Stefano Marrone

Vulnerability modeling and analysis for critical infrastructure protection applications

Abstract Effective critical infrastructure protection requires methodologies and tools for the automated evaluation of the vulnerabilities of assets and the efficacy of protection systems. This paper presents a modeling language for vulnerability analysis in critical infrastructure protection applications. The language extends the popular Unified Modeling Language (UML) to provide vulnerability and protection modeling functionality. The extended language provides an abstract representation of concepts and activities in the infrastructure protection domain that enables model-to-model transformations for analysis purposes. The application of the language is demonstrated through a use case that models vulnerabilities and physical protection systems in a railway station.

Model-driven availability evaluation of railway control systems

Maintenance of real-world systems is a complex task involving several actors, procedures and technologies. Proper approaches are needed in order to evaluate the impact of different maintenance policies considering cost/benefit factors. To that aim, maintenance models may be used within availability, performability or safety models, the latter developed using formal languages according to the requirements of international standards. In this paper, a model-driven approach is described for the development of formal maintenance and reliability models for the availability evaluation of repairable systems. The approach facilitates the use of formal models which would be otherwise difficult to manage, and provides the basis for automated models construction. Starting from an extension to maintenance aspects of the MARTE-DAM profile for dependability analysis, an automated process based on model-to-model transformations is described. The process is applied to generate a Repairable Fault Trees model from the MARTE-DAM specification of the Radio Block Centre - a modern railway controller.

Enabling the usage of UML in the verification of railway systems: The DAM-rail approach

The need for integration of model-based verification into industrial processes has produced several attempts to define Model-Driven solutions implementing a unifying approach to system development. A recent trend is to implement tool chains supporting the developer both in the design phase and V&V activities. In this Model-Driven context, specific domains require proper modelling approaches, especially for what concerns RAM (Reliability, Availability, Maintainability) analysis and fulfillment of international standards. This paper specifically addresses the definition of a Model-Driven approach for the evaluation of RAM attributes in railway applications to automatically generate formal models. For this aim we extend the MARTE-DAM UML profile with concepts related to maintenance aspects and service degradation, and show that the MARTE-DAM framework can be successfully specialized for the railway domain. Model transformations are then defined to generate Repairable Fault Tree and Bayesian Network models from MARTE-DAM specifications. The whole process is applied to the railway domain in two different availability studies.

Interfaces and binding in component based development of formal models

Component based modeling is of great importance for building and analyzing models of real systems. It is based on a well known paradigm which makes use of abstraction and composition. In this paper we focus on abstraction, by describing a practical approach to the definition of very simple interface models allowing the substitution of components within composed multiformalism models. The work extends the OsMoSys methodology and relies on meta-modeling. This paper does not discuss formal aspects about interface theory and components interaction, but focuses on the problem of building component models in practice with the ultimate goal of solving them by using (the existing) analysis tools. The paper formally extends the OsMoSys conceptual model in order to introduce model interfaces and to provide some rules for interface compatibility. The paper also describes some steps towards the full definition of mechanisms for interface binding and their implementation.

A new modeling approach to the safety evaluation of N-modular redundant computer systems in presence of imperfect maintenance

A large number of safety-critical control systems are based on N-modular redundant architectures, using majority voters on the outputs of independent computation units. In order to assess the compliance of these architectures with international safety standards, the frequency of hazardous failures must be analyzed by developing and solving proper formal models. Furthermore, the impact of maintenance faults has to be considered, since imperfect maintenance may degrade the safety integrity level of the system. In this paper, we present both a failure model for voting architectures based on Bayesian networks and a maintenance model based on continuous time Markov chains, and we propose to combine them according to a compositional multiformalism modeling approach in order to analyze the impact of imperfect maintenance on the system safety. We also show how the proposed approach promotes the reuse and the interchange of models as well the interchange of solving tools.

Using repairable fault trees for the evaluation of design choices for critical repairable systems

Critical repairable systems are characterized by complex architecture and requirements. The evaluation of benefits produced by repair policies on the overall system availability is not straightforward, as policies can be very articulated and different. In order to support this evaluation process, the repairable fault tree (RFT) formalism revealed to be useful and suitable to represent complex repair policies by extending the existing fault tree formalism. In this paper we show how to exploit RFT advantages by evaluating the effects of different repair policies on the availability of the most critical component of ERTMS/ETCS (an European railway standard) systems: the radio block centre (RBC).

Estimation of the Energy Consumption of Mobile Sensors in WSN Environmental Monitoring Applications

The increasing necessity to have wireless sensor nodes capable to be active for a long time without battery recharge asks for technologies and methods that can anticipate the level of energy drain in these devices. In this paper a modelling approach based on Fluid Stochastic Petri Nets is proposed. The main contribution of the paper is the definition of a model to estimate single node performance in presence of several energy consuming entities. The definition of this single node model is relevant in order to properly support the design of more complex network topologies. The paper also reports first experimental results on model analysis mainly conducted by simulation.

Towards Model-Driven V&V assessment of railway control systems

Verification and Validation (V&V) activities aiming at certifying railway controllers are among the most critical and time-consuming in system development life cycle. As such, they would greatly benefit from novel approaches enabling both automation and traceability for assessment purposes. While several formal and Model-Based approaches have been proposed in the scientific literature, some of which are successfully employed in industrial settings, we are still far from an integrated and unified methodology which allows guiding design choices, minimizing the chances of failures/non-compliances, and considerably reducing the overall assessment effort. To address these issues, this paper describes a Model-Driven Engineering approach which is very promising to tackle the aforementioned challenges. In fact, the usage of appropriate Unified Modeling Language profiles featuring system analysis and test case specification capabilities, together with tool chains for model transformations and analysis, seems a viable way to allow end-users to concentrate on high-level holistic models and specification of non-functional requirements (i.e., dependability) and support the automation of the V&V process. We show, through a case study belonging to the railway signalling domain, how the approach is effective in supporting activities like system testing and availability evaluation.

Performability modeling of exceptions-aware systems in multiformalism tools

Exceptions constitute a widely accepted fault tolerance mechanism, suitable to manage both hardware and software faults. In performability analysis it is a common practice to exploit software tools capable of describing a system using models expressed in various formalisms. Often these tools provide extensibility features that allow augmenting the primitives of a given formalism, but in most cases they lack of exception support. This paper aims at filling this gap, by introducing a general mechanism to add support for exception handling to most of the existing formalisms. The validity of the proposed method is supported by two modelling cases that benefit in clarity and economy.

Compositional Modeling of Complex Systems: Contact Center Scenarios in OsMoSys

In this paper we present the application of a compositional modeling methodology to the re-engineering of Stochastic Well Formed net (SWN) models of a contact center. The modeling methodology is based on the definition of proper operators to connect submodels and it is supported by the OsMoSys modeling framework. The paper describes the implementation of a library of reusable SWN submodels of the contact center components and the definition of proper SWN connectors to easily develop models of different configurations of the system. We also describe the solving process of the composed models and its integration in the OsMoSys framework. Moreover, we discuss the advantages that this approach, based on the definition of classes and instances of submodels, can provide to the application of SWN to complex case studies.