Runtime Enforcement of Cyber-Physical Systems

Authors:
Srinivas Pinisetty

Aalto University, Finland and University of Gothenburg, Sweden

Aalto University, Finland and University of Gothenburg, Sweden
View Profile

,
Partha S. Roop

University of Auckland, New Zealand

University of Auckland, New Zealand
View Profile

,
Steven Smyth

Kiel University, Germany

Kiel University, Germany
View Profile

,
Nathan Allen

University of Auckland, New Zealand

University of Auckland, New Zealand
View Profile

,
Stavros Tripakis

Aalto University, Finland and UC Berkeley, USA

Aalto University, Finland and UC Berkeley, USA
View Profile

,
Reinhard Von Hanxleden

Kiel University, Germany

Kiel University, Germany
View Profile

Authors Info & Claims

ACM Transactions on Embedded Computing Systems Volume 16 Issue 5sArticle No.: 178pp 1–25https://doi.org/10.1145/3126500

Published:27 September 2017Publication History

ACM Transactions on Embedded Computing Systems

Abstract

Many implantable medical devices, such as pacemakers, have been recalled due to failure of their embedded software. This motivates rethinking their design and certification processes. We propose, for the first time, an additional layer of safety by formalising the problem of run-time enforcement of implantable pacemakers. While recent work has formalised run-time enforcement of reactive systems, the proposed framework generalises existing work along the following directions: (1) we develop bi-directional enforcement, where the enforced policies depend not only on the status of the pacemaker (the controller) but also of the heart (the plant), thus formalising the run-time enforcement problem for cyber-physical systems (2) we express policies using a variant of discrete timed automata (DTA), which can cover all regular properties unlike earlier frameworks limited to safety properties, (3) we are able to ensure the timing safety of implantable devices through the proposed enforcement, and (4) we show that the DTA-based approach is efficient relative to its dense time variant while ensuring that the discretisation error is relatively small and bounded. The developed approach is validated through a prototype system implemented using the open source KIELER framework. The experiments show that the framework incurs minimal runtime overhead.

References

Weiwei Ai, Nitish Patel, and Partha Roop. 2016. Requirements-centric closed-loop validation of implantable cardiac devices. In Design, Automation 8 Test in Europe Conference 8 Exhibition (DATE), 2016. IEEE, 846--849 Google ScholarDigital Library
Homa Alemzadeh, Ravishankar K. Iyer, Zbigniew Kalbarczyk, and Jai Raman. 2013. Analysis of safety-critical computer failures in medical devices. Security 8 Privacy, IEEE 11, 4 (2013), 14--26. Google ScholarDigital Library
Rajeev Alur and David L. Dill. 1994. A theory of timed automata. Theoretical Computer Science 126, 2 (1994), 183--235. Google ScholarDigital Library
Charles Andre, Frédéric Boulanger, and Alain Girault. 2001. Software implementation of synchronous programs. In Application of Concurrency to System Design, 2001. Proceedings. 2001 International Conference on. IEEE, 133--142. Google ScholarDigital Library
A. Benveniste, P. Caspi, S. A. Edwards, N. Halbwachs, P. Le Guernic, and R. de Simone. 2003. The synchronous languages 12 years later. Proc. IEEE 91, 1 (Jan 2003), 64--83.Google ScholarCross Ref
Roderick Bloem, Bettina Könighofer, Robert Könighofer, and Chao Wang. 2015. Shield synthesis: Runtime enforcement for reactive systems. In TACAS (LNCS), Vol. 9035. Springer. Google ScholarDigital Library
Marius Bozga, Oded Maler, and Stavros Tripakis. 1999. Efficient verification of timed automata using dense and discrete time semantics. In Correct Hardware Design and Verification Methods: 10th IFIP WG10.5 Advanced Research Working Conference, CHARME’99 BadHerrenalb, Germany, September 27--29, 1999 Proceedings, Laurence Pierre and Thomas Kropf (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 125--141. Google ScholarDigital Library
Lei Bu, Qixin Wang, Xin Chen, Linzhang Wang, Tian Zhang, Jianhua Zhao, and Xuandong Li. 2011. Toward online hybrid systems model checking of cyber-physical systems’ time-bounded short-run behavior. SIGBED Rev. 8, 2 (June 2011), 7--10. Google ScholarDigital Library
Taolue Chen, Marco Diciolla, Marta Kwiatkowska, and Alexandru Mereacre. 2013. A simulink hybrid heart model for quantitative verification of cardiac pacemakers. In Proceedings of the 16th International Conference on Hybrid Systems: Computation and Control. ACM, 131--136. Google ScholarDigital Library
Egor Dolzhenko, Jay Ligatti, and Srikar Reddy. 2015. Modeling runtime enforcement with mandatory results automata. Int. J. Inf. Sec. 14, 1 (2015), 47--60. Google ScholarDigital Library
Ylies Falcone, Thierry Jéron, Hervé Marchand, and Srinivas Pinisetty. 2016. Runtime enforcement of regular timed properties by suppressing and delaying events. Science of Computer Programming 123 (2016), 2--41. Google ScholarDigital Library
Yliès Falcone, Laurent Mounier, Jean-Claude Fernandez, and Jean-Luc Richier. 2011. Runtime enforcement monitors: Composition, synthesis, and enforcement abilities. FMSD 38, 3 (2011), 223--262. Google ScholarDigital Library
Nicolas Halbwachs, Fabienne Lagnier, and Pascal Raymond. 1994. Synchronous observers and the verification of reactive systems. In Algebraic Methodology and Software Technology (AMAST’93). Springer, 83--96. Google ScholarDigital Library
Zhihao Jiang, Miroslav Pajic, Rajeev Alur, and Rahul Mangharam. 2014. Closed-loop verification of medical devices with model abstraction and refinement. International Journal on Software Tools for Technology Transfer 16, 2 (2014), 191--213. Google ScholarDigital Library
Z. Jiang, M. Pajic, and R. Mangharam. 2012. Cyber-physical modeling of implantable cardiac medical devices. Proc. IEEE 100, 1 (Jan 2012), 122--137.Google Scholar
Zhihao Jiang, Miroslav Pajic, Salar Moarref, Rajeev Alur, and Rahul Mangharam. 2012. Modeling and verification of a dual chamber implantable pacemaker. In Proceedings of the 18th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’12). Springer-Verlag, Berlin, Heidelberg, 188--203. Google ScholarDigital Library
Marta Kwiatkowska, Harriet Lea-Banks, Alexandru Mereacre, and Nicola Paoletti. 2014. Formal modelling and validation of rate-adaptive pacemakers. In Healthcare Informatics (ICHI), 2014 IEEE International Conference on. IEEE, 23--32. Google ScholarDigital Library
Jay Ligatti, Lujo Bauer, and David Walker. 2009. Run-time enforcement of nonsafety policies. ACM Trans. Inf. Syst. Secur. 12, 3, Article 19 (Jan. 2009), 19:1--19:41 pages. Google ScholarDigital Library
Srinivas Pinisetty, Yliès Falcone, Thierry Jéron, Hervé Marchand, Antoine Rollet, and Omer Nguena Timo. 2014. Runtime enforcement of timed properties revisited. FMSD 45, 3 (2014), 381--422. Google ScholarDigital Library
Fred B. Schneider. 2000. Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3, 1 (2000), 30--50. Google ScholarDigital Library
Partha S. Roop Sidharta Andalam, Avinash Malik, and Mark Trew. 2016. Hybrid automata model of the heart for formal verification of pacemakers. In Applied Verification for Continuous and Hybrid Systems (ARCH’16). Vienna, Austria.Google Scholar
Christian von Essen and Barbara Jobstmann. 2013. Program Repair without Regret. Springer, Berlin, Heidelberg, 896--911.Google Scholar
F. Xu, Z. Qin, C. C. Tan, B. Wang, and Q. Li. 2011. IMDGuard: Securing implantable medical devices with the external wearable guardian. In 2011 Proceedings IEEE INFOCOM. 1862--1870.Google Scholar
P. Ye, E. Entcheva, S. A. Smolka, and R. Grosu. 2008. Modelling excitable cells using cycle-linear hybrid automata. IET Systems Biology 2, 1 (2008), 24--32.Google ScholarCross Ref
Eugene Yip, Sidharta Andalam, Partha S. Roop, Avinash Malik, Mark Trew, Weiwei Ai, and Nitish Patel. 2016. Towards the emulation of the cardiac conduction system for pacemaker testing. arXiv Preprint arXiv:1603.05315 (2016).Google Scholar

Index Terms

Runtime Enforcement of Cyber-Physical Systems

Recommendations

Runtime enforcement of reactive systems using synchronous enforcers
SPIN 2017: Proceedings of the 24th ACM SIGSOFT International SPIN Symposium on Model Checking of Software

Synchronous programming is a paradigm of choice for the design of safety-critical reactive systems. Runtime enforcement is a technique to ensure that the output of a black-box system satisfies some desired properties. This paper deals with the problem ...
Read More
Predictive runtime enforcement

Runtime enforcement (RE) is a technique to ensure that the (untrustworthy) output of a black-box system satisfies some desired properties. In RE, the output of the running system, modeled as a sequence of events, is fed into an enforcer. The enforcer ...
Read More
Runtime enforcement of timed properties revisited

Runtime enforcement is a powerful technique to ensure that a running system satisfies some desired properties. Using an enforcement monitor, an (untrustworthy) input execution (in the form of a sequence of events) is modified into an output sequence ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM Transactions on Embedded Computing Systems Volume 16, Issue 5s
Special Issue ESWEEK 2017, CASES 2017, CODES + ISSS 2017 and EMSOFT 2017
October 2017
1448 pages
ISSN:1539-9087
EISSN:1558-3465
DOI:10.1145/3145508
Editor:
Sandeep K. Shukla
Indian Institute of Technology, India
Issue’s Table of Contents
Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States

Journal Family
ACM Journals for the Design of Smart and Connected Systems
Publication History
- Published: 27 September 2017
- Accepted: 1 July 2017
- Revised: 1 June 2017
- Received: 1 April 2017
Published in tecs Volume 16, Issue 5s

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Automata
Cyber-Physical Systems
Runtime Enforcement
Runtime Monitoring
SCCharts
Synchronous Programming
Timed Properties
Qualifiers
- research-article
- Research
- Refereed
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 31
  Total Citations
  View Citations
- 600
  Total Downloads
- Downloads (Last 12 months)136
- Downloads (Last 6 weeks)15
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Runtime Enforcement of Cyber-Physical Systems

ACM Transactions on Embedded Computing Systems

Abstract

References

Cited By

Index Terms

Recommendations

Runtime enforcement of reactive systems using synchronous enforcers

Predictive runtime enforcement

Runtime enforcement of timed properties revisited