Discrete Event Dynamic Systems

, Volume 25, Issue 4, pp 531–570 | Cite as

Enforcement and validation (at runtime) of various notions of opacity

  • Yliès Falcone
  • Hervé MarchandEmail author


We are interested in the validation of opacity. Opacity models the impossibility for an attacker to retrieve the value of a secret in a system of interest. Roughly speaking, ensuring opacity provides confidentiality of a secret on the system that must not leak to an attacker. More specifically, we study how we can model-check, verify and enforce at system runtime, several levels of opacity. Besides existing notions of opacity, we also introduce K-step strong opacity, a more practical notion of opacity that provides a stronger level of confidentiality.


Opacity K-step opacity Runtime verification Runtime enforcement 



The authors would like to gratefully thank the anonymous reviewers for their helpful remarks.


  1. Alur R, Zdancewic S (2006) Preserving secrecy under refinement. In: Proc. of the 33rd Internat. Colloq. on Automata, Languages and Programming (ICALP 06), volume 4052 of Lecture Notes in Computer Science, Springer, pp 107–118Google Scholar
  2. Badouel E, Bednarczyk M, Borzyszkowski A, Caillaud B, Darondeau P (2007) Concurrent secrets. Discret Event Dyn Syst 17 (4): 425–446.  10.1007/s10626-007-0020-5 zbMATHMathSciNetCrossRefGoogle Scholar
  3. Bryans J, Koutny M, Mazaré L, Ryan PYA (2008) Opacity generalised to transition systems. Int J Inf Secur 7 (6): 421–435CrossRefGoogle Scholar
  4. Cassandras CG, Lafortune S (2006) Introduction to discrete event systems. Springer, SecaucusGoogle Scholar
  5. Cassez F, Dubreil J, Marchand H (2009) Dynamic observers for the synthesis of opaque systems. In: ATVA’09: 7th international symposium on automated technology for verification and analysis, pp 352–367Google Scholar
  6. Dubreil J (2009) Monitoring and supervisory control for opacity properties. Ph.D. Thesis, Université de Rennes 1Google Scholar
  7. Dubreil J, Jéron T, Marchand H (2009) Monitoring confidentiality by diagnosis techniques. In: European control conference. Budapest, Hungary, pp 2584–2590Google Scholar
  8. Dubreil J, Darondeau P, Marchand H (2010) Supervisory control for opacity. IEEE Trans Autom Control 55 (5): 1089–1100MathSciNetCrossRefGoogle Scholar
  9. Falcone Y You should better enforce than verify. In: Barringer H, Falcone Y, Finkbeiner B, Havelund K, Lee I, Pace GJ, Rosu G, Sokolsky O, Tillmann N (eds) Lecture Notes in Computer Science. RV, Springer, vol 6418, pp 89–105Google Scholar
  10. Falcone Y, Marchand H (2010a) TAKOS: a java toolbox for the analysis of K-Opacity of systems. Available at
  11. Falcone Y, Marchand H (2010b) Various notions of opacity verified and enforced at runtime. Tech. Rep. 7349, INRIAGoogle Scholar
  12. Falcone Y, Marchand H (2013) Runtime enforcement of k-step opacity. In: Proceedings of the 52nd conference on decision and control. IEEEGoogle Scholar
  13. Falcone Y, Fernandez JC, Mounier L (2008) Synthesizing enforcement monitors wrt. the safety-progress classification of properties. In: Sekar R, Pujari AK (eds) Lecture notes in computer science, 5352. ICISS, Springer, pp 41–55Google Scholar
  14. Falcone Y, Fernandez JC, Mounier L (2009a) Enforcement monitoring wrt. the safety-progress classification of properties. In: SAC’09: Proceedings of the 2009 ACM symposium on Applied Computing, ACM, pp 593–600Google Scholar
  15. Falcone Y, Fernandez JC, Mounier L (2009b) Runtime verification of safety-progress properties. In: RV’09: Proceedings of the 9th workshop on runtime verification. Revised selected Papers, pp 40–59Google Scholar
  16. Falcone Y, Mounier L, Fernandez JC, Richier JL (2011) Runtime enforcement monitors: composition, synthesis, and enforcement abilities. Form Methods Syst Des 38 (3): 223–262zbMATHCrossRefGoogle Scholar
  17. Falcone Y, Fernandez JC, Mounier L (2012) What can you verify and enforce at runtime? STTT 14 (3): 349–382CrossRefGoogle Scholar
  18. Hamlen KW, Morrisett G, Schneider FB (2006) Computability classes for enforcement mechanisms. ACM Trans Program Lang Syst 28 (1): 175–205. CrossRefGoogle Scholar
  19. Havelund K, Goldberg A (2008) Verify your runs. In: VSTTE’05: verified software: theories, tools, experiments: first IFIP TC 2/WG 2.3 conference, revised selected papers and discussions, pp 374–383Google Scholar
  20. Havelund K, Rosu G (2002) Efficient monitoring of safety properties. Software Tools and Technology TransferGoogle Scholar
  21. Leucker M, Schallhart C (2008) A brief account of runtime verification. J Logic Algebraic Program 78 (5): 293–303CrossRefGoogle Scholar
  22. Ligatti J, Bauer L, Walker D (2005) Enforcing non-safety security policies with program monitors. In: ESORICS, pp 355–373Google Scholar
  23. Ligatti J, Bauer L, Walker D (2009) Run-time enforcement of nonsafety policies. ACM Trans Inf Syst Secur 12 (3): 1–41. CrossRefGoogle Scholar
  24. Marchand H, Dubreil J, Jéron T (2009) Automatic testing of access control for security properties. In: TestCom’09, Springer-Verlag, LNCS, vol 5826, pp 113–128Google Scholar
  25. Pnueli A, Zaks A (2006) PSL model checking and run-time verification via testers. In: FM’06: proceedings of formal methods, pp 573–586Google Scholar
  26. Saboori A, Hadjicostis CN (2007) Notions of security and opacity in discrete event systems. In: CDC’07: 46th IEEE Conf. Decision and Control, pp 5056–5061Google Scholar
  27. Saboori A, Hadjicostis CN (2009) Verification of infinite-step opacity and analysis of its complexity. In: Dependable control of discrete systemsGoogle Scholar
  28. Saboori A, Hadjicostis CN (2011) Verification of k-step opacity and analysis of its complexity. IEEE Trans Autom Sci Eng 8 (3): 549–559CrossRefGoogle Scholar
  29. Saboori A, Hadjicostis CN (2012) Opacity-enforcing supervisory strategies via state estimator constructions. IEEE Trans Autom Control 57 (5): 1155–1165MathSciNetCrossRefGoogle Scholar
  30. Saboori A, Hadjicostis CN (2013) Verification of initial-state opacity in security applications of discrete event systems. Inf Sci 246: 115–132MathSciNetCrossRefGoogle Scholar
  31. Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3 (1): 30–50CrossRefGoogle Scholar
  32. Takai S, Kumar R (2009) Verification and synthesis for secrecy in discrete-event systems. In: ACC’09: Proceedings of the 2009 conference on America Control Conference. IEEE Press, Piscataway, NJ, USA, pp 4741–4746Google Scholar
  33. Takai S, Oka Y (2008) A formula for the supremal controllable and opaque sublanguage arising in supervisory control. SICE J Control Meas, Syst Integr 1 (4): 307–312CrossRefGoogle Scholar
  34. Wu Y, Lafortune S (2012) Enforcement of opacity properties using insertion functions. In: 51st IEEE Conf. on Decision and Contr., pp 6722–6728Google Scholar

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. 1.UJF-Grenoble 1, Laboratoire d’Informatique de GrenobleSaint Martin d’HèresFrance
  2. 2.INRIA - Rennes Bretagne AtlantiqueRennes CedexFrance

Personalised recommendations