Verification of Initial-State Opacity in Petri Nets

Transcription

1 Verifiction of Initil-Stte Opcity in Petri Nets Yin Tong 1, Zhiwu Li, Crl Setzu 3 nd Alessndro Giu 4 Astrct A Petri net system is sid to e initil-stte opque if its initil stte remins opque to n externl oserver (clled n intruder). In other words, the intruder is never le to scertin tht the initil stte elongs to given set of sttes (clled secret) sed on its oservtion of the system s evolution. This pper ddresses the prolem of verifying initil-stte opcity in discrete event systems (DES) modeled y leled Petri nets. An efficient pproch to verifying initil-stte opcity is proposed sed on the notion of sis rechility grph (BRG). To pper s: Y. Tong, Z.W. Li, C. Setzu, A. Giu, Verifiction of Initil-Stte Opcity in Petri Nets, 54nd IEEE Conf. on Decision nd Control (Osk, Jpn), Dec , Yin Tong is with the School of Electro-Mechnicl Engineering, Xidin University, Xi n , Chin, nd lso with DIEE, University of Cgliri, 0913 Cgliri, Itly yintong@stu.xidin.edu.cn Zhiwu Li is with the Institute of Systems Engineering, Mcu University of Science nd Technology, Tip, Mcu, Fculty of Engineering, King Adulziz University, Jeddh 1589, Sudi Ari, nd lso with the School of Electro-Mechnicl Engineering, Xidin University, Xi n , Chin zhwli@xidin.edu.cn 3 Crl Setzu is with the Deprtment of Electricl nd Electronic Engineering, University of Cgliri, 0913 Cgliri, Itly setzu@diee.unic.it 4 Alessndro Giu is with Aix Mrseille Université, CNRS, ENSAM, Université de Toulon, LSIS UMR 796, Mrseille 13397, Frnce nd lso with DIEE, University of Cgliri, Cgliri 0913, Itly lessndro.giu@lsis.org; giu@diee.unic.it

2 I. INTRODUCTION Opcity is n informtion flow property [1], [], [3], [4] which reltes to the system s ility to hide secret ehvior from n intruder [5], [6], [7], [8], [9]. In DES models, the secret is usully defined s suset of the stte spce or lnguge (susequent opcity properties re referred to s stte-sed opcity nd lnguge-sed opcity, respectively), nd the intruder is modeled s n oserver tht hs full knowledge of the system s structure ut only hs prtil oservility over the system s evolution. Bsed on its oservtion, the intruder tries to infer the secret. Initil-stte opcity is stte-sed opcity property. A system is sid to e initil-stte opque if, given set of secret sttes, y oserving the sequence of events generted y the system, the intruder will never e le to infer tht the system s evolution strted from one of the secret sttes. In recent yers, initil-stte opcity hs een extensively studied in the frmework of utomt [8], [10], [11]. It hs een proved tht the verifiction of initil-stte opcity is PSPACE-complete [11]. Soori nd Hdjicostis [10], [11] hve shown tht y constructing the initil-stte estimtor for given nondeterministic finite utomton (NFA), initil-stte opcity cn e verified with complexity O( X ), where X is the set of sttes of the utomton. An initil-stte estimtor is deterministic finite utomton (DFA) whose sttes denote the set of initil sttes where n oserved word could hve strted nd the current sttes tht it yields. As long s n initil-stte estimtor is uilt, there is no need to reconstruct it when the secret is modified. For specific secret, verifiers re introduced in [11] to study initil-stte opcity. Insted of precisely estimting the initil stte, the verifier only records if stte is rechle from secret/non-secret sttes. Therefore, the verifiction complexity is reduced to O(4 X ). Menwhile, Wu nd Lfortune [8] propose more efficient method whose complexity is O( X ). They show tht the oserver of the reverse utomton cn e used to estimte the initil stte. Bryns et l. [4] proved tht the verifiction of initil-stte opcity for ounded PNs is decidle when the initil stte is defined s finite set of initil mrkings nd the secret is suset of it. However, in PNs the initil-stte opcity prolem is very difficult in generl, nd so fr no efficient method hs een proposed yet. For ounded PNs we my construct its rechility grph (RG), which is n utomton, so tht the forementioned pproches in utomt could e pplied. Nevertheless, this pproch will inevitly suffer from the stte explosion prolem. As compct description of the RG, sis rechility grph (BRG) hs een used to solve prolems of stte estimtion, fult dignosis [1] nd current-stte opcity [13]. The dvntge of this technique is tht only prt of the rechility spce, i.e., the set of sis mrkings (see Section IV.A), hs to e enumerted, nd ll other rechle mrkings cn e chrcterized in terms of liner lger. The BRG of PN, in generl, is smller thn the RG, ut it well chrcterizes oth the rechle mrkings nd the ehvior (lnguge) of the corresponding PN. In this pper, the verifiction of initil-stte opcity in ounded leled Petri nets is ddressed. The secret is defined s suset of the rechle mrkings. A leled Petri net is initil-stte opque with respect to secret if the intruder cn never infer tht the oserved sequence origins from secret mrking. It is known tht net is initil-stte opque if nd only if the lnguge generted from secret mrkings is suset of the lnguge generted

3 from non-secret mrkings. Therefore, the initil-stte opcity prolem in ounded leled Petri nets is trnsformed into the lnguge continment prolem in its RG. Considering tht the intruder would never distinguish possile non-secret mrking tht is rechle from secret initil mrking y firing only unoservle trnsitions, we mke the following resonle ssumption: ll mrkings rechle from secret mrking y firing only unoservle trnsitions elong to the secret. Under this ssumption, we show tht initil-stte opcity of ounded net cn e verified y justifying the lnguge continment in the corresponding BRG. Therefore, compred with using RG, the pproch proposed in this work is more efficient in generl. II. PRELIMINARIES A. Automt A non-deterministic finite-stte utomton (NFA) is 4-tuple A = (X, E,, x 0 ), where X is the finite set of sttes, E = {,, } is the lphet, X E X is the trnsition reltion with E = E {}, where is the empty word descriing unoservle events, nd x 0 X is the initil stte. The trnsition reltion specifies the dynmics of the NFA: if (x, e, x ), then from stte x the occurrence of event e E yields stte x. The trnsition reltion cn e extended to X E X: (x j0, w, x jk ) if there exists sequence of events nd sttes x j0 e j1 x j1 x jk 1 e jk x jk such tht σ = e j1... e jk genertes the word w E, x ji X for i = 0, 1,..., k, nd e ji E, (x ji 1, e ji, x ji ) for i = 1,,..., k. An NFA is denoted s A = (X, E, ) in the cse where the initil stte could e ny stte from X. The generted lnguge of n utomton A = (X, E, ) from stte x X is defined s L(A, x) = {w E x X : (x, w, x ) }. Generlly, given set of sttes Y X, we define L(A, Y ) = x Y L(A, x) the lnguge generted from the sttes in Y. B. Petri nets A Petri net is structure N = (P, T, P re, P ost), where P is set of m plces represented y circles; T is set of n trnsitions represented y rs; P re : P T N nd P ost : P T N re the pre- nd post-incidence functions tht specify the rcs directed from plces to trnsitions, nd vice vers. The incidence mtrix of net is denoted y C = P ost P re. A mrking is vector M : P N tht ssigns to ech plce non-negtive integer numer of tokens, represented y lck dots. The mrking of plce p is denoted y M(p). For economy of spce, mrkings cn lso e denoted s M = p P M(p) p (see Fig.5). A Petri net system N, M 0 is net N with initil mrking M 0. A trnsition t is enled t mrking M if M P re(, t) nd my fire yielding new mrking M = M +C(, t). We write M[σ to denote tht the sequence of trnsitions σ = t j1 t jk is enled t M, nd M[σ M to denote tht the firing of σ yields M. Given sequence σ T, we cll π : T N n the function tht ssocites with σ the Prikh vector y = π(σ) N n, i.e., y(t) = k if trnsition t ppers k times in σ. 3

4 A mrking M is rechle in N, M 0 if there exists sequence σ such tht M 0 [σ M. The set of ll mrkings rechle from M 0 defines the rechility set of N, M 0 nd is denoted y R(N, M 0 ). A PN system is ounded if there exists non-negtive integer k N such tht for ny plce p P nd for ny rechle mrking M R(N, M 0 ), M(p) k holds. A leled Petri net (LPN) is 4-tuple G = (N, M 0, E, l), where N, M 0 is the PN system, E is the lphet ( set of lels) nd l : T E {} is the leling function tht ssigns to ech trnsition t T either symol from E or the empty word. Therefore, the set of trnsitions cn e prtitioned into two disjoint sets T = T o T u, where T o = {t T l(t) E} is the set of oservle trnsitions nd T u = {t T l(t) = } is the set of unoservle trnsitions. The leling function cn e extended to firing sequences l : T E, i.e., l(σt) = l(σ)l(t) with σ T nd t T. The unoservle rech of mrking M is defined s U(M) = {M N n σ u Tu : M[σ u M }, i.e., the set of mrkings rechle from M y firing unoservle trnsitions. Given n LPN G = (N, M 0, E, l) nd mrking M R(N, M 0 ), we define the lnguge generted from M s L(N, M) = {w E σ T : M[σ nd l(σ) = w}. The generted lnguge of G is L(N, M 0 ). Furthermore, given set of mrkings Y R(N, M 0 ) of G, we define L(N, Y ) = M Y L(N, M) the lnguge generted from mrkings in Y. Given n LPN G = (N, M 0, E, l) nd the set of unoservle trnsitions T u, the T u -induced sunet N = (P, T, P re, P ost ) of N, is the net tht removes ll oservle trnsitions in T o, where P re nd P ost re the restriction of P re, P ost to T u. The incidence mtrix of the T u -induced sunet is denoted y C u = P ost P re. III. INITIAL-STATE OPACITY IN PETRI NETS A. Initil-stte opcity Definition 3.1: Given n LPN G = (N, M 0, E, l), secret is set of rechle mrkings S R(N, M 0 ). A mrking M S is sid to e secret mrking. Mrkings in S = R(N, M 0 ) \ S re non-secret mrkings. Definition 3.: Let G = (N, M 0, E, l) e n LPN nd S R(N, M 0 ) e secret. G is sid to e initil-stte opque wrt S if M S, w L(N, M) M S : w L(N, M ). In simple words, PN is initil-stte opque if for ny word w tht cn e oserved strting from some secret mrkings in S, there lwys exists (t lest) one non-secret mrking from which w could lso e generted so tht the intruder cnnot estlish if the system strted its evolution from secret or non-secret mrking. B. Verifiction of initil-stte opcity using RG Bsed on the given secret, we define the secret lnguge nd the non-secret lnguge. Definition 3.3: Given n LPN G = (N, M 0, E, l) nd secret S R(N, M 0 ), its secret lnguge is defined s L(N, S) = L(N, M), M S 4

5 nd its non-secret lnguge is defined s L(N, S) = L(N, M). M S Lemm 3.4: Let G = (N, M 0, E, l) e n LPN nd S e secret. G is initil-stte opque wrt S if nd only if L(N, S) L(N, S). Proof: Follows from Definitions 3. nd 3.3. Lemm 3.4 shows tht n LPN is opque with respect to given secret if nd only if its secret lnguge is suset of the non-secret lnguge. As result, the initil-stte opcity prolem in PNs is equivlent to the lnguge continment prolem. Therefore, in the cse of ounded nets, y constructing the RG, ll methods of verifying lnguge continment in utomt cn e pplied to solving the opcity prolem. The complexity of checking lnguge continment of two NFA hving the sme numer of sttes is O(4 X ), where X is the set of sttes [14]. Therefore, the size of the RG gretly ffects the efficiency of verifying initil-stte opcity in ounded PNs. IV. VERIFYING INITIAL-STATE OPACITY USING BRG To the est of our knowledge, no lterntive method to the one in Section III-B hs een proposed to verify initilstte opcity in ounded PNs. However, such n pproch suffers from the well-known stte explosion prolem, since the RG needs to e constructed. To overcome the potentil stte explosion prolem, we propose new method sed on BRG nlysis. A. Bsis rechility grph In the work of Csino et l. [1], [15], compct wy to represent the rechility set of PN is proposed to solve the fult dignosis prolem. Under the ssumption tht the T u -induced sunet is cyclic, only prt of the rechle mrkings of the PN, clled sis mrkings, re computed, while, ll non-sis mrkings re chrcterized y set of liner equtions ssocited with ech sis mrking. Using the notion of sis mrkings, the sis rechility grph (BRG) is defined. It is n NFA in which ech stte corresponds to sis mrking nd ll events re oservle. The BRG well preserves the informtion on the rechility set, s well s on the evolution of the PN, while its structure is usully much more compct thn the RG nd the stte explosion prolem my often e voided. The BRG s proposed in [1], [15] lso includes some dignosis informtion, which re redundnt for opcity verifiction. Herein we redefine the BRG neglecting such informtion. Before providing the lgorithm for its construction, let us recll some key definitions [1]. Definition 4.1: Given mrking M nd n oservle trnsition t T o, we define Σ(M, t) = {σ Tu M[σ M, M P re(, t)} the set of explntions of t t M. Thus Σ(M, t) is the set of unoservle sequences whose firing t M enles t. Among ll the explntions, we re interested in finding the miniml ones, i.e., the ones whose firing vector is miniml. 5

6 Definition 4.: Given mrking M nd n oservle trnsition t T o, we define Σ min (M, t) = {σ Σ(M, t) σ Σ(M, t) : π(σ ) π(σ)} the set of miniml explntions of t t M nd Y min (M, t) = {y u N nu σ Σ min (M, t) : y u = π(σ)} the corresponding set of miniml e-vectors. Algorithm 1 constructs the BRG without dignoser s sttes. We denote the BRG s n NFA B = (M B, E, ), where M B is the set of sis mrkings of the LPN, nd ll events re oservle. The trnsition reltion M B E M B is determined y the following rule. From mrking M if there is n oservle trnsition t for which n explntion exists, i.e., Σ(M, t), nd the firing of t nd one of its miniml explntions led to M, then n edge from stte M to stte M leled y l(t) is dded in the BRG, i.e., (M, l(t), M ). Algorithm 1 Construction of the BRG Input: A ounded LPN G = (N, M 0, E, l) whose T u -induced sunet is cyclic. Output: The BRG B = (M B, E, ) 1: Let M B = {M 0 } nd ssign no tg to M 0 ; : while sttes with no tg exist, do 3: select stte M M B with no tg; 4: for ll t s.t. l(t) E nd Y min (M, t), do 5: for ll y u Y min (M, t), do 6: M := M + C u y u + C(, t); 7: if M / M B, then 8: M B := M B {M }; 9: ssign no tg to M ; 10: end if 11: = {(M, l(t), M )}; 1: end for 13: end for 14: tg node M s old ; 15: end while 16: Remove ll tgs. Given word w L(B, M 0 ), sed on Algorithm 1, if (M 0, w, M) then M is the mrking reched from M 0 y firing n oservle sequence σ o tht produces w nd eventully interleved with some unoservle trnsitions whose firing is necessry to enle σ o. Therefore, M B R(N, M 0 ). Notice tht to pply BRG, two ssumptions re mde: A1) the LPN G is ounded, nd 6

7 ) 5 t 4 () t 1 () t () t 3 () p 1 p p 3 p 4 t 5 () Fig. 1. An LPN whose T u-induced sunet is cyclic.. Theorem 4.3: [1] Let G = (N, M 0, E, l) e n LPN whose T u -induced sunet is cyclic nd M B e the set (M 0,1) of sis mrkings. A mrking M is rechle if nd only if there exists sis mrking M M B such tht M U(M ). Theorem 4.3 (M 1 shows,1) tht for ny rechle (M 4,1) (M (M,1),1) mrking M, we cn lwys find sis mrking from which M cn e reched y firing unoservle trnsitions. On (M the 5,1) other hnd, given sis mrking M, if M is rechle from M y firing unoservle trnsitions, it is lso rechle from M 0. Note tht the if sttement is true, even if Assumption (MA) 3,0) is removed. (M 0,0) (M 4,0) (M 4,0) As result of Theorem 4.3, considering the T u -induced sunet is cyclic mrking is rechle from M 0 if (M 5,0) (M 5,0) nd only if there exists sis mrking M such tht M = M + C u y u llows non-negtive integer solution cn lso e generted. In ddition, the lnguge generted from stte M in the BRG is superset of the lnguge (M,1) (M 0,1) (M,1) (M 0,1),(M 4,0) generted from the(mmrking 5,0) M U(M ) with M M. Exmple 4.5: Let us consider the LPN in Fig. 1. Trnsitions t 1 nd t 3 re oservle. The lels ssigned to them re nd, respectively. For this net, there re 10 rechle mrkings nd its RG is shown in Fig.. However, there (M 4,0) (M 1,1) (M 1,1) (M 4,0) (M 5,0) (M,1) (M,1) (M 5,0),0),(M 4,0),0) A) the T u -induced sunet of G is cyclic. Assumption A1) mkes sure tht the numer of sis mrkings is finite so tht Algorithm 1 cn hlt, nd Assumption A) is common technicl ssumption when prtil oservtion prolems, e.g., fult dignosis or oservility, re considered. It llows to use the stte eqution to chrcterize the set of mrkings reched from sis mrking firing unoservle trnsitions. y u N nu. Proposition 4.4: Let G = (N, M 0, E, l) e ounded LPN, nd B = (M B, E, ) e its BRG. Given sis mrking M M B nd mrking M U(M ) with M M, we hve L(N, U(M )) = L(B, M ), nd L(N, M) L(B, M ). Proof: Since M U(M ), L(N, U(M )) = L(N, M ). Therefore, L(N, U(M )) = L(B, M ). Moreover, s M U(M ), L(N, M) L(N, U(M )) holds, i.e., L(N, M) L(B, M ). According to Proposition 4.4, the BRG of PN descries the lnguge generted from rechle mrkings s well. If word cn e generted from rechle mrking, there must exist sis mrking from which the word (M 0,1),(M 4,0) (M,1) (M 5,0) 7

8 t 5() +p t 1() t () M 1 =p M 5 =p 1 +p 3 t 4 () t () t 1() t 3() t 4() t 4() t 1() M 6 =p +p 3 t 1() t () t 3() t 4() t 1() M =p 1 t+p 1 () 4 M 8 =p 1 t () t 3 () t 5() M 3 =p +p 4 t () M 7 =p 3 t 3() M 9 =p 3 +p 4 t 3() M 4 =p 4 p 1 p p 3 p 4 t 4() t 5() t 5() t 5 () Fig.. The RG of the LPN in Fig. 1. t 1 () t 1 () t 1 () t 3 () t () p 1 p p 3 MWRONG 0 =p 1 +p EXAMPLE t 1() t 3() M 1 =p M =p 1 +p 4 t 1 () t 3 () t 1 () M 3 =p +p 4 t 3 () t 1 () M 1 =p t () M =p 3 t () M =p 3 M 0,M 1,M, M 3,M 4 M 0,M 1,M 3 M 1 t 3 () t 1 () t 4 () M 4 =p 4 t 4 () t 1 () t 1 () t 1 () t 1 () t () t 3 () Fig. 3. The BRG of the LPN in Fig. 1. M 1 =p t () M 1 =p t 3 () p 1 p p 3 p 4 M =p 3 t 3 () M 3 =p 4 M 3 =p 4 re only 5 sis mrkings M B = {M 0,..., M 4 }, nd the corresponding BRG is shown in Fig. 3. It holds U(M 0 ) = {M 0, M 5, M 8 }, U(M 1 ) = {M 1, M 5, M 6, M 7, M 8 }, U(M ) = {M, M 8 }, U(M 3 ) = {M 0, M 3, M 5, M 8, M 9 } nd U(M 4 ) = {M, M 4, M 8 }. Finlly, Proposition 4.4 cn e esily verified. B. Reduction to the lnguge continment on the BRG p +p +p 3 t () t 1() +p +p 3 p 1 t 1 () t () M 1 =p 1 M =p +p 3 M 1 =p 1 In this section we show tht, when certin ssumption on the secret is stisfied, the lnguge continment p 3 t () prolem etween the secret nd non-secret lnguges cn e reduced to the corresponding prolem of the lnguge M 3 =p generted in the BRG. Nmely, initil-stte opcity of n ounded LPN cn e verified y just nlyzing the BRG. Definition 4.6: Let G = (N, M 0, E, l) e n LPN, M B e the set of sis mrkings, nd S e secret. The secret sis mrking set S B is defined s S B = M B S, nd the non-secret sis mrking set S B is defined s S B = M B S t ()

9 t 4 () t 4 () t 1 () t 1 () t 1 () t () t 3 () M 1 =p t () p 1 p p 3 p 4 M =p 3 t 3 () Fig. 4. An LPN tht is initil-stte opque wrt S = {M 0, M }. M 3 =p 4 Given n LPN G = (N, M 0, E, l), its BRG B nd the secret S, it lwys holds L(B, S B ) L(N, S) nd L(B, S B ) L(N, S), since S B S nd S B S. Therefore, L(B, S B ) L(B, S B ) does not necessrily indicte tht L(N, S) L(N, S), or vice vers. In other words, y just constructing the BRG, initil-stte opcity of the LPN cnnot e decided for ritrry secrets. In the rest of this pper we mke the following dditionl ssumption: A3) M S, t T u : M[t M nd M / S. In other words, for ll secret mrkings there does not exist n unoservle trnsition tht leds to non-secret one. This is equivlent to ssuming tht ll mrkings in the unoservle rech of secret mrking elong to the secret. Note tht this ssumption cn e relxed y considering ll unoservle trnsitions violting Assumption A3) s oservle nd then constructing the modified BRG (see [16]). However, the numer of sttes in the modified BRG will increse. We now prove tht if Assumptions A1) to A3) re stisfied, the non-secret lnguge of net coincides with the non-secret lnguge of its BRG. Proposition 4.7: Let G = (N, M 0, E, l) e n LPN nd S e secret, which stisfy Assumptions A1) to A3). Let B e the BRG nd M B e the set of sis mrkings of G, then we hve L(B, S B ) = L(N, S). Proof: We provide sketch of the complete proof tht cn e found in [17]. The continment is trivil since S B S. Now we prove lso holds: if word is generted from nonsecret mrking, there lwys exists nonsecret sis mrking from which the word cn e generted (otherwise Assumption A3 will e contrdicted). Note tht for the secret lnguge it does not necessrily hold tht L(B, S B ) = L(N, S). Exmple 4.8: Let us consider the LPN in Fig. 4. Let S = {M 0, M } tht stisfies Assumption A3). Bsed on the BRG in Fig. 5(), we hve S B = {M 0 } nd L(N, S B ) = {, n n 1}. However, L(N, S) = {, n n 0}, i.e., L(N, S B ) L(N, S). However, the following proposition shows tht under Assumptions A1) to A3) the lnguge continment etween secret nd non-secret lnguges cn e verified y just nlyzing the BRG. Proposition 4.9: Let G = (N, M 0, E, l) e n LPN nd S e secret, which stisfy Assumptions A1) to A3). 9

10 t 4 () 1() t () t 3 () t 3 () p p 3 t 4 () p 4 t 4 () t 1 () M 1 =p t () t 1 () M 1 =p t () M =p 3 t 3 () t 1 () Mt 1 () 0 =p 1 t 1 () M 1 =p t 1 () M 1 =p t 3 () t M 3 =p 4 3 () p 3 p 4 M =p 3 t 3 () () M 3 =p 4 M 3 =p 4 () M 3 =p 4 Fig. 5. The RG () nd the BRG () of the LPN in Fig. 4. p +p +p 3 Let B e the BRG nd M t B e the set of sis mrkings of G. It holds () t 1 () L(B, S t () M 1 =p M B ) L(B, S 1 =p +p B ) L(N, S) L(N, 3 MS). 1 =p 1 p 3 Proof: We provide sketch of the completet proof () tht cn e found in [17]. According to Propositions 4.4 nd M 3 =p +p +p 3 4.7, we just need to prove L(N, S B ) L(N, S) L(N, S) L(N, S). The prt is trivil since L(N, S B ) L(N, S). Now we prove prt lso holds. Since for ll secret mrkings M tht re not sis mrkings there exists secret sis mrking M such tht M is rechle from M y firing unoservle trnsitions, words generted from M cn e lso generted from M, i.e., L(N, S \ S B ) L(N, S B ) L(N, S). Therefore, under Assumptions A1) to A3), insted of nlyzing the RG, we could verify the lnguge continment in the BRG to check if given LPN is opque wrt secret. Corollry 4.10: Let G = (N, M 0, E, l) e n LPN nd S e secret, which stisfy Assumptions A1) to A3). Let B e the BRG nd M B e the set of sis mrkings. G is initil-stte opque wrt S if nd only L(B, S B ) L(B, S B ). Proof: It follows from Lemm 3.4 nd Proposition 4.9. In other words, Corollry 4.10 proves tht the initil-stte opcity prolem in PNs is equivlent to the lnguge continment prolem in the corresponding BRG. C. Verifiction of initil-stte opcity In this section we first riefly recll technique tht is used to verify initil-stte opcity in utomt [8]. Bsed on the result in the previous section, we show tht y pplying the technique to the BRG of n LPN, initil-stte opcity of the LPN cn e effectively verified. In [8] n utomton clled n initil-stte estimtor is proposed sed on the reverse utomton. Given n utomton A without specifying its initil stte, the corresponding initil-stte estimtor A e is the oserver of its reverse utomton A r, i.e., the utomton is otined y revising ll rcs in A. In A e, the stte reched y word w is the set of sttes from which the word w cn e generted in A, where w is the reverse of w. t () 10

11 Fig. 6. An utomton A ,1,,3 0, 1, () ,1,,3 0, 1,3 1 0,1,,3 0, 1,3 0 1 () Fig. 7. The reverse utomton () nd the initil-stte estimtor () of the utomton in Fig. 6. Exmple 4.11: Let us consider the utomton A in Fig. 6 presented in [10]. Its reverse utomton A r nd the corresponding oserver A e, i.e., the initil-stte estimtor, re shown in Figs. 7() nd 7(), respectively. Let w =. In the estimtor, the reched stte is {1}, which implies tht the set of sttes tht cn generte w = in A is {1}. Theorem 4.1: [8] Let A = (X, E, ) e n utomton nd A e = (X, E, e, X 0 ) e the corresponding initilstte estimtor. Given set of sttes Y X, we hve L(A, Y ) L(A, Y ) if nd only if X e X, X e Y, where Y = X \ Y. In other words, to verify the lnguge continment the oserver of the reverse utomton needs to e constructed. The verifiction of the lnguge continment L(A, Y ) L(A, Y ) hs complexity of O( X ). Furthermore, ccording to Lemm 3.4, initil-stte opcity in ounded PNs cn e verified y pplying Theorem 4.1 to the RG. Therefore, the complexity of verifying initil-stte opcity in ounded PNs is O( R(N,M0) ). However, if the PN 11

12 5 +p ) t 3 () p M =p 1 +p 4 () t 1 () t 1 () M 0,M 1,M, M 3,M 4 M 0,M 1,M 3 M 1 M 3 =p +p 4 t 3 () t 1 () M 4 =p 4 Fig. 8. The initil-stte estimtor of the BRG in Fig. 3. nd the secret stisfy Assumptions A1) to A3), Theorem 4.1 cn e directly pplied on BRG ;0' Corollry 4.13: Let G = (N, M 0, E, l) e n LPN, S e secret tht stisfy Assumptions A1) to A3), B e the BRG of G, M B e the set of sis mrkings, nd B e = (X, E, e, X 0 ) e the corresponding initil-stte estimtor of B. LPN G is initil-stte opque wrt S if nd only if X e X, X e S B, where S B = M B S. Proof: Follows from Corollry 4.10 nd Theorem 4.1. Therefore, the complexity of using BRG to verify initil-stte opcity is O( MB ). In generl, given ounded PN, it is M B R(N, M 0 ), therefore, the efficiency of using BRG to verify opcity will not e worse thn tht of using RG. In prticulr, when unoservle trnsitions re considered, the BRG will e smller thn the RG. Moreover, exhustive enumertion is not needed to compute the BRG. Therefore, BRG rings ig dvntges over RG for verifying initil-stte opcity. Exmple 4.14: Consider gin the LPN in Fig. 1. The initil-stte estimtor of its BRG is shown in Fig. 8. Let S = {M 0, M, M 5, M 8, M 9 }, then S B = {M 0, M } nd S B = {M 1, M 3, M 4 }. According to Corollry 4.13, G is initil-stte opque wrt S, since no stte of the estimtor either coincides with S B or is strictly contined in it. V. CONCLUSIONS AND FUTURE WORK In this pper we propose n efficient pproch to verifying initil-stte opcity in ounded Petri nets. We proved tht under n cceptle ssumption on the secret, the verifiction of initil-stte opcity cn e trnsformed into lnguge continment prolem in the sis rechility grph (BRG). Therefore, initil-stte opcity cn e verified using BRG nlysis rther thn rechility grph nlysis, which provides dvntges in terms of computtionl complexity. Our future reserch will e focused on relxing the ssumption on the secret nd extend the use of the BRG to the lnguge-sed opcity nlysis. 1

13 ACKNOWLEDGMENT This work ws supported in prt y the Ntionl Nturl Science Foundtion of Chin under Grnt No , , the Recruitment Progrm of Glol Experts, nd the Science nd Technology Deprtment Fund, MSAR, under Grnt No. 066/013/A, nd the Itlin Ministry of Foreign Affir nd Interntionl Coopertion (MAECI) under project Roust Decentrlised Estimtion for lrge-scle systems (RODEO)-PGR0015. REFERENCES [1] N. Busi nd R. Gorrieri. A survey on non-interference with Petri nets. In Lectures on Concurrency nd Petri Nets, pges Springer, 004. [] V. Shmtikov. Proilistic nlysis of n nonymity system. J. of Computer Security, 1(3): , 004. [3] N.B. Hdj-Aloune, S. Lfrnce, F. Lin, J. Mullins, nd M.M. Yeddes. On the verifiction of intrnsitive noninterference in mulitlevel security. IEEE Trns. on Systems, Mn, nd Cyernetics, Prt B: Cyernetics, 35(5): , 005. [4] J.W. Bryns, M. Koutny, nd P.Y. Ryn. Modelling opcity using Petri nets. Electronic Notes in Theoreticl Computer Science, 11: , 005. [5] J.W. Bryns, M. Koutny, L. Mzré, nd P.Y. Ryn. Opcity generlised to trnsition systems. Int. J. of Informtion Security, 7(6):41 435, 008. [6] A. Soori nd C.N. Hdjicostis. Notions of security nd opcity in discrete event systems. In 46th IEEE Conf. on Decision nd Control, pges , 007. [7] E. Bdouel, M. Bednrczyk, A. Borzyszkowski, B. Cillud, nd P. Drondeu. Concurrent secrets. Discrete Event Dynmic Systems, 17(4):45 446, 007. [8] Y. Wu nd S. Lfortune. Comprtive nlysis of relted notions of opcity in centrlized nd coordinted rchitectures. Discrete Event Dynmic Systems, 3(3): , 013. [9] R. Jco, J.J Lesge, nd J.M Fure. Opcity of discrete event systems: models, vlidtion nd quntifiction. In DCDS15. [10] A. Soori nd C.N. Hdjicostis. Verifiction of initil-stte opcity in security pplictions of DES. In 9th Int. Workshop on Discrete Event Systems, pges , 008. [11] A. Soori nd C.N. Hdjicostis. Verifiction of initil-stte opcity in security pplictions of discrete event systems. Informtion Sciences, 46:115 13, 013. [1] M.P. Csino, A. Giu, M. Pocci, nd C. Setzu. Discrete event dignosis using leled Petri nets. n ppliction to mnufcturing systems. Control Engineering Prctice, 19(9): , 011. [13] Y. Tong, Z.W. Li, C. Setzu, nd A. Giu. Verifiction of current-stte opcity using Petri nets. In 015 Americn Control Conf., 015. [14] C.G. Cssndrs nd S. Lfortune. Introduction to discrete event systems. Springer, 008. [15] M.P. Csino, A. Giu, nd C. Setzu. Fult detection for discrete event systems using Petri nets with unoservle trnsitions. Automtic, 46(9): , 010. [16] M.P. Csino, A. Giu, nd C. Setzu. Dignosility of discrete-event systems using leled Petri nets. IEEE Trns. on Automtion Science nd Engineering, 11(1): , 014. [17] Y. Tong, Z.W. Li, C. Setzu, nd A. Giu. Proofs. setzu/cdc15-proofs.pdf. 13