Lazy Security Controllers


Giulio Caravagna, Gabriele Costa, Giovanni Pardini

Dipartimento di Informatica, Sistemistica e Comunicazione, Università degli Studi di Milano-Bicocca, Italy. Email: giulio.caravagna@disco.unimib.it
Dipartimento di Informatica, Sistemistica e Telematica, Università di Genova, Italy. Email: gabriele.costa@unige.it
Dipartimento di Informatica, Università degli Studi di Verona, Italy. Email: giovanni.pardini@univr.it

Abstract

A security controller follows the execution of a target to identify and prevent security violations. Effective controllers proactively observe the target system and, in case of a security violation, act by either interrupting or modifying the behaviour of the target. Pragmatically, the assumption that a controller can observe and act on the entire execution of a target is restrictive in several practical cases. In this paper we define lazy controllers, a novel category of security controllers which schedule observation points over the execution of a target, thus reducing the cost of monitoring. The ability of a lazy controller to catch security violations depends on its scheduling of the observations. In general, determining an optimal scheduling strategy bounding the probability that no critical action goes unnoticed is non-trivial. To this extent, we propose synthesis strategies for (i) non-deterministic targets with non-instantaneous actions, (ii) probabilistic targets modelled as Discrete Time Markov Chains and (iii) stochastic targets modelled as Continuous Time Markov Chains. In each of these cases we show that the probability of a lazy controller to miss a crucial observation can be bounded by an arbitrary risk threshold.

Keywords: Security Monitoring; Distributed Systems Security; Risk Management.

I. INTRODUCTION

Security controllers are common practice for guaranteeing that an untrusted application complies with a security specification. In words, the problem of controlling the execution of a system can be stated as follows: given a system S and a security policy ϕ, define an effective procedure to control that the execution of S does not violate ϕ.
In the last decades, the research on software security has seen a parallel evolution of static verification methods and security controllers. Despite several important advancements in static program verification, security controllers are still widely adopted in many contexts. This is mainly due to several practical and theoretical reasons which we briefly discuss. First of all, techniques for program verification, such as model checking [1] or abstract interpretation [2], typically rely on static over-approximations of the real code. As such, accounting for a superset of the actual, possible behaviour, static analysis might return false positives. Furthermore, static approximations can be practically unusable when, for instance, the behaviour of a system depends on user inputs or can be modified by an attacker (e.g., see [3]). In all these cases security controllers can still guard program executions and run reaction procedures. Consequently, several recent proposals [4]–[7] advocate the use of integrated frameworks for carrying out both verification and security monitoring. In general, it can be useful to distinguish between two classes of security controllers used for (i) monitoring and (ii) enforcement. In both cases the controller follows the execution of a target as far as the trace produced is compliant with the given security policy. When the target tries to extend the current trace with a new action, the controller checks whether the extended trace is still valid. If it is not the case, the monitor blocks the execution of the target. Instead, the security enforcement approach can declare some reaction procedure to be invoked before and/or after the security violation attempt. Needless to say, monitors are a proper subset of the security enforcement mechanisms; for a survey on these topics we refer the reader to [8].

This work has been partially supported by the EU-funded projects FP Connect, FP Aniketos, FP NESSoS and FP SPaCIoS. This work started when the three authors were employed at Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Italy.
An influential approach to the definition of security policies and controllers was originally introduced by Schneider [9]. Briefly, he proposed a category of Finite State Automata (FSA), termed security automata, for specifying security policies. Having a formal operational semantics, Schneider's automata can be directly used, as a template, to implement security monitors. Also, security automata are known to be expressive enough to represent safety properties. Such properties are those saying that a bad thing will never happen as, for instance, the target never reaches a certain faulty state. A further crucial contribution in the theory of security controllers was proposed by Bauer et al. [10] which gave a characterization of a larger class of policies, namely edit policies. Edit properties are defined through the controllers which are in charge of enforcing them, called edit automata. Roughly, an edit automaton reads the next action of its target and decides whether to (i) allow it, (ii) suppress it or (iii) anticipate it with another one. Note that the enforcement can be used to simulate the behaviour of a security monitor, that is, edit policies are a proper superset of Schneider's policies. Indeed, we can implement an enforcement strategy which halts the target by, for instance, appending to the trace a special action when a violation arises.

All the controllers discussed so far work by observing each step of the execution of their target. In this paper we present a new class of security controllers, namely lazy controllers. Like standard controllers, lazy controllers watch the execution of the target but, in addition, they can autonomously decide to suspend the observations for a certain time span. Clearly, differently from the standard proactive controllers, a lazy controller could miss the observation of a security violation while it is suspended. Such violations are called passive, against those which are detected, namely active. Controlling the target discontinuously has various advantages. In terms of performance and costs, for instance, the monitoring process can be optimised by reducing the number of validity checks on the target behaviour. Another important advantage is in terms of applicability. Indeed, assuming a continuous, synchronous access to all the target actions can be quite restrictive for certain applications of security controllers. For instance, it is common to use log auditing [11], [12] to check the last actions performed by a system without interacting with its execution. A crucial aspect of the applicability of lazy controllers is the definition and the calculation of the risk deriving from suspending the controller. The objective of scheduling observations is to prevent passive security violations up to a given bearable risk. Finding an optimal scheduling, i.e. one which bounds the probability of passive violations to the risk, is the crucial issue when using lazy controllers.

In this paper we define controller synthesis strategies for (i) non-deterministic targets with non-instantaneous actions, (ii) probabilistic targets modelled as Discrete Time Markov Chains and (iii) stochastic targets modelled as Continuous Time Markov Chains. In each case we give an analytical measure of the risk that a passive violation occurs. Also, we define a way to synthesize controllers such that the risk factor is arbitrarily small. Such results demonstrate that lazy controllers can be used to indefinitely approximate the behaviour of the traditional security controllers by reducing the risk factor. Moreover, these automata can be applied to the scenarios in which the monitoring process has a precise cost and one is interested in finding a compromise between the security risk and the security budget.

The paper is structured as follows. In Section II we recall some background concepts useful to define, in Section III, lazy controllers. In Sections IV and V we discuss the synthesis of lazy controllers for specific targets and, in Section VII, we discuss related works and conclude the paper.

II. BACKGROUND

A Labelled Transition System (LTS) is a triple (S, Λ, →) where Λ is a set of labels, S is a set of states and → ⊆ S × Λ × S is a set of labelled transitions. LTSs are often used to describe the behaviour of systems which allow for external observations. Observable actions are fired when the system performs a visible state change. Sometimes it can be useful to model state changes that produce no observable actions. In those cases, the set of labels is extended with a special silent symbol not in Λ (written ε in this transcription), which is used to label the corresponding transitions. As usual, we write s →α s' in place of (s, α, s') ∈ →. As regards timed systems, we consider Timed LTSs, namely LTSs with states of the form T × S, where T denotes the underlying time-domain of the system. Time domain T can be either discrete or continuous, and we assume a total order relation among its elements.
A transition ⟨t, s⟩ →α ⟨t', s'⟩ describes a state change from s to s', occurring at time t', and exhibiting label α ∈ Λ. Time cannot decrease, that is t ≤ t' for each transition. Transitions occur instantaneously, thus for all time instants t'' such that t ≤ t'' < t' the system is in state s. Besides the action labels in Λ, we assume an external observer to know the actual transition times t, t' ∈ T. Timed systems generalize non-timed systems, which can be seen as discrete-time systems with time domain T = ℕ and transitions of the form ⟨t, s⟩ →α ⟨t + 1, s'⟩. We define security controllers both in the case of untimed systems and of timed systems, where the latter case is a trivial extension of the former.

Definition II.1 (Security controller). Let S be the set of states of a target, C the set of states of a controller and Σ a set of labels. A Security Controller is the LTS (C × S, Σ, ⇒) where ⇒ ⊆ (C × S) × Σ × (C × S).

Definition II.2 (Timed security controller). Let S be the set of states of a target, C the set of states of a controller, Σ a set of labels and T a time-domain. A Timed Security Controller is the Timed LTS (T × C × S, Σ, ⇒) where ⇒ ⊆ (T × C × S) × Σ × (T × C × S).

In the following, when the states of the controller and the system are clear from the context, we completely characterize a (timed) security controller with its transition relation ⇒. We introduce truncation controllers, a particular kind of controllers that we use in the following sections for the synthesis of lazy controllers, both in the untimed and timed settings. Following the approach of [13], we define the truncation controllers by using a binary operator driving the execution of a target S under the scope of a controller C, denoted C ▷ S.

Definition II.3. Let (S, Σ, →sys) be the LTS describing the target system, and (C, Σ, →ctr) be the LTS describing the behaviour allowed by the controller. A truncation controller is the security controller (C ▷ S, Σ, ⇒) where ⇒ is the least transition relation defined by the following inference rule.

(monitor)   C →a_ctr C'    S →a_sys S'
            ---------------------------
                C ▷ S ⇒a C' ▷ S'

Definition II.4. Let (T × S, Σ, →sys) be a Timed LTS describing the possible behaviour of a given target system, and (C, Σ, →ctr) be the LTS describing the behaviour allowed by the controller. A timed truncation controller is the timed security controller (T × C ▷ S, Σ, ⇒) where ⇒ is the least transition relation defined by the following rule.

(T-monitor)   C →a_ctr C'    ⟨t, S⟩ →a_sys ⟨t', S'⟩
              -------------------------------------
                  ⟨t, C ▷ S⟩ ⇒a ⟨t', C' ▷ S'⟩

Notice that, even though the controller is untimed, we are able to define a timed controller by using the timed transition system of the target.

III. A THEORY OF LAZY CONTROLLERS

In this section we present a theory of lazy controllers, along with their Structural Operational Semantics (SOS) [14], [15] which retains the standard theory of proactive controllers. In the next sections we prove theorems stating this relation. Intuitively, we provide a framework into which standard controllers can be embedded, yielding lazy controllers. We assume a set of visible actions Σ = {a, b, c, ...} and we build from it the set of unseen actions Σ̃ = {ã | a ∈ Σ}. These two sets account for the fact that, depending on the observations scheduled by the controller, any action performed by the target can be either observed or not. We denote the set of the states of a proactive controller by C, the set of the states of a target by S and the time-domain (e.g., discrete or continuous) underlying the target by T. We define a lazy controller as follows.

Definition III.1. A lazy controller is a tuple (C, S, Σ, (T, ≤), ⇒, →lctr, ζ) where:
– ⇒ ⊆ (T × C × S) × (Σ ∪ {ε}) × (T × C × S) is the active monitoring relation;
– →lctr ⊆ C × Σ̃ × C is the update relation for unseen actions;
– ζ : C × T → T is the scheduling function.

As we discussed in Section II, the relation ⇒ characterizes the input timed proactive controller ⟨t, C ▷ S⟩. Such a relation is generally built by using a relation for the controller describing all the possible allowed behaviors, such as relation →ctr used for truncation controllers in Definitions II.3 and II.4.
In lazy controllers, we also have an update relation →lctr, which differs from →ctr by being defined over unseen actions in Σ̃. Relation →lctr captures the operational notion of activity logging: as far as the controller is not observing the system, i.e., it is idle, every action is freely performed by the target and is logged. When the controller wakes up at any scheduled observation point, it examines the log in order to detect any passive violation, and acts according to its strategy, e.g., by truncating or editing the observed behaviour. Finally, it performs the scheduled observation, before looping this process. Therefore, the relation →lctr is actually a step-by-step operational definition of both the procedure of log checking and the recovery strategies. Finally, function ζ provides the scheduling of the observations over the execution of the target. Notice that ζ(c, t) = t' is a function from a state c of the controller and the time t of the last action performed by the target to an observation time t'. In the next sections, when dealing with the synthesis of a lazy controller, we show how to automatically create a function ζ starting from a security policy and a suitable description of the target system.

We now define the SOS of a lazy controller. In the following, we denote with α ∈ Σ ∪ {ε} all the visible actions plus the special symbol ε (the silent label), used for transitions not accounting for any action. Let us denote by D = T × C × T × S × T the set of all the configurations, and with A = Σ ∪ Σ̃ ∪ {ε} the set of labels. The semantics of a controller is the LTS (D, A, →lazy) where →lazy ⊆ D × A × D is the least transition relation defined by the inference rules of Figure 1. In those rules we make use of two boxing operators [ ] and { }. If the time is t we write [C]_n, where C ∈ C and n ∈ T, to denote that the controller has scheduled the next observation at time t + n. Differently, we write {S}_h, where S ∈ S and h ∈ T, to denote that the target performed its last transition at time t − h in the past.
Fig. 1. The transition relation →lazy ⊆ D × T × D, defined by the rules below. In this transcription ∆ stands for the (lost) symbol denoting the duration of the target's action, and ε for the silent label.

(Sleep)     ζ(c, h) = k    k > 0
            ---------------------------------------
            ⟨t, [C]_0 {S}_h⟩ →ε_lazy ⟨t, [C]_k {S}_h⟩

(Monitor)   ζ(c, h) ≤ 0    ⟨t − h, C ▷ S⟩ ⇒α ⟨t − h + ∆, C' ▷ S'⟩    ∆ ≥ h
            ----------------------------------------------------------------
            ⟨t, [C]_0 {S}_h⟩ →α_lazy ⟨t − h + ∆, [C']_0 {S'}_0⟩

(Log)       ⟨t − h, S⟩ →a_sys ⟨t − h + ∆, S'⟩    C →ã_lctr C'    k > 0    h ≤ ∆ < h + k
            -------------------------------------------------------------------------------
            ⟨t, [C]_k {S}_h⟩ →ã_lazy ⟨t − h + ∆, [C']_{k − (∆ − h)} {S'}_0⟩

(WakeUp)    ---------------------------------------------
            ⟨t, [C]_k {S}_h⟩ →ε_lazy ⟨t + k, [C]_0 {S}_{h+k}⟩

In both cases n and h denote relative times, hence from a configuration ⟨t, [C]_n {S}_h⟩ we derive all the possible behaviors of the target and the lazy controller in the time window [t − h, t + n]. By assuming the starting time to be t_0, all the possible behaviors of a lazy controller can be derived from the initial configuration ⟨t_0, [C]_0 {S}_0⟩. Rule (Sleep) states that, if at time t the controller is acting in the proactive mode [C]_0 and the next observation is scheduled at time t + k, then the controller can idle till that time, hence becoming [C]_k. The label ε of the transition means that this derivation does not involve any action of the target. Rule (Monitor) states that if at time t a proactive controller must not wait further to observe the target, namely ζ(c, h) ≤ 0, then any action of the target started at a previous time t − h and completing at time t − h + ∆ (∆ being the duration of the action) should be proactively monitored. When so, we make use of the relation characterizing such a proactive controller, ⇒. Moreover, notice that by using the boxing operator for the target we are able to derive timed-transitions from the past time t − h, meaning that the passage of time is synchronous for S. (It would be analogous to considering the target idle in the time window (t − h, t − h + ∆) and performing an atomic action at time t − h + ∆. This last interpretation is the one adopted for Markov processes.) We remark that, to have a good scheduling function, the next action should really be a passive violation, correctly prevented by the controller. Rule (Log) states that if the time is t and the controller has scheduled the next observation at time t + k, then any action which S performs before t + k is not controlled, but simply logged by means of the derivations of →lctr. In this time window a passive violation may happen, not being detected up to time t + k. Finally, rule (WakeUp) makes the controller able to spend time autonomously and synchronously with the target S.

Lazy controllers extend standard security controllers at the semantic level, as proved by the following theorem.

Theorem III.1. Let (T × C × S, Σ, ⇒) be a timed security controller. Let (C, S, Σ, T, ⇒, →lctr, ζ) be a lazy security controller with →lctr arbitrarily defined and ζ such that ∀c ∈ C, t ∈ T. ζ(c, t) = 0. Then ∀t, t' ∈ T, C, C' ∈ C, S, S' ∈ S, a ∈ Σ:
⟨t, C ▷ S⟩ ⇒a ⟨t', C' ▷ S'⟩  ⟺  ⟨t, [C]_0 {S}_0⟩ →a_lazy ⟨t', [C']_0 {S'}_0⟩.

Proof: This and all the other technical proofs can be found in the appendix.

Theorem III.1 says that, forcing a lazy controller to be always active, we obtain the same enforcement process produced by the corresponding security controller.

IV. SYNTHESIS OF LAZY CONTROLLERS

In this section we discuss the synthesis of lazy security controllers for non-probabilistic, probabilistic and stochastic targets. In particular, we take into account (i) non-deterministic Finite State Machines (FSMs) with non-instantaneous transitions, (ii) Discrete Time Markov Chains (DTMCs) and, finally, (iii) Continuous Time Markov Chains (CTMCs). We consider FSMs because they have been traditionally adopted for system modelling and Markov chains because they are receiving major attention as formal descriptions of timed systems. We represent the targets as FSMs enriched with labels, taken from a countable domain, on the transitions between states. The targets differ only for such labels, i.e.
in (i) labels represent durations, in (ii) probabilities and in (iii) the parameters of exponentially-distributed random variables. In this paper, we consider only lazy truncation controllers. They extend proactive truncation controllers in the natural way, i.e., by interrupting a violating execution either proactively or as soon as they wake up, after a violation occurred. We argue that enforcing controllers can be similarly synthesized by adapting standard enforcement strategies in the framework of lazy controllers. An investigation of these aspects is left as future work. In this section we discuss the synthesis of the controller structure. This is done in the same way for all the three types of FSMs considered since the states and transitions of a lazy controller can be synthesized independently of the interpretation we give to the labels of the target FSM, but rather by considering only its structure. In the next section we conclude the synthesis strategy by defining the scheduling functions, which instead depend on the type of FSM we are considering.

Preliminaries

We recall some preliminary notions that are necessary for the following dissertation.

Definition IV.1. A Finite State Machine (FSM) is a tuple M = (Σ, Q, ι, δ, F) where: Σ is a finite alphabet of actions, Q is a finite set of states, ι ∈ Q is the initial state, δ ⊆ Q × Σ × Q is the set of (labelled) transitions, F ⊆ Q is the set of final states.

Let us denote by Σ^n, with n ∈ ℕ, all words over the alphabet Σ having length n, and let Σ* = ∪_{n∈ℕ} Σ^n denote all the finite words over Σ. Moreover, we denote by Σ^ω all the infinite words (ω-words) over Σ, and let Σ^∞ = Σ* ∪ Σ^ω. A (finite) path π is a sequence of states q_0, q_1, ..., q_k such that ∀i ≤ k. (q_{i−1}, a_i, q_i) ∈ δ. The finite word W(π) = a_1 a_2 ... a_k ∈ Σ^k can be associated with such a sequence π. The set of all finite paths from state q to state q' is denoted Paths(q, q'). An infinite path π is a sequence of states q_0, q_1, ..., q_k, ... such that ∀i. (q_{i−1}, a_i, q_i) ∈ δ. Similarly to the finite case, we can associate an infinite word W(π) ∈ Σ^ω to such a path. The set of all infinite paths from state q is denoted Paths^ω(q).

Fig. 2. The FSM of the target (states S0, S1, S2 over the alphabet {a, b, c}).

Fig. 3. The FSM recognizing bad prefixes for the property ϕ = G(a → X ¬a) (states T0, T1, T2).

When a FSM is interpreted as an automaton on finite words its semantics is a language L ⊆ Σ*. Given a FSM A, we denote its language on finite words as L(A), where x ∈ L(A) iff there is a path from the initial state ι to any final state. Formally, L(A) = {W(π) | q ∈ F, π ∈ Paths(ι, q)}. A FSM A is called deterministic iff, for each state, there is exactly one transition for each possible symbol. Formally, ∀q ∈ Q, a ∈ Σ. ∃! q' ∈ Q. (q, a, q') ∈ δ. We denote by det(A) a deterministic FSM equivalent to A, i.e., such that L(det(A)) = L(A). Given two FSMs A and D = det(A), there always exists a mapping function µ : Q_A → P(Q_D) which relates each state of A with a set of states from D. Note that det(A) univocally denotes one of the possible deterministic FSMs which are equivalent to A. We assume that, if A is deterministic, then det(A) = A. We also consider the standard definition of the parallel composition of FSMs. Let A = (Σ, Q_A, ι_A, δ_A, F_A) and B = (Σ, Q_B, ι_B, δ_B, F_B) be two FSMs, using the same alphabet Σ. The parallel composition of A and B is defined as A ∥ B = (Σ, Q_A × Q_B, (ι_A, ι_B), δ_{A∥B}, F_{A∥B}), where δ_{A∥B} = {((q_1, q_2), a, (q'_1, q'_2)) | (q_1, a, q'_1) ∈ δ_A, (q_2, a, q'_2) ∈ δ_B}, and F_{A∥B} = {(q_1, q_2) | q_1 ∈ F_A ∧ q_2 ∈ F_B}. We assume a computation of a non-terminating system to be represented as an infinite ω-word over a given alphabet Σ. A FSM can be interpreted as an automaton over ω-words, by using a proper acceptance condition. In this paper, as regards automata over ω-words, we only consider FSMs for which any possible transition is always accepted. Therefore, in this case, the set of final states F is not involved in the definition of the acceptance condition.

Definition IV.2. An ω-automaton is a FSM A whose semantics is the ω-language L^ω(A) = {W(π) | π ∈ Paths^ω(ι)}.

In order to formally define safety properties, we need some preliminary definitions.
We first consider bad prefixes for a given language of infinite words L ⊆ Σ^ω, which intuitively identify any finite word which cannot be extended to an infinite word of the language. A language of infinite words L ⊆ Σ^ω such that each word not in L has a bad prefix is called a safety language. Their formal definitions follow.

Definition IV.3. A finite word x ∈ Σ* is a bad prefix for a language L ⊆ Σ^ω iff ∀y ∈ Σ^ω. xy ∉ L. The set of all bad prefixes for a given language L is denoted as BadPrefixes(L).

Definition IV.4. A language L ⊆ Σ^ω is a safety language iff ∀w ∈ Σ^ω \ L. ∃x ∈ Σ*, y ∈ Σ^ω. w = xy ∧ x ∈ BadPrefixes(L).

Note that the language BadPrefixes(L), for a given safety language L, is closed under concatenation with arbitrary symbols, as shown by the following theorem.

Theorem IV.1. Let L ⊆ Σ^ω be a safety language. Then ∀x ∈ Σ*, a ∈ Σ. x ∈ BadPrefixes(L) ⟹ xa ∈ BadPrefixes(L).

Let us denote by A_bad(L) a (non-deterministic) FSM recognizing the bad prefixes of a given safety language L, that is L(A_bad(L)) = BadPrefixes(L). By Theorem IV.1 we can assume that A_bad(L) has exactly one final state ψ such that for each symbol a there is a transition ψ →a ψ, and there is no other transition exiting from ψ. Let us consider a safety property ϕ, namely a property whose set L(ϕ) of infinite words satisfying it forms a safety language. Intuitively, a safety property is such that every violation occurs after a finite execution of the system. We denote by A_bad(ϕ) = A_bad(L(ϕ)) a (non-deterministic) FSM which recognizes the bad prefixes of the (language described by the) safety property ϕ, that is all and only the words which do not satisfy the property. A safety property can be expressed using various formalisms, such as LTL formulae [16] or Büchi automata [17]. We do not discuss the aspect of the translation of a safety property ϕ into a FSM A_bad(ϕ) which recognizes its bad prefixes. Instead, in the following, we assume such a FSM to be given. We refer the reader to [18] for details on the construction of FSMs recognizing bad prefixes of LTL formulae and Büchi automata.

Synthesis of the controller structure

We consider a non-deterministic FSM A = (Σ, Q_A, q^A_0, δ_A, F_A) capturing all the possible behaviour for the target.
In synthesizing the controller structure we abstract away from the type of labels which appear on the transitions of the enriched version of A. According to Definition IV.2, A is to be interpreted as an automaton over ω-words; moreover we assume F_A = Q_A since the set of final states is not involved in the semantics of such a FSM. Let ϕ be a safety property; in the proactive setting, a truncation controller can be defined from the deterministic FSM det(A_bad(ϕ)), in which a transition is allowed only if it does not end up in the final state. By exploiting Definitions II.3 and II.4, we can obtain a proactive controller ⇒ with such a behaviour by using a transition relation →ctr defined by the following inference rule.

(good)   δ_C(c, a) = c'    c' ∉ F_C
         ---------------------------   (1)
               c →a_ctr c'

Fig. 4. The FSM C_0, obtained as the parallel of the target's FSM (Figure 2) and the FSM recognizing bad prefixes (Figure 3).

According to the semantics of ▷ from Definitions II.3 and II.4, such a definition of →ctr is applicable to both untimed and timed systems. Slightly abusing notation, we denote the ensemble of the controller and the target as A_bad(ϕ) ▷ A. Recall from Section III that a lazy controller is completely specified by (i) an active monitoring relation ⇒, (ii) an update relation for unseen actions →lctr, and (iii) a scheduling function ζ. As regards the kinds of target that we consider, the corresponding lazy truncation controllers all share the same structure, and just the definition of the scheduling function ζ is different from one to another.

Example IV.1. Throughout this section we consider, as a running example, a target whose behaviour is described by the FSM shown in Figure 2, with alphabet Σ = {a, b, c}. We construct a controller for preventing the target from performing two consecutive a actions. Such a safety property can be formally expressed as the LTL formula ϕ = G(a → X ¬a). Figure 3 shows the deterministic FSM recognizing the bad prefixes of ϕ, namely det(A_bad(ϕ)).

We detail our construction only in the case of the untimed truncation controller, i.e., Definition II.3. The construction in the timed case is analogous, and all the theorems can be easily restated in the timed case by assuming a timed truncation controller as in Definition II.4. The lazy controller is constructed from the parallel composition of det(A_bad(ϕ)) with a deterministic FSM equivalent to A, i.e., it is the FSM C_0 = det(A_bad(ϕ)) ∥ det(A). This allows the controller to track the actions performed by the target, which is necessary to determine an appropriate scheduling function ζ.
In this case, the ensemble of the controller and the target becomes (det(A_bad(ϕ)) ∥ det(A)) ▷ A, which is equivalent to det(A_bad(ϕ)) ▷ A according to the semantics of truncation controllers. This is formally proved by the following theorem.

Fig. 5. The FSM C of the controller, constructed from C_0 (Figure 4).

Theorem IV.2. Let B ▷ A be a truncation controller, with A being a non-deterministic FSM describing the behaviour of a target, and B a deterministic FSM describing the truncation controller. Let D = det(A), and C = B ∥ D. Then, ∀x ∈ Σ*, b ∈ Q_B, d ∈ Q_D, a ∈ Q_A:
(ι_B, ι_D) ▷ ι_A ⇒x (b, d) ▷ a  ⟺  ι_B ▷ ι_A ⇒x b ▷ a
where (ι_B, ι_D), (b, d) ∈ Q_C.

The actual FSM describing the controller is obtained from C_0 by joining together all the final states in a unique final state ψ_{C_0} with a self loop for each symbol in Σ. We call a FSM of this kind absorbing, and we denote it as C = absorbing(C_0), where the function absorbing is defined as follows.

Definition IV.5. Given a deterministic FSM C = (Q_C, Σ, δ_C, ι_C, F_C), we denote by absorbing(C) a FSM E = (Q_E, Σ, δ_E, ι_E, F_E) such that: (i) Q_E = Q_C \ F_C ∪ {ψ_E}, with ψ_E ∉ Q_C; (ii) δ_E = {(µ(c), a, µ(c')) | (c, a, c') ∈ δ_C} ∪ {(ψ_E, a, ψ_E) | a ∈ Σ}; (iii) ι_E = µ(ι_C); (iv) F_E = {ψ_E}; where µ : Q_C → Q_E is a mapping between the states of C and E such that ∀c ∈ Q_C \ F_C. µ(c) = c and ∀c ∈ F_C. µ(c) = ψ_E.

For the purposes of runtime monitoring, such a FSM C must be equivalent to C_0, in spite of the fact that the languages they recognize can be different. Such an equivalence is formally proved by the following theorem.

Theorem IV.3. Let C ▷ A be a truncation controller, with A being the non-deterministic FSM of a target, and C a deterministic FSM such that ∀c ∈ F_C. δ_C(c, a) ∈ F_C. Let E = absorbing(C). Then, ∀x ∈ Σ*, c ∈ Q_C, e ∈ Q_E, a ∈ Q_A:
ι_C ▷ ι_A ⇒x c ▷ a  ⟺  ι_E ▷ ι_A ⇒x e ▷ a

Example IV.2. Figure 4 shows the FSM C_0 = det(A_bad(ϕ)) ∥ det(A) obtained from the parallel composition of the FSM of the target, in Figure 2, and the FSM recognizing bad prefixes for ϕ, in Figure 3.
The FSM C = absorbing(C_0), obtained from C_0 by collapsing all the final states in one, and for which there is a self loop for each possible symbol in the alphabet, is shown in Figure 5. Notice that C_0 has three final states F_{C_0} = {S_0T_2, S_1T_2, S_2T_2}, which are replaced in C by the only final state S T_2.

The active monitoring relation ⇒ and the update relation for unseen actions →lctr are both constructed from the target FSM A and the LTL safety property ϕ, since their definition does not depend on the type of FSM we consider. In particular, the active monitoring relation ⇒ corresponds to the timed truncation controller from Definition II.4. The update relation for unseen actions →lctr, i.e., how the state of the controller is updated when an unseen action occurs, is defined as follows.

Definition IV.6. The update relation for unseen actions →lctr for a lazy truncation controller is the least relation defined by the following rules:

(sleep)   δ_C(c, a) = c'    c ∉ F_C          (nil)   c ∈ F_C    a ∈ Σ
          --------------------------                 -----------------
                c →ã_lctr c'                            c →ã_lctr c

Rule (sleep) mirrors δ_C as far as non-final states are involved. As soon as the controller reaches a final state in F_C, rule (nil) ensures that it remains in such a state while accepting any unseen actions, according to the fact that a sleeping controller does not block unseen actions.

V. SYNTHESIS OF THE SCHEDULING FUNCTIONS

Here we complete the synthesis of lazy controllers by defining scheduling functions for the targets considered in the previous section. We split the presentation according to the type of target considered.

A. Scheduling Functions for Non-Probabilistic Systems

We recall that we are considering a non-deterministic target A = (Σ, Q_A, ι_A, δ_A, F_A), where F_A = Q_A, hereby enriched with a function θ : Q_A × Σ × Q_A → ℝ+ denoting the durations associated with transitions. We assume θ(t) = 0 for all t ∉ δ_A. The semantics of a target (A, θ) is the Timed LTS (ℝ+ × Q_A, Σ, →sys) where →sys is the least transition relation defined by the following axiom:

(q, a, q') ∈ δ    θ(q, a, q') = ∆
----------------------------------
    ⟨t, q⟩ →a_sys ⟨t + ∆, q'⟩

Notice that this relation also includes targets whose underlying time domain is discrete. Recall that the controller is defined by the FSM C = absorbing(B ∥ D), where B = det(A_bad(ϕ)) and D = det(A).
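The following Python script is an added example, not code from the paper: it synthesizes the controller structure of Section IV (subset construction of det(A) composed with the bad-prefix FSM, then collapsed into the absorbing state of Definition IV.5), computes the duration-based scheduling function that this section goes on to define in Equations 2 and 3 by a shortest-path search, and simulates the rules of Figure 1 on timed traces. The target FSM, its durations θ and the traces are constructed for the example (they are not the FSM of Figure 2); the bad-prefix FSM encodes ϕ = G(a → X ¬a) as in Figure 3; state names, function names and the fixed-period scheduler used for comparison are the example's own.

```python
"""Added example (not the paper's code): synthesis of a lazy truncation
controller for a non-probabilistic target and a simulation of its semantics."""
import heapq
import math

# Constructed target FSM A (not the FSM of Figure 2): non-deterministic on
# 'a' from S0.  THETA maps each transition (source, action, destination) to
# its duration; triples that are absent are not transitions of A.
SIGMA = {"a", "b", "c"}
A_INIT = "S0"
THETA = {
    ("S0", "a", "S1"): 2.0, ("S0", "a", "S2"): 5.0, ("S0", "b", "S0"): 1.0,
    ("S1", "c", "S0"): 3.0, ("S1", "a", "S2"): 1.0,
    ("S2", "b", "S0"): 2.0, ("S2", "c", "S2"): 1.0,
}
# Deterministic bad-prefix FSM for phi = G(a -> X not a) (Figure 3): two
# consecutive 'a' actions reach the final state T2.
B_INIT, B_FINAL = "T0", "T2"
B_DELTA = {("T0", "a"): "T1", ("T0", "b"): "T0", ("T0", "c"): "T0",
           ("T1", "a"): "T2", ("T1", "b"): "T0", ("T1", "c"): "T0",
           ("T2", "a"): "T2", ("T2", "b"): "T2", ("T2", "c"): "T2"}
PSI = "PSI"  # unique absorbing final state of C = absorbing(B || det(A))


def synthesize_controller():
    """Subset construction on det(A_bad) || det(A): states are
    (b, frozenset of A-states) and every state whose b is final collapses
    into PSI (Definition IV.5).  Returns (init, delta, weight): delta[(c, x)]
    is the successor, weight[(c, x, c2)] the shortest duration among the
    A-transitions interpreting that step (inner minimum of Equation 2)."""
    init = (B_INIT, frozenset([A_INIT]))
    delta, weight, todo, seen = {}, {}, [init], {init}
    while todo:
        b, aset = c = todo.pop()
        for x in SIGMA:
            moves = [(a1, a2) for (a1, y, a2) in THETA if a1 in aset and y == x]
            if not moves:
                continue  # det(A) has no x-transition from this state set
            b2 = B_DELTA[(b, x)]
            c2 = PSI if b2 == B_FINAL else (b2, frozenset(a2 for _, a2 in moves))
            delta[(c, x)] = c2
            weight[(c, x, c2)] = min(THETA[(a1, x, a2)] for a1, a2 in moves)
            if c2 != PSI and c2 not in seen:
                seen.add(c2)
                todo.append(c2)
    for x in SIGMA:  # rule (nil): the absorbing state loops on every symbol
        delta[(PSI, x)], weight[(PSI, x, PSI)] = PSI, 0.0
    return init, delta, weight


def shortest_durations(weight):
    """Dijkstra on the reversed graph: shortest duration of any path from
    each controller state to PSI (the minimum in Equation 3); inf if none."""
    rev = {}
    for (c, x, c2), w in weight.items():
        rev.setdefault(c2, []).append((c, w))
    dist, heap, n = {PSI: 0.0}, [(0.0, 0, PSI)], 0
    while heap:
        d, _, c2 = heapq.heappop(heap)
        if d > dist[c2]:
            continue
        for c, w in rev.get(c2, []):
            if d + w < dist.get(c, math.inf):
                dist[c], n = d + w, n + 1
                heapq.heappush(heap, (d + w, n, c))
    return dist


def make_zeta(dist):
    """Scheduling function of Equation 3: zeta(c, h) = min duration to PSI - h."""
    return lambda c, h: dist.get(c, math.inf) - h


def run_lazy(init, delta, zeta, trace):
    """Simulates the rules of Figure 1 on a constructed trace
    [(action, duration), ...] where each action starts when the previous one
    completes (the trace is assumed feasible for A).  Actions completing
    before the scheduled observation are only logged (Log/WakeUp); the first
    one completing at or after it is observed actively (Monitor) and the run
    is truncated if it would enter PSI.  Returns (outcome, time, passive)."""
    c, last, passive, start = init, 0.0, [], 0.0
    obs = zeta(c, 0.0)                    # (Sleep) from the initial configuration
    for x, dur in trace:
        finish, monitored = start + dur, False
        while finish >= obs:              # (WakeUp) at time obs with h = obs - last
            k = zeta(c, obs - last)
            if k <= 0:                    # (Monitor): the pending action is observed
                monitored = True
                break
            obs += k                      # (Sleep) again
        c2 = delta[(c, x)]
        if monitored:
            if c2 == PSI:                 # rule (good) has no premise: truncate
                return ("truncated", finish, passive)
            obs = finish + zeta(c2, 0.0)  # proactive mode again, then (Sleep)
        elif c2 == PSI and c != PSI:      # (Log) entered PSI: a passive violation
            passive.append(finish)
        c, last, start = c2, finish, finish
    return ("completed", start, passive)
```

With ζ from Equation 3 the constructed trace a·a·b is truncated at time 3, when the second a is observed, and no passive violation is recorded, as Theorem V.1 predicts for this kind of target; a naive scheduler that sleeps a fixed 4 time units after each wake-up only logs the same trace and records the violation at time 3 as passive.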
Given a state c ∈ Q_C of the controller, we define a function giving the shortest duration of any path from the current state c to the final state of C, denoted ψ_C. Let µ_C : Q_{B∥D} → Q_C denote the mapping defining the absorbing function, and let µ_D : Q_A → P(Q_D) denote the mapping from the states of the FSM A to the states of the FSM det(A). Let ν(c) denote the set of states of A which are mapped to a state c ∈ Q_C, i.e. ν(c) = {a | ∃b, d. c = µ_C(b, d) ∧ d ∈ µ_D(a)}. Function ν(c) is also extended to paths as ν(c_1, ..., c_k) = {a_1, ..., a_k | ∀i ≤ k. a_i ∈ ν(c_i)}. A function duration can be formally defined as follows:

duration(π) = min { Σ_{i=1}^{k} θ(a_{i−1}, x_i, a_i) | a_0, a_1, ..., a_k ∈ ν(π), x_1 ... x_k ∈ Σ^k }.   (2)

This function is used to define the scheduling function ζ, i.e.

ζ(c, h) = min{ duration(π) | π ∈ Paths(c, ψ_C) } − h.   (3)

Note that ζ(c, h) takes into account the fact that the last action from the target has been seen at time t − h. For this type of targets a strong theorem on the efficiency of lazy controllers can be proved.

Theorem V.1. Let A be a non-deterministic FSM describing the behaviour of the target, and B = det(A_bad(ϕ)) a deterministic FSM recognizing bad prefixes for a given property ϕ. Let D = det(A), and C = absorbing(B ∥ D) be the FSM of the controller. Consider the lazy truncation controller (⇒, →lctr, ζ), with ⇒ as in Definition II.4, →lctr as in Definition IV.6, and ζ as in Equation 3. Then, if ι_C ≠ ψ_C, the controller never reaches the final state, that is ∀t, k, h ∈ ℝ+, c ∈ Q_C, a ∈ Q_A:
⟨0, [ι_C]_0 {ι_A}_0⟩ →*_lazy ⟨t, [c]_k {a}_h⟩  ⟹  c ≠ ψ_C

Intuitively, this theorem proves that no passive violation can happen if the scheduling function satisfies Equation 3.

B. Scheduling Functions for Discrete Time Markov Chains

As a first probabilistic system we consider a target described by a homogeneous Discrete Time Markov Chain (DTMC), i.e., a target moving probabilistically over a finite set of states, where at any time the probability of jumping to a state is completely determined in the state itself.

Definition V.1.
A Discrete Time Markov Chain is a tuple (S, s, P) where (i) S is a finite set of states; (ii) s is the initial state; (iii) P : S × S → [0, 1] is a transition probability matrix, such that Σ_{s'∈S} P(s, s') = 1 for all states s ∈ S. Each element P(s, s') gives the probability of a transition from s to s', i.e., P(s, s') = Pr(X(k + 1) = s' | X(k) = s) for any k ≥ 0. A DTMC is a family of random variables {X(k) | k = 0, 1, 2, ...} where X(k), ranging over states, are observations made at discrete time-steps. Among others, these probabilistic processes satisfy the Markov property: the state at time k depends only on the state at time k − 1, and not on the states at previous times, i.e., the history.

We enrich this definition of DTMC with labels denoting actions on the transitions. We consider a target as the pair (A, θ), where A = (Σ, Q_A, ι_A, δ_A, F_A), with F_A = Q_A, is a deterministic FSM enriched with θ : Q_A × Σ × Q_A → [0, 1] giving the probability associated with each transition. Recall that the probabilities of all the transitions exiting from a state must sum up to 1. We also assume θ(t) = 0 for all t ∉ δ_A. According to Definition V.1 a labelled DTMC representing (A, θ) is a tuple (Q_A, e(ι_A), P), where e(ι_A) is a unit vector with 1 only in the position corresponding to the initial state ι_A, and the matrix of transition probabilities P = [p_ij] is such that p_ij = Σ_{a∈Σ} θ(q_i, a, q_j) when Q_A = {q_1, ..., q_n}.

Our strategy for synthesizing the controller structure yields a FSM structurally analogous to some DTMCs having reachability properties, which we now discuss. Some terminology has to be introduced first: a DTMC state is transient (conversely recurrent) if any execution visits it only finitely many times. Differently, a state s is absorbing if it cannot be left, i.e., P(s, s) = 1. A terminating DTMC is a Markov chain where all states are transient, except one which is absorbing. Intuitively, the controller we synthesize is structurally equivalent to a terminating DTMC. For these types of DTMCs the time to absorption T_s, i.e., the time it takes to enter the absorbing state, assuming the DTMC starts in state s, follows a well-known Discrete Phase-type distribution [19].

Definition V.2. Let (S, s, P) be a terminating DTMC; through a proper reordering of its states, we can always write P as

P = [ P̂  ρ ]
    [ 0   1 ]

where (i) P̂ ∈ [0, 1]^{(|S|−1)×(|S|−1)} restricts P to the transient states, (ii) ρ is a column vector which contains the probabilities from each transient state to the absorbing one, and (iii) 0 is a zero row vector. A Discrete Phase-type (DPH) distribution, denoted DPH(τ, P̂), is a row vector τ ∈ {0, 1}^{|S|−1} specifying the initial probability distribution over transient states, and the matrix P̂. Its cumulative distribution function, i.e., the probability that the time to the absorbing state is smaller or equal to x, reads as

F(x) = 1 − τ P̂^x 𝟙   for x ∈ ℕ.   (4)

Given the system in a non-absorbing state s at time t, this distribution characterizes the probability of jumping to the absorbing state, in any number of steps, within time t' > t. We now show why this distribution allows for analytically determining the probability that the lazy controller misses the detection of a violation.
Given a DTMC $(A, \theta)$, its set of possible timed transitions is described by the transition relation $\to_{sys}$, defined in Figure 6, i.e., a special case of the non-probabilistic system where steps last 1 time-unit. As we said, the controller is the FSM $C = absorbing(det(A_{bad(\phi)}) \otimes A)$, since $A$ is deterministic, and is equipped with a labelling function $\theta' : Q_C \times \Sigma \times Q_C \to [0, 1]$, built from $\theta$, to obtain a labelled DTMC $(C, \theta')$. Let $\mu_C$ denote the mapping defining the absorbing function. Then, the labelling function $\theta'$, giving the transition probabilities, is such that $\forall c_1 \neq \psi_C, c_2 \in Q_C.\ \theta'(c_1, x, c_2) = \theta(a_1, x, a_2)$ where, for $i = 1, 2$, $a_i$ is such that $\mu_C(c_i) = (b_i, a_i)$ for some $b_i$. Moreover, $\forall x \in \Sigma.\ \theta'(\psi_C, x, \psi_C) = 1/|\Sigma|$. Note that the probabilities associated with the loop transition on the final state are not important, as long as they sum up to 1, for correctness. As we mentioned, $C$ has a unique absorbing state $\psi_C$ in which the bad prefix of the target trace is recognized, i.e., the violation is detected. This proposition holds.

Proposition V.2. The DPH distribution of the DTMC $(C, \theta')$ is the distribution of the time until the next violation of the DTMC.

Hence the probability of passive violations can be bounded by using such a distribution: given a state $c \in Q_C$, the function $\zeta(c, h)$ gives the maximum allowed time $t \in \mathbb{N}$ for which the probability of reaching the final state $\psi_C$ from the current state $c$, within $t$ time units, is less than a probability $\beta$. Formally, if the current state of the DTMC is $c$ then the cumulative distribution function $F$ of $DPH(e(c), \hat{P})$ gives the time for scheduling the next observation by solving

$$t = \max\{0,\ \max\{t' \mid F(t') \le \beta\} - h\} \tag{5}$$

where $\beta \in [0, 1]$ is a given probability of error. Notice that this corresponds to using the random variable $Y = (X - h)$ where $X \sim DPH(\tau, \hat{P})$ and $Y$ is the linear transformation of $X$ and $h$. We remark that even though the exponential jumps of a DTMC are memoryless (i.e., the time past $h$ could be disregarded if we considered exponential waiting times individually), the DPH and hence $Y$ are not, requiring us to use $h$ in equation (5).
Moreover, the outmost $\max$ operation is required since $X$ has infinite support, i.e., the probability that $X \in [0, h]$ is greater than 0. The following proposition states an important property for lazy controllers synthesized in this manner.

Proposition V.3. If $\zeta(c, h) = t$ with $t$ a solution of equation (5) for some $\beta \in [0, 1]$, then the probability of a passive violation is bounded by $\beta$.

Example V.1. Consider the FSM of Figure 2 denoting a DTMC $(\{S_0, S_1, S_2\}, S_0, P)$, and let us build the terminating DTMC $(\{S_0T_0, S_1T_1, S_2T_0, S_0T_1, S_1T_2\}, S_0T_0, P')$ of Figure 5, where $P$ and $P'$ are the transition probability matrices of the two chains (their entries do not survive in the extracted text). The latter of these matrices is obtained from the former through the definition of parallel composition of FSMs. From $P'$, by considering the top-left $4 \times 4$ sub-matrix, we extract $\hat{P}$. If we numerically solve equation (5) by varying the state-distribution $\tau$ to account for each possible state of the chain we obtain the following values for the scheduling function: $\zeta(S_0T_0, 0) = 4$, $\zeta(S_1T_1, 0) = 4$, $\zeta(S_2T_0, 0) = 1$, $\zeta(S_0T_1, 0) = 0$, for the threshold $\beta = 0.2$. Thus, for instance, from $S_0T_0$ with probability higher than 80% no passive violations will happen in the next 4 steps. If one lowers the threshold to $\beta = 0.05$ the observations need to be scheduled more frequently, e.g., in that case $\zeta(S_0T_0, 0) = 2$.
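The computation behind Example V.1 (Equations 4 and 5) can be carried out exactly with rational arithmetic. The following Python block is an added illustration, not code from the paper or from its prototype: it evaluates $F(x) = 1 - \tau \hat{P}^x \mathbb{1}$ by repeated matrix-vector products, scans forward for the largest $t$ with $F(t) \le \beta$ (which is sound because $F$ is non-decreasing), and builds the per-state table obtained by "varying $\tau$". The terminating DTMC used here is constructed for the example; its states $c_0, c_1, c_2$ (transient) and the probabilities in `P_HAT` and `RHO` are assumptions, not the chain of Figure 5, and `horizon` is an added cut-off for the scan.

```python
"""Scheduling function for a DTMC target from its Discrete Phase-type (DPH)
distribution: F(x) = 1 - tau P^x 1 (Eq. 4), zeta(c, h) = max{0, max{t | F(t) <= beta} - h} (Eq. 5).
Added example; the chain below is constructed, not the one of Figure 5."""
from fractions import Fraction as Fr
from typing import Dict, List, Sequence

Matrix = List[List[Fr]]

# Constructed terminating DTMC: transient states c0, c1, c2 plus the absorbing
# state psi_C.  P_HAT is the top-left block of P, RHO the column towards psi_C,
# so every row of [P_HAT | RHO] sums to 1.
P_HAT: Matrix = [
    [Fr(1, 2), Fr(1, 2), Fr(0)],
    [Fr(0),    Fr(1, 2), Fr(1, 4)],
    [Fr(1, 4), Fr(1, 4), Fr(1, 4)],
]
RHO = [Fr(0), Fr(1, 4), Fr(1, 4)]

# Unit row vectors e(c) selecting the current state of the controller.
E0 = [Fr(1), Fr(0), Fr(0)]
E1 = [Fr(0), Fr(1), Fr(0)]
E2 = [Fr(0), Fr(0), Fr(1)]


def mat_vec(m: Matrix, v: Sequence[Fr]) -> List[Fr]:
    """Column product m . v."""
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def survival(tau: Sequence[Fr], p_hat: Matrix, x: int) -> Fr:
    """tau P_hat^x 1: probability of still being in a transient state after x steps.
    Computed right-to-left as P_hat (P_hat (... 1)), so no matrix power is formed."""
    v = [Fr(1)] * len(p_hat)          # the all-ones column vector
    for _ in range(x):
        v = mat_vec(p_hat, v)
    return sum(t * vi for t, vi in zip(tau, v))


def dph_cdf(tau: Sequence[Fr], p_hat: Matrix, x: int) -> Fr:
    """F(x) of Equation 4: probability that absorption (the violation) happens within x steps."""
    return 1 - survival(tau, p_hat, x)


def schedule(tau: Sequence[Fr], p_hat: Matrix, h: int, beta, horizon: int = 1000) -> int:
    """zeta(c, h) of Equation 5.  F is non-decreasing in x, so the largest t with
    F(t) <= beta is found by scanning forward; F(0) = 0 for a unit tau, so t >= 0.
    `horizon` (an added cut-off) bounds the scan when F never exceeds beta."""
    t = 0
    while t + 1 <= horizon and dph_cdf(tau, p_hat, t + 1) <= beta:
        t += 1
    return max(0, t - h)


def scheduling_table(p_hat: Matrix, beta, h: int = 0) -> Dict[int, int]:
    """zeta(c, h) for every transient state c, as the paper does by varying tau."""
    n = len(p_hat)
    table = {}
    for c in range(n):
        e_c = [Fr(1) if i == c else Fr(0) for i in range(n)]
        table[c] = schedule(e_c, p_hat, h, beta)
    return table


if __name__ == "__main__":
    for x in range(5):
        print(f"F({x}) from c0 = {dph_cdf(E0, P_HAT, x)}")
    print("beta=0.2 :", scheduling_table(P_HAT, Fr(1, 5)))
    print("beta=0.3 :", scheduling_table(P_HAT, Fr(3, 10)))
    print("beta=0.05:", scheduling_table(P_HAT, Fr(1, 20)))
```

From $c_0$ the block gives $F(2) = 1/8$ and $F(3) = 9/32$, so with $\beta = 0.2$ the controller may hibernate for 2 steps, with $\beta = 0.3$ for 3 steps, and from $c_1$ or $c_2$ (where $F(1) = 1/4$) it must observe at the next step unless $\beta \ge 1/4$; lowering $\beta$ to $0.05$ shortens the sleep from $c_0$ to 1 step, mirroring the effect described in Example V.1.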

Fig. 6. Transition relation for DTMCs: $(q, x, q') \in \delta$ implies $\langle t, q \rangle \to_{sys} \langle t + 1, q' \rangle$.

Fig. 7. Transition relation for CTMCs: $(q, x, q') \in \delta$ and $x' \in \mathbb{R}_{>0}$ imply $\langle t, q \rangle \to_{sys} \langle t + x', q' \rangle$.

C. Scheduling Functions for Continuous Time Markov Chains

A homogeneous Continuous Time Markov Chain (CTMC) is a probabilistic model of a target with an underlying continuous time domain, i.e., an analogue of a DTMC where a real valued clock underlies the system.

Definition V.3. A Continuous Time Markov Chain (CTMC) is a tuple $(S, s_0, R)$ where $S$ is a finite set of states, $s_0 \in S$ is the initial state, $R : S \times S \to \mathbb{R}_{\ge 0}$ is the transition rate matrix.

The transition rate between each pair of states is described in the transition rate matrix $R$, and represents the negative parameter of an exponential distribution. The time spent in a state $s \in S$ is exponentially distributed with rate $E(s)$, defined as $E(s) \stackrel{def}{=} \sum_{s' \in S} R(s, s')$. The value $E(s)$, for a state $s$, is called the exit rate of $s$. From a CTMC an embedded DTMC can be retrieved by defining its transition probability matrix $P(s, s') = R(s, s')/E(s)$. Targets whose behaviour is described as a CTMC generate executions where the sojourn time in a state is distributed according to an exponential distribution with parameter corresponding to the exit rate of the state, and in which the probabilistic jumps are resolved according to the embedded DTMC. The notions we introduced for DTMCs apply also to CTMCs, where an absorbing state $s$ is such that $E(s) = 0$. Also, labelled extensions of CTMCs can be obtained along the line of the labelled extensions of DTMCs. Scheduling functions for CTMCs are defined similarly to the corresponding discrete case. In particular, the time until absorption is described by a Continuous Phase-type (PH) distribution, as opposed to the DPH distribution of the previous case. Technically, given a set of states $Q_A = \{q_1, \ldots, q_n\}$, a labelled CTMC is described as a pair $(A, \theta)$, where $A = (\Sigma, Q_A, \iota_A, \delta_A, F_A)$, with $F_A = Q_A$, is a deterministic FSM, and $\theta : Q_A \times \Sigma \times Q_A \to \mathbb{R}^+$ gives the rate associated with each transition. As in the previous cases, we assume $\theta(t) = 0$ for all $t \notin \delta_A$.
According to Definition V.3, a labelled CTMC can be represented as a tuple $(Q_A, e(\iota_A), R)$, where $e(\iota_A)$ is a unit vector with 1 only in the position corresponding to the initial state $\iota_A$, and $R = [r_{ij}]$, namely the transition rates matrix, is such that $r_{ij} = \sum_{x \in \Sigma} \theta(q_i, x, q_j)$.

Definition V.4. Let $(S, s_0, R)$ be a terminating CTMC; define its infinitesimal generator matrix $R^{in}$ with entries $r^{in}_{i,j}$ where $r^{in}_{i,j} = r_{i,j}$ if $i \neq j$ and $r_{i,j} \in R$, and $r^{in}_{i,i} = -\sum_{j \neq i} r_{i,j}$. Then, (by possibly renumbering the states of the CTMC) define

$$R^{in} = \begin{bmatrix} \hat{R}^{in} & \rho \\ 0 & 0 \end{bmatrix}$$

where (i) $\hat{R}^{in} \in [0, 1]^{(|S|-1) \times (|S|-1)}$ restricts $R^{in}$ to the transient states, (ii) $\rho$ and $0$ are as in Definition V.2. A Continuous Phase-type (PH) distribution $PH(\tau, \hat{R}^{in})$ is a row vector $\tau \in \{0, 1\}^{|S|-1}$, i.e., the initial distribution over transient states, and the matrix $\hat{R}^{in}$. Its cumulative distribution function is

$$F(x) = 1 - \tau\, e^{x \hat{R}^{in}}\, \mathbb{1} \quad \text{for } x \in \mathbb{R}^+$$

where $e^{(\cdot)}$ denotes matrix exponentiation.

The set of possible timed transitions of a given CTMC $(A, \theta)$ is described by the transition relation $\to_{sys}$, defined in Figure 7. Notice that, since the exponential distribution takes values in $[0, +\infty)$, such a relation defines infinitely many transitions. As in the discrete case the controller is $C = absorbing(det(A_{bad(\phi)}) \otimes A)$ enriched with a labelling function $\theta' : Q_C \times \Sigma \times Q_C \to \mathbb{R}^+$. The definition of $\theta'$ is analogous to that of the DTMC, provided that the loop transition on the final state is $\forall x \in \Sigma.\ \theta'(\psi_C, x, \psi_C) = 0$. A continuous-time analogue of Proposition V.2 can now be stated.

Proposition V.4. The PH distribution of $(C, \theta')$ is the distribution of the time until the next violation for such a CTMC.

As in the discrete case such a chain is terminating and the absorbing state is $\psi_C$. Given a state $c \in Q_C$, function $\zeta(c, h)$ gives the maximum allowed time $t \in \mathbb{R}$ for which the probability of reaching the final state $\psi_C$ from the current state $c$, within $t$ time units, is less than an arbitrary probability $\beta$, as it was for DTMCs. The first time to reach the absorbing state follows a Continuous Phase-type distribution $PH(e(c), \hat{R}^{in})$ obtained from the CTMC $(C, \theta')$ according to Definition V.4.
Given its cumulative distribution function $F$, the maximum time to sleep is again given by $t = \max\{0,\ \max\{t' \mid F(t') \le \beta\} - h\}$, which corresponds, when $t > h$, to solving

$$1 - \tau\, e^{\hat{R}^{in}(t + h)}\, \mathbb{1} = \beta \tag{6}$$

since $F$ is monotonic. As for DTMCs, $h$ appears since the PH is not memoryless. By synthesizing lazy controllers in this manner the following proposition holds.

Proposition V.5. If $\zeta(c, h) = t$ with $t$ a solution of equation (6) for some $\beta \in [0, 1]$, then the probability of a passive violation is bounded by $\beta$.

Example V.2. Consider the FSM of Figure 2 denoting a CTMC $(\{S_0, S_1, S_2\}, S_0, R)$, and let us build the terminating CTMC $(\{S_0T_0, S_1T_1, S_2T_0, S_0T_1, S_1T_2\}, S_0T_0, R')$ of Figure 5, where $R$ and $R'$ are the transition rate matrices of the two chains (their entries do not survive in the extracted text). As for DTMCs, the latter of these matrices is obtained from the former through the definition of parallel composition of FSMs. From $R'$, considering the top-left $4 \times 4$ sub-matrix of the corresponding infinitesimal generator matrix $R'^{in}$, we extract $\hat{R}^{in}$. If we numerically solve equation (6), by varying the state-distribution $\tau$ to account for each possible state of the chain, we obtain a scheduling function $\zeta$ such that $\zeta(S_0T_0, 0) = $ , $\zeta(S_1T_1, 0) = $ , $\zeta(S_2T_0, 0) = $ , $\zeta(S_0T_1, 0) = $ , for the threshold $\beta = 0.2$. Again, if one lowers the threshold to $\beta = 0.05$ the observations are scheduled more frequently, so for instance $\zeta(S_0T_0, 0) = $ .

VI. PROTOTYPE IMPLEMENTATION AND DISCUSSION

In order to test our monitoring environment under realistic assumptions, we defined and implemented a complete case study. In particular, lazy controllers have been applied for watching the execution of a web service running on an OSGi platform. In this section we present our prototype and we discuss its behaviour and performance.

A. Case study

We imagine a simple medical prescription service infrastructure. The system consists of four actors: (i) a prescription service, (ii) its customers, i.e., doctors, (iii) pharmacies and (iv) a delivery service. Figure 8 depicts the whole system. Registered doctors can use the prescription service to fill prescription forms for their patients and submit them to a pharmacy or to the delivery service. Briefly, the program works as follows:

1) initially, the system waits for users, i.e., doctors, to log in (action login);
2) then the doctor can add one or more medicines (standard, i.e., add_med, or HIV-specific, i.e., add_hiv) to the prescription;
3) finally, the doctor chooses between two modalities, i.e., pharmacy and deliver, for specifying how the patient accesses the medicines.

At each step, the doctor can cancel (cancel) the operation and, at the end, he must confirm (confirm) the prescription. Figure 9 shows the finite state machine (FSM) representing the prescription system.
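Equation (6) needs the matrix exponential $e^{x \hat{R}^{in}}$ of Definition V.4, and in Example V.2 and in the prototype that follows it is solved numerically for every controller state. The Python block below is an added example, not code from the paper or its prototype: it evaluates the PH survival probability $\tau e^{x \hat{R}^{in}} \mathbb{1}$ by uniformisation (a Poisson-weighted sum of powers of the stochastic matrix $I + \hat{R}^{in}/\Lambda$, $\Lambda = \max_i |r^{in}_{i,i}|$), which needs only matrix-vector products, and then solves $F(t') = \beta$ by bisection since $F$ is monotonic. The two-state transient block `Q_HAT` and its rates are constructed for the example, not those of Figure 5; `t_max` is an added search bound for the bisection, and the `iters`/`eps` tolerances are assumptions.

```python
"""Scheduling function for a CTMC target from its Continuous Phase-type (PH)
distribution: F(x) = 1 - tau exp(x R_hat) 1, zeta(c, h) = max{0, max{t | F(t) <= beta} - h}.
Added example; the generator below is constructed, not the one of Figure 5."""
import math
from typing import Dict, List, Sequence

Matrix = List[List[float]]

# Constructed sub-generator R_hat (transient states a, b): from a, rate 1 to b;
# from b, rate 2 back to a and rate 1 to the absorbing state psi_C (the row
# deficit -3 + 2 = -1 is exactly that absorption rate).
Q_HAT: Matrix = [[-1.0, 1.0],
                 [2.0, -3.0]]
E_A = [1.0, 0.0]   # e(a): the controller currently sits in state a
E_B = [0.0, 1.0]


def mat_vec(m: Matrix, v: Sequence[float]) -> List[float]:
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def ph_survival(tau: Sequence[float], q_hat: Matrix, t: float, eps: float = 1e-12) -> float:
    """tau * exp(t Q_hat) * 1 via uniformisation:
    exp(t Q) 1 = sum_k Poisson(k; Lambda t) * P_u^k 1 with P_u = I + Q/Lambda.
    The Poisson weights sum to 1, so the series is cut once their mass exceeds 1 - eps."""
    n = len(q_hat)
    lam = max(-q_hat[i][i] for i in range(n))
    if lam == 0.0:                       # no rate leaves the transient states
        return sum(tau)
    p_u = [[(1.0 if i == j else 0.0) + q_hat[i][j] / lam for j in range(n)] for i in range(n)]
    v = [1.0] * n                        # P_u^k 1, k = 0
    weight = math.exp(-lam * t)          # Poisson(0; lam t)
    cum = weight
    total = weight * sum(ti * vi for ti, vi in zip(tau, v))
    k = 0
    while cum < 1.0 - eps and k < 100000:   # k cap guards against weight underflow
        k += 1
        v = mat_vec(p_u, v)
        weight *= lam * t / k            # Poisson(k; lam t) from Poisson(k-1; lam t)
        cum += weight
        total += weight * sum(ti * vi for ti, vi in zip(tau, v))
    return total


def ph_cdf(tau: Sequence[float], q_hat: Matrix, t: float) -> float:
    """F(t): probability that the violation (absorption) happens within t time units."""
    return 1.0 - ph_survival(tau, q_hat, t)


def schedule_ph(tau: Sequence[float], q_hat: Matrix, h: float, beta: float,
                t_max: float = 50.0, iters: int = 80) -> float:
    """zeta(c, h) = max{0, t* - h} where t* is the largest t with F(t) <= beta.
    F is continuous and non-decreasing, so t* is found by bisection on [0, t_max]."""
    if ph_cdf(tau, q_hat, t_max) <= beta:
        return max(0.0, t_max - h)       # even t_max is safe for this beta
    lo, hi = 0.0, t_max
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if ph_cdf(tau, q_hat, mid) <= beta:
            lo = mid
        else:
            hi = mid
    return max(0.0, lo - h)


def scheduling_table_ph(q_hat: Matrix, beta: float, h: float = 0.0) -> Dict[int, float]:
    """zeta(c, h) for every transient state c (the prototype stores these with h = 0)."""
    n = len(q_hat)
    return {c: schedule_ph([1.0 if i == c else 0.0 for i in range(n)], q_hat, h, beta)
            for c in range(n)}


if __name__ == "__main__":
    for beta in (0.2, 0.05):
        print(f"beta={beta}:", scheduling_table_ph(Q_HAT, beta))
```

As a sanity check, a single transient state with exit rate $\lambda$ has $F(t) = 1 - e^{-\lambda t}$, so the bisection must return $-\ln(1-\beta)/\lambda$; for the constructed two-state block, $F(\zeta(c, 0)) = \beta$ holds within the tolerance, and lowering $\beta$ from $0.2$ to $0.05$ shortens every sleep, as in Example V.2.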
In order to avoid privacy violations, HIV therapies must always be delivered at the customer's residence. The FSM of Figure 10 represents the privacy policy described above. Briefly, the policy reaches the final state, i.e., detects a violation, if a session in which add_hiv has been invoked concludes with pharmacy.

Fig. 8. The prescription service scenario.

B. Prototype structure

The OSGi bundle implementing the prescription service mainly consists of a simple RMI interface. The interface declares a method for each action labelling the FSM of Figure 9, e.g., deliver() for deliver². Each method behaves according to its specification, e.g., add_med() adds a medicine to the current prescription, and writes a new entry in the log. Logging functionalities are provided by an implementation of the org.apache.commons.logging.Log interface that simply appends the given label and a timestamp to a text file. The lazy controller is an external application, i.e., running on a different platform w.r.t. the target service. At each control cycle, the monitor wakes up and requests the current log from the remote platform³. Then, the log trace is processed by the policy automaton, see Figure 10, to check whether a violation occurred. If it is the case, the monitor sends a security error signal to the execution platform (here causing the target to be reinitialised). Instead, if the observed trace is legal, the lazy monitor schedules the next control cycle and hibernates, i.e., goes idle. The scheduling function maps a pair of states $p$, for the target, and $q$, for the policy, into a hibernation time $t_{p,q} \in \mathbb{R}^+$. We compute hibernation times before starting the monitoring process. In this way, we carry out the computation only once and we store the pairs $\langle (p, q), t_{p,q} \rangle$ in a two-column table. Hibernation times are computed, using the procedure detailed in Section V, starting from a description of the target system. Clearly, the system behaviour depends on the customers. We assume that a standard behaviour is known, e.g., by analysing the system execution.
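The control cycle just described (wake up, fetch the log fragment appended since the last request, run it through the target and policy automata, then either raise a security error or look up $t_{p,q}$ and hibernate) is shown below as an added Python simulation; it is not the prototype's code. The prescription FSM and the privacy policy are my reading of Section VI.A and of the description of Figure 10 (a session in which add_hiv was invoked and which concludes with pharmacy is a violation; confirm and cancel end the session), the hibernation table `HIBERNATION` holds constructed values in seconds rather than times computed from the matrices of Figure 11, and the two log traces are constructed for the example.

```python
"""Lazy monitor control cycle over a text log of (timestamp, action) entries.
Added example.  The automata follow the text of Section VI; the hibernation
table and the log traces are constructed, not the prototype's data."""
from typing import Dict, List, Optional, Tuple

LogEntry = Tuple[float, str]          # (timestamp in seconds, action label)

# Prescription FSM of Figure 9 as described in Section VI.A (assumed reading).
TARGET: Dict[Tuple[int, str], int] = {
    (0, "login"): 1,
    (1, "add_med"): 2, (1, "add_hiv"): 2, (1, "cancel"): 0,
    (2, "add_med"): 2, (2, "add_hiv"): 2, (2, "cancel"): 0,
    (2, "pharmacy"): 3, (2, "deliver"): 3,
    (3, "confirm"): 0, (3, "cancel"): 0,
}
POLICY_VIOLATION = 2                   # final state of the policy automaton


def target_step(p: int, action: str) -> int:
    """Advance the target FSM; an action outside delta is an error in the trace."""
    try:
        return TARGET[(p, action)]
    except KeyError:
        raise ValueError(f"action {action!r} not enabled in target state {p}") from None


def policy_step(q: int, action: str) -> int:
    """Privacy policy of Figure 10 as described in the text (assumed reading):
    0 = no HIV drug in this session, 1 = add_hiv seen, 2 = violation (absorbing)."""
    if q == POLICY_VIOLATION:
        return q
    if q == 0:
        return 1 if action == "add_hiv" else 0
    if action == "pharmacy":
        return POLICY_VIOLATION
    return 0 if action in ("confirm", "cancel") else 1


# Constructed hibernation table <(p, q), t_{p,q}> in seconds.  Short sleeps where
# the policy already saw add_hiv, since pharmacy (the violation) is then one step away.
HIBERNATION: Dict[Tuple[int, int], float] = {
    (0, 0): 15.0, (1, 0): 10.0, (2, 0): 20.0, (3, 0): 30.0,
    (1, 1): 10.0, (2, 1): 5.0, (3, 1): 5.0,
}


def run_monitor(log: List[LogEntry], table: Dict[Tuple[int, int], float],
                start: float = 0.0, default_sleep: float = 5.0) -> Dict[str, object]:
    """Simulate the lazy monitor over a complete, timestamped log.
    Returns the wake-up times, the wake-up at which the violation was detected
    (None if the trace is legal) and the detection delay."""
    entries = sorted(log)
    cursor, now, p, q = 0, start, 0, 0
    wake_times: List[float] = []
    violated_at: Optional[float] = None
    while True:
        wake_times.append(now)
        # Fetch only the fragment appended since the last request (footnote 3).
        while cursor < len(entries) and entries[cursor][0] <= now:
            ts, action = entries[cursor]
            p, q = target_step(p, action), policy_step(q, action)
            if q == POLICY_VIOLATION and violated_at is None:
                violated_at = ts
            cursor += 1
        if q == POLICY_VIOLATION:       # security error signalled to the platform
            return {"wake_times": wake_times, "violation_wake": now,
                    "delay": now - violated_at}
        if cursor >= len(entries):     # log exhausted without a violation
            return {"wake_times": wake_times, "violation_wake": None, "delay": None}
        now += table.get((p, q), default_sleep)   # hibernate


# Constructed traces: one legal session and one that prescribes an HIV drug and
# concludes with pharmacy (violating the privacy policy at t = 42).
LEGAL_LOG: List[LogEntry] = [(5.0, "login"), (10.0, "add_med"),
                             (15.0, "pharmacy"), (20.0, "confirm")]
HIV_PHARMACY_LOG: List[LogEntry] = [(5.0, "login"), (20.0, "add_hiv"), (25.0, "add_med"),
                                    (42.0, "pharmacy"), (45.0, "confirm")]

if __name__ == "__main__":
    print(run_monitor(LEGAL_LOG, HIBERNATION))
    print(run_monitor(HIV_PHARMACY_LOG, HIBERNATION))
```

On the violating trace the monitor wakes at 0, 15, 25, 30, 35, 40 and 45 seconds: after seeing add_hiv at the 25-second wake-up the table switches it to 5-second sleeps, so the pharmacy action logged at 42 is caught at 45, a detection delay of 3 seconds, which is the quantity Figures 13 and 14 measure.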
In our model we considered two possible descriptions: Continuous Time and Discrete Time Markov Chains (CTMC and DTMC, respectively). In particular, the standard execution of the service is described by the matrices shown in Figure 11. The matrices describe the expected behaviour of the FSM of Figure 9. Matrix $R$ contains rates of state transitions, corresponding to the parameters of exponentially distributed random variables, while $P$ contains the probabilities of state transitions. Intuitively, time rates define the expected number of state transitions per second, e.g., $R[1, 2] = 1/30$ means that a transition from state 0 to state 1 happens, on the average, every 30 seconds. Instead, the elements of $P$ describe the probability of moving from the current state to the next one, e.g., $P[2, 3] = 1/10$ means that state 3 has $1/10$ probability to be the successor of 2. Also, note that $R$ and $P$ can collapse the values for more than one transition in a single value, e.g., $P[2, 2] = 17/20$ denotes both add_med ($P_{add\_med} = 4/5$) and add_hiv ($P_{add\_hiv} = 1/20$) transitions.⁴

² Note that here we are not interested in method parameters.
³ Actually it only needs to retrieve the fragment since the last request.

Fig. 9. The prescription system FSM (states 0 to 3; transitions labelled login, add_med, add_hiv, pharmacy, deliver, confirm, cancel).

Fig. 10. The privacy policy (add_hiv leads from state 0 to state 1; pharmacy from state 1 to the final state 2; confirm and cancel return to state 0).

Fig. 11. The rate and probability matrices $R$ and $P$ (the matrix entries do not survive in the extracted text).

C. Performance evaluation

The prescription service was developed with Eclipse IDE (Helios Service Release 2) and executed on the OSGi platform Equinox 3.3. Log libraries have been developed implementing the Apache Commons Logging API version 1.1.1. We tested our system by automatically generating customer sessions of several types. Customers access the system, which is monitored using a lazy controller. We synthesize the lazy controllers using the two matrices $R$ and $P$ introduced above and considering four different risk factors, i.e., 0.01, 0.05, 0.1 and 0.2. Also, we compared our monitors with a lazy controller which uses a scheduling function that returns the duration of the shortest path leading to a violation from the current state, computed by means of the Dijkstra algorithm. For this purpose, we considered the matrix $R'$ such that $R'[i, j] = 1/R[i, j]$ (and $R'[i, j] = \infty$ if $R[i, j] = 0$). For the overhead analysis we considered customers that statistically behave in a compliant way with respect to the original specification, i.e., the behavioural matrices. The execution overhead is a measure of the computational effort due to the monitoring activity in comparison with the computation of the target.
For the continuous time model we considered the activity time of the monitor against the overall execution interval. Instead, for the discrete time model we compared the number of controller synchronizations and the total number of service invocations. Figure 12 shows the simulation output. As expected, both approaches increase their performance with the growth of the risk threshold. Moreover, in general they perform better than the Dijkstra algorithm-based solution (dashed line). Clearly, such a version does not gain any advantage from the risk modification. In order to test delays in violation detection, we executed our system with clients that only emit illegal traces (in the sense of Figure 10). The violating traces are generated using the same probabilities and rates as standard clients. Figure 13 and Figure 14 show the violation detection delays produced by our testing activity. Note that the delays for CTMC and DTMC-based monitors have completely different meanings and must be interpreted accordingly. Indeed, CTMC controllers work under real time settings, i.e., the monitor is created in order to keep under control the time delay of violation detection rather than the number of actions. Conversely, DTMC controllers aim at minimising the number of actions executed after a violation. However, it is interesting to compare how the two models behave in both cases. Finally, we also introduced an error factor for testing the stability of our solution. In particular, we considered users that do not perfectly comply with the given specifications, i.e. the matrices $R$ and $P$. Interestingly, we found that the performance and delay of our system are stable even with errors up to 30%.

⁴ The actual process has been carried out using supplementary, phantom states for removing self-loops and for distinguishing multiple transitions having the same source and destination.

VII. CONCLUSION AND RELATED WORK

In this work we have proposed a new approach to the synthesis and application of a novel class of security controllers, namely lazy controllers.
The novelty of our technique stands in the possibility of scheduling the security checks along with the target execution. Although this generates a risk factor, it also extends the applicability of security monitors to many real-world scenarios. Moreover, we have shown that the risk of a security violation can be analysed and kept under control through the execution parameters of the controllers. Lazy controllers are generated starting from the specification of proactive controllers, i.e., edit automata. Then we add time constraints to the application rules. In this way, we can convert any existing security controller, enforcing an edit property, to a lazy controller. This amounts to saying that we


More information

dx dt dy = G(t, x, y), dt where the functions are defined on I Ω, and are locally Lipschitz w.r.t. variable (x, y) Ω.

dx dt dy = G(t, x, y), dt where the functions are defined on I Ω, and are locally Lipschitz w.r.t. variable (x, y) Ω. Chpter 8 Stility theory We discuss properties of solutions of first order two dimensionl system, nd stility theory for specil clss of liner systems. We denote the independent vrile y t in plce of x, nd

More information

Types of Finite Automata. CMSC 330: Organization of Programming Languages. Comparing DFAs and NFAs. Comparing DFAs and NFAs (cont.) Finite Automata 2

Types of Finite Automata. CMSC 330: Organization of Programming Languages. Comparing DFAs and NFAs. Comparing DFAs and NFAs (cont.) Finite Automata 2 CMSC 330: Orgniztion of Progrmming Lnguges Finite Automt 2 Types of Finite Automt Deterministic Finite Automt () Exctly one sequence of steps for ech string All exmples so fr Nondeterministic Finite Automt

More information

How to simulate Turing machines by invertible one-dimensional cellular automata

How to simulate Turing machines by invertible one-dimensional cellular automata How to simulte Turing mchines by invertible one-dimensionl cellulr utomt Jen-Christophe Dubcq Déprtement de Mthémtiques et d Informtique, École Normle Supérieure de Lyon, 46, llée d Itlie, 69364 Lyon Cedex

More information

Formal Methods in Software Engineering

Formal Methods in Software Engineering Forml Methods in Softwre Engineering Lecture 09 orgniztionl issues Prof. Dr. Joel Greenyer Decemer 9, 2014 Written Exm The written exm will tke plce on Mrch 4 th, 2015 The exm will tke 60 minutes nd strt

More information

CMSC 330: Organization of Programming Languages

CMSC 330: Organization of Programming Languages CMSC 330: Orgniztion of Progrmming Lnguges Finite Automt 2 CMSC 330 1 Types of Finite Automt Deterministic Finite Automt (DFA) Exctly one sequence of steps for ech string All exmples so fr Nondeterministic

More information

2.4 Linear Inequalities and Interval Notation

2.4 Linear Inequalities and Interval Notation .4 Liner Inequlities nd Intervl Nottion We wnt to solve equtions tht hve n inequlity symol insted of n equl sign. There re four inequlity symols tht we will look t: Less thn , Less thn or

More information

More on automata. Michael George. March 24 April 7, 2014

More on automata. Michael George. March 24 April 7, 2014 More on utomt Michel George Mrch 24 April 7, 2014 1 Automt constructions Now tht we hve forml model of mchine, it is useful to mke some generl constructions. 1.1 DFA Union / Product construction Suppose

More information

Types of Finite Automata. CMSC 330: Organization of Programming Languages. Comparing DFAs and NFAs. NFA for (a b)*abb.

Types of Finite Automata. CMSC 330: Organization of Programming Languages. Comparing DFAs and NFAs. NFA for (a b)*abb. CMSC 330: Orgniztion of Progrmming Lnguges Finite Automt 2 Types of Finite Automt Deterministic Finite Automt () Exctly one sequence of steps for ech string All exmples so fr Nondeterministic Finite Automt

More information

The practical version

The practical version Roerto s Notes on Integrl Clculus Chpter 4: Definite integrls nd the FTC Section 7 The Fundmentl Theorem of Clculus: The prcticl version Wht you need to know lredy: The theoreticl version of the FTC. Wht

More information

Grammar. Languages. Content 5/10/16. Automata and Languages. Regular Languages. Regular Languages

Grammar. Languages. Content 5/10/16. Automata and Languages. Regular Languages. Regular Languages 5//6 Grmmr Automt nd Lnguges Regulr Grmmr Context-free Grmmr Context-sensitive Grmmr Prof. Mohmed Hmd Softwre Engineering L. The University of Aizu Jpn Regulr Lnguges Context Free Lnguges Context Sensitive

More information

Section 4: Integration ECO4112F 2011

Section 4: Integration ECO4112F 2011 Reding: Ching Chpter Section : Integrtion ECOF Note: These notes do not fully cover the mteril in Ching, ut re ment to supplement your reding in Ching. Thus fr the optimistion you hve covered hs een sttic

More information

Quadratic Forms. Quadratic Forms

Quadratic Forms. Quadratic Forms Qudrtic Forms Recll the Simon & Blume excerpt from n erlier lecture which sid tht the min tsk of clculus is to pproximte nonliner functions with liner functions. It s ctully more ccurte to sy tht we pproximte

More information

I1 = I2 I1 = I2 + I3 I1 + I2 = I3 + I4 I 3

I1 = I2 I1 = I2 + I3 I1 + I2 = I3 + I4 I 3 2 The Prllel Circuit Electric Circuits: Figure 2- elow show ttery nd multiple resistors rrnged in prllel. Ech resistor receives portion of the current from the ttery sed on its resistnce. The split is

More information

CM10196 Topic 4: Functions and Relations

CM10196 Topic 4: Functions and Relations CM096 Topic 4: Functions nd Reltions Guy McCusker W. Functions nd reltions Perhps the most widely used notion in ll of mthemtics is tht of function. Informlly, function is n opertion which tkes n input

More information

CSCI 340: Computational Models. Kleene s Theorem. Department of Computer Science

CSCI 340: Computational Models. Kleene s Theorem. Department of Computer Science CSCI 340: Computtionl Models Kleene s Theorem Chpter 7 Deprtment of Computer Science Unifiction In 1954, Kleene presented (nd proved) theorem which (in our version) sttes tht if lnguge cn e defined y ny

More information

CS12N: The Coming Revolution in Computer Architecture Laboratory 2 Preparation

CS12N: The Coming Revolution in Computer Architecture Laboratory 2 Preparation CS2N: The Coming Revolution in Computer Architecture Lortory 2 Preprtion Ojectives:. Understnd the principle of sttic CMOS gte circuits 2. Build simple logic gtes from MOS trnsistors 3. Evlute these gtes

More information

Interpreting Integrals and the Fundamental Theorem

Interpreting Integrals and the Fundamental Theorem Interpreting Integrls nd the Fundmentl Theorem Tody, we go further in interpreting the mening of the definite integrl. Using Units to Aid Interprettion We lredy know tht if f(t) is the rte of chnge of

More information

State Minimization for DFAs

State Minimization for DFAs Stte Minimiztion for DFAs Red K & S 2.7 Do Homework 10. Consider: Stte Minimiztion 4 5 Is this miniml mchine? Step (1): Get rid of unrechle sttes. Stte Minimiztion 6, Stte is unrechle. Step (2): Get rid

More information

5.7 Improper Integrals

5.7 Improper Integrals 458 pplictions of definite integrls 5.7 Improper Integrls In Section 5.4, we computed the work required to lift pylod of mss m from the surfce of moon of mss nd rdius R to height H bove the surfce of the

More information

Properties of Integrals, Indefinite Integrals. Goals: Definition of the Definite Integral Integral Calculations using Antiderivatives

Properties of Integrals, Indefinite Integrals. Goals: Definition of the Definite Integral Integral Calculations using Antiderivatives Block #6: Properties of Integrls, Indefinite Integrls Gols: Definition of the Definite Integrl Integrl Clcultions using Antiderivtives Properties of Integrls The Indefinite Integrl 1 Riemnn Sums - 1 Riemnn

More information

80 CHAPTER 2. DFA S, NFA S, REGULAR LANGUAGES. 2.6 Finite State Automata With Output: Transducers

80 CHAPTER 2. DFA S, NFA S, REGULAR LANGUAGES. 2.6 Finite State Automata With Output: Transducers 80 CHAPTER 2. DFA S, NFA S, REGULAR LANGUAGES 2.6 Finite Stte Automt With Output: Trnsducers So fr, we hve only considered utomt tht recognize lnguges, i.e., utomt tht do not produce ny output on ny input

More information

Regular expressions, Finite Automata, transition graphs are all the same!!

Regular expressions, Finite Automata, transition graphs are all the same!! CSI 3104 /Winter 2011: Introduction to Forml Lnguges Chpter 7: Kleene s Theorem Chpter 7: Kleene s Theorem Regulr expressions, Finite Automt, trnsition grphs re ll the sme!! Dr. Neji Zgui CSI3104-W11 1

More information

Centrum voor Wiskunde en Informatica REPORTRAPPORT. Supervisory control for nondeterministic systems

Centrum voor Wiskunde en Informatica REPORTRAPPORT. Supervisory control for nondeterministic systems Centrum voor Wiskunde en Informtic REPORTRAPPORT Supervisory control for nondeterministic systems A. Overkmp Deprtment of Opertions Reserch, Sttistics, nd System Theory BS-R9411 1994 Supervisory Control

More information

13 Learning with Queries

13 Learning with Queries 13 Lerning with Queries Among the more interesting remining theoreticl questions re: inference in the presence of noise, generl strtegies for interctive presenttion nd the inference of systems with semntics.

More information

CS 311 Homework 3 due 16:30, Thursday, 14 th October 2010

CS 311 Homework 3 due 16:30, Thursday, 14 th October 2010 CS 311 Homework 3 due 16:30, Thursdy, 14 th Octoer 2010 Homework must e sumitted on pper, in clss. Question 1. [15 pts.; 5 pts. ech] Drw stte digrms for NFAs recognizing the following lnguges:. L = {w

More information

Finite Automata. Informatics 2A: Lecture 3. John Longley. 22 September School of Informatics University of Edinburgh

Finite Automata. Informatics 2A: Lecture 3. John Longley. 22 September School of Informatics University of Edinburgh Lnguges nd Automt Finite Automt Informtics 2A: Lecture 3 John Longley School of Informtics University of Edinburgh jrl@inf.ed.c.uk 22 September 2017 1 / 30 Lnguges nd Automt 1 Lnguges nd Automt Wht is

More information

Software Engineering using Formal Methods

Software Engineering using Formal Methods Softwre Engineering using Forml Methods Propositionl nd (Liner) Temporl Logic Wolfgng Ahrendt 13th Septemer 2016 SEFM: Liner Temporl Logic /GU 160913 1 / 60 Recpitultion: FormlistionFormlistion: Syntx,

More information

CHAPTER 1 PROGRAM OF MATRICES

CHAPTER 1 PROGRAM OF MATRICES CHPTER PROGRM OF MTRICES -- INTRODUCTION definition of engineering is the science y which the properties of mtter nd sources of energy in nture re mde useful to mn. Thus n engineer will hve to study the

More information

Quantum Nonlocality Pt. 2: No-Signaling and Local Hidden Variables May 1, / 16

Quantum Nonlocality Pt. 2: No-Signaling and Local Hidden Variables May 1, / 16 Quntum Nonloclity Pt. 2: No-Signling nd Locl Hidden Vriles My 1, 2018 Quntum Nonloclity Pt. 2: No-Signling nd Locl Hidden Vriles My 1, 2018 1 / 16 Non-Signling Boxes The primry lesson from lst lecture

More information

Lecture 3: Equivalence Relations

Lecture 3: Equivalence Relations Mthcmp Crsh Course Instructor: Pdric Brtlett Lecture 3: Equivlence Reltions Week 1 Mthcmp 2014 In our lst three tlks of this clss, we shift the focus of our tlks from proof techniques to proof concepts

More information

Section 6.1 INTRO to LAPLACE TRANSFORMS

Section 6.1 INTRO to LAPLACE TRANSFORMS Section 6. INTRO to LAPLACE TRANSFORMS Key terms: Improper Integrl; diverge, converge A A f(t)dt lim f(t)dt Piecewise Continuous Function; jump discontinuity Function of Exponentil Order Lplce Trnsform

More information

Homework 3 Solutions

Homework 3 Solutions CS 341: Foundtions of Computer Science II Prof. Mrvin Nkym Homework 3 Solutions 1. Give NFAs with the specified numer of sttes recognizing ech of the following lnguges. In ll cses, the lphet is Σ = {,1}.

More information

Automata Theory 101. Introduction. Outline. Introduction Finite Automata Regular Expressions ω-automata. Ralf Huuck.

Automata Theory 101. Introduction. Outline. Introduction Finite Automata Regular Expressions ω-automata. Ralf Huuck. Outline Automt Theory 101 Rlf Huuck Introduction Finite Automt Regulr Expressions ω-automt Session 1 2006 Rlf Huuck 1 Session 1 2006 Rlf Huuck 2 Acknowledgement Some slides re sed on Wolfgng Thoms excellent

More information

GNFA GNFA GNFA GNFA GNFA

GNFA GNFA GNFA GNFA GNFA DFA RE NFA DFA -NFA REX GNFA Definition GNFA A generlize noneterministic finite utomton (GNFA) is grph whose eges re lele y regulr expressions, with unique strt stte with in-egree, n unique finl stte with

More information

Math 8 Winter 2015 Applications of Integration

Math 8 Winter 2015 Applications of Integration Mth 8 Winter 205 Applictions of Integrtion Here re few importnt pplictions of integrtion. The pplictions you my see on n exm in this course include only the Net Chnge Theorem (which is relly just the Fundmentl

More information

CHAPTER 1 Regular Languages. Contents

CHAPTER 1 Regular Languages. Contents Finite Automt (FA or DFA) CHAPTE 1 egulr Lnguges Contents definitions, exmples, designing, regulr opertions Non-deterministic Finite Automt (NFA) definitions, euivlence of NFAs nd DFAs, closure under regulr

More information

Homework Solution - Set 5 Due: Friday 10/03/08

Homework Solution - Set 5 Due: Friday 10/03/08 CE 96 Introduction to the Theory of Computtion ll 2008 Homework olution - et 5 Due: ridy 10/0/08 1. Textook, Pge 86, Exercise 1.21. () 1 2 Add new strt stte nd finl stte. Mke originl finl stte non-finl.

More information

Improper Integrals. The First Fundamental Theorem of Calculus, as we ve discussed in class, goes as follows:

Improper Integrals. The First Fundamental Theorem of Calculus, as we ve discussed in class, goes as follows: Improper Integrls The First Fundmentl Theorem of Clculus, s we ve discussed in clss, goes s follows: If f is continuous on the intervl [, ] nd F is function for which F t = ft, then ftdt = F F. An integrl

More information

A likelihood-ratio test for identifying probabilistic deterministic real-time automata from positive data

A likelihood-ratio test for identifying probabilistic deterministic real-time automata from positive data A likelihood-rtio test for identifying proilistic deterministic rel-time utomt from positive dt Sicco Verwer 1, Mthijs de Weerdt 2, nd Cees Witteveen 2 1 Eindhoven University of Technology 2 Delft University

More information

Name Ima Sample ASU ID

Name Ima Sample ASU ID Nme Im Smple ASU ID 2468024680 CSE 355 Test 1, Fll 2016 30 Septemer 2016, 8:35-9:25.m., LSA 191 Regrding of Midterms If you elieve tht your grde hs not een dded up correctly, return the entire pper to

More information

The University of Nottingham SCHOOL OF COMPUTER SCIENCE A LEVEL 2 MODULE, SPRING SEMESTER LANGUAGES AND COMPUTATION ANSWERS

The University of Nottingham SCHOOL OF COMPUTER SCIENCE A LEVEL 2 MODULE, SPRING SEMESTER LANGUAGES AND COMPUTATION ANSWERS The University of Nottinghm SCHOOL OF COMPUTER SCIENCE LEVEL 2 MODULE, SPRING SEMESTER 2016 2017 LNGUGES ND COMPUTTION NSWERS Time llowed TWO hours Cndidtes my complete the front cover of their nswer ook

More information

Strong Bisimulation. Overview. References. Actions Labeled transition system Transition semantics Simulation Bisimulation

Strong Bisimulation. Overview. References. Actions Labeled transition system Transition semantics Simulation Bisimulation Strong Bisimultion Overview Actions Lbeled trnsition system Trnsition semntics Simultion Bisimultion References Robin Milner, Communiction nd Concurrency Robin Milner, Communicting nd Mobil Systems 32

More information

NFA DFA Example 3 CMSC 330: Organization of Programming Languages. Equivalence of DFAs and NFAs. Equivalence of DFAs and NFAs (cont.

NFA DFA Example 3 CMSC 330: Organization of Programming Languages. Equivalence of DFAs and NFAs. Equivalence of DFAs and NFAs (cont. NFA DFA Exmple 3 CMSC 330: Orgniztion of Progrmming Lnguges NFA {B,D,E {A,E {C,D {E Finite Automt, con't. R = { {A,E, {B,D,E, {C,D, {E 2 Equivlence of DFAs nd NFAs Any string from {A to either {D or {CD

More information

First Midterm Examination

First Midterm Examination Çnky University Deprtment of Computer Engineering 203-204 Fll Semester First Midterm Exmintion ) Design DFA for ll strings over the lphet Σ = {,, c} in which there is no, no nd no cc. 2) Wht lnguge does

More information

The First Fundamental Theorem of Calculus. If f(x) is continuous on [a, b] and F (x) is any antiderivative. f(x) dx = F (b) F (a).

The First Fundamental Theorem of Calculus. If f(x) is continuous on [a, b] and F (x) is any antiderivative. f(x) dx = F (b) F (a). The Fundmentl Theorems of Clculus Mth 4, Section 0, Spring 009 We now know enough bout definite integrls to give precise formultions of the Fundmentl Theorems of Clculus. We will lso look t some bsic emples

More information

The size of subsequence automaton

The size of subsequence automaton Theoreticl Computer Science 4 (005) 79 84 www.elsevier.com/locte/tcs Note The size of susequence utomton Zdeněk Troníček,, Ayumi Shinohr,c Deprtment of Computer Science nd Engineering, FEE CTU in Prgue,

More information

3 Regular expressions

3 Regular expressions 3 Regulr expressions Given n lphet Σ lnguge is set of words L Σ. So fr we were le to descrie lnguges either y using set theory (i.e. enumertion or comprehension) or y n utomton. In this section we shll

More information

CSE396 Prelim I Answer Key Spring 2017

CSE396 Prelim I Answer Key Spring 2017 Nme nd St.ID#: CSE96 Prelim I Answer Key Spring 2017 (1) (24 pts.) Define A to e the lnguge of strings x {, } such tht x either egins with or ends with, ut not oth. Design DFA M such tht L(M) = A. A node-rc

More information

CS 275 Automata and Formal Language Theory

CS 275 Automata and Formal Language Theory CS 275 utomt nd Forml Lnguge Theory Course Notes Prt II: The Recognition Prolem (II) Chpter II.5.: Properties of Context Free Grmmrs (14) nton Setzer (Bsed on ook drft y J. V. Tucker nd K. Stephenson)

More information

MAA 4212 Improper Integrals

MAA 4212 Improper Integrals Notes by Dvid Groisser, Copyright c 1995; revised 2002, 2009, 2014 MAA 4212 Improper Integrls The Riemnn integrl, while perfectly well-defined, is too restrictive for mny purposes; there re functions which

More information

12.1 Nondeterminism Nondeterministic Finite Automata. a a b ε. CS125 Lecture 12 Fall 2014

12.1 Nondeterminism Nondeterministic Finite Automata. a a b ε. CS125 Lecture 12 Fall 2014 CS125 Lecture 12 Fll 2014 12.1 Nondeterminism The ide of nondeterministic computtions is to llow our lgorithms to mke guesses, nd only require tht they ccept when the guesses re correct. For exmple, simple

More information

Finite Automata-cont d

Finite Automata-cont d Automt Theory nd Forml Lnguges Professor Leslie Lnder Lecture # 6 Finite Automt-cont d The Pumping Lemm WEB SITE: http://ingwe.inghmton.edu/ ~lnder/cs573.html Septemer 18, 2000 Exmple 1 Consider L = {ww

More information

Refined interfaces for compositional verification

Refined interfaces for compositional verification Refined interfces for compositionl verifiction Frédéric Lng INRI Rhône-lpes http://www.inrilpes.fr/vsy Motivtion Enumertive verifiction of concurrent systems Prllel composition of synchronous processes

More information

Linear Inequalities. Work Sheet 1

Linear Inequalities. Work Sheet 1 Work Sheet 1 Liner Inequlities Rent--Hep, cr rentl compny,chrges $ 15 per week plus $ 0.0 per mile to rent one of their crs. Suppose you re limited y how much money you cn spend for the week : You cn spend

More information

A Symbolic Approach to Control via Approximate Bisimulations

A Symbolic Approach to Control via Approximate Bisimulations A Symolic Approch to Control vi Approximte Bisimultions Antoine Girrd Lortoire Jen Kuntzmnn, Université Joseph Fourier Grenole, Frnce Interntionl Symposium on Innovtive Mthemticl Modelling Tokyo, Jpn,

More information

NFAs and Regular Expressions. NFA-ε, continued. Recall. Last class: Today: Fun:

NFAs and Regular Expressions. NFA-ε, continued. Recall. Last class: Today: Fun: CMPU 240 Lnguge Theory nd Computtion Spring 2019 NFAs nd Regulr Expressions Lst clss: Introduced nondeterministic finite utomt with -trnsitions Tody: Prove n NFA- is no more powerful thn n NFA Introduce

More information