
Security Analysis of IoT Systems Using Attack Trees

Conference paper. Graphical Models for Security (GraMSec 2019).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11720)

Abstract

Attack trees are graphical representations of the different scenarios that can lead to a security failure. In combination with model checking, attack trees are useful to quantitatively analyse the security of a system. Such analysis can help in the design phase of a system to decide how and where to modify the system in order to meet some security specifications.

In this paper we propose a security-based framework for modeling IoT systems where attack trees are defined alongside the model. A malicious entity uses the attack tree to exploit the vulnerabilities of the system. Successful attacks can be rare events in the system's execution, in which case they are hard to detect with usual model checking techniques. Hence, we use importance splitting as a statistical model checking technique for rare events. This technique requires a decomposition of an attack into sub-parts, similarly to an attack tree. We argue that importance splitting is therefore well suited to, and benefits from, our modeling framework. We implemented our approach in a tool-set and verified its effectiveness by running a set of experiments over a real-world example.


Notes

  1. N is equivalent to the extended 1-safe Petri-Net \((L,L_0,T,F)\) where \(F= \{(l,t)~|~l\in ~^{\bullet } t\} \cup \{(t,l)~|~l\in t^{\bullet }\}\) is the token flow relation and can be deduced from T.

  2. Note that the cardinality of \(\mathsf {Enabled}(m;X)\) can be greater than one.


Acknowledgements

We would like to thank Axel Legay for his helpful suggestions on importance splitting, and Jean Quilbeuf for his technical help in the tool implementation.

Author information

Correspondence to Ioana Cristescu.

Appendix

1.1 Counting Functions for the Operational Semantics of IoT

Definition 13

(Counting \(\tau \) transitions from a state). The functions \(\mathsf {count}_{\tau } :\text {State}\rightarrow \mathbb {N}\) and \(\mathsf {count\_proc}_{\tau } :\text {Proc}\rightarrow \mathbb {N}\) are defined as follows:

$$\begin{aligned} \mathsf {count}_{\tau } (s|t) =&\mathsf {count}_{\tau } (s) + \mathsf {count}_{\tau } (t)\\ \mathsf {count}_{\tau } (\langle P,k\rangle ) =&\mathsf {count\_proc}_{\tau } (P)\\ \mathsf {count\_proc}_{\tau } (0) =&0\\ \mathsf {count\_proc}_{\tau } (\alpha .P) =&1 \text { if } \alpha \ne \tau \\&0 \text { if } \alpha =\tau \\ \mathsf {count\_proc}_{\tau } (\sum \alpha _i.P_i) =&1 \\ \mathsf {count\_proc}_{\tau } (P~|~Q) =&\mathsf {count\_proc}_{\tau } (P) + \mathsf {count\_proc}_{\tau } (Q). \end{aligned}$$

For counting the number of interactions, we first have to rewrite a state into the canonical form \(s\equiv s_S ~|~ s_R ~|~ s_L ~|~ s_C\):

[Figure: canonical-form rewriting of a state; the displayed rewriting is not reproduced on this page]

where \(P_i^{\text {S}} \equiv a.P\) and the action a is a send; \(n_S\) is the number of processes of this form in s. The processes of the other kinds are defined similarly. Note that if a state cannot be rewritten in this form then the rule ParState_Interaction cannot be applied (any internal or sum transition has priority over the interactions). Moreover, entities can only communicate with other entities, that is, interactions are not defined internally to an entity. We therefore only need to count interactions between entities.

The function \(\mathsf {count}_{\text {SR,LC}}\) uses an auxiliary function \(\overline{\cdot }: \text {action} \rightarrow \text {action}\) which defines an action \(\overline{a}\) which can synchronise with a using the rules SendReceive or LeakCollect.

Definition 14

Let \(s\equiv s_S ~|~ s_R ~|~ s_L ~|~ s_C\) be a state in a canonical form. The function \(\mathsf {count}_{\text {SR,LC}} :\text {State}\rightarrow \mathbb {N}\) is defined on s as follows:

$$\begin{aligned} \mathsf {count}_{\text {SR,LC}}(s_S ~|~ s_R ~|~ s_L ~|~ s_C)&= \mathsf {count}_{\text {SR}}(s_S, s_R) + \mathsf {count}_{\text {LC}}(s_L ~|~ s_C)\\ \mathsf {count}_{\text {SR}}(\langle a.P, k\rangle ~|~ s, t)&= \mathsf {count}(a, t) + \mathsf {count}_{\text {SR}}(s, t)\\ \mathsf {count}_{\text {LC}}(\langle a.P, k\rangle ~|~ s, t)&= \mathsf {count}(a, t) + \mathsf {count}_{\text {LC}}(s, t)\\ \mathsf {count}(a, \langle b.P, k\rangle ~|~ t)&= 1 + \mathsf {count}(a, t)\text { if }a=\overline{b}\\&= \mathsf {count}(a, t)\text { otherwise }\\ \end{aligned}$$
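As an added example (not the paper's tool-set), the following Python encodes the canonical-form rewrite above and the counting function of Definition 14 for a small constructed state; the encoding of actions, processes and knowledge functions is an assumption modelled on the appendix's notation.

```python
"""Enabled-interaction counting from Definition 14 and the canonical-form rewrite
before it. Added example, not the paper's tool-set: this Python encoding of
actions, processes and knowledge functions is an assumption modelled on the appendix."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

@dataclass(frozen=True)
class Send:      # owner sends value over protocol proto to peer
    owner: str; peer: str; proto: str; value: str

@dataclass(frozen=True)
class Recv:      # owner receives over proto from peer
    owner: str; peer: str; proto: str

@dataclass(frozen=True)
class Leak:      # owner leaks value; peer (the malicious entity) may observe it
    owner: str; peer: str; value: str

@dataclass(frozen=True)
class Collect:   # owner collects what peer leaked
    owner: str; peer: str

TAU = "tau"
Action = Union[Send, Recv, Leak, Collect, str]

@dataclass(frozen=True)
class Nil:       # 0
    pass

@dataclass(frozen=True)
class Prefix:    # alpha.P
    act: Action; cont: "Proc"

@dataclass(frozen=True)
class Sum:       # sum_i [n_i] alpha_i.P_i
    branches: Tuple[Tuple[float, Prefix], ...]

@dataclass(frozen=True)
class Par:       # P | Q
    left: "Proc"; right: "Proc"

Proc = Union[Nil, Prefix, Sum, Par]
Knowledge = Dict[str, Set[str]]        # k : protocol -> values known to the entity
State = List[Tuple[Proc, Knowledge]]   # <P1,k1> | ... | <Pn,kn>

def threads(p: Proc) -> List[Proc]:
    """Split P into its parallel threads; 0 disappears by the monoid laws on |."""
    if isinstance(p, Nil):
        return []
    if isinstance(p, Par):
        return threads(p.left) + threads(p.right)
    return [p]

def canonical_form(s: State) -> Optional[Dict[str, List[Tuple[Prefix, Knowledge]]]]:
    """Rewrite s as s_S | s_R | s_L | s_C. Returns None when some thread is a
    tau-prefix or a summation: those have priority, so ParState_Interaction
    does not apply and no interaction may fire."""
    kind = {Send: "S", Recv: "R", Leak: "L", Collect: "C"}
    groups: Dict[str, List[Tuple[Prefix, Knowledge]]] = {"S": [], "R": [], "L": [], "C": []}
    for proc, k in s:
        for t in threads(proc):
            if not isinstance(t, Prefix) or type(t.act) not in kind:
                return None
            groups[kind[type(t.act)]].append((t, k))
    return groups

def complement(a: Action, b: Action) -> bool:
    """b == bar(a): send/receive on one protocol between the same two entities
    (rule SendReceive) or a matching leak/collect pair (rule LeakCollect)."""
    if isinstance(a, Send) and isinstance(b, Recv):
        return (a.owner, a.peer, a.proto) == (b.peer, b.owner, b.proto)
    if isinstance(a, Leak) and isinstance(b, Collect):
        return (a.owner, a.peer) == (b.peer, b.owner)
    return False

def count_sr_lc(s: State) -> int:
    """count_{SR,LC}(s) = count_SR(s_S, s_R) + count_LC(s_L, s_C); each of the
    m counted interactions is then taken with probability 1/m."""
    g = canonical_form(s)
    if g is None:
        return 0
    pairs = [(g["S"], g["R"]), (g["L"], g["C"])]
    return sum(complement(a.act, b.act) for xs, ys in pairs for a, _ in xs for b, _ in ys)

def example_state(with_choice: bool = False) -> State:
    """Constructed sample: a sensor sends a reading to a gateway over protocol 'c'
    and leaks it to an attacker. With with_choice=True the gateway still has a
    probabilistic choice pending, which takes priority over any interaction."""
    sensor = Par(Prefix(Send("sensor", "gateway", "c", "reading"), Nil()),
                 Prefix(Leak("sensor", "attacker", "reading"), Nil()))
    gw_recv = Prefix(Recv("gateway", "sensor", "c"), Nil())
    gateway = Sum(((0.5, gw_recv), (0.5, Prefix(TAU, Nil())))) if with_choice else gw_recv
    attacker = Prefix(Collect("attacker", "sensor"), Nil())
    return [(sensor, {"c": {"k"}}), (gateway, {"c": {"k"}}), (attacker, {"c": set()})]
```

With the sample state, `count_sr_lc(example_state())` is 2 (one send/receive pair and one leak/collect pair), and it drops to 0 once the gateway has a pending summation, because the state then has no canonical form.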

1.2 Proof of Theorem 1

Lemma 1

Any two congruent IoT states have the same transformation in \(\mathcal {S}\)BIP systems.

Proof

We proceed by cases on the congruence relation. First consider the congruence relation on states: For the monoid laws on |, note that the transformation results in a set of atomic components and therefore the order of states in the parallel composition does not matter. In the case where processes are congruent, we distinguish two subcases: (i) Threads in a parallel composition translate into tuples of states in the transformation of a process (Definition 9) where the order of the states does not matter; (ii) For the rest we use the fact that inside an atomic component the states that have congruent labels are identified.

Proof

(Theorem 1). Let \(e_1,\cdots ,e_n\) be the n entities of an IoT system \((S,L,T,s_0)\) with initial states \(\langle P_1,k_1\rangle , \cdots ,\langle P_n,k_n\rangle \). For \(i\le n\), let \(\mathcal {B}_{e_i} = (P_i,V_i, N_i)\) with \(N_i = (L_i, L_{i,0}, T_i, F_i)\) be the transformation of the current state of the entity \(e_i\), and let \(V_i = V^p_i \cup V^d_i\). We write \((P,Q,\pi , q_0)\) for the semantics of \(\langle \ll \rangle \varGamma (\mathcal {B}_{e_1},\cdots ,\mathcal {B}_{e_n})= (\varGamma ,\mathbf {V},\mathbf {N})\) with \(\mathbf {N} = \mathbf {(L, L_0, T, F)}\). Lastly, \(\mathbf {X_{init}}\) is the initial valuation.

To construct the relation \(\mathcal {R}\subseteq S\times Q\) required by the theorem, we first set some notations and constraints below. Informally, these constraints establish the relation between the processes and knowledge functions in states of S and the markings and the valuations, respectively, in states of Q.

  1. Correspondence between Processes and Markings. For a thread T let us write \(m_T\) for the marking associated with T and defined as follows:

    $$\begin{aligned} m_T(l) =&1 \text { if } \ell (l)= T\text { or }\ell (l) = U^\star , U= [n]T + T',&\text { for some threads }T', U\\&0 \text { otherwise}&\end{aligned}$$

    where (P, V, N) and \(N=(\mathcal {L},\mathcal {L}_0, \mathcal {T}, \mathcal {F})\) is obtained as in Definition 8 and where \(l\in \mathcal {L}\). For a process \(P = T_1 ~|~ \cdots ~|~ T_m\), let us write \(m_P\) for the marking associated with P and defined as \(m_{T_1}+\cdots + m_{T_m}\).

  2. Correspondence between Knowledge and the Deterministic Variables. From Definition 8 it follows that for each thread \(T_j\) in a process \(P_i\) we define the set \(V_i^d = \{v_c ~|~ c\) is a protocol used in \(T_j\}\). From Definition 9 the set of variables of \(P_i = T_1 ~|~\cdots ~|~ T_m\) is then \(\cup _{j\le m} V_j = \{v_c ~|~ c\) is a protocol used in \(P_i\}\).

    Then, if \(\mathbf {X_i}\) is the current valuation of entity \(e_i\), we require that \(\mathbf {X_i}(v_c) = k_i(c)\), for \(i\le n\), \(c\in C\) and \(v_c\in V^d_i\). Recall that we write C for the set of protocols used in the IoT system and \(k_i\) for the knowledge function of an entity \(e_i\).

  3. Correspondence between Probabilistic Choices in Processes and the Random Variables. For every summation thread U in a process \(P_i\), there exists a random variable \(v_{U}\in V^p_i\), by Definition 8. Moreover, if a thread T of \(P_i\) belongs to a summation, i.e. \(U = [n]T + T'\) for some threads \(T', U\), then for the current valuation \(\mathbf {X_i}\) we have that \(\mathbf {X_i}(v_U) = T\). For a process \(P = T_1 ~|~ \cdots ~|~ T_m\) we use Definition 9 and have that \(V^p\) is the disjoint union of all \(V^p_j\), where \(V^p_j\) is the set of random variables for \(T_j\), \(j\le m\).

We define the following relation between the states of S and the states of Q:

We show that \(\mathcal {R}\) is the relation required in Theorem 1. First we have to show that \((s_0,q_0)\in \mathcal {R}\).

We use Definition 8 from which we have that \(\mathcal {L}_0 = \{l_T\}\) is the initial place in the transformation of a thread T. Then, by Definition 9, \(L_0 = \uplus _{j\le m} \mathcal {L}_0^j = \uplus _{j\le m} \{l_{T_j}\}\) is the initial set of places in the transformation of a process \(P = T_1 ~|~\cdots ~|~ T_m\). From Definition 7 it follows that \(\mathbf {L}_0 = \uplus _{i\le n} L_{0,i}\). By Definition 5 the initial marking in \(q_0 = (m_0,\mathbf {X_{init}})\) is defined as \(m_0(l) = 1 \iff l\in \mathbf {L}_0\) and 0 otherwise. Hence we can write \(m_0 = m_{P_1} + \cdots + m_{P_n}\). This shows condition 1 of \(\mathcal {R}\).

From Definition 9 we have that for each entity \(e_i\), \(\mathbf {X_{init}}(v_c) = k_i(c)\), for all protocols c used by \(e_i\). From Definition 7 the set of variables of the composed \(\mathcal {B}_{e_i}\) components is the disjoint union of the \(V_i\), i.e. \(\mathbf {V} = \uplus _{i\le n} V_i\), in particular \(\mathbf {V}^d = \uplus _{i\le n} V^d_i\). Then a valuation for \(\mathbf {V}\) is the disjoint composition of the individual valuations for \(V_i\), from which the required decomposition of \(\mathbf {X_{init}}\) in \(q_0 = (m_0,\mathbf {X_{init}})\) follows. Therefore condition 2 of \(\mathcal {R}\) holds. For condition 3 it suffices to note that no probabilistic choice has been made yet in any process, so there is no correspondence to show: we can take any initial valuation for the random variables.

Let us now suppose that \((s,q)\in \mathcal {R}\) and that \(s\overset{[n]}{\underset{l}{\longrightarrow }} s'\), for some label \(l\in L\) and some probability n. We have to show that there exists \(q'\in Q\) and \(q\xrightarrow []{p} q'\in \pi \) with \(\mathbb {P}(q\xrightarrow []{p} q') = n\) such that \((s',q')\in \mathcal {R}\). We reason by cases on the label l of the transition \(s\overset{[n]}{\underset{l}{\longrightarrow }} s'\).

  • Let \(l = SR:v\) or \(l = LC:v\); then let \(e_1\) and \(e_2\) be the two communicating entities. Using Lemma 1 we can rewrite the transition as follows:

    $$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\langle P_3,k_3\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[1/m]}{\underset{l}{\longrightarrow }} \\ s'=\langle Q_1,k'_1\rangle ~|~\langle Q_2,k'_2\rangle ~|~\langle P_3,k_3\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \end{aligned}$$

    where we can decompose \(P_1 \equiv _P a_1.T_1~|~ P_1'\) and \(P_2 \equiv _P a_2.T_2~|~ P_2'\), \(Q_1 \equiv _P T_1~|~P_1'\) and \(Q_2 \equiv _P T_2~|~P_2'\), again by Lemma 1 and from the rules of Fig. 2. Here we suppose w.l.o.g. that \(a_1\) and \(a_2\) are the two synchronizing actions in \(P_1\) and \(P_2\), respectively. Also suppose w.l.o.g. that \(a_1\) is a send (or a leak) and that \(a_2\) is a receive (or a collect). Let c be the protocol used for the communication in case \(l = SR:v\).

    From \((s,q)\in \mathcal {R}\) we have that \(q = (m_{P_1}+\cdots m_{P_n}, \mathbf {X_1}\sqcup \cdots \sqcup \mathbf {X_n})\) and that \(m_{P_i} = m_{a_i.T_i} + m_{P_i'}\), for \(i\le 2\). Also from condition 1 of \(\mathcal {R}\), \(m_{a_i.T_i} = \{l_i\}\) with either \(\ell (l_i) = a_i.T_i\), or \(\ell (l_i) = U_i^\star \), for some summation threads \(U_1, U_2\).

    • If \(\ell (l_1) = a_1.T_1\) then we use the transformation of Definition 8 to show that there exists the place \(l_1'\in L_1\), with \(\ell (l_1') = T_1\), and the transition \(t_1 = (\{l_{a_1.T_1}\}, \langle a_1,g_1 = true , f_1 \rangle , \{l_{T_1}\})\) in \(\mathcal {B}_1\).

      • If \(\ell (l_2) = a_2.T_2\) then, as above, there exists \(l_2'\in L_2\), with \(\ell (l_2') = T_2\), and the transition \(t_2 = (\{l_{a_2.T_2}\}, \langle a_2,g_2 = true , f_2 \rangle , \{l_{T_2}\})\) in \(\mathcal {B}_2\).

      • If \(\ell (l_2) = U_2^\star \), with \(U_2 = [n_2] a_2.T_2 + U_2'\), for some threads \(U_2, U_2'\), then as in the case above, from Definition 8 there exists the place \(l_2'\in L_2\) with \(\ell (l_2') = T_2\). We also have, from condition 3 of \(\mathcal {R}\), that there exists a random variable \(v_{U_2}\in V_2^p\) with \(\mathbf {X}(v_{U_2}) = a_2.T_2\). Moreover we have the transition \(t_2 = (\{l_{U_2^\star }\}, \langle a_2, g_2 = (v_{U_2} == a_2.T_2), f_2\rangle , \{l_{T_2}\})\) in \(\mathcal {B}_2\).

    • The other case, \(\ell (l_1) = U_1^\star \), is similar.

    Note that in all cases above, \(f_i= \{v := v~|~ v\in V^d\}\) with \(R_i^p = \emptyset \), \(i\le n\).

    Using Definition 10 we have that there exists an interaction \(\gamma = (\{a_1,a_2\}, G, F)\) such that

    • If \(l = SR:v\) then \(G = (\exists x\in v^1_c\) such that \(x\in v^2_c)\) for \(v^1_c\in V_1\) and \(v^2_c\in V_2\).

    • If \(l = LC:v\) then \(G= true \).

    Also, \(F =\{ v^2_{c'} := v^2_{c'}\cup \{v'\}~|~ \mathsf {protocol}(v') = c', v^2_{c'}\in V_2\}\) for both \(l = SR:v\) and \(l=LC:v\).

    We now use Definition 7 and have that there exists the transition

    $$\begin{aligned} \underline{T} = (\{l_1,l_2\}, \langle \gamma ,g_1 \wedge g_2 \wedge G,(f_1\sqcup f_2)\circ F\rangle , \{l_1',l_2'\})\in \mathbf {T}. \end{aligned}$$

    We have to show that the guard \(g=g_1 \wedge g_2 \wedge G\) holds for the current valuation \(\mathbf {X}\):

    • If \(g_1 = (v_{U_1} == a_1.T_1)\) then \(\mathbf {X}(g_1)\) holds from condition 3 of \(\mathcal {R}\); otherwise \(g_1 = true \). We proceed similarly for \(g_2\).

    • If \(l=SR:v\) then \(G = (\exists x\in v^1_c\) such that \(x\in v^2_c)\) for \(v^1_c\in V_1\) and \(v^2_c\in V_2\). From condition 2 of \(\mathcal {R}\) we have that \(\mathbf {X}(v^i_c) = k_i(c)\), \(i\le n\). Then the guard holds as it is the condition of rule SendReceive in Fig. 2. If \(l=LC:v\) then \(G = true \).

    The transitions above are allowed to proceed by the priority order \(\ll \) (see text after Definition 7) only if there is no internal transition available. This is the case as ensured by the rule ParState_Interaction in Fig. 2.

    Therefore, by Definition 5, there exists the transition

    $$\begin{aligned} q = (m_{P_1} + m_{P_2} +\cdots m_{P_n}, \mathbf {X_1}\sqcup \cdots \sqcup \mathbf {X_n}) \xrightarrow []{\gamma } q'=(m',\mathbf {X}') \end{aligned}$$

    where we have to show that conditions 1-3 of \(\mathcal {R}\) hold. For condition 1 we have to show that \(m' = m_{Q_1}+ m_{Q_2} + \cdots m_{P_n}\). Using Definition 5 it follows that

    $$\begin{aligned} m' = m - ^{\bullet } \underline{T} + \underline{T}^{\bullet } = m - \{l_1,l_2\} + \{l_1',l_2'\}. \end{aligned}$$

    As \(\mathbf {L}_0 = \uplus _{i\le n} L_{0,i}\), from Definition 7, it follows that

    $$\begin{aligned} m' = (m_{P_1} - \{l_1\} + \{l_1'\}) + (m_{P_2} - \{l_2\} + \{l_2'\}) + \cdots + m_{P_n}. \end{aligned}$$

    Using condition 1 of \(\mathcal {R}\) on \(m_{P_1}\) and \(m_{P_2}\) we have that \(m_{P_1}- \{l_1\} + \{l_1'\} = m_{Q_1}\) and similarly for \(m_{Q_2}\).

    Let us now show condition 2, i.e. \(\mathbf {X}' = \mathbf {X_1'}\sqcup \mathbf {X_2'}\sqcup \cdots \sqcup \mathbf {X_n}\) and \(\mathbf {X_i'}(v_{c'}) = k_i'(c')\), \(i\le 2\). Using the function F above we have that \(\mathbf {X_i'}(v_{c'}) = \mathbf {X_i}(v_{c'})\cup \{v\}\). From rules SendReceive and LeakCollect we also get that \(k_i'(c') = k_i(c)\cup \{v\}\), \(i\le 2\).

    As \(R_1^p = R_2^p = \emptyset \) condition 3 is trivial.

    Lastly, the two transitions have the same probability: \(|\mathsf {Enabled}(m;\mathbf {X})| = m\) by Lemma 1, and therefore \(\mathbb {P}\big (q\overset{p}{\longrightarrow }q'\big ) = 1/m\).

  • Let \(l =\tau \); let \(e_1\) be the entity that triggers the internal transition. Using Lemma 1 we can rewrite the states in the transition as follows:

    $$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\langle P_3,k_3\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[n]}{\underset{l}{\longrightarrow }} \\ s'=\langle Q_1,k'_1\rangle ~|~\langle P_2,k_2\rangle ~|~\langle P_3,k_3\rangle ~|~\dots ~|~\langle P_n,k_n\rangle . \end{aligned}$$

    There are two possibilities: either \(P_1 \equiv _P \sum _{i\in I_1} a_i.T_i~|~ P_1'\) where \(Q_1 = a_1.T_1\) w.l.o.g., or \(P_1 \equiv _P \tau .T_1~|~P_1'\) with \(Q_1 = T_1\). We write \(U = \sum _{i\in I_1} a_i.T_i\) or \(U = \tau .T_1\) depending on which of the two cases we are in.

    From \((s,q)\in \mathcal {R}\) we have that \(q = (m_{P_1}+\cdots m_{P_n}, \mathbf {X_1}\sqcup \cdots \sqcup \mathbf {X_n})\) and that \(m_{P_1} = \{l\} + m_{P_1'}\), \(\ell (l) = U\). We use the transformation of Definition 8 to show that there exists the place \(l'\in L_1\) and the transition \(t = (\{l\}, \langle \tau ,g= true , f \rangle , \{l'\})\) in \(\mathcal {B}_1\).

    • If \(U = \sum _{i\in I_1} a_i.T_i\) then \(\ell (l') = U^{\star }\), \(f= \{v := v~|~ v\in V_1^d\}\) and \(R^p = \{v_U\}\).

    • If \(U = \tau .T_1\) then \(\ell (l') =T_1\), \(f= \{v := v~|~ v\in V_1^d\}\) and \(R^p = \emptyset \).

    Using Definition 10 we have that there exists an interaction \(\gamma = (\{\tau \}, G= true , F)\) with \(F= \{v := v~|~ v\in V_1^d\}\).

    From Definition 7 there exists the transition

    $$\begin{aligned} \underline{T} = (\{l\}, \langle \gamma ,g_1 \wedge G = true ,f\circ F\rangle , \{l'\})\in \mathbf {T}. \end{aligned}$$

    The guard trivially holds and we obtain the transition

    $$\begin{aligned} q = (m_{P_1} + \cdots + m_{P_n}, \mathbf {X_1}\sqcup \cdots \sqcup \mathbf {X_n}) \xrightarrow []{\gamma } q'=(m',\mathbf {X}') \end{aligned}$$

    where we have to show that conditions 1-3 of \(\mathcal {R}\) hold. As in the first case, condition 1 follows from \(m' = m - \{l\} + \{l'\} = m_{Q_1} + \cdots m_{P_n}\). Condition 2 trivially holds as the update functions f and F are the identity and therefore \(\mathbf {X_1}' = \mathbf {X_1}\). Indeed the knowledge function \(k_1\) is not modified by the rules Choice or Internal.

    To show condition 3 we use Definition 8, from which we have that there exists \(v_U\in V_1^p\), \(v_U\sim \mu \), where \(\mu (a_1.T_1) = n_1\). Then we can take \(\mathbf {X'}(v_U) = a_1.T_1\). We also use this argument to show that the two transitions have the same probabilities: by Lemma 1, \(|\mathsf {Enabled}(m;\mathbf {X})| = m\) and therefore \(\mathbb {P}\big (q\overset{p}{\longrightarrow }q'\big ) = 1/m \times n_1\).

Hereafter we prove the similarity of the IoT system to its corresponding \(\mathcal {S}\)BIP model. Let us suppose that \((q,s)\in \mathcal {R}\) and that \(q\overset{\gamma }{\underset{}{\longrightarrow }} q'\), for a transition labelled with \(\gamma \), where \(q,q'\in Q\). We have to show that there is a state \(s'\in S\) with \(s\overset{[n]}{\underset{l}{\longrightarrow }} s'\), for some label \(l\in L\), such that \((s',q')\in \mathcal {R}\). We define \(s = \langle P_1,k_1\rangle ~|~ \langle P_2,k_2\rangle ~|~ \cdots ~|~\langle P_n,k_n\rangle \). Here we also reason by cases: whether the transition is an interaction between two components \(\mathcal {B}_{e_1}\) and \(\mathcal {B}_{e_2}\) or an internal transition.

  • We consider the case where the transition is an interaction \(\gamma =(\{a_1,a_2\}, G, F)\) between \(\mathcal {B}_{e_1}\) and \(\mathcal {B}_{e_2}\):

    $$\begin{aligned} q= (m_{P_1} + m_{P_2} + \cdots m_{P_n},\mathbf {X_1}\sqcup \mathbf {X_2}\sqcup \cdots \sqcup \mathbf {X_n}) \overset{\gamma }{\underset{}{\longrightarrow }} q'= (m', \mathbf {X'}) \end{aligned}$$

    As it is an interaction between two entities, from Definition 7 there exist transitions \(t_i = (m_i, \langle p_i,g_i,f_i\rangle ,m_i') \in T_i\), for \(i\in \{1,2\}\). From Definition 10, \(m_i= m_{P_i}\), \(p_i = a_i\), \(g_i= true \) and the \(f_i\) are the constant update functions. From \((q,s)\in \mathcal {R}\) we have that \(m_{P_1}=m_{a_1.T_1}+m_{P'_1}\), \(m_{P_2}=m_{a_2.T_2}+m_{P'_2}\) with \(P_1= a_1.T_1 ~|~ P'_1\) and \(P_2= a_2.T_2 ~|~ P'_2\). Moreover, from Definition 5 there exists the transition

    $$\begin{aligned} \underline{T} = (m_{P_1} + m_{P_2}, \langle \{a_1,a_2\},g_1 \wedge g_2 \wedge G,(f_1\sqcup f_2)\circ F\rangle , m_{Q_1} + m_{Q_2})\in \mathbf {T} \end{aligned}$$

    with \(m_{Q_1}=m_{T_1}+m_{P'_1}\), \(m_{Q_2}=m_{T_2}+m_{P'_2}\).

    We distinguish between the two types of interactions:

    • \(a_1 = e_1\xrightarrow [\text {v'}]{\text {c}}e_2\) and there exists \(a_2\in \mathsf {Actions}\) such that \(a_2 = e_2\xleftarrow {\text {c}}e_1\),

    • or \(a_1\) is a leak and there exists \(a_2\in \mathsf {Actions}\) such that \(a_2 = e_2\twoheadleftarrow e_1\).

    Following Definition 10 we have the following guards:

    • if \(G = (\exists x\in v^1_c\) such that \(x\in v^2_c)\) for \(v^1_c\in V_1\) and \(v^2_c\in V_2\) then \(l= SR\)

    • if \(G = true \) then \(l= LC\)

    We can then apply the rules SendReceive or LeakCollect from Fig. 2. Hence an interaction between \(e_1\) and \(e_2\) exists, for which we have to show that conditions 1–3 of \(\mathcal {R}\) hold:

    $$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[n]}{\underset{l}{\longrightarrow }} \\ s'=\langle Q_1,k'_1\rangle ~|~\langle Q_2,k'_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle . \end{aligned}$$

    From above, it follows that \(m'=m_{Q_1} + m_{Q_2} + \cdots m_{P_n}\), which is the first condition of \(\mathcal {R}\).

    In the interaction \(\gamma \), we apply the update function \(F =\{ v^2_{c'} := v^2_{c'}\cup \{v'\}~|~ \mathsf {protocol}(v') = c', v^2_{c'}\in V_2\}\) for both \(l = SR:v\) and \(l=LC:v\), so that \(\mathbf {X'_i}(v_{c'}) = \mathbf {X_i}(v_{c})\cup \{v\}\). Therefore we can write \(\mathbf {X'} = \mathbf {X_1'}\sqcup \mathbf {X_2'}\cdots \mathbf {X_n}\). For the transition \(s\overset{[n]}{\underset{l}{\longrightarrow }} s'\), we apply rules SendReceive or LeakCollect from Fig. 2, where \(k_i'(c') = k_i(c)\cup \{v\}\). Hence condition 2 holds, i.e. \(\mathbf {X'_i}(v_{c'})=k_i'(c')\). With the execution of the interaction \(\gamma \) the probabilistic distributions are \(R_1^p = R_2^p = \emptyset \), and the rules SendReceive and LeakCollect from Fig. 2 likewise make no probabilistic choice, so condition 3 holds trivially. The two transitions have the same probability: \(|\mathsf {Enabled}(m;\mathbf {X})| = m\) by Lemma 1, and therefore \(\mathbb {P}\big (q\overset{p}{\longrightarrow }q'\big ) = 1/m\).

  • We consider the transition to be an internal transition \(\tau \) in component \(\mathcal {B}_{e_1}\). From Lemma 1 we can write the transition:

    $$\begin{aligned} q= (m_{P_1} + m_{P_2} + \cdots m_{P_n},\mathbf {X_1}\sqcup \mathbf {X_2}\sqcup \cdots \sqcup \mathbf {X_n}) \overset{\gamma }{\underset{}{\longrightarrow }} q'= (m', \mathbf {X'}) \end{aligned}$$

    where \(s = \langle P_1,k_1\rangle ~|~ \langle P_2,k_2\rangle ~|~ \cdots ~|~\langle P_n,k_n\rangle \) from \((q,s)\in \mathcal {R}\). We distinguish two cases of transition execution:

    • A probabilistic choice: \(m_{P_1}=\{l\} + m_{P'_1}\) where \(\ell (l)=\sum _{i\in I}[n_i] a_i.T_i\) and \(P_1=\sum _{i\in I} a_i.T_i|P'_1\). From the transformation of Definition 8, the transition

      $$\begin{aligned} t=(\{l_{T}\},\langle \tau ,\text {true},f^{\star }\rangle ,\{l_{T^{\star }}\})\in T_1 \end{aligned}$$

      can be executed, where \(f^{\star }= (\{v := v~|~ v\in V^d\}\) and \(R^p = \{v_T\})\). From the rules of Fig. 2, there exists a Choice transition in the IoT system such that

      $$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[n_1]}{\underset{l}{\longrightarrow }}\\ s'=\langle Q_1,k'_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \end{aligned}$$

      where \(Q_1=a_1.T_1\). We now verify that conditions 1–3 of \(\mathcal {R}\) hold. We have that \(m_{Q_1} = \{ \ell \}^{\star }\) and \(m' = m_{Q_1} + m_{P_2} + \cdots m_{P_n}\). As the update function f is the identity function, condition 2 trivially holds and the knowledge \(k'_1=k_1\). To show condition 3, we note that there exists \(v_{T_1}\in V_1^p\), \(v_{T_1}\sim \mu \), such that \(\mathbf {X'}(v_{T_1}) = a_1.T_1\), where by Definition 8 \(\mu (a_1.T_1) = n_1\).

    • An internal transition: \(m_{P_1}=m_{\tau .T_1} + m_{P'_1}\) and \(P_1=\tau .T_1|P'_1\). From the transformation of Definition 8, the transition \(\underline{T}=(\{l_{a.T}\},\langle a,\text {true},f \rangle ,\{l_{T}\})\) can be executed, where \(f= (\{v := v~|~ v\in V^d\}\) and \(R^p = \emptyset )\). From the rules of Fig. 2, there exists an Internal transition in the IoT system such that

      $$\begin{aligned} s=\langle P_1,k_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \overset{[n]}{\underset{l}{\longrightarrow }}\\ s'=\langle Q_1,k'_1\rangle ~|~\langle P_2,k_2\rangle ~|~\dots ~|~\langle P_n,k_n\rangle \end{aligned}$$

      where \(Q_1 = T_1|P'_1\). We now verify that conditions 1–3 of \(\mathcal {R}\) hold. We have that \(m_{Q_1} = m_{T_1} + m_{P'_1}\) and \(m' = m_{Q_1} + m_{P_2} + \cdots m_{P_n}\). As the update function f is the identity function, condition 2 trivially holds and the knowledge \(k'_1=k_1\). Then \(\mathbf {X'} = \mathbf {X'_1}\sqcup \mathbf {X_2}\sqcup \cdots \sqcup \mathbf {X_n}\). Likewise, since \(R^p = \emptyset \), condition 3 trivially holds.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Beaulaton, D., Said, N.B., Cristescu, I., Sadou, S. (2019). Security Analysis of IoT Systems Using Attack Trees. In: Albanese, M., Horne, R., Probst, C. (eds) Graphical Models for Security. GraMSec 2019. Lecture Notes in Computer Science, vol 11720. Springer, Cham. https://doi.org/10.1007/978-3-030-36537-0_5

  • DOI: https://doi.org/10.1007/978-3-030-36537-0_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-36536-3

  • Online ISBN: 978-3-030-36537-0
