A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow

Size: px

Start display at page:

Download "A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow"

Hubert Willis
5 years ago
Views:

1 A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow Brandon Bohrer and André Platzer Logical Systems Lab Computer Science Department Carnegie Mellon University LICS 18 1 / 21

develop dhl, a hybrid logic for hybrid-dynamical systems and 2) apply dhl to

2 Outline: Hybrid {Dynamics, Logic, Power} Hybrid Logic Logic dhl Hybrid Dynamics HDIF Information Flow Smart Grid Hybrid Model Hybrid Power We 1) develop dhl, a hybrid logic for hybrid-dynamical systems and 2) apply dhl to verify hybrid dynamic information flow HDIF for 3) security of a hybrid power grid. 2 / 21

3 CPS are Safety-Critical and Ubiquitous Grid Transport Medical How can we design cyber-physical systems people can bet their lives on? Jeanette Wing 3 / 21

4 Secure Information Flow is Safety Critical Grid Transport Medical Overloads Position Spoofing Hijacking 3 / 21

5 Results Only as Good as the Model Related work: Verified discrete event model of FREEDM grid Did not model physical dynamics 4 / 21

6 Results Only as Good as the Model Related work: Verified discrete event model of FREEDM grid Did not model physical dynamics Event model can t catch vulnerabilities in dynamics! 4 / 21

7 Expressive Hybrid Models Provide Expressive Flows Hybrid dynamics: Mix and match discrete and continuous Hybrid-Dynamic Information Flow (HDIF): Information can flow in both discrete and continuous channels 5 / 21

8 Expressive Hybrid Models Provide Expressive Flows Hybrid dynamics: Mix and match discrete and continuous Hybrid-Dynamic Information Flow (HDIF): Information can flow in both discrete and continuous channels How do we model and verify HDIFs? 5 / 21

9 Outline 1 dhl: Hybrid {Dynamics, Logic} 2 FREEDM Case Study: Hybrid Power 3 Theory: Soundness and Reducibility 6 / 21

10 Example Hybrid System: Diesel Generator Generator consumes Fuel to produce power for the grid. α gen def ((p := 0 (p := ;?(Fuel > 0 0 p maxp)); {Fuel = p, gr = p & Fuel 0}) Questions: Can grid observer detect fuel level? Program Meaning {x = θ & ψ} Evolve ODE x = θ, but only while ψ holds x := Assign randomly to x?φ Test whether φ holds α β Run α or β α Run α any number of times in sequence 7 / 21

11 Dynamic Logic Operators Definition (dl Formulas, Fragment of dhl) φ, ψ ::= φ ψ φ x : R φ θ 1 θ 2 α φ First-order classical logic Real-valued terms θ 1, θ 2 Dynamic modality α φ says φ holds after some run of α. 8 / 21

12 Dynamic Logic Operators Definition (dl Formulas, Fragment of dhl) α can reach φ φ, ψ ::= φ ψ φ x : R φ θ 1 θ 2 α φ First-order classical logic Real-valued terms θ 1, θ 2 Dynamic modality α φ says φ holds after some run of α. 8 / 21

13 Program Axioms Decompose Dynamics x = F & q(x) p(x) t 0(p(y(t)) 0 s t q(y(s))) a b P ( a P b P) α out in α β β out 9 / 21

14 dhl Adds Hybrid Logic Definition (dhl, Hybrid-Logical Operators) φ w φ s : W φ s φ w Evaluate formulas φ or terms θ and named world w. Quantifiers s : W φ, s : W φ, and s φ (binds current world) Nominal predicate w holds exactly in world named n p(f 1,... F m ) p(@ n F n F m s p(s) s : W (s n n 10 / 21

15 Go to world w dhl Adds Hybrid Logic Definition (dhl, Hybrid-Logical Operators) φ w φ s : W φ s φ w Evaluate formulas φ or terms θ and named world w. Quantifiers s : W φ, s : W φ, and s φ (binds current world) Nominal predicate w holds exactly in world named n p(f 1,... F m ) p(@ n F n F m s p(s) s : W (s n n 10 / 21

16 Go to world w Exists world dhl Adds Hybrid Logic Definition (dhl, Hybrid-Logical Operators) φ w φ s : W φ s φ w Evaluate formulas φ or terms θ and named world w. Quantifiers s : W φ, s : W φ, and s φ (binds current world) Nominal predicate w holds exactly in world named n p(f 1,... F m ) p(@ n F n F m s p(s) s : W (s n n 10 / 21

17 Go to world w Exists world Remember world in s dhl Adds Hybrid Logic Definition (dhl, Hybrid-Logical Operators) φ w φ s : W φ s φ w Evaluate formulas φ or terms θ and named world w. Quantifiers s : W φ, s : W φ, and s φ (binds current world) Nominal predicate w holds exactly in world named n p(f 1,... F m ) p(@ n F n F m s p(s) s : W (s n n 10 / 21

18 Go to world w Exists world Remember world in s Test world dhl Adds Hybrid Logic Definition (dhl, Hybrid-Logical Operators) φ w φ s : W φ s φ w Evaluate formulas φ or terms θ and named world w. Quantifiers s : W φ, s : W φ, and s φ (binds current world) Nominal predicate w holds exactly in world named n p(f 1,... F m ) p(@ n F n F m s p(s) s : W (s n n 10 / 21

19 Nondeducibility Information Flow Program α is nondeducibility-secure with bisimulation R when i 1, i 2, o 1 : W i1 α o 1 R(i 1, i 2 i2 α o 2 R(o 1, o 2 ) ) R(k 1, k 2 ) def θ L (@ k1 θ k2 θ) (i.e., k 1, k 2 agree on L) i 1 α o 1 R R i 2 α o 2 All similar inputs would have made similar outputs possible 11 / 21

20 Derived Rules Simplify HDIF Proofs Relational reasoning proceeds structurally on programs i1 α m 1 R i (i 1, i 2 i2 α m 2 R m (m 1, m 2 m1 β o 1 R m (m 1, m 2 m2 β o 2 R o (o 1, o 2 i1 α; β o 1 R i (i 1, i 2 i2 α; β o 2 R o (o 1, o 2 ) α; β i 1 α m 1 β o 1 R i R m R o i 2 α m 2 β o 2 α; β 12 / 21

21 Derived Rules Simplify HDIF Proofs Relational reasoning proceeds structurally on programs i1 α m 1 R i (i 1, i 2 i2 α m 2 R m (m 1, m 2 m1 β o 1 R m (m 1, m 2 m2 β o 2 R o (o 1, o 2 i1 α; β o 1 R i (i 1, i 2 i2 α; β o 2 R o (o 1, o 2 ) α; β i 1 α m 1 β o 1 R i R m R o i 2 α m 2 β o 2 α; β Bisimulation rules are all derived! 12 / 21

22 Outline 1 dhl: Hybrid {Dynamics, Logic} 2 FREEDM Case Study: Hybrid Power 3 Theory: Soundness and Reducibility 13 / 21

23 Example: FREEDM Smart Grid Battery B 1 B 2 Demand Transformer Resource Grid d 1 r 1 T Link 1 T 2 p 1 p 2 gr d 2 r 2 Our hybrid model reveals a bug missed by the event-based model 14 / 21

24 FREEDM: Formal Model α F (ctrl; plant) ctrl migrate; bat migrate { d i, r i := ;?(d i, r i 0); n i := d i (r i + p i ); if (n i thresh n ī < 0) { m := Migrate(i)} else { m := 0} } plant {p i = 1 i m, B i = b i, b i = bm i, gr = grm, t = 1 & B i 0} bat I gr, bm i, vgridmig := 0; if ((n i 0 Full) (n i > 0 Emp)){ { ToBat(n i, m)} else { ToGrid(n i, m)} bat S gr, bm i, vgridmig := 0; (?(Full (ni > 0 Emp)); ToBat(n i, m) ) (ToGrid(n i, m)) 15 / 21

25 Load Balance α F (ctrl; plant) FREEDM: Formal Model ctrl migrate; bat migrate { d i, r i := ;?(d i, r i 0); n i := d i (r i + p i ); if (n i thresh n ī < 0) { m := Migrate(i)} else { m := 0} } plant {p i = 1 i m, B i = b i, b i = bm i, gr = grm, t = 1 & B i 0} bat I gr, bm i, vgridmig := 0; if ((n i 0 Full) (n i > 0 Emp)){ { ToBat(n i, m)} else { ToGrid(n i, m)} bat S gr, bm i, vgridmig := 0; (?(Full (ni > 0 Emp)); ToBat(n i, m) ) (ToGrid(n i, m)) 15 / 21

26 Load Balance α F (ctrl; plant) FREEDM: Formal Model ctrl migrate; bat migrate { d i, r i := ;?(d i, r i 0); n i := d i (r i + p i ); if (n i thresh n ī < 0) { m := Migrate(i)} else { m := 0} } Battery, Insecure plant {p i = 1 i m, B i = b i, b i = bm i, gr = grm, t = 1 & B i 0} bat I gr, bm i, vgridmig := 0; if ((n i 0 Full) (n i > 0 Emp)){ { ToBat(n i, m)} else { ToGrid(n i, m)} bat S gr, bm i, vgridmig := 0; (?(Full (ni > 0 Emp)); ToBat(n i, m) ) (ToGrid(n i, m)) 15 / 21

27 Load Balance α F (ctrl; plant) FREEDM: Formal Model ctrl migrate; bat migrate { d i, r i := ;?(d i, r i 0); n i := d i (r i + p i ); if (n i thresh n ī < 0) { m := Migrate(i)} else { m := 0} } Battery, Insecure plant {p i = 1 i m, B i = b i, b i = bm i, gr = grm, t = 1 & B i 0} Battery, bat I bat S Secure gr, bm i, vgridmig := 0; if ((n i 0 Full) (n i > 0 Emp)){ { ToBat(n i, m)} else { ToGrid(n i, m)} gr, bm i, vgridmig := 0; (?(Full (ni > 0 Emp)); ToBat(n i, m) ) (ToGrid(n i, m)) 15 / 21

28 FREEDM: Results Define R(i, j) i t j i gr j gr). Same grid flow, same time Proposition (FREEDM with original bat I is insecure) i 1, i 2, o 1 : W i1 α I o 1 R(i 1, i 2 i2 [α I ] o 2 R(o 1, o 2 ) ) Proposition (Nondeducibility for fixed FREEDM) i 1, i 2, o 1 : W i1 α S o 1 R(i 1, i 2 i2 α S o 2 R(o 1, o 2 ) ) Takeaway: Determinism helps attackers! ( Refinement Paradox ) 16 / 21

29 FREEDM: Results Define R(i, j) i t j i gr j gr). Same grid flow, same time Proposition (FREEDM with original bat I is insecure) i 1, i 2, o 1 : W i1 α I o 1 R(i 1, i 2 i2 [α I ] o 2 R(o 1, o 2 ) ) Proposition (Nondeducibility for fixed FREEDM) i 1, i 2, o 1 : W i1 α S o 1 R(i 1, i 2 i2 α S o 2 R(o 1, o 2 ) ) Takeaway: Determinism helps attackers! ( Refinement Paradox ) Impact: Translates to, e.g., randomization in implementation. 16 / 21

30 Outline 1 dhl: Hybrid {Dynamics, Logic} 2 FREEDM Case Study: Hybrid Power 3 Theory: Soundness and Reducibility 17 / 21

31 Hybrid Logic (+Uniform Substitution) Provides Clean Foundation for Info. Flow Ours is a uniform substitution calculus: variables over predicates, programs, etc. represented explicitly in concrete axiom formulas, instantiated with rule US: US φ σ(φ) Rule US sound iff σ is admissible: Definition (Admissibility (dl)) Substitution σ adds no free variable references in bound positions Definition (Admissibility (dhl)) Substitution σ adds no free symbol references in bound positions Takeaway: Admissibility generalizes cleanly to hybrid logics 18 / 21

32 Axiom Validity Proposition (dhl contains dl) A dl formula φ is valid in dl iff it is valid in dhl Containment imports all dl axioms to dhl once and for all, even when instantiated with proper dhl formulas. dhl axioms are single formulas, so each case of soundness only needs to show validity of one single formula. 19 / 21

33 Concrete Reducibility Motivation: What is the expressive power of dhl? Theorem (Concrete reducibility) Concrete dhl (i.e. without US symbols) reduces to concrete dl. There exists an effective reduction T : dhl dl such that when φ dhl is concrete, T (φ) dl is valid iff φ is. Proposition (Complexity of T ) T increases size quadratically, i.e., T (φ) Θ( φ 2 ) for concrete φ. Implication: T cannot reduce axioms or certain advanced proof techniques. Reduction likely to bloat proofs in practice. 20 / 21

34 Takeaways Info. flow analysis only as good as the model Hybrid models enable expressive CPS flows Logic dhl provides HDIF analysis. Hybrid logic (+ Uniform Substitution) provides clean foundation, High-level relational rules are derived Smart-grid example shows promise for practical applications Future Work: Hybrid logic as a broader foundation for hyperproperties, compare with other relational systems Future Work: Implementation to enable large-scale proofs 21 / 21

A COMPONENT-BASED APPROACH TO HYBRID SYSTEMS SAFETY VERIFICATION

A COMPONENT-BASED APPROACH TO HYBRID SYSTEMS SAFETY VERIFICATION Andreas Müller andreas.mueller@jku.at Werner Retschitzegger werner.retschitzegger@jku.at Wieland Schwinger wieland.schwinger@jku.at Johannes