Date of this Version
Luan Viet Nguyen, Gautam Mohan, James Weimer, Oleg Sokolsky, Insup Lee, and Rajeev Alur, "Detecting Security Leaks in Hybrid Systems with Information Flow Analysis", 17th ACM-IEEE International Conference on Formal Methods and Models for Codesign (MemoCODE 2019) . October 2019. http://dx.doi.org/10.1145/3359986.3361212
Information flow analysis is an effective way to check useful security properties, such as whether secret information can leak to adversaries. Despite being widely investigated in the realm of programming languages, information-flow- based security analysis has not been widely studied in the domain of cyber-physical systems (CPS). CPS provide interesting challenges to traditional type-based techniques, as they model mixed discrete-continuous behaviors and are usually expressed as a composition of state machines. In this paper, we propose a lightweight static analysis methodology that enables information security properties for CPS models.We introduce a set of security rules for hybrid automata that characterizes the property of non-interference. Based on those rules, we propose an algorithm that generates security constraints between each sub-component of hybrid automata, and then transforms these constraints into a directed dependency graph to search for non-interference violations. The proposed algorithm can be applied directly to parallel compositions of automata without resorting to model-flattening techniques. Our static checker works on hybrid systems modeled in Simulink/Stateflow format and decides whether or not the model satisfies non-interference given a user-provided security annotation for each variable. Moreover, our approach can also infer the security labels of variables, allowing a designer to verify the correctness of partial security annotations. We demonstrate the potential benefits of the proposed methodology on two case studies.
CPS Formal Methods, CPS Security
17th ACM-IEEE International Conference on Formal Methods and Models for Codesign (MemoCODE 2019)
information flow security, static analysis, hybrid systems, Simulink/Stateflow
Date Posted: 06 November 2019
This document has been peer reviewed.