Enforcing opacity of regular predicates on modal transition systems

Given a labelled transition system G partially observed by an attacker, and a regular predicate Sec over the runs of G, enforcing opacity of the secret Sec in G means computing a supervisory controller K such that an attacker who observes a run of the controlled system K/G cannot ascertain that the trace of this run belongs to Sec based on the knowledge of G and K. We lift the problem from a single labelled transition system G to the class of all labelled transition systems specified by a Modal Transition SystemM. The lifted problem is to compute the maximally permissive controller K such that Sec is opaque in K/G for every labelled transition system G which is a model of M. The situations of the attacker and of the controller are asymmetric: at run time, the attacker may fully know G and K whereas the controller knows only M and the sequence of actions executed so far by the unknown G. We address the problem in two cases. Let Σa denote the set of actions that can be observed by the attacker, and let Σc and Σo denote the sets of actions that can be controlled and observed by the controller, respectively. We provide optimal and regular controllers that enforce the opacity of regular secrets when Σc⊆Σo⊆Σa=Σ${\Sigma }_{c}\subseteq {\Sigma }_{o}\subseteq {\Sigma }_{a}={\Sigma }$. We provide optimal and regular controllers that enforce the opacity of regular upper-closed secrets (Sec=Sec.Σ∗) under the following assumptions: (i) Σa⊆Σc⊆Σo=Σ${\Sigma }_{a}\subseteq {\Sigma }_{c}\subseteq {\Sigma }_{o}={\Sigma }$ or (ii) Σa,Σc⊆Σo=Σ${\Sigma }_{a},{\Sigma }_{c}\subseteq {\Sigma }_{o}={\Sigma }$ and wΣ∈Sec⇒w∈Sec$w{\Sigma }\in Sec\Rightarrow w\in Sec$ for all Σ∈Σ∖Σc.