
Enforcement and validation (at runtime) of various notions of opacity

Abstract

We are interested in the validation of opacity. Opacity models the impossibility for an attacker to retrieve the value of a secret in a system of interest. Roughly speaking, ensuring opacity guarantees the confidentiality of a secret of the system, i.e., that the secret cannot leak to an attacker. More specifically, we study how several levels of opacity can be model-checked, verified, and enforced at system runtime. Besides existing notions of opacity, we also introduce K-step strong opacity, a more practical notion of opacity that provides a stronger level of confidentiality.

Notes

  1. Several notions of opacity will be considered in this paper. Here we present only the simplest one informally.

     [Fig. 1: Several ways to validate the opacity of a secret on a system]

  2. Equivalently, the secret can be given by a regular language over Σ; see Cassez et al. (2009) for more details.

  3. Compared with Saboori and Hadjicostis (2007), for simplicity, we only consider a unique initial state and deterministic LTSs.

  4. We will also use it in Section 6 in order to enforce the various notions of opacity.

  5. For clarity, in the states of the graphic representation of K-delay trajectory estimators, a state \(q_{i}\) is written \(i\).

  6. Since in Lemmas 1 and 2 we are only interested in how K-delay trajectory estimators capture state estimates, we focus on state tuples and ignore the Booleans. That is, for the sake of readability, states of K-delay trajectory estimators are written \((q_{0},\ldots,q_{K})\) instead of \(((q_{0},\ldots,q_{K}),(b_{0},\ldots,b_{K-1}))\).

  7. For clarity, for K-step weak opacity, only information about traversed states is considered in trajectory estimators, since it is the sole information needed.

  8. Note that here o can be \(\epsilon\) if the enforcer chooses not to produce an output.

  9. Besides memory size limitation, this constraint can represent the desired quality of service, e.g., the maximal allowed delay.

  10. The existence of an R-Enforcer for simple opacity relies on the trivial condition \(T\geq 1\).

References

  1. Alur R, Zdancewic S (2006) Preserving secrecy under refinement. In: Proc. of the 33rd Internat. Colloq. on Automata, Languages and Programming (ICALP 06), volume 4052 of Lecture Notes in Computer Science, Springer, pp 107–118

  2. Badouel E, Bednarczyk M, Borzyszkowski A, Caillaud B, Darondeau P (2007) Concurrent secrets. Discret Event Dyn Syst 17 (4): 425–446. https://doi.org/10.1007/s10626-007-0020-5

  3. Bryans J, Koutny M, Mazaré L, Ryan PYA (2008) Opacity generalised to transition systems. Int J Inf Secur 7 (6): 421–435

  4. Cassandras CG, Lafortune S (2006) Introduction to discrete event systems. Springer, Secaucus

  5. Cassez F, Dubreil J, Marchand H (2009) Dynamic observers for the synthesis of opaque systems. In: ATVA’09: 7th international symposium on automated technology for verification and analysis, pp 352–367

  6. Dubreil J (2009) Monitoring and supervisory control for opacity properties. Ph.D. Thesis, Université de Rennes 1

  7. Dubreil J, Jéron T, Marchand H (2009) Monitoring confidentiality by diagnosis techniques. In: European control conference. Budapest, Hungary, pp 2584–2590

  8. Dubreil J, Darondeau P, Marchand H (2010) Supervisory control for opacity. IEEE Trans Autom Control 55 (5): 1089–1100

  9. Falcone Y (2010) You should better enforce than verify. In: Barringer H, Falcone Y, Finkbeiner B, Havelund K, Lee I, Pace GJ, Rosu G, Sokolsky O, Tillmann N (eds) Runtime Verification (RV 2010), Lecture Notes in Computer Science, vol 6418. Springer, pp 89–105

  10. Falcone Y, Marchand H (2010a) TAKOS: a java toolbox for the analysis of K-Opacity of systems. Available at http://toolboxopacity.gforge.inria.fr

  11. Falcone Y, Marchand H (2010b) Various notions of opacity verified and enforced at runtime. Tech. Rep. 7349, INRIA

  12. Falcone Y, Marchand H (2013) Runtime enforcement of k-step opacity. In: Proceedings of the 52nd conference on decision and control. IEEE

  13. Falcone Y, Fernandez JC, Mounier L (2008) Synthesizing enforcement monitors wrt. the safety-progress classification of properties. In: Sekar R, Pujari AK (eds) ICISS 2008, Lecture Notes in Computer Science, vol 5352. Springer, pp 41–55

  14. Falcone Y, Fernandez JC, Mounier L (2009a) Enforcement monitoring wrt. the safety-progress classification of properties. In: SAC’09: Proceedings of the 2009 ACM symposium on Applied Computing, ACM, pp 593–600

  15. Falcone Y, Fernandez JC, Mounier L (2009b) Runtime verification of safety-progress properties. In: RV’09: Proceedings of the 9th workshop on runtime verification. Revised selected Papers, pp 40–59

  16. Falcone Y, Mounier L, Fernandez JC, Richier JL (2011) Runtime enforcement monitors: composition, synthesis, and enforcement abilities. Form Methods Syst Des 38 (3): 223–262

  17. Falcone Y, Fernandez JC, Mounier L (2012) What can you verify and enforce at runtime? STTT 14 (3): 349–382

  18. Hamlen KW, Morrisett G, Schneider FB (2006) Computability classes for enforcement mechanisms. ACM Trans Program Lang Syst 28 (1): 175–205. http://doi.acm.org/10.1145/1111596.1111601

  19. Havelund K, Goldberg A (2008) Verify your runs. In: VSTTE’05: verified software: theories, tools, experiments: first IFIP TC 2/WG 2.3 conference, revised selected papers and discussions, pp 374–383

  20. Havelund K, Rosu G (2002) Efficient monitoring of safety properties. Software Tools and Technology Transfer

  21. Leucker M, Schallhart C (2008) A brief account of runtime verification. J Logic Algebraic Program 78 (5): 293–303

  22. Ligatti J, Bauer L, Walker D (2005) Enforcing non-safety security policies with program monitors. In: ESORICS, pp 355–373

  23. Ligatti J, Bauer L, Walker D (2009) Run-time enforcement of nonsafety policies. ACM Trans Inf Syst Secur 12 (3): 1–41. http://doi.acm.org/10.1145/1455526.1455532

  24. Marchand H, Dubreil J, Jéron T (2009) Automatic testing of access control for security properties. In: TestCom’09, Springer-Verlag, LNCS, vol 5826, pp 113–128

  25. Pnueli A, Zaks A (2006) PSL model checking and run-time verification via testers. In: FM’06: proceedings of formal methods, pp 573–586

  26. Saboori A, Hadjicostis CN (2007) Notions of security and opacity in discrete event systems. In: CDC’07: 46th IEEE Conf. Decision and Control, pp 5056–5061

  27. Saboori A, Hadjicostis CN (2009) Verification of infinite-step opacity and analysis of its complexity. In: Dependable control of discrete systems

  28. Saboori A, Hadjicostis CN (2011) Verification of k-step opacity and analysis of its complexity. IEEE Trans Autom Sci Eng 8 (3): 549–559

  29. Saboori A, Hadjicostis CN (2012) Opacity-enforcing supervisory strategies via state estimator constructions. IEEE Trans Autom Control 57 (5): 1155–1165

  30. Saboori A, Hadjicostis CN (2013) Verification of initial-state opacity in security applications of discrete event systems. Inf Sci 246: 115–132

  31. Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3 (1): 30–50

  32. Takai S, Kumar R (2009) Verification and synthesis for secrecy in discrete-event systems. In: ACC’09: Proceedings of the 2009 American Control Conference. IEEE Press, Piscataway, NJ, USA, pp 4741–4746

  33. Takai S, Oka Y (2008) A formula for the supremal controllable and opaque sublanguage arising in supervisory control. SICE J Control Meas, Syst Integr 1 (4): 307–312

  34. Wu Y, Lafortune S (2012) Enforcement of opacity properties using insertion functions. In: 51st IEEE Conf. on Decision and Contr., pp 6722–6728

Acknowledgments

The authors would like to gratefully thank the anonymous reviewers for their helpful remarks.

Author information

Correspondence to Hervé Marchand.

Appendices

Appendix A: Proofs

A.1 Proofs of Section 4

Proposition 9

(p. 20). We shall prove that a secret \(S\subseteq Q^{\mathcal {G}}\) is \((\mathcal {G},P_{\Sigma_{\mathrm {o}}},K)\)-weakly opaque if and only if

$$\forall \mu\in \mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G}), \forall\mu^{\prime}\preceq\mu: |\mu-\mu^{\prime}| \leq K \Rightarrow [\![\mu^{\prime}/ \mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}\not\subseteq \mathcal{L}_{S}(\mathcal{G}). $$

Proof

We prove the equivalence by showing the implication in both ways.

(\(\Rightarrow\)) Let \(\mu\in\mathcal{T}_{\Sigma_{\mathrm{o}}}(\mathcal{G})\) and \(\mu^{\prime}\preceq\mu\) such that \(|\mu-\mu^{\prime}|\leq K\). Let \(t\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\) and \(t^{\prime}\preceq t\) such that \(t^{\prime}\in[\![\mu^{\prime}]\!]_{\Sigma_{\mathrm{o}}}\). Then, we have \(|t-t^{\prime}|_{\Sigma_{\mathrm{o}}}\leq K\) and \(t^{\prime}\in[\![\mu^{\prime}/\mu]\!]_{\Sigma_{\mathrm{o}}}\). If \(t^{\prime}\notin\mathcal{L}_{S}(\mathcal{G})\), then \([\![\mu^{\prime}/\mu]\!]_{\Sigma_{\mathrm{o}}}\not\subseteq\mathcal{L}_{S}(\mathcal{G})\). Otherwise \(t^{\prime}\in\mathcal{L}_{S}(\mathcal{G})\) and, as S is \((\mathcal{G},P_{\Sigma_{\mathrm{o}}},K)\)-weakly opaque, there exist \(s,s^{\prime}\in\mathcal{L}(\mathcal{G})\) such that \(s\approx_{\Sigma_{\mathrm{o}}} t\), \(s^{\prime}\approx_{\Sigma_{\mathrm{o}}} t^{\prime}\), and \(s^{\prime}\notin\mathcal{L}_{S}(\mathcal{G})\). We thus have \(s^{\prime}\in[\![\mu^{\prime}/\mu]\!]_{\Sigma_{\mathrm{o}}}\) and finally \([\![\mu^{\prime}/\mu]\!]_{\Sigma_{\mathrm{o}}}\not\subseteq\mathcal{L}_{S}(\mathcal{G})\).

(\(\Leftarrow\)) Reciprocally, let \(t\in\mathcal{L}(\mathcal{G})\) and \(t^{\prime}\preceq t\) such that \(|t-t^{\prime}|_{\Sigma_{\mathrm{o}}}\leq K\) and \(t^{\prime}\in\mathcal{L}_{S}(\mathcal{G})\). Let \(\mu=P_{\Sigma_{\mathrm{o}}}(t)\) and \(\mu^{\prime}=P_{\Sigma_{\mathrm{o}}}(t^{\prime})\). By definition, we have \(|\mu-\mu^{\prime}|\leq K\). Now, by hypothesis we know that \([\![\mu^{\prime}/\mu]\!]_{\Sigma_{\mathrm{o}}}\not\subseteq\mathcal{L}_{S}(\mathcal{G})\). So there exist \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\) and \(s^{\prime}\preceq s\) such that \(s^{\prime}\in[\![\mu^{\prime}/\mu]\!]_{\Sigma_{\mathrm{o}}}\) and \(s^{\prime}\notin\mathcal{L}_{S}(\mathcal{G})\). Finally, we have found \(s\in\mathcal{L}(\mathcal{G})\) and \(s^{\prime}\preceq s\) such that \(s\approx_{\Sigma_{\mathrm{o}}} t\wedge s^{\prime}\approx_{\Sigma_{\mathrm{o}}} t^{\prime}\wedge s^{\prime}\notin\mathcal{L}_{S}(\mathcal{G})\). Thus, S is \((\mathcal{G},P_{\Sigma_{\mathrm{o}}},K)\)-weakly opaque.

Proposition 10

(p. 25). We shall prove that, on \(\mathcal {G}\), \(S\subseteq Q^{\mathcal {G}}\) is \((\mathcal {G},P_{\Sigma_{\mathrm {o}}},K)\)-strongly opaque if and only if

$$\forall \mu\in\mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G}): [\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}\cap {\text{Free}^{S}_{K}}(\mathcal{G})\neq \emptyset. $$

Proof

We prove the equivalence by showing the implication in both ways.

(\(\Leftarrow\)) Let \(t\in\mathcal{L}(\mathcal{G})\) and \(\mu=P_{\Sigma_{\mathrm{o}}}(t)\); by hypothesis we have \([\![\mu]\!]_{\Sigma_{\mathrm{o}}}\cap\text{Free}^{S}_{K}(\mathcal{G})\neq\emptyset\). In particular, there exists \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\) (thus \(s\approx_{\Sigma_{\mathrm{o}}} t\)) such that \(\forall s^{\prime}\preceq s: |s-s^{\prime}|_{\Sigma_{\mathrm{o}}}\leq K\wedge s^{\prime}\notin\mathcal{L}_{S}(\mathcal{G})\), which entails that S is \((\mathcal{G},P_{\Sigma_{\mathrm{o}}},K)\)-strongly opaque.

(\(\Rightarrow\)) Let \(\mu\in\mathcal{T}_{\Sigma_{\mathrm{o}}}(\mathcal{G})\) and \(t\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\). As S is \((\mathcal{G},P_{\Sigma_{\mathrm{o}}},K)\)-strongly opaque, there exists \(s\in\mathcal{L}(\mathcal{G})\) such that \(s\approx_{\Sigma_{\mathrm{o}}} t\) and \(\forall s^{\prime}\preceq s: |s-s^{\prime}|_{\Sigma_{\mathrm{o}}}\leq K\Rightarrow s^{\prime}\notin\mathcal{L}_{S}(\mathcal{G})\). Obviously \(s\in\text{Free}^{S}_{K}(\mathcal{G})\), and, as \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\), \([\![\mu]\!]_{\Sigma_{\mathrm{o}}}\cap\text{Free}^{S}_{K}(\mathcal{G})\neq\emptyset\).

A.2 Proofs of Section 5

In the following two lemmas, recall that only the information about traversed states is considered.

A.2.1 Lemma 1 (p. 39)

Given a system \(\mathcal{G}\) modeled by an LTS \((Q^{\mathcal{G}},q_{\text{init}}^{\mathcal{G}},\Sigma,\delta_{\mathcal{G}})\) and the corresponding K-delay trajectory estimator \(D=(M^{D},m_{\text{init}}^{D},\Sigma_{\mathrm{o}},\delta_{D})\), then

$$\begin{array}{ll} \bullet & \forall \mu\in \mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})\mbox{ s.t. }|\mu|\geq K \wedge \mu=\mu^{\prime}\cdot\sigma_{1}\cdots\sigma_{K},\\ &\qquad \forall s\in[\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}: (s=s^{\prime}\cdot s_{1}{\cdots} s_{K} \wedge \forall {i\in [1,K]}: P_{{\Sigma}_{\mathrm{o}}}(s_{i})=\sigma_{i})\\ &\qquad\qquad \exists (q_{0},\ldots,q_{K})\in\delta_{D}(m_{\text{init}}^{D},\mu) : q_{0}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{1}{\cdots} q_{K-1}\stackrel{s_{K}}{\to}_{\mathcal{G}} q_{K},\\ ~\\ \bullet & \forall \mu\in \mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})\mbox{ s.t. } n=|\mu|< K \wedge \mu=\sigma_{1}\cdots\sigma_{n},\\ &\quad\forall s\in[\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}: (s= s^{\prime}\cdot s_{1}{\cdots} s_{n} \wedge \forall {i\in [1,n]}: P_{{\Sigma}_{\mathrm{o}}}(s_{i})=\sigma_{i}), \\ &\quad\quad\exists (q_{0},\ldots,q_{K})\in\delta_{D}({m_{{\text{init}}}^{D}},\mu): q_{K-n}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{K-n+1}{\cdots} \stackrel{s_{n-1}}{\to}_{\mathcal{G}} q_{K-1}\stackrel{s_{n}}{\to}_{\mathcal{G}} q_{K},\\ & \qquad \qquad \qquad\qquad \qquad\qquad \quad\quad \wedge\ {q_{{\text{init}}}^{\mathcal{G}}}\stackrel{s^{\prime}}{\to}_{\mathcal{G}} q_{K-n}. \end{array} $$

Proof

The proof is done by induction on |μ|. We consider only observation traces μ of length |μ|≥1 since for the empty observation trace, the information provided by a K-delay trajectory estimator reduces to the state estimate reachable with unobservable events from the system. This information is given in the initial state of the trajectory estimator and is trivially correct by definition.

  • For \(|\mu|=1\), \(\mu=\sigma_{1}\), by definition \(m_{\text{init}}^{D}=\odot_{K+1}\Delta_{\mathcal{G}}(\{q_{\text{init}}^{\mathcal{G}}\},[\![\epsilon]\!]_{\Sigma_{\mathrm{o}}})\). In particular \((q,\ldots,q)\in m_{\text{init}}^{D}\) for every \(q\in\Delta_{\mathcal{G}}(\{q_{\text{init}}^{\mathcal{G}}\},[\![\epsilon]\!]_{\Sigma_{\mathrm{o}}})\). Let \(s^{\prime}\cdot s_{1}\in[\![\sigma_{1}]\!]_{\Sigma_{\mathrm{o}}}\) (with \(P_{\Sigma_{\mathrm{o}}}(s^{\prime})=\epsilon\) and \(P_{\Sigma_{\mathrm{o}}}(s_{1})=\sigma_{1}\)) such that \(q\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{1}\) for some \(q\in\Delta_{\mathcal{G}}(\{q_{\text{init}}^{\mathcal{G}}\},[\![\epsilon]\!]_{\Sigma_{\mathrm{o}}})\). By definition \((q,q_{1})\in\text{Obs}(\sigma_{1})\) and thus \((q,\ldots,q,q_{1})\in\delta_{D}(m_{\text{init}}^{D},\sigma_{1})\).

  • Assume now that the property holds for any trace of \(\mathcal{G}\) of length strictly less than K. Let \(\mu\in\mathcal{T}_{\Sigma_{\mathrm{o}}}(\mathcal{G})\) s.t. \(n=|\mu|<K\wedge\mu=\sigma_{1}\cdots\sigma_{n}\) and \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\) s.t. \(s=s^{\prime}\cdot s_{1}\cdots s_{n}\wedge\forall i\in[1,n]: P_{\Sigma_{\mathrm{o}}}(s_{i})=\sigma_{i}\wedge P_{\Sigma_{\mathrm{o}}}(s^{\prime})=\epsilon\). We have \(s^{\prime}\cdot s_{1}\cdots s_{n-1}\in[\![\mu^{\prime}]\!]_{\Sigma_{\mathrm{o}}}\) with \(\mu^{\prime}=\sigma_{1}\cdots\sigma_{n-1}\). By induction hypothesis, \(\exists(q,q_{0},\ldots,q_{K-1})\in m^{\prime}=\delta_{D}(m_{\text{init}}^{D},\mu^{\prime}): q_{K-n}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{K-n+1}\cdots\stackrel{s_{n-2}}{\to}_{\mathcal{G}} q_{K-2}\stackrel{s_{n-1}}{\to}_{\mathcal{G}} q_{K-1}\). Now, consider \(m=m^{\prime}\|\text{Obs}(\sigma_{n})\). As \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\), there exists \(q_{K}\in Q^{\mathcal{G}}\) such that \(q_{K-n}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{K-n+1}\cdots\stackrel{s_{n-2}}{\to}_{\mathcal{G}} q_{K-2}\stackrel{s_{n-1}}{\to}_{\mathcal{G}} q_{K-1}\stackrel{s_{n}}{\to}_{\mathcal{G}} q_{K}\) with \(P_{\Sigma_{\mathrm{o}}}(s_{n})=\sigma_{n}\). Now by definition of the function Obs, we have \((q_{K-1},q_{K})\in\text{Obs}(\sigma_{n})\) and finally, by definition of \(\|\), we have \((q_{0},\ldots,q_{K})\in m\).

  • The case where |μ|≥K follows exactly the same pattern.

A.2.2 Lemma 2 (p. 40)

Given a system \(\mathcal{G}\) modelled by an LTS \((Q^{\mathcal{G}},q_{\text{init}}^{\mathcal{G}},\Sigma,\delta_{\mathcal{G}})\) and the corresponding K-delay trajectory estimator \(D=(M^{D},m_{\text{init}}^{D},\Sigma_{\mathrm{o}},\delta_{D})\), then \(\forall m\in M^{D}\), \(\forall(q_{0},\ldots,q_{K})\in m\), \(\forall\mu\in\mathcal{T}_{\Sigma_{\mathrm{o}}}(\mathcal{G}): \delta_{D}(m_{\text{init}}^{D},\mu)=m\),

$$\begin{array}{ll} \bullet & |\mu|=0 \Rightarrow \forall (q,\ldots,q)\in m={m_{{\text{init}}}^{D}},\exists s\in [\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}: {q_{{ \text{init}}}^{\mathcal{G}}}\stackrel{s}{\longrightarrow}_{\mathcal{G}} q\wedge P_{{\Sigma}_{\mathrm{o}}}(s) = \epsilon,\\ ~\\ \bullet & n=|\mu|< K \wedge \mu=\sigma_{1}\cdots\sigma_{n} \Rightarrow\\ & \quad\exists s^{\prime}\cdot s_{1}{\cdots} s_{n}\in[\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}:\\ & \quad\quad {q_{{\text{init}}}^{\mathcal{G}}}\stackrel{s^{\prime}}{\to}_{\mathcal{G}}\ q_{K-n}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{K-n+1}{\cdots} q_{K-1}\stackrel{s_{n}}{\to}_{\mathcal{G}} q_{K} \wedge \forall {i\in [1,n]}:P_{{\Sigma}_{\mathrm{o}}}(s_{i})=\sigma_{i}\\ ~\\ \bullet & |\mu|\geq K \wedge \mu=\mu^{\prime}\cdot\sigma_{1}\cdots\sigma_{K} \Rightarrow\\ & \qquad\exists s^{\prime}\cdot s_{1}{\cdots} s_{K}\in[\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}} :\\ & \qquad\qquad{q_{{\text{init}}}^{\mathcal{G}}}\stackrel{s^{\prime}}{\to}_{\mathcal{G}} q_{0}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{1}{\cdots} \stackrel{s_{K}}{\to}_{\mathcal{G}} q_{K}\wedge \forall {i\in [1,K]}: P_{{\Sigma}_{\mathrm{o}}}(s_{i})=\sigma_{i}. \end{array} $$

Proof

Let us consider \(m\in M^{D}\) and \(\mu\in\mathcal{T}_{\Sigma_{\mathrm{o}}}(\mathcal{G}): \delta_{D}(m_{\text{init}}^{D},\mu)=m\). The proof is done by induction on \(|\mu|\).

  • If \(|\mu|=0\), then \(\mu=\epsilon\) and \(m=m_{\text{init}}^{D}=\odot_{K+1}(\Delta_{\mathcal{G}}(\{q_{\text{init}}^{\mathcal{G}}\},[\![\epsilon]\!]_{\Sigma_{\mathrm{o}}}))\). Then all state estimates \((q,\ldots,q)\in m_{\text{init}}^{D}\) are s.t. \(q\in\Delta_{\mathcal{G}}(\{q_{\text{init}}^{\mathcal{G}}\},[\![\epsilon]\!]_{\Sigma_{\mathrm{o}}})\). Then, there exists \(s\in\mathcal{L}(\mathcal{G})\) s.t. \(q_{\text{init}}^{\mathcal{G}}\stackrel{s}{\longrightarrow}_{\mathcal{G}} q\) and \(P_{\Sigma_{\mathrm{o}}}(s)=\epsilon\).

  • Assume that the property holds for all \(\mu^{\prime}\in\mathcal{T}_{\Sigma_{\mathrm{o}}}(\mathcal{G})\) such that \(|\mu^{\prime}|<n\) and consider \(\mu\in\mathcal{T}_{\Sigma_{\mathrm{o}}}(\mathcal{G})\) such that \(|\mu|=n\):

    • If \(|\mu|=n<K\), \(\mu\) can be written \(\mu=\sigma_{1}\cdots\sigma_{n}\). Consider now an element of m. It is of the form \((q_{K-n},\ldots,q_{K-n},q_{K-n+1},\ldots,q_{K-1},q_{K})\). There exists \(m_{1}\in M^{D}\) s.t. \(\delta_{D}(m_{1},\sigma_{n})=m=m_{1}\|\text{Obs}(\sigma_{n})\) such that \((q_{K-n},\ldots,q_{K-n},q_{K-n+1},\ldots,q_{K-1})\in m_{1}\) and \((q_{K-1},q_{K})\in\text{Obs}(\sigma_{n})\). Let \(\mu^{\prime}=\sigma_{1}\cdots\sigma_{n-1}\); by induction hypothesis on \(m_{1}\) and \(\mu^{\prime}\), there exists \(s^{\prime\prime}=s^{\prime}\cdot s_{1}\cdots s_{n-1}\) with \(P_{\Sigma_{\mathrm{o}}}(s^{\prime})=\epsilon\) and \(\forall i\in[1,n-1]: P_{\Sigma_{\mathrm{o}}}(s_{i})=\sigma_{i}\) such that \(q_{\text{init}}^{\mathcal{G}}\stackrel{s^{\prime}}{\longrightarrow}_{\mathcal{G}} q_{K-n}\stackrel{s_{1}}{\longrightarrow}_{\mathcal{G}} q_{K-n+1}\stackrel{s_{2}}{\longrightarrow}_{\mathcal{G}}\cdots\stackrel{s_{n-1}}{\longrightarrow}_{\mathcal{G}} q_{K-1}\). Now by definition of Obs, there exists \(s_{n}\in\Sigma^{*}\) with \(P_{\Sigma_{\mathrm{o}}}(s_{n})=\sigma_{n}\) such that \(q_{K-1}\stackrel{s_{n}}{\longrightarrow}_{\mathcal{G}} q_{K}\). Finally \(s=s^{\prime\prime}\cdot s_{n}\) is such that \(q_{\text{init}}^{\mathcal{G}}\stackrel{s^{\prime}}{\longrightarrow}_{\mathcal{G}} q_{K-n}\stackrel{s_{1}}{\longrightarrow}_{\mathcal{G}} q_{K-n+1}\cdots q_{K-1}\stackrel{s_{n}}{\longrightarrow}_{\mathcal{G}} q_{K}\) and \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\).

    • If \(|\mu|\geq K\), \(\mu\) can be written \(\mu=\mu^{\prime}\cdot\sigma_{1}\cdots\sigma_{K}\). There exists \(m_{1}\in M^{D}\) s.t. \(\delta_{D}(m_{1},\sigma_{K})=m=m_{1}\|\text{Obs}(\sigma_{K})\). Furthermore, there exists \(q\in Q^{\mathcal{G}}\) s.t. \((q,q_{0},\ldots,q_{K-1})\in m_{1}\) and \((q_{K-1},q_{K})\in\text{Obs}(\sigma_{K})\). By induction hypothesis applied to \((q,q_{0},\ldots,q_{K-1})\in m_{1}\), there exists \(s^{\prime\prime}=s^{\prime}\cdot s_{0}\cdots s_{K-1}\in[\![\mu^{\prime}\cdot\sigma_{0}\cdots\sigma_{K-1}]\!]_{\Sigma_{\mathrm{o}}}\) with \(\forall i\in[0,K-1]: P_{\Sigma_{\mathrm{o}}}(s_{i})=\sigma_{i}\) such that \(q\stackrel{s_{0}}{\longrightarrow}_{\mathcal{G}} q_{0}\stackrel{s_{1}}{\longrightarrow}_{\mathcal{G}}\cdots\stackrel{s_{K-1}}{\longrightarrow}_{\mathcal{G}} q_{K-1}\). Finally, since \((q_{K-1},q_{K})\in\text{Obs}(\sigma_{K})\), there exists \(s_{K}\in\Sigma^{*}\) with \(P_{\Sigma_{\mathrm{o}}}(s_{K})=\sigma_{K}\) such that \(q_{K-1}\stackrel{s_{K}}{\longrightarrow}_{\mathcal{G}} q_{K}\). Overall \(s=s^{\prime\prime}\cdot s_{K}\) is such that \(q_{0}\stackrel{s_{1}}{\longrightarrow}_{\mathcal{G}} q_{1}\cdots q_{K-1}\stackrel{s_{K}}{\longrightarrow}_{\mathcal{G}} q_{K}\) and \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\).

A.2.3 Proposition 4 (p. 42)

We shall prove the soundness and completeness of the synthesized R-Verifiers for K-weak opacity, as set out in Definition 6. That is, we prove that \(\forall \mu \in \mathcal {T}_{\Sigma_{\mathrm {o}}}(\mathcal {G}),\forall l\in [0,K]:\)

$$\begin{array}{rrcl} &{\Gamma}^{\mathcal{V}}(\delta_{\mathcal{V}}({q_{{\text{init}}}^{\mathcal{V}}},\mu))= \text{leak}_{\mathrm{l}} &\Leftrightarrow & \mu\in \text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{O{P_{K}^{W}}},l) \\ \wedge & {\Gamma}^{\mathcal{V}}(\delta_{\mathcal{V}}({q_{{\text{init}}}^{\mathcal{V}}},\mu))= \text{noleak} &\Leftrightarrow & \mu\notin \text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{O{P_{K}^{W}}}). \end{array} $$

Proof

We consider \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\) s.t. \(\delta _{D}({m_{{\text {init}}}^{D}},\mu )=m\).

\((\Rightarrow )\)

  • If \(\Gamma^{\mathcal{V}}(\delta_{\mathcal{V}}(q_{\text{init}}^{\mathcal{V}},\mu))=\text{noleak}\), we have \(\Gamma^{\mathcal{V}}(m)=\text{noleak}\), that is \(\forall i\in[0,K]: m(i)\notin 2^{S}\). Using Proposition 3, we have \(\forall i\in[0,\min\{|\mu|,K\}]: m(i)=\delta_{\mathcal{G}}(q_{\text{init}}^{\mathcal{G}},[\![\mu^{\cdots|\mu|-i-1}/\mu]\!]_{\Sigma_{\mathrm{o}}})\notin 2^{S}\). That is, \(\forall\mu^{\prime}\preceq\mu: |\mu-\mu^{\prime}|_{\Sigma_{\mathrm{o}}}\leq K\Rightarrow[\![\mu^{\prime}/\mu]\!]_{\Sigma_{\mathrm{o}}}\not\subseteq\mathcal{L}_{S}(\mathcal{G})\). According to Eq. (1) (p. 21), it means that \(\mu\notin\text{leak}(\mathcal{G},P_{\Sigma_{\mathrm{o}}},S,\mathsf{OP}^{W}_{K})\).

  • If \(\Gamma^{\mathcal{V}}(\delta_{\mathcal{V}}(q_{\text{init}}^{\mathcal{V}},\mu))=\text{leak}_{\mathrm{l}}\), we have \(\Gamma^{D}(m)=\text{leak}_{\mathrm{l}}\), that is \(m(l)\in 2^{S}\) and \(\forall i<l: m(i)\notin 2^{S}\). Similarly, using Proposition 3 we have \([\![\mu^{\cdots|\mu|-l-1}/\mu]\!]_{\Sigma_{\mathrm{o}}}\subseteq\mathcal{L}_{S}(\mathcal{G})\) and \(\forall i<l: [\![\mu^{\cdots|\mu|-i-1}/\mu]\!]_{\Sigma_{\mathrm{o}}}\not\subseteq\mathcal{L}_{S}(\mathcal{G})\), i.e., according to Eq. (2) (p. 22), \(\mu\in\text{leak}(\mathcal{G},P_{\Sigma_{\mathrm{o}}},S,\mathsf{OP}^{W}_{K},l)\).

(\(\Leftarrow \))

  • If \(\mu\notin\text{leak}(\mathcal{G},P_{\Sigma_{\mathrm{o}}},S,\mathsf{OP}^{W}_{K})\), that is \(\forall\mu^{\prime}\preceq\mu: |\mu-\mu^{\prime}|\leq K\Rightarrow[\![\mu^{\prime}/\mu]\!]_{\Sigma_{\mathrm{o}}}\not\subseteq\mathcal{L}_{S}(\mathcal{G})\). Then using Proposition 3, we have \(\forall i\in[0,\min\{|\mu|,K\}]: m(i)\notin 2^{S}\). Following the construction of R-Verifiers, we have \(\Gamma^{\mathcal{V}}(m)=\text{noleak}\).

  • If \(\mu\in\text{leak}(\mathcal{G},P_{\Sigma_{\mathrm{o}}},S,\mathsf{OP}^{W}_{K},l)\), then according to Eq. (1), we have \([\![\mu^{\cdots|\mu|-l-1}/\mu]\!]_{\Sigma_{\mathrm{o}}}\subseteq\mathcal{L}_{S}(\mathcal{G})\) and \(\forall i<l: [\![\mu^{\cdots|\mu|-i-1}/\mu]\!]_{\Sigma_{\mathrm{o}}}\not\subseteq\mathcal{L}_{S}(\mathcal{G})\). Now, using Proposition 3, \(\forall i\in[0,l[: m(i)\notin 2^{S}\) and \(m(l)\in 2^{S}\). According to the definition of the construction of R-Verifiers for K-weak opacity (definitions of \(Q^{\mathcal{V}}\) and \(\Gamma^{\mathcal{V}}\)), we deduce that \(\Gamma^{\mathcal{V}}(m)=\text{leak}_{\mathrm{l}}\).
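As an added worked example (our own code, not the paper's or its TAKOS toolbox), the following Python builds the K-delay trajectory estimator used in Lemmas 1 and 2 and the R-Verifier verdict of Proposition 4 for a small constructed LTS, then runs the bounded check of Proposition 9 over all its observation traces; the sample system, the secret, and every name in it are assumptions of this example.

```python
"""K-delay trajectory estimator and R-Verifier verdict for K-step weak opacity.
Constructed example, not the paper's TAKOS toolbox: all names and the sample
system are ours. Events outside sigma_o are unobservable."""

class LTS:
    """Deterministic LTS (Q, q_init, Sigma, delta) with observable alphabet Sigma_o."""
    def __init__(self, q_init, delta, sigma_o):
        self.q_init = q_init
        self.delta = delta                 # {(state, event): next_state}
        self.sigma_o = frozenset(sigma_o)

    def unobs_reach(self, states):
        """Delta_G(states, [[eps]]): closure of `states` under unobservable events."""
        seen, stack = set(states), list(states)
        while stack:
            q = stack.pop()
            for (p, e), q2 in self.delta.items():
                if p == q and e not in self.sigma_o and q2 not in seen:
                    seen.add(q2)
                    stack.append(q2)
        return seen

    def obs(self, sigma):
        """Obs(sigma) = {(q, q') : q --s--> q' for some s with P_{Sigma_o}(s) = sigma}."""
        pairs = set()
        for q in {p for p, _ in self.delta}:      # states with an outgoing transition
            for p in self.unobs_reach({q}):
                if (p, sigma) in self.delta:
                    for q2 in self.unobs_reach({self.delta[(p, sigma)]}):
                        pairs.add((q, q2))
        return pairs

class KDelayEstimator:
    """States are sets of (K+1)-tuples (q_0, ..., q_K): q_K is the current state
    estimate and q_{K-i} the estimate i observations ago (Booleans b_i omitted,
    as in Lemmas 1 and 2)."""
    def __init__(self, lts, K):
        self.lts, self.K = lts, K
        init = lts.unobs_reach({lts.q_init})
        self.m_init = frozenset((q,) * (K + 1) for q in init)  # (.)_{K+1} of Delta_G
        self._obs = {s: lts.obs(s) for s in lts.sigma_o}

    def step(self, m, sigma):
        """delta_D(m, sigma) = m || Obs(sigma): slide the window, append a successor."""
        return frozenset(t[1:] + (q2,) for t in m
                         for (q1, q2) in self._obs[sigma] if q1 == t[-1])

    def run(self, mu):
        m = self.m_init
        for sigma in mu:
            m = self.step(m, sigma)
        return m

def state_estimate(m, i, K):
    """m(i): states the system may have been in i observations ago."""
    return {t[K - i] for t in m}

def verdict(lts, S, K, mu):
    """R-Verifier for K-weak opacity (Proposition 4): smallest l in [0, min(|mu|, K)]
    such that m(l) is included in S, or None for the `noleak` verdict."""
    m = KDelayEstimator(lts, K).run(mu)
    for l in range(min(len(mu), K) + 1):
        est = state_estimate(m, l, K)
        if est and est <= S:
            return l
    return None

def observation_traces(lts, max_len):
    """T_{Sigma_o}(G) restricted to traces of G of length at most max_len."""
    out, stack = set(), [(lts.q_init, "")]
    while stack:
        q, s = stack.pop()
        out.add("".join(e for e in s if e in lts.sigma_o))
        if len(s) < max_len:
            stack.extend((q2, s + e) for (p, e), q2 in lts.delta.items() if p == q)
    return out

def leaking_traces(lts, S, K, max_len):
    """Bounded check of Proposition 9: leaking observation traces and their level l."""
    leaks = {}
    for mu in sorted(observation_traces(lts, max_len)):
        l = verdict(lts, S, K, mu)
        if l is not None:
            leaks[mu] = l
    return leaks

# Constructed sample system: after observing `a` the attacker cannot tell secret
# state 1 from state 5, but the next observation `b` is only possible from 1.
G = LTS(q_init=0,
        delta={(0, "a"): 1, (1, "b"): 2, (0, "u"): 4, (4, "a"): 5, (5, "c"): 6},
        sigma_o={"a", "b", "c"})
SECRET = {1}

if __name__ == "__main__":
    print("K=0:", leaking_traces(G, SECRET, 0, 4))  # no trace leaks for K=0
    print("K=1:", leaking_traces(G, SECRET, 1, 4))  # 'ab' leaks the secret 1 step back
```

The verdict is `leak_1` for `ab` with K=1 because the state estimate one observation back, m(1), is {1} and lies inside the secret, whereas the current estimate m(0) = {2} does not.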

A.2.4 Proposition 5 (p. 48)

We shall prove the soundness and completeness of the synthesized R-Verifiers for K-strong opacity, as set out in Definition 6. That is, we prove that \(\forall \mu \in \mathcal {T}_{\Sigma_{\mathrm {o}}}(\mathcal {G}),\forall l\in [0,K]:\)

$$\begin{array}{rrcl} &{\Gamma}^{\mathcal{V}}(\delta_{\mathcal{V}}({q_{{\text{init}}}^{\mathcal{V}}},\mu))= \text{leak}_{\mathrm{l}} &\Leftrightarrow & \mu\in \text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{O{P_{K}^{S}}},l) \\ \wedge &{\Gamma}^{\mathcal{V}}(\delta_{\mathcal{V}}({q_{{\text{init}}}^{\mathcal{V}}},\mu))= \text{noleak} &\Leftrightarrow & \mu\notin \text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{O{P_{K}^{S}}}). \end{array} $$

Proof

We consider \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\) s.t. \(\delta _{D}({m_{{\text {init}}}^{D}},\mu )=m\).

\((\Rightarrow )\)

  • If \(\Gamma^{\mathcal{V}}(\delta_{\mathcal{V}}(q_{\text{init}}^{\mathcal{V}},\mu))=\text{noleak}\), i.e., \(\exists((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m\) s.t. \(\forall i\in[0,K]: q_{i}\notin S\) and \(\forall i\in[0,K-1]: b_{i}=\mathit{true}\). Let us consider \(\mu\in\mathcal{T}_{\Sigma_{\mathrm{o}}}(\mathcal{G})\) s.t. \(\delta_{\mathcal{V}}(q_{\text{init}}^{\mathcal{V}},\mu)=m\). If \(|\mu|\geq K\) and \(\mu=\mu^{\prime}\cdot\sigma_{0}\cdots\sigma_{K-1}\), then according to Lemma 2, \(\exists s=s^{\prime}\cdot s_{0}\cdots s_{K-1}\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\) with \(\forall i\leq K-1: P_{\Sigma_{\mathrm{o}}}(s_{i})=\sigma_{i}\wedge q_{0}\stackrel{s_{0}}{\to}_{\mathcal{G}} q_{1}\cdots q_{K-1}\stackrel{s_{K-1}}{\to}_{\mathcal{G}} q_{K}\). Moreover, as \(\forall i\in[0,K-1]: b_{i}=\mathit{true}\), we can choose s such that \(\forall i\in[0,K-1]: s_{i}\in\text{Free}^{S}_{1}(\mathcal{G}(q_{i-1}))\). Consequently \(s_{0}\cdots s_{K-1}\in\text{Free}^{S}_{K}(\mathcal{G}(q_{0}))\). Let \(s^{\prime\prime}\) be the smallest prefix of \(s^{\prime}\) s.t. \(|s^{\prime\prime}|_{\Sigma_{\mathrm{o}}}=|s^{\prime}|_{\Sigma_{\mathrm{o}}}\). Necessarily we have \(s^{\prime}=s^{\prime\prime}\). Otherwise, because of the suitability of K-delay trajectory estimators, in m we would have \(((q^{\prime}_{i})_{0\leq i\leq K},(b^{\prime}_{i})_{0\leq i\leq K-1})\) where

    $$\text{redundant}\left(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1}),((q^{\prime}_{i})_{0\leq i\leq K},(b^{\prime}_{i})_{0\leq i\leq K-1})\right) $$

    would hold, which contradicts \(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m\). Overall \(s\in\text{Free}^{S}_{K}(\mathcal{G})\) and \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\cap\text{Free}^{S}_{K}(\mathcal{G})\), which means that \(\mu\notin\text{leak}(\mathcal{G},P_{\Sigma_{\mathrm{o}}},S,\mathsf{OP}^{S}_{K})\) (the case where \(|\mu|<K\) is similar).

  • If \(\Gamma^{\mathcal{V}}(\delta_{\mathcal{V}}(q_{\text{init}}^{\mathcal{V}},\mu))=\text{leak}_{\mathrm{l}}\) for some \(l\in[1,K]\), i.e., \(l=\min\{l^{\prime}\in[1,K]\mid\forall((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m, \exists i\leq l^{\prime}: q_{K-i}\in S\vee b_{K-i}=\mathit{false}\}\). Let us suppose that \(|\mu|\geq K\) (the case where \(|\mu|<K\) is similar), \(\mu=\mu^{\prime}\cdot\sigma_{0}\cdots\sigma_{K-1}\). Now, let us consider \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\), \(s=s^{\prime}\cdot s_{0}\cdots s_{K-1}\) with \(\forall i\leq K-1: P_{\Sigma_{\mathrm{o}}}(s_{i})=\sigma_{i}\). By definition, there exists \((q_{i})_{0\leq i\leq K}\) s.t. \(q_{\text{init}}^{\mathcal{G}}\stackrel{s^{\prime}}{\longrightarrow}_{\mathcal{G}} q_{0}\stackrel{s_{0}}{\longrightarrow}_{\mathcal{G}} q_{1}\cdots\stackrel{s_{K-1}}{\longrightarrow}_{\mathcal{G}} q_{K}\) and, according to Lemma 1, there exists \((b_{i})_{0\leq i\leq K-1}\) s.t. \(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m\). By hypothesis, there exists \(i\leq l\) s.t. \(q_{K-i}\in S\) or \(b_{K-i}=\mathit{false}\).

    • If \(q_{K-i}\in S\), then \(s^{\prime}\cdot s_{0}\cdots s_{K-i-1}\in\mathcal{L}_{S}(\mathcal{G})\). Moreover, we have \(|s-s^{\prime}\cdot s_{0}\cdots s_{K-i-1}|_{\Sigma_{\mathrm{o}}}\leq l\), which gives us the expected result.

    • If \(b_{K-i}=\mathit{false}\), meaning that \(s_{K-i}\notin\text{Free}^{S}_{1}(\mathcal{G}(q_{K-i}))\), then there exists a prefix \(s_{K-i}^{\prime}\) of \(s_{K-i}\) s.t. \(s^{\prime\prime}=s^{\prime}\cdot s_{0}\cdots s_{K-i}^{\prime}\in\mathcal{L}_{S}(\mathcal{G})\). Moreover, we have either \(P_{\Sigma_{\mathrm{o}}}(s_{K-i}^{\prime})=\sigma_{K-i}\) or \(P_{\Sigma_{\mathrm{o}}}(s_{K-i}^{\prime})=\epsilon\). In both cases, we have \(|s-s^{\prime\prime}|_{\Sigma_{\mathrm{o}}}\leq l\), which again gives us the expected result.

    Consider now \(l^{\prime }<l\), then \(\exists ((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m, \forall i\leq l^{\prime }: q_{K-i}\notin S \wedge b_{K-i}={\mathit {true}}\), which entails that all the sequences that match the elements of m belong to \(\text {Free}^{S}_{l^{\prime }}(\mathcal {G})\) and thus \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K},l)\).

  • If \(\Gamma^{\mathcal{V}}(\delta_{\mathcal{V}}(q_{\text{init}}^{\mathcal{V}},\mu))=\text{leak}_{0}\), then \(\forall((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m: q_{K}\in S\), which entails that \([\![\mu]\!]_{\Sigma_{\mathrm{o}}}\subset\mathcal{L}_{S}(\mathcal{G})\) and thus \(\mu\in\text{leak}(\mathcal{G},P_{\Sigma_{\mathrm{o}}},S,\mathsf{OP}^{S}_{K},0)\).

\((\Leftarrow )\)

  • If \(\mu\notin\text{leak}(\mathcal{G},P_{\Sigma_{\mathrm{o}}},S,\mathsf{OP}^{S}_{K})\), then there exists \(s\in[\![\mu]\!]_{\Sigma_{\mathrm{o}}}\cap\text{Free}^{S}_{K}(\mathcal{G})\). Let \(m=\delta_{D}(m_{\text{init}}^{D},\mu)\). According to Lemma 1, there exist \(s^{\prime},s_{1},\ldots,s_{K}\in\Sigma^{*}\) s.t.:

    • \(s=s^{\prime }\cdot s_{1}{\cdots } s_{K}\),

    • \(\forall i\leq K: P_{\Sigma_{\mathrm{o}}}(s_{i})=\sigma_{i}\),

    Each trajectory \(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\) in \(\delta_{D}(m_{\text{init}}^{D},\mu)\) is s.t. \(q_{0}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{1}\cdots q_{K-1}\stackrel{s_{K}}{\to}_{\mathcal{G}} q_{K}\). At least one trajectory in \(\delta_{D}(m_{\text{init}}^{D},\mu)\) is not redundant with the others. We have \(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in\delta_{D}(m_{\text{init}}^{D},\mu)\downarrow\). Let \(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\) denote this trajectory. Now, as \(s\in\text{Free}^{S}_{K}(\mathcal{G})\), it is easy to see that \(\forall i\in[0,K-1]: b_{i}=\mathit{true}\). Finally \(\Gamma^{\mathcal{V}}(\delta_{\mathcal{V}}(q_{\text{init}}^{\mathcal{V}},\mu))=\Gamma^{\mathcal{V}}(m)=\text{noleak}\).

  • If \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K},l)\) for some \(l\in [1,K]\). By hypothesis, we have \([\![\mu ]\!]_{{\Sigma }_{\mathrm {o}}} \cap {\text {Free}^{S}_{l}}(\mathcal {G}) = \emptyset \) and \(\forall l^{\prime }<l:[\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}} \cap {\text {Free}^{S}_{l^{\prime }}}(\mathcal {G}) \neq \emptyset \). Let \(\delta _{D}({m_{{\text {init}}}^{D}},\mu )=m\) and \(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m\). According to Lemma 2, \(\exists s_{1},\ldots , s_{K}\in {\Sigma }^{*}: s=s^{\prime }\cdot s_{1}{\cdots } s_{K}\) such that \(\forall i\leq K: P_{{\Sigma }_{\mathrm {o}}}(s_{i})=\sigma _{i}\), \(s\in [\![\mu ]\!]_{{\Sigma }_{\mathrm {o}}}\) and \(q_{0}\stackrel {s_{1}}{\to }_{\mathcal {G}} q_{1}{\cdots } q_{K-1}\stackrel {s_{K}}{\to }_{\mathcal {G}} q_{K}\). As \(s\notin {\text {Free}^{S}_{l}}(\mathcal {G})\), there exists \(i\leq l\) such that either \(q_{K-i}\in S\) or \(s_{K-i}\notin {\text {Free}^{S}_{1}}(\mathcal {G}(q_{K-i}))\), which entails, by construction, that \(b_{K-i}=\mathit {false}\). Now, for \(l^{\prime }<l\), there exists \(s\in [\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\cap \text {Free}^{S}_{l^{\prime }}(\mathcal {G})\). To this s, we can associate an element \(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m\) (among the non-redundant trajectories of m) s.t. \(\forall i\in [0,l^{\prime }]: q_{K-i}\notin S \wedge \forall i\in [{1},l^{\prime }]: b_{K-i}=\mathit {true}\), which entails that l is the smallest number s.t. \(\forall ((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m, \exists i\leq l: q_{K-i}\in S \vee b_{K-i}=\mathit {false}\).

  • If \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K},0)\), then by definition \([\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\subseteq \mathcal {L}_{S}(\mathcal {G})\) and thus \(\forall ((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m: q_{K}\in S\), which concludes the proof.

A.3 Proofs of Section 6

A.3.1 Proposition 6 (p. 73)

For a K-delay trajectory estimator \(D=(M^{D},{m_{{ \text {init}}}^{D}},{{{\Sigma }_{\mathrm {o}}}},\delta _{D})\) associated with a system \(\mathcal {G}\), we prove that the K-step based opacity \(\mathsf {OP_{K}}\in \{\mathsf {O{P_{K}^{W}}},\mathsf {O{P_{K}^{S}}}\}\) of the secret S is enforceable by an R-Enforcer with memory size T if and only if (9) holds, i.e., if and only if

$$\max \{{\text{hold}}_{\mathsf{OP_{K}}}(m)\mid m\in M^{D}\} \leq T. $$

Proof

This is a direct consequence of Proposition 3 and the definition of \(\text {safe}_{\mathsf {OP}}(\mu ,\mu ^{\prime })\) (Definition 12). Indeed, (9) \(\Leftrightarrow \max \{K+1-l_{m}\mid m\in M^{D}\} \leq T \), with \(l_{m}\) s.t. \(\forall \mu \in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G}): \delta _{D}(m_{\text {init}}^{D},\mu )= m\Rightarrow \mu \in \text {leak}(\mathcal {G},P_{{\Sigma }_{\mathrm {o}}},S,\mathsf {OP_{K}},l_{m})\). Furthermore, using Lemma 3, one can notice that the previous proposition is equivalent to

$$\max_{\mu\in\mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})} \left\{K+1-l_{m}\mid \delta_{D}({q_{{\text{init}}}^{D}},\mu)=m\wedge \mu\in\text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{OP_{K}},l_{m})\right\}\leq T. $$

Moreover, from the definition of safe, for a trace \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP_{K}},l)\), one can notice that \(K+1-l = \min \{|\mu ^{\prime }|-|\mu |\mid \mu \preceq \mu ^{\prime } \wedge \text {safe}_{\mathsf {OP_{K}}}(\mu ^{\prime },\mu )\}\) with the convention that l=K+1 when \(\mu \notin \text {leak}(\mathcal {G},P_{{\Sigma }_{\mathrm {o}}},S,\mathsf {OP_{K}})\). Then (9)\(\Leftrightarrow \max _{\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})}\left \{\min \{|\mu ^{\prime }|-|\mu |\mid \mu \preceq \mu ^{\prime } \wedge \text {safe}(\mu ^{\prime },\mu )\}\right \}\leq T\).

A.3.2 Proposition 7 (p. 77)

Proof

We shall prove that: \(\forall \mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G}), \exists o\preceq \mu : \mu \Downarrow _{\mathcal {E}} o \Rightarrow \)

$$\begin{array}{r} \mu\notin \text{leak}(\mathcal{G},P_{{{{\Sigma}_{\mathrm{o}}}}},S,\mathsf{OP_{0}}) \Rightarrow o = \mu \hspace{2em} \hspace{1em} \text{(5)}\\ \mu\in\text{leak}(\mathcal{G},P_{{{{\Sigma}_{\mathrm{o}}}}},S,\mathsf{OP_{0}}) \Rightarrow o = \max\{\mu^{\prime}\in\mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})\mid \mu^{\prime}\preceq\mu \wedge \text{safe}_{\mathsf{OP_{0}}}(\mu,\mu^{\prime})\} \hspace{1em} \text{(6)} \end{array} $$

Let us consider \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\), the proof is conducted by induction on |μ|.

If \(|\mu |=1\), then \(\exists \sigma \in {\Sigma }_{\mathrm {o}}: \mu =\sigma \). The run of μ on \({\mathcal {E}}\) can be expressed as \(\text {run}(\mu ,{\mathcal {E}})= (q_{\text {init}}^{\mathcal {E}}, \sigma /\alpha , q_{1})\) with \(q_{1}\in Q^{\mathcal {E}}, {\Gamma }^{\mathcal {E}}(q_{1})= \alpha \). The R-Enforcer’s evolution of configurations is \((q_{\text {init}}^{\mathcal {E}}, \sigma , \epsilon _{\mathcal {M}}) \stackrel {o}{\hookrightarrow } (q_{1},\epsilon _{{\Sigma }_{\mathrm {o}}},m)\) with \(\alpha (\sigma ,\epsilon _{\mathcal {M}})= (o,m)\). Let us distinguish according to whether \(\sigma \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP_{0}})\) or not.

  • If \(\sigma \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\), then we use the correctness of R-Verifiers synthesized from K-delay trajectory estimators (Proposition 4). The state \(m_{1}\) corresponding to \(q_{1}\) in the corresponding K-delay trajectory estimator is s.t. \(m_{1}(0)\notin 2^{S}\). Then, using the definition of R-Enforcer synthesis from K-delay trajectory estimators, we have \(\alpha \in \{\text {dump},\text {off}\}\). Using the definition of enforcement operations, we have: \(\text {free}\circ \text {delay} (\epsilon _{\mathcal {M}}) = \epsilon _{\mathcal {M}}\), \(o=\sigma \cdot (\epsilon _{\mathcal {M}})_{\downarrow {\Sigma }_{\mathrm {o}}}=\sigma \), \(m=\epsilon _{\mathcal {M}}\). Thus, we find (5).

  • If \(\sigma \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\), then, similarly following from the correctness of R-Verifiers synthesized from K-delay trajectory estimators (Proposition 4), we have \(\alpha =\text {store}_{1}\). Similarly, we can find that \(o=\epsilon _{{\Sigma }_{\mathrm {o}}}\) and \(m=(\sigma ,1)\). Furthermore, as \(\text {safe}_{\mathsf {OP_{0}}}(\sigma ,\epsilon _{{\Sigma }_{\mathrm {o}}})\), we have (6).

Let us consider \(\mu \in {{{\Sigma }_{\mathrm {o}}^{*}}}\) with \(|\mu |=n\) such that (5) and (6) hold. Let us note \(\mu =\sigma _{0}\cdots \sigma _{n-1}\), and consider \(\mu \cdot \sigma \). The run of \(\mu \cdot \sigma \) on \({\mathcal {E}}\) can be expressed as

$$\text{run}(\mu\cdot \sigma, {\mathcal{E}})= ({q_{{\text{init}}}^{\mathcal{E}}}, \sigma_{0}/\alpha_{0},q_{1}){\cdots} (q_{n-1},\sigma_{n-1}/\alpha_{n-1},q_{n})\cdot (q_{n},\sigma/\alpha,q_{n+1}) $$

with \(\forall i\in [1,n+1]: q_{i}\in Q^{\mathcal {E}}, \alpha \in \{{\text {store}_1},\text {dump},\text {off}\}\), and \(\forall i\in [0,n-1]: \alpha _{i}\in \{\text {store}_{1},\text {dump},\text {off}\}\). Let us distinguish again according to whether \(\mu \cdot \sigma \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP_{0}})\) or not.

  • If \(\mu \cdot \sigma \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\), then following the reasoning for the induction basis, we know that \(\alpha \in \{\text {off},\text {dump}\}\). Using the induction hypothesis, there exists \(o\in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G})\) s.t. \(\mu \Downarrow _{\mathcal {E}} o\) and the constraints (5) and (6) hold.

    Now we distinguish two cases according to whether \(\mu \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\) or not.

    • If \(\mu \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\), from (5), we know that o=μ. Then, μ induces the following evolution of configurations for \({\mathcal {E}}\):

      $$({q_{{\text{init}}}^{\mathcal{E}}}, \sigma_{0}\cdots\sigma_{n-1}\cdot\sigma,\epsilon_{\mathcal{M}})\stackrel{o_{0}}{\hookrightarrow} (q_{1},\sigma_{1}{\cdots} \sigma_{n-1}\cdot\sigma,m_{1})\stackrel{o_{1}}{\hookrightarrow} {\cdots} \stackrel{o_{n-1}}{\hookrightarrow} (q_{{n}},\sigma,\epsilon_{\mathcal{M}}) $$

      with \(o_{0}\cdots o_{n-1}=o=\sigma _{0}\cdots \sigma _{n-1}\). Since \(\alpha \in \{\text {off},\text {dump}\}\), \(\alpha (\sigma ,\epsilon _{\mathcal {M}})= (\sigma ,\epsilon _{\mathcal {M}})\). Then, we deduce the following evolution of configurations:

      $$({q_{{\text{init}}}^{\mathcal{E}}}, \mu\cdot\sigma,\epsilon_{\mathcal{M}}) {\cdots} \stackrel{o_{n-1}}{\hookrightarrow} (q_{{n}},\sigma,\epsilon_{\mathcal{M}})\stackrel{\sigma}{\hookrightarrow} (q_{{n+1}},\epsilon_{{\Sigma}_{\mathrm{o}}},\epsilon_{\mathcal{M}}). $$

      Then, we deduce \(\mu \cdot \sigma \Downarrow _{\mathcal {E}} \mu \cdot \sigma \), which gives us (5).

    • Else (\(\mu \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\)), from (6), we know that \(o=\max \{\mu ^{\prime }\in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G})\mid \mu ^{\prime }\preceq \mu \wedge \text {safe}_{\mathsf {OP_{0}}}(\mu ,\mu ^{\prime })\}\), i.e., using the definition of \(\text {safe}_{\mathsf {OP_{0}}}\), \(o=\sigma _{0}\cdots \sigma _{n-2}\). Then, μ induces the following evolution of configurations for \({\mathcal {E}}\):

      $$({q_{{\text{init}}}^{\mathcal{E}}}, \mu\cdot\sigma,\epsilon_{\mathcal{M}})\stackrel{o_{0}}{\hookrightarrow} {\cdots} \stackrel{o_{n-1}}{\hookrightarrow} (q_{{n}},\sigma,(\sigma_{n-1},1)) $$

      with \(o_{0}\cdots o_{n-1}=o=\sigma _{0}\cdots \sigma _{n-2}\), and \(o_{n-1}=\epsilon _{{\Sigma }_{\mathrm {o}}}\). Since \(\alpha \in \{\text {off},\text {dump}\}\), \(\alpha (\sigma ,(\sigma _{n-1},1))= (\sigma _{n-1}\cdot \sigma ,\epsilon _{\mathcal {M}})\). Then, we deduce the following evolution of configurations:

      $$({q_{{\text{init}}}^{\mathcal{E}}}, \mu\cdot\sigma,\epsilon_{\mathcal{M}}) {\cdots} \stackrel{{o_{n-1}}}{\hookrightarrow} (q_{{n}},\sigma,(\sigma_{n-1},1))\stackrel{\sigma_{n-1}\cdot\sigma}{\hookrightarrow} (q_{{n+1}},\epsilon_{{\Sigma}_{\mathrm{o}}}, {\epsilon_{\mathcal{M}}}). $$

      Then, we deduce \(\mu \cdot \sigma \Downarrow _{\mathcal {E}} \mu \cdot \sigma \), i.e., (5).

  • Else (\(\mu \cdot \sigma \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\)), the same reasoning can be followed: we distinguish according to whether \(\mu \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP_{0}})\) or not, apply the induction hypothesis, and use the definition of enforcement operations.
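As an added illustration (not code from the paper) of the configuration evolution used in the proofs of Propositions 7 and 8: a Python simulation of an R-Enforcer for K = 0 on a constructed five-state LTS with secret state 2, where the hold value of the current state estimate selects store_1 or dump. The LTS, the secret, and the delay/free/store/dump semantics used here are assumptions inferred from the proof text, not the paper's own definitions.

```python
# Constructed example (not the paper's code): simulates the R-Enforcer
# configuration evolution from the proof of Proposition 7 (K = 0, i.e.
# current-state opacity) on a tiny LTS. The LTS, secret and the exact
# semantics of delay/free/store_d/dump are assumptions inferred from the
# proof text; the leak test is the "estimate m(0) inside S" check.
TRANS = {(0, 'a'): 1, (0, 'u'): 3, (1, 'b'): 2, (3, 'b'): 4,
         (2, 'c'): 0, (4, 'c'): 0}            # 'u' is unobservable
SECRET = {2}
K = 0

def uclose(states):
    """Close a state set under the unobservable event 'u'."""
    todo, seen = list(states), set(states)
    while todo:
        q = todo.pop()
        nxt = TRANS.get((q, 'u'))
        if nxt is not None and nxt not in seen:
            seen.add(nxt)
            todo.append(nxt)
    return seen

def estimate(trace):
    """Current-state estimate of the system after an observable trace."""
    cur = uclose({0})
    for sigma in trace:
        cur = uclose({TRANS[(q, sigma)] for q in cur if (q, sigma) in TRANS})
    return cur

def hold(trace):
    """hold_{OP_0}: K+1-k with k=0 when the estimate lies inside S, else 0."""
    return K + 1 if estimate(trace) <= SECRET else 0

def step(event, mem, d):
    """One step: age memory (delay), release expired events (free), then
    apply store_d (d > 0) or dump (d == 0). Returns (output, new memory)."""
    mem = [(e, c - 1) for e, c in mem]
    out = [e for e, c in mem if c <= 0]
    mem = [(e, c) for e, c in mem if c > 0]
    if d > 0:
        return out, mem + [(event, d)]
    return out + [e for e, _ in mem] + [event], []

def enforce(trace):
    """Returns the cumulative output produced after each input event."""
    mem, produced, outputs = [], [], []
    for i, sigma in enumerate(trace):
        out, mem = step(sigma, mem, hold(trace[:i + 1]))
        produced += out
        outputs.append(''.join(produced))
    return outputs
```

On the trace "abc" the estimate after "ab" is {2}, a subset of the secret, so 'b' is stored with delay 1 and released together with 'c' once the estimate leaves S, matching the delayed evolution in the proof.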

A.3.3 Proposition 8 (p. 78)

Proof

We shall prove that, for \(\mathsf {OP_{K}}\in \{\mathsf {O{P_{K}^{W}}},\mathsf {O{P_{K}^{S}}}\}\): \(\forall \mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G}), \exists o\preceq \mu : \mu \Downarrow _{\mathcal {E}} o \Rightarrow \) (5) ∧ (6), where:

$$\begin{array}{r} \mu\notin \text{leak}(\mathcal{G},P_{{{{\Sigma}_{\mathrm{o}}}}},S,\mathsf{OP_{K}}) \Rightarrow o = \mu \hspace{2em} \text{(5)}\\ \mu\in\text{leak}(\mathcal{G},P_{{{{\Sigma}_{\mathrm{o}}}}},S,\mathsf{OP_{K}}) \Rightarrow o = \max\{\mu^{\prime}\in\mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})\mid \mu^{\prime}\preceq\mu \wedge \text{safe}_{\mathsf{OP_{K}}}(\mu,\mu^{\prime})\}. \hspace{1em} \text{(6)} \end{array} $$

Let us consider \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\), the proof is conducted by induction on |μ|. Moreover, the proof is done for \(\mathsf {OP_{K}}\in \{\mathsf {O{P_{K}^{W}}},\mathsf {O{P_{K}^{S}}}\}\), a K-step based notion of opacity (independently from whether it is weak or strong), since we will use the function \(\text {hold}_{\mathsf {OP_{K}}}()\) for the state of the underlying trajectory estimator and the traces of the system.

If \(|\mu |=1\), then \(\exists \sigma \in {\Sigma }_{\mathrm {o}}: \mu =\sigma \). The run of μ on \({\mathcal {E}}\) can be expressed as \(\mathit {run}(\mu ,{\mathcal {E}})= (q_{\text {init}}^{\mathcal {E}}, \sigma /\alpha , q_{1})\) with \(q_{1}\in Q^{\mathcal {E}}, {\Gamma }^{\mathcal {E}}(q_{1})= \alpha \). The R-Enforcer’s evolution of configurations is \((q_{\text {init}}^{\mathcal {E}}, \sigma , \epsilon _{\mathcal {M}}) \stackrel {o}{\hookrightarrow } (q_{1},\epsilon _{{\Sigma }_{\mathrm {o}}},m)\) with \(\alpha (\sigma ,\epsilon _{\mathcal {M}})= (o,m)\). Let us distinguish two cases according to whether \(\sigma \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP_{K}})\) or not.

  • If \(\sigma \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{K}})\), then we use the correctness of R-Verifiers synthesized from K-delay trajectory estimators (Proposition 4). Using the definition and the properties of the function hold (Section 6.3, paragraph “When is the opacity of a secret enforceable on a system?”), the state \(m_{1}\) corresponding to \(q_{1}\) in the corresponding K-delay estimator is s.t. \(\text {hold}_{\mathsf {OP_{K}}}(\delta _{D}(m_{\text {init}}^{D},\sigma ))=\text {hold}_{\mathsf {OP_{K}}}(m_{1})= 0\). Then, using the definition of R-Enforcer synthesis, we have \(\alpha \in \{\text {dump},\text {off}\}\). Using the definition of enforcement operations, we have: \(\text {free}\circ \text {delay} (\epsilon _{\mathcal {M}}) = \epsilon _{\mathcal {M}}\), \(o= (\epsilon _{\mathcal {M}})_{\downarrow {\Sigma }_{\mathrm {o}}} \cdot \sigma =\sigma \), \(m=\epsilon _{\mathcal {M}}\). Thus, we find (5).

  • If \(\exists k\in [0,K]:\sigma \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{K}},k)\), then necessarily \(k\in \{0,1\}\). Similarly, following from the correctness of R-Verifiers synthesized from K-delay trajectory estimators (Propositions 4 and 5) and the definition of \(\text {hold}_{\mathsf {OP_{K}}}\), we have \(\text {hold}_{\mathsf {OP_{K}}}(\delta _{D}(m_{\text {init}}^{D},\sigma ))=\text {hold}_{\mathsf {OP_{K}}}(m_{1})=K+1-k\). From the definition of R-Enforcer synthesis, it follows that \(\alpha =\text {store}_{d}\) with \(d=K+1-k\). Similarly, we can find that \(o=\epsilon _{{\Sigma }_{\mathrm {o}}}\) and \(m=(\sigma ,d)\). Furthermore, as \(\text {safe}_{\mathsf {OP_{K}}}(\sigma ,\epsilon _{{\Sigma }_{\mathrm {o}}})\), we have (6).

The induction case is performed again by distinguishing according to the opacity leakage of μσ. Similarly to the induction basis, we use the links between \(\text {hold}_{\mathsf {OP_{K}}}\) applied to the states of the underlying trajectory estimator and the correctness of R-Verifiers. Then, one can easily show, using the definitions of enforcement operations, that the synthesized R-Enforcer is sound and transparent. Furthermore, one has to notice that, when an R-Enforcer produces a halt operation while reading a (partial) trace μ, no extension \(\mu ^{\prime }\) of μ s.t. \(|\mu ^{\prime }|-|\mu |\leq T\) can lead μ to be safely produced (i.e., \(\mu ^{\prime }\) s.t. \(\text {safe}_{\mathsf {OP_{K}}}(\mu ^{\prime },\mu )\)).


Falcone, Y., Marchand, H. Enforcement and validation (at runtime) of various notions of opacity. Discrete Event Dyn Syst 25, 531–570 (2015). https://doi.org/10.1007/s10626-014-0196-4


Keywords

  • Opacity
  • K-step opacity
  • Runtime verification
  • Runtime enforcement