Static-Dynamic Analysis of Security Metrics

Transcription

1 Static-Dynamic Analysis of Security Metrics for Cyber-Physical Systems Sayan Mitra (PI), Geir Dullerud (co-pi), Swarat Chaudhuri (co-pi) University of Illinois at Urbana Champaign NSA SoS Quarterly meeting, University of Maryland October 29 th

2 Project team Sayan Mitra UIUC, ECE Hybrid & Distributed systems Geir Dullerud UIUC, MechE Control theory, hybrid systems Swarat Chaudhuri Rice University, CS Programming Languages, Formal methods Zhenqi Huang PhD student, ECE Yu Wang PhD student, MechE 2

3 Project goal Hard problem addressed: (1) Predictive security metrics and (2) scalability and composability Title: Static-Dynamic Analysis of Security Metrics for Cyber- Physical Systems Goals: (a) Identify security metrics & adversary models (b) develop theory, algorithms & tools for analyzing the metrics in the context of adversary models 3

4 CPS & Security Plant dynamics Actuator hardware Sensor hardware Controller Hardware software 4

5 Models, code, adversaries, & metrics Plant dynamics Actuator hardware Sensor hardware Controller Hardware software 5

6 Hierarchy of modeling formalisms Discrete transition systems (countable states) FSM, PDA, TMs Communicating processes IO automata, process algebras Dynamical Systems x = f(x, t, u) Guard(x) x = f 1 x, t Inv 1 Nondeterministic transition systems Switched Systems x = f σ t (x, t, u) Reset(x, x ) x = f 2 x, t Inv 2 Networked Hybrid Automata* 6

7 Metrics : Physical systems to CPS Safety factor, Margin of safety, reserve capacity Availability, Stability envelope, safety margin, vulnerability level Brooklyn bridge (1883) Adversary models access: actuator intrusion sensor jamming malicious programs energy: opportunistic curious focused committed 7

8 Outline Two problems Reachability for nonlinear hybrid systems Cost of security in distributed control Two applications Alerting protocol for parallel landing Pacemaker with networked cardiac tissue Ongoing work Synthesis with and for adversary 8

9 Part 1 STATIC-DYNAMIC ANALYSIS 9

10 Basic analysis problem: verification. Model, adversary, requirements Algorithm Bug trace Certificate x 0 Init, u U, a A, t [0, T], such that trajectory ξ x 0, a, u, t violates requirements? Yes (bug / security violation trace) / No (certificate) 10

11 Hybrid System Safety Verification. Early 90 s: Exactly compute unbounded time reach set Decidable for timed automata [Alur Dill 92] Undecidable even for rectangular dynamics [Henzinger 95] Late : Approximate bounded time reach set Hamilton-Jacobi-Bellman approach [Tomlin et al. 02] Polytopes [Henzinger 97], ellipsoids [Kurzhanski] zonotopes [Girard 05], support functions [Frehse 08] Predicate abstraction [Alur 03], CEGAR [Clarke 03] [Mitra 13] Today: Scalability Simulation-based methods [Julius 02] [Mitra 10-13][Donze 07] 11

12 A simple strategy Given start S and target Compute finite cover of initial set Simulate from the center x 0 of each cover Bloat simulation so that bloated tube contains all trajectories from the cover Union = over-approximation of reach set Check intersection/containment with T Refine T x 0 How much to bloat? How to handle mode switches? 12

13 Discrepancy (Annotations in the spirit of loop invariants). Definition. β: R 2n R 0 R 0 defines a discrepancy of the system if for any two states x 1 and x 2 X, For any t, 1. ξ x 1, t ξ x 2, t β x 1, x 2, t and 2. β 0 as x 1 x 2 x 0 invariant x 10 until x 10 do x x + 1 od ξ x 1, t V ξ x 1, t, ξ x 2, t β x 1, x 2, t 13

14 Lipschitz Constant. If L is a Lipschitz constant for f(x,t) then ξ x 1, t ξ x 2, t e Lt x 1 x 2 Theorem [Lohmiller & Slotine 98]. A positive definite matrix M is a contraction metric if there is a constant b M > 0 such that the Jacobian J of f satisfies: J T M + M J + b M M 0. If M is a contraction metric then k, δ > 0 such that ξ x, t 14

15 Hybrid Systems: Invariants Track & propagate may and must fragments of reachtube tagregion R, P = must may not R P R P R P = invariantprefix(ψ, S) = R 0, tag 0,, R m, tag m, such that either tag i = must if all the R j s before it are must tag i = may if all the R j s before it are at least may and at least one of them is not must 16

16 Sound & Relatively Complete. Theorem. (Soundness). If Algorithm returns safe or a counter-example, then A is indeed safe or has a counter-example. Definition Given HA A = V, Loc, A, D, T, an ε-perturbation of A is a new HA A that is identical except, Θ = B ε (Θ), l Loc, Inv = B ε (Inv) (b) a A, Guard a = B ε (Guard a ). A is robustly meets U iff ε > 0, such that A meets U ε upto time bound T, and transition bound N. Robustly violates iff ε < 0 such that A is violates U ε. Theorem. (Relative Completeness) Algorithm always terminates whenever the A is either robustly meets or violates the requirement. 17

17 Part II COST OF PRIVACY IN CONTROL Huang Wang Mitra Dullerud [CCS WPES 2012] [HiCons 2014] [CDC 2014] [ICDCN 2015] 18

18 Controlling Agents in a Shared Environment x 1 x 1 x n x n Traffic Traffic z = 1 N x i z = 1 n x i z z Vehicle Vehicle i x i = f i (x i, z, i u) x i = f i (x i, z, u) Controller Controller u i = g(x i, z) u i = g i (p i, x i ) Vehicle Vehicle j x j = f j (x j, z, j u) x j = f j (x j, z, u) Controller Controller u j = g(x j, z) u j = g j (x j ) 19

19 Controlling Agents in a Shared Environment x 1 x 1 x n x n Traffic Traffic z = 1 N x i z = 1 n x i z z x 1 x n Server z = 1 n x i z Vehicle Vehicle i x i = f i (x i, z, i u) x i = f i (x i, z, u) Vehicle Vehicle j x j = f j (x j, z, j u) x j = f j (x j, z, u) Controller Controller u i = g(x i, z) u i = g i (x i, z ) Controller Controller u j = g(x j, z) u j = g j (z ) M 20

20 Control while Protecting Sensitive Data Obs: observation stream of the system bounded by time T, the x 1 broadcast positions. Sensitive data: g = {g 1,, g n } g and g be two sequences of controllers that are identical except g i and g i. The system is differentially private iff P g leads to Obs P g leads to Obs e g i g i Cost of privacy: sup E[Cost g, M Cost g, M ] g,i What is the cost of Privacy in distributed control? 21

21 DP Control x 1 x 1 x n x n Traffic Traffic z = 1 N x i z = 1 n x i z z x 1 = x 1 + Lap( ΔT ε ) x 2 = x 2 + Lap( ΔT ε ) Server z = 1 n x i z Vehicle Vehicle i x i = f i (x i, z, i u) x i = f i (x i, z, u) Vehicle Vehicle j x j = f j (x j, z, j u) x j = f j (x j, z, u) Controller Controller u i = g(x i, z) u i = g i (x i, z) Controller Controller u j = g(x j, z) u j = g j (x j, z) M 22

22 Control while Protecting Sensitive Data Obs: observation stream of the system bounded by time T, the broadcast positions. x 1 Privacy: g and g be two sequences of controllers that are identical except g i and g i. The system preserves differentially private iff Cost of privacy: sup g P g leads to Obs P g leads to Obs e g i g i E[Cost g, M Cost g, M ] Theorem. COP = O( T3 N 2 ε2) for stable linear systems [HiCons 2014] Cost reasonable for short-lived agents and large number of agents Adversary estimates the initial system state from observations. X(t) = E[X(0) Z(0), Z(1),, Z(t)]. Accuracy at time t N is measured by H( X t ). Lower-bound on H for any ε-dp one shot query [CDC 2014]. 23

23 TWO APPLICATIONS OF STATIC-DYNAMIC ANALYSIS Duggirala Wang Mitra Munoz Viswanathan (FM 2014) Huang Fan Meracre Mitra Kiwatkowska (CAV 2014) 24

24 ysep SB SF SAPA-ALAS Parallel Landing Protocol Ownship and Intruder approaching parallel runways with small separation ALAS (at ownship) protocol is supposed to raise an alarm if within T time units the Intruder can violate safe separation based on 3 different projections xsep SH Verify Alert b Unsafe for different scenarios Scenario 1. With xsep [.11,.12] Nm ysep [.1,.21] Nm, φ = 30 o φ max = 45 o vy o = 136 Nmph, vy i = 155 Nmph Alert b Unsafe is satisfied by Reachtube ψ if I 2 Must Unsafe May Unsafe there exists I 1 Must Alert such that I 1 < I 2 b 25

25 Real-time Alerting Protocol. Sound & robustly completeness C2E2 verifies interesting scenarios in reasonable time; shows that false alarms are possible; found scenarios where alarm may be missed Scenario Alert 4 Unsafe Running time (mins:sec) Alert? Unsafe 6 False 3: True 1:13 8 True 2: False 7: True 2: True 4:55 9 False 2: False 3: False 4: False 6:

26 Scalability through Compositionality Module 1? Module 2 Module 1 Module 3 Module 2 Module 3 Module 4 Module 5 q a x 1 = f a (x 1, x 2, x 3 ) x 2 = f b (x 2, x 1, x 3 ) L N q b q c x 3 = f c (x 3, x 1, x 2 ) 27

27 Input-to-State (IS) Discrepancy u x = f(x, u) x x ξ(x, u, t) ξ(x,u, t) time u (t) u(t) time t Definition. IS discrepancy is defined by β and γ such that for any initial states x, x and any inputs u, u, ξ(x, u, t) ξ x, u, t β(x, x, t) + β 0 as x x, and γ 0 as u u 0 t γ u s u s ds 28

28 Reduced System M(δ 1, δ 2, V 1, V 2 ). x = f M x x = m 1, m 2, clk m 1 m 2 clk = f M x = β 1 δ 1, clk + γ 1 m 2 β 2 δ 2, clk + γ 2 m

29 Bloating with Reduced Model x 1 = f 1 (x 1, u 1 ) m 1 = β 1 δ, t +γ 1 (m 2,m 3 ) x 2 = f 2 (x 2,u 2 ) x 3 = f 3 (x 3, u 3 ) m 2 = β 2 δ, t +γ 2 (m 1,m 3 ) m 3 = β 3 δ, t +γ 3 (m 1,m 2 ) x m(t) ξ(t) time δ m(t) time The bloated tube contains all trajectories start from the δ-ball of x. The over-approximation can be computed arbitrarily precise. 30

30 Reduced M gives effective Discrepancy of A. Theorem. For any δ = δ 1,δ 2, V = V 1, V 2 and T Reach A B δ x, T t T B V μ t (ξ x, t ) Theorem. For any ϵ > 0 there exists δ = δ 1, δ 2 such that V (ξ x, t ) B ε (Reach A (B δ x, T) t T B μ t Here μ t is the solution of M(δ 1, δ 2, V 1, V 2 ). Huang et al. HSCC 2014, CAV

31 Pacemaker + Cardiac Network. Action potential remains in specific range No alternation of action potentials Nodes Thresh Sims Run time (s) Property TRUE TRUE TRUE TRUE NA 63.4 FALSE TRUE TRUE

32 PART IV ONGOING WORK 33

33 Adversarial synthesis problem u t a t x t+1 = f t x t, u t, a t Given system A, u Ctr, x 0 Init, a Adv : t ξ(x 0, u, a, t) Safe ξ x 0, u, a, T Goal requirements are met? Adv: a i 2 b: intrusion budget constraints Ctr: c i u i k: actuation constraints 34

34 Decomposition with Leverage Reach x 0, u, Adv, t = Reach x 0, u, O, t L(x 0, u, t) ---Leverage For each t H, compute Safe t L t = Safe & Goal t L t = Goal Check u Ctrl : t, x 0 Init, Reach Init, u, 0, t Safe t? For linear dynamics and L2-budget L x 0, u, t can be computed exactly We can find b crit that makes control impossible Classify initial states based on vulnerability 35

35 Summary Static-Dynamic Analysis = sound and relatively complete algorithm for analysis of nonlinear nondeterministic models Tool support (C2E2, try it: Compositional analysis Symbolic simulation of adversary-free system + overapproximation of leverage Synthesize controllers and attack strategies Measure vulnerability of states w.r.t. attacks 36