A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow Brandon - - PowerPoint PPT Presentation



slide-1
SLIDE 1

A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow

Brandon Bohrer and André Platzer

Logical Systems Lab Computer Science Department Carnegie Mellon University

LICS’18

1 / 21

slide-2
SLIDE 2

Outline: Hybrid {Dynamics, Logic, Power}

[Figure: three overlapping circles labelled Hybrid Dynamics, Hybrid Logic and Hybrid Power; their pairwise overlaps are labelled dHL, Logic, Information Flow and HDIF; the centre is labelled Smart Grid Hybrid Model]

We 1) develop dHL, a hybrid logic for hybrid-dynamical systems and 2) apply dHL to verify hybrid dynamic information flow HDIF for 3) security of a hybrid power grid.

2 / 21

slide-3
SLIDE 3

CPS are Safety-Critical and Ubiquitous

[Figure: Grid, Transport, Medical]

“How can we design cyber-physical systems people can bet their lives on?” – Jeannette Wing

3 / 21

slide-4
SLIDE 4

Secure Information Flow is Safety Critical

Grid ⇓ Overloads
Transport ⇓ Position Spoofing
Medical ⇓ Hijacking

3 / 21

slide-6
SLIDE 6

Results Only as Good as the Model

  • Related work: Verified discrete event model of FREEDM grid
  • Did not model physical dynamics
  • Event model can’t catch vulnerabilities in dynamics!

4 / 21

slide-8
SLIDE 8

Expressive Hybrid Models Provide Expressive Flows

  • Hybrid dynamics: Mix and match discrete and continuous
  • Hybrid-Dynamic Information Flow (HDIF): Information can flow in both discrete and continuous channels
  • How do we model and verify HDIFs?

5 / 21

slide-9
SLIDE 9

Outline

1 dHL: Hybrid {Dynamics, Logic}
2 FREEDM Case Study: Hybrid Power
3 Theory: Soundness and Reducibility

6 / 21

slide-10
SLIDE 10

Example Hybrid System: Diesel Generator

Generator consumes Fuel to produce power for the grid.

αgen ≡ ((p := 0 ∪ (p := ∗; ?(Fuel > 0 ∧ 0 ≤ p ≤ maxp))); {Fuel′ = −p, gr′ = p & Fuel ≥ 0})∗

Questions: Can grid observer detect fuel level?

Program           Meaning
{x′ = θ & ψ}      Evolve ODE x′ = θ, but only while ψ holds
x := ∗            Assign randomly to x
?φ                Test whether φ holds
α ∪ β             Run α or β
α∗                Run α any number of times in sequence
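As an added illustration (not code from the authors), the following Python interpreter gives the five program constructs in the table a set-of-states semantics and runs the diesel generator αgen with it. Two simplifications are assumptions of this example, not of the paper: x := ∗ draws from a small constructed finite sample set, and the ODE is integrated with a fixed Euler step, so the computed reachable set is a finite under-approximation. The constants maxp = 2, dt = 0.5 and the loop bound are likewise constructed.

```python
# Added example: a tiny set-based interpreter for dL-style hybrid programs.
# Assumptions: finite samples for x := *, fixed Euler step for ODEs, bounded loops.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

State = Tuple[Tuple[str, float], ...]   # sorted (variable, value) pairs, hashable

def to_state(d: Dict[str, float]) -> State:
    return tuple(sorted((k, round(v, 9)) for k, v in d.items()))

@dataclass(frozen=True)
class Assign:            # x := theta
    var: str
    expr: Callable[[dict], float]

@dataclass(frozen=True)
class Random:            # x := *   (restricted to a finite sample set)
    var: str
    samples: tuple

@dataclass(frozen=True)
class Test:              # ?phi
    cond: Callable[[dict], bool]

@dataclass(frozen=True)
class Seq:               # alpha; beta
    first: object
    second: object

@dataclass(frozen=True)
class Choice:            # alpha u beta
    left: object
    right: object

@dataclass(frozen=True)
class Loop:              # alpha*  (at most max_iter iterations)
    body: object
    max_iter: int

@dataclass(frozen=True)
class ODE:               # {x' = theta & psi}: Euler steps while psi holds at every step
    derivs: Dict[str, Callable[[dict], float]]
    domain: Callable[[dict], bool]
    dt: float
    max_steps: int

def run(prog, states: FrozenSet[State]) -> FrozenSet[State]:
    out = set()
    for s in states:
        out |= run_one(prog, s)
    return frozenset(out)

def run_one(prog, s: State) -> set:
    d = dict(s)
    if isinstance(prog, Assign):
        d[prog.var] = prog.expr(d)
        return {to_state(d)}
    if isinstance(prog, Random):
        return {to_state({**d, prog.var: v}) for v in prog.samples}
    if isinstance(prog, Test):
        return {s} if prog.cond(d) else set()
    if isinstance(prog, Seq):
        return set(run(prog.second, frozenset(run_one(prog.first, s))))
    if isinstance(prog, Choice):
        return run_one(prog.left, s) | run_one(prog.right, s)
    if isinstance(prog, Loop):
        reached, frontier = {s}, {s}
        for _ in range(prog.max_iter):
            frontier = set(run(prog.body, frozenset(frontier))) - reached
            if not frontier:
                break
            reached |= frontier
        return reached
    if isinstance(prog, ODE):
        if not prog.domain(d):            # the domain must hold already at time 0
            return set()
        reached, cur = {s}, d
        for _ in range(prog.max_steps):
            nxt = {v: cur[v] + prog.dt * f(cur) for v, f in prog.derivs.items()}
            nxt = {**cur, **nxt}
            if not prog.domain(nxt):      # leaving the evolution domain stops the ODE
                break
            cur = nxt
            reached.add(to_state(cur))
        return reached
    raise TypeError(f"unknown program {prog!r}")

MAXP = 2.0   # constructed maximum generator output

# alpha_gen from the slide: choose p (0 or a sampled positive value), then burn fuel
alpha_gen = Loop(
    Seq(Choice(Assign("p", lambda d: 0.0),
               Seq(Random("p", (1.0, 2.0)),
                   Test(lambda d: d["Fuel"] > 0 and 0 <= d["p"] <= MAXP))),
        ODE({"Fuel": lambda d: -d["p"], "gr": lambda d: d["p"]},
            domain=lambda d: d["Fuel"] >= 0, dt=0.5, max_steps=4)),
    max_iter=3)

def observable_gr(fuel0: float) -> list:
    """Grid observer's view: every gr value reachable from initial fuel level fuel0."""
    init = frozenset({to_state({"Fuel": fuel0, "gr": 0.0, "p": 0.0})})
    return sorted({dict(s)["gr"] for s in run(alpha_gen, init)})

if __name__ == "__main__":
    for f in (1.0, 10.0):
        print(f"Fuel={f}: observable gr values {observable_gr(f)}")
```

On this toy instance the largest observable gr equals the initial fuel level, because gr + Fuel is constant along the ODE and the domain Fuel ≥ 0 ends the evolution; the grid observer thus learns the fuel level through a continuous channel, which is the kind of flow the slide's question is about.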

7 / 21

slide-12
SLIDE 12

Dynamic Logic Operators

Definition (dL Formulas, Fragment of dHL)

φ, ψ ::= φ ∧ ψ | ¬φ | ∃x : R φ | θ1 ≤ θ2 | ⟨α⟩φ

  • First-order classical logic
  • Real-valued terms θ1, θ2
  • Dynamic modality ⟨α⟩φ says φ holds after some run of α.

⟨α⟩φ: α can reach φ

8 / 21

slide-13
SLIDE 13

Program Axioms Decompose Dynamics

⟨′⟩   ⟨x′ = F & q(x)⟩p(x) ↔ ∃t ≥ 0 (p(y(t)) ∧ ∀0 ≤ s ≤ t q(y(s)))
⟨∪⟩   ⟨a ∪ b⟩P ↔ (⟨a⟩P ∨ ⟨b⟩P)

[Figure: the choice α ∪ β drawn as one input branching into two paths, through α and through β, to the outputs]

9 / 21

slide-18
SLIDE 18

dHL Adds Hybrid Logic

Definition (dHL, Hybrid-Logical Operators)

φ ::= · · · | @wφ | ∃s : W φ | ↓s φ | w

  @wφ        Go to world w
  ∃s : W φ   Exists world
  ↓s φ       Remember world in s
  w          Test world

  • Evaluate formulas φ or terms θ at named world w.
  • Quantifiers ∃s : W φ, ∀s : W φ, and ↓s φ (binds current world)
  • Nominal predicate w holds exactly in world named by w

@hom   @n p(F1, . . . , Fm) ↔ p(@nF1, . . . , @nFm)
↓      ↓s p(s) ↔ ∃s : W (s ∧ p(s))
@id    @n n
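To make the three hybrid-logical operators concrete, here is an added example (not code from the authors) that evaluates @w, ∃s : W, ↓s and nominals over a finite Kripke-style model and checks the axiom schemas above on it. The three-world model, the predicate instance p = (≤) and the term instances are constructed for the example; the evaluator also checks a deliberately wrong variant of @hom to show that it does distinguish valid from invalid schemas.

```python
# Added example: finite-model evaluator for the dHL hybrid-logical operators.
# Assumptions: worlds are named strings carrying real-valued variables; predicates are callables.
from dataclasses import dataclass
from typing import Callable, Dict

Model = Dict[str, Dict[str, float]]   # world name -> variable assignment (the set W)
Env = Dict[str, str]                   # bound nominal variable -> world name

@dataclass(frozen=True)
class Var:            # term: variable read in the current world
    name: str

@dataclass(frozen=True)
class AtT:            # term: @n theta, evaluate theta in world n
    world: str
    term: object

@dataclass(frozen=True)
class Pred:           # p(theta_1, ..., theta_m)
    fn: Callable[..., bool]
    args: tuple

@dataclass(frozen=True)
class Nom:            # nominal w: true exactly in the world named w
    world: str

@dataclass(frozen=True)
class At:             # @w phi: go to world w
    world: str
    body: object

@dataclass(frozen=True)
class Exists:         # exists s:W phi
    var: str
    body: object

@dataclass(frozen=True)
class Down:           # down-arrow s phi: remember the current world in s
    var: str
    body: object

@dataclass(frozen=True)
class And:
    left: object
    right: object

def resolve(name: str, env: Env) -> str:
    # A world reference is a bound nominal variable if present in env, else a concrete world name
    return env.get(name, name)

def eval_term(t, model: Model, cur: str, env: Env) -> float:
    if isinstance(t, Var):
        return model[cur][t.name]
    if isinstance(t, AtT):
        return eval_term(t.term, model, resolve(t.world, env), env)
    raise TypeError(t)

def holds(f, model: Model, cur: str, env: Env) -> bool:
    if isinstance(f, Pred):
        return f.fn(*(eval_term(a, model, cur, env) for a in f.args))
    if isinstance(f, Nom):
        return resolve(f.world, env) == cur
    if isinstance(f, At):
        return holds(f.body, model, resolve(f.world, env), env)
    if isinstance(f, Exists):
        return any(holds(f.body, model, cur, {**env, f.var: w}) for w in model)
    if isinstance(f, Down):
        return holds(f.body, model, cur, {**env, f.var: cur})
    if isinstance(f, And):
        return holds(f.left, model, cur, env) and holds(f.right, model, cur, env)
    raise TypeError(f)

def equivalent_in(model: Model, lhs, rhs) -> bool:
    # lhs <-> rhs holds at every world of the model
    return all(holds(lhs, model, w, {}) == holds(rhs, model, w, {}) for w in model)

# Constructed three-world model: x <= y holds in w0 and w1 but not in w2
MODEL: Model = {"w0": {"x": 1.0, "y": 5.0}, "w1": {"x": 2.0, "y": 5.0}, "w2": {"x": 2.0, "y": 0.0}}

def leq(a: float, b: float) -> bool:
    return a <= b

def check_axioms(model: Model = MODEL) -> Dict[str, bool]:
    x_leq_y = Pred(leq, (Var("x"), Var("y")))
    return {
        # @hom: @n p(F1, F2) <-> p(@n F1, @n F2), instance p = (<=), n = w1
        "@hom": equivalent_in(model, At("w1", x_leq_y),
                              Pred(leq, (AtT("w1", Var("x")), AtT("w1", Var("y"))))),
        # dropping @n from the terms is not an axiom: x, y are then read in the current world
        "@hom_without_@_on_terms": equivalent_in(model, At("w1", x_leq_y), x_leq_y),
        # down-arrow: down s p(s) <-> exists s:W (s and p(s)), instance p(s) = @s (x <= y)
        "down": equivalent_in(model, Down("s", At("s", x_leq_y)),
                              Exists("s", And(Nom("s"), At("s", x_leq_y)))),
        # @id: @n n holds at every world, for every world name n
        "@id": all(holds(At(n, Nom(n)), model, cur, {}) for n in model for cur in model),
    }

if __name__ == "__main__":
    print(check_axioms())
```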

10 / 21

slide-19
SLIDE 19

Nondeducibility Information Flow

Program α is nondeducibility-secure with bisimulation R when

  ∀i1, i2, o1 : W (@i1⟨α⟩o1 ∧ R(i1, i2) → @i2⟨α⟩↓o2 R(o1, o2))

where R(k1, k2) ≡ ⋀θ∈L (@k1θ = @k2θ) (i.e., k1, k2 agree on L).

[Figure: worlds i1 and i2 related by R; for every (∀) run of α from i1 to o1 there exists (∃) a run of α from i2 to o2 with R(o1, o2)]

“All similar inputs would have made similar outputs possible”

11 / 21

slide-21
SLIDE 21

Derived Rules Simplify HDIF Proofs

Relational reasoning proceeds structurally on programs:

BS;   @i1⟨α⟩m1 ∧ Ri(i1, i2) → @i2⟨α⟩↓m2 Rm(m1, m2)      @m1⟨β⟩o1 ∧ Rm(m1, m2) → @m2⟨β⟩↓o2 Ro(o1, o2)
      ────────────────────────────────────────────────────────────────────────────────────
      @i1⟨α; β⟩o1 ∧ Ri(i1, i2) → @i2⟨α; β⟩↓o2 Ro(o1, o2)

[Figure: worlds i1, i2 (related by Ri), m1, m2 (Rm) and o1, o2 (Ro) connected by α and then β; ∀ along the i1 path, ∃ along the i2 path]

Bisimulation rules are all derived!

12 / 21

slide-22
SLIDE 22

Outline

1 dHL: Hybrid {Dynamics, Logic}
2 FREEDM Case Study: Hybrid Power
3 Theory: Soundness and Reducibility

13 / 21

slide-23
SLIDE 23

Example: FREEDM Smart Grid

[Figure: FREEDM topology with two nodes, each with a Battery (B1, B2), Demand (d1, d2), Resource (r1, r2) and Transformer (T1, T2); flows p1, p2 across a Link, and grid flow gr]

Our hybrid model reveals a bug missed by the event-based model

14 / 21

slide-27
SLIDE 27

FREEDM: Formal Model

αF ≡ (ctrl; plant)∗
ctrl ≡ migrate; bat

Load Balance:
migrate ≡ di, ri := ∗; ?(di, ri ≥ 0); ni := di − (ri + pi);
          if (ni ≥ thresh ∧ n̄i < 0) { m := Migrate(i) } else { m := 0 }

plant ≡ {pi′ = −1^i · m, Bi′ = bi, bi′ = bmi, gr′ = grm, t′ = 1 & Bi ≥ 0}

Battery, Insecure:
batI ≡ gr, bmi, vGridMig := 0;
       if ((ni ≤ 0 ∧ ¬Full) ∨ (ni > 0 ∧ ¬Emp)) { ToBat(ni, m) } else { ToGrid(ni, m) }

Battery, Secure:
batS ≡ gr, bmi, vGridMig := 0;
       (?(Full ∨ (ni > 0 ∧ ¬Emp)); ToBat(ni, m)) ∪ (ToGrid(ni, m))

15 / 21

slide-29
SLIDE 29

FREEDM: Results

Define R(i, j) ≡ (@it = @jt ∧ @igr = @jgr).   Same grid flow, same time

Proposition (FREEDM with original batI is insecure)

  ∃i1, i2, o1 : W (@i1⟨αI⟩o1 ∧ R(i1, i2) ∧ @i2[αI]↓o2 ¬R(o1, o2))

Proposition (Nondeducibility for fixed FREEDM)

  ∀i1, i2, o1 : W (@i1⟨αS⟩o1 ∧ R(i1, i2) → @i2⟨αS⟩↓o2 R(o1, o2))

  • Takeaway: Determinism helps attackers! (“Refinement Paradox”)

Impact: Translates to, e.g., randomization in implementation.
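The following added example (not the authors' code and not the FREEDM model itself) checks the nondeducibility condition from slide 11 on a constructed finite-state toy that mirrors the two propositions above: an observer who sees only time and grid flow, a hidden battery level, a deterministic controller that charges whenever the battery has room (in the spirit of batI) and a nondeterministic one that may draw the extra unit whatever the battery holds (in the spirit of batS). The battery capacity, demand, horizon and the two controllers are assumptions of this example. Besides finding the leak, it checks that the deterministic controller refines the nondeterministic one, which is exactly the refinement paradox named in the takeaway.

```python
# Added example: bounded nondeducibility check on a constructed battery-controller toy.
# Assumptions: CAP, DEMAND, the two controllers and the horizon are all constructed here.
from collections import deque
from typing import Callable, Iterable, NamedTuple, Optional, Set, Tuple

class World(NamedTuple):
    t: int     # observable: time
    gr: int    # observable: power drawn from the grid in this step
    B: int     # hidden: battery level, 0 = Emp, CAP = Full

CAP = 2      # constructed battery capacity
DEMAND = 3   # constructed constant local demand

Controller = Callable[[World], Set[World]]   # one loop iteration as a transition relation

def bat_insecure(w: World) -> Set[World]:
    # Deterministic, like batI: draw one extra unit to charge whenever the battery has room.
    if w.B < CAP:
        return {World(w.t + 1, DEMAND + 1, w.B + 1)}
    return {World(w.t + 1, DEMAND, w.B)}

def bat_secure(w: World) -> Set[World]:
    # Nondeterministic, like batS: may draw DEMAND or DEMAND + 1 whatever the battery level;
    # the extra unit is stored if there is room and curtailed otherwise, so gr never depends on B.
    return {World(w.t + 1, DEMAND, w.B),
            World(w.t + 1, DEMAND + 1, min(w.B + 1, CAP))}

def R(a: World, b: World) -> bool:
    # Observer relation from the slide: same time and same grid flow (B is invisible).
    return a.t == b.t and a.gr == b.gr

def reachable(step: Controller, init: World, horizon: int) -> Set[World]:
    # Worlds reachable from init by at most `horizon` iterations of the loop (alpha*).
    seen, queue = {init}, deque([(init, 0)])
    while queue:
        w, depth = queue.popleft()
        if depth == horizon:
            continue
        for nxt in step(w):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen

def nondeducibility_counterexample(step: Controller, inits: Iterable[World],
                                   horizon: int) -> Optional[Tuple[World, World, World]]:
    # Looks for i1, i2, o1 with @i1<alpha>o1 and R(i1, i2) but no o2 reachable from i2
    # with R(o1, o2). None means the condition holds on this bounded model.
    inits = list(inits)
    reach = {i: reachable(step, i, horizon) for i in inits}
    for i1 in inits:
        for i2 in inits:
            if not R(i1, i2):
                continue
            for o1 in reach[i1]:
                if not any(R(o1, o2) for o2 in reach[i2]):
                    return (i1, i2, o1)
    return None

def refines(concrete: Controller, abstract: Controller,
            inits: Iterable[World], horizon: int) -> bool:
    # True when every transition of `concrete` (on its reachable worlds) is allowed by `abstract`.
    return all(concrete(w) <= abstract(w)
               for i in list(inits) for w in reachable(concrete, i, horizon))

# Constructed initial worlds: identical observables, different hidden battery levels
INITS = [World(0, 0, b) for b in range(CAP + 1)]

if __name__ == "__main__":
    print("insecure counterexample:", nondeducibility_counterexample(bat_insecure, INITS, 3))
    print("secure counterexample:  ", nondeducibility_counterexample(bat_secure, INITS, 3))
    print("insecure refines secure:", refines(bat_insecure, bat_secure, INITS, 3))
```

The counterexample for the deterministic controller is a world at which the observer has seen gr = DEMAND + 1 for more steps than a fuller battery could have produced; the nondeterministic controller offers both grid flows from every world, so every observation is explainable from every related start, and the check returns None.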

16 / 21

slide-30
SLIDE 30

Outline

1 dHL: Hybrid {Dynamics, Logic}
2 FREEDM Case Study: Hybrid Power
3 Theory: Soundness and Reducibility

17 / 21

slide-31
SLIDE 31

Hybrid Logic (+Uniform Substitution)

Provides Clean Foundation for Info. Flow

Ours is a uniform substitution calculus: variables over predicates, programs, etc. are represented explicitly in concrete axiom formulas and instantiated with rule US:

  US    φ
        ────
        σ(φ)

Rule US is sound iff σ is admissible:

Definition (Admissibility (dL))

Substitution σ adds no free variable references in bound positions

Definition (Admissibility (dHL))

Substitution σ adds no free symbol references in bound positions

Takeaway: Admissibility generalizes cleanly to hybrid logics

18 / 21

slide-32
SLIDE 32

Axiom Validity

Proposition (dHL contains dL)

A dL formula φ is valid in dL iff it is valid in dHL

  • Containment imports all dL axioms to dHL once and for all, even when instantiated with proper dHL formulas.
  • dHL axioms are single formulas, so each case of soundness only needs to show validity of one single formula.

19 / 21

slide-33
SLIDE 33

Concrete Reducibility

Motivation: What is the expressive power of dHL?

Theorem (Concrete reducibility)

Concrete dHL (i.e. without US symbols) reduces to concrete dL. There exists an effective reduction T : dHL → dL such that when φ ∈ dHL is concrete, T(φ) ∈ dL is valid iff φ is.

Proposition (Complexity of T)

T increases size quadratically, i.e., |T(φ)| ∈ Θ(|φ|²) for concrete φ.

Implication: T cannot reduce axioms or certain advanced proof techniques. Reduction likely to bloat proofs in practice.

20 / 21

slide-34
SLIDE 34

Takeaways

  • Info. flow analysis only as good as the model
  • Hybrid models enable expressive CPS flows
  • Logic dHL provides HDIF analysis.
  • Hybrid logic (+ Uniform Substitution) provides clean foundation; high-level relational rules are derived
  • Smart-grid example shows promise for practical applications
  • Future Work: Hybrid logic as a broader foundation for hyperproperties, compare with other relational systems
  • Future Work: Implementation to enable large-scale proofs

21 / 21