An Integrative Framework for Model-Driven Systems Engineering : Towards the Co-Evolution of Simulation, Formal Analysis and Enactment Methodologies for Discrete Event Systems / Un cadre intégratif pour l'ingénierie dirigée par les modèles des systèmes complexes : vers une fusion méthodologique de la simulation à évènements discrets avec l'analyse formelle et le prototypage rapide

Aliyu, Hamzat Olanrewaju

15 December 2016

Les méthodes d’ingénierie dirigée par modèle des systèmes, telles que la simulation, l’analyse formelle et l’émulation ont été intensivement utilisées ces dernières années pour étudier et prévoir les propriétés et les comportements des systèmes complexes. Les résultats de ces analyses révèlent des connaissances qui peuvent améliorer la compréhension d’un système existant ou soutenir un processus de conception de manière à éviter des erreurs couteuses (et catastrophiques) qui pourraient se produire dans le système. Les réponses à certaines questions que l’on se pose sur un système sont généralement obtenues en utilisant des méthodes d’analyse spécifiques ; par exemple les performances et les comportements d’un système peuvent être étudiés de façon efficace dans certains cadres expérimentaux, en utilisant une méthode appropriée de simulation. De façon similaire, la vérification de propriétés telles que la vivacité, la sécurité et l’équité sont mieux étudiées en utilisant des méthodes formelles appropriées tandis que les méthodologies d’émulation peuvent être utilisées pour vérifier des hypothèses temporelles et des activités et comportements impliquant des interactions humaines. Donc, une étude exhaustive d’un système complexe (ou même d’apparence simple) nécessite souvent l’utilisation de plusieurs méthodes d’analyse pour produire des réponses complémentaires aux probables questions. Nul doute que la combinaison de multiples méthodes d’analyse offre plus de possibilités et de rigueur pour analyser un système que ne peut le faire chacune des méthodes prise individuellement. Si cet exercice (de combinaison) permet d’aller vers une connaissance (presque) complète des systèmes complexes, son adoption pratique ne va pas de pair avec les avancées théoriques en matière de formalismes et d’algorithmes évolués, qui résultent de décennies de recherche par les praticiens des différentes méthodes. Ce déficit peut s’expliquer parles compétences mathématiques requises pour utiliser ces formalismes, en combinaison avec la faible portabilité des modèles entre les outils des différentes méthodes. Cette dernière exigence rend nécessaire la tâche herculéenne de créer et de gérer plusieurs modèles du même système dans différents formalismes et pour différents types d’analyse. Un autre facteur bloquant est que la plupart des environnements d’analyse sont dédiés à une méthode d’analyse spécifique (i.e., simulation, ou analyse formelle, ou émulation) et sont généralement difficiles à étendre pour réaliser d’autres types d’analyse. Ainsi, une vaste connaissance de formalismes supportant la multitude de méthodes d’analyse est requise, pour pouvoir créer les différents modèles nécessaires, mais surtout un problème de cohérence se pose lorsqu’il faudra mettre à jour séparément ces modèles lorsque certaines parties du système changent. La contribution de cette thèse est d’alléger les charges d’un utilisateur de méthodes d'analyse multiples, dans sa quête d’exhaustivité dans l’étude des systèmes complexes, grâce à un cadre qui utilise les technologies d’Ingénierie Dirigée par les Modèles (IDM) pour fédérer la simulation, l’analyse formelle et l’émulation. Ceci est rendu possible grâce à la définition d’un langage de spécification unifié de haut niveau, supporté par des capacités de synthèse automatiques d’artéfacts requis par les différentes méthodes d’analyse. (...) / Model-based systems engineering methodologies such as Simulation, Formal Methods (FM) and Enactment have been used extensively in recent decades to study, analyze, and forecast the properties and behaviors of complex systems. The results of these analyses often reveal subtle knowledge that could enhance deeper understanding of an existing system or provide timely feedbacks into a design process to avert costly (and catastrophic) errors that may arise in the system. Questions about different aspects of a system are usually best answered using some specific analysis methodologies; for instance, system's performance and behavior in some specified experimental frames can be efficiently studied using appropriate simulation methodologies. Similarly, verification of properties such as, liveness, safeness and fairness are better studied with appropriate formal methods while enactment methodologies may be used to verify assumptions about some time-based and human-in-the-loop activities and behaviors. Therefore, an exhaustive study of a complex (or even seemingly simple) system often requires the use of different analysis methodologies to produce complementary answers to likely questions. There is no gainsaying that a combination of multiple analysis methodologies offers more powerful capabilities and rigor to test system designs than can be accomplished with any of the methodologies applied alone. While this exercise will provide (near) complete knowledge of complex systems and helps analysts to make reliable assumptions and forecasts about their properties, its practical adoption is not commensurate with the theoretical advancements, and evolving formalisms and algorithms, resulting from decades of research by practitioners of the different methodologies. This shortfall has been linked to the prerequisite mathematical skills for dealing with most formalisms, which is compounded by little portability of models between tools of different methodologies that makes it mostly necessary to bear the herculean task of creating and managing several models of same system in different formalisms. Another contributing factor is that most of existing computational analysis environments are dedicated to specific analysis methodologies (i.e., simulation or FM or enactment) and are usually difficult to extend to accommodate other approaches. Thus, one must learn all the formalisms underlining the various methods to create models and go round to update all of them whenever certain system variables change. The contribution of this thesis to alleviating the burdens on users of multiple analysis methodologies for exhaustive study of complex systems can be described as a framework that uses Model-Driven Engineering (MDE) technologies to federate simulation, FM and enactment analysis methodologies behind a unified high-level specification language with support for automated synthesis of artifacts required by the disparate methodologies. This framework envelops four pieces of contributions: i) a methodology that emulates the Model- Driven Architecture (MDA) to propose an independent formalism to integrate the different analysis methodologies. ii) Integration of concepts from the three methodologies to provide a common metamodel to unite some selected formalisms for simulation, FM and enactment. Iii) Mapping rules for automated synthesis of artifacts for simulation, FM and enactment from a common reference model of a system and its requirements. iv) A framework for the enactment of idiscrete event systems. We use the beverage vending system as a running example throughout the thesis. (...)

Ingénierie Dirigée par les Modèles

SimStudio

HiLLS

Simulation

Analyse Formelle

Emulation

DEVS

Z

Logique Temporelle

Model-Driven Systems Engineering

SimStudio

HiLLS

Simulation

Formal Analysis

Enactment

DEVS

Z

Temporal Logic

thesis.pdf

Jianliang Wu (15926933)

30 May 2023

<p>Bluetooth is the de facto standard for short-range wireless communications. Besides Bluetooth Classic (BC), Bluetooth also consists of Bluetooth Low Energy (BLE) and Bluetooth Mesh (Mesh), two relatively new protocols, paving the way for its domination in the era of IoT and 5G. Meanwhile, attacks against Bluetooth, such as BlueBorne, BleedingBit, KNOB, BIAS, and BThack, have been booming in the past few years, impacting the security and privacy of billions of devices. These attacks exploit both design issues in the Bluetooth specification and vulnerabilities of its implementations, allowing for privilege escalation, remote code execution, breaking cryptography, spoofing, device tracking, etc.</p> <p><br></p> <p>To secure Bluetooth, researchers have proposed different approaches for both Bluetooth specification (e.g., formal analysis) and implementation (e.g., fuzzing). However, existing analyses of the Bluetooth specification and implementations are either done manually, or the automatic approaches only cover a small part of the targets. As a consequence, current research is far from complete in securing Bluetooth.</p> <p><br></p> <p>Therefore, in this dissertation, we propose the following research to provide missing pieces in prior research toward completing Bluetooth security research in terms of both Bluetooth specification and implementations. (i) For Bluetooth security at the specification level, we start from one protocol in Bluetooth, BLE, and focus on the previously unexplored reconnection procedure of two paired BLE devices. We conduct a formal analysis of this procedure defined in the BLE specification to provide security guarantees and identify new vulnerabilities that allow spoofing attacks. (ii) Besides BLE, we then formally verify other security-critical protocols in all Bluetooth protocols (BC, BLE, and Mesh). We provide a comprehensive formal analysis by covering the aspects that prior research fails to include (i.e., all possible combinations of protocols and protocol configurations) and considering a more realistic attacker model (i.e., semi-compromised device). With this model, we are able to rediscover five known vulnerabilities and reveal two new issues that affect BC/BLE dual-stack devices and Mesh devices, respectively. (iii) In addition to the formal analysis of specification security, we propose and build a comprehensive formal model to analyze Bluetooth privacy (i.e., device untraceability) at the specification level. In this model, we convert device untraceability into a reachability problem so that it can be verified using existing tools without introducing false results. We discover four new issues allowed in the specification that can lead to eight device tracking attacks. We also evaluate these attacks on 13 Bluetooth implementations and find that all of them are affected by at least two issues. (iv) At the implementation level, we improve Bluetooth security by debloating (i.e., removing code) Bluetooth stack implementations, which differs from prior automatic approaches, such as fuzzing. We keep only the code of needed functionality by a user and minimize their Bluetooth attack surface by removing unneeded Bluetooth features in both the host stack code and the firmware. Through debloating, we can remove 20 known CVEs and prevent a wide range of attacks again Bluetooth. With the research presented in this thesis, we improve Bluetooth security and privacy at both the specification and implementation levels.</p>

System and network security

Mobile computing

Bluetooth low-energy

Security & privacy factors

Bluetooth Classic

Bluetooth Mesh

Man-in-the-middle (MITM) attacks

Device tracking

Formal Analysis

Program Analysis

Debloating

Spoofing attacks

Reflection attacks

Architektonická skulptura chrámu Matky Boží před Týnem na Starém městě pražském v lucemburském období / Architectural sculpture of Church of Our Lady before Týn in Prague Old Town in Luxembourg period

Peroutková, Jana

January 2014

This thesis looks into the analysis of iconography of the northern lateral portal of the Church of Our Lady before Týn. For this purpose this thesis summarizes the most important historiographical, Artististic Science and source literature related to this relic. Based on researched iconographic analysis this thesis aids to propose all possible solutions iconographic programme which could have been intended for this thesis. Based on the evaluation of literature, sources and on the formal analysis principal the objective of this thesis is to specify significantly problematic dating range (approximately from mid. 13th century up to late 1450) to shorter period of possible origin of the artwork there are also evaluated all available restauration reports and construction historical surveys related to the inspected relic.

Techniques de model-checking pour l’inférence de paramètres et l’analyse de réseaux biologiques / Model checking techniques for parameter inference and analysis of biological networks

Gallet, Emmanuelle

08 December 2016

Dans ce mémoire, nous présentons l’utilisation de techniques de model-checking pour l’inférence de paramètres de réseaux de régulation génétique (GRN) et l’analyse formelle d’une voie de signalisation. Le coeur du mémoire est décrit dans la première partie, dans laquelle nous proposons une approche pour inférer les paramètres biologiques régissant les dynamiques de modèles discrets de GRN. Les GRN sont encodés sous la forme d’un méta-modèle, appelé GRN paramétré, de telle façon qu’une instance de paramètres définit un modèle discret du GRN initial. Sous réserve que les propriétés biologiques d’intérêt s’expriment sous la forme de formules LTL, les techniques de model-checking LTL sont combinées à celles d’exécution symbolique et de résolution de contraintes afin de sélectionner les modèles satisfaisant ces propriétés. L’enjeu est de contourner l’explosion combinatoire en terme de taille et de nombre de modèles discrets. Nous avons implémenté notre méthode en Java, dans un outil appelé SPuTNIk. La seconde partie décrit une collaboration avec des neuropédiatres, qui ont pour objectif de comprendre l’apparition du phénotype protecteur ou toxique des microglies (un type de macrophage du cerveau) chez les prématurés. Cette partie exploite un autre versant du model-checking, celui du modelchecking statistique, afin d’étudier un type de réseau biologique particulier : la voie de signalisation Wnt/β-caténine, qui permet la transmission d’un signal de l’extérieur à l’intérieur des cellules via une cascade de réactions biochimiques. Nous présentons ici l’apport du model-checker stochastique COSMOS, utilisant la logique stochastique à automate hybride (HASL), un formalisme très expressif nous permettant une analyse formelle sophistiquée des dynamiques de la voie Wnt/β-caténine, modélisée sous la forme d’un processus stochastique à événements discrets. / In this thesis, we present the use of model checking techniques for inference of parameters of Gene Regulatory Networks (GRNs) and formal analysis of a signalling pathway. In the first and main part, we provide an approach to infer biological parameters governing the dynamics of discrete models of GRNs. GRNs are encoded in the form of a meta-model, called Parametric GRN, such that a parameter instance defines a discrete model of the original GRN. Provided that targeted biological properties are expressed in the form of LTL formulas, LTL model-checking techniques are combined with symbolic execution and constraint solving techniques to select discrete models satisfying these properties. The challenge is to prevent combinatorial explosion in terms of size and number of discrete models. Our method is implemented in Java, in a tool called SPuTNIk. The second part describes a work performed in collaboration with child neurologists, who aim to understand the occurrence of toxic or protective phenotype of microglia (a type of macrophage in the brain) in the case of preemies. We use an other type of model-checking, the statistical model-checking, to study a particular type of biological network: the Wnt/β- catenin pathway that transmits an external signal into the cells via a cascade of biochemical reactions. Here we present the benefit of the stochastic model checker COSMOS, using the Hybrid Automata Stochastic Logic (HASL), that is an very expressive formalism allowing a sophisticated formal analysis of the dynamics of the Wnt/β-catenin pathway, modelled as a discrete event stochastic process.

Analyse formelle de réseaux biologiques

Réseau de régulation génétique

Modèle discret de Thomas

Inférence de paramètres

Model-checking LTL

Voie Wnt/bêta-caténine

Modélisation stochastique

Model-checking HASL

Formal analysis of biological networks

Genetic regulatory network

Thomas discrete modelling

Parameters inference

LTL model checking

Wnt/β-catenin pathway

Stochastic modelling

HASL model checking

Support consumers' rights in DRM : a secure and fair solution to digital license reselling over the Internet

Gaber, Tarek

January 2012

Consumers of digital contents are empowered with numerous technologies allowing them to produce perfect copies of these contents and distribute them around the world with little or no cost. To prevent illegal copying and distribution, a technology called Digital Rights Management (DRM) is developed. With this technology, consumers are allowed to access digital contents only if they have purchased the corresponding licenses from license issuers. The problem, however, is that those consumers are not allowed to resell their own licenses- a restriction that goes against the first-sale doctrine. Enabling a consumer to buy a digital license directly from another consumer and allowing the two consumers to fairly exchange the license for a payment are still an open issue in DRM research area. This thesis investigates existing security solutions for achieving digital license reselling and analyses their strengths and weaknesses. The thesis then proposes a novel Reselling Deal Signing (RDS) protocol to achieve fairness in a license reselling. The idea of the protocol is to integrate the features of the concurrent signature scheme with functionalities of a License Issuer (LI). The security properties of this protocol is informally analysed and then formally verified using ATL logic and the model checker MOCHA. To assess its performance, a prototype of the RDS protocol has been developed and a comparison with related protocols has been conducted. The thesis also introduces two novel digital tokens a Reselling Permission (RP) token and a Multiple Reselling Permission (MRP) token. The RP and MRP tokens are used to show whether a given license is single and multiple resalable, respectively. Moreover, the thesis proposes two novel methods supporting fair and secure digital license reselling. The first method is the Reselling Deal (RD) method which allows a license to be resold once. This method makes use of the existing distribution infrastructure, RP, License Revocation List (LRL), and three protocols: RDS protocol RD Activation (RDA) protocol, and RD Completion (RDC) protocol. The second method is a Multiple License Reselling (MLR) method enabling one license to be resold N times by N consumers. The thesis presents two variants of the MLR method: RRP-MR (Repeated RP-based Multi-Reselling) and HC-MR (Hash Chain-based Multi-Reselling). The RRP-MR method is designed such that a buyer can choose to either continue or stop a multi-reselling of a license. Like the RD method, the RRP-MR method makes use of RP, LI, LRL, and the RDS, RDA, and RDC protocols to achieve fair and secure reselling. The HC-MR method allows multiple resellings while keeping the overhead on LI at a minimum level and enable a buyer to check how many times a license can be further resold. To do so, the HC-MR utilises MRP and the hash chain cryptographic primitive along with LRL, LI and the RDS, RDA and RDC protocols. The analysis and the evaluation of these three methods have been conducted. While supporting the license reselling, the two methods are designed to prevent a reseller from (1) continuing using a resold license, (2) reselling a non-resalable license, and (3) reselling one license a unauthorised number of times. In addition, they enable content owners of resold contents to trace a buyer who has violated any of the usage rights of a license bought from a reseller. Moreover, the methods enable a buyer to verify whether a license he is about to buy is legitimate for re-sale. Furthermore, the two methods support market power where a reseller can maximise his profit and a buyer can minimise his cost in a reselling process. In comparison with related works, our solution does not make use of any trusted hardware device, thus it is more cost-effective, while satisfying the interests of both resellers and buyers, and protecting the content owner's rights.

343.071