies the required properties. Not only can SCT be used to analyze existingprotocols, it can also be used to synthesize a desired protocol based on given requirements. For instance, [9] introduces ∗ This research was supported in part by the US NSF under grant CNS-1801342. S. Matsui and S. Lafortune are with the Department ofElectrical Engineering and Computer Science at University of Michigan, Ann Arbor, USA. S. Matsui: [email protected] , S. Lafortune: [email protected] a r X i v : . [ c s . CR ] F e b systematic approach to design a protocol converter for mismatched protocols so that the specifications of the entiresystem and protocols themselves are satisfied simultaneously. On the other hand, [10] considers protocols comprisinglocal communicating processes, and formalizes protocol synthesis as the problem of controlling the local processesso that the global specification of the entire system is satisfied, employing the decentralized version of SCT. For acomprehensive survey of protocol synthesis, focusing on the formalization of the design of protocols, the readers arereferred to [11].More generally, detection, mitigation, and prevention of attacks on supervisory control systems within the frameworkof SCT has been considered in several works, such as [12, 13, 14, 15]. [12] presents a methodology of designing intrusiondetectors to mitigate online four types of attacks; actuator enablement/disablement and sensor erasure/insertion.Focusing on sensor deception attacks under which the attacker arbitrarily edits sensor readings by intervening betweenthe target system and its control module to trick the supervisor to issue improper control commands, [13] and [14] studieshow to synthesize robust supervisors against sensor deception attacks, while [14] also introduces the synthesis problemof attack strategies from the attacker’s point of view. Subsequently, a more efficient technique than in [14] to computea solution of the synthesis problem of robust supervisors was proposed in [15].As protection against attacks is one of the main subjects of systems security, methodologies for designing attackstrategies against systems have been reported in the literature [16, 17, 18]. [16] presents how to synthesize an attacker inthe context of stealthy deception attacks, modeled in the framework of SCT, which cannot be detected by the supervisorand cause damage to the system, as a counter weapon against intrusion detection modules as in [12]. While [16]considers sensor deception attacks as the attacker’s weapon, [17] introduces the synthesis of actuator attacks underwhich the attacker has the ability to hijack the control commands generated by the supervisor, to damage the system.Formal synthesis of successful attacks against protocols is the problem considered in this paper. The work in [18](and its conference version [19]) is of special relevance, as it introduces a methodology of attacker synthesis againstsystems whose components are modeled as finite-state automata (FSA). It presents how so-called “There-exists”attackers can be found (if they exist) using a formal methodology that has been implemented in the software toolKorg [20]. In the terminology of [18], “There-exists” refers to attackers that cannot always lead protocols to a violationof required properties, but sometimes succeed (“there exists” a winning run for the attacker). [18] formulates theproperties that protocols must protect against as threat models , and it illustrates its methodology with the TransmissionControl Protocol (TCP), as standardized in [21]. The formal model in [18] was inspired by that in [22] where automatedattack discovery is performed using a state-machine-informed search.In this paper, we revisit the respective ABP and TCP models of [5] and [18] in the standard framework ofDES modeled as FSA. In contrast to the feedback-loop system architectures in the previously-mentioned work onsensor/actuator deception attacks in SCT, we consider two architectures of network systems in which two peers aresending and receiving packets through channels and/or networks, as illustrated in Fig. 1. We consider “man-in-the-middle” (MITM) attacks as in [18, 22], in a manner reminiscent of deception attacks. Inspired by and complementary tothe approach in [18], we exploit results in SCT and propose a general methodology to synthesize “For-all” attackers,that is, attackers that can always eventually cause a violation of required properties of the system. Thus, our resultsextend those in [18] by formally considering the synthesis of “For-all” attackers. We show how this problem can bereformulated, from the attacker’s viewpoint , as a supervisory control problem under partial observation, which is thensolved using existing techniques [6, 7]. Specifically, under the assumptions of our MITM attack model, a “For-all”attacker for a given threat model is obtained by building the realization of the partial-observation supervisor that resultsin the supremal controllable and normal sublanguage (supCN) of the threat model language with respect to the systemlanguage and to the attacker’s controllable and observable event sets. The supCN operation was first introduced in [23],and several formulas to compute supCN were derived in [24].Our methodology for attacker synthesis is illustrated in two case studies, one for ABP and one for TCP. In eachcase, we presents several setups for different MITM attacker capabilities.The remaining of this paper is organized as follows. In Section 2, we introduce a target system, modeled as a DES,and give an overview of our (MITM) attack model on the system. Section 3 formulates the synthesis problem of a For-all attacker (if it exists), which can always eventually cause a violation of the required properties, and presents generalprocedures to find a solution to that problem. In Section 4 and Section 5, we demonstrate our methodology within thecontext of two well-known protocols, ABP and TCP, respectively. Finally, we conclude the paper in Section 6.2 System Models
In terms of communication protocols, we consider a system which consists of peers communicating with each other,channels, and networks. For clarity of presentation, we suppose the system comprises two peers, two or four channels,and one network. If peers form a small network using channels, e.g., local area network (LAN), then networks canbe omitted and we consider two channels connecting each peer, namely, the forward and backward channels. Fig. 1
A C1C2 Network C3C4 B (a) With network; C1, C2, C3, and C4 indicate channels
A ForwardBackward B (b) Without network
Fig. 1: Communication overview illustrates an overview of the flow of packets between two peers through channels. Peers A and B exchange packetsusing communication protocols through the channels and network. In this paper, we consider “man-in-the-middle”(MITM) attack as the attack model on the system. In this model, the attacker infiltrates the network or channels, andafterwards sends fake packets and/or discard genuine ones, exploiting vulnerabilities of the protocol, to damage thesystem. The system may contain other processes for exogenous events, e.g., timers, called environment processes,which are not depicted in Fig. 1. Channels work as interfaces between the peers and the network, relaying packets totheir destinations. Each component of the system is modeled by a finite-state automaton, and denoted as follows: • 𝐺 𝑃𝐴 : Peer A • 𝐺 𝑃𝐵 : Peer B • 𝐺 𝐶 : Channel • 𝐺 𝑁 : Network • 𝐺 𝑒 : Environment processesEach channel is represented by a finite-state automaton, thus 𝐺 𝐶 is the parallel composition of channel automata. Forexample, if the system architecture is that in Fig. 1a, then 𝐺 𝐶 = 𝐺 𝐶1 ∥ 𝐺 𝐶2 ∥ 𝐺 𝐶3 ∥ 𝐺 𝐶4 where 𝐺 𝐶𝑖 ( 𝑖 = [1, 4] ) arethe respective automata modeling each channel. If the system architecture is that in Fig. 1b, then 𝐺 𝐶 = 𝐺 𝐹𝐶 ∥ 𝐺 𝐵𝐶 where 𝐺 𝐹𝐶 and 𝐺 𝐵𝐶 are the forward and backward channels, respectively. In the case where there exist more thantwo environment processes in the system, 𝐺 𝑒 is also constructed as the parallel composition of environment processesdefined by automata. Moreover, we define the channels and network infiltrated by the attacker as 𝐺 𝐶,𝑎 and 𝐺 𝑁,𝑎 inwhich new transitions and events are possibly added to represent the feasible actions of the attacker.Let us define a nominal system model (i.e., without attacker) by 𝐺 𝑛𝑜𝑚 ∶= (𝑋 𝑛𝑜𝑚 , 𝐸 𝑛𝑜𝑚 , 𝑓 𝑛𝑜𝑚 , 𝑥 𝑛𝑜𝑚,0 , 𝑋 𝑛𝑜𝑚,𝑚 ) (1)where 𝑋 𝑛𝑜𝑚 is the set of states, 𝐸 𝑛𝑜𝑚 is the set of events, 𝑓 𝑛𝑜𝑚 is the partial transition function, 𝑥 𝑛𝑜𝑚,0 is the initialstate, and 𝑋 𝑛𝑜𝑚,𝑚 is the set of marked states. 𝐺 𝑛𝑜𝑚 is typically the parallel composition of the peers, channels, network,and environment processes, namely 𝐺 𝑛𝑜𝑚 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝐶 ∥ 𝐺 𝑁 ∥ 𝐺 𝑒 . (2)As we consider attack on the system, we enhance 𝐺 𝑛𝑜𝑚 to a new model of the system under attack 𝐺 𝑎 ∶= (𝑋 𝑎 , 𝐸 𝑎 , 𝑓 𝑎 , 𝑥 𝑎,0 , 𝑋 𝑎,𝑚 ) (3)3here possible new transitions and events representing attacker’s actions come from 𝐺 𝐶,𝑎 and 𝐺 𝑁,𝑎 . In the frameworkof SCT of DES, a system to be controlled is called a plant . The plant for the attacker, namely the entire system underattack, is the parallel composition of the relevant components. That is, 𝐺 𝑎 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝐶,𝑎 ∥ 𝐺
𝑁,𝑎 ∥ 𝐺 𝑒 .In our model of the system, the sending and receiving of packets are represented by events. As we consider theMITM attack, it is reasonable to assume that the attacker infiltrating the network or channels only can monitor incomingand outgoing packets at the component where the attacker exists. In other words, the attacker cannot observe the privateevents of peers. Therefore, we consider that the events in our system model are partitioned into observable events and unobservable events , based on the system structure and the capability of the attacker.It is also natural to assume that the attacker cannot prevent the peers from sending packets to the network orchannels, although the attacker can discard their packets. That is, the attacker cannot control the receiving of packetsby the network or channels. Moreover, the attacker cannot control the private events of peers. Therefore, we alsoconsider that the system events are partitioned into controllable events and uncontrollable events .In our methodology, 𝐺 𝑎 is the plant for the attacker synthesis problem to be solved by attackers. The plant iscontrolled by a supervisor which enables or disables particular events so that the plant satisfies a given specification forsafety or liveness for instance. Control actions of the supervisor are determined by observation of the strings generatedby the plant, thus the plant and supervisor form a feedback (closed) loop as depicted in Fig. 2. The attacker plays a PlantSupervisor
Fig. 2: The feedback loop of supervisory control role of the supervisor, and the specification in this context represents what damage the attacker wants to cause to thesystem. In other words, the specification indicates a violation of a desired property of the communication protocol,such as deadlock or proper delivery of packets. Thus, the attacker’s objective is to obtain a supervisor such that itsspecification is enforced with respect to the plant, which in turn means that the considered protocol property is violated.In this paper, we consider that the attacker wants to attack the system in a “For-all” manner, meaning that theprotocol property is always eventually violated under the attack. Consider an attacker’s (non-prefix-closed) specificationlanguage 𝐿 𝑠𝑝𝑒𝑐𝑎 ⊂ ℒ(𝐺 𝑎 ) which consists of strings illegal but feasible in the system under attack. Let 𝑆 𝑎 be a supervisorof the attacker to enforce the system 𝐺 𝑎 to mark as much of the language 𝐿 𝑠𝑝𝑒𝑐𝑎 as possible. We denote this markedlanguage by 𝐾 , namely, 𝐾 ⊆ 𝐿 𝑠𝑝𝑒𝑐𝑎 and the attacker wants 𝐾 to be as large as possible. In order to achieve For-allattack, the attacker wants 𝑆 𝑎 to be nonblocking, namely, ℒ 𝑚 (𝑆 𝑎 ∕𝐺 𝑎 ) = 𝐾 and ℒ(𝑆 𝑎 ∕𝐺 𝑎 ) = 𝐾 . On the other hand, ifthere does not exist such nonblocking 𝑆 𝑎 but ℒ 𝑚 (𝑆 𝑎 ∕𝐺 𝑎 ) ⊂ ℒ(𝑆 𝑎 ∕𝐺 𝑎 ) , then we say that this 𝑆 𝑎 achieves There-existsattack, because 𝑆 𝑎 ∕𝐺 𝑎 contains deadlocks and/or livelocks in this case, and this prohibits the attacker from alwayseventually winning. In this section, we discuss the procedure to construct a specification automaton for the attacker based on the consideredproperties of the communication protocol that are to be violated by actions of the attacker. Finally, we formulate theproblem of finding maximal feasible attacks to the system.
In this section, the safety property is defined as an automaton, a safety monitor 𝐺 𝑠𝑚 . It represents what states thesystem should not reach as illegal states. The specification for attackers represents a violation of the property, thusillegal states are represented by marked states in 𝐺 𝑠𝑚 . In other words, 𝐺 𝑠𝑚 captures the violation of safety propertieswhen it reaches its marked states. 𝐺 𝑠𝑚 can be formed as a dedicated automaton, or derived from automata composing 𝐺 𝑛𝑜𝑚 , namely, the peers, channels, or network, by modifying state marking. Let 𝐺 𝑜𝑡ℎ𝑒𝑟 be the parallel composition ofthe automata in 𝐺 𝑛𝑜𝑚 which do not take part in 𝐺 𝑠𝑚 . For example, from (2), if 𝐺 𝑠𝑚 is derived from 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 , then 𝐺 𝑜𝑡ℎ𝑒𝑟 = 𝐺 𝐶 ∥ 𝐺 𝑁 ∥ 𝐺 𝑒 . 4he specification automaton is typically the parallel composition of 𝐺 𝑜𝑡ℎ𝑒𝑟 and 𝐺 𝑠𝑚 . Thus letting 𝐻 𝑛𝑜𝑚 be thespecification automaton with respect to 𝐺 𝑛𝑜𝑚 , 𝐻 𝑛𝑜𝑚 = 𝐺 𝑜𝑡ℎ𝑒𝑟 ∥ 𝐺 𝑠𝑚 . It is true that if our system model is correct,then 𝐻 𝑛𝑜𝑚 has no reachable marked states, meaning that 𝐻 𝑛𝑜𝑚 captures no violations of the given safety propertieswith respect to 𝐺 𝑛𝑜𝑚 .To represent the specification automaton with respect to the system under attack, namely 𝐺 𝑎 , we construct 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 based on 𝐺 𝑎 in the same manner as 𝐺 𝑜𝑡ℎ𝑒𝑟 . For instance, if 𝐺 𝑠𝑚 is a dedicated automaton and the attacker infiltratesthe network, then 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝐶 ∥ 𝐺 𝑁,𝑎 ∥ 𝐺 𝑒 . Let 𝐻 𝑎 = 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 ∥ 𝐺 𝑠𝑚 be the specification automatonunder attack. If there exist no marked states in 𝐻 𝑎 , then the attacker is not powerful enough to attack the system.Note that even if 𝐻 𝑎 has marked states, there may not exist For-all attacks but possibly only There-exists attacks,depending on whether a supervisor for the attacker can be synthesized with respect to 𝐺 𝑎 and 𝐻 𝑎 . Consequently, theprocedure to form 𝐻 𝑎 for safety properties is as follows:1. Construct 𝐺 𝑠𝑚 which captures a violation of safety properties.2. Construct 𝐺 𝑜𝑡ℎ𝑒𝑟 as the parallel composition of the automata in 𝐺 𝑛𝑜𝑚 which do not take part in 𝐺 𝑠𝑚 .3. Construct 𝐻 𝑛𝑜𝑚 = 𝐺 𝑜𝑡ℎ𝑒𝑟 ∥ 𝐺 𝑠𝑚 and see if 𝐻 𝑛𝑜𝑚 has marked states. If so, the system model is incorrect soterminate.4. Construct 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 based on 𝐺 𝑎 and 𝐺 𝑠𝑚 in the same manner as 𝐺 𝑜𝑡ℎ𝑒𝑟 .5. Construct 𝐻 𝑎 = 𝑇𝑟𝑖𝑚(𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 ∥ 𝐺 𝑠𝑚 ) and see if 𝐻 𝑎 has marked states. If so, the attacker’s actions representedas new transitions and events in 𝐺 𝐶,𝑎 and/or 𝐺 𝑁,𝑎 can cause a violation of the given safety properties. Note that 𝐻 𝑎 should be trim because the attacker always wants to win, that is, they do not want any deadlocks/livelocks inthe controlled 𝐺 𝑎 .We model 𝐻 𝑎 with respect to the safety monitors of ABP in Section 4.5 and TCP in Section 5.5. The safetymonitors for ABP are given as dedicated automata as explained in Section 4.2, and those for TCP are derived from 𝐺 𝑎 based on the given safety property, as explained in Section 5.2. In their simplest form, liveness properties correspond to preventing the system from blocking, in the usual sense ofthe word in SCT (i.e., deadlock or livelock may not occur with respect to the set of marked states of the plant).Nonblockingness is the only type of liveness considered in this paper. In contrast to typical supervisory controlproblems, in For-all attacks the attacker wants the system to always eventually reach its blocking states so as to causea violation of the liveness properties.First of all, 𝐺 𝑛𝑜𝑚 in (2) must be trim for correctness of the given system, because 𝐺 𝑛𝑜𝑚 contains deadlocks orlivelocks if it is not trim. In terms of attacks against the liveness properties, it should also be true that 𝐺 𝑎 is not trim,meaning that the system under attack should contain deadlock or livelock states. In the same fashion as a safety monitor,the liveness property is defined as an automaton, the liveness monitor 𝐺 𝑙𝑚 . If 𝐺 𝑙𝑚 is not given, it can be derived from 𝐺 𝑎 , according to the case without attacker or with attacker respectively, by unmarking all states and marking deadlockand livelock states in 𝐺 𝑎 , because deadlock and livelock states are illegal and the attacker wants the system to reachthose illegal states. Observe that by construction, such a 𝐺 𝑙𝑚 captures a violation of the liveness properties. Next, weconstruct 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 in the same way as in Section 3.1. That is, we model 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 as the parallel composition of theautomata in 𝐺 𝑎 which do not take part in 𝐺 𝑙𝑚 . Note that if 𝐺 𝑙𝑚 is not given as a dedicated automaton and we derive 𝐺 𝑙𝑚 from 𝐺 𝑎 , then 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 is empty.Finally, we define 𝐻 𝑎 = 𝑇𝑟𝑖𝑚(𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 ∥ 𝐺 𝑙𝑚 ) , to represent the specification for the attacker which leads the systemto deadlock or livelock states. As a result, the procedure to construct 𝐻 𝑎 in the case of the liveness properties is asfollows:1. Check if 𝐺 𝑛𝑜𝑚 is trim. If not, then the system model is incorrect so terminate.2. If 𝐺 𝑙𝑚 is to be derived from 𝐺 𝑎 , check if 𝐺 𝑎 is not trim. If it is trim, then the attacker’s actions in 𝐺 𝐶,𝑎 and/or 𝐺 𝑁,𝑎 cannot cause a violation of the liveness properties, so terminate.3. Construct 𝐺 𝑙𝑚 which captures a violation of the liveness properties.5. Construct 𝐻 𝑎 = 𝑇𝑟𝑖𝑚(𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 ∥ 𝐺 𝑙𝑚 ) . 𝐻 𝑎 should have at least one marked state and should be a trim automatonfor the same reason as in Section 3.1.We model 𝐻 𝑎 with respect to the liveness monitors for ABP in Section 4.5 and TCP in Section 5.5. 𝐺 𝑙𝑚 forABP is given as a dedicated automaton introduced in Section 4.3, and we derive 𝐺 𝑙𝑚 for TCP from 𝐺 𝑎 as explainedin Sections 5.5.3 and 5.5.4. In this section, we formulate the Attacker Supervisory Control and Observation Problem (ASCOP) which is a super-visory control problem for the attacker with respect to the given system and required properties. First, we modify 𝐺 𝐶 and/or 𝐺 𝑁 to represent the attacker’s ability of inserting and discarding packets, denoted by 𝐺 𝐶,𝑎 and 𝐺 𝑁,𝑎 . Next, weform 𝐺 𝑎 as the parallel composition of nominal and infiltrated automata. For example, if the network is infiltrated bythe attacker, then 𝐺 𝑎 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝐶 ∥ 𝐺 𝑁,𝑎 ∥ 𝐺 𝑒 . Finally, we form 𝐻 𝑎 based on the given safety or livenessproperties, as discussed in Section 3.1 and Section 3.2. Since marking of states in 𝐻 𝑎 is detemined by marking of 𝐺 𝑠𝑚 or 𝐺 𝑙𝑚 , the language marked by 𝐻 𝑎 , namely ℒ 𝑚 (𝐻 𝑎 ) , represents strings where the attacker wins, because(i) These strings are feasible in 𝐺 𝑎 by construction.(ii) These strings lead the safety or liveness monitor to a marked state.As we discussed in Section 2, it is reasonable to assume that, in the MITM attack, the attacker cannot disable orenable the events in nominal automata, and also the attacker only observes the events in the automata of the infiltratedcomponents where the attacker exists. Thus we define two partitions of 𝐸 𝑎 in (3):(i) Controllable events 𝐸 𝑎,𝑐 and uncontrollable events 𝐸 𝑎,𝑢𝑐 for controllability.(ii) Obsevable events 𝐸 𝑎,𝑜 and unobservable events 𝐸 𝑎,𝑢𝑜 for observability.Consequently, we have a supervisory control problem, under partial observation, for the attacker. Problem 1 (Attacker Supervisory Control and Observation Problem, or ASCOP) . Let 𝐺 𝑎 be a plant automaton, underattack, as in (3); 𝐸 𝑎,𝑐 be a set of controllable events; 𝐸 𝑎,𝑜 be a set of observable events; and ℒ 𝑚 (𝐻 𝑎 ) ⊂ ℒ(𝐺 𝑎 ) bea (non-prefix-closed) specification language. Find a maximal controllable and observable language of ℒ 𝑚 (𝐻 𝑎 ) withrespect to ℒ(𝐺 𝑎 ) , 𝐸 𝑎,𝑐 , and 𝐸 𝑎,𝑜 , if a non-empty one exists.In the MITM attack model, the assumption of 𝐸 𝑎,𝑐 ⊆ 𝐸 𝑎,𝑜 usually holds. In this special case, the supremalcontrollable and observable sublanguage of ℒ 𝑚 (𝐻 𝑎 ) with respect to ℒ(𝐺 𝑎 ) , 𝐸 𝑎,𝑐 , and 𝐸 𝑎,𝑜 exists and is equal to thesupremal controllable and normal sublanguage of ℒ 𝑚 (𝐻 𝑎 ) , denoted by ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 , with respect to ℒ(𝐺 𝑎 ) , 𝐸 𝑎,𝑐 , and 𝐸 𝑎,𝑜 . If it is empty, then no For-all attack exists for the given safety or liveness property.If ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 ≠ ∅ , then this language represents the largest attacked behavior which is possible in the context ofa For-all attack against the safety or liveness property. Any marked string in that language provides an example ofa successful attack, which is feasible in 𝐺 𝑎 and steers 𝐺 𝑙𝑚 or 𝐺 𝑠𝑚 to its marked (illegal) state. Let 𝐻 𝐶𝑁𝑎 be the trimautomaton output by the algorithm for the supremal controllable and normal sublanguage, namely ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 (4)and ℒ(𝐻
𝐶𝑁𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 . (5)From the “controllability and observability theorem” of SCT (see p.181 in [6]), there exists a partial-observationsupervisor 𝑆 𝑃 such that ℒ(𝑆 𝑃 ∕𝐺 𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 = ℒ(𝐻 𝐶𝑁𝑎 ). (6) 𝑆 𝑃 corresponds to a For-all attack supervisor since every string in the controlled behavior, 𝑆 𝑃 ∕𝐺 𝑎 , can be extendedto a marked string. In other words, it is always eventually possible for the system under attack by 𝑆 𝑃 to violate theproperties. 6n the above formulation, ℒ 𝑚 (𝐻 𝑎 ) may not be ℒ 𝑚 (𝐺 𝑎 ) -closed, since it is possible that 𝐺 𝑎 = 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 and all thestates in 𝐺 𝑎 are marked. Therefore, according to the use of 𝐺 𝑠𝑚 and 𝐺 𝑙𝑚 , whenever necessary we define 𝑆 𝑃 as a marking supervisor , namely ℒ 𝑚 (𝑆 𝑃 ∕𝐺 𝑎 ) ∶= ℒ(𝑆 𝑃 ∕𝐺 𝑎 ) ∩ ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 (7)For the technical details of marking supervisors, the readers are referred to p.103 in [7].As a last step, we need to build a realization of the desired 𝑆 𝑃 as an automaton which only changes its state byobservable events, since 𝐻 𝐶𝑁𝑎 contains transitions with unobservable events. Noting that marking of states is relevantin this step, the standard process (see Section 3.7.2 in [6]) for the realization can be followed. From (6) and (7), webuild an automaton realization of 𝑆 𝑃 using 𝐻 𝐶𝑁𝑎 , where 𝑆 𝑃 is such that ℒ 𝑚 (𝑆 𝑃 ∕𝐺 𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 (8)and ℒ(𝑆 𝑃 ∕𝐺 𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 . (9)First, we build the observer of 𝐻 𝐶𝑁𝑎 , 𝑂𝑏𝑠(𝐻
𝐶𝑁𝑎 ) , with respect to 𝐸 𝑎,𝑜 . Afterwards, we add self loops for all events in 𝐸 𝑎,𝑐 ∩ 𝐸 𝑎,𝑢𝑜 which need to be enabled at each state of 𝑂𝑏𝑠(𝐻
𝐶𝑁𝑎 ) , obtained by examining the corresponding states of 𝐻 𝐶𝑁𝑎 . In this section, we illustrate our methodology by employing the Alternating Bit Protocol (ABP) as studied and modeledin [5]. ABP is a protocol which defines the communication mechanism between two peers depicted in Fig. 1b. Eachpeer sends and receives packets from its counterpart through the forward and backward channels using first-in-first-out(FIFO) semantics.
Let 𝐺 𝑛𝑜𝑚 in (1) be the (nominal) entire system of ABP, i.e., without attacker. Based on the architecture of ABPdescribed in [5], we consider 𝐺 𝑛𝑜𝑚 as the parallel composition of the following components: • 𝐺 𝑆 = (𝑋 𝑆 , 𝐸 𝑆 , 𝑓 𝑆 , 𝑥 𝑆,0 , 𝑋
𝑆,𝑚 ) : ABP sender • 𝐺 𝑅 = (𝑋 𝑅 , 𝐸 𝑅 , 𝑓 𝑅 , 𝑥 𝑅,0 , 𝑋
𝑅,𝑚 ) : ABP receiver • 𝐺 𝐹𝐶 = (𝑋 𝐹𝐶 , 𝐸 𝐹𝐶 , 𝑓 𝐹𝐶 , 𝑥 𝐹𝐶,0 , 𝑋
𝐹𝐶,𝑚 ) : Forward channel • 𝐺 𝐵𝐶 = (𝑋 𝐵𝐶 , 𝐸 𝐵𝐶 , 𝑓 𝐵𝐶 , 𝑥 𝐵𝐶,0 , 𝑋
𝐵𝐶,𝑚 ) : Backward channel • 𝐺 𝑆𝐶 = (𝑋 𝑆𝐶 , 𝐸 𝑆𝐶 , 𝑓 𝑆𝐶 , 𝑥 𝑆𝐶,0 , 𝑋
𝑆𝐶,𝑚 ) : Sending client • 𝐺 𝑅𝐶 = (𝑋 𝑅𝐶 , 𝐸 𝑅𝐶 , 𝑓 𝑅𝐶 , 𝑥 𝑅𝐶,0 , 𝑋
𝑅𝐶,𝑚 ) : Receiving client • 𝐺 𝑇 = (𝑋 𝑇 , 𝐸 𝑇 , 𝑓 𝑇 , 𝑥 𝑇,0 , 𝑋
𝑇,𝑚 ) : Timer,namely 𝐺 𝑛𝑜𝑚 = 𝐺 𝑆 ∥ 𝐺 𝑅 ∥ 𝐺 𝐹𝐶 ∥ 𝐺 𝐵𝐶 ∥ 𝐺 𝑆𝐶 ∥ 𝐺 𝑅𝐶 ∥ 𝐺 𝑇 . (10)We also consider that Peer A first sends packets to Peer B, and afterwards Peer B sends an acknowledgment to Peer A.Since Peer A plays a role of the sender side and Peer B is at the receiver side, 𝐺 𝑃𝐴 = 𝐺 𝑆 , 𝐺 𝑃𝐵 = 𝐺 𝑅 , 𝐺 𝐶 = 𝐺 𝐹𝐶 ∥ 𝐺 𝐵𝐶 ,and 𝐺 𝑒 = 𝐺 𝑆𝐶 ∥ 𝐺 𝑅𝐶 ∥ 𝐺 𝑇 , thus (10) reduces to (2).In [5], events are partitioned into input events and output events denoted with the suffix symbols “?” and “!”,respectively, to represent systems with a model similar to I/O automata. In this work, since we employ finite-stateautomata to model entire systems, events are not divided into input and output events, thus the labels of events in ourmodels do not have symbols of “?” and “!”. In the framework of DES, it is usual to use the same event label to maketransitions synchronize by the parallel composition. Thereby the “input” and “output” nature of synchronized events7s not explicitly distinguished. Thus, we drop the symbols of “?” and “!” from the event labels in [5]. Therefore, wesetup our event sets as follows: 𝐸 𝑆 = {𝑠𝑒𝑛𝑑, 𝑑𝑜𝑛𝑒, 𝑡𝑖𝑚𝑒𝑜𝑢𝑡, 𝑝 , 𝑝 , 𝑎 ′0 , 𝑎 ′1 } (11) 𝐸 𝑅 = {𝑑𝑒𝑙𝑖𝑣𝑒𝑟, 𝑝 ′0 , 𝑝 ′1 , 𝑎 , 𝑎 } (12) 𝐸 𝐹𝐶 = {𝑝 , 𝑝 , 𝑝 ′0 , 𝑝 ′1 } (13) 𝐸 𝐵𝐶 = {𝑎 , 𝑎 , 𝑎 ′0 , 𝑎 ′1 } (14) 𝐸 𝑆𝐶 = {𝑠𝑒𝑛𝑑, 𝑑𝑜𝑛𝑒} (15) 𝐸 𝑅𝐶 = {𝑑𝑒𝑙𝑖𝑣𝑒𝑟} (16) 𝐸 𝑇 = {𝑡𝑖𝑚𝑒𝑜𝑢𝑡} (17)hence 𝐸 𝑛𝑜𝑚 = 𝐸 𝑆 ∪ 𝐸 𝑅 ∪ 𝐸 𝐹𝐶 ∪ 𝐸 𝐵𝐶 ∪ 𝐸 𝑆𝐶 ∪ 𝐸 𝑅𝐶 ∪ 𝐸 𝑇 (18) = {𝑠𝑒𝑛𝑑, 𝑑𝑜𝑛𝑒, 𝑡𝑖𝑚𝑒𝑜𝑢𝑡, 𝑑𝑒𝑙𝑖𝑣𝑒𝑟, 𝑝 , 𝑝 , 𝑝 ′0 , 𝑝 ′1 , 𝑎 , 𝑎 , 𝑎 ′0 , 𝑎 ′1 }. (19)The events with prefix “p” indicate that a packet with indicator bit “0” or “1” has been sent from the ABP sender to theABP receiver (i.e., from Peer A to Peer B), and prefix “a” indicates an acknowledgment sent from the ABP receiverto the ABP sender, corresponding to which “0” or “1” has been received by the ABP receiver. The prime symbol isattached to the events of packets and acknowledgments to distinguish those before going through the channel from thecorresponding ones after the channels.Fig. 4 shows the models of the ABP components. 𝐺 𝑆 and 𝐺 𝑅 are example solutions of the distributed protocolcompletion problem in [5]. We mark all the states of the ABP components, because in [5] no states of those automataare marked, meaning that all states are desired for the system. Namely, 𝑋 𝑆,𝑚 = 𝑋 𝑆 , 𝑋 𝑅,𝑚 = 𝑋 𝑅 , 𝑋 𝐹𝐶,𝑚 = 𝑋 𝐹𝐶 , 𝑋 𝐵𝐶,𝑚 = 𝑋 𝐵𝐶 , 𝑋 𝑆𝐶,𝑚 = 𝑋 𝑆𝐶 , 𝑋 𝑅𝐶,𝑚 = 𝑋 𝑅𝐶 , 𝑋 𝑇,𝑚 = 𝑋 𝑇 . In [5], the forward and backward channels are modeled as nondeterministic finite-state automata as shown in Figs. 4cand 4d. That nondeterminism is introduced to model nonadversarial errors in communication channels, such as packetdrop and duplication (see Section 4.2 in [5]). To construct the system model in (10), we need deterministic finite-stateautomata as factors of the parallel composition. Thus, we model 𝐺 𝐹𝐶 and 𝐺 𝐵𝐶 as observer automata of 𝐺 𝑛𝑑𝐹𝐶 and 𝐺 𝑛𝑑𝐵𝐶 ,depicted in Fig. 5, using the standard process of observer construction [6]: 𝐺 𝐹𝐶 = 𝑂𝑏𝑠(𝐺 𝑛𝑑𝐹𝐶 ) (20) 𝐺 𝐵𝐶 = 𝑂𝑏𝑠(𝐺 𝑛𝑑𝐵𝐶 ). (21)Observe that 𝐺 𝐹𝐶 and 𝐺 𝐵𝐶 generate exactly the same languages as 𝐺 𝑛𝑑𝐹𝐶 and 𝐺 𝑛𝑑𝐵𝐶 , respectively. As introduced in Section 3.1, safety properties are represented by safety monitor automata which define what statesin the system must not be reached, i.e., define illegal states. [5] provides two safety monitor automata, 𝐺 and 𝐺 ,capturing the violation of safety properties for ABP, depicted in Fig. 6. The marked state 𝑞 in 𝐺 and 𝐺 indicatesthe illegal state, namely, the safety property is violated if the monitor reaches this state from the initial state. 𝐺 expresses that: • 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 should happen after 𝑠𝑒𝑛𝑑 , meaning that 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 of the ABP receiver and the Receiving client shouldnot happen before the Sending client tells the ABP sender to send a bit to the forward channel. • After 𝑠𝑒𝑛𝑑 happens, the next 𝑠𝑒𝑛𝑑 should not occur before 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 occurs, meaning that the Sending clientshould wait for the acknowledgment signal from the ABP receiver.On the other hand, 𝐺 expresses that: 8 𝑑𝑜𝑛𝑒 should happen after 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 , meaning that 𝑑𝑜𝑛𝑒 of the ABP sender and the Sending client should nothappen before the ABP receiver receives the signal and sends the acknowledgment to the ABP sender. • After 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 happens, the next 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 should not occur before 𝑑𝑜𝑛𝑒 occurs, meaning that 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 cannothappen before the Sending client tells the ABP sender to send the next signal to the forward channel.Since the safety monitors are provided as dedicated automata, 𝐺 and 𝐺 , 𝐺 𝑜𝑡ℎ𝑒𝑟 in step 2 of Section 3.1 is equalto 𝐺 𝑛𝑜𝑚 in (10). In our ABP system model, 𝐻 𝑛𝑜𝑚 in step 3 of Section 3.1 has no marked states, thus we state that ourABP model is correct in terms of the safety properties. Namely, the nominal system (without attacker) does not violatethe given safety properties. The liveness monitor in Fig. 7, 𝐺 𝑙𝑚 , inspired by a monitor in [5], captures a violation of the liveness property that theentire system should not get stuck, and should not keep invoking 𝑠𝑒𝑛𝑑 . Also, 𝑠𝑒𝑛𝑑 should eventually be followed by a 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 . As we consider the system architecture in Fig. 1b for ABP, the attacker infiltrates the forward and/or backward channels.To follow the procedure in Section 3, we first construct a modified model of the plant 𝐺 𝑎 in (3) under attack. Sincethe channels of ABP are under attack, we enhance 𝐺 𝐹𝐶 and 𝐺 𝐵𝐶 to those under attack, 𝐺 𝐹𝐶,𝑎 and 𝐺 𝐵𝐶,𝑎 , by addingnew transitions to represent capabilities of the attacker. Note that if we keep either of the channels nominal, then 𝐺 𝐹𝐶,𝑎 = 𝐺 𝐹𝐶 or 𝐺 𝐵𝐶,𝑎 = 𝐺 𝐵𝐶 accordingly. Therefore, 𝐺 𝐶,𝑎 = 𝐺
𝐹𝐶,𝑎 ∥ 𝐺
𝐵𝐶,𝑎 .The MITM attacker is represented by a modified forward or backward channel that can send the recipient a differentpacket from the incoming packet. For example, if the attacker has infiltrated the forward channel, then the attacker cansend either 𝑝 ′0 or 𝑝 ′1 to the ABP receiver regardless of which 𝑝 or 𝑝 occurs. Fig. 8 shows the attacked forward andbackward channels. Red transitions are added to the original channel models in Figs. 4c and 4d. These new transitionsenable the attacker to send whichever packet they want. To construct 𝐺 𝑎 , we model 𝐺 𝐹𝐶,𝑎 and 𝐺 𝐵𝐶,𝑎 as observerautomata of 𝐺 𝑛𝑑𝐹𝐶,𝑎 and 𝐺 𝑛𝑑𝐵𝐶,𝑎 , as was done for 𝐺 𝑛𝑜𝑚 . Fig. 9 depicts 𝐺 𝐹𝐶,𝑎 and 𝐺 𝐵𝐶,𝑎 , representing new transitionscompared to Fig. 5 as red transitions.As discussed in Section 2, we suppose that the attacker cannot control and observe events outside the channels.Therefore, the event set 𝐸 𝑎 is partitioned as follows: • Controllable events: 𝐸 𝑎,𝑐 = {𝑝 ′0 , 𝑝 ′1 , 𝑎 ′0 , 𝑎 ′1 } • Uncontrollable events: 𝐸 𝑎,𝑢𝑐 = {𝑠𝑒𝑛𝑑, 𝑑𝑜𝑛𝑒, 𝑡𝑖𝑚𝑒𝑜𝑢𝑡, 𝑑𝑒𝑙𝑖𝑣𝑒𝑟, 𝑝 , 𝑝 , 𝑎 , 𝑎 } • Observable events: 𝐸 𝑎,𝑜 = {𝑝 , 𝑝 , 𝑝 ′0 , 𝑝 ′1 , 𝑎 , 𝑎 , 𝑎 ′0 , 𝑎 ′1 } • Unobservable events: 𝐸 𝑎,𝑢𝑜 = {𝑠𝑒𝑛𝑑, 𝑑𝑜𝑛𝑒, 𝑡𝑖𝑚𝑒𝑜𝑢𝑡, 𝑑𝑒𝑙𝑖𝑣𝑒𝑟} .We consider that in our attack model, the attacker controls the output packets from the channels so that each safety orliveness monitor in Sections 4.2 and 4.3 reaches its marked state, if possible. In this section, we examine the MITM attack for the safety and liveness properties of ABP by the following steps:1. Construct the system 𝐺 𝑎 as the parallel composition of the component models of ABP under attack, namely 𝐺 𝑎 = 𝐺 𝑆 ∥ 𝐺 𝑅 ∥ 𝐺 𝐶,𝑎 ∥ 𝐺 𝑒 (22)where 𝐺 𝐶,𝑎 = 𝐺
𝐹𝐶,𝑎 ∥ 𝐺
𝐵𝐶,𝑎 and 𝐺 𝑒 = 𝐺 𝑆𝐶 ∥ 𝐺 𝑅𝐶 ∥ 𝐺 𝑇 .2. Construct the specification automaton 𝐻 𝑎 by following the procedure in Section 3.1 or Section 3.2, dependingon which monitor the attacker wants to reach its marked state. Since the monitors are provided as dedicatedautomata, 𝐺 𝑜𝑡ℎ𝑒𝑟 = 𝐺 𝑛𝑜𝑚 in step 2 of Section 3.1, and 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 = 𝐺 𝑎 in step 4 of Sections 3.1 and 3.2.9. Compute ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 = ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) , the supremal controllable and normal sublanguage of ℒ 𝑚 (𝐻 𝑎 ) , where 𝐻 𝐶𝑁𝑎 is the trim automaton output by the standard algorithm [6] for the supremal controllable and normal sublanguage.From 𝐸 𝑎,𝑐 ⊆ 𝐸 𝑎,𝑜 as stated earlier, the supremal controllable and observable sublanguage of ℒ 𝑚 (𝐻 𝑎 ) exists andis equal to ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 .4. Check whether ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 is non-empty. If so, we know that there exists a (partial observation) supervisor 𝑆 𝑃 ,representing the attacker, such that ℒ 𝑚 (𝑆 𝑃 ∕𝐺 𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 and ℒ(𝑆 𝑃 ∕𝐺 𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 , where 𝑆 𝑃 ∕𝐺 𝑎 represents the controlled system. The realization of 𝑆 𝑃 is derived from 𝐻 𝐶𝑁𝑎 as discussed in Section 3.3.5. For illustration purposes, pick one example string from the initial state to one marked state in ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 , whichrepresents one system behavior under attack that reaches marked state 𝑞 in the safety monitor.As long as 𝐻 𝐶𝑁𝑎 in step 3 is non-empty, the above methodology results in a closed-loop system that produces For-allattacks, in the presence of the attacker. Since 𝐻 𝐶𝑁𝑎 is a trim automaton, we know that at any state in 𝐻 𝐶𝑁𝑎 , it is possibleto reach a marked state, resulting in a violation of the monitor. Therefore, it is always possible for the attacker toeventually win. Note that since all states in 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 are marked in this case, all marked states in 𝐻 𝐶𝑁𝑎 correspond to 𝑞 in the safety monitors.From Section 4.1, 𝐺 𝑎 varies depending on 𝐺 𝐶,𝑎 , namely which channel is under the MITM attack, so we considerthe following three cases in each setup:1. The forward channel is under the MITM attack (i.e. 𝐺 𝐵𝐶,𝑎 = 𝐺 𝐵𝐶 ): 𝐺 𝑎 = 𝐺 𝑆 ∥ 𝐺 𝑅 ∥ 𝐺 𝐹𝐶,𝑎 ∥ 𝐺 𝐵𝐶 ∥ 𝐺 𝑒 (23)2. The backward channel is under the MITM attack (i.e. 𝐺 𝐹𝐶,𝑎 = 𝐺 𝐹𝐶 ): 𝐺 𝑎 = 𝐺 𝑆 ∥ 𝐺 𝑅 ∥ 𝐺 𝐹𝐶 ∥ 𝐺 𝐵𝐶,𝑎 ∥ 𝐺 𝑒 (24)3. Both channels are under the MITM attack: 𝐺 𝑎 = 𝐺 𝑆 ∥ 𝐺 𝑅 ∥ 𝐺 𝐹𝐶,𝑎 ∥ 𝐺
𝐵𝐶,𝑎 ∥ 𝐺 𝑒 . (25)For clarity of presentation, we henceforth focus on the use of the safety monitor 1 and 𝐺 𝑎 in (23) in which the forwardchannel is under attack. In other words, we consider 𝐻 𝑎 as the parallel composition of 𝐺 𝑎 in (23) and the safety monitor1 𝐺 . The other cases of (24) and (25) and the safety monitor 2 can be examined using the same procedure. Consider the MITM channels in Fig. 8 which represent a quite powerful attacker that can send packets to the recipientwith whichever bit 0 or 1, regardless of the incoming packets.Following the procedure explained above, 𝐻 𝑎 = 𝐺 𝑎 ∥ 𝐺 , where 𝐺 𝑎 is in (23), has 258 marked states of 355 statesand 𝐻 𝐶𝑁𝑎 is non-empty, which means that there exist For-all attack strategies to the ABP architecture with our MITMattack model. However, ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) and ℒ(𝐻
𝐶𝑁𝑎 ) = ℒ(𝐺 𝑎 ) , meaning that the attacker need not disable anyevent to enforce the behavior of ℒ 𝑚 (𝐻 𝑎 ) . Let us pick the example string 𝑠𝑒𝑛𝑑.𝑝 .𝑝 ′0 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟.𝑎 .𝑝 ′1 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟 , and thismeans that the attacker sends the correct packet with bit 0 first, and afterwards sends a fake packet with bit 1 to theABP receiver when it observes 𝑎 . In other words, the attacker inserts 𝑞 ′1 soon after it observes 𝑎 . Consequently, 𝐺 captures the violation by reaching 𝑞 with 𝑠𝑒𝑛𝑑.𝑑𝑒𝑙𝑖𝑣𝑒𝑟.𝑑𝑒𝑙𝑖𝑣𝑒𝑟 .Although we focus on the case where only the forward channel is infiltrated, it is worth mentioning that we foundthat the attacker utilizes a “dead” transition 𝑓 𝑆 (𝑠 , 𝑎 ′1 ) = 𝑠 which is never executed by the system when the attacker isnot present, in the case where only the backward channel is infiltrated. The terminology “dead” is from [5]. Since thistransition is nevertheless included in the model in [5], we have retained it and it so happens that the attacker can takeadvantage of it. Later on, we will remove dead transitions from the model and see if attacks still exist for the modifiedmodel. 10 .5.2 (Setup 2) Safety: Removing dead transitions As was seen in the last section, the attacker can exploit dead transitions in the system model. Based on [5], we removethe following dead transitions from the ABP components, depicted as the red transitions in Fig. 4: • ABP sender 𝐺 𝑆 – 𝑓 𝑆 (𝑠 , 𝑎 ′0 ) = 𝑠 – 𝑓 𝑆 (𝑠 , 𝑠𝑒𝑛𝑑) = 𝑠 – 𝑓 𝑆 (𝑠 , 𝑎 ′1 ) = 𝑠 – 𝑓 𝑆 (𝑠 , 𝑠𝑒𝑛𝑑) = 𝑠 . • Sending client 𝐺 𝑆𝐶 – 𝑓 𝑆𝐶 (𝑠 𝑐0 , 𝑑𝑜𝑛𝑒) = 𝑠 𝑐0 Let 𝐺 ′𝑆 and 𝐺 ′𝑆𝐶 be the ABP sender and the Sending client derived from 𝐺 𝑆 and 𝐺 𝑆𝐶 by removing the above deadtransitions. After removing these dead transitions, 𝐻 𝑛𝑜𝑚 still has no marked states, that is, neither 𝐺 nor 𝐺 reaches 𝑞 . Therefore, our system model of ABP is correct even without the dead transitions, in terms of the safety propertiesrepresented by 𝐺 and 𝐺 . Next, letting 𝐺 ′𝑒 = 𝐺 ′𝑆𝐶 ∥ 𝐺 𝑅𝐶 ∥ 𝐺 𝑇 , we consider the following three cases as in thesetup in Section 4.5.1:1. The forward channel is under the MITM attack: 𝐺 𝑎 = 𝐺 ′𝑆 ∥ 𝐺 𝑅 ∥ 𝐺 𝐹𝐶,𝑎 ∥ 𝐺 𝐵𝐶 ∥ 𝐺 ′𝑒 (26)2. The backward channel is under the MITM attack: 𝐺 𝑎 = 𝐺 ′𝑆 ∥ 𝐺 𝑅 ∥ 𝐺 𝐹𝐶 ∥ 𝐺 𝐵𝐶,𝑎 ∥ 𝐺 ′𝑒 (27)3. Both channels are under the MITM attack: 𝐺 𝑎 = 𝐺 ′𝑆 ∥ 𝐺 𝑅 ∥ 𝐺 𝐹𝐶,𝑎 ∥ 𝐺
𝐵𝐶,𝑎 ∥ 𝐺 ′𝑒 . (28)Following our procedure, we found that 𝐻 𝑎 has 168 marked states of 265 states and 𝐻 𝐶𝑁𝑎 is nonempty. Here, ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) = ℒ 𝑚 (𝐻 𝑎 ) and ℒ(𝐻
𝐶𝑁𝑎 ) = ℒ(𝐺 𝑎 ) , so 𝐻 𝑎 is already controllable and normal with respect to 𝐺 𝑎 , thus theattacker issues no disablement actions. The example string of this case is the same as that in Setup 1. In this section, we consider a less powerful attacker than one in the previous sections by employing two differentrepresentations.
Setup 3
Let us represent a less-powerful attacker by removing additional transitions from the MITM channelsin Fig. 8. First, we remove all red transitions except 𝑝 ′1 from 𝑓 to 𝑓 in Fig. 8a, so that the attacker can send packetswith bit 1 at the particular timing. Let 𝐺 𝑛𝑑𝐹𝐶,𝑤𝑎 be the lesspowerful forward MITM channel derived from 𝐺 𝑛𝑑𝐹𝐶,𝑎 . Fig. 10shows 𝐺 𝑛𝑑𝐹𝐶,𝑤𝑎 and 𝐺 𝐹𝐶,𝑤𝑎 = 𝑂𝑏𝑠(𝐺 𝑛𝑑𝐹𝐶,𝑤𝑎 ) . The red transitions are new ones compared to 𝐺 𝑛𝑑𝐹𝐶 and 𝐺 𝐹𝐶 .Next, we compute 𝐺 𝑎 , 𝐻 𝑎 , and 𝐻 𝐶𝑁𝑎 by following the steps at the beginning of Section 4.5. 𝐺 𝑎 = 𝐺 ′𝑆 ∥ 𝐺 𝑅 ∥𝐺 𝐹𝐶,𝑤𝑎 ∥ 𝐺 𝐵𝐶 ∥ 𝐺 ′𝑒 has 248 states, and 𝐻 𝑎 = 𝐺 𝑎 ∥ 𝐺 has 370 states and 228 marked states. 𝐻 𝐶𝑁𝑎 is non-emptyand consists of 1099 states and 771 marked states. In every case,
ℒ(𝐻
𝐶𝑁𝑎 ) = ℒ(𝐺 𝑎 ) , so no disabling happens. As theexample string in 𝐻 𝐶𝑁𝑎 , we pick 𝑠𝑒𝑛𝑑.𝑝 .𝑝 ′0 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟.𝑎 .𝑝 ′1 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟 which is the same as that in Setup 2, but 𝐻 𝐶𝑁𝑎 hereis not equivalent. Let (𝐻 𝐶𝑁𝑎 ) be 𝐻 𝐶𝑁𝑎 here and (𝐻 𝐶𝑁𝑎 ) be 𝐻 𝐶𝑁𝑎 in Setup 2. Since (𝐻 𝐶𝑁𝑎 ) 𝑐𝑜𝑚𝑝2 × (𝐻 𝐶𝑁𝑎 ) is non-empty,we conclude that (𝐻 𝐶𝑁𝑎 ) lacks some attack strategies, but one additional 𝑝 ′1 in 𝐺 𝑛𝑑𝐹𝐶,𝑤𝑎 is enough to cause the violationof the safety properties. 11 etup 4 As a different representation of a lesspowerful attacker, we reduce the set of controllable events for theattacker. Let us consider the same setup as in Setup 2, i.e., we consider the MITM channels in Fig. 8, but eventsassociated with the backward channel cannot be observed and controlled by the attacker. In this case, we have thefollowing event sets: • Controllable events: 𝐸 𝑎,𝑐 = {𝑝 ′0 , 𝑝 ′1 } • Uncontrollable events: 𝐸 𝑎,𝑢𝑐 = {𝑠𝑒𝑛𝑑, 𝑑𝑜𝑛𝑒, 𝑡𝑖𝑚𝑒𝑜𝑢𝑡, 𝑑𝑒𝑙𝑖𝑣𝑒𝑟, 𝑝 , 𝑝 , 𝑎 , 𝑎 , 𝑎 ′0 , 𝑎 ′1 } • Observable events: 𝐸 𝑎,𝑜 = {𝑝 , 𝑝 , 𝑝 ′0 , 𝑝 ′1 } • Unobservable events: 𝐸 𝑎,𝑢𝑜 = {𝑠𝑒𝑛𝑑, 𝑜𝑛𝑒, 𝑡𝑖𝑚𝑒𝑜𝑢𝑡, 𝑑𝑒𝑙𝑖𝑣𝑒𝑟, 𝑎 , 𝑎 , 𝑎 ′0 , 𝑎 ′1 } .From 𝐸 𝑎,𝑐 ⊆ 𝐸 𝑎,𝑜 , computation of ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 with the above event sets still returns the unique maximally permissivesolution. As a result, we have 𝐺 𝑎 and 𝐻 𝑎 the same as in Setup 2, and ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 , namely ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) , is the sameas in Setup 2. Thus, it can be said that we have the same attack strategies as in Setup 2. We pick example string 𝑠𝑒𝑛𝑑.𝑝 .𝑝 ′0 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟.𝑎 .𝑝 ′1 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟 which is the same as in Setup 2. However, in this case, the attacker cannot observe 𝑎 and does not know when to send a fake packet 𝑝 ′1 . In conclusion, this example string means that the attacker sent afake packet and successfully caused the violation of the safety property “by chance”. Setup 5
Let us make the attacker much less powerful than in Setup 4 and Setup 5, by building a new automaton ofthe infiltrated forward channel and changing the event sets of controllable and observable events.Consider the new automaton of the infiltrated forward channel, depicted in Fig. 11. We denote this new automatonby 𝐺 𝑜𝑛𝑒𝑠ℎ𝑜𝑡,𝑛𝑑𝐹𝐶,𝑎 and its observer by 𝐺 𝑜𝑛𝑒𝑠ℎ𝑜𝑡𝐹𝐶,𝑎 , namely 𝐺 𝑜𝑛𝑒𝑠ℎ𝑜𝑡𝐹𝐶,𝑎 = 𝑂𝑏𝑠(𝐺 𝑜𝑛𝑒𝑠ℎ𝑜𝑡,𝑛𝑑𝐹𝐶,𝑎 ) . This forward channel means that theattacker can send a fake packet with bit 1 to the ABP receiver only once (one-shot attacker). After the fake packet, thechannel’s behavior will get back to normal. Moreover, we consider the following controllable and observable eventsets: • Controllable events: 𝐸 𝑎,𝑐 = {𝑝 ′1 } • Observable events: 𝐸 𝑎,𝑜 = {𝑝 , 𝑝 , 𝑝 ′0 , 𝑝 ′1 , 𝑎 , 𝑎 , 𝑎 ′0 , 𝑎 ′1 } meaning that the attacker can observe events in both of the channels, but can only control 𝑝 ′1 in the (infiltrated) forwardchannel. By following the procedure as we have done, 𝐺 𝑎 in (26), where 𝐺 𝐹𝐶,𝑎 = 𝐺 𝑜𝑛𝑒𝑠ℎ𝑜𝑡𝐹𝐶,𝑎 , has 214 states. Also, 𝐻 𝑎 = 𝐺 𝑎 ∥ 𝐺 𝑠𝑚1 has 78 marked states out of 270 states, and 𝐻 𝐶𝑁𝑎 is nonempty. Moreover, ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) ≠ ℒ 𝑚 (𝐻 𝑎 ) and ℒ(𝐻
𝐶𝑁𝑎 ) ≠ ℒ(𝐺 𝑎 ) , thus the attacker issues event disablement actions during its attack on the system. For illustration,we pick the following example string in 𝐻 𝐶𝑁𝑎 : 𝑠𝑒𝑛𝑑.𝑝 .𝑝 ′0 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟.𝑎 .𝑎 ′0 .𝑑𝑜𝑛𝑒.𝑠𝑒𝑛𝑑.𝑝 .𝑝 ′1 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟.𝑝 ′1 .𝑎 .𝑎 ′1 .𝑑𝑜𝑛𝑒.𝑠𝑒𝑛𝑑.𝑝 .𝑝 ′0 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟.𝑎 .𝑎 ′1 .𝑝 ′1 .𝑡𝑖𝑚𝑒𝑜𝑢𝑡.𝑝 .𝑑𝑒𝑙𝑖𝑣𝑒𝑟 By observation, the blue events are nonadversarial error packets which are sent mistakenly, and the red event 𝑝 ′1 isinserted by the attacker. Note that the attacker can observe 𝑝 ′1 and 𝑎 ′1 here. Accordingly, this string means that theattacker can lead the system to the undesired state by sending the fake packet 𝑝 ′1 only once after the observationof two error packets. Moreover, the attacker disables 𝑝 ′1 several times before sending the fake 𝑝 ′1 . Therefore, inthis case, the violation is caused “by chance”, since the attacker exploits errors, but that violation is enabled bythe attacker’s intervention, in comparison with Setup 4. It is worth mentioning that if we remove the events in thebackward channel (i.e., 𝑎 , 𝑎 , 𝑎 ′0 and 𝑎 ′1 ) from 𝐸 𝑎,𝑜 , then 𝐻 𝐶𝑁𝑎 is empty. This means that the attacker needs toobserve the behavior of the backward channel so as to exploit nonadversarial errors to attack. Moreover, if we set 𝐸 𝑎,𝑐 = ∅ and 𝐸 𝑎,𝑜 = {𝑝 , 𝑝 , 𝑝 ′0 , 𝑝 ′1 , 𝑎 , 𝑎 , 𝑎 ′0 , 𝑎 ′1 } , then 𝐻 𝐶𝑁𝑎 is empty again, meaning that the attacker needs to havethe controllability of 𝑝 ′1 to attack successfully. Consider that the attacker wants the system to violate the liveness property represented by the liveness monitor 𝐺 𝑙𝑚 in Fig. 7. 12et us consider the system without dead transitions and the forward channels infiltrated by the attacker, namely 𝐺 𝑎 in (26). Note that the forward MITM channel here is that in Fig. 8a which is quite powerful. Since 𝐺 𝑙𝑚 is given as adedicated automaton, we build 𝐻 𝑎 = 𝑇𝑟𝑖𝑚(𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 ∥ 𝐺 𝑙𝑚 ) where 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 = 𝐺 𝑎 .In this case, 𝐺 𝑎 consists of 174 states, and 𝐻 𝑎 comprises 14 states and 13 marked states. 𝐻 𝐶𝑁𝑎 is non-empty andconsists of 10 states and 9 marked states. As the example string in 𝐻 𝐶𝑁𝑎 , we pick string 𝑠𝑒𝑛𝑑.𝑝0.𝑝1 ′ .𝑎1.𝑡𝑖𝑚𝑒𝑜𝑢𝑡 which means that the attacker sends a fake packet with bit 1 to the ABP receiver after it observes 𝑝0 , and expectsthe system to suffer from timeout. Moreover, from 𝐻 𝐶𝑁𝑎 , the attacker’s supervisor disables 𝑝 ′0 to prevent 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 ,resulting in ℒ(𝐻
𝐶𝑁𝑎 ) ≠ ℒ(𝐺 𝑎 ) . Therefore, there exist no 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 transitions in 𝐻 𝐶𝑁𝑎 . This result shows that the attackersuccessfully leads the system to violate the liveness property that 𝑠𝑒𝑛𝑑 should eventually be followed by 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 . In this section, we demonstrate our methodology using one of the major protocols in the Internet, the TransmissionControl Protocol (TCP) [21]. TCP is widely used to communicate through unreliable paths. We consider a com-munication architecture as in Fig. 1a. Each peer sends and receives packets to and from channels, and the networkinterconnects channels to relay the incoming packets to their destinations.
Let 𝐺 𝑛𝑜𝑚 in (1) be the entire system of TCP without an attacker. Based on the architecture of TCP introduced in [18],we consider 𝐺 𝑛𝑜𝑚 as the parallel composition of the following components: • 𝐺 𝑃𝐴 = (𝑋 𝑃𝐴 , 𝐸 𝑃𝐴 , 𝑓 𝑃𝐴 , 𝑥 𝑃𝐴,0 , 𝑋
𝑃𝐴,𝑚 ) : Peer A • 𝐺 𝑃𝐵 = (𝑋 𝑃𝐵 , 𝐸 𝑃𝐵 , 𝑓 𝑃𝐵 , 𝑥 𝑃𝐵,0 , 𝑋
𝑃𝐵,𝑚 ) : Peer B • 𝐺 𝐶1 = (𝑋 𝐶1 , 𝐸 𝐶1 , 𝑓 𝐶1 , 𝑥 𝐶1,0 , 𝑋
𝐶1,𝑚 ) : Channel 1 • 𝐺 𝐶2 = (𝑋 𝐶2 , 𝐸 𝐶2 , 𝑓 𝐶2 , 𝑥 𝐶2,0 , 𝑋
𝐶2,𝑚 ) : Channel 2 • 𝐺 𝐶3 = (𝑋 𝐶3 , 𝐸 𝐶3 , 𝑓 𝐶3 , 𝑥 𝐶3,0 , 𝑋
𝐶3,𝑚 ) : Channel 3 • 𝐺 𝐶4 = (𝑋 𝐶4 , 𝐸 𝐶4 , 𝑓 𝐶4 , 𝑥 𝐶4,0 , 𝑋
𝐶4,𝑚 ) : Channel 4 • 𝐺 𝑁 = (𝑋 𝑁 , 𝐸 𝑁 , 𝑓 𝑁 , 𝑥 𝑁,0 , 𝑋
𝑁,𝑚 ) : Network,namely 𝐺 𝑛𝑜𝑚 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝐶1 ∥ 𝐺 𝐶2 ∥ 𝐺 𝐶3 ∥ 𝐺 𝐶4 ∥ 𝐺 𝑁 . (29)Hence, 𝐺 𝐶 = 𝐺 𝐶1 ∥ 𝐺 𝐶2 ∥ 𝐺 𝐶3 ∥ 𝐺 𝐶4 and 𝐺 𝑒 = 𝐺 𝑁 , so (29) reduces to (2).As was seen in ABP, events are partitioned into input events and output events in [18], and we do not divide eventsinto input and output events, since we employ finite-state automata to model the entire system. We setup our event setsas follows: 𝐸 𝑃𝐴 = {𝑙𝑖𝑠𝑡𝑒𝑛 𝐴 , 𝑑𝑒𝑙𝑒𝑡𝑒𝑇𝐶𝐵 𝐴 , 𝑆𝑌𝑁 𝐴𝐶1 , 𝑆𝑌𝑁
𝐶2𝐴 ,𝐴𝐶𝐾
𝐴𝐶1 , 𝐴𝐶𝐾
𝐶2𝐴 , 𝐹𝐼𝑁
𝐴𝐶1 , 𝐹𝐼𝑁
𝐶2𝐴 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐴𝐶1 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶2𝐴 } (30) 𝐸 𝑃𝐵 = {𝑙𝑖𝑠𝑡𝑒𝑛 𝐵 , 𝑑𝑒𝑙𝑒𝑡𝑒𝑇𝐶𝐵 𝐵 , 𝑆𝑌𝑁 𝐵𝐶3 , 𝑆𝑌𝑁
𝐶4𝐵 ,𝐴𝐶𝐾
𝐵𝐶3 , 𝐴𝐶𝐾
𝐶4𝐵 , 𝐹𝐼𝑁
𝐵𝐶3 , 𝐹𝐼𝑁
𝐶4𝐵 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐵𝐶3 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶4𝐵 } (31) 𝐸 𝐶1 = {𝑆𝑌𝑁 𝐴𝐶1 , 𝑆𝑌𝑁
𝐶1𝑁 , 𝐴𝐶𝐾
𝐴𝐶1 , 𝐴𝐶𝐾
𝐶1𝑁 , 𝐹𝐼𝑁
𝐴𝐶1 , 𝐹𝐼𝑁
𝐶1𝑁 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐴𝐶1 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶1𝑁 } (32) 𝐸 𝐶2 = {𝑆𝑌𝑁 𝑁𝐶2 , 𝑆𝑌𝑁
𝐶2𝐴 , 𝐴𝐶𝐾
𝑁𝐶2 , 𝐴𝐶𝐾
𝐶2𝐴 , 𝐹𝐼𝑁
𝑁𝐶2 , 𝐹𝐼𝑁
𝐶2𝐴 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝑁𝐶2 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶2𝐴 } (33) 𝐸 𝐶3 = {𝑆𝑌𝑁 𝐵𝐶3 , 𝑆𝑌𝑁
𝐶3𝑁 , 𝐴𝐶𝐾
𝐵𝐶3 , 𝐴𝐶𝐾
𝐶3𝑁 , 𝐹𝐼𝑁
𝐵𝐶3 , 𝐹𝐼𝑁
𝐶3𝑁 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐵𝐶3 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶3𝑁 } (34) 𝐸 𝐶4 = {𝑆𝑌𝑁 𝑁𝐶4 , 𝑆𝑌𝑁
𝐶4𝐵 , 𝐴𝐶𝐾
𝑁𝐶4 , 𝐴𝐶𝐾
𝐶4𝐵 , 𝐹𝐼𝑁
𝑁𝐶4 , 𝐹𝐼𝑁
𝐶4𝐵 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝑁𝐶4 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶4𝐵 } (35) 𝐸 𝑁 = {𝑆𝑌𝑁 𝐶1𝑁 , 𝑆𝑌𝑁
𝐶3𝑁 , 𝑆𝑌𝑁
𝑁𝐶2 , 𝑆𝑌𝑁
𝑁𝐶4 ,𝐴𝐶𝐾
𝐶1𝑁 , 𝐴𝐶𝐾
𝐶3𝑁 , 𝐴𝐶𝐾
𝑁𝐶2 , 𝐴𝐶𝐾
𝑁𝐶4 ,𝐹𝐼𝑁
𝐶1𝑁 , 𝐹𝐼𝑁
𝐶3𝑁 , 𝐹𝐼𝑁
𝑁𝐶2 , 𝐹𝐼𝑁
𝑁𝐶4 ,𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶1𝑁 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶3𝑁 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝑁𝐶2 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝑁𝐶4 } (36)13ence 𝐸 𝑛𝑜𝑚 = 𝐸 𝑃𝐴 ∪ 𝐸 𝑃𝐵 ∪ 𝐸 𝐶1 ∪ 𝐸 𝐶2 ∪ 𝐸 𝐶3 ∪ 𝐸 𝐶4 ∪ 𝐸 𝑁 . (37)The subscripts of events indicate the directions of packets. For example, “AC1” means packets from Peer A to Channel1. Note that the subscripts of A and B are added to “listen” and “deleteTCB” to make those events private.Figs. 12 to 14 depict the models of the TCP components. 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 illustrate the sequence of 3-way handshakeand cleanup. We mark the states of “closed”, “listen”, and “established” in the automata of the peers, because the peershould not stay in other states during communication, based on [21]. We also mark all states in the automata of thechannels and network, to prevent these automata from marking the system. Namely, 𝑋 𝐶1,𝑚 = 𝑋 𝐶1 , 𝑋 𝐶2,𝑚 = 𝑋 𝐶2 , 𝑋 𝐶3,𝑚 = 𝑋 𝐶3 , 𝑋 𝐶4,𝑚 = 𝑋 𝐶4 , 𝑋 𝑁 = 𝑋 𝑁,𝑚
Moreover, we drop “timeout” events from the peer models in [18], because such an event would impose timeout eventson the automata of the channels and the network for synchronization, resulting in a very large state space for 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 . The absence of timeout events does not affect our desired goal of synthesizing For-all attacks in any othersignificant way, unless otherwise noted afterwards. Dropping timeout events also means that we assume ideal channelsand network in which packets are not lost or distorted by benign malfunctions. In [18], the safety/liveness property of interest is defined as a threat model (TM). TM explains the property usingLinear Temporal Logic (LTL) [1]. In this paper, we represent the required properties in [18] as finite-state automata.[18] provides one threat model, TM1, for the safety property of TCP. TM1 defines the safety property that ifPeer A is at state “closed”, then Peer B should not be at state “established”, because both peers should consecutivelyreach their “established” states after beginning the connection handshake. Let 𝐺 𝑇𝑀1𝑠𝑚 be the safety monitor to capturethe violation of TM1. We represent 𝐺 𝑇𝑀1𝑠𝑚 as the parallel composition of the automata in Fig. 12 where the markedstates are only “closed” in Peer A and “established” in Peer B, namely 𝐺 𝑇𝑀1𝑠𝑚 = 𝐺
𝑇𝑀1𝑃𝐴 ∥ 𝐺
𝑇𝑀1𝑃𝐵 , where 𝐺 𝑇𝑀1𝑃𝐴 =(𝑋
𝑇𝑀1𝑃𝐴 , 𝐸
𝑇𝑀1𝑃𝐴 , 𝑓
𝑇𝑀1𝑃𝐴 , 𝑥
𝑇𝑀1𝑃𝐴,0 , 𝑋
𝑇𝑀1𝑃𝐴,𝑚 ) and 𝐺 𝑇𝑀1𝑃𝐵 = (𝑋
𝑇𝑀1𝑃𝐵 , 𝐸
𝑇𝑀1𝑃𝐵 , 𝑓
𝑇𝑀1𝑃𝐵 , 𝑥
𝑇𝑀1𝑃𝐵,0 , 𝑋
𝑇𝑀1𝑃𝐵,𝑚 ) . Note that 𝑋 𝑇𝑀1𝑃𝐴 = 𝑋 𝑃𝐴 , 𝐸 𝑇𝑀1𝑃𝐴 = 𝐸 𝑃𝐴 , 𝑥 𝑇𝑀1𝑃𝐴,0 = 𝑥
𝑃𝐴,0 , 𝑋
𝑇𝑀1𝑃𝐴,𝑚 = {𝑐𝑙𝑜𝑠𝑒𝑑} ≠ 𝑋
𝑃𝐴,𝑚 ,𝑋 𝑇𝑀1𝑃𝐵 = 𝑋 𝑃𝐵 , 𝐸 𝑇𝑀1𝑃𝐵 = 𝐸 𝑃𝐵 , 𝑥 𝑇𝑀1𝑃𝐵,0 = 𝑥
𝑃𝐵,0 , 𝑋
𝑇𝑀1𝑃𝐵,𝑚 = {𝑒𝑠𝑡𝑎𝑏𝑙𝑖𝑠ℎ𝑒𝑑} ≠ 𝑋
𝑃𝐵,𝑚 . Hence, the marked states in 𝐺 𝑇𝑀1𝑠𝑚 are illegal states, capturing that Peer A is at “closed” and Peer B is at “established”simultaneously.Since the safety monitor for TM1, 𝐺 𝑇𝑀1𝑠𝑚 , is derived from 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 , 𝐺 𝑜𝑡ℎ𝑒𝑟 in step 2 of Section 3.1 is the parallelcomposition of the automata of the channels and network, namely 𝐺 𝑜𝑡ℎ𝑒𝑟 = 𝐺 𝐶1 ∥ 𝐺 𝐶2 ∥ 𝐺 𝐶3 ∥ 𝐺 𝐶4 ∥ 𝐺 𝑁 . Let 𝐻 𝑛𝑜𝑚 in step 4 of Section 3.1 be a nominal specification automaton (without attacker) for TM1. In our system model of TCP, 𝐻 𝑛𝑜𝑚 = 𝑇𝑟𝑖𝑚(𝐺 𝑇𝑀1𝑙𝑚 ∥ 𝐺 𝑜𝑡ℎ𝑒𝑟 ) has no marked states, thus we conclude that our TCP model is correct in terms of TM1. [18] also provides two liveness properties denoted as TM2 and TM3. TM2 defines the liveness property that Peer 2should eventually reach the “established” state. TM3 requires that both peers should not get stuck except at “closed”state, that is, no deadlocks except at “closed” state are allowed. Both TM2 and TM3 requires the system to remainalive during the communication process.We construct the liveness monitors of TM2 and TM3, 𝐺 𝑇𝑀2𝑙𝑚 and 𝐺 𝑇𝑀3𝑙𝑚 , by following Section 3.2. In this paper, theliveness monitors are not given as dedicated automata, thus we construct 𝐺 𝑇𝑀2𝑙𝑚 and 𝐺 𝑇𝑀3𝑙𝑚 based on 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 . Wediscuss the construction of 𝐺 𝑇𝑀2𝑙𝑚 and 𝐺 𝑇𝑀3𝑙𝑚 in Section 5.5, because to build those automata, we rebuild 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 as new automata according to TM2 and TM3. In this section, we explain our attack model for TCP. As we consider the system architecture in Fig. 1a for TCP, theattacker infiltrates the network. First, we construct a modified model of the plant 𝐺 𝑎 in (3) under attack. Since the14etwork of TCP is under attack, we enhance 𝐺 𝑁 to that under attack, 𝐺 𝑁,𝑎 = (𝑋
𝑁,𝑎 , 𝐸
𝑁,𝑎 , 𝑓
𝑁,𝑎 , 𝑥
𝑁,𝑎,0 , 𝑋
𝑁,𝑎,𝑚 ) , byadding new transitions to represent capabilities of the attacker. Thus, 𝐺 𝑎 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝐶1 ∥ 𝐺 𝐶2 ∥ 𝐺 𝐶3 ∥ 𝐺 𝐶4 ∥ 𝐺 𝑁,𝑎 . (38)Fig. 15 depicts the MITM attacked model of the network, 𝐺 𝑁,𝑎 , where “
𝐴𝑇𝑇𝐾 ” is the set of events of outgoingpackets from the network, namely
𝐴𝑇𝑇𝐾 = {𝑆𝑌𝑁
𝑁𝐶2 , 𝐴𝐶𝐾
𝑁𝐶2 , 𝐹𝐼𝑁
𝑁𝐶2 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝑁𝐶2 , 𝑆𝑌𝑁
𝑁𝐶4 , 𝐴𝐶𝐾
𝑁𝐶4 , 𝐹𝐼𝑁
𝑁𝐶4 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝑁𝐶4 }, (39)representing multiple transitions, illustrated as the red transitions, by events in 𝐴𝑇𝑇𝐾 . Hence, the event set of 𝐺 𝑁,𝑎 , 𝐸 𝑁,𝑎 , is as follows: 𝐸 𝑁,𝑎 = 𝐴𝑇𝑇𝐾 ∪ 𝐸 𝑁 (40)where 𝐸 𝑁 is in (36). This allows the attacker to be flexible so that the attacker can send any packets and freely choosethe destination of packets. As in the discussion in Section 2 and in the ABP model, we suppose that the attacker cannotcontrol and observe events outside the network. Hence, the event set of 𝐺 𝑎 , 𝐸 𝑎 , is partitioned for controllability andobservability of the attacker as follows: • Controllable events: 𝐸 𝑎,𝑐 = 𝐴𝑇𝑇𝐾 in (39) • Uncontrollable events: 𝐸 𝑎,𝑢𝑐 = 𝐸 𝑛𝑜𝑚 ⧵ 𝐸 𝑎,𝑐 • Observable events: 𝐸 𝑎,𝑜 = 𝐸 𝑁,𝑎 in (40) • Unobservable events: 𝐸 𝑎,𝑢𝑜 = 𝐸 𝑛𝑜𝑚 ⧵ 𝐸 𝑎,𝑜 .In our attack model, the attacker controls the outgoing packets from the network, to lead the safety/liveness monitor toreach its marked (illegal) state. In this section, we examine whether a For-all attack exists in terms of TM1, TM2, and TM3.
For Threat Model 1 (TM1), we try to synthesize a For-all attacker by the following procedure:1. Construct the system 𝐺 𝑎 in (38).2. Construct the specification automaton 𝐻 𝑎 by following Section 5.2 and the procedure in Section 3.1. 𝐺 𝑇𝑀1𝑠𝑚 =𝐺 𝑇𝑀1𝑃𝐴 ∥ 𝐺
𝑇𝑀1𝑃𝐵 is derived from 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 , thus 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 = 𝐺 𝐶1 ∥ 𝐺 𝐶2 ∥ 𝐺 𝐶3 ∥ 𝐺 𝐶4 ∥ 𝐺 𝑁,𝑎 .3. Since 𝐸 𝑎,𝑐 ⊆ 𝐸 𝑎,𝑜 , compute ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 = ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) .4. Check whether ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 is non-empty.5. Pick one example string from the initial state to one marked state in ℒ 𝑚 (𝐻 𝑎 ) ↑𝐶𝑁 , which represents one systembehavior under attack that reaches the marked state in 𝐺 𝑇𝑀1𝑠𝑚 .In our system model of TCP, all states in 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 are marked, thus the marked states in 𝐻 𝐶𝑁𝑎 correspond to the markedstates in 𝐺 𝑇𝑀1𝑠𝑚 . Since these steps are for the attacker synthesis in terms of the safety property, this procedure is quitesimilar as that for ABP in Section 4.5.
Setup 1
Let us consider a powerful attacker represented by 𝐺 𝑁,𝑎 in Fig. 15. By following the above procedure, 𝐺 𝑎 in (38) is not trim, and has 118761 states and 6307 marked states. Also, 𝐻 𝑎 has 34658 states and 704 marked states. Asa result, 𝐻 𝐶𝑁𝑎 is empty with respect to 𝐺 𝑎 and 𝐻 𝑎 , that is, there exist no For-all attacks in terms of this setup. This isdue to deadlock states comprising “listen” state of both Peer A and Peer B in 𝐺 𝑎 . If both peers reach “listen” state, thenthey keep waiting for packets from channels. Such deadlock states are reachable by the uncontrollable events 𝑙𝑖𝑠𝑡𝑒𝑛 𝐴 or 𝑙𝑖𝑠𝑡𝑒𝑛 𝐵 , resulting in an empty 𝐻 𝐶𝑁𝑎 . Later on, we remove such deadlock states by retrieving a “timeout” transitionfrom “listen” to “closed”. 15 etup 2
To determine whether or not any attack strategies exist in this setup, we see if any There-exist attacks exist.First, we mark all states of 𝐺 𝑎 and 𝐻 𝑎 in Setup 1. This allows deadlock and livelock states to exist. Consequently,the standard algortihm for the supremal controllable normal sublanguage returns a non-empty 𝐻 𝐶𝑁𝑎 , and ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) contains the following string steering 𝐺 𝑇𝑀1𝑠𝑚 to its marked states:
𝑆𝑌𝑁
𝐵𝐶3 .𝑆𝑌𝑁
𝐶3𝑁 .𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝑁𝐶4 .𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶4𝐵 .𝐴𝐶𝐾
𝐵𝐶3 . (41) 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝑁𝐶4 is a fake packet sent to Peer B by the attacker, and this leads 𝐺 𝑇𝑀1𝑃𝐵 to the marked state “established”while 𝐺 𝑇𝑀1𝑃𝐴 is at “closed” state. According to the existence of this string, we conclude that a There-exist attack existswith respect to 𝐺 𝑎 and 𝐻 𝑎 . Setup 3
In this setup, we remove the deadlock states found in Setup 1 due to “listen” state, by retrieving “timeout”from “listen” to “closed” in 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 . Fig. 17 shows the new automata of the peers. We add the subscripts ofA and B to the timeout events to make those events private. Henceforth, we denote 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 as the automata inFig. 17. According to the new timeout events, 𝐸 𝑃𝐴 = {𝑡𝑖𝑚𝑒𝑜𝑢𝑡 𝐴 , 𝑙𝑖𝑠𝑡𝑒𝑛 𝐴 , 𝑑𝑒𝑙𝑒𝑡𝑒𝑇𝐶𝐵 𝐴 , 𝑆𝑌𝑁 𝐴𝐶1 , 𝑆𝑌𝑁
𝐶2𝐴 ,𝐴𝐶𝐾
𝐴𝐶1 , 𝐴𝐶𝐾
𝐶2𝐴 , 𝐹𝐼𝑁
𝐴𝐶1 , 𝐹𝐼𝑁
𝐶2𝐴 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐴𝐶1 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶2𝐴 } (42) 𝐸 𝑃𝐵 = {𝑡𝑖𝑚𝑒𝑜𝑢𝑡 𝐵 , 𝑙𝑖𝑠𝑡𝑒𝑛 𝐵 , 𝑑𝑒𝑙𝑒𝑡𝑒𝑇𝐶𝐵 𝐵 , 𝑆𝑌𝑁 𝐵𝐶3 , 𝑆𝑌𝑁
𝐶4𝐵 ,𝐴𝐶𝐾
𝐵𝐶3 , 𝐴𝐶𝐾
𝐶4𝐵 , 𝐹𝐼𝑁
𝐵𝐶3 , 𝐹𝐼𝑁
𝐶4𝐵 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐵𝐶3 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾
𝐶4𝐵 }, (43)so the new 𝐺 𝑎 has 118761 states and 6307 marked states, and the new 𝐻 𝑎 has 38270 states and 704 marked states.Next, we compute 𝐻 𝐶𝑁𝑎 with respect to 𝐺 𝑎 and 𝐻 𝑎 by following the procedure for TM1, using the new 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 . As a result, 𝐻 𝐶𝑁𝑎 computed by the standard algorithm is non-empty, having 52783 states and 626 marked states,and ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) contains the string in (41). Therefore, we conclude that there exists a For-all attacker 𝑆 𝑃 defined in (7)with respect to 𝐺 𝑎 and 𝐻 𝑎 in this setup. From ℒ(𝐺 𝑎 ) ≠ ℒ(𝐻 𝐶𝑁𝑎 ) , the attacker disables some transitions by controllableevents in 𝐺 𝑎 , to always eventually win. One may find that in our TCP model, the channels just relay the incoming packets to their destinations,without any deletion or manipulation of packets. Since we assume ideal channels, we can reduce the communicationarchitecture in Fig. 1a to that without channels, namely the architecture in Fig. 3. Due to the removal of the channels,
A Network B
Fig. 3: Communication overview without channels to assure the synchronization of the peers and network in the parallel composition, we rename subscripts of events in 𝐸 𝑃𝐴 in (42), 𝐸 𝑃𝐵 in (43), 𝐸 𝑁 in (36), and 𝐸 𝑁,𝑎 in (40), as follows:
𝐴𝐶1 → 𝐴𝑁, 𝐶2𝐴 → 𝑁𝐴, 𝐵𝐶3 → 𝐵𝑁, 𝐶4𝐵 → 𝑁𝐵,𝐶1𝑁 → 𝐴𝑁, 𝑁𝐶2 → 𝑁𝐴, 𝐶3𝑁 → 𝐵𝑁, 𝑁𝐶4 → 𝑁𝐵. (44)According to this change, the new 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 are as follows: 𝐺 𝑛𝑜𝑚 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝑁 (45) 𝐺 𝑎 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝑁,𝑎 . (46) 𝐺 𝑛𝑜𝑚 in (45) is trim, consisting of 41 states and 5 marked states, and 𝐺 𝑎 in (46) comprises 580 states and 27 markedstates, and is not trim. Since we remove the automata of the channels from our system model, 𝐺 𝑜𝑡ℎ𝑒𝑟 and 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 in Section 5.2 and in step 2 of our examination procedure are equal to 𝐺 𝑁 and 𝐺 𝑁,𝑎 , respectively. Even after theremoval of the channels, 𝐻 𝑛𝑜𝑚 has no marked states. 16oting that 𝐸 𝑎,𝑐 ⊆ 𝐸 𝑎,𝑜 still holds after renaming, let us revisit the procedure of the construction of 𝐻 𝑎 and thecomputation of 𝐻 𝐶𝑁𝑎 with the new 𝐺 𝑎 . In this setup, 𝐻 𝑎 consists of 547 states and 3 marked states, 𝐻 𝐶𝑁𝑎 with respectto 𝐺 𝑎 and 𝐻 𝑎 is non-empty with 513 states and 3 marked states. ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) contains the following string: 𝑆𝑌𝑁 𝐵𝑁 .𝑆𝑌𝑁 𝑁𝐵 .𝐴𝐶𝐾 𝐵𝑁 .𝐴𝐶𝐾 𝑁𝐵 (47)where 𝑆𝑌𝑁 𝑁𝐵 and 𝐴𝐶𝐾 𝑁𝐵 are fake packets inserted by the attacker, tricking Peer B into reaching “established”whereas Peer A does not move out from “closed”. Finally, from ℒ(𝐻
𝐶𝑁𝑎 ) ≠ ℒ(𝐺 𝑎 ) and non-trim 𝐺 𝑎 , the supervisorof the attacker disables several transitions in 𝐺 𝑎 , to prevent the system from reaching deadlock/livelock states and toassure that the attacker always eventually wins. Setup 5
As we have done in the ABP case study, let us consider a less-powerful attacker than the attacker in setups 1through 4. First, we change the controllable events for the attacker, 𝐸 𝑎,𝑐 , as follows: 𝐸 𝑎,𝑐 = {𝑆𝑌𝑁 𝐴𝑁 , 𝑆𝑌𝑁 _ 𝐴𝐶𝐾 𝑁𝐵 } (48) 𝐸 𝑎,𝑢𝑐 = 𝐸 𝑎 ⧵ 𝐸 𝑎,𝑐 (49)whereas 𝐸 𝑎,𝑜 and 𝐸 𝑎,𝑢𝑜 do not change. Note that 𝐸 𝑎,𝑐 ⊆ 𝐸 𝑎,𝑜 still holds. 𝑆𝑌𝑁 𝐴𝑁 in 𝐸 𝑎,𝑐 means that the attacker candiscard SYN packet coming from Peer A. Next, we redesign the infiltrated network by the attacker, 𝐺 𝑁,𝑎 , to representthe reduced capability of the attacker. Fig. 16 indicates the model of an infiltrated network by a lesspowerful attacker, 𝐺 𝑤𝑁,𝑎 . The red transitions are where the attacker can take action.From the change of 𝐺 𝑁,𝑎 to 𝐺 𝑤𝑁,𝑎 , we change 𝐺 𝑎 to the entire system under the lesspowerful MITM attack, namely 𝐺 𝑎 = 𝐺 𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝑤𝑁,𝑎 , in this setup. As a result, the new 𝐺 𝑎 is not trim, consisting of 48 states, 7 marked states,and 1 deadlock state. Because 𝐺 𝑇𝑀1𝑠𝑚 is not different from Setup 4, 𝐺 𝑜𝑡ℎ𝑒𝑟,𝑎 = 𝐺 𝑤𝑁,𝑎 here. Therefore by following theprocedure for TM1, 𝐻 𝑎 comprises 47 states and 1 marked state, and 𝐻 𝐶𝑁𝑎 with respect to 𝐺 𝑎 and 𝐻 𝑎 here is non-emptywith 63 states and 2 marked states, containing the following string leading 𝐺 𝑇𝑀1𝑠𝑚 to its marked state:
𝑆𝑌𝑁 𝐵𝑁 .𝑆𝑌𝑁 _ 𝐴𝐶𝐾 𝑁𝐵 .𝐴𝐶𝐾 𝐵𝑁 . (50)In conclusion, there exists a supervisor of the attacker for For-all attack with the less-powerful MITM model.From 𝐺 𝑤𝑁,𝑎 in Fig. 16, the attacker can send a fake SYN_ACK packet to Peer B only when Peer B enters “SYN sent”state, and the attacker must keep Peer A at “closed” state. Hence, the supervisor of the attacker must disable 𝑆𝑌𝑁 𝐴𝑁 at “closed” state in 𝐺 𝑃𝐴 shown in Fig. 17 where the subscripts of events are changed as in (44), and ℒ(𝐻
𝐶𝑁𝑎 ) ≠ ℒ(𝐺 𝑎 ) reflects this disablement action. Therefore, if 𝑆𝑌𝑁 𝐴𝑁 is uncontrollable, then 𝐻 𝐶𝑁𝑎 is empty.
Consider 𝐺 𝑃𝐴 , 𝐺 𝑃𝐵 , 𝐺 𝑁 , and 𝐺 𝑁,𝑎 in Setup 4. Recall that Threat Model 2 (TM2) requires Peer A to reach its“established” state eventually. To design the liveness monitor which captures the violation of TM2, we first unmarkall states of 𝐺 𝑃𝐴 and mark its “established” state. Let 𝐺 𝑇𝑀2𝑃𝐴 be a new automaton derived from 𝐺 𝑃𝐴 in Fig. 17a bythis marking and renaming as in (44). In contrast to the construction of safety monitors, 𝐺 𝑇𝑀2𝑃𝐴 captures the desiredbehavior where Peer A reaches its “established” state eventually. Thus we construct 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 as follows: 𝐺 𝑛𝑜𝑚 = 𝐺 𝑇𝑀2𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝑁 (51) 𝐺 𝑎 = 𝐺 𝑇𝑀2𝑃𝐴 ∥ 𝐺 𝑃𝐵 ∥ 𝐺 𝑁,𝑎 (52)To prevent it from marking 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 , we mark all states in 𝐺 𝑃𝐵 , so the marked states of 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 are determinedby the “established” state in 𝐺 𝑇𝑀2𝑃𝐴 . Setup 6
Let us construct 𝐻 𝑎 by following the procedure in Section 3.2. First of all, 𝐺 𝑛𝑜𝑚 in (51) is trim, thus thesystem model is correct in terms of TM2, meaning that Peer A eventually reaches its “established” state. So, let usproceed to the next step. From the additional transitions of 𝐺 𝑁,𝑎 in Fig. 15, 𝐺 𝑎 in (52) is not trim, thus 𝐺 𝑎 containsseveral deadlock and/or livelock states. In this paper, the liveness monitor for TM2, 𝐺 𝑇𝑀2𝑙𝑚 , is not given. Hence webuild 𝐺 𝑇𝑀2𝑙𝑚 based on 𝐺 𝑎 . In 𝐺 𝑎 , there are 25 deadlock states. These deadlock states are those the attacker wants 𝐺 𝑎
17o reach so that Peer A cannot always reach its “established” state. To design 𝐺 𝑇𝑀2𝑙𝑚 representing the violation of TM2,namely reaching the deadlock states, we unmark all states in 𝐺 𝑎 and then mark all the deadlock states. Hence, let 𝐺 𝑇𝑀2𝑙𝑚 be the new automaton built by the marking of deadlock states in 𝐺 𝑎 , so that every string in ℒ 𝑚 (𝐺 𝑇𝑀2𝑙𝑚 ) ends with oneof the deadlock states. Finally, the specification automaton for the attacker is 𝐻 𝑎 = 𝑇𝑟𝑖𝑚(𝐺 𝑇𝑀2𝑙𝑚 ) .Consequently, 𝐻 𝑎 consists of 580 states and 25 deadlock states which are determined by 𝐺 𝑎 , and 𝐻 𝐶𝑁𝑎 with respectto 𝐺 𝑎 and 𝐻 𝑎 is non-empty, where ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) contains the following string: 𝑆𝑌𝑁 𝐴𝑁 .𝑆𝑌𝑁 _ 𝐴𝐶𝐾 𝑁𝐴 .𝐴𝐶𝐾 𝐴𝑁 .𝐹𝐼𝑁 𝑁𝐴 .𝑆𝑌𝑁 𝐵𝑁 .𝑆𝑌𝑁 𝑁𝐵 .𝐴𝐶𝐾 𝐴𝑁 . (53) 𝑆𝑌𝑁 _ 𝐴𝐶𝐾 𝑁𝐴 , 𝐹𝐼𝑁 𝑁𝐴 , and 𝑆𝑌𝑁 𝑁𝐵 in (53) are fake packets inserted by the attacker. This string makes Peer A andPeer B stuck at “close wait” state and at “i3” state, respectively. Here, ℒ(𝐻
𝐶𝑁𝑎 ) = ℒ(𝐺 𝑎 ) , thus the attacker just insertsfake packets and does not disable any controllable events. In conclusion, there exists a For-all attack for TM2 withthis setup. In this section, we examine whether any For-all attacks against the Threat Model 3 (TM3) exist. TM3 defines theliveness requirement for the system that the peers should not suffer from any deadlocks if they leave “closed” state.Consider 𝐺 𝑃𝐴 , 𝐺 𝑃𝐵 , 𝐺 𝑁 , and 𝐺 𝑁,𝑎 in Setup 4 again. Since TM3 is defined by a liveness property, we design aliveness monitor for TM3 similarly as a monitor for TM2, discussed in Section 5.5.3. According to TM3, we firstunmark all states and mark “closed” state in 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 . Let 𝐺 𝑇𝑀3𝑃𝐴 and 𝐺 𝑇𝑀3𝑃𝐵 be the new automata derived from 𝐺 𝑃𝐴 and 𝐺 𝑃𝐵 in Fig. 17 by this marking and renaming as in (44), respectively. Since 𝐺 𝑇𝑀3𝑃𝐴 and 𝐺 𝑇𝑀3𝑃𝐵 capture thedesired behavior of the system model, we construct 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 as follows: 𝐺 𝑛𝑜𝑚 = 𝐺 𝑇𝑀3𝑃𝐴 ∥ 𝐺
𝑇𝑀3𝑃𝐵 ∥ 𝐺 𝑁 (54) 𝐺 𝑎 = 𝐺 𝑇𝑀3𝑃𝐴 ∥ 𝐺
𝑇𝑀3𝑃𝐵 ∥ 𝐺
𝑁,𝑎 (55)Since all states in 𝐺 𝑁 and 𝐺 𝑁,𝑎 are marked, the marked states in 𝐺 𝑛𝑜𝑚 and 𝐺 𝑎 are determined by “closed” state of 𝐺 𝑇𝑀3𝑃𝐴 and 𝐺 𝑇𝑀3𝑃𝐵 . Setup 7
We construct 𝐻 𝑎 using the procedure in Section 3.2. First, 𝐺 𝑛𝑜𝑚 in (54) consisting of 41 states and 1 markedstate is trim, thus our system model is correct in terms of TM3. This means that neither Peer A nor Peer B suffers fromdeadlocks and/or livelocks when they are not at “closed” state. In the next step, due to 𝐺 𝑁,𝑎 , 𝐺 𝑎 in (55) comprising580 states and 3 marked states is not trim, thus 𝐺 𝑎 contains deadlock and/or livelock states. In particular, 𝐺 𝑎 has25 deadlock states and no livelock states. Since the liveness monitor for TM3, 𝐺 𝑇𝑀3𝑙𝑚 , is not given as a dedicatedautomaton, 𝐺 𝑇𝑀3𝑙𝑚 is derived from 𝐺 𝑎 by unmarking all states and marking the 25 deadlock states in 𝐺 𝑎 . Finally, wehave 𝐻 𝑎 = 𝑇𝑟𝑖𝑚(𝐺 𝑇𝑀3𝑙𝑚 ) .As a result, 𝐻 𝑎 in this setup consists of 580 states and 25 marked (deadlock) states, determined by 𝐺 𝑎 , and 𝐻 𝐶𝑁𝑎 with respect to 𝐺 𝑎 and 𝐻 𝑎 is non-empty with 660 states and 25 marked states. To see a behavior of the system underthe attack, we pick the following example string in ℒ 𝑚 (𝐻 𝐶𝑁𝑎 ) : 𝑙𝑖𝑠𝑡𝑒𝑛 𝐴 .𝑆𝑌𝑁 𝐵𝑁 .𝑆𝑌𝑁 𝑁𝐴 .𝑆𝑌𝑁 _ 𝐴𝐶𝐾 𝐴𝑁 .𝐴𝐶𝐾 𝑁𝐴 .𝐹𝐼𝑁 𝐴𝑁 .𝐴𝐶𝐾 𝑁𝐴 (56)where the fifth and seventh 𝐴𝐶𝐾 𝑁𝐴 are fake packets sent from the attacker to Peer A. This string makes Peer A andPeer B stuck at “FIN wait 2” and “SYN sent”, respectively. Here, ℒ(𝐻
𝐶𝑁𝑎 ) = ℒ(𝐺 𝑎 ) , thus the attacker inserts fakepackets and does not disable any controllable events. To sum up, there exists a For-all attack for TM3 with this setup. We investigated the synthesis problem of For-all attacks under which the attacker can always eventually win, in thespecific context of man-in-the-middle attacks in communication protocols, where a sender and a receiver communicateover channels and a network. We formulated this problem in the framework of discrete event systems in order toleverage its supervisory control theory for attacker synthesis. We showed that the synthesis of a For-all attack can be18ormulated as the problem of finding a maximal controllable and observable sublanguage of the specification languagefor the attacker with respect to the given plant and the capabilities of the attacker in terms of controllable and observableevents. The plant is the combination of the models of the sender, receiver, channels, and network. The specificationlanguage for the attacker is derived from a suitable specification automaton, and we described in Sections 3.1 and 3.2how to construct that automaton for safety properties and liveness properties, respectively. The goal of the attacker isto force a violation of the given safety or liveness property of the communication protocol.We then applied our methodology to synthesize For-all attacks with respect to the given system and the requiredproperties using the well-known protocols ABP and TCP under man-in-the-middle attacks in Sections 4 and 5. Thisextends the previous results in [18] (for TCP), where the authors considered the synthesis of There-exists attacksunder which the attacker may not always win, but is guaranteed to sometimes win. As a result, we found severalFor-all attacks for various setups for the capabilities of the attacker. Our models for ABP and TCP, and for the safetyand liveness properties to be violated by the attacker, followed those in [5] and [18]. In total, we presented six setupsfor ABP and seven setups for TCP, where the plant, specification, and event partitions vary. When For-all attacks didnot exist, we showed how to obtain There-exists attacks.In the MITM attack setups we considered, it was reasonable to assume that the attacker observes all the events itcontrols. Hence, the synthesis of a For-all attack reduced to the computation of the supremal controllable and normalsublanguage.The methodology that we employed for ABP and TCP is generic and could be applied to other protocols and othertypes of attacks that can be modeled as additional events in the transition structure of the protocol. This shows thatformulating attacker synthesis as a supervisory control problem is a powerful approach in the study of vulnerabilitiesof distributed protocols. In the future, it would be of interest to investigate how to make distributed protocols moreresilient to both There-exists and For-all attacks. 19
Figures of ABP 𝑠 𝑠 𝑠 𝑠 𝑠 𝑠 𝑠 𝑠 𝑎 ′0 𝑎 ′1 𝑡𝑖𝑚𝑒𝑜𝑢𝑡𝑠𝑒𝑛𝑑 𝑝 𝑠𝑒𝑛𝑑𝑡𝑖𝑚𝑒𝑜𝑢𝑡 𝑎 ′1 𝑎 ′0 𝑑𝑜𝑛𝑒 𝑎 ′0 𝑡𝑖𝑚𝑒𝑜𝑢𝑡𝑠𝑒𝑛𝑑 𝑎 ′1 𝑝 𝑠𝑒𝑛𝑑𝑡𝑖𝑚𝑒𝑜𝑢𝑡𝑎 ′1 𝑑𝑜𝑛𝑒 (a) ABP sender 𝐺 𝑆 𝑟 𝑟 𝑟 𝑟 𝑟 𝑟 𝑝 ′0 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 𝑎 𝑝 ′0 𝑝 ′1 𝑑𝑒𝑙𝑖𝑣𝑒𝑟𝑝 ′1 𝑎 (b) ABP receiver 𝐺 𝑅 𝑓 𝑓 𝑓 𝑝 𝑝 𝑝 𝑝 𝑝 ′0 𝑝 𝑝 ′0 𝑝 𝑝 𝑝 ′1 𝑝 𝑝 ′1 (c) Forward channel 𝐺 𝑛𝑑𝐹𝐶 𝑏 𝑏 𝑏 𝑎 𝑎 𝑎 𝑎 𝑎 ′0 𝑎 𝑎 ′0 𝑎 𝑎 𝑎 ′1 𝑎 𝑎 ′1 (d) Backward channel 𝐺 𝑛𝑑𝐵𝐶 𝑠 𝑐0 𝑠 𝑐1 𝑑𝑜𝑛𝑒 𝑠𝑒𝑛𝑑𝑑𝑜𝑛𝑒 (e) Sending client 𝐺 𝑆𝐶 𝑟 𝑐0 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 (f) Receiving client 𝐺 𝑅𝐶 𝑡 𝑡𝑖𝑚𝑒𝑜𝑢𝑡 (g) Timer 𝐺 𝑇 Fig. 4: Models of ABP components from [5]; the red transitions are dead transitions addressed in Section 4.5.2. {𝑓 } {𝑓 , 𝑓 }{𝑓 , 𝑓 } {𝑓 , 𝑓 , 𝑓 }𝑝 𝑝 𝑝 ′0 𝑝 𝑝 ′0 𝑝 𝑝 𝑝 ′1 𝑝 𝑝 ′1 𝑝 𝑝 (a) Forward channel 𝐺 𝐹𝐶 {𝑏 } {𝑏 , 𝑏 }{𝑏 , 𝑏 } {𝑏 , 𝑏 , 𝑏 }𝑎 𝑎 𝑎 ′0 𝑎 𝑎 ′0 𝑎 𝑎 𝑎 ′1 𝑎 𝑎 ′1 𝑎 𝑎 (b) Backward channel 𝐺 𝐵𝐶 Fig. 5: Observer automata of channels 𝑞 𝑞 𝑠𝑒𝑛𝑑𝑑𝑒𝑙𝑖𝑣𝑒𝑟 𝑠𝑒𝑛𝑑𝑑𝑒𝑙𝑖𝑣𝑒𝑟 𝑠𝑒𝑛𝑑 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 (a) Safety monitor 1 𝐺 ; 𝑠𝑒𝑛𝑑 and 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 should happen in the rightorder. 𝑞 𝑞 𝑞 𝑑𝑒𝑙𝑖𝑣𝑒𝑟𝑑𝑜𝑛𝑒 𝑑𝑒𝑙𝑖𝑣𝑒𝑟𝑑𝑜𝑛𝑒 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 𝑑𝑜𝑛𝑒 (b) Safety monitor 2 𝐺 ; 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 and 𝑑𝑜𝑛𝑒 should happen in the rightorder. Fig. 6: Safety monitors from [5] 𝑞 𝑞 𝑞 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 𝑠𝑒𝑛𝑑 𝑠𝑒𝑛𝑑 𝑑𝑒𝑙𝑖𝑣𝑒𝑟 𝑠𝑒𝑛𝑑𝑑𝑒𝑙𝑖𝑣𝑒𝑟 Fig. 7: Liveness monitor 𝐺 𝑙𝑚 based on [5]; 𝑠𝑒𝑛𝑑 should eventually be followed by a 𝑑𝑒𝑙𝑖𝑣𝑒𝑟𝑓 𝑓 𝑓 𝑝 𝑝 𝑝 𝑝 𝑝 ′0 𝑝 𝑝 ′0 𝑝 𝑝 𝑝 ′1 𝑝 𝑝 ′1 𝑝 ′1 𝑝 ′1 𝑝 ′0 𝑝 ′0 (a) Forward MITM channel 𝐺 𝑛𝑑𝐹𝐶,𝑎 𝑏 𝑏 𝑏 𝑎 𝑎 𝑎 𝑎 𝑎 ′0 𝑎 𝑎 ′0 𝑎 𝑎 𝑎 ′1 𝑎 𝑎 ′1 𝑎 ′1 𝑎 ′1 𝑎 ′0 𝑎 ′0 (b) Backward MITM channel 𝐺 𝑛𝑑𝐵𝐶,𝑎 Fig. 8: Channel models under the MITM attack {𝑓 } {𝑓 , 𝑓 }{𝑓 , 𝑓 } {𝑓 , 𝑓 , 𝑓 }𝑝 𝑝 𝑝 ′0 𝑝 𝑝 ′0 𝑝 𝑝 𝑝 ′1 𝑝 𝑝 ′1 𝑝 𝑝 𝑝 ′1 𝑝 ′0 𝑝 ′0 𝑝 ′1 (a) Foward MITM channel 𝐺 𝐹𝐶,𝑎 {𝑏 } {𝑏 , 𝑏 }{𝑏 , 𝑏 } {𝑏 , 𝑏 , 𝑏 }𝑎 𝑎 𝑎 ′0 𝑎 𝑎 ′0 𝑎 𝑎 𝑎 ′1 𝑎 𝑎 ′1 𝑎 𝑎 𝑎 ′1 𝑎 ′0 𝑎 ′0 𝑎 ′1 (b) Backward MITM channel 𝐺 𝐵𝐶,𝑎
Fig. 9: Observer automata of the MITM channels 𝑓 𝑓 𝑝 𝑝 𝑝 𝑝 𝑝 ′0 𝑝 𝑝 ′0 𝑝 𝑝 𝑝 ′1 𝑝 𝑝 ′1 𝑝 ′1 (a) Lesspowerful forward MITM channel 𝐺 𝑛𝑑𝐹𝐶,𝑤𝑎 {𝑓 } {𝑓 , 𝑓 }{𝑓 , 𝑓 } {𝑓 , 𝑓 , 𝑓 }𝑝 𝑝 𝑝 ′0 𝑝 ′1 𝑝 𝑝 ′0 𝑝 𝑝 𝑝 ′1 𝑝 𝑝 ′1 𝑝 𝑝 (b) Observer automata of lesspowerful forward MITM channel 𝐺 𝐹𝐶,𝑤𝑎
Fig. 10: Lesspowerful forward MITM channel 𝑓 𝑓 𝑓 𝑓 ′0 𝑓 ′1 𝑓 ′2 𝑝 𝑝 𝑝 𝑝 𝑝 ′0 𝑝 𝑝 ′0 𝑝 𝑝 𝑝 ′1 𝑝 𝑝 ′1 𝑝 𝑝 𝑝 𝑝 𝑝 ′0 𝑝 𝑝 ′0 𝑝 𝑝 𝑝 ′1 𝑝 𝑝 ′1 𝑝 ′1 Fig. 11: One-shot forward MITM channel Figures of TCP closed SYNsentlisten 𝑖 𝑖 𝑖 establishedSYNreceived 𝑖 closewaitlastACK FINwait 1 FINwait 2 𝑖 𝑖 closingtimewait SYN
AC1
SYN_ACK
C2A
ACK
AC1
SYN
C2A
ACK
AC1
ACK
C2A listen A SYN
C2A
SYN_ACK
AC1
FIN
C2A
ACK
AC1
FIN
AC1
ACK
C2A
FIN
AC1
ACK
C2A
FIN
C2A
FIN
C2A
ACK
AC1
ACK
C2A
ACK
AC1 deleteTCB A (a) Peer A 𝐺 𝑃𝐴 closed SYNsentlisten 𝑖 𝑖 𝑖 establishedSYNreceived 𝑖 closewaitlastACK FINwait 1 FINwait 2 𝑖 𝑖 closingtimewait SYN
BC3
SYN_ACK
C4B
ACK
BC3
SYN
C4B
ACK
BC3
ACK
C4B listen B SYN
C4B
SYN_ACK
BC3
FIN
C4B
ACK
BC3
FIN
BC3
ACK
C4B
FIN
BC3
ACK
C4B
FIN
C4B
FIN
C4B
ACK
BC3
ACK
C4B
ACK
BC3 deleteTCB B (b) Peer B 𝐺 𝑃𝐵 Fig. 12: Component models of TCP YN AC1
SYN
C1N
ACK
AC1
ACK
C1N
SYN_ACK
AC1
SYN_ACK
C1N
FIN
AC1
FIN
C1N (a) Channel 1 𝐺 𝐶1 SYN
NC2
SYN
C2A
ACK
NC2
ACK
C2A
SYN_ACK
NC2
SYN_ACK
C2A
FIN
NC2
FIN
C2A (b) Channel 2 𝐺 𝐶2 SYN
BC3
SYN
C3N
ACK
BC3
ACK
C3N
SYN_ACK
BC3
SYN_ACK
C3N
FIN
BC3
FIN
C3N (c) Channel 3 𝐺 𝐶3 SYN
NC4
SYN
C4B
ACK
NC4
ACK
C4B
SYN_ACK
NC4
SYN_ACK
C4B
FIN
NC4
FIN
C4B (d) Channel 4 𝐺 𝐶4 Fig. 13: Channel models of TCP
SYN
C1N
SYN
NC4
SYN
C3N
SYN
NC2
FIN
C1N
FIN
NC4
FIN
C3N
FIN
NC2
ACK
C1N
ACK
NC4
ACK
C3N
ACK
NC2
SYN_ACK
C1N
SYN_ACK
NC4
SYN_ACK
C3N
SYN_ACK
NC2
Fig. 14: Network model of TCP
SYN
C1N
ATTKSYN
C3N
ATTKFIN
C1N
ATTKFIN
C3N
ATTKACK
C1N
ATTKACK
C3N
ATTKSYN_ACK
C1N
ATTKSYN_ACK
C3N
ATTK
Fig. 15: Network model under the MITM attack 𝐺 𝑁,𝑎
SYN AN SYN NB SYN BN SYN NA FIN AN FIN NB FIN BN FIN NA ACK AN ACK NB ACK BN ACK NA SYN_ACK AN SYN_ACK NB SYN_ACK BN SYN_ACK NA SYN_ACK NB Fig. 16: Network model under the lesspowerful MITM attack 𝐺 𝑤𝑁,𝑎 losed SYNsentlisten 𝑖 𝑖 𝑖 establishedSYNreceived 𝑖 closewaitlastACK FINwait 1 FINwait 2 𝑖 𝑖 closingtimewait SYN
AC1
SYN_ACK
C2A
ACK
AC1
SYN
C2A
ACK
AC1
ACK
C2A listen A SYN
C2A
SYN_ACK
AC1
FIN
C2A
ACK
AC1
FIN
AC1
ACK
C2A
FIN
AC1
ACK
C2A
FIN
C2A
FIN
C2A
ACK
AC1
ACK
C2A
ACK
AC1 deleteTCB A timeout A (a) Peer A 𝐺 𝑃𝐴 closed SYNsentlisten 𝑖 𝑖 𝑖 establishedSYNreceived 𝑖 closewaitlastACK FINwait 1 FINwait 2 𝑖 𝑖 closingtimewait SYN
BC3
SYN_ACK
C4B
ACK
BC3
SYN
C4B
ACK
BC3
ACK
C4B listen B SYN
C4B
SYN_ACK
BC3
FIN
C4B
ACK
BC3
FIN
BC3
ACK
C4B
FIN
BC3
ACK
C4B
FIN
C4B
FIN
C4B
ACK
BC3
ACK
C4B
ACK
BC3 deleteTCB B timeout B (b) Peer B 𝐺 𝑃𝐵 Fig. 17: Peers with timeout eferences [1] C. Baier and J.-P. Katoen, Principles of model checking . The MIT Press, 2008.[2] E. Kang, A. Milicevic, and D. Jackson, “Multi-representational security analysis,” in
Proceedings of the 24thACM SIGSOFT International Symposium on Foundations of Software Engineering , pp. 181–192.[3] H. Bagheri, E. Kang, S. Malek, and D. Jackson, “Detection of design flaws in the android permission protocolthrough bounded verification,” in
FM 2015: Formal Methods , N. Bjørner and F. de Boer, Eds., vol. 9109.Springer International Publishing, pp. 73–89, series Title: Lecture Notes in Computer Science.[4] G. J. Holzmann and W. S. Lieberman,
Design and validation of computer protocols . Prentice hall EnglewoodCliffs, 1991, vol. 512.[5] R. Alur and S. Tripakis, “Automatic synthesis of distributed protocols,”
ACM SIGACT News , vol. 48, no. 1, pp.55–90, 2017.[6] C. Cassandras and S. Lafortune,
Introduction to Discrete Event Systems . Boston, MA: Springer US, 2008.[7] W. M. Wonham and K. Cai,
Supervisory Control of Discrete-Event Systems , ser. Communications and ControlEngineering. Springer International Publishing, 2019.[8] K. Rudie and W. Wonham, “Protocol verification using discrete-event systems,” in
Proceedings of the 31st IEEEConference on Decision and Control . IEEE, pp. 3770–3777.[9] R. Kumar, S. Nelvagal, and S. I. Marcus, “A discrete event systems approach for protocol conversion,” vol. 7,no. 3, pp. 295–315.[10] K. Rudie and W. M. Wonham, “Supervisory control of communicating processes,” in
Proceedings of the IFIPWG6.1 Tenth International Symposium on Protocol Specification, Testing and Verification X , 1990, pp. 243–257.[11] K. Saleh, “Synthesis of communications protocols: an annotated bibliography,”
ACM SIGCOMM ComputerCommunication Review , vol. 26, no. 5, pp. 40–59, 1996.[12] L. K. Carvalho, Y.-C. Wu, R. Kwong, and S. Lafortune, “Detection and mitigation of classes of attacks insupervisory control systems,” vol. 97, pp. 121–133.[13] M. Wakaiki, P. Tabuada, and J. P. Hespanha, “Supervisory control of discrete-event systems under attacks,” vol. 9,no. 4, pp. 965–983.[14] R. Su, “Supervisor synthesis to thwart cyber attack with bounded sensor reading alterations,” vol. 94, pp. 35–44.[15] R. Meira-Goes, H. Marchand, and S. Lafortune, “Towards resilient supervisors against sensor deception attacks,”in
Proceedings of the IEEE 58th Conference on Decision and Control . IEEE, pp. 5144–5149.[16] R. Meira-Góes, E. Kang, R. H. Kwong, and S. Lafortune, “Synthesis of sensor deception attacks at the supervisorylayer of cyber–physical systems,” vol. 121, p. 109172.[17] L. Lin, Y. Zhu, and R. Su, “Synthesis of actuator attackers for free.”[18] M. von Hippel, C. Vick, S. Tripakis, and C. Nita-Rotaru, “Automated attacker synthesis for distributedprotocols,” 4 2020. [Online]. Available: http://arxiv.org/abs/2004.01220[19] M. von Hippel, C. Vick, S. Tripakis, and C. Nita-Rotaru, “Automated attacker synthesis for distributed protocols,”in
Proceedings of the 39th International Conference on Computer Safety, Reliability, and Security . SpringerInternational Publishing, pp. 133–149.[20] M. von Hippel. (2020) Korg. [Online]. Available: https://github.com/maxvonhippel/AttackerSynthesis[21] “Transmission Control Protocol,” RFC 793, Sep. 1981. [Online]. Available: https://rfc-editor.org/rfc/rfc793.txt2622] S. Jero, H. Lee, and C. Nita-Rotaru, “Leveraging state information for automated attack discovery in transport pro-tocol implementations,” in
Proceedings of the 45th Annual IEEE/IFIP International Conference on DependableSystems and Networks . IEEE, 2015, pp. 1–12.[23] H. Cho and S. I. Marcus, “On supremal languages of classes of sublanguages that arise in supervisor synthesisproblems with partial observation,”
Mathematics of Control, Signals and Systems , vol. 2, no. 1, pp. 47–69, 1989.[24] R. Brandt, V. Garg, R. Kumar, F. Lin, S. Marcus, and W. Wonham, “Formulas for calculating supremal controllableand normal sublanguages,”