Secure information release in timed automata

Abstract. One of the key demands of cyber-physical systems is that they meet their safety goals. Timed automata have established themselves as a formalism for modeling and analyzing the real-time safety aspects of cyber-physical systems. Increasingly it is also demanded that cyber-physical systems meet a number of security goals for confidentiality and integrity. Notions of security based on Information Flow Control, such as non-interference, provide strong guarantees that no information is leaked; however, many cyber-physical systems intentionally leak some information in order to achieve their purposes. In this paper, we develop a formal approach to information flow for timed automata that allows intentional information leaks. The security of a timed automaton is then defined using a bisimulation relation that takes account of the non-determinism and the clocks of timed automata. Finally, we define an algorithm that traverses a timed automaton and imposes information flow constraints on it, and we prove that our algorithm is sound with respect to our security notion.


Introduction
Motivation. Embedded systems are key components of cyber-physical systems and are often subject to stringent safety goals. Among the current approaches to the modeling and analysis of timed systems, the approach of timed automata [5] stands out as a very successful one with well-developed tool support, in particular the UPPAAL suite [28] of tools. As cyber-physical systems become increasingly distributed and interconnected through wireless communication links, it becomes even more important to ensure that they meet suitable security goals.
In this paper, we are motivated by an example of a smart power grid system. In its very basic form, a smart grid system consists of a meter that measures the electricity consumption in a customer's (C) house and then sends this data to the utility company (UC). The detailed measurements of the meter provide more accurate billing for UC, while C receives energy management plans that optimize his energy consumption. Although this setting seems to be beneficial for both UC and C, it has been shown that high-frequency monitoring of the power flow poses a major threat to the privacy of C [14,23,27]. To deal with this problem many smart grid systems introduce a trusted third party (TTP), on which both UC and C agree [27]. The data of the meter is now collected by the TTP, and at the end of each month the TTP charges C according to the tariff prices defined by UC. In this protocol, UC trusts the TTP for the accurate billing of C, while C trusts the TTP with his sensitive data. However, in some cases C may desire an energy management plan from UC, and consequently he makes a clear statement to the TTP that allows the latter to release the private data of C to UC. Therefore, it is challenging to formally prove that our trusted smart grid system leaks information only under C's decision.
Information Flow Control [10,26,29] is a key approach to ensuring that software systems maintain the confidentiality and/or integrity of their data. Policies for secure information flow are usually formalized as non-interference [29] properties, and systems that adhere to the stated policy are guaranteed to admit no flow of information that violates it. However, in many applications information is leaked intentionally, as in our smart grid example. To deal with such systems, information flow control approaches are usually extended with mechanisms that permit controlled information leakage. The major difficulty imposed by this extension is to formalize notions of security that are able to differ between the intentional and the unintentional information leakages in a system.

Contribution.
It is therefore natural to extend the enforcement of safety properties of timed automata with the enforcement of appropriate Information Flow policies.It is immediate that the treatment of clocks, the non-determinism, and the unstructured control flow inherent in automata will pose a challenge.More fundamentally there is the challenge that timed automata is an automata-based formalism whereas most approaches to Information Flow take a language-based approach by developing type systems for programming languages with structured control flow or process calculi.
We start by giving the semantics of timed automata (Sect. 2) based on the ones used in UPPAAL [28]. Next, we formalize the security of a timed automaton using a bisimulation relation (Sect. 3). This notion describes the observations of a passive attacker and formally describes where an observation is allowed to leak information and where it is not. To deal with implicit flows we define a general notion of the post-dominator relation [18] (Sect. 4). We then develop a sound algorithm (Sect. 5) that imposes information flow constraints on the clocks and the variables of a timed automaton. We finish with our conclusions (Sect. 6) and the proofs of our main results (Appendix).

Related Work.
There are other papers dealing with Information Flow using language-based techniques for programs with a notion of time [2,9,16,22] or programs that leak information intentionally [6,13,19,20,21,24]. Our contribution focuses on the challenges of continuous time and the guarded actions of timed automata.
The work of [7,8] defines a notion of non-interference for timed automata with high-level (secret) and low-level (public) actions. Their notion of security is expressed as a non-interference property and it depends on a natural number m, representing a minimum delay between high-level actions such that the low-level behaviors are not affected by the high-level ones. The authors of [17] define a notion of timed non-interference based on bisimulations for probabilistic timed automata, which again have high-level (secret) and low-level (public) actions. A somewhat different approach is taken in [12], which studies the synthesis of controllers. None of those approaches considers timed automata that have data variables, nor is their notion of security able to accommodate systems that leak information intentionally.
The authors of [25] take a language-based approach and define a type system for programs written in the language Timed Commands. A program in their language gives rise to a timed automaton, and type-checked programs adhere to a non-interference-like security property. However, their approach is limited to automata that can be described by their language, and they do not consider information release.

Timed Automata
A timed automaton [1,5] TA = (Q, E, I, q_•) consists of a set of nodes Q, a set of annotated edges E, and a labelling function I on nodes. A node q_• ∈ Q will be the initial node and the mapping I maps each node in Q to a condition (to be introduced below) that will be imposed as an invariant at the node.
The edges are annotated with actions and take the form (q_s, g → x := a: r, q_t) where q_s ∈ Q is the source node and q_t ∈ Q is the target node. The action g → x := a: r consists of a guard g that has to be satisfied in order for the multiple assignments x := a to be performed and the clock variables r to be reset. We shall assume that the sequences x and a of program variables and expressions, respectively, have the same length and that x does not contain any repetitions. To cater for special cases we shall allow to write skip for the assignments of g → x := a: r when x (and hence a) is empty; also we shall allow to omit the guard g when it equals tt and to omit the clock resets when r is empty.
It has already emerged that we distinguish between (program) variables x and clock variables (or simply clocks) r. The arithmetic expressions a, guards g and conditions c are defined by a grammar over boolean tests b, in which the arithmetic operators op_a and the relational operators op_r are as usual. For comparisons of clocks we use the operators op_c ∈ {<, ≤, =, ≥, >} in guards and the less permissive set of operators op_d ∈ {<, ≤, =} in conditions.
To specify the semantics of timed automata let σ be a state mapping variables to values (which we take to be integers) and let δ be a clock assignment mapping clocks to non-negative reals. We then have total semantic functions [[·]] for evaluating the arithmetic expressions, boolean tests, guards and conditions; the values of the arithmetic expressions and boolean expressions only depend on the states, whereas those of guards and conditions also depend on the clock assignments.
The configurations of the timed automata have the form ⟨q, σ, δ⟩ ∈ Config where [[I(q)]](σ, δ) is true, and the transitions are described by an initial delay (possibly none) that increases the values of all the clocks, followed by an action. Therefore, whenever (q_s, g → x := a: r, q_t) is in E we have a transition rule ⟨q_s, σ, δ⟩ −d→ ⟨q_t, σ', δ'⟩ where d ≥ 0 is the initial delay. The rule ensures that after the initial delay the invariant and the guard are satisfied in the starting configuration, that is [[I(q_s) ∧ g]](σ, δ + d) holds, and it updates the mappings σ and δ to σ' = σ[x ↦ [[a]]σ] and δ' = (δ + d)[r ↦ 0], where δ + d abbreviates λr.δ(r) + d. Finally, it ensures that the invariant is satisfied in the resulting configuration, that is [[I(q_t)]](σ', δ') holds. Initial configurations assume that all clocks are initialized to 0 and have the form ⟨q_•, σ, λr.0⟩.
Traces. We define a trace from ⟨q_s, σ, δ⟩ to q_t in a timed automaton TA to have one of three forms. It may be a finite "successful" sequence of transitions from ⟨q_s, σ, δ⟩ that ends in a configuration at q_t, in which case at least one step is performed. It may be a finite "unsuccessful" sequence ending in a configuration ⟨q_n, σ_n, δ_n⟩ that is stuck, meaning that there is no action starting from ⟨q_n, σ_n, δ_n⟩. Finally, it may be an infinite "unsuccessful" sequence. We shall write [[TA : q_s → q_t]](σ, δ) for the set of traces from ⟨q_s, σ, δ⟩ to q_t. We then have the following proposition.
Proposition 1 [15]. For a pair (σ, δ), whenever [[TA : q_s → q_t]](σ, δ) contains only successful traces, then there exists a trace t ∈ [[TA : q_s → q_t]](σ, δ) with maximal length.
Example 1. To illustrate our development we shall consider an example automaton of a smart grid system as the one described in Sect. 1. The timed automaton SG is given in Fig. 1 and it uses the clocks t and T to model the passing of a day and a month respectively. Between midnight and noon, the electricity data ed is aggregated in the variable e_1, while from noon to midnight the measurements are saved in the variable e_2. The clock r is used to regulate the frequency of the measurements, by allowing one measurement every full hour. At the end of a day (midnight) the last measurement is taken and the clock t is reset to 0, indicating the start of a new day. At the end of each month (T = 720) the trusted party TTP collects the data e_1 and e_2 of the meter and stores it in the collectors c_1 and c_2 respectively. At the same time, the customer C sends a service request s to the TTP in case he desires to get some analytics regarding his energy consumption. The TTP then requests from UC the prices p_1, p_2 of the electricity tariffs for the two time periods of interest and, in case C has made a request for his data to be analysed (s = 1, otherwise s = 0), the TTP also reveals the collected data c_1 and c_2 to UC, which stores them in the variables y_1 and y_2 respectively. UC then responds to the TTP by sending the values v_1 and v_2 of the electricity tariffs and also the result z of C's data analytics in case C made a request for that, otherwise it sends the value 0.
Once the TTP has received everything (f = 1) it calculates the bill b for C and sends it to him together with the analysis result a (C stores it in x); the clocks and the variables of the meter are reset to 0 and a new month starts. For simplicity we assume here that all the calculations done by the TTP and UC at the end of the month are completed in zero time.
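To make the delay-then-action rule of this section concrete, the following Python snippet is an added example (not code from the paper) that implements the transition rule for a small constructed automaton in the spirit of the meter of Example 1: a single node M with clocks t (day) and r (hourly measurement), the invariant r ≤ 1 ∧ t ≤ 24, and edges that aggregate the reading ed into e1 until noon and into e2 afterwards, resetting t at midnight. The guards, the invariant and the variable names are assumptions of this example and are not taken from Fig. 1, which is not reproduced here.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Tuple

State = Dict[str, int]        # σ: program variables to integers
Clocks = Dict[str, float]     # δ: clocks to non-negative reals
Config = Tuple[str, State, Clocks]

@dataclass
class Edge:
    src: str
    guard: Callable[[State, Clocks], bool]       # g, may compare clocks
    assign: Dict[str, Callable[[State], int]]    # x := a, each a over σ only
    resets: Tuple[str, ...]                      # clocks r reset to 0
    tgt: str

@dataclass
class TA:
    edges: Tuple[Edge, ...]
    inv: Dict[str, Callable[[State, Clocks], bool]]   # I: node -> invariant
    q0: str

def step(ta: TA, cfg: Config, e: Edge, d: float) -> Optional[Config]:
    """Delay d, then fire e; None when the transition rule does not apply."""
    q, sigma, delta = cfg
    if e.src != q or d < 0:
        return None
    delayed = {c: v + d for c, v in delta.items()}                   # δ + d
    if not (ta.inv[q](sigma, delayed) and e.guard(sigma, delayed)):  # I(q_s) and g after the delay
        return None
    sigma2 = dict(sigma)                                             # multiple assignment:
    sigma2.update({x: a(sigma) for x, a in e.assign.items()})        # every a_i reads the old σ
    delta2 = dict(delayed)
    delta2.update({c: 0.0 for c in e.resets})
    if not ta.inv[e.tgt](sigma2, delta2):                            # I(q_t) must hold afterwards
        return None
    return (e.tgt, sigma2, delta2)

def initial(ta: TA, sigma: State, clocks: Sequence[str]) -> Config:
    return (ta.q0, dict(sigma), {c: 0.0 for c in clocks})            # all clocks start at 0

def meter_fragment() -> Tuple[TA, Dict[str, Edge]]:
    """Constructed one-node fragment in the spirit of the meter of Example 1 (assumed, not Fig. 1)."""
    morning = Edge("M", lambda s, c: c["r"] == 1 and c["t"] <= 12,
                   {"e1": lambda s: s["e1"] + s["ed"]}, ("r",), "M")
    evening = Edge("M", lambda s, c: c["r"] == 1 and 12 < c["t"] < 24,
                   {"e2": lambda s: s["e2"] + s["ed"]}, ("r",), "M")
    midnight = Edge("M", lambda s, c: c["r"] == 1 and c["t"] == 24,
                    {"e2": lambda s: s["e2"] + s["ed"]}, ("r", "t"), "M")
    # invariant r <= 1: the automaton cannot let more than an hour pass without measuring
    ta = TA((morning, evening, midnight), {"M": lambda s, c: c["r"] <= 1 and c["t"] <= 24}, "M")
    return ta, {"morning": morning, "evening": evening, "midnight": midnight}

def simulate_day(ed: int) -> Config:
    """24 hourly steps from midnight; e1 collects the first half of the day, e2 the second."""
    ta, e = meter_fragment()
    cfg = initial(ta, {"ed": ed, "e1": 0, "e2": 0}, ["t", "r"])
    for hour in range(1, 25):
        edge = e["morning"] if hour <= 12 else e["evening"] if hour < 24 else e["midnight"]
        nxt = step(ta, cfg, edge, 1.0)
        if nxt is None:
            raise RuntimeError(f"edge not enabled at hour {hour}")
        cfg = nxt
    return cfg

def skipping_an_hour_is_stuck() -> bool:
    """A two-hour delay violates the invariant r <= 1, so no action can follow it."""
    ta, e = meter_fragment()
    cfg = initial(ta, {"ed": 1, "e1": 0, "e2": 0}, ["t", "r"])
    return step(ta, cfg, e["morning"], 2.0) is None

if __name__ == "__main__":
    print(simulate_day(3), skipping_an_hour_is_stuck())
```

Two details of the rule are easy to get wrong and are visible here: the right-hand sides of a multiple assignment are all evaluated in the state before the update, and the target invariant is checked after the clock resets. simulate_day drives the fragment through one day; skipping_an_hour_is_stuck shows that a delay of two hours is rejected by the invariant of M, which is how an invariant forces an action to happen before a deadline.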

Information Flow
We envisage that there is a security lattice expressing the permissible flows [10]. Formally this is a complete lattice and the permitted flows go in the direction of the partial order. In our development, it will contain just two elements, L (for low) and H (for high), and we set L ⊑ H so that only the flow from H to L is disallowed. For confidentiality, one would take L to mean public and H to mean private, and for integrity one would take L to mean trusted and H to mean dubious.
A security policy is then expressed by a mapping L that assigns an element of the security lattice to each program variable and clock variable. An entity is called high if it is mapped to H by L, and it is said to be low if it is mapped to L by L. To express adherence to the security policy we use the binary operation ⊑ defined on sets χ and χ' (of variables and clocks): χ ⊑ χ' expresses that all the entities of χ may flow into those of χ'; note that if one of the entities of χ has a high security level then it must be the case that all the entities of χ' have high security level.
Example 2. Returning to Example 1 of our smart grid system, we have that L maps the program variable ed of the electricity data, the variables e_1, e_2 that store this data, the collectors c_1, c_2 and the bill b to the security level H, while the rest of the program variables and clocks are mapped to L.
Information flow control enforces a security policy by imposing constraints of the form {y} ⊑ {x} whenever the value of y may somehow influence (or flow into) that of x. Traditionally we distinguish between explicit and implicit flows, as explained below. As an example of an explicit flow consider a simple assignment of the form x := a. This gives rise to a condition fv(a) ⊑ {x} so as to indicate that the explicit flow from the variables of a to the variable x must adhere to the security policy: if a contains a variable with high security level then x must also have high security level. For an example of an implicit flow consider a conditional assignment g → x := 0 where x is assigned the constant value 0 in case g evaluates to true. This gives rise to a condition fv(g) ⊑ {x} so as to indicate that the implicit flow from the variables of g to the variable x must adhere to the security policy: if g contains a variable with high security level then x must also have high security level.
As has already been explained, many applications, such as our smart grid example, inevitably leak some information. In this paper we develop an approach to ensure that the security policy is adhered to by the timed automaton of interest, except that under certain conditions it may be bypassed. Thus, for a timed automaton TA = (Q, E, I, q_•), we shall assume that there exists a set of observable nodes Y ⊆ Q, which are the nodes where the values of program variables and clocks with low security level are observable by an attacker. The observable nodes will be described by the union of two disjoint sets Y_s and Y_w, where a node q in Y_s (Y_w resp.) will be called strongly observable (weakly observable resp.). The key idea is to ensure that {x} ⊑ {y} whenever there is an explicit flow of information from x to y (as illustrated above) or an implicit flow from x to y in computations that lead to strongly observable nodes, while computations that lead to weakly observable nodes are allowed to bypass the security policy L.
To overcome the vagueness of this explanation we need to define a semantic condition that encompasses our notion of permissible information flow, where information leakage occurs only at specific places in our automaton.
Observable Steps. Since the values of low program variables and clocks are only observable at the nodes in Y, we collapse the transitions of the automaton that lead to non-observable nodes into one. Thus we have an observable successful step from ⟨q_s, σ, δ⟩ to ⟨q_t, σ', δ'⟩ with delay D whenever there exists a successful trace t from ⟨q_s, σ, δ⟩ to q_t in TA with q_t ∈ Y, D = Δ(t) and ∀i ∈ {1, ..., n − 1} : q_i ∉ Y, that is, none of the intermediate nodes of t is observable. And we have an observable unsuccessful step ⟨q_s, σ, δ⟩ ⟹ ⊥ whenever there exists an unsuccessful finite trace or an unsuccessful infinite trace from ⟨q_s, σ, δ⟩ to any of the nodes in Y with ∀i > 0 : q_i ∉ Y. From now on it should be clear that a configuration γ will range over Config ∪ {⊥}.
We write (σ, δ) ≡ (σ', δ') to indicate that the two pairs are equal on low variables and low clocks, that is σ(x) = σ'(x) whenever L(x) = L and δ(r) = δ'(r) whenever L(r) = L. It is immediate that this definition of ≡ gives rise to an equivalence relation.
Intuitively ≡ represents the view of a passive attacker as defined in [24], a principal that is able to observe the computations of a timed automaton and deduce information.
We will now define our security notion with the use of a bisimulation relation. Our notion shares some ideas with [19,21], where a bisimulation-based security is defined for a programming language with threads. In their approach, the bypassing of the security policy is localized on the actions, because their attacker model is able to observe the low variables of a program at any of its computation steps (in a timed automaton, all of the nodes would have been observable). In contrast to [19,21], we localize the bypassing of policies at the level of the nodes, and we also define a more flexible notion of security with respect to the attacker's observability.

Definition 1 (Y-Bisimulation). For a timed automaton TA = (Q, E, I, q_•) and a set Y of observable nodes, a Y-bisimulation is a relation on configurations, where node(⟨q, σ, δ⟩) = q and pair(⟨q, σ, δ⟩) = (σ, δ), under which related configurations match each other's observable steps in the sense described next.
We write ∼_Y for the union of all the Y-bisimulations, and it is immediate that ∼_Y is itself a Y-bisimulation and an equivalence relation. Intuitively, when two configurations are related by ∼_Y and they are low equivalent, then they produce distinguishable pairs of states only at the weakly observable nodes; observations made at strongly observable nodes must still be indistinguishable. In both cases, the resulting configurations of two Y-bisimilar configurations should also be Y-bisimilar. We are now ready to define our security notion.
Definition 2 (Security of Timed Automata). For a timed automaton TA = (Q, E, I, q_•) and a set Y = Y_s ∪ Y_w of observable nodes, we will say that TA satisfies the information security policy L whenever: Whenever Y_w = ∅ our notion of security coincides with standard definitions of non-interference [29], where an automaton that satisfies the information security policy L does not leak any information about its high variables.
Example 3. For the smart grid automaton SG of Example 1, we have the set of observable nodes Y = {2, 3, 4}, where the strongly observable ones are the nodes 2 and 4 (Y_s = {2, 4}) and the weakly observable one is the node 3 (Y_w = {3}), where the TTP is allowed to release the secret information of C.

Post-dominators
For the implicit flows arising from conditions, we are interested in finding their end points (nodes), that is the points where the control flow no longer depends on the conditions. For that, we define a generalized version of the post-dominator relation and the immediate post-dominator relation [18].
Paths. A path π in a timed automaton TA = (Q, E, I, q_•) is a finite sequence π = q_0 act_1 q_1 ... q_{n−1} act_n q_n (n ≥ 0) or an infinite sequence π = q_0 act_1 q_1 ... q_{n−1} act_n q_n ... of nodes and actions such that ∀i > 0 : (q_{i−1}, act_i, q_i) ∈ E. We say that a path is trivial if π = q_0, and we say that a node q belongs to the path π, or that π contains q, written q ∈ π, if there exists some i such that q_i = q. For a finite path π = q_0 act_1 q_1 ... q_{n−1} act_n q_n we write π(i) = q_i act_{i+1} q_{i+1} ... q_{n−1} act_n q_n (i ≤ n) for the suffix of π that starts at the i-th position, and we usually refer to it as the i-th suffix of π. Finally, for a node q and a set of nodes Y ⊆ Q we write Π_(q,Y) for the set of all the non-trivial finite paths that start at q, end at a node y in Y, and whose intermediate nodes do not belong to Y.

Definition 3 (Post-dominators). For a node q and a set of nodes Y ⊆ Q, pdom_Y(q) is the set of nodes that belong to the 1-suffix π(1) of every path π ∈ Π_(q,Y), and whenever q' ∈ pdom_Y(q) we will say that q' is a Y post-dominator of q.
Intuitively, whenever a node q' is a Y post-dominator of a node q it means that every non-trivial path that starts at q has to visit q' before it visits one of the nodes in Y. We write pdom_y(q) whenever Y = {y} is a singleton, and we have the following facts.
Fact 1. For a set of nodes Y ⊆ Q and for a node q we have that pdom_Y(q) = ⋂_{y∈Y} pdom_y(q).
Fact 2. The post-dominator set for a singleton set {y} can be computed by finding the greatest solution of a system of data-flow equations over the nodes of the automaton (see the proof of Fact 2 in the Appendix).
For a node q, we are interested in finding the Y post-dominator "closest" to it.
Definition 4. For a node q and a set of nodes Y we define the set ipdom_Y(q) ⊆ pdom_Y(q), and a node q' ∈ ipdom_Y(q) will be called an immediate Y post-dominator of q.
The following fact gives us a unique immediate Y post-dominator for the nodes that can reach Y (Π_(q,Y) ≠ ∅). Intuitively this unique immediate Y post-dominator of a node q is the node that is the "closest" Y post-dominator of q, meaning that on any non-trivial path starting from q and ending in Y, the immediate Y post-dominator of q will always be visited before any other Y post-dominator of q.
Fact 3. For a set of nodes Y and a node q, whenever Π_(q,Y) ≠ ∅ and pdom_Y(q) ≠ ∅ then there exists a node q' such that ipdom_Y(q) = {q'}.
For simplicity, whenever a node q' is the unique immediate Y post-dominator of a node q and Π_(q,Y) ≠ ∅ we shall write ipd_Y(q) for q' and we will say that the unique immediate Y post-dominator of q is defined. In any other case, where q either cannot reach Y (Π_(q,Y) = ∅) or pdom_Y(q) = ∅, we will say that the unique immediate Y post-dominator of q is not defined.
Example 4. For the timed automaton SG and for the set of observable nodes Y = {2, 3, 4}, we have that pdom_Y(q) = ipdom_Y(q) = {2} for q being 1, 3 and 4, while pdom_Y(2) = ipdom_Y(2) = ∅. Therefore for the nodes 1, 3 and 4 their unique immediate Y post-dominator is defined and it is the node 2, while the unique immediate Y post-dominator of the node 2 is not defined.

Algorithm for Secure Information Flow
We develop an algorithm (Fig. 2) that traverses the graph of a timed automaton TA = (Q, E, I, q_•) and imposes information flow constraints on the program variables and clocks of the automaton with respect to a security policy L and a Y post-dominator relation, where Y = Y_s ∪ Y_w is the set of observable nodes. Before we explain the algorithm we start by defining some auxiliary operators.
Auxiliary Operators. For an edge (q_s, g → x := a: r, q_t) ∈ E we define the auxiliary operators ass(·), expr(·) and con(·) as
ass((q_s, g → x := a: r, q_t)) = {x, r}
expr((q_s, g → x := a: r, q_t)) = {a}
con((q_s, g → x := a: r, q_t)) = I(q_s) ∧ g ∧ I(q_t)[a/x][0/r]
where ass(·) gives the variables and clocks modified by the assignment performed by TA using that edge, expr(·) gives the expressions used for the assignment, and con(·) returns the condition that has to hold in order for the assignment to be performed. We finally lift ass(·) to finite paths: for a finite path π = q_0 act_1 q_1 ... q_{n−1} act_n q_n we define Ass(q_0 act_1 q_1 ... q_{n−1} act_n q_n) = ⋃_{i=1}^{n} ass((q_{i−1}, act_i, q_i)). We write Q_{⇝w} for the set of nodes q ∈ Q such that whenever the automaton performs a successful observable step starting from q and ending in an observable node q' ∈ Y, then q' is weakly observable.
Condition C1. We start by looking at the nodes in Q_{⇝w}. According to our security notion (Definition 2), for two low equivalent configurations at a node q, whenever the first one performs a successful (or unsuccessful) observable step that ends at a weakly observable node, then the second should also be able to perform an observable step that ends at a weakly observable node (or an unsuccessful one, resp.). For that, condition C1 (a) first requires that the conditions of the outgoing edges in E_q, where E_q = {(q, act, q') | (q, act, q') ∈ E}, contain only low variables. However, this is not enough. To explain the rest of the constraints imposed by condition C1 (a), consider the automaton (a) of Fig. 3, where node 3 is weakly observable, h and l are a high and a low variable respectively, and all the invariants of the nodes are set to tt. This automaton is not secure with respect to Definition 2. To see this, we have ([l ↦ 0, h ↦ 1], δ) ≡ ([l ↦ 0, h ↦ 0], δ) (for some clock state δ), but the pair ([l ↦ 0, h ↦ 1], δ) always produces ⊥ since we will have an infinite loop at node 2, while ([l ↦ 0, h ↦ 0], δ) always terminates at node 3. That is because even though both edges of node 2 contain only the low variable l in their condition, the assignment l := h bypasses the policy L and thus, right after it, the two pairs stop being low equivalent.
As another example, consider the automaton (b) of Fig. 3. Here node 4 is weakly observable, h is a high variable, l and l' are two low variables, and all the invariants of the nodes are again set to tt. For two low equivalent pairs that differ only in the value of h, again the first pair produces ⊥ by looping at node 3, whereas the second pair always terminates. Here even though the variable l' is not used in any condition after the assignment l' := h, it influences the value of l, and consequently, since l appears in the condition of the edges of node 3, we get this behaviour.
To cater for such cases, for an edge e = (q_s, g → x := a: r, q_t) we first define the predicate A_e that takes care of the explicit flows arising from the assignments of e (that is, the conditions fv(a) ⊑ {x} of Sect. 3 for the assignments of e). We then define Π_(e,Y) to be the set of paths (as defined in Sect. 4) that start with e and end in Y, and whose intermediate nodes do not belong to Y. Finally, whenever an assignment bypasses the security policy L due to an explicit flow and thus A_e is false, we impose instead the predicate Ψ_e. The predicate Ψ_e demands that the program variables assigned by e = (q_s, act, q_t) cannot be used in any expression or condition that appears on a path that starts at q_t and goes to an observable node. Note here that even though Ψ_e quantifies over a possibly infinite set of paths (Π_(e,Y)), it can be computed in finite time by only looking at the paths where each cycle occurs at most once.
We will now look at the nodes where the automaton may perform a successful observable step that ends in a strongly observable node. Those nodes are described by the set Q^c_{⇝w} = Q \ Q_{⇝w}, that is the complement of Q_{⇝w}.
Condition C2. For a node q in Q^c_{⇝w} whose immediate Y post-dominator is defined, condition C2 (a) takes care of the explicit and the implicit flows generated by the assignments and the control dependencies, respectively, arising from the edges of q. Note here that we do not propagate the implicit flows any further than ipd_Y(q). This is because ipd_Y(q) is the point where all the branches of q join, and any further computation is not control-dependent on them anymore. These constraints are along the lines of Denning's approach [10] of the so-called block labels. To understand condition C2 (b), consider the automaton (c) of Fig. 4, where h and l are a high and a low variable respectively, node 2 is strongly observable, and both nodes 1 and 2 have their invariant set to tt. Next take ([l ↦ 0, h ↦ 1], δ) ≡ ([l ↦ 0, h ↦ 0], δ) (for some clock state δ) and note that the first pair can result in a configuration at 2 with ([l ↦ 0, h ↦ 1], δ) (taking the top branch), while the second pair always ends at 2 with [l ↦ 1, h ↦ 0]. Therefore this automaton is not secure with respect to our Definition 2.
To take care of such behaviours we write sat(···) to express the satisfiability of the formula ···. Whenever there are two branches (induced by the edges e and e', both leaving q) that are not mutually exclusive (that is, where sat(con(e) ∧ con(e'))), we make sure to record the information flow arising from bypassing the branch that would otherwise perform an assignment. This is essential for dealing with non-determinism.
Fact 4. For a timed automaton TA = (Q, E, I, q_•), we have that if ⟨q, σ, δ⟩ performs an observable step, where e corresponds to the initial edge of this observable step.
Condition C2 (c) takes care of cases where a timing/termination side channel [2] could occur. As an example of such a case consider the automaton (d) of Fig. 5, where h and t are a high program variable and a low clock respectively, node 2 is strongly observable, and both 1 and 2 have their invariant set to tt. Next, for two low equivalent pairs that differ only in the value of h, we have that the first pair always delays at least 30 units and ends in 2 with a clock state that has t > 30, whereas the second pair can go to 2 taking the lower branch immediately without any delay, and thus the resulting pairs will not be low equivalent. To take care of such behaviours, we stipulate a predicate Φ_q. Using this predicate we demand that whenever the TA does not have a "constant" termination behaviour from the node q to the node ipd_Y(q), then the variables that influence the termination behaviour must not be of high security level.

Condition C3. We are now left with the nodes in Q^c_{⇝w} whose immediate Y post-dominator is not defined. Since for such a node q we cannot find a point (the unique immediate Y post-dominator) where the control dependencies from the branches of q end, condition C3 (a) requires that the conditions of the edges of q do not depend on high security variables.
Condition C3 (b) caters for the explicit flows of an edge e using the predicate A_e. However, we are allowed to dispense with A_e whenever further computations after taking the edge e may lead only to weakly observable nodes and Ψ_e holds. To express this, for an edge e = (q_s, g → x := a: r, q_t) we write e ⇝ w whenever q_t ∈ Y_w or q_t ∈ Q_{⇝w}.
Example 5. For the smart grid automaton SG we have that the nodes 1, 3 and 4 are in Q^c_{⇝w} and also that their unique immediate Y post-dominator is defined. Conditions C2 (a) and C2 (b) impose the corresponding constraints on these nodes. Now if we were to change the node 3 from being weakly observable to strongly observable, the automaton SG would not be secure with respect to Definition 2. In that case our algorithm rejects it, since for the edge e entering node 3 we would no longer have e ⇝ w, and the predicate A_e would evaluate to false.
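As an added example (not the algorithm of Fig. 2, which is not reproduced here), the following Python code computes pdom_Y and ipd_Y of Sect. 4 by the greatest-fixpoint iteration behind Fact 2 and the "first post-dominator met" argument of Fact 3, and then generates a simplified version of the constraints discussed in this section: the explicit-flow predicate A_e, the bypass condition e ⇝ w together with Ψ_e, the low-condition requirements of C1 (a) and C3 (a), and Denning-style implicit flows from the condition of an edge of q into everything assigned before ipd_Y(q). It deliberately omits C2 (b) (satisfiability of con(e) ∧ con(e')) and C2 (c) (the timing predicate Φ_q), takes the free variables of con(e) as given instead of computing I(q_s) ∧ g ∧ I(q_t)[a/x][0/r], and treats Q_{⇝w} as a graph property of the first observable node reachable from q. These simplifications, the four-node automaton and its policy are assumptions of this example, not part of the paper; the automaton only mirrors the shape of the release in Example 1.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Edge (q_s, g -> x := a : r, q_t) reduced to what the constraints inspect (an assumption of this
# example): (q_s, fv(con(e)), {x: fv(a) for each x := a, r: {} for each reset clock}, q_t).
Edge = Tuple[str, FrozenSet[str], Dict[str, FrozenSet[str]], str]

def fs(*xs: str) -> FrozenSet[str]:
    return frozenset(xs)

def out_edges(edges: List[Edge], q: str) -> List[Edge]:
    return [e for e in edges if e[0] == q]

def pdom(nodes: List[str], edges: List[Edge], Y: Set[str]) -> Dict[str, Set[str]]:
    """Greatest solution of pdom_Y(q) = ⋂_{q' in succ(q)} ({q'} ∪ (∅ if q' in Y else pdom_Y(q')))."""
    pd = {q: set(nodes) for q in nodes}      # start from the top: unreachable successors shrink nothing
    changed = True
    while changed:
        changed = False
        for q in nodes:
            new = set(nodes)
            for e in out_edges(edges, q):
                new &= {e[3]} | (set() if e[3] in Y else pd[e[3]])
            if new != pd[q]:
                pd[q], changed = new, True
    return pd

def region(edges: List[Edge], q: str, stop: Set[str]) -> List[Edge]:
    """Edges on paths leaving q before a node of `stop` is entered (q itself is always explored)."""
    out, seen, stack = [], {q}, [q]
    while stack:
        for e in out_edges(edges, stack.pop()):
            out.append(e)
            if e[3] not in stop and e[3] not in seen:
                seen.add(e[3])
                stack.append(e[3])
    return out

def first_observable(edges, q, Y) -> Set[str]:
    """Nodes of Y in which an observable step starting at q can end (graph over-approximation)."""
    return {e[3] for e in region(edges, q, Y) if e[3] in Y}

def ipd(pd, edges, q, Y) -> Optional[str]:
    """ipd_Y(q): the Y post-dominator reached before every other one (Fact 3); None if not defined."""
    if not first_observable(edges, q, Y):     # Π_(q,Y) = ∅
        return None
    first = [p for p in pd[q]
             if not ({e[3] for e in region(edges, q, {p})} - {p}) & (pd[q] - {p})]
    return first[0] if len(first) == 1 else None

def flows(chi, chi2, L) -> bool:
    """χ ⊑ χ' on the lattice L ⊑ H: a high entity in χ forces every entity of χ' to be high."""
    return all(L[y] == "H" for y in chi2) if any(L[x] == "H" for x in chi) else True

def explicit_ok(e: Edge, L) -> bool:     # A_e: fv(a) ⊑ {x} for every x := a of e
    return all(flows(fv, {x}, L) for x, fv in e[2].items())

def psi(edges, e: Edge, Y) -> bool:      # Ψ_e: nothing assigned by e is read on Π_(e,Y) after e
    used: Set[str] = set()
    for e2 in ([] if e[3] in Y else region(edges, e[3], Y)):
        used |= e2[1] | set().union(*e2[2].values())
    return not (set(e[2]) & used)

def weak_only(edges, q, Y, Y_w) -> bool:  # q ∈ Q_{⇝w}: every observable step from q ends weakly
    return first_observable(edges, q, Y) <= Y_w

def check(nodes, edges, Y_s: Set[str], Y_w: Set[str], L) -> List[Tuple[str, str]]:
    """Constraint violations as (condition, edge) pairs; an empty list means accepted."""
    Y = Y_s | Y_w
    pd = pdom(nodes, edges, Y)
    bad: List[Tuple[str, str]] = []
    for q in nodes:
        outs = out_edges(edges, q)
        for e in outs:   # explicit flows; A_e may only be dropped when e ⇝ w and Ψ_e hold
            leads_weak = e[3] in Y_w or weak_only(edges, e[3], Y, Y_w)
            if not explicit_ok(e, L) and not (leads_weak and psi(edges, e, Y)):
                bad.append(("explicit", f"{q}->{e[3]}"))
        high_cond = [f"{q}->{e[3]}" for e in outs if any(L[x] == "H" for x in e[1])]
        if weak_only(edges, q, Y, Y_w):            # C1 (a): branching must not depend on high data
            bad += [("C1a", s) for s in high_cond]
        elif (i := ipd(pd, edges, q, Y)) is None:  # C3 (a): no join point, so conditions stay low
            bad += [("C3a", s) for s in high_cond]
        else:                                      # C2 (a)-style implicit flows, stopped at ipd_Y(q)
            for e in outs:
                for e2 in region(edges, q, {i}):
                    if not flows(e[1], set(e2[2]), L):
                        bad.append(("C2a", f"{q}->{e[3]} into {e2[0]}->{e2[3]}"))
    return bad

def toy(release_guard: FrozenSet[str] = fs("s")):
    """Constructed four-node automaton (not Fig. 1): meter -> TTP -> UC -> TTP -> meter."""
    nodes = ["1", "2", "3", "4"]
    edges: List[Edge] = [
        ("1", fs("T"), {"c": fs("ed"), "T": fs()}, "2"),      # T = 720 -> c := ed : T
        ("2", release_guard, {"y": fs("c")}, "3"),            # s = 1 -> y := c  (release to UC)
        ("2", release_guard, {}, "3"),                        # s = 0 -> skip
        ("3", fs(), {"b": fs("c", "p"), "x": fs("y")}, "4"),  # b := c * p, x := y
        ("4", fs(), {}, "1"),                                 # skip
    ]
    L = {"ed": "H", "c": "H", "b": "H", "s": "L", "y": "L", "p": "L", "x": "L", "T": "L"}
    return nodes, edges, L
```

With Y_s = {2, 4} and Y_w = {3}, check(*toy-derived arguments*) accepts the automaton: the release y := c violates A_e, but the edge leads into the weakly observable node 3 and nothing read before reaching it depends on y, so Ψ_e lets it through. Making node 3 strongly observable (Y_w = ∅) turns the same edge into an explicit violation, which is the situation described for SG above. Guarding the release on the high collector c instead of the customer's low request s is rejected by C1 (a), because the attacker could then learn about c from which observable node is reached. The greatest-fixpoint formulation of pdom matters for nodes that cannot reach Y at all: starting from the full node set keeps them from emptying the post-dominator sets of their predecessors.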
Finally, we shall write sec_{Y,L}(TA) whenever the constraints arising from our algorithm (Fig. 2) are satisfied, and thus we have the following lemmas.
Lemma 1. For a timed automaton TA = (Q, E, I, q_•), if sec_{Y,L}(TA) then for
The following theorem combines the two lemmas above to establish the soundness of our algorithm with respect to the notion of security of Definition 2.
Theorem 1.For a timed automaton TA = (Q, E, I, q • ), if sec Y,L (TA) then TA satisfies the information security policy L.

Conclusion
We have shown how to successfully enforce Information Flow Control policies on timed automata.This has facilitated developing an algorithm that prevents unnecessary label creep and that deals with non-determinism, non-termination, and continuous real-time.The algorithm has been proved sound by means of a bisimulation result, that allows controlled information leakage.
We are exploring how to automate the analysis and in particular how to implement (a sound approximation of) the Φ_q predicate. There has been a lot of research [3,4] done on determining the maximum (max_t) or minimum (min_t) execution time that an automaton needs to move from a location q_s to a location q_t. One possibility is to make use of this work [3,4], so that the predicate Φ_q would amount to checking whether the execution time between the two nodes of interest (q and ipd_Y(q)) is constant (e.g. max_t = min_t).
A longer-term goal is to allow policies to simultaneously deal with safety and security properties of cyberphysical systems.

Appendix Proposition 1
Assume that all the traces in [[TA : q_s → q_t]](σ, δ) are successful; we want to show that there exists t ∈ [[TA : q_s → q_t]](σ, δ) with a maximal length m.
We use results from model checking for timed automata [15]. As in [15] we first transform our automaton to an equivalent diagonal-free automaton, that is an automaton where clocks appearing in its guards and invariants can be compared only to integers (e.g. r_1 − r_2 ≤ 5 is not allowed). We then define the region graph RG(TA) of TA, that is a finite graph whose nodes are of the form (q, reg) where reg is a clock region, an equivalence class defined on the clock states (for details we refer to [15]). Configurations of RG(TA) are of the form ⟨(q, reg), σ⟩ and we have that ⟨(q, reg), σ⟩ ⟹ ⟨(q', reg'), σ'⟩ if there are δ ∈ reg, δ' ∈ reg', d ≥ 0 and σ' such that the automaton TA performs the transition ⟨q, σ, δ⟩ −d→ ⟨q', σ', δ'⟩. Lemma 1 of [15] then states that each abstract run (finite or infinite) in the region graph RG(TA) can be instantiated by a run (finite or infinite, resp.) in TA and vice versa. This is based on the property of the region graph of being pre-stable, that is, ⟨(q, reg), σ⟩ ⟹ ⟨(q', reg'), σ'⟩ if for all δ ∈ reg there are δ' ∈ reg', d ≥ 0 and σ' such that ⟨q, σ, δ⟩ −d→ ⟨q', σ', δ'⟩. Therefore the computation tree T of ⟨q, σ, δ⟩ in TA has the same depth as the computation tree T' of ⟨(q, [δ]), σ⟩ in RG(TA), where [δ] is the region that contains all the clock states that are equivalent to δ. We then recall König's infinity lemma as it applies to trees: every tree that has infinitely many vertices but is locally finite (each vertex has finitely many successor vertices) has at least one infinite path [11]. It is immediate that T' is a locally finite tree. Now if T' is infinite then by König's infinity lemma T' has an infinite path, and thus by Lemma 1 of [15] T also has an infinite path, which corresponds to an infinite trace of ⟨q, σ, δ⟩ in TA; this contradicts our assumption that all the traces of ⟨q, σ, δ⟩ are finite. Therefore we can conclude that T' has finite depth, hence so does T, and both depths are equal to the number m.

Proof of Fact 2
Proof. The first equation is straightforward by the definition of the post-dominator relation. For the second one, that is when y is an (immediate) successor of q, the only post-dominator of q is the node y: there exists a non-trivial path π = q act y ∈ Π_(q,y) (for some action act) whose 1-suffix π(1) = y contains only y, and therefore for any other path π' ∈ Π_(q,y) in which a node q' different from y is contained in π'(1), q' cannot be a post-dominator of q since it is not contained in the trivial path π(1). To understand the last equation, notice that if a node q' post-dominates all of the successors of q, or it is a successor of q that post-dominates all the other successors of q, then all the non-trivial paths from q to y will always visit q' and thus q' ∈ pdom_y(q); conversely, if q' ∉ ∩_{q''∈succ(q)} ({q''} ∪ pdom_y(q'')) then there exists a successor q'' ≠ q' of q such that q' does not post-dominate q'', and thus we can find a non-trivial path π ∈ Π_(q,Y) that starts with q act q'' (for some action act) and does not contain q', so q' is not a post-dominator of q.

Proof of Fact 3
Proof. To prove that ipdom_Y(q) is a singleton we consider two cases. In the case that pdom_Y(q) = {q'} the proof is trivial.
Assume now that pdom_Y(q) = {q_1, ..., q_n} (n ≥ 2), take an arbitrary non-trivial path π ∈ Π_(q,Y) and find the Y post-dominator q_j ∈ pdom_Y(q) that is closest to q in that path (the one that appears first in the path). Next note that q_j ∉ Y, since if q_j ∈ Y we could shorten that path to the point where we meet q_j for the first time, and thus we would have found a non-trivial path π' ∈ Π_(q,Y) (since q_j ∈ Y) in which ∀i ≠ j : q_i ∉ π'(1), and thus ∀i ≠ j : q_i ∉ pdom_Y(q), which contradicts our assumption. Next, to prove that ∀i ≠ j : q_i ∈ pdom_Y(q_j), assume that this is not the case, so that we can find q_l ≠ q_j with q_l ∉ pdom_Y(q_j). Therefore we can find a path π' ∈ Π_(q_j,Y) such that q_l ∉ π'(1); but this means that if we concatenate (the prefix up to q_j of) the path π and the path π' we obtain a path in Π_(q,Y) to which q_l does not belong, so q_l does not belong to its 1-suffix either, and therefore q_l ∉ pdom_Y(q), which again contradicts our assumption.
Finally, to prove that ipdom_Y(q) is a singleton, assume that there exists another Y post-dominator q_l of q such that q_l ≠ q_j, q_l ∈ Y and q_j ∈ pdom(q_l). This means that q_j belongs to all the 1-suffixes of the paths in the set Π_(q_l,Y). Therefore take π = q_l ... q_j ... y ∈ Π_(q_l,Y) (for some y ∈ Y) such that π contains no cycles (i.e. each node occurs exactly once in the path); but then there exists a path π' = q_j ... y (the suffix of the path π) such that q_l ∉ π', and thus q_l ∉ pdom_Y(q_j), which contradicts our assumption. Therefore we have proved that q_j is the unique immediate Y post-dominator of q.
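To make the equations behind Facts 2 and 3 concrete, here is an added example (not from the paper) that solves them as a greatest fixed point over a small constructed graph; the graph, its node names and the set Y are assumptions, and the reading of the equations follows the proof text above (a successor in Y contributes only itself, any other successor contributes itself plus its own Y post-dominators).

```python
# Added example (not from the paper): Fact 2's Y post-dominator equations solved
# as a greatest fixed point, plus the unique immediate Y post-dominator of Fact 3.
# The graph, its node names and the set Y are constructed for illustration.
GRAPH = {"q0": {"q1"}, "q1": {"q2", "q3"}, "q2": {"q4"}, "q3": {"q4"},
         "q4": {"q1", "y1"},            # loop back, or leave into Y
         "q5": {"y1", "y2"},            # two exits into Y: pdom_Y(q5) is empty
         "q6": {"q6"},                  # cannot reach Y: Pi_(q6,Y) is empty
         "y1": set(), "y2": set()}      # node -> successors (edge actions irrelevant)
Y = {"y1", "y2"}

def can_reach(graph, targets):
    """Nodes q with a non-trivial path into `targets`, i.e. Pi_(q,Y) non-empty."""
    reach, changed = set(), True
    while changed:
        changed = False
        for q, succ in graph.items():
            if q not in reach and any(s in targets or s in reach for s in succ):
                reach.add(q)
                changed = True
    return reach

def post_dominators(graph, targets):
    """pdom_Y(q) for every q that can reach Y (Fact 2): a successor in Y contributes
    exactly itself, a successor outside Y contributes itself plus pdom_Y of it, and
    pdom_Y(q) is the intersection over successors; greatest fixed point from the
    full node set, successors that cannot reach Y impose no constraint."""
    nodes, alive = frozenset(graph), can_reach(graph, targets)
    pdom = {q: nodes for q in alive}
    changed = True
    while changed:
        changed = False
        for q in alive:
            acc = nodes
            for s in graph[q]:
                if s in targets:
                    acc &= {s}
                elif s in alive:
                    acc &= {s} | pdom[s]
            if acc != pdom[q]:
                pdom[q], changed = acc, True
    return pdom

def immediate_post_dominator(pdom, q):
    """ipd_Y(q): the member of pdom_Y(q) that all other members post-dominate
    (unique by Fact 3); None in the 'not defined' case (empty pdom_Y(q), or q
    cannot reach Y)."""
    cands = pdom.get(q, frozenset())
    for p in cands:
        if all(o in pdom.get(p, frozenset()) for o in cands - {p}):
            return p
    return None
```

For the constructed graph, q1 post-dominates q0 while q4 and y1 post-dominate q1, so ipd_Y(q0) = q1 and ipd_Y(q1) = q4, whereas q5 has no Y post-dominator and q6 cannot reach Y at all.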

Proof of Lemma 1
Proof. Assume that q, σ_1, δ_1 where k > 0 and ∀i ∈ {1, .., k − 1} : q_i1 ∉ Y and D_1 = Σ_{j=1}^{k} d_j, and that the first transition of the trace has happened because of the edge e ∈ E_q.
We shall consider two main cases: the one where q is in Q ;w and the one where it is not.
Main Case 1: q is in Q ;w. In that case q' ∈ Y_w and thus we only have to prove that (σ_2, δ_2) can reach q'. We start by proving a small fact.
Base Case l = 1. To prove (a), let e = (q_01, g → x := a: r, q_11) and note that because (σ_1, δ_1) ≡_{Z(π)} (σ_2, δ_2) and con(e) contains only low variables (since q_01 = q ∈ Q ;w and C1 (a)), it is immediate that there exists tt, and q_01, σ_2, δ_2 −→ q_11, σ_12, δ_12. Now if l < n, to prove (b) we consider two cases: one where A_e is true and one where it is false. If A_e is true we note that (σ_11, δ_11) ≡_{Z(π)} (σ_12, δ_12), and then it is immediate that also (σ_11, δ_11) ≡_{Z(π(1))} (σ_12, δ_12), as required. Otherwise, if A_e is false then Ψ_e is true and thus (σ_11, δ_11) ≡_{Z(π(1))} (σ_12, δ_12), because the two pairs are still low equivalent for the variables that are not used in the assignment of e, while the ones used in the assignment of e do not appear in any condition (or expression) of an edge of a node q' that belongs to π(1).
and thus for where q' ∈ Y_w, and this completes the proof for this case.
Main Case 2: When q is not in Q ;w. The proof proceeds by induction on the length k of the trace (∗).
Base Case (k = 1). We have that and let e = (q, g → x := a: r, q'); then it is immediate that We shall consider two subcases: one where the unique immediate Y post-dominator of q is defined and one where it is not.
Subcase 1: When the unique immediate Y post-dominator ipd_Y(q) is defined. It has to be the case then that q' = ipd_Y(q), since q' ∈ Y, and in particular we have that q' ∈ Y_s. We proceed by considering two further subcases of Subcase 1, one where the condition Φ_q is true and one where it is false.
Subcase 1(a): When Φ_q is true. Then all the variables of the condition con(e) are low and thus it is immediate that there exists d_2 = d_1 and Finally, because sec_{Y,L}(TA), condition C2 (a) gives us that A_e is true, and thus all the explicit flows arising from the assignments x := a are permissible, so (σ_1', δ_1') ≡ (σ_2', δ_2') as required.
Subcase 1(b): When Φ_q is false. If all the variables in the condition con(e) are low then the proof proceeds as in Subcase 1(a).

D2 =⇒_Y q', σ_2', δ_2' We just showed that (σ 1 , δ 1 ) ≡ (σ 1 , δ
Subcase 2: When the unique immediate Y post-dominator of q is not defined. In that case, all the variables in con(e) are low. If q' is in Y_w we have that e ; w and we proceed as in Main Case 1. Otherwise, we proceed as in Subcase 1(a). This completes the case for k = 1.
and recall that the first transition happened because of the edge e and that q is not in Q ;w. We shall consider two cases again, one where the unique immediate Y post-dominator of q is defined and one where it is not.
Subcase 1: When the unique immediate Y post-dominator ipd_Y(q) is defined. We proceed by considering two subcases of Subcase 1, one where Φ_q is true and one where Φ_q is false.
Subcase 1(a): When Φ_q is true. Since Φ_q is true we have that all the variables in con(e) are low and thus ∃d_1' = d_1 and (σ_12, δ_12) ≡ (σ_11, δ_11) (this is ensured by our assumptions that sec_{Y,L}(TA) and the predicate A_e of the condition C2 (a), which takes care of the explicit flows arising from the assignment in the edge e) such that q, σ_2, δ_2 = q_01, σ_02, δ_02 Since q is not in Q ;w, note that q_11 is also not in Q ;w, and thus, using that (σ_12, δ_12) ≡ (σ_11, δ_11) and our induction hypothesis on the trace q_11, σ_11, δ_11 −d2→ ...
Subcase 1(b): When Φ_q is false. If all the variables in con(e) are low then the proof proceeds as in Subcase 1(a).
Assume now that at least one variable in con(e) is high. Since ipd_Y(q) is defined, there exists j ∈ {1, ..., k} such that q_j1 = ipd_Y(q) and ∀i ∈ {1, .., j − 1} : q_i1 ≠ ipd_Y(q). Therefore we have that Next, using that sec_{Y,L}(TA), condition C2 (a) and Fact 4 give us that ∀x : Since Φ_q is false, (σ_1, δ_1) and (σ_2, δ_2) have the same termination behaviour and thus there exists a trace with q_l2 = ipd_Y(q). It is immediate that ∀x : L(x) = L ⇒ σ_l2(x) = σ_02(x) and ∀r : L(r) = L ⇒ δ_l2(r) = δ_02(r) + d_1' + ... + d_l'. To see how we obtain this result: if t' has started using the edge e, or an edge e' ≠ e where con(e') contains at least one high variable, then the result follows by our assumptions that sec_{Y,L}(TA), condition C2 (a) and Fact 4. If instead t' has started using an edge e' ≠ e and con(e') contains only low variables, then (σ_1, δ_1) is a witness of sat(con(e) ∧ con(e')) and the result follows by our assumptions that sec_{Y,L}(TA), condition C2 (b) and Fact 4. Therefore in any case (σ_j1, δ_j1) ≡ (σ_l2, δ_l2). Now if ipd_Y(q) = q_k1 the proof is complete. Otherwise ipd_Y(q) is not in Q ;w and the proof follows by induction on the trace
Subcase 2: When the unique immediate Y post-dominator of q is not defined. In that case, all the variables in con(e) are low. Therefore, if e ; w we proceed similarly to Main Case 1, otherwise we proceed as in Subcase 1(a). This completes our proof.
We consider two main cases: one where q is in Q ;w and one where it is not.
Main Case 1: When q is in Q ;w. If the trace t of q, σ_1, δ_1 visits only nodes that can reach Y (∀i : Π_(q_i1,Y) ≠ ∅) then we proceed similarly to the proof of Main Case 1 of Lemma 1, using the results (a) and (b) of the fact proven there. Therefore if t is infinite we can show that (σ_2, δ_2) can simulate the first m steps of (σ_1, δ_1), and this gives us the desired trace t'. Similarly, in case t is a finite unsuccessful trace that stops at the node q_n1, where q_n1, σ_n1, δ_n1 is stuck, we can also show that (σ_2, δ_2) can reach the node q_n1 (using result (a)) and that the resulting configuration will be stuck (using result (b)). Now if the first j > 0 nodes q_01 ... q_j1 visited by t can reach Y, and for the node q_(j+1)1 we have that Π_(q_(j+1)1,Y) = ∅, we can show similarly as before that (σ_2, δ_2) can reach the node q_(j+1)1 (using results (a) and (b)), and thus any further computation will lead to an unsuccessful trace since Π_(q_(j+1)1,Y) = ∅.
Finally, if t visits only nodes that cannot reach Y (∀i : Π_(q_i1,Y) = ∅), so that q itself cannot reach Y, the proof is trivial since all the traces of q, σ_2, δ_2 will be unsuccessful with respect to Y. This completes the proof of Main Case 1.
Main Case 2: When q is not in Q ;w. We now present a finite construction strategy for the desired trace t'.
Construction. We start by looking at the configurations q, σ_1, δ_1 and q, σ_2, δ_2, the unsuccessful trace t of (σ_1, δ_1), and we remember that so far we have created a trace t' = q, σ_2, δ_2 of length l = 0. We proceed according to the following cases.
Case 1: When the unique immediate Y post-dominator ipd_Y(q) of q is defined. We then consider two subcases, one where Φ_q is false and one where Φ_q is true.
Subcase (a): Φ_q is false. Now if the trace t does not visit ipd_Y(q), we have that (σ_1, δ_1) and (σ_2, δ_2) have the same termination behaviour (using that Φ_q is false), and thus there exists a trace t' of (σ_2, δ_2) that never visits ipd_Y(q). But then t' would be an unsuccessful trace with respect to q and the set Y, which contradicts our assumptions.
If the trace t does visit ipd_Y(q), then it has to be the case that ipd_Y(q) is not in Y. Assume now that t starts with an edge e ∈ E_q. If con(e) contains only low variables then ∃d_1' = d_1 and (σ_12, δ_12) ≡ (σ_11, δ_11) (this is ensured by our assumptions that sec_{Y,L}(TA) and the predicate A_e of condition C2 (a), which takes care of the explicit flows arising from the assignment in the edge e) such that q, σ_2, δ_2 = q_02, σ_02, δ_02 where q_12 = q_11. If now m ≤ l + 1 then we have our desired trace t' and we stop. Otherwise, notice that q_11 is also not in Q ;w, and we repeat the Construction by looking at the configurations q_11, σ_11, δ_11 and q_11, σ_12, δ_12, the suffix of t that starts with q_11, σ_11, δ_11, and we remember that so far we have created the trace t' = q_02, σ_02, δ_02 −d_1'→ q_12, σ_12, δ_12 (with q, σ_2, δ_2 = q_02, σ_02, δ_02), which has length l + 1.
Now if con(e) contains at least one high variable, then we look at the first occurrence of ipd_Y(q) in t and let that be the configuration q_h1, σ_h1, δ_h1 for some h > 0. Therefore, since sec_{Y,L}(TA), using condition C2 (a) and Fact 4 we have that ∀x : L(x) = L ⇒ σ_h1(x) = σ_01(x) and ∀r : L(r) = L ⇒ δ_h1(r) = δ_01(r) + d_1 + ... + d_h. Since Φ_q is false, (σ_1, δ_1) and (σ_2, δ_2) have the same termination behaviour, and thus there exist a trace t' ∈ [[TA : q → ipd_Y(q)]](σ_2, δ_2), delays d_1', ..., d_j' with d_1 + ... + d_h = d_1' + ... + d_j', and (σ_j2, δ_j2) such that t' is q, σ_2, δ_2 = q_02, σ_02, δ_02 where q_j2 = ipd_Y(q). Now if j + l ≥ m we have constructed the required trace t'. Otherwise, we have that ∀x : L(x) = L ⇒ σ_j2(x) = σ_02(x) and ∀r : L(r) = L ⇒ δ_j2(r) = δ_02(r) + d_1' + ... + d_j'. To see how we obtain this result: if t' has started using the edge e, or an edge e' ≠ e where con(e') contains at least one high variable, then the result follows by our assumptions that sec_{Y,L}(TA), condition C2 (a) and Fact 4.
If instead t' has started using an edge e' ≠ e and con(e') has only low variables, then (σ_1, δ_1) is a witness of sat(con(e) ∧ con(e')) and the result follows again by our assumptions that sec_{Y,L}(TA), condition C2 (b) and Fact 4. Therefore in any case (σ_h1, δ_h1) ≡ (σ_j2, δ_j2), and thus we repeat the Construction by looking at the configurations q_h1, σ_h1, δ_h1 and q_j2, σ_j2, δ_j2, the suffix of t that starts with q_h1, σ_h1, δ_h1, and we remember that so far we have created the trace t' (with q, σ_2, δ_2 = q_02, σ_02, δ_02).
Subcase (b): Φ_q is true. Then if t starts with the edge e, because sec_{Y,L}(TA), con(e) contains only low variables and we proceed as in Subcase (a).
Case 2: When the unique immediate Y post-dominator ipd_Y(q) of q is not defined. In this case, if t starts with the edge e, because sec_{Y,L}(TA) we have that con(e) contains only low variables. Now if e ; w, working as in Main Case 1 we can get an unsuccessful trace t'; otherwise we proceed as in Subcase (a).

Proof of Theorem 1
Proof. Let Z = {( q, σ, δ , q, σ', δ' )

Fig. 2. Security of TA = (Q, E, I, q•) with respect to L and the Y post-dominator relation

Example 5.
Consider now the automaton SG of Example 1 and the Y post-dominator relation of Example 4.