A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow

Information-flow security is important to the safety and privacy of cyber-physical systems (CPSs) across many domains: information leakage can both violate user privacy and reveal vulnerabilities to physical attacks. CPSs face the challenge that information can flow both in discrete cyber channels and in continuous real-valued physical channels ranging from time to motion to electrical currents. We call these hybrid-dynamic information flows (HDIFs) and introduce dHL, the first logic for verifying HDIFs in hybrid-dynamical models of CPSs. Our logic extends differential dynamic logic (dL) for hybrid-dynamical systems with hybrid-logical features for explicit program state representation, supporting relational reasoning used for information flow arguments. By verifying HDIFs, we ensure security even under a strong attacker model wherein an attacker can observe time and physical values continuously. We present a Hilbert-style proof calculus for dHL, prove it sound, and compare the expressive power of dHL with dL. We develop a hybrid system model based on the smart electrical grid FREEDM, with which we showcase dHL. We prove that the naive model has a previously unknown information flow vulnerability, which we verify is resolved in a revised model. This is the first information flow proof both for HDIFs and for a hybrid-dynamical model in general.