Tufts Wireless Laboratory School Of Engineering Tufts University “Verifying Noninterference in a Cyber-Physical System – The Advanced Electric Power Grid” by Yan Sun, Bruce McMillin, Xiaoqing Liu, David Cape Yuping Dong 03/22/22 1


Tufts Wireless Laboratory, School of Engineering
Tufts University

“Verifying Noninterference in a Cyber-Physical System – The Advanced Electric Power Grid”
by Yan Sun, Bruce McMillin, Xiaoqing Liu, David Cape
Yuping Dong
04/19/23 1


Advanced Electric Power Grid
• A complex real-time system having both cyber and physical components.
• A reliable self-healing grid in which coordinated cyber control of power flow control devices, i.e., Flexible AC Transmission System (FACTS) devices, plays a significant role.
• Interference between components causes incorrectness.
• This paper verifies correct CPS composition with noninterference in the frequency domain.
• Decompose the cyber-physical system into subsystems.


Model Checking
• Use model checking for hardware/software system design.
• Process Meta Language (PROMELA) modeling language.
• RT-SPIN to verify the model for correctness.
• Break the model into smaller ones; noninterference is checked together with overall system correctness.
• Clock variables for real-time control.
• Hardware-in-the-Loop (HIL) test bed of a portion of the advanced electric power grid control system.


HIL Test Bed

• Real-time simulation of many lines in electric power grid.

• FACTS devices that interact through real power lines.

• Simulation interacts with power flow via A/D input, D/A output.

• FACTS devices update power line settings at a certain frequency.



HIL (cont.)
• Two independent interaction loops:
– between the FACTS device and the HIL line,
– between the Simulation Engine and the HIL line.
• Two procedures:
– Read sensor data.
– Apply new settings to the HIL line.
• The FACTS device and the Simulation Engine are active components.
– FACTS calculates new settings in order to modify the power flow.
– The Simulation Engine takes sensor readings and attempts to calculate the response of the entire simulated network and its effects on the HIL line.


Possible Interference
• The interference between cyber and physical components is in the frequency domain.
• FACTS and the Simulation Engine calculate the new settings based on a correct reading of the current status of the HIL line.
• Sensor reading needs to be fast enough to capture the changes due to the two asynchronous interaction loops.
• Four properties to be checked:
– FACTS reading rate vs. FACTS setting rate
– Simulation reading rate vs. Simulation setting rate
– FACTS reading rate vs. Simulation setting rate
– Simulation reading rate vs. FACTS setting rate


Comprehensive Model

• Uses rendezvous channels and circular buffers to record reading and setting events.

• Rendezvous channels are used for synchronized message passing.

• Buffers are used on the HIL line side to receive and record messages.

• Each of the four events is assigned one channel and one buffer.



Comprehensive Model (cont.)
• Five processes
– FACTS_S (sampling process of FACTS device)
– FACTS_U (updating process of FACTS device)
– SimEng_S (sampling process of simulation engine)
– SimEng_U (updating process of simulation engine)
– HIL (reception process which simulates the HIL line and receives all the events through the channels)
• Five clock variables
– f_s_clk (controls FACTS device sampling)
– f_u_clk (controls FACTS device updating)
– s_s_clk (controls simulation engine sampling)
– s_u_clk (controls simulation engine updating)
– s_clk (controls moving of buffer pointers)


Comprehensive Model (cont.)
• A pointer moves along the slots in the buffer at a certain speed.
• When an event is sent and received through the channel, the value in the current slot increments by one.
• The window sizes are the same for all four channels.
• The count for the sliding window of a reading event should be at least twice as large as the count for a setting event.


Comprehensive Model (cont.)
• Dynamic behavior and interactions among five processes.
• Events are governed by clock variables, one clock variable for each event.
• g_clk is used to control the speed of the buffer pointer and the sliding window pointer.
• Sampling and updating events in both the FACTS device and the simulation engine are separated, and their frequencies are different.


Model Decomposition

• The comprehensive model contains five clock variables and five processes. Currently available computing resources were not adequate to verify it.

• Decomposed model does not contain extra processes, variables, etc.

• Prove noninterference with decomposed models.



Model Decomposition (cont.)
• The comprehensive model is decomposed into smaller models.
• To check a property, each model needs to include three processes:
– The sampling process
– The updating process
– HIL line receiving the messages
• Two clock variables are needed: one for the updating process, the other for the sampling process and buffer pointer movement.


Model Decomposition (cont.)
• Example (Decomposed Model a)
– Processes:
• FACTS_S (sampling process of FACTS device)
• FACTS_U (updating process of FACTS device)
• HIL (HIL line reception process through the channels)
– Channels:
• E_FACTS_Samples_HIL
• E_FACTS_Affects_HIL
– Clock Variables:
• f_s_clk (controls FACTS device sampling and moving of buffer pointers)
• f_u_clk (controls FACTS device updating)


FACTS Device Sampling
• QUIT is an acceptable end state.
• i is the pointer variable for the buffer.
• j is the pointer variable for the sliding window.


FACTS Device Sampling (cont.)

• An assertion is added to check if the Nyquist frequency is satisfied.



Model Decomposition (cont.)
• Four models verify four assertions:
– Assertion 1: assert(2*cnt_FACTS_affect <= cnt_FACTS_sample)
– Assertion 2: assert(2*cnt_FACTS_affect <= cnt_SimEng_sample)
– Assertion 3: assert(2*cnt_SimEng_update <= cnt_FACTS_sample)
– Assertion 4: assert(2*cnt_SimEng_update <= cnt_SimEng_sample)


Verification of Noninterference

Prove:

Example: {pre(Model a) AND Assertion 2} Model a {Assertion 2}

Since Assertion 2 is invariant over Model a, we have:

{(Assertion 1: 2*cnt_FACTS_affect <= cnt_FACTS_sample) AND (Assertion 2: assert(2*cnt_FACTS_affect <= cnt_SimEng_sample))} Model a {Assertion 2: assert(2*cnt_FACTS_affect <= cnt_SimEng_sample)}

Since the clocks and sample rates among the four models are fixed, Model a’s actions can be considered as assignments.

As long as Model b and Model d hold cnt_SimEng_sample constant, the implication remains true.
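As an added illustration (not the paper's PROMELA/RT-SPIN model), the following Python simulation reproduces the circular-buffer and sliding-window counting of the comprehensive model and evaluates the four assertions of the previous slide; it also runs the decomposed Model a alone to show that Assertion 1 is unaffected by the simulation-engine rates, which is the noninterference argument of this slide. The event periods, window size and channel names are constructed values, not taken from the paper.

```python
# Added example: discrete-time simulation of the HIL reception model.
# Each channel gets a circular buffer of `window` slots; pointer i advances one slot
# per tick (the role of g_clk); an event received over a channel increments the slot under i.
# Periods (in ticks) and the window size are constructed values, not the paper's.
RATES_OK = {"FACTS_sample": 2, "FACTS_affect": 6, "SimEng_sample": 3, "SimEng_update": 6}
RATES_BAD = dict(RATES_OK, FACTS_affect=4)  # FACTS updates too often for the SimEng sampler
WINDOW, TICKS = 12, 60

# The paper's four assertions as (setting event, reading event) pairs: 2*setting <= reading.
ASSERTIONS = {
    1: ("FACTS_affect", "FACTS_sample"),
    2: ("FACTS_affect", "SimEng_sample"),
    3: ("SimEng_update", "FACTS_sample"),
    4: ("SimEng_update", "SimEng_sample"),
}

def run_model(periods, window=WINDOW, ticks=TICKS):
    """Return, per tick, the sliding-window event count of every channel in `periods`."""
    buffers = {ch: [0] * window for ch in periods}
    history = []
    for t in range(ticks):
        i = t % window                      # buffer pointer; the slot it reaches is reused
        for ch, period in periods.items():
            buffers[ch][i] = 0              # oldest slot drops out of the window
            if t % period == 0:             # this channel's clock fires: event sent and received
                buffers[ch][i] += 1
        history.append({ch: sum(buf) for ch, buf in buffers.items()})
    return history

def check_assertions(history, warmup=WINDOW):
    """Evaluate each assertion at every tick once the window is full.
    Assertions whose channels are absent (decomposed models) are skipped."""
    present = history[0].keys()
    return {n: all(2 * h[u] <= h[s] for h in history[warmup:])
            for n, (u, s) in ASSERTIONS.items() if u in present and s in present}

def model_a_holds(periods, window=WINDOW, ticks=TICKS):
    """Decomposed Model a: FACTS_S, FACTS_U and HIL only; checks Assertion 1 in isolation."""
    sub = {ch: periods[ch] for ch in ("FACTS_sample", "FACTS_affect")}
    return check_assertions(run_model(sub, window, ticks), window)[1]

if __name__ == "__main__":
    print("comprehensive, OK rates :", check_assertions(run_model(RATES_OK)))
    print("comprehensive, BAD rates:", check_assertions(run_model(RATES_BAD)))
    print("Model a alone, BAD rates:", model_a_holds(RATES_BAD))
```

With RATES_BAD only Assertion 2 fails, while Model a still reports Assertion 1 as holding whatever the simulation-engine periods are, which is exactly the invariance the slide relies on.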