Carolyn Talcott’s research while affiliated with SRI International and other places

What is this page?


This page lists works of an author who doesn't have a ResearchGate profile or hasn't added the works to their profile yet. It is automatically generated from public (personal) data to further our legitimate goal of comprehensive and accurate scientific recordkeeping. If you are this author and want this page removed, please let us know.

Publications (221)


Programming Open Distributed Systems in Maude
  • Conference Paper
  • September 2024 · 21 Reads · 1 Citation
  • Authors: Steven Eker · [...] · Carolyn Talcott


Dialects for CoAP-like Messaging Protocols
  • Preprint
  • File available
  • May 2024 · 18 Reads

Messaging protocols for resource-limited systems such as distributed IoT systems are often vulnerable to attacks because of security choices made to conserve resources such as time, memory, or bandwidth. For example, secure layers such as DTLS are resource-expensive and can sometimes cause service disruption. Protocol dialects are intended as a lightweight, modular mechanism to provide selected security guarantees, such as authentication. In this report we study the CoAP messaging protocol and define two attack models formalizing different vulnerabilities. We propose a generic dialect for CoAP messaging. The CoAP protocol, dialect, and attack models are formalized in the rewriting logic system Maude. A number of case studies are reported, illustrating vulnerabilities and the effects of applying the dialect. We also prove (stuttering) bisimulations between CoAP messaging applications and their dialected versions, thus ensuring that dialecting preserves the LTL properties (without Next) of CoAP applications.

Runtime Composition of Systems of Interacting Cyber-Physical Components
  • October 2023 · 9 Reads · 1 Citation
  • Lecture Notes in Computer Science

The description of concurrent systems as a network of interacting processes helps to reduce the complexity of the specification. The same principle applies to the description of cyber-physical systems as a network of interacting components. We introduce a transition-system-based specification of cyber-physical components whose semantics is compositional with respect to a family of algebraic products. We give sufficient conditions for the execution of a product of cyber-physical components to be correctly implemented by a lazy runtime expansion of the product construction. Our transition system algebra is implemented in the Maude rewriting logic system. As an example, we show that, under a coordination protocol, a set of autonomous energy-aware robots can self-sort themselves on a shared physical grid.


Figure captions (images not included):
Fig. 3. Illustration of a hybrid search algorithm execution using the goal condition g and depth two. The POP surrounded by a box indicates the points where the algorithm backtracks in the search tree. The numbers inside the circles specify the order in which nodes are traversed.
Fig. 4. Overview of the implementation used for the experiments using hybrid search, the SMT solver Z3 and the rewriting tool Maude.
Fig. 5. CASH Verification Experiments. cashOK1 = cashOK(I0, I1, I2, I3, true), cashOK2 = cashOK(I0, I1, I2, I3, I0 + I3 > I1 + I2), and caseOK3 = caseOK(I0, I1, I2, I1, I0 + I2 > I1), and mutatis mutandis for cashBad1, cashBad2 and cashBad3.
Fig. 6. Slowloris Experiments. Slow1 = Slowloris(1, 0, 24), Slow2 = Slowloris(1, 0, 36), Slow3 = Slowloris(1, 1, 12), Slow4 = Slowloris(1, 1, 24), Slow5 = Slowloris(1, 1, 36).

Incremental Rewriting Modulo SMT
  • September 2023 · 78 Reads · 4 Citations
  • Lecture Notes in Computer Science

Rewriting Modulo SMT combines two powerful automated deduction techniques: (1) rewriting and (2) SMT solving. Rewriting enables the specification of system behavior using rewrite rules, while SMT theories specify system properties. Rewriting Modulo SMT is enabled by combining existing tools, such as Maude and SMT solvers. Search algorithms used for carrying out Rewriting Modulo SMT, however, cannot exploit the incremental solving features available in SMT solvers, because they are based on breadth-first search. This paper addresses this limitation by proposing Incremental Rewriting Modulo SMT Theories, a syntactic restriction on rewrite rules. This restriction turns out to arise naturally in several applications of Rewriting Modulo SMT, including the verification of algorithms, cyber-physical systems, and security protocols. Moreover, we propose a Hybrid-Search algorithm for Incremental Rewriting Modulo SMT Theories that combines breadth-first search and depth-first search, thus enabling incremental SMT solving. We demonstrate through a collection of existing benchmarks that the Hybrid-Search algorithm can achieve a 10 times performance improvement in verification times.


Automating Recoverability Proofs for Cyber-Physical Systems with Runtime Assurance Architectures
  • June 2023 · 14 Reads · 2 Citations
  • Lecture Notes in Computer Science

Cyber-physical systems (CPSes), such as autonomous vehicles, use sophisticated components like ML-based controllers. It is difficult to provide evidence about the safe functioning of such components. To overcome this problem, Runtime Assurance Architecture (RTA) solutions have been proposed. The RTA's decision component evaluates the system's safety risk, and whenever the risk is higher than acceptable the RTA switches to a safety mode that, for example, activates a controller with strong evidence for its safe functioning. In this way, RTAs increase CPS runtime safety and resilience by recovering the system from higher to lower risk levels. The goal of this paper is to automate recovery proofs of CPSes using RTAs. We first formalize the key verification problems, namely, the decision sampling-time adequacy problem and the time-bounded recoverability problem. We then demonstrate how to automatically generate proofs for the proposed verification problems using symbolic rewriting modulo SMT. Automation is enabled by integrating the rewriting logic tool (Maude), which generates sets of non-linear constraints, with an SMT solver (Z3) to produce proofs.


Figure captions (images not included):
Fig. 1. Illustration of how one expects an RTA to maintain safety during runtime. dt is the sampling time of the decision module. Primary (respectively, Safe) denotes that the decision module switches to the primary (respectively, safe) controller.
Fig. 5. Soft Agent (SA) architecture.

Technical-Report: Automating Recoverability Proofs for Cyber-Physical Systems with Runtime Assurance Architectures
  • April 2023 · 25 Reads

Cyber-physical systems (CPSes), such as autonomous vehicles, use sophisticated components like ML-based controllers. It is difficult to provide evidence about the safe functioning of such components. To overcome this problem, Runtime Assurance Architecture (RTA) solutions have been proposed. The RTA's decision component evaluates the system's safety risk, and whenever the risk is higher than acceptable the RTA switches to a safety mode that, for example, activates a controller with strong evidence for its safe functioning. In this way, RTAs increase CPS runtime safety and resilience by recovering the system from higher to lower risk levels. The goal of this paper is to automate recovery proofs of CPSes using RTAs. We first formalize the key verification problems, namely, the decision sampling-time adequacy problem and the time-bounded recoverability problem. We then demonstrate how to automatically generate proofs for the proposed verification problems using symbolic rewriting modulo SMT. Automation is enabled by integrating the rewriting logic tool (Maude), which generates sets of non-linear constraints, with an SMT solver (Z3) to produce proofs.


A Rewriting Framework for Interacting Cyber-Physical Agents
  • October 2022 · 7 Reads · 3 Citations
  • Lecture Notes in Computer Science

The analysis of cyber-physical systems (CPS) is challenging due to the large state space and the continuous changes occurring in their constituent parts. Design practices favor modularity to help reduce this complexity. In previous work, we proposed a discrete semantic model for CPS that captures both cyber and physical aspects as streams of discrete observations, which ultimately form the behavior of a component. This semantic model is denotational and compositional, where each composition operator algebraically models an interaction between a pair of components. In this paper, we propose a specification of components as rewrite systems. The specification is operational and executable, and we study conditions for its semantics as components to be compositional. We demonstrate our framework by modeling the coordination of robots moving on a shared field. We show that our system of robots can be coordinated by a protocol in order to exhibit a desired emergent behavior. We use an implementation of our framework in Maude to give practical results.


On the Formalization and Computational Complexity of Resilience Problems for Cyber-Physical Systems
  • October 2022 · 22 Reads · 2 Citations
  • Lecture Notes in Computer Science

Cyber-Physical Systems (CPS) are used to perform complex, safety-critical missions autonomously. Examples include applications of autonomous vehicles and drones. Given the complexity of these systems, CPS must be able to adapt to possible changes during mission execution, such as regulatory updates or changes in mission objectives. This capability is informally referred to as resilience. We formalize the intuitive notion of resilience as a formal verification property using timed multiset rewriting. An important innovation in our formalization is the distinction between rules that are under the control of the CPS and those that are not. We also study the computational complexity of resilience problems. Although undecidable in general, we show that these problems are PSPACE-complete for a class of bounded systems, more precisely, balanced systems where the rules do not affect the number of facts of the configurations and where facts are of bounded size.

Keywords: Resilience, Planning, Formal methods, Verification, Multiset rewriting, Computational complexity


Table caption (table not included): Summary of experiment results for the 2 target scenario initS1a. If PDevs is none then EDevs counts deviations in the full execution. Execution deviations due to obstacles are not currently collected. In this experiment, removing the obstacle at the event before the deviation corrects the behavior.

Detection and diagnosis of deviations in distributed systems of autonomous agents
  • September 2022 · 59 Reads · 3 Citations
  • Mathematical Structures in Computer Science

Given the complexity of cyber-physical systems (CPS), such as swarms of drones, deviations from a planned mission or protocol often occur, which may in some cases lead to harm and losses. To increase the robustness of such systems, it is necessary to detect when deviations happen and to diagnose the cause(s) of a deviation. We build on our previous work on soft agents, a formal framework based on rewriting logic for specifying and reasoning about distributed CPS, to develop methods for diagnosis of CPS at design time. We accomplish this by (1) extending the soft agents framework with Fault Models; (2) proposing a protocol specification language and a definition of protocol deviations; and (3) developing workflows and algorithms for detection and diagnosis of protocol deviations. Our approach is partially inspired by existing work using counterfactual reasoning for fault ascription. We demonstrate our machinery with a collection of experiments.


Citations (63)


... failures of robots and other components [33]) and strategies to rescue items, as recently investigated in [32]. Lion et al. [22] present an operational specification of components as rewrite systems equipped with a Maude specification that is adopted to incrementally analyze the system design. The illustrative application includes two energy sensitive robots roaming on a shared field, and results demonstrate that the introduced coordination prevents livelock behaviour. ...

Reference: Comparing performance abstractions for collective adaptive systems

A Rewriting Framework for Interacting Cyber-Physical Agents
  • Citing Chapter
  • October 2022
  • Lecture Notes in Computer Science

... The Soft Agents (SA) framework has a built-in mechanism to model environmental perturbations such as faults, weather, or obstacles [28,29,18,20]. This mechanism corresponds to the use of rules not under the control of the system being considered and is thus well suited to modeling and analyzing resilience properties of cyber-physical systems such as those proposed in this paper. ...

Detection and diagnosis of deviations in distributed systems of autonomous agents
  • Mathematical Structures in Computer Science

... Also, Adi and Kirchner [1] implemented an AC-unification algorithm, proposed benchmarks, and showed that their algorithm improves over previous ones in time and space. An efficient AC-unification algorithm [16] is in use in the programming language Maude. ...

Equational Unification and Matching, and Symbolic Reachability Analysis in Maude 3.2 (System Description)
  • Lecture Notes in Computer Science

... • Simulation-Based Evaluations: Simulation models have been widely adopted to analyze the interplay between machine configurations and production schedules [15]. For instance, previous studies approached the feasibility with simulation frameworks to compare different facility layouts and assess cost-performance trade-offs [16]. ...

Automating Safety Proofs About Cyber-Physical Systems Using Rewriting Modulo SMT
  • Citing Chapter
  • July 2022
  • Lecture Notes in Computer Science

... Previous works (Nigam and Talcott, 2022; Apvrille and Roudier, 2015) propose formal threat analysis using models of cyber-physical systems, such as for Industry 4.0 applications. Similar to the work on security protocols, these works require the formal specification of the behavior of the system. ...

Automated Construction of Security Integrity Wrappers for Industry 4.0 Applications
  • Citing Article
  • January 2022
  • Journal of Logical and Algebraic Methods in Programming

... Compositional modeling aspects described in (Broy & Rumpe 2007) detail modular aspects in interacting systems. Compositional approaches consider not only the modeling language but the models, their respective software components, and their artifacts as well (Talcott et al. 2021; Butting, Eikermann, et al. 2020). These approaches are well described in the textual technological space (Butting, Pfeiffer, et al. 2020; Hölldobler et al. 2018) with consideration for the different forms of language composition. ...

Composition of Languages, Models, and Analyses

... On the other hand, increased complexity and robustness of modern systems (such as aircraft) demanded more powerful tooling to support safety analysis. These not only address the complexity and robustness but also cater to human limitations encountered when performing such tasks, with a particular focus on scaling these tools across the enterprise [3]. ...

Composing Model-Based Analysis Tools
  • Citing Book
  • January 2021

... The main goal of this paper is to formalize the intuitive notion of resilience as a verification problem for CPS. We start from our previous work [13,14], in which we proposed a Timed Multiset Rewriting (MSR) framework suitable for specification and verification of CPSes. The work addressed properties without assuming changes and considered only task realization under nominal conditions, with fixed goals and fixed regulations and policies. ...

On the Complexity of Verification of Time-Sensitive Distributed Systems
  • Citing Chapter
  • November 2021
  • Lecture Notes in Computer Science

... The entire semantic data model is subdivided into the domain level, mission level, and application level, as depicted in Figure 2. The establishment of semantic models facilitates the realization of intelligent management of underground pipelines, serving as an indispensable component in the construction of smart cities, and promoting the modernization and digitization of urban management. Semantic models support the real-time monitoring and emergency responses of underground pipelines, enabling rapid identification of issues, assessment of impacts, and formulation of effective response measures during emergencies, thereby enhancing urban resilience to sudden events [25]. ...

A Semantic Model for Interacting Cyber-Physical Systems
  • Electronic Proceedings in Theoretical Computer Science

... Demonstrating properties of such specifications amounts to search using these rewrite rules and satisfiability checking of the accumulated constraints using SMT solvers. Rewriting modulo SMT has been successfully applied in several case-studies from several domains, including safety of cyber-physical systems (CPSes) [13]; verification of algorithms [2]; and for network security analysis [16]. ...

Resource and timing aspects of security protocols
  • Citing Article
  • February 2021
  • Journal of Computer Security