A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow - PowerPoint PPT Presentation

Brandon Bohrer and André Platzer, Logical Systems Lab, Computer Science Department, Carnegie Mellon University. LICS'18.


  1. A Hybrid, Dynamic Logic for Hybrid-Dynamic Information Flow
  Brandon Bohrer and André Platzer
  Logical Systems Lab, Computer Science Department, Carnegie Mellon University
  LICS'18, 1 / 21

  2. Outline: Hybrid {Dynamics, Logic, Power}
  [Figure: Hybrid Dynamics (Smart Grid Hybrid Model), Hybrid Logic (dHL), Hybrid Information Flow (HDIF), Hybrid Power]
  We 1) develop dHL, a hybrid logic for hybrid-dynamical systems, and 2) apply dHL to verify hybrid-dynamic information flow (HDIF) for 3) security of a hybrid power grid.

  3. CPS are Safety-Critical and Ubiquitous
  [Figure: Grid, Transport, Medical]
  "How can we design cyber-physical systems people can bet their lives on?" – Jeannette Wing

  4. Secure Information Flow is Safety Critical
  Grid ⇓ Overloads
  Transport ⇓ Position Spoofing
  Medical ⇓ Hijacking

  5-6. Results Only as Good as the Model
  • Related work: Verified discrete event model of FREEDM grid
  • Did not model physical dynamics
  • Event model can't catch vulnerabilities in dynamics!

  7-8. Expressive Hybrid Models Provide Expressive Flows
  • Hybrid dynamics: Mix and match discrete and continuous
  • Hybrid-Dynamic Information Flow (HDIF): Information can flow in both discrete and continuous channels
  • How do we model and verify HDIFs?

  9. Outline
  1 dHL: Hybrid {Dynamics, Logic}
  2 FREEDM Case Study: Hybrid Power
  3 Theory: Soundness and Reducibility

  10. Example Hybrid System: Diesel Generator
  Generator consumes Fuel to produce power for the grid.
  α_gen ≡ ((p := 0 ∪ (p := *; ?(Fuel > 0 ∧ 0 ≤ p ≤ maxp))); {Fuel' = −p, gr' = p & Fuel ≥ 0})*
  Question: Can grid observer detect fuel level?
  Program | Meaning
  {x' = θ & ψ} | Evolve ODE x' = θ, but only while ψ holds
  x := * | Assign randomly to x
  ?φ | Test whether φ holds
  α ∪ β | Run α or β
  α* | Run α any number of times in sequence

  11-12. Dynamic Logic Operators
  Definition (dL Formulas, Fragment of dHL)
  φ, ψ ::= φ ∧ ψ | ¬φ | ∃x:ℝ φ | θ₁ ≤ θ₂ | ⟨α⟩φ
  • First-order classical logic
  • Real-valued terms θ₁, θ₂
  • Dynamic modality ⟨α⟩φ says φ holds after some run of α (α can reach φ).

  13. Program Axioms Decompose Dynamics
  ⟨'⟩  ⟨x' = F & q(x)⟩ p(x) ↔ ∃t ≥ 0 (p(y(t)) ∧ ∀ 0 ≤ s ≤ t  q(y(s)))   (y the solution of the ODE)
  ⟨∪⟩  ⟨a ∪ b⟩P ↔ (⟨a⟩P ∨ ⟨b⟩P)
  [Figure: α ∪ β drawn as a branch from "in" to "out" through either α or β]

  14-18. dHL Adds Hybrid Logic
  Definition (dHL, Hybrid-Logical Operators)
  φ ::= ··· | @w φ | ∃s:W φ | ↓s φ | w
  (@w φ: go to world w; ∃s:W φ: exists world; ↓s φ: remember world in s; w: test world)
  • Evaluate formulas φ or terms θ at named world w.
  • Quantifiers ∃s:W φ, ∀s:W φ, and ↓s φ (binds current world)
  • Nominal predicate w holds exactly in world named by w
  @hom  @n p(F₁, …, Fₘ) ↔ p(@n F₁, …, @n Fₘ)
  ↓     ↓s p(s) ↔ ∃s:W (s ∧ p(s))
  @id   @n n

  19. Nondeducibility Information Flow
  Program α is nondeducibility-secure with bisimulation R when
  ∀ i₁, i₂, o₁ : W  (@i₁ ⟨α⟩ o₁ ∧ R(i₁, i₂) → @i₂ ⟨α⟩ ↓o₂ R(o₁, o₂))
  R(k₁, k₂) ≡ ⋀_{θ ∈ L} (@k₁ θ = @k₂ θ)   (i.e., k₁, k₂ agree on L)
  [Figure: i₁ runs α to o₁ (∀); i₂ with R(i₁, i₂) runs α to some o₂ (∃) with R(o₁, o₂)]
  "All similar inputs would have made similar outputs possible"
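As an added, constructed example (not code from the slides or from the authors), the nondeducibility condition of slide 19 checked by exhaustive search over a finite discrete abstraction of the diesel generator of slide 10: worlds are (Fuel, p, gr) tuples, the ODE is sampled at integer times, and the grid observer's low terms are L = {gr}; the bounds MAXP and FUEL_MAX are assumptions. The search returns the counterexample i₁ with Fuel = 1, i₂ with Fuel = 0 and an output o₁ with gr = 1 that i₂ cannot match, i.e. an observer who sees gr > 0 deduces that Fuel was > 0.

```python
from itertools import product

MAXP = 1       # constructed bound on generator output per time unit
FUEL_MAX = 2   # constructed bound on initial fuel; worlds are (Fuel, p, gr)


def gen_step(world):
    """One iteration of the alpha_gen loop body sampled at integer times:
    p := 0 or (p := *; ?(Fuel > 0 and 0 <= p <= maxp)), then the plant
    {Fuel' = -p, gr' = p & Fuel >= 0} for 0 or 1 time unit."""
    fuel, _, gr = world
    nxt = set()
    for p in range(MAXP + 1):
        if p > 0 and fuel <= 0:            # test ?(Fuel > 0 ...) fails
            continue
        nxt.add((fuel, p, gr))             # ODE evolved for duration 0
        if fuel - p >= 0:                  # duration 1 respects Fuel >= 0
            nxt.add((fuel - p, p, gr + p))
    return nxt


def reach(step, init):
    """Worlds reachable by alpha* (reflexive-transitive closure of step)."""
    seen, todo = {init}, [init]
    while todo:
        for nxt in step(todo.pop()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def low_view(world, low):
    """Projection onto the low terms L (tuple indices); R holds iff views agree."""
    return tuple(world[i] for i in low)


def nondeducibility_witness(step, worlds, low):
    """Search for a violation of slide 19's condition
    forall i1, i2, o1: @i1 <alpha> o1 and R(i1, i2) -> @i2 <alpha> (exists o2) R(o1, o2).
    Returns None when secure, else (i1, i2, o1) with o1 unmatchable from i2 on L."""
    for i1, i2 in product(sorted(worlds), repeat=2):
        if low_view(i1, low) != low_view(i2, low):
            continue                       # R(i1, i2) fails, nothing to match
        matchable = {low_view(o2, low) for o2 in reach(step, i2)}
        for o1 in sorted(reach(step, i1)):
            if low_view(o1, low) not in matchable:
                return (i1, i2, o1)
    return None


INITIAL = {(fuel, 0, 0) for fuel in range(FUEL_MAX + 1)}  # idle, nothing delivered
LOW_GR = (2,)   # the grid observer sees only gr
```

Calling nondeducibility_witness(gen_step, INITIAL, LOW_GR) yields ((1, 0, 0), (0, 0, 0), (0, 0, 1)); with an empty L the check passes trivially, since R then relates every pair of worlds.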

  20-21. Derived Rules Simplify HDIF Proofs
  Relational reasoning proceeds structurally on programs
  BS;  from the premises
    @i₁ ⟨α⟩ m₁ ∧ R_i(i₁, i₂) → @i₂ ⟨α⟩ ↓m₂ R_m(m₁, m₂)
    @m₁ ⟨β⟩ o₁ ∧ R_m(m₁, m₂) → @m₂ ⟨β⟩ ↓o₂ R_o(o₁, o₂)
  conclude
    @i₁ ⟨α; β⟩ o₁ ∧ R_i(i₁, i₂) → @i₂ ⟨α; β⟩ ↓o₂ R_o(o₁, o₂)
  [Figure: i₁ runs α to m₁ and β to o₁ (∀); i₂ runs α to m₂ and β to o₂ (∃), related by R_i, R_m, R_o]
  Bisimulation rules are all derived!

  22. Outline
  1 dHL: Hybrid {Dynamics, Logic}
  2 FREEDM Case Study: Hybrid Power
  3 Theory: Soundness and Reducibility

  23. Example: FREEDM Smart Grid
  [Figure: two nodes, each with Battery B₁/B₂, Demand d₁/d₂, Transformer T₁/T₂, Resource r₁/r₂ and power p₁/p₂, joined by a Link to the Grid gr]
  Our hybrid model reveals a bug missed by the event-based model

  24-26. FREEDM: Formal Model
  α_F ≡ (ctrl; plant)*
  ctrl ≡ migrate; bat
  migrate ≡ d_i, r_i := *; ?(d_i, r_i ≥ 0); n_i := d_i − (r_i + p_i);
            if (n_i ≥ thresh ∧ n_ī < 0) { m := Migrate(i) } else { m := 0 }      (Load Balance)
  plant ≡ { p_i' = b_i, b_i' = (−1)^i · m, B_i' = bm_i, gr' = grm, t' = 1 & B_i ≥ 0 }
  bat_I ≡ gr, bm_i, vGridMig := 0;                                                (Battery, Insecure)
          if ((n_i ≤ 0 ∧ ¬Full) ∨ (n_i > 0 ∧ ¬Emp)) { ToBat(n_i, m) } else { ToGrid(n_i, m) }
  bat_S ≡ gr, bm_i, vGridMig := 0;
          (?(Full ∨ (n_i > 0 ∧ ¬Emp)); ToBat(n_i, m)) ∪ (ToGrid(n_i, m))
