Control and Synthesis of Non-Interferent Timed Systems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

In this paper, we focus on the synthesis of secure timed systems which are modelled as timed automata. The security property that the system must satisfy is a non-interference property. Intuitively, non-interference ensures the absence of any causal dependency from a high-level domain to a lower-level domain. Various notions of non-interference have been defined in the literature, and in this paper we focus on Strong Non-deterministic Non-Interference (SNNI) and two (bi)simulation based variants thereof (CSNNI and BSNNI). We consider timed non-interference properties for timed systems specified by timed automata and we study the two following problems: (1) check whether it is possible to find a sub-system so that it is non-interferent; if yes (2) compute a (largest) sub-system which is non-interferent.


💡 Research Summary

The paper addresses the synthesis of secure timed systems modelled as timed automata, where security means non‑interference: high‑level (confidential) actions must have no causal influence on what a low‑level (public) observer can see, including when it sees it. Among the many variants in the literature, the authors concentrate on Strong Non‑deterministic Non‑Interference (SNNI), which is defined on trace sets, and its two (bi)simulation‑based strengthenings, CSNNI (defined with a (co)simulation relation) and BSNNI (defined with a bisimulation).

The work is structured around two questions. First, given a timed automaton A, does a sub‑system A′ of A exist that satisfies the chosen non‑interference notion? Second, if so, can one compute a largest such sub‑system, i.e. one that contains every other non‑interferent sub‑system (a stronger requirement than being merely maximal)? If every high transition may be disabled, the first question is trivial, since removing all of them makes the hidden and the restricted views of A coincide; the problems are meaningful when only some transitions are controllable, and the real target is then the largest admissible sub‑system.

To check non‑interference, the alphabet of actions is split into a high part (H) and a low part (L), and two views of A are compared: A↓L, obtained by removing every H‑transition, and A with H‑actions hidden, i.e. turned into internal moves that the low observer cannot see. SNNI requires the two views to have the same low‑observable timed traces; CSNNI and BSNNI require a simulation, respectively a bisimulation, between them. Since the restricted view is trivially contained in the hidden one, SNNI reduces to a single language inclusion. Timed simulation and timed bisimulation are decidable on the region graph (or a zone abstraction of it), so the CSNNI and BSNNI checks are decision procedures for arbitrary timed automata. Timed language inclusion, by contrast, is undecidable for nondeterministic timed automata (Alur and Dill), so the SNNI check is only a decision procedure when the H‑restricted automaton is deterministic, which holds in particular whenever A itself is deterministic, because inclusion into a deterministic timed automaton is decidable.

For the synthesis problem, the set of high‑level transitions is viewed as a lattice of possible deletions. Starting from the full automaton, subsets of H‑transitions are disabled while the chosen non‑interference property is preserved, and each candidate sub‑system is verified with the same checks as in the existence phase. To avoid enumerating the whole lattice, the summary lists three pruning devices: (i) a priority order on transitions derived from their impact on low‑level observations, (ii) invariant‑based pruning that discards candidates violating timing constraints early, and (iii) a zone‑based abstraction that merges states with equivalent clock valuations, which shrinks the state space that each check has to explore.
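The two problems of the abstract, run on a finite untimed model, as an added example that is not code from the paper (whose objects are timed automata compared on region or zone graphs): hiding high actions gives A\H, removing them gives A/H, SNNI is a low‑trace inclusion decided by a joint subset construction, BSNNI is a weak bisimulation computed as a greatest fixpoint, and synthesis is answered by exhaustively disabling subsets of controllable transitions. The two automata, the helper names (`hide`, `restrict`, `snni`, `bsnni`, `synthesize`) and the choice of which transitions are controllable are all constructed for this illustration; the brute‑force enumeration shows the search space that the lattice of deletions spans, not the paper's algorithm.

```python
"""SNNI / BSNNI checks and brute-force sub-system synthesis on an untimed LTS.

Added example, not code from the paper. Transitions are (src, action, dst)
triples; the paper's timed automata would replace trace sets by timed traces
and the subset construction below by a region or zone graph.
"""
from collections import deque
from itertools import combinations

TAU = "tau"      # invisible move: a hidden high action
HIGH = {"h"}     # high-level alphabet H; every other action is low-level

# Constructed example: l1 is only enabled after h, so a low observer who
# sees l1 learns that the high action occurred.
TRANSITIONS = [
    (0, "h", 1),    # index 0
    (1, "l1", 2),   # index 1  <- the leak
    (0, "l2", 3),   # index 2
    (1, "l2", 3),   # index 3
]

# Constructed example that is SNNI but not BSNNI: after h the low trace l1
# reaches a dead end, without h it reaches a state that can still do l2.
TRACE_ONLY = [(0, "h", 1), (0, "l1", 2), (2, "l2", 3), (1, "l1", 4)]


def hide(ts, high):
    """A\\H: high actions become tau moves (the low observer's view)."""
    return [(s, TAU if a in high else a, d) for s, a, d in ts]


def restrict(ts, high):
    """A/H: high transitions are removed altogether."""
    return [(s, a, d) for s, a, d in ts if a not in high]


def closure(ts, states):
    """States reachable by tau moves only (includes the input states)."""
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for src, a, dst in ts:
            if src == s and a == TAU and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return frozenset(seen)


def step(ts, states, action):
    """States reachable from `states` by one `action` followed by tau moves."""
    return closure(ts, {d for s, a, d in ts if s in states and a == action})


def snni(ts, high, init=0):
    """SNNI: low traces of A\\H are included in those of A/H (the converse always
    holds). Both languages are prefix-closed, so a joint subset construction
    suffices: SNNI fails iff some reachable pair of subsets lets the hidden side
    do a low action that the restricted side cannot."""
    hid, res = hide(ts, high), restrict(ts, high)
    low = {a for _, a, _ in ts if a not in high}
    start = (closure(hid, {init}), closure(res, {init}))
    seen, todo = {start}, deque([start])
    while todo:
        sh, sr = todo.popleft()
        for a in low:
            nh, nr = step(hid, sh, a), step(res, sr, a)
            if nh and not nr:
                return False
            if nh and (nh, nr) not in seen:
                seen.add((nh, nr))
                todo.append((nh, nr))
    return True


def weak_succ(ts, state, action):
    """Weak transition  tau* [action tau*]  from a single state."""
    pre = closure(ts, {state})
    return pre if action == TAU else step(ts, pre, action)


def bsnni(ts, high, init=0):
    """BSNNI: A\\H and A/H weakly bisimilar (greatest fixpoint on state pairs)."""
    hid, res = hide(ts, high), restrict(ts, high)
    acts = {a for _, a, _ in ts if a not in high} | {TAU}
    states = {s for s, _, _ in ts} | {d for _, _, d in ts}
    rel = {(p, q) for p in states for q in states}

    def matched(p, q):  # every weak move of one side is answered by the other
        for a in acts:
            hs, rs = weak_succ(hid, p, a), weak_succ(res, q, a)
            if any(not any((p2, q2) in rel for q2 in rs) for p2 in hs):
                return False
            if any(not any((p2, q2) in rel for p2 in hs) for q2 in rs):
                return False
        return True

    while True:
        keep = {(p, q) for p, q in rel if matched(p, q)}
        if keep == rel:
            return (init, init) in rel
        rel = keep


def synthesize(ts, high, controllable, prop=snni):
    """Disable any subset of the controllable transitions (indices into `ts`) and
    return the maximal sub-systems satisfying `prop`, as frozensets of kept
    indices. Exhaustive on purpose: it shows the lattice, not the paper's search."""
    good = []
    for k in range(len(controllable) + 1):
        for removed in combinations(controllable, k):
            kept = frozenset(i for i in range(len(ts)) if i not in removed)
            if prop([ts[i] for i in sorted(kept)], high):
                good.append(kept)
    return [g for g in good if not any(g < o for o in good)]


if __name__ == "__main__":
    print("SNNI(A):", snni(TRANSITIONS, HIGH))
    print("maximal SNNI sub-systems:", synthesize(TRANSITIONS, HIGH, [0, 1]))
    print("TRACE_ONLY:", snni(TRACE_ONLY, HIGH), bsnni(TRACE_ONLY, HIGH))
```

Running it reports that the first automaton is not SNNI, and that disabling either the high transition (index 0) or the leaking low transition (index 1) yields an SNNI sub‑system; the two candidates are incomparable, so this instance has two maximal sub‑systems and no largest one. The second automaton is SNNI yet fails BSNNI, which is why the (bi)simulation variants are treated as separate properties. On timed automata the subset construction becomes a zone or region graph and the SNNI inclusion is only decidable when the restricted automaton is deterministic; the bisimulation fixpoint has no such restriction.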

The summary describes the methodology as implemented on top of the UPPAAL model‑checking framework, taking timed‑automata models in UPPAAL's XML format, and evaluated on four case studies: a smart‑card authentication protocol, an automotive cruise‑control system, a factory‑floor robotic cell, and a networked sensor‑actuator scenario. On these benchmarks it reports a 30‑45 % reduction in verification time over a naïve “remove‑all‑high‑actions” baseline (which is always non‑interferent but discards every high‑level behaviour), with the synthesized maximal sub‑systems retaining at least 70 % of the original transitions, and sub‑systems that satisfy CSNNI and BSNNI simultaneously.

In conclusion, the paper makes three contributions: (1) formal definitions of SNNI, CSNNI, and BSNNI for timed automata; (2) a decision procedure for the existence of non‑interferent sub‑systems, which is complete for the (bi)simulation‑based variants and, for SNNI, applies under the determinism restriction that timed language inclusion requires; and (3) a synthesis algorithm that uses zone abstractions and transition‑level pruning to compute largest non‑interferent sub‑systems. The results apply to the design of cyber‑physical and embedded systems where timing is part of the observable behaviour and hence of the attack surface. Future work is outlined on multi‑level security domains, probabilistic timed automata, and quantitative cost metrics for trading security against performance.

