650 likes | 708 Views
TLS: A TIMED AUTOMATA APPROACH Giuliana Carullo Università degli Studi di Salerno. DID YOU KNOW.
E N D
TLS: A TIMED AUTOMATA APPROACHGiuliana CarulloUniversità degli Studi di Salerno
that for a train crossing it is essential that on detecting the approach of a train, the gate is closed within a certain time bound in order to halt car and pedestrian traffic before the train reaches the crossing
that for a radiation machine the time period during which a cancer patient is subjected to a high dose of radiation is extremely important: a small extension of this period is dangerous and can cause the patient's death.
To put it in a nutshell: Correctness in time-critical systems not only depends on the logical result of the computation but also on the time at which the results are produced.
Whatwillthatmean in termsofautomatatheory? TimedAutomata
Talk outline The central theme of this discussion is timed automata, basically an extension of classical finite-state automata with clock variables. Topics include: • ω-automatarecap • Timedautomata • TLS Handshakeprotocol • Conclusions
ω-automata in short Definition 2.1 A transition tableA is a tuple (∑, S, S0,E) where: • ∑ is an alphabet • S is a finite set of automaton states • S0 ⊆ S is a set of start states • E ⊆ S × S ×∑ is a set of edges The automaton starts in an initial state s ⊆ S0 and if (s, s’, a)∈ E, then the automaton can change its state from s to s’ reading the input symbol a.
ω-automata in short Definition 2.2 Let be σ= σ1σ2… a word over the alphabet ∑ a run r of A over σ is r : s0σ1 s1σ2 … with s0 ⊆ S0 and (si-1, si, σi) ∈E for all i ≥ 1. For such a run r, the set inf(r) consists of the states s ⊆ Sfor each s= si for infinitely many i ≥ 0. Different types of ω-automata are defined by adding an acceptance condition to the definition of the transition table.
Büchi and MullerAutomata A Büchi automatonA is a transition table (∑, S, S0,E) with additional set F ⊆ S of acceptance states. A run r is accepting iff some state s ⊆ F repeats infinitely often along r. In other words, a run r is an accepting run iffinf( r ) ∩ F ≠∅. A Muller automatonA is a transition table (∑, S, S0,E) with an acceptance family F ⊆ 2S. A run r is accepting iff the set of state repeating infinitely often along r equals some set in F. In other words, a run r is an accepting run iffinf(r) ⊆ F.
Büchi AutomataProperties The class of regular ω-languages overagivenalphabetis closed under the Boolean operations and under projection. The emptiness problem (and the equivalence problem) for Büchi automataisdecidable. Deterministic Büchi automata are strictly weakerthannondeterministicones.
TA: intro A timed automaton is an automaton equipped with a clock structure. They can capture interesting aspects of real-time systems: qualitative features- liveness, fairness, nondeterminism. quantitative features - periodicity, bounded response, timing delays.
TimedLanguages • Definition 3.1 • A timed sequenceτ = τ1 ,τ2,… is an infinite sequence of time values τi ∈ R with τi>0. • Following constraints are satisfied: • Monotonicity: τ increases strictly monotonically; that is τi < τi+1 for all i≥1; • Progress: For every t ∈ R, there is some i ≥1 such that τi>t.
TimedLanguages Definition 3.2 A timed word over an alphabet ∑ is a pair (σ, τ) where σ = σ1σ2… is an infinite word over ∑ and τ is a time sequence. If a timed word (σ, τ) is viewed as an input to the automaton, it presents the symbol σi at time τi.
TimedLanguages A simple example of timed language is: Let the alphabet be ∑={a, b}. Define a timed language L to consist of all timed words (σ, τ) where there is no b after time 5. Thus, the language L is given by: L = { (σ, τ) | ∀ ((τi> 5) (σi= a))}
TimedLanguages • Definition 3.3 • Given a set C of clocks, the set of clock constraints, denoted by guard(C); is the set of formulas inductively defined by: • true, false, c ~ n where c ∈ C, n ∈Nand ~ ∈ {>, <, =}, • f1 Λ f2, f1 V f2 where f1 and f2 are formulas in guard(C). • A clock interpretation v for a set of clocks C, assigns a real value to each clock and we say that it satisfies a clock constraint guard(C) iffguard(C) evaluates to true using the value given by v.
TimedAutomaton • Definition 3.4 • A timed automatonover an alphabet ∑ is a tuple A = (L; C; λ; μ; l0; F; E) where: • L is a finite set of locations, • C is a finite set of clocks, • λ: S→∑ is an output function, • μ: S→guard(C), assigns to each location a guard called invariantof the location, • l0∈ L is the initial location, • F ⊆ L is a set of final locations, • E ⊆L ×L × guard(C) × 2Cgives the set of edges between locations labeled by sets of clocks and formulas.
Timedtransitiontable • Definition 3.5 • A timed transition tableA is a tuple (∑, S, S0, C, E) where: • ∑is a finite alphabet, • S is a finite set of states • S0 ⊆ S is a set of start states • C is a finite set of clocks, • E ⊆S × S × ∑ × guard(C) × 2C. • An edge (s, s’, a, c, guard(C)) represents a transition from state s to state s’ on input symbol a. The set λ ⊆ C gives the clocks to be reset with this transition, and guard(C) is a clock constraints over C.
Howitworks Model Event lifetime Event sequence eventi event.setLifetime(int x) event.resetLifetime()
Howitworks The triggering event at a given state is the one with the smallest clock value among all events that are active at that state. When the triggering event occurs, all other event clocks are reduced by the amount of time elapsed since the previous event occurrence, unless an event is deactivated. The age of a currently active event is the time elapsed since its most recent activation. Its residual lifetime is the time remaining until its next occurrence. The clock value of an active event is always its residual lifetime
Howitworks • In order to properly capture the semantics of a timed model, it is required to represent a the set of timed transitions of the automaton as a set of triples in the following form: • ( guard(C), event, reset ) • Where: • guard(C) component is a pre-condition: it specifies the timing condition that need to be satisfied on some of the clocks for transition to occur; • event∈ E component denotes the event executed by the system upon a certain transition; • reset⊆ C component is a set that lists which clocks are reset to 0 upon completion of a given transition.
Crossingtrain scenario • Required steps: • Train comes along the tracks towards an intersection • Gate comes down, train comes in • Train exits the gate area • Gate raises back up Central Controller
Crossingtrain scenario • Two conditions need to be met: • Safety : The train never enters unless the gate is down and the gate never go up until the train l eaves. • Real time liveness: The gate never stays closed for more than 10 minutes.
Crossingtrain scenario • Büchi automata are closed under union, intersection and complement. C2 C1 S C3
Trainmodel Event set Communicationwith CC Train’s events Safety Liveness
Gatemodel Communicationwith CC Gate’s events Timing Event set
Controller model Event set Messageexchange
TimedAutomataProperties • Undecidability:The language inclusion checking problem i.e. to check L(A) µ L(B) is undecidable. • Closure properties: NTA are closed under union and intersection but, surprisingly, not under complementation. The deterministic classes are closed under all Boolean operations. Expressiveness Properties Every DTBAs can be expressed as a DTMA simply by rewriting its acceptance condition. However the converse does not hold
TimedAutomataImplementability Implementation Digitalclocks Delayedsynchronization Reactiontime = ε Model Perfectcontinuousclocks Instantaneoussynchronization Reactiontime = 0 ? CorrectmodelCorrectimplementation
Transport Layer Security
Cryptology Cryptography Cryptoanalysis
Transport Layer Security • Transport Layer Security (TLS) and itspredecessor, SecureSockets Layer (SSL), are cryptographicprotocolsthatprovidecommunication security over the Internet. • The encrypt the segmentsof network connectionsabove the Transport Layer, using: • asymmetriccryptographyfor key exchange, • symmetricencryptionfor privacy, • and messageauthenticationcodesformessageintegrity. • The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent eavesdropping.
UPPAAL UPPAAL is an integrated suite for modeling, validation and automatic verification of safety and bounded liveness properties of real-time systems modeled as networks of timed automata.
UPPAAL-Atomic clock constraint Definition 1. Let C be a set of real valued clocks an I a set of integer valued variables. An atomic clock constraint over C is a constraint of the form: x ~ n, for x ∈ C, ~ ∈ { ≤ , ≥ , = } and n ∈ N. An atomic integer constraint over I is a constraint of the form: i~ n, for i ∈ I, ~ ∈ { ≤ , ≥ , =} and n ∈ Z. By Cc(C) we denote the set of all clock constraints over C, and Ci(I) denotes the set of all integer constraints over I.
UPPAAL-guard Definition 2. Let C be a set of real valued clocks and I a set of integer valued variables. A guard g over C and I is a formula generated by the following syntax: g ::= c|g ∧ g, where c ∈ (Cc(C) U Ci(I)). B(C, I) stands for the set of all guards over C and I.
UPPAAL-clockassignment Definition 3. Let C be a set of real valued clocks and I a set of integer valued variables. A clock assignment over C is a tuple (v, c), where v ∈ C and c ∈ N. An integer assignment over I is a tuple (v, c1, c2) representing the assignment v = C1· v + c2, where v ∈ I and C1, c2 ∈ Z. We will use A(C, I) to denote the power-set of all assignments over I and C.
UPPAAL-timedautomaton Definition 4. A timed automaton A over a finite set of actions Act, clocks C, and integer variables I is a tuple (L, l0,E) , where L is a finite set of nodes (control-nodes), l0 is the initial node, and E ⊆ L×B(C, I)×Act×A(C, I)×L is the set of edges. We will write: to denote