// ===========================================================================

1. // ===========================================================================
2. // SWEN90010 2018 - Assignment 3 Submission
3. // by Chong Hin Chau and William Pan
4. // ===========================================================================
5.  
6. module ebs
7. open util/ordering[State] as ord
8.  
9. // =========================== System State ==================================
10. // a type for storing amounts of Joules
11. sig Joules {}
12.  
13. // the initial number of joules to deliver (30)
14. one sig InitialJoulesToDeliver extends Joules {}
15.  
16. // we ignore the clinical assistants for simplicity in this model
17. abstract sig Role {}
18. one sig Cardiologist, Patient extends Role {}
19.  
20. // principals have associated roles
21. sig Principal {
22. roles : set Role
23. }
24.  
25. // an abstract signature for network messages
26. abstract sig Message {
27. source : Principal
28. }
29.  
30. // ChangeSettingsRequest messages
31. // Note: we ignore the tachybound part to keep things tractable
32. sig ChangeSettingsMessage extends Message {
33. joules_to_deliver : Joules
34. }
35.  
36. // ModeOn message
37. sig ModeOnMessage extends Message {
38. }
39.  
40.  
41. // Modes: either On or Off
42. abstract sig Mode {}
43. one sig ModeOn, ModeOff extends Mode {}
44.  
45. // meta information in the model that identifies the last action performed
46. abstract sig Action {
47. who : Principal // indentifies which principal caused the action
48. }
49.  
50. sig SendModeOn, RecvModeOn,
51. SendChangeSettings, RecvChangeSettings
52. extends Action {}
53.  
54. // represents the occurrence of attacker actions
55. one sig AttackerAction extends Action {}
56.  
57. // a dummy action which will be the "last action" in the initial state
58. // we do this just to make sure that every state has a last action
59. one sig DummyInitialAction extends Action {}
60.  
61. // The system state
62. sig State {
63. network : lone Message, // CAN Bus state: holds up to one message
64. icd_mode : Mode, // whether ICD system is in on or off mode
65. impulse_mode : Mode, // whether the impulse generator is on or off
66. joules_to_deliver : Joules, // joules to deliver for ventrical fibrillation
67. authorised_card : Principal, // the authorised cardiologist
68. last_action : Action, // identifies the most recent action performed
69. }
70.  
71. // an axiom that restricts the model to never allow more than one messasge on
72. // the network at a time; a simplifying assumption to ease the analysis
73. fact {
74. all s : State | lone s.network
75. }
76.  
77. // =========================== Initial State =================================
78.  
79. // The initial state of the system:
80. // - empty network,
81. // - ICD and impulse generator both off
82. // - joules to deliver at initial value
83. // - the authorised cardiologist is really a cardiologist
84. // - last_action set to the dummy value
85. pred Init[s : State] {
86. no s.network and s.icd_mode = ModeOff and s.impulse_mode = ModeOff
87. and s.joules_to_deliver = InitialJoulesToDeliver and
88. Cardiologist in s.authorised_card.roles and
89. s.last_action = DummyInitialAction
90. }
91.  
92. // =========================== Actions =======================================
93.  
94. // Models the action in which a ModeOn message is sent on the network by the
95. // authorised cardiologist.
96. // Precondition: none
97. // Postcondition: network now contains a ModeOn message from the authorised
98. // cardiologist
99. // last_action is SendModeOn for the message's sender
100. // and nothing else changes
101. pred send_mode_on[s, s' : State] {
102. some m : ModeOnMessage | m.source = s.authorised_card and
103. s'.network = s.network + m and
104. s'.icd_mode = s.icd_mode and
105. s'.impulse_mode = s.impulse_mode and
106. s'.joules_to_deliver = s.joules_to_deliver and
107. s'.authorised_card = s.authorised_card and
108. s'.last_action in SendModeOn and
109. s'.last_action.who = m.source
110. }
111.  
112. // Models the action in which a valid ModeOn message is received by the
113. // ICD from the authorised cardiologist, causing the ICD system's mode to change
114. // from Off to On and the message to be removed from the network
115. // Precondition: ICD and impulse generator both off
116. // Postcondition: ICD and impulse generator both on
117. // last_action in RecvModeOn and
118. // last_action.who = the source of the ModeOn message
119. // and nothing else changes
120. pred recv_mode_on[s, s' : State] {
121. ModeOff in s.icd_mode and ModeOff in s.impulse_mode
122. some m : ModeOnMessage |
123. no s'.network and
124. s'.icd_mode = ModeOn and
125. s'.impulse_mode = ModeOn and
126. s'.joules_to_deliver = s.joules_to_deliver and
127. s'.authorised_card = s.authorised_card and
128. s'.last_action in RecvModeOn and
129. s'.last_action.who = m.source
130. }
131.  
132. // Models the action in which a valid ChangeSettingsRequest message is sent
133. // on the network, from the authorised cardiologist, specifying the new quantity of
134. // joules to deliver for ventrical fibrillation.
135. // Precondition: none
136. // Postcondition: network now contains a ChangeSettings message from the authorised
137. // cardiologist
138. // last_action in SendChangeSettings and
139. // last_action.who = the source of the ChangeSettingsMessage
140. // and nothing else changes
141. pred send_change_settings[s, s' : State] {
142. some m : ChangeSettingsMessage | m.source = s.authorised_card and
143. s'.network = s.network + m and
144. s'.icd_mode = s.icd_mode and
145. s'.impulse_mode = s.impulse_mode and
146. s'.joules_to_deliver = m.joules_to_deliver and
147. s'.authorised_card = s.authorised_card and
148. s'.last_action in SendChangeSettings and
149. s'.last_action.who = m.source
150. }
151.  
152. // Models the action in which a valid ChangeSettingsRequest message is received
153. // by the ICD, from the authorised cardiologist, causing the current joules to be
154. // updated to that contained in the message and the message to be removed from the
155. // network.
156. // Precondition: ICD and impulse generator both off
157. // Postcondition: joules to deliver is set to new value
158. // last_action in RecvChangeSettings and
159. // last_action.who = the source of the ChangeSettingsMessage
160. // and nothing else changes
161. pred recv_change_settings[s, s' : State] {
162. ModeOff in s.icd_mode and ModeOff in s.impulse_mode
163. some m : ChangeSettingsMessage |
164. no s'.network and
165. s'.icd_mode = s.icd_mode and
166. s'.impulse_mode = s.impulse_mode and
167. s'.joules_to_deliver = m.joules_to_deliver and
168. s'.authorised_card = s.authorised_card and
169. s'.last_action in SendChangeSettings and
170. s'.last_action.who = m.source
171. }
172.  
173. // =========================== Attacker Actions ==============================
174.  
175. // Models the actions of a potential attacker that has access to the network
176. // The only part of the system state that the attacker can possibly change
177. // is that of the network
178. //
179. // NOTE: In the initial template you are given, the attacker
180. // is modelled as being able to modify the network contents arbitrarily.
181. // Howeever, for later parts of the assignment you will change this definition
182. // to only permit certain kinds of modifications to the state of the network.
183. // When doing so, ensure you update the following line that describes the
184. // attacker's abilities.
185. //
186. // Attacker's abilities: can modify network contents arbitrarily
187. // <UPDATE HERE>
188. //
189. // Precondition: none
190. // Postcondition: network state changes in accordance with attacker's abilities
191. // last_action is AttackerAction
192. // and nothing else changes
193. pred attacker_action[s, s' : State] {
194. s'.icd_mode = s.icd_mode and
195. s'.joules_to_deliver = s.joules_to_deliver and
196. s'.impulse_mode = s.impulse_mode and
197. s'.authorised_card = s.authorised_card and
198. s'.last_action = AttackerAction
199. }
200.  
201.  
202. // =========================== State Transitions and Traces ==================
203.  
204. // State transitions occur via the various actions of the system above
205. // including those of the attacker.
206. pred state_transition[s, s' : State] {
207. send_mode_on[s,s']
208. or recv_mode_on[s,s']
209. or send_change_settings[s,s']
210. or recv_change_settings[s,s']
211. //or attacker_action[s,s']
212. }
213.  
214. // Define the linear ordering on states to be that generated by the
215. // state transitions above, defining execution traces to be sequences
216. // of states in which each state follows in the sequence from the last
217. // by a state transition.
218. fact state_transition_ord {
219. all s: State, s': ord/next[s] {
220. state_transition[s,s'] and s' != s
221. }
222. }
223.  
224. // The initial state is first in the order, i.e. all execution traces
225. // that we model begin in the initial state described by the Init predicate
226. fact init_state {
227. all s: ord/first {
228. Init[s]
229. }
230. }
231.  
232. // =========================== Properties ====================================
233.  
234.  
235. // An example assertion and check:
236. // Specifies that once the ICD is in the On mode, it never leaves
237. // the On mode in all future states in the execution trace,
238. // i.e. it stays in the On mode forever.
239. assert icd_never_off_after_on {
240. all s : State | all s' : ord/nexts[s] |
241. s.icd_mode = ModeOn implies s'.icd_mode = ModeOn
242. }
243.  
244. check icd_never_off_after_on for 10 expect 0
245.  
246.  
247.  
248. // Describes a basic sanity condition of the system about how the modes of the
249. // ICD system and the impulse generator are related to each other.
250. // This condition should be true in all states of the system,
251. // i.e. it should be an "invariant"
252. pred inv[s : State] {
253. s.icd_mode in s.impulse_mode
254. }
255.  
256. // Specifies that the invariant "inv" above should be true in all states
257. // of all execution traces of the system
258. assert inv_always {
259. inv[ord/first] and all s : ord/nexts[ord/first] | inv[s]
260. // NOTE (as a curiosity): the above is equivalent to saying
261. // all s : State | inv[s]
262. // This is because when checking this assertion, the linear order
263. // defined on States causes all States considered by Alloy to come
264. // from the linear order
265. }
266.  
267. // Check that the invariant is never violated during 15
268. // state transitions
269. check inv_always for 15
270. // <FILL IN HERE: does the assertion hold? why / why not?>
271. // NOTE: you will want to use smaller thresholds if getting
272. // counterexamples, so you can interpret them
273.  
274. // An unexplained assertion. You need to describe the meaning of this assertion
275. // in the comment <FILL IN HERE>
276. assert unexplained_assertion {
277. all s : State | (all s' : State | s'.last_action not in AttackerAction) =>
278. s.last_action in RecvChangeSettings =>
279. Patient not in s.last_action.who.roles
280. }
281.  
282. check unexplained_assertion for 5
283. // <FILL IN HERE: does the assertion hold? why / why not?>
284.  
285. // Check that the device turns on only after properly instructed to
286. // i.e. that the SendModeOn action occurs only after a RecvModeOn action has occurred
287. assert turns_on_safe {
288. // <FILL IN HERE>
289. }
290.  
291. // NOTE: you may want to adjust these thresholds for your own use
292. check turns_on_safe for 5 but 8 State
293. // <FILL IN HERE: does the assertion hold in the updated attacker model in which
294. // the attacker cannot guess Principal ids? why / why not?>
295. // what additional restrictions need to be added to the attacker model?
296.  
297. // Attacks still permitted by the updated attacker model:
298. //
299. // <FILL IN HERE>
300.  
301.  
302. // Relationship to our HAZOP study:
303. //
304. // <FILL IN HERE>