Verification of Initial-State Opacity in Security Applications of DES

Anooshiravan Saboori and Christoforos N. Hadjicostis

Abstract— Motivated by security applications where the initial state of a system needs to be kept secret (opaque) to outside observers (intruders), we formulate, analyze and verify the notion of initial-state opacity in discrete event systems. Specifically, a system is initial-state opaque if the membership of its true initial state to a set of secret states remains opaque to an intruder who is modeled as an observer of the system activity through some projection map. In other words, based on observations through this map, the observer is never certain that the initial state of the system is within the set of secret states. To verify initial-state opacity, we address the initial-state estimation problem in discrete event systems via the construction of an initial-state estimator. This estimator captures estimates of the initial state of the system which are consistent with all observations obtained so far. We also analyze the properties and complexity of the initial-state estimator.

This material is based upon work supported in part by the National Science Foundation under NSF Career Award No 0092696 and NSF ITR Award No 0426831. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of NSF. The authors are with the Coordinated Science Laboratory, and the Department of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign, IL 61801–2307, USA. Corresponding author: C. N. Hadjicostis, 357 CSL, 1308 West Main Street, Urbana, IL 61801–2307, USA (e-mail: [email protected]).

I. INTRODUCTION

The exchange of vital information over shared cyberinfrastructures in many application areas (ranging from defense and banking to health care and power distribution systems) has increased concerns about the vulnerability of such systems to intruders and other malicious entities. As a result, various notions of security and privacy have received considerable attention from researchers, and work pursued so far can be roughly classified into two main categories. The first approach focuses on carefully characterizing the intruder’s capabilities whereas the second one focuses on the information flow from the system to the intruder [1],[2]. Opacity is a security notion that falls in the second category and aims at determining whether a given system’s secret behavior (i.e., a subset of the behavior of the system that is considered critical and is usually represented by a predicate) is kept opaque to outsiders [3],[4]. More specifically, this requires that an intruder (modeled as an observer of the system’s behavior) is never able to establish the truth of the predicate. In our earlier work [4], we considered opacity with respect to predicates that are state-based. More specifically, assuming that the system under consideration can be modeled as a finite-state automaton with partial observation on its transitions, we defined the secret behavior of the system as the evolution of the system’s state to a set of secret states $S$.

The intruder was assumed to have full knowledge of the system and able to observe the observable transitions in the system. Opacity in this context requires that the intruder can never be certain that the current state of the system is in the set of secret states $S$. This notion of opacity demands that the secret behavior of the system remain opaque until the system enters a state outside the set of secret states $S$. In [4], we also introduced the stronger notion of $K$-step opacity which requires opacity until $K$ observations are made after the system’s state leaves the secret set. This stronger notion is suitable for situations where the secrecy of some states becomes unimportant only after the occurrence of a certain number of events (e.g., the passage of time). In both of these notions of opacity, the set of secret states $S$ is a subset of the system states and is assumed to be constant over the length of the observation.

In this paper, assuming that the initial state of the system is unknown, we consider a notion of opacity in which the secret behavior of the system is defined as the membership of its initial state to a set of secret states $S$. This notion is called initial-state opacity and requires that the intruder can never be certain that the initial state of the system was in the set of secret states $S$. Initial-state opacity can be useful in a variety of applications including the modeling of various security properties in encryption, communication and secure protocols [3]. The following example motivates initial-state opacity in the context of cryptographic protocols.

Example 1: In cryptography, a symmetric cipher combines plain text (original information) bits with a pseudorandom bit stream (key-stream), typically using an XOR operation. For example, message 1010 XOR-ed with keystream 0100 results in the encrypted message 1110. Knowledge of the encrypted message does not reveal the plain text unless the key-stream is compromised.
To create the keystream, one often uses a linear feedback shift register (LFSR) as a pseudo-random number generator (Figure 1). An LFSR is an autonomous shift register whose input (leftmost or most significant) bit is obtained by XOR-ing some predefined combination of the bits that are stored in the shift register. This implies that the input bit is a linear function of the LFSR’s previous state. The initial state of the LFSR is called the seed, and the list of the bit positions that affect the next state is called the tap sequence. The taps are XORed sequentially and then fed back into the register as the leftmost bit. Figure 1 shows an 8-bit LFSR with tapped bits 0,1,7 and seed 10010011. Because the operation of the register is deterministic, the sequence of values produced by the register (which is used as the key-stream for the stream cipher) is completely determined by its seed. For example, assuming that the seed (initial state) of the LFSR in Figure 1 is 10010011, then the next output is 1 (i.e., the rightmost bit shifted out) and the next state of the LFSR becomes 01001001 (because the incoming leftmost bit is given by $1 \oplus 0 \oplus 1 = 0$ and the rest of the bits are the leftmost seven bits of 10010011 with the rightmost bit shifted out). Note that the register has a finite number of possible states ($2^8$ states), so it must eventually enter a repeating cycle. An LFSR with a well-chosen feedback function (taps) and initial state¹ can have a very long cycle and can produce a sequence of bits which appears random. Alternative structures to the conventional LFSR do exist (see, for example, the idea of a clock mechanism in [5]).

Fig. 1. A conventional 8-bit LFSR with tapped bits 0,1,7 and seed (initial state) 10010011. [Figure not reproduced: the register cells hold 1 0 0 1 0 0 1 1, with the rightmost cell marked as the least significant bit.]

A5/1 is a stream cipher that is used to encrypt messages in GSM mobile phone systems. It is based on a combination of three LFSRs with clocking mechanisms and was kept secret by GSM companies for a long time. Anderson [6] first identified and published the general structure of A5/1 and later, Briceno et al. [7] reverse-engineered this protocol. An intruder/observer can interact with this protocol by inserting some plain text and observing the ciphered text in order to find the seed. Note that finding the seed is equivalent to finding the stream of the keys that were used to encrypt all previous messages. Hence, if the intruder records all of the (encrypted) conversation, after finding the seed, he/she can go back and decrypt them using the key-stream. Clearly, many of the security concerns about this protocol can be recast in the framework of this paper: is there a seed for which there exists a sequence of inputs that reveals that seed? We can obtain the answer to this question by formulating the problem as an initial-state opacity problem. [Note that if there is such a seed, one might be interested in how long (in terms of input size) it takes for the intruder to detect it.
An answer to this question can be obtained in terms of a problem formulation that involves $K$-step opacity [4]].

There already exists some work on security in DES [8], [9], [10], and our work in this paper is certainly related to it. In particular, the authors of [8] consider finite state Petri nets and define opacity with respect to state-based predicates. Following a language-based approach, the authors of [9] consider multiple observers with different observation capabilities (modeled through different observable transitions); opacity in this setting requires that no observer is able to determine whether the actual trajectory of the system belongs to the secret language that is assigned to it. In both [8] and [9], for opacity to hold, the projection of secret trajectories needs to be verified to be a subset of the projection of the remaining trajectories in the system. The authors of [10] partition the event set into high level and low level events and consider the verification problem of intransitive interference which captures the allowed information flow (e.g. occurrence of certain events) from the high level events to the low level events through a downgrading process. Our work in this paper and [4] essentially extends the notion of opacity defined for Petri nets in [8] to automata.

To verify initial-state opacity, we construct an initial-state estimator which provides estimates of the system’s initial state. We show that a system is initial-state opaque if and only if all initial-state estimates (in its initial-state estimator) contain at least one state outside $S$. Therefore, we can use an initial-state estimator to verify initial-state opacity. Note that, in contrast to [9], opacity in our framework assumes that the states of the system can be partitioned into secret and non-secret ones; this state-based formulation is what enables us to use an estimator to verify opacity. Also note that the notion of initial-state opacity introduced here is not considered in [9]. Our model of the intruder’s capability (in terms of observability power) is different from [10] which makes the two frameworks incomparable.

¹ Clearly, initial state 00000000 would not be a good choice in this example regardless of the choice of tapped bits.

II. PRELIMINARIES AND NOTATION

Let $\Sigma$ be an alphabet and denote by $\Sigma^*$ the set of all finite-length strings of elements of $\Sigma$, including the empty string $\epsilon$. A language $L \subseteq \Sigma^*$ is a subset of the finite-length strings in $\Sigma^*$ [11], [12]. A DES is modeled in this paper as a finite-state deterministic automaton $G = (X, \Sigma, \delta)$, where $X = \{0, 1, \ldots, N-1\}$ is the set of states, $\Sigma$ is the set of events, and $\delta : X \times \Sigma \to X$ is the (partial) state transition function.² Note that in our model the initial state of the DES $G$ is not known.
The function $\delta$ can be extended from the domain $X \times \Sigma$ to the domain $X \times \Sigma^*$ in the routine recursive manner: $\delta(i, ts) := \delta(\delta(i, t), s)$, for $i \in X$, $s \in \Sigma^*$ and $t \in \Sigma$ with $\delta(i, \epsilon) := i$ (and is taken to be undefined if $\delta(i, t)$ is undefined). The behavior of DES $G$ is captured by $L(G) := \{s \in \Sigma^* \mid \exists i \in X, \delta(i, s) \text{ is defined}\}$. We use $L(G, i)$ to denote the set of all traces that originate from state $i$ of $G$ (so that $L(G) = \bigcup_{i=0}^{N-1} L(G, i)$).

In general, only a subset $\Sigma_{obs}$ of the events can be observed. Typically, one assumes that $\Sigma$ can be partitioned into two sets, $\Sigma_{obs}$ and $\Sigma_{uo}$. The natural projection $P_{\Sigma_{obs}} : \Sigma^* \to \Sigma_{obs}^*$ can be used to map any trace executed in the system to the sequence of observations associated with it. This projection is defined recursively as $P_{\Sigma_{obs}}(\sigma s) = P_{\Sigma_{obs}}(\sigma) P_{\Sigma_{obs}}(s)$, $\sigma \in \Sigma$, $s \in \Sigma^*$, with

$$P_{\Sigma_{obs}}(\sigma) = \begin{cases} \sigma & \text{if } \sigma \in \Sigma_{obs}, \\ \epsilon & \text{if } \sigma \in \Sigma_{uo} \cup \{\epsilon\}, \end{cases}$$

where $\epsilon$ represents the empty trace [11], [12]. In the sequel, the index $\Sigma_{obs}$ in $P_{\Sigma_{obs}}$ will be dropped if it is clear from the context.

² If the transition function is defined as $\delta : X \times \Sigma \to 2^X$ (where $2^X$ is the power set of $X$) then the DES is nondeterministic. All the results that follow hold for (or easily translate to) the nondeterministic case as well.

Fig. 2. $G$ with $\Sigma_{obs} = \{\alpha, \beta\}$. [Figure not reproduced: a four-state automaton with states 0, 1, 2, 3 and transitions labeled $\alpha$, $\beta$ and $\delta_{uo}$.]

Any $m \in 2^{X^2}$ is a subset of $X^2$ and contains some pairs of states. In this paper, $m$ will be viewed as a state mapping consisting of a starting state and an ending state. The set of states included as the first (second) component in these pairs is called the set of starting (ending) states of $m$. We denote the set of starting states for state mapping $m$ by $m(1)$ and the set of ending states by $m(2)$. Since we use the notion of state mapping frequently in this paper, we provide some definitions related to it. We say that state mapping $m_1$ refines $m_2$ if the set of starting states of $m_1$ is a subset of the set of starting states of $m_2$. Moreover, if mapping $m_1$ refines $m_2$ and mapping $m_2$ refines $m_1$, then we say that mapping $m_1$ is consistent with $m_2$. We also define the composition operator $\circ : 2^{X^2} \times 2^{X^2} \to 2^{X^2}$ for state mappings $m_1, m_2 \in 2^{X^2}$ as

$$m_1 \circ m_2 := \{(i_1, i_3) \mid \exists i_2 \in X, (i_1, i_2) \in m_1, (i_2, i_3) \in m_2\}.$$

The composition operator takes as inputs two sets of 2-tuples and produces as output another set of 2-tuples by including all 2-tuples with the first element borrowed from a 2-tuple in the first input set and the second element borrowed from a 2-tuple in the second set, as long as these two 2-tuples share the same second/first element.

We can map any observation of finite but arbitrary length in DES $G$ to a state mapping by using the mapping $M : \Sigma_{obs}^* \to 2^{X^2}$ defined as

$$M(s) = \{(i, j) \mid i, j \in X, \exists t \in \Sigma^*, P(t) = s, \delta(i, t) = j\},$$

which we call the $s$-induced state mapping. The 2-tuple $(i, j) \in M(s)$ implies that there exists a sequence of events that starts from state $i$ and ends in state $j$, and produces observation $s$. We also define the binary relation $R$ on $\Sigma_{obs}^* \times \Sigma_{obs}^*$ as $sRt$ if and only if $M(s) = M(t)$. Clearly $R$ is an equivalence relation and, thus, induces a partition on $\Sigma_{obs}^*$. The number of equivalence classes induced by $R$ is at most $2^{N^2}$ where $N$ denotes the number of states. Finally, for any $Z \subseteq X$, we define the operator $\odot : 2^X \to 2^{X^2}$ to represent $Z \odot Z := \{(i, i) \mid i \in Z\}$. The following example illustrates the concept of state mappings and their composition.
Example 2: In this example, we consider the DES $G$ represented in Figure 2 with $\Sigma_{obs} = \{\alpha, \beta\}$ and $X = \{0, 1, 2, 3\}$. First we construct the $\alpha$-induced state mapping, i.e., $M(\alpha)$. Observe that $\alpha$ can be observed from states 0 and 2. Upon this observation, if the initial state was 0, the ending state can be any of the states in $\{0, 1, 2, 3\}$. However, if the initial state was 2, the ending state could only be in $\{1, 3\}$. Hence $M(\alpha) = \{(0, 0), (0, 1), (0, 2), (0, 3), (2, 1), (2, 3)\}$. Following the same reasoning as in the case of $M(\alpha)$, we have $M(\beta) = \{(1, 0), (1, 1), (1, 2), (1, 3), (3, 1), (3, 3)\}$. The composition of these two state mappings is $M(\alpha) \circ M(\beta) = \{(0, 0), (0, 1), (0, 2), (0, 3), (2, 0), (2, 1), (2, 2), (2, 3)\}$ and indicates that if we observe $\alpha\beta$, we could start from state 0 or 2 and end up in any of the system states (0, 1, 2 or 3).

III. INITIAL-STATE OPACITY

In certain applications, such as encryption, some vital initial information (e.g., the key used for encryption or the seed used in the LFSR in Example 1) should be kept secret from an outside observer for the whole length of operation. Motivated by such requirements, we define in this section initial-state opacity in DES that are modeled as finite-state automata with unknown initial state.³ Initial-state opacity requires that the membership of the initial state to the set of secret states $S$ remains opaque to an external observer who is observing the events that occur in the system through a fixed (static) projection map $P$. In other words, in an initial-state opaque system, the outside observer will never be able to infer that the initial state of the system was in the set of secret states $S$. The following definition defines this property formally.

Definition 1 (Initial-State Opacity): Given a deterministic finite-state automaton $G = (X, \Sigma, \delta)$, a projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, and a set of secret states $S \subseteq X$, automaton $G$ is initial-state opaque with respect to $S$ and $P$ (or $(S, P, \infty)$ initial-state opaque), if for all $i \in S$ and for all $t \in L(G, i)$ we have

$$\exists j \in X - S, \ \exists s \in L(G, j), \ P(s) = P(t).$$

According to Definition 1, the system $G$ is $(S, P, \infty)$ initial-state opaque if for every string $t$ that originates from a state in the secret set $S$ there exists a string $s$ that originates from a state outside $S$ and has the same projection as $t$. To verify this property, in the following section, we introduce initial-state estimates and a finite-state automaton (called initial-state estimator) that captures such estimates. We show that this estimator models the behavior of the intruder in our framework and hence can be used for verification purposes.
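Definition 1 applied to the register of Example 1, as an added example that is not code from the paper: the 256 register contents are the states, and the set of seeds consistent with the observed output bits shrinks with every observation. Treating every output bit as directly observable is an assumption of this sketch, and tap positions are counted from the leftmost bit because that convention reproduces the worked step in Example 1; all function names are illustrative.

```python
"""Added example: the 8-bit LFSR of Example 1 as an initial-state estimation problem."""
from __future__ import annotations

WIDTH = 8
TAPS = (0, 1, 7)  # tapped bits from Example 1, counted from the leftmost bit


def step(state: str) -> tuple[str, str]:
    """Clock the register once; return (next_state, output_bit)."""
    feedback = 0
    for pos in TAPS:
        feedback ^= int(state[pos])
    # The rightmost bit is shifted out; the feedback bit enters on the left.
    return str(feedback) + state[:-1], state[-1]


def keystream(seed: str, n: int) -> str:
    """First n output bits produced when the register starts in `seed`."""
    bits, state = [], seed
    for _ in range(n):
        state, out = step(state)
        bits.append(out)
    return "".join(bits)


# Every possible initial state of the register, as 8-character bit strings.
ALL_SEEDS = [format(v, f"0{WIDTH}b") for v in range(2 ** WIDTH)]


def initial_state_estimates(observed: str) -> list[set[str]]:
    """Entry k is the set of seeds consistent with the first k observed bits."""
    return [
        {s for s in ALL_SEEDS if keystream(s, k) == observed[:k]}
        for k in range(len(observed) + 1)
    ]


def bits_until_revealed(seed: str, secret: set[str]) -> int | None:
    """Number of observed bits after which every consistent seed is in `secret`.

    After WIDTH bits the estimate is the single true seed, so None means the
    true seed is not secret and membership in `secret` is never established.
    """
    observed = keystream(seed, WIDTH)
    for k, estimate in enumerate(initial_state_estimates(observed)):
        if estimate <= secret:
            return k
    return None


if __name__ == "__main__":
    seed = "10010011"  # seed used in Example 1
    print("one clock:", step(seed))
    sizes = [len(e) for e in initial_state_estimates(keystream(seed, WIDTH))]
    print("estimate sizes per observed bit:", sizes)
    print("bits until the seed itself is pinned down:", bits_until_revealed(seed, {seed}))
```

Under these assumptions no non-empty secret set of seeds is opaque for the bare register, which is why practical designs such as the A5/1 construction mentioned in Example 1 do not expose a single LFSR's output directly.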
Remark 1: Related to initial-state opacity is the notion of diagnosability which is defined by assuming that the states of the system can be partitioned into two sets: faulty states ($F$) and normal states ($X - F$) [13]. The system is diagnosable if there exists an integer $K \geq 0$ such that the failure can be detected and isolated after the occurrence of at most $K$ events following the occurrence of the failure. Assuming that failure occurs before the initialization of the diagnoser and also that $S$ comprises the set of faulty states, then $G$ being diagnosable implies that the system is not $(S, P, \infty)$ initial-state opaque. However initial-state opacity is not the inverse of diagnosability: for a system not to be diagnosable, there must exist at least two infinite traces with the same projection such that one starts in the set of faulty states (secret states) and one starts in the set of normal states (non-secret states). On the other hand, for initial-state opacity we need this to be true for all traces that start in faulty states (secret states).

³ One could also handle the case of partially known initial state but we do not discuss that case explicitly due to space limitations.

IV. INITIAL-STATE ESTIMATION

Given an observed sequence of labels, the initial-state estimation problem requires the enumeration of all states from which this observed sequence of labels could have originated. We call this estimate the initial-state estimate and define it formally as follows.

Definition 2 (Initial-State Estimate): Given a deterministic finite-state automaton $G = (X, \Sigma, \delta)$ and a projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, the initial-state estimate after observing string $s$ is defined as

$$\hat{X}_0(s) = \{i \mid i \in X, \exists t \in \Sigma^*, P(t) = s, \delta(i, t) \text{ is defined}\}.$$

Remark 2: There are two problems in testing of finite state machines (refer to [14] for a detailed survey) that relate to the initial state estimation problem. (i) In the initial state identification problem, the goal is to identify a sequence of inputs (called distinguishing sequence), if it exists, to uniquely identify the unknown initial state of the system. (ii) In the initial state verification problem, the goal is to identify a sequence of inputs (called unique input/output (UIO) sequence), if it exists, to verify that the system starts from a known initial state. The notion of partial observation in our framework makes the problem of initial state estimation more general than the problems considered in [14].

In order to capture initial-state estimates, the first method that comes to mind is to use the sequence of observations to back-propagate the state trajectory using the system model (to obtain all initial states that could generate the sequence of observations). Though straightforward, this method requires storing all of the observations, which is not feasible since the system might generate a sequence of arbitrary length (e.g., in an online application of this problem). Therefore, we need to find a way to map all possible sequences of observations to a set with finite elements so that we can store them with finite memory; clearly, the mapped elements need to contain the same amount of information regarding the initial state of the system as the original sequence of observations.
Equivalently, we need to find a finite structure that allows us to process (perhaps recursively and online) information about the initial state as observations are coming in. Next we introduce an algorithm which generates the initial-state estimator $G_{\infty,obs}$, a finite automaton driven by observable events, in which each state is associated with a unique state mapping. To construct the estimator, we start from a state in which nothing about the initial system state is known: specifically, the state mapping associated with this initial state of the estimator is $X \odot X$ where $X$ is the set of states of the system. When the first observation is made, the induced state mapping corresponding to that observation is taken as the next state of the estimator. After that, the observation of a label causes $G_{\infty,obs}$ to transition to the state associated with the state mapping obtained by composing the previous state mapping and the mapping induced by the new observation. The information captured by this composed state mapping (and thus by each state of $G_{\infty,obs}$) is the following: we keep track of all pairs of one starting state and one ending state such that we can reach the ending state from the starting state via a sequence of events that generates the observed sequence of events. This is all the information we need to keep in order to update the necessary information as more labels are observed: at any given time, the state mapping gives information about the current state and initial-state estimates (and the connections between them) through its pairs of starting and ending states. Note that this structure (which will be defined formally shortly) is guaranteed to be finite and has at most $2^{N^2}$ states where $N$ is the number of states of the finite automaton $G$.

The initial-state estimator, when considered as a finite-state machine, summarizes the effect of any sequence of observations on the estimate of the initial state. This summary, along with a summary of the effect of the observations on the estimate of current state and possible paths between initial and current state estimates, is independent of the observation length; hence multiple observations might be mapped to the same state in the initial-state estimator, demonstrating the fact that they impose identical constraints on the initial/current state estimates and the possible paths between them. This emphasizes the importance of state mappings as a tool for compressing the information necessary and enabling us to perform initial-state estimation using finite memory. In other words, we can think of the state mappings as a way to partition the set of all observation sequences, of arbitrary but finite length, into a finite number of equivalence classes. Two strings belong to the same equivalence class if they induce the same state mapping. The following algorithm describes the construction of the initial-state estimator formally.
Definition 3 (Initial-State Estimator (ISE)): Given a deterministic finite-state automaton $G = (X, \Sigma, \delta)$ and a projection map $P$ with respect to the set of observable events $\Sigma_{obs}$, we define the initial-state estimator as the deterministic automaton $G_{\infty,obs} = AC(2^{X \times X}, \Sigma_{obs}, \delta_{\infty,obs}, X_{\infty,0})$ with state set $2^{X \times X}$ (power set of $X \times X$), event set $\Sigma_{obs}$, initial state $X_{\infty,0} = X \odot X$, and state transition function $\delta_{\infty,obs} : 2^{X \times X} \times \Sigma_{obs} \to 2^{X \times X}$ defined for $\alpha \in \Sigma_{obs}$ as

$$m' = \delta_{\infty,obs}(m, \alpha) := m \circ M(\alpha),$$

where $m, m' \in 2^{X \times X}$. Recall that $M(\alpha)$ denotes the state mapping that is induced by observing $\alpha$ at the beginning of the observation. Also, $\delta_{\infty,obs}$ can be extended to include strings in the usual manner. If we let $X_{\infty,obs} \subseteq 2^{X \times X}$ be the reachable states from the initial state $X_{\infty,0}$ under $\delta_{\infty,obs}$, then $G_{\infty,obs} = (X_{\infty,obs}, \Sigma_{obs}, \delta_{\infty,obs}, X_{\infty,0})$.

Remark 3: In [15], a finite tree, called unique input-output (UIO) tree, is constructed using the concepts of path vector and vector perturbation which are special cases of a state mapping since in a path vector, each element in the set of starting states is mapped to exactly one element in the set of ending states (this follows from the assumption of full-observation in [15]), whereas in a state mapping, this association can be one-to-many.

Note that $G_{\infty,obs}$ is a deterministic structure with initial state $X \odot X$. In the following lemma, we show that the set of starting and ending states associated with a state of the estimator $G_{\infty,obs}$ that is reached via a string $s$ are respectively the set of states from which the observation $s$ could have originated and the set of states that can be reached from such initial states.

Lemma 1: If state $m$ in $G_{\infty,obs}$ (as constructed in Definition 3) is reachable from initial state $X_{\infty,0} = X \odot X$ via string $s$, then $m$ is associated with a state mapping that satisfies

$$m = \{(i, j) \mid i, j \in X, \exists t \in \Sigma^*, P(t) = s, \delta(i, t) = j\}.$$


Proof: Assume $s = \alpha_0 \ldots \alpha_n$ and denote the sequence of states visited in $G_{\infty,obs}$ via $s$ by $m_0, \ldots, m_{n+1}$. We prove the result by induction: for $s = \alpha_0$, the statement is true by construction. Now assuming that the lemma holds for $s = \alpha_0 \alpha_1 \ldots \alpha_{n-1}$, we prove it for $s = \alpha_0 \ldots \alpha_n$. Recall that $m_{n+1}$ is a state in $G_{\infty,obs}$ reachable from the initial state with string $s$ (in the Lemma state $m_{n+1}$ is denoted by $m$). By construction, we have

$$\begin{aligned}
m_{n+1} &= m_n \circ M(\alpha_n) \\
&= \{(i, k) \mid \exists j \in X, (i, j) \in m_n, (j, k) \in M(\alpha_n)\} && (1) \\
&= \{(i, k) \mid \exists j \in X, i, k \in X, \exists t^{n-1} \in \Sigma^*, P(t^{n-1}) = \alpha_0 \alpha_1 \ldots \alpha_{n-1}, \delta(i, t^{n-1}) = j, (j, k) \in M(\alpha_n)\} && (2) \\
&= \{(i, k) \mid \exists j \in X, i, k \in X, \exists t^{n-1} \in \Sigma^*, P(t^{n-1}) = \alpha_0 \alpha_1 \ldots \alpha_{n-1}, \delta(i, t^{n-1}) = j, \exists t_n \in \Sigma^*, P(t_n) = \alpha_n, \delta(j, t_n) = k\} && (3) \\
&= \{(i, k) \mid i, k \in X, \exists t^n \in \Sigma^*, P(t^n) = \alpha_0 \alpha_1 \ldots \alpha_n, \delta(i, t^n) = k\},
\end{aligned}$$

where (1) follows from the definition of the $\circ$ operator, (2) follows from the induction hypothesis, and (3) follows from the definition of $M(\alpha_n)$. Note that in the last line, we use $t^n = t^{n-1} t_n$. If we rename $k$ to $j$, $t^n$ to $t$, and replace $\alpha_0 \alpha_1 \ldots \alpha_n$ with $s$, the proof is completed.

Next we prove that the set of starting states in the state mapping associated with the state of $G_{\infty,obs}$ reached via string $s$ are the estimates of the initial state after observing string $s$ according to Definition 2.

Theorem 1: The initial-state estimate after observing $s$, $\hat{X}_0(s)$, can be captured using the ISE as follows: suppose $\delta_{\infty,obs}(X_{\infty,0}, s) = m$, then $\hat{X}_0(s) = m(1)$.

Proof: By Lemma 1, $m = \delta_{\infty,obs}(X_{\infty,0}, s) = \{(i, j) \mid i, j \in X, \exists t \in \Sigma^*, P(t) = s, \delta(i, t) = j\}$. Therefore,

$$\begin{aligned}
m(1) &= \{i \mid (i, j) \in m\} \\
&= \{i \mid i \in X, \exists j \in X, \exists t \in \Sigma^*, P(t) = s, \delta(i, t) = j\} \\
&= \{i \mid i \in X, \exists t \in \Sigma^*, P(t) = s, \delta(i, t) \text{ is defined}\} \\
&= \hat{X}_0(s),
\end{aligned}$$

which completes the proof.

The following example clarifies the ISE construction.

Example 3: In this example, we consider the DES $G$ represented in Figure 2 with $\Sigma_{obs} = \{\alpha, \beta\}$. On the left of Figure 3, we show the initial-state estimator for this system. As mentioned earlier, the initial uncertainty is assumed to be equal to the state space and hence $m_0 = X \odot X = \{(0, 0), (1, 1), (2, 2), (3, 3)\}$. Upon observing $\alpha$ (and following the notation of Algorithm 3), the next state of the ISE becomes $m' = \delta_\infty(m_0, \alpha) = m_0 \circ M(\alpha) = \{(0, 0), (0, 1), (0, 2), (0, 3), (2, 1), (2, 3)\} = M(\alpha) \equiv m_1$. Example 2 explained how $M(\alpha)$ is synthesized. Note that on the right of Figure 3 we use a graphical way to describe the pairs associated with each state of the ISE. Next, assume that we observe $\beta$ (and following the same reasoning as in the case of $M(\alpha)$) we first obtain $M(\beta) = \{(1, 0), (1, 1), (1, 2), (1, 3), (3, 1), (3, 3)\}$; then, using Example 2 and the notation in Definition 3, we have $m' = \delta_\infty(m_1, \beta) = m_1 \circ M(\beta) = M(\alpha) \circ M(\beta) = \{(0, 0), (0, 1), (0, 2), (0, 3), (2, 0), (2, 1), (2, 2), (2, 3)\} \equiv m_3$. Using this approach for all possible observations (from each state), the ISE construction can be completed as shown in Figure 3.

Fig. 3. Initial-state estimator in Example 3. [Figure not reproduced: the estimator with states $m_0$ through $m_6$ and transitions labeled $\alpha$ and $\beta$ (left), and a graphical depiction of the pairs of starting and ending states associated with each estimator state (right).]

Remark 4: In the above discussions, it is assumed that the initial uncertainty about the initial state equals the state space $X$ (i.e., $\hat{X}_0(\epsilon) = X$). If this uncertainty can be reduced to a subset of the state space (i.e., $\hat{X}_0(\epsilon) = X_0 \subset X$), then we can easily modify the ISE construction to account for this additional information by changing the initial state to $X_{\infty,0} = X_0 \odot X_0$.

V. VERIFYING INITIAL-STATE OPACITY

In this section we discuss how the ISE construction can be used to verify initial-state opacity. Recall that initial-state opacity requires that regardless of the string that might be generated by the system (and therefore be observed) no explicit information about the membership of the initial state of the system to the set of secret states $S$ can be inferred. From the previous section we know that we can use the ISE construction to capture all possible information that can be inferred about the initial state from all possible sequences of observation (of any length). Therefore, we can model the intruder as an initial-state estimator and check whether there exist observation sequences that lead to a state in which the associated estimate of the initial state falls completely within the set of secret states $S$.
We formalize this intuition in the following theorem.

Theorem 2: The deterministic finite-state automaton $G = (X, \Sigma, \delta)$ is $(S, P, \infty)$ initial-state opaque if and only if

$$\forall m \in X_{\infty,obs} : m(1) \cap 2^S = \emptyset,$$

where $X_{\infty,obs}$ is the set of states in $G_{\infty,obs}$ that are reachable from the initial state $X_{\infty,0} = X \odot X$ of $G_{\infty,obs}$.

Proof: The condition in the theorem is equivalent to the following: for all $m \in X_{\infty,obs}$,

$$(j, k) \in m, \ j \in S \Rightarrow \exists (j', k') \in m, \ j' \in X - S,$$

which implies that there is no point along the observation sequence such that the estimate of the initial state is entirely within the set of secret states; in other words, the condition in the theorem is equivalent to the fact that the system is $(S, P, \infty)$ initial-state opaque.

Example 4: Consider the finite-state automaton $G$ in Figure 2 and the corresponding ISE in Figure 3. This system is not $(\{1\}, P, \infty)$ initial-state opaque due to the existence of state $m_6$ in the ISE, which can be reached via sequences of the form $\beta\alpha(\alpha + \beta)^*$. Since $m_6 = \{(1, 0), (1, 1), (1, 2), (1, 3)\}$, its only possible starting state is $\{1\}$ which is within $S$ (i.e., $m_6(1) \cap 2^S \neq \emptyset$). This means that observing any string of the form $\beta\alpha(\alpha + \beta)^*$ positively determines the initial state as state 1 which is within the secret set (and hence violates initial-state opacity).

Remark 5: In order to verify initial-state opacity using Theorem 2, we need to construct the ISE and check whether each of the set of starting states of the state mappings associated with states of the ISE contains an element outside the set of secret states $S$. As a result, checking for initial-state opacity has space complexity $O(2^{N^2})$ and similar time complexity. Observe that this method of checking for initial-state opacity has the benefit that if $S$ is changed, we can still use the same construction for verification purposes.
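The estimator of Definition 3 and the test of Theorem 2, run on the system of Examples 2 to 4, as an added example that is not the authors' code. The transition table is an assumption: Figure 2 is not reproduced on this page, so the table was chosen to yield exactly the $M(\alpha)$ and $M(\beta)$ listed in Example 2; the event name `uo` and all function names are illustrative.

```python
"""Added example: initial-state estimator (Definition 3) and the check of Theorem 2."""
from collections import deque

STATES = frozenset({0, 1, 2, 3})
OBSERVABLE = ("alpha", "beta")
# Assumed transition function: picked so that it reproduces M(alpha) and
# M(beta) from Example 2. "uo" stands for the unobservable event.
DELTA = {
    (0, "alpha"): 0, (0, "uo"): 2,
    (2, "alpha"): 1,
    (1, "beta"): 0, (1, "uo"): 3,
    (3, "beta"): 1,
}


def unobservable_reach(state):
    """States reachable from `state` through unobservable events only (itself included)."""
    seen, stack = {state}, [state]
    while stack:
        x = stack.pop()
        for (src, event), dst in DELTA.items():
            if src == x and event not in OBSERVABLE and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def induced_mapping(event):
    """M(event): pairs (i, j) joined by some trace whose projection is `event`."""
    pairs = set()
    for i in STATES:
        for x in unobservable_reach(i):
            if (x, event) in DELTA:
                for j in unobservable_reach(DELTA[(x, event)]):
                    pairs.add((i, j))
    return frozenset(pairs)


def compose(m1, m2):
    """The composition operator on state mappings."""
    return frozenset((i, k) for (i, j) in m1 for (j2, k) in m2 if j == j2)


def build_ise(initial_states=STATES):
    """Reachable estimator states, each mapped to a shortest observation reaching it."""
    induced = {e: induced_mapping(e) for e in OBSERVABLE}
    m0 = frozenset((i, i) for i in initial_states)  # X0 (.) X0, see Remark 4
    reached = {m0: ()}
    queue = deque([m0])
    while queue:
        m = queue.popleft()
        for event in OBSERVABLE:
            nxt = compose(m, induced[event])
            # An empty mapping means the system cannot produce this
            # observation, so it is not kept as an estimator state.
            if nxt and nxt not in reached:
                reached[nxt] = reached[m] + (event,)
                queue.append(nxt)
    return reached


def starting_states(m):
    """m(1): the initial-state estimate carried by estimator state m."""
    return frozenset(i for i, _ in m)


def opacity_violations(secret, initial_states=STATES):
    """Observations whose initial-state estimate lies entirely inside `secret`.

    By Theorem 2 the system is initial-state opaque exactly when this list is empty.
    """
    secret = frozenset(secret)
    return sorted(
        (obs, sorted(starting_states(m)))
        for m, obs in build_ise(initial_states).items()
        if starting_states(m) <= secret
    )


if __name__ == "__main__":
    print("estimator states:", len(build_ise()))
    print("S = {1}:", opacity_violations({1}))  # the violation described in Example 4
    print("S = {2}:", opacity_violations({2}))
```

Because the estimator does not depend on $S$, `build_ise` can be computed once and reused for several candidate secret sets, as noted in Remark 5.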
However, if S is fixed, we can potentially simplify the verification method:⁴ since we no longer need the exact estimate of the initial states but only knowledge of whether the current state is reachable from secret states or not, instead of associating a set of starting states with each ending state (as in the state mapping), one could assign a label to each state in the set of ending states to capture whether the current state is only reachable from non-secret states, secret states, or both. Due to space limitations we leave the details of this method to future work. We would like to mention that in this special case, the space complexity is greatly reduced, but the price for this reduction is that a different set of secret states S′ would require a new construction.

⁴ The authors are grateful to an anonymous reviewer for bringing this possibility to their attention.

VI. CONCLUSIONS

In this paper, motivated by a variety of security applications, we followed a state-based approach to define the notion of initial-state opacity. For a system to be (S, P, ∞) initial-state opaque, the membership of the initial state of the system to the set of secret states S needs to remain opaque (for the whole length of the observation) to an outside observer who is observing the system behavior through the static projection map P. To verify initial-state opacity, we introduced the initial-state estimator which provides initial-state estimates. We showed that for a system to be initial-state opaque, all initial-state estimates associated with states of this estimator need to contain at least one state outside the secret set S. Our future work will focus on designing minimally restrictive supervisors which can disable some of the controllable events in the given system in order to restrict the information flow. For example, one goal might be to ensure initial-state opacity while keeping the behavior of the supervised system within some predefined legal behavior.

ACKNOWLEDGEMENT

The authors are grateful to Hamed Okhravi for suggesting the A5/1 protocol as a motivational example.

REFERENCES

[1] R. Focardi and R. Gorrieri, “A taxonomy of trace-based security properties for CCS,” in Proc. of the 7th Workshop on Computer Security Foundations, June 1994, pp. 126–136.
[2] S. Schneider and A. Sidiropoulos, “CSP and anonymity,” in Proc. of the 4th European Symposium on Research in Computer Security, September 1996, pp. 198–218.
[3] J. Bryans, M. Koutny, L. Mazare, and P. Ryan, “Opacity generalised to transition systems,” in Proc. of the 3rd International Workshop on Formal Aspects in Security and Trust, July 2005, pp. 81–95.
[4] A. Saboori and C. N. Hadjicostis, “Notions of security and opacity in discrete event systems,” in Proc. of the 46th IEEE Conference on Decision and Control, December 2007, pp. 5056–5061.
[5] D. K. Pradhan and M. Chatterjee, “GLFSR — a new test pattern generator for built-in-self-test,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 18, no. 2, pp. 238–247, February 1999.
[6] R. Anderson, “On Fibonacci keystream generators,” in Proc. of International Workshop on Fast Software Encryption, 1995, pp. 346–352.
[7] M. Briceno, I. Goldberg, and D. Wagner. A pedagogical implementation of the GSM A5/1 and A5/2 voice privacy encryption algorithms. [Online]. Available: http://www.scard.org/gsm/a51.html
[8] J. W. Bryans, M. Koutny, and P. Y. A. Ryan, “Modelling opacity using Petri nets,” Electronic Notes in Theoretical Computer Science, vol. 121, pp. 101–115, February 2005.
[9] E. Badouel, M. Bednarczyk, A. Borzyszkowski, B. Caillaud, and Ph. Darondeau, “Concurrent secrets,” in Proc. of the 8th International Workshop on Discrete Event Systems, July 2006, pp. 51–57.
[10] N. Hadj-Alouane, S. Lafrance, L. Feng, J. Mullins, and M. Yeddes, “On the verification of intransitive noninterference in multilevel security,” IEEE Transactions on Systems, Man and Cybernetics, Part B (Cybernetics), vol. 35, no. 5, pp. 948–958, October 2005.
[11] C. Cassandras and S. Lafortune, Introduction to Discrete Event Systems. Kluwer Academic Publishers, 1999.
[12] W. Wonham, Supervisory Control of Discrete-Event Systems, Systems Control Group, Department of Electrical and Computer Engineering, University of Toronto. Available at www.utoronto.ca/DES, 2005.
[13] S. Hashtrudi Zad, H. Kwong, and W. Wonham, “Fault diagnosis in discrete event systems: Framework and model reduction,” IEEE Transactions on Automatic Control, vol. 48, no. 7, pp. 1199–1212, July 2003.
[14] D. Lee and M. Yannakakis, “Principles and methods of testing finite state machines — a survey,” Proc. of the IEEE, vol. 84, no. 8, pp. 1090–1123, August 1996.
[15] K. Naik, “Efficient computation of unique input/output sequences in finite-state machines,” IEEE/ACM Transactions on Networking, vol. 5, no. 4, pp. 585–599, August 1997.
