Verifying Opacity of Discrete-Timed Automata

Opacity is a powerful confidentiality property that holds if a system cannot leak secret information through observable behavior. In recent years, time has become an increasingly popular attack vector. The notion of opacity has therefore been extended to timed automata (TA). However, the verification of opacity of TA has been proven to be undecidable for the commonly used dense time model. To make the problem decidable, state of the art approaches consider weaker notions of opacity or heavily restrict the class of considered TA, resulting in unrealistic threat models. In this paper, we address the problem of verifying opacity of TA without restrictions. For this purpose, we consider a discrete time setting. We present a novel algorithm to transform TA to equivalent finite automata (FA) and then use known methods to verify opacity of the resulting FA. To improve the efficiency of our algorithm, we use a novel time abstraction that significantly reduces the state space of the resulting FA, improving the scalability of our approach. We validate our method using randomized systems, as well as four case studies from the literature showing that our approach is applicable in practice.


INTRODUCTION
As IT systems grow rapidly in size and complexity, the threat of data exposure in shared applications is increasing.Hence, it is critical to ensure that there are no leaks of secret information in such systems.Opacity is a powerful confidentiality p roperty t hat e nsures the absence of such leaks to an outside observer.Opacity is commonly defined for automata models.It holds if all observations of secret behavior, like reaching a secret state or detecting a secret output, are indistinguishable from observations of non-secret behavior.Then, it is impossible to deduce classified information about the system from the outside world.
In recent years, time has become an increasingly popular attack vector, as it allows information leaks that could not be captured by traditional untimed models like finite automata (FA).To ensure confidentiality of timed systems, opacity was extended to timed automata (TA), but proven to be undecidable for the dense time model [5], making it inapplicable in practice.A common way to overcome this problem of the dense time model is to either heavily restrict the class of considered TA [11,13,14,19], or significantly weaken the notion of opacity [2][3][4].Restrictions on the class of TA narrow the class of systems that can be verified.Weakening the notion of opacity leads to lesser levels of confidentiality.Both approaches therefore lead to less applicability in a real-world setting.
In this paper, we address this lack with a new method that efficiently verifies the opacity of TA without restricting the practical applicability.Our method comprises two key contributions.
We provide the first algorithmic approach to verify any notion of opacity on TA.The main idea of our approach is to assume a discrete time setting.A discrete time setting lets us transform TA to equivalent FA, called tick automata (-FA) [8].We then verify the opacity of -FA, using existing verification methods for FA, like [20].We thereby show that the opacity verification problem of TA in a discrete time setting is decidable.
In addition, we design a new algorithm to transform TA to equivalent -FA.In [8], such a transformation is presented in the context of a theoretical characterization of timed languages.Our transformation improves this approach in two crucial aspects.
First, we design a novel time abstraction that leads to smaller -FA.This makes our method both efficient and more widely applicable, as opacity verification methods scale exponentially with the number of states [20].Second, we design our transformation to be applicable to TA with arbitrarily many clocks.The transformation in [8], in contrast, is only applicable to TA with a single clock.Additional preprocessing steps are therefore required to use [8] on TA with multiple clocks 1 .Our transformation thus greatly simplifies the verification setup and eliminates additional computational overhead.
We validate our method by analyzing its runtime performance on randomized systems and four realistic case studies.
This paper is structured as follows.Section 2 introduces our system model and relevant definitions.Section 3 reviews related works.Section 4 presents our local time abstraction, and our transformation algorithm to transform TA to equivalent -FA.In Section 5, we evaluate our method, and Section 6 concludes this paper.

PRELIMINARIES
In this section, we provide relevant definitions and notation that we use for the remainder of this paper.As we consider the opacity of timed systems, a timed model is required.For this purpose, we use timed automata (TA) [1].The main idea of our method is to transform the given input TA to equivalent finite automata (FA).Then, we use known opacity verification methods [20] on the resulting FA, verifying also the opacity of the input TA, as both automata are equivalent.In Section 2.1, we provide formal definitions for both FA and TA.To model an opacity problem, a partially observable system is required, meaning that only some actions of the system are observable to the outside world.In Section 2.2, we define our system model and provide a formal definition of opacity.
For general notation, we denote the empty word by , a silent symbol by  ( ≠ ), and the power set of a given set  by P ().

Automata Models
To model finite automata (FA), we use the standard definition from the literature as follows.
Definition 2.1 (Finite Automata).A finite automaton (FA) is 6tuple  = (,  0 ,   ,   , Σ, Δ), where •  is a finite set of states, Let   :  × Σ → P ( ) be the transition function with To model timed systems, using FA, we use tick automata (-FA) [8].-FA are standard FA with an additional -symbol to model the passing of time.The alphabet Σ is thus extended to Σ ∪ { }.Since we assume a discrete time model, time can be divided into discrete -steps, which can then be interpreted by a -FA.Every state in a -FA therefore has at least one -transition.Timed Automata.We derive -FA from a given input system.We assume this input system to be a timed automaton (TA) [1].TA are similar to FA but extended with a finite set of clocks that can be reset and used in guards on transitions.
Definition 2.2 (Timed Automata).A timed automaton (TA) is a 7-tuple A = (,  0 ,   ,   , Σ, C, Δ), where •  is a finite set of locations, Notice that in A, a state (, ) consists of a location  ∈  and a clock valuation  ∈ N | C | .A transition ( 1 , , , ,  2 ) can be taken if the location  1 is currently active, the symbol  is read as input, and the current clock valuation  satisfies  ( |= ).After taking the transition,  2 is the new active location, and  ′ =   () is the new clock valuation.If a transition has no guard for a clock , we assume the guard [ ≥ 0] for this transition.
An example of a TA can be seen in our running example A  , depicted in Figure 1.A  has an initial location  0 , two accepting locations  1 and  2 , and a unique secret location  2 .We mark secret locations red and accepting locations using double borders.A secret may be revealed once an observer can infer that a secret location is active (cf.Def.2.4).Furthermore, A  has two clocks  1 and  2 and the alphabet Σ = {, }.Each transition is labeled with , , , where  ∈ Σ is an input symbol,  ∈ Γ({ 1 ,  2 }) is a guard, and  ∈ P ({ 1 ,  2 }) is a set of clocks that are reset.
Words and Languages.We now provide a formal definition of words and languages for the above automata models.Given an alphabet Σ, let  = ( 1 , 1 )( 2 , 2 )...(  ,  ) ∈ (Σ × N) * be a timed word.To have an equivalent definition of timed words for -FA, let ..      for a given timed word .We write   for a word, consisting only of  and a length of  ∈ N. In  (), each  symbolizes the passing of one time unit.
To model runs on words, the transition function  A of automaton A (FA or TA) is extended recursively for an alphabet Σ, with  A (, ) = {} and  A (, ) = A accepts a word  iff there exists  0 , such that  A ( 0 , ) contains an accepting state.If A is a FA,  0 is an initial state.If A is a TA,  0 = ( 0 ,  0 ) is an initial location with the initial clock valuation.The language L (A) is the set of all accepted words  of A.
Region Abstraction.Like in [8], we also adapt the standard region abstraction [1] to the discrete time setting.For this purpose, let  A : C → N be a function for a given TA A = (,  0 ,   ,   , Σ, C, Δ) with where  , is the largest constant in  for the clock .With  A , the region abstraction is defined as follows.

Notions of Opacity
To model an opacity problem, a partially observable system has to be assumed [15].This means that not every action of the system is observable to the outside world.The system model, we consider, is illustrated in Figure 2 and is the standard model in related works on opacity [17].With   , the observable behavior of the original system A is defined.This results in an observable system, that is visible from the outside world.An observer can only witness the observation   () of the original behavior that we model as a timed word .
Opacity holds if an observer cannot infer secret information from the observable behavior of the system.There exist multiple notions of opacity in the literature [15].Opacity of FA is well understood and since our presented method transforms TA to equivalent FA, we can verify any notion of opacity, using known methods.To illustrate our approach, we use current-state opacity (CSO) in this paper, since we evaluate our approach on four case studies on CSO in Section 5.2.However, any other notion of opacity could be verified analogously after our transformation.CSO is defined as follows.
Intuitively, CSO holds if, for any observation of reaching any secret state (  ()), a non-secret state can be reached with an identical observation(  ( ′ )).CSO of TA is defined analogously.

RELATED WORK
There exist multiple works regarding timed opacity verification.However, all these works consider a dense time setting and therefore restrict themselves either to a weaker notion of opacity or only a strict subclass of TA.
[5] first adapt the notion of opacity to a dense time setting and prove that the verification problem is undecidable.
In [2], non-zeno TA are considered.The authors introduce new notions of opacity, where time is bounded, meaning that opacity only has to hold for a limited time.These notions of opacity are verifiable but weakened and not applicable to systems with unbounded time.
[4] propose a different setting with a weaker observer model.Here, an observer can only measure the total execution time instead of the timing of every single event.This assumption heavily weakens the proposed notion of opacity and restricts the applicability.
In [13], [14], and [19], state-based notions of opacity are adopted to real time automata (RTA).RTA are a very restricted subclass of TA with a single clock that is reset along each transition.In [11], the authors consider weighted automata as a restricted subclass of timed automata, where weights on transitions constitute their possible timings.Both models are restricted classes of TA and therefore limit the applicability in a real-world setting.

VERIFYING OPACITY OF TIMED AUTOMATA
Having covered fundamentals, we now present our method to verify opacity of TA.An overview of our method is depicted in Figure 3.Our key idea is to use a discrete time model.A discrete time model allows us to transform TA to equivalent -FA [8] (Step 1).We then use known opacity verification methods [20] on the resulting -FA to verify any notion of opacity (Step 2).Opacity verification methods generally scale exponentially with the number of states of Algorithm 1

Opacity Verifier
Input TA

𝜏-FA Result
Step 1: Transformation Step 2: Verification the input FA [20].It is therefore critical that Step 1 generates -FA with as few states as possible to ensure scalability.
In [8], a language theoretical characterization of timed languages is provided.To this end, a transformation from TA to equivalent -FA is developed.The authors partition time into discrete steps (-transitions), modeling the passing of single time units.Each -FA state is a pair (,  ) of a TA location  and a clock region  [1] of the given TA.Each state has a transition (,  )  − → (,  ′ ), where  ′ is the successor region of  .The original transitions of the TA are then translated to the corresponding states in the -FA.The region abstraction   [1] provides a finite state space and guarantees equivalent behavior.
However, due to the use of   , this transformation produces unnecessarily many states in the resulting -FA, hindering the application of opacity verification methods for large systems.Furthermore, the transformation is only defined for TA with a single clock.In discrete time, TA can always be transformed to equivalent TA with a single clock by significantly increasing the number of locations [6].The transformation in [8] therefore requires such a preprocessing step.
We improve the transformation in [8] in two ways: (1) Instead of   , we use a tighter local time abstraction   , reducing the required state space of the resulting -FA.(2) Our transformation algorithm is applicable to TA with an arbitrary number of clocks.(1) reduces the number of states in the resulting -FA.This significantly improves the scalability of our approach, as verifying any notion of opacity on FA has exponential complexity [20].
(2) removes the required preprocessing step to reduce the number of clocks in a TA to make the transformation in [8] applicable.By saving this computation step, we further increase the efficiency of our method.
We present our local time abstraction   in Section 4.1 and our transformation algorithm in Section 4.2.In Section 4.3, we demonstrate how our method can be used to verify opacity of TA.

Local Time Abstraction
In order to employ known opacity verification methods, we need to transform the input TA to equivalent -FA.Such a transformation requires a time abstraction to compute a finite state space of the -FA.In the following, we first motivate our local time abstraction   , and then provide a formal definition.Finally, we prove required properties of   for our transformation algorithm (cf.Section 4.2).
The main idea of the transformation in [8], is to enumerate all clock valuations  in each location  of the TA.Each such pair (, ) is then a state in the -FA.As there generally is an infinite number of possible clock valuations, a time abstraction is needed, that groups clock valuations that lead to equivalent behavior.With a finite number of such equivalence classes, we then get a finite state space for the -FA.In [8], the region abstraction   [1] is used for this purpose.
The problem is that   produces unnecessarily many equivalence classes, and thus, states in the resulting -FA.  only groups clock valuations in equivalence classes that can never be distinguished in any location.We propose a local time abstraction that considers behavior only on a local level, producing less equivalence classes.
The key idea of our local abstraction is to group all clock valuations that can never be distinguished in the current location.This results in significantly less total equivalence classes.
Consider our example TA A  (Fig. 1).Here,   provides different regions for  2 ∈ {0, 1, 2}.This distinction is necessary in  0 but not in  1 and  2 , as there are no transitions with guards to distinguish values of  2 .On a local level in  1 or  2 ,  2 = 0,  2 = 1, and  2 = 2 could all be grouped in the same equivalence class.  therefore produces more equivalence classes than necessary in these locations.
However, it is also not sufficient to only consider singular locations for a local time abstraction, as clock valuations that are treated equivalently in one location, might be distinguishable in a different but reachable location.It is therefore necessary to identify the set of locations that could distinguish clock valuations, reachable from a considered starting location.
Consider  0 and  1 in A  (Fig. 1). 0 has no transition with a guard for  1 .Any value of  1 is therefore treated equivalently in  0 . 1 has a transition with the guard [ 1 > 1] and can therefore distinguish  1 = 0,  1 = 1, and  1 > 1.Consider the timed words  1 = (, 1)(, 1) and  2 = (, 2)(, 2).For  2 we would get the run ( 0 , ⟨0, 0⟩) For  1 we would get the run ( 0 , ⟨0, 0⟩) and then there would be no transition for . 1 = 1 and  1 = 2 can therefore not be viewed as equivalent in  0 .Generally, for a location , it is therefore necessary to identify all reachable locations that could distinguish clock valuations that are treated equivalently in .We can then use this set of locations to determine the local time abstraction of .
We find that in general, in a location  for a clock , only locations that can be reached from , without resetting , must be considered to find a local abstraction.Moreover, locations reached by a transition with a guard  that contains [ < ] or [ ≤ ] for  ∈ N, do not have to be considered, as  then provides an upper bound for  in these locations.If a guard  does not contain [ < ] or [ ≤ ] for a clock  and  ∈ N, we say that  does not bound .
To formalize this idea, we define the clock reach  of a clock  in a location .
Definition 4.1 (Clock Reach).Given a TA A = (,  0 ,   ,   , Σ, C, Δ) (Def.2.2), let  be a function with Intuitively, given a location  and a clock ,  (, ) identifies all locations that have to be considered for the local abstraction for  in .With  (, ), we can compute a local time abstraction for  with regards to , similar to the region abstraction   [1].For this purpose, we do not use the largest (global) constant  () of the given TA (like   ), but the largest local constant in  (, ) instead.Similar to   , we can view all clock values of  for  >  () as equivalent.To formalize this idea, we define the largest local constant  of a set of locations  for a clock  as follows.Intuitively,  computes the largest constant that a clock  can be compared to in a set  of locations. ( (, ), ) therefore identifies the largest constant  that can be compared to  from .
Having defined the clock reach  and the largest local constant , we now provide the formal definition of our local abstraction   as follows.We extend the definition of   to whole clock valuations, with Intuitively,   maps a clock valuation  to an equivalent clock valuation  ′ in a location .

Definition 4.5 (Locally Equivalent Clock Valuations). Given a TA
Having defined ∼   , we have the following result.Proof.By definition, ∼   is reflexive, symmetric, transitive, and thereby an equivalence relation.Let  be the largest constant in any guard in A and let   = ⟨ +1,  +1, ...,  +1⟩ be a clock valuation.For any larger clock valuation  ′ ∈ N | C | with  ′ () ≥   () for all  ∈ C, we have ((,   ), (,  ′ )) ∈∼   .As there exist only a finite number of clock valuations that cannot be in the equivalence class of   , there must exist only finitely many equivalence classes.□ Intuitively, Lemma 4.6 states that for each location , there exist only finitely many equivalence classes of clock valuations.This means that we can represent a location  by a finite number of states (, ), where  is a representative of its equivalence class.We use this fact to transform TA to equivalent -FA in the following section.We denote the equivalence class of (, ) by [, ] ∼   .

Transformation to Tick Automata
Having defined our local time abstraction   in the previous section, we now present our transformation from a given TA to an equivalent -FA.Definition 4.7 (Equivalent Tick Automata).Given a TA A = (,  0 ,   ,   , Σ, C, Δ) (Def.2.2) with  ∉ Σ and its local time abstraction relation ∼   , we define the -FA  = (,  0 ,   ,   , Σ ∪ { }, Δ  ∪ Δ  ) of A, where Figure 5: Estimator E  of example TA A  , assuming only  is observable.
Intuitively, Δ  contains all -transitions, modeling the passing of time.Δ  contains all -transitions of the original TA, translating the actual behavior on input.Our definition is similar to the one [8].However, our definition is more general, as it is applicable to general TA with arbitrary many clocks.
Notice that instead of   , we could also use the standard region abstraction   [1].The resulting -FA could then have significantly more states, as   may produce more equivalence classes per state.For both   and   ,  has || • ( + 1) | C | states in the worst case, where  is the largest constant in any guard.  therefore does not improve the worst-case complexity of our transformation method, compared to   .However, it is unlikely that   and   produce the same states, as  ( (, )) =  () would have to hold for any clock  ∈ C and any location  ∈  of a TA A = (,  0 ,   ,   , Σ, C, Δ).In Section 5, we compare both methods on randomized TA and show that   generally produces less states and thus leads to a more efficient transformation.Consider A  (Fig. 1).According to Definition 4.7, the equivalent -FA   is depicted in Figure 4.
With Definition 4.7, we have the following result.
Theorem 4.8 (Language Eqivalence).Given a TA A = (,  0 ,   ,   , Σ, C, Δ) (Def.2.2) and its -FA  (Def.4.7), the following holds Since  ∈ L (A), there exists a path  = ( 0 ,  0 ) As we assume discrete time, we can enumerate each time step and rewrite each (  ,   ) From  , we derive   by rewriting each such sequence as (  ,   (  ,   )) , where   is the set of clocks that are reset on the original TA-transition of   .Because of Lemma 4.4, if  exists in A,   must also exist in A. By definition of ,   is a path in . ( Then, by definition of , there must exist a run 1) and ( 2), ∀ ∈ (Σ × N) * :  ∈ L (A) ⇔  () ∈ L () holds. □ With Algorithm 1 we provide an algorithmic approach to compute the -FA, defined in Definition 4.7.Lines 1-4 contain the initialization of our algorithm.In Line 1, we initialize the queue  to keep track of newly discovered states.Each state that is enqueued in  is marked and we only enqueue unmarked states.In Line 2-4, we enqueue all initial states.Lines 5-18 contain the main loop of our algorithm.In Line 6, we first dequeue the first state (, ) of .For each discovered state (, ) we complete the three following steps: (1) identify all enabled -transitions (Lines 7-11), ( 2) update all state sets (Line 12), and (3) identify all successor states (Lines 13-17).(, ) ← dequeue first element of  Update ,  0 ,   , and   for (, )  For Step (1), we go through all transitions that are enabled for  in  (Line 7) and compute the resulting clock valuation  ′ for taking the transition (Line 8).For such enabled transitions to  ′ in A, we add a -transition to Δ  (Line 9).( ′ ,  ′ ) is then enqueued in  (Line 10).
In Step (3), we evaluate all distinguishable future clock valuations of .If two clock valuations have the same abstraction in , all future clock valuations will be indistinguishable and we stop (Line 13).If this is not the case (,  + 1) must be evaluated and we update  to its successor clock valuation  + 1 (Line 14).To make this new state accessible, we add a -transition to it (Line 15) and enqueue it in  for future evaluation (Line 16).
Algorithm 1 always terminates, since there are only finitely many  ∈  in A and ∼   produces only finitely many equivalence classes.

Opacity Verification on Tick Automata
In the previous section, we provide an algorithmic approach to derive an equivalent -FA  from any given TA A. As  has equivalent behavior, we can employ any known opacity verification method on FA to verify the opacity of A. We thereby show that any notion of opacity for FA can be verified on TA in a discrete time setting.We illustrate this approach by considering the verification of current-state opacity (CSO) in this paper.Intuitively, CSO means that it is not possible to infer that currently a secret state is active.
To verify CSO of a given FA , an estimator E is required [16].To compute E, every unobservable symbol in  is replaced by .Then,  is determinized, resulting in the DFA E [16].Each state in E is then an estimate of all states that could currently be active.If there exists a reachable estimate in E that only contains secret states, it means that at this point a secret state must be active.CSO therefore holds if there exists no reachable estimate in E that contains only secret states [16].
We employ this technique in combination with our transformation to verify CSO of TA.As  has || • ( + 1) | C | states in the worst case (cf.Section 4.2) and  can be determinized in  (2 || ) [9], we have the following result.Theorem 4.9 (Current-State Opacity of Timed Automata).
where  is the largest constant in any guard of A.
Consider our example TA A  (Fig. 1) and the equivalent -FA   (Fig. 4).We assume that only  is observable and apply the standard FA determinization on   [9], obtaining estimator E  depicted in Figure 5.Each state in E  is an estimate of the currently active states of   .CSO does not hold, as E  contains a reachable estimate that contains only secret states with {( 2 ⟨1, 1⟩)}.

EVALUATION
In this section, we analyze the efficiency and applicability of our method.To measure the efficiency of our local time abstraction   , we compare it to the region abstraction   [1] in our transformation algorithm (cf.Section 4.2).We first test our method by transforming randomized TA to equivalent -FA using our novel algorithm with   and   .In a second step, we evaluate our method on four case studies from the literature.We verify current-state opacity (CSO) in all four systems and thereby demonstrate how our method can be used to verify opacity of real-world systems.To this end, we have implemented a prototype of our method [10]2 .All tests were performed on an Intel Core i7-1365 CPU with 32GB of RAM.

Randomized Systems
We have generated the randomized systems from two parameters   , and   , corresponding to the number of locations, and the largest constant in any guard, respectively, as those parameters directly impact the complexity of our transformation (cf.Section

4.2).
To sample the number of transitions in each location, we have used a uniform distribution with a mean of 2. Each transition has a randomized guard.We use a single clock in each system, as in discrete time, TA with multiple clocks can always be transformed to TA with a single clock by increasing the number of locations [6].Testing higher numbers of clocks is therefore equivalent to testing higher numbers of locations, which we do by varying   in our first experiment.We have selected the parameter ranges to be similar to our case studies.
To assess the efficiency of our local time abstraction   , we are interested in the size and computation times of the transformed -FA.For this purpose, we have tested our novel transformation algorithm for each randomized system, using   and   .We have measured the runtimes of computing both the abstraction and the -FA.Furthermore, we have also recorded the number of states of the resulting -FA.We have performed each experiment 10 3 times and averaged the outcomes.The results are depicted in Figure 6 and Figure 7.The computation times of the abstractions ( ()) are depicted in the left diagram.The computation times of the -FA with, and without the computation time of the corresponding abstraction, are depicted in the middle diagram ( () +  () and  () respectively).In the right diagram, we depict the number of states (||) of the -FA.
In our first experiment, we have varied the number of locations   , with   ∈ {1, 2, ..., 100}, and fixed the largest constant in any guard   = 50.The results are depicted in Figure 6.We see a linear growth of the computation times for both abstractions with an increase of   .However, the increase of computation time for   is higher, compared to   .This is the case, as every location has to be evaluated separately to compute   (cf.Section 4.1).  on the other hand can be computed significantly faster, as locations do not have to be considered individually.For the number of states of the equivalent -FA , we see a decrease in all experiments, when   is used.The runtime of computing  is thus also shorter, when   is used, as generally fewer states are produced.The total runtimes of computing both the abstraction  and the -FA  are also shorter for   in all experiments.The higher computation time, required for   is therefore compensated by its increase of efficiency in computing the -FA.This effect is highlighted in Figure 6b, where the difference between  () and  () +  () is marginal.
In our second experiment, we have varied the largest constant in any guard   , with   ∈ {0, 1, ..., 100}, and fixed the number of locations   = 50.The results are depicted in Figure 7.The computation times of the abstractions stay almost constant for an increase of   , as the number of locations is the same in each system.Again, the computation time of   is higher, compared to   .The results for the transformation to the -FA are similar to our first experiment.  again provides an improvement for both the number of states and the computation times of the -FA.Again, the total computation times of the -FA are only slightly affected by the computation times of the abstractions.
Despite the fact that   and   produce the same number of states in the worst case (cf.Section 4.2), our experiments show that   generally provides smaller -FA in a shorter computation time.This improvement is significant as all opacity verification methods scale exponentially with the number of states of the input FA [20].Moreover, our results imply that this increase in efficiency generally compensates for the higher computation time of   , as highlighted by Figure 6b and 7b.

Case Studies
In this section, we demonstrate the applicability of our method to real-world systems.For this purpose, we evaluate our method using four case studies from the literature [2,3,12,18].To test our method, we slightly modify some systems, as we describe below.Table 1 provides an overview of all evaluated systems, organized by the respective number of locations (||), transitions (|Δ|), maximum time constants (), symbols (|Σ|), and observable symbols (|Σ  |).Furthermore, three of the four case studies are depicted in Figure 8, with observable symbols written in black and unobservable symbols written in grey.In the following, we give a brief explanation of all case studies.
(b) Medical service from [18] with additional time constraints.Cloud System.The first system (A  ) is the case study in [2] and depicted in Figure 8a.The system is a cloud system that allows a customer to first authenticate () and then purchase products online (  ).The purchased product can be provided from three different storage locations: local (stock) and two clouds  1 and  2 .The main cloud might therefore prepare the product from stock (  ), or order the product from  1 or  2 (  ).Then, a confirmation   is sent, regardless of the storage location.For  1 and  2 this may lead to the secret locations  11 and  12 , indicating that the product was ordered from a remote location.Requesting from  1 or  2 is secret behavior.The customer should therefore not be able to infer that  11 or  12 are currently active.However, such detection is not possible in this system, as the paths through  11 and  12 cannot be distinguished from the non-secret path to  6 .The system is therefore safe (CSO holds).We assume the same observability as in [2] (Σ  = {, ,   ,   ,   ,   }).For a full explanation and further detail on this system, we refer to [2].Medical Service.The second system (A  ) is a medical service, examined in [18] and depicted in Figure 8b.The heart rate data of a patients is sent through a network, passing multiple services ( 0 ,  1 ,  2 ,  3 ).The data is private and all services should therefore be executed on safe private clouds ( 1 and  2 ).However,  2 is resource intensive and would be cheaper to execute on a public cloud ( 3 ), breaching confidentiality.The locations  2 2 and  2 3 in  3 are therefore secret and an outside observer should not be able to detect that they are currently active.The original system in [18]  constraints.To evaluate our approach, we add time constraints, making the system unsafe (CSO does not hold).We assume internal events of clouds to be unobservable (Σ  = { 1 ,  3 ,  5 ,  6 }).For a full explanation and further detail on this system, we refer to [18].
Sensor Network.The third system (A  ) is based on the work in [12].Here, a network of sensor nodes is deployed in an area to detect a moving agent.The area is divided into secret and nonsecret locations.The task for the sensor nodes is now to detect the agent entering a secret location.We have constructed an example system in a 5 × 5 grid with a single clock that is reset in each state, tracking the time it takes the agent to travel from one location to the next.Our system has a single secret location, and it is not possible for the sensor network to detect the agent entering it (CSO holds).For further detail on the construction on such case studies, we refer to [12].Due to the size of the system, we do not depict it here but provide a full explanation in [10].ATM.Our final system (A  ) is an ATM and the case study in [3].The system has two clocks to track local time ( 1 ) and global time ( 2 ).A user is first asked for a password (?).After entering the password (!), the user has the choice of quick withdrawal ( ), normal withdrawal ( ), and a request of the account balance ().A quick withdrawal initiates a waiting phase ( ) and then provides the cash ().The user can then take the cash ().For a normal withdrawal, a user can enter the correct amount () and is then given the cash ( ).Again, the user can then take the cash ().Most locations have a timeout (), which cancels () the process in some situations.For a full explanation and further detail on this system, we refer to [3].We slightly modified the system by removing two loops that can be taken three times.We removed these loops, as our TA model does not allow the counting of variables.Further, for both withdrawals, we added the states  1 and  2 .To model a CSO problem, we deem a quick withdrawal ( 1 ) as secret behavior.We assume all system actions to be unobservable and all user actions to be observable (Σ  = {!,  ,  , , , , , ,  }).It is possible to detect that  1 is active.CSO therefore does not hold.
Results.To evaluate our case studies, we again compare   to   using our transformation algorithm.To this end, we have first computed an equivalent -FA , and then an estimator E to verify CSO.CSO is verified by checking, whether there exists a reachable estimate in E, consisting only of secret states (cf.Section 4.3).We have evaluated each system 10 times and averaged the runtimes.All runtimes are measured in .Furthermore, we recorded the number of states of all computed models.The results are presented in Table 2.
Similar to our tests on randomized systems, we have higher computation times for   , compared to   .However,   provides a significant reduction in the number of states and the computation times of the resulting -FA .Moreover, the time to compute the estimator E, and thereby verify CSO, is significantly reduced in every evaluated system.Again, the reduced computation times of  and E compensate for the higher computation times of   .The improvements, regarding the computation times of E, range from -55.42% (A  ) to -86.22% (A  ).The improvements, regarding the number of states of E, are slightly lower but still significant, ranging from -43.92% (A  ) to -88.28% (A  ).Overall, our results show that our method is applicable to large real-world systems and   yields a significant improvement in the scalability of our opacity verification method.As other opacity verification methods have similar complexity [20], we expect similar results for other notions of opacity.

CONCLUSION
In this paper, we addressed the problem of verifying opacity of timed automata (TA) in a discrete time setting without restrictions.We provide a novel algorithmic approach to transform general TA to equivalent -FA.We develop a local time abstraction, reducing the state space of the resulting -FA.The reduced state space lets us employ known opacity verification methods in reasonable runtime.We have validated our method using randomized systems, as well as four case studies from related works.We have shown that our method is scalable and applicable to real world systems.To the best of our knowledge, our method is the first to verify opacity of TA in a realistic and practical setting without restrictions on the notion of opacity, or the threat model.
Our work enables various exciting possibilities for future work.Even though we have only discussed opacity verification problems, our method also enables FA-based opacity enforcement techniques that we intend to examine.Further, we plan to explore verification methods on different kinds of discrete-timed models.As -FA enumerate single time steps, finer time scales might still lead to too large -FA, even with a minimal state space.More compact models that do not rely on time step enumeration might therefore lead to better results for systems with long measurable time spans.Apart from opacity, our new transformation can also be applied to any state inference property, like detectability, predictability, and diagnosability [20].This implies that these properties are decidable in a discrete time model, which is for example not the case for weak detectability in a dense time model [7].

Figure 1 :
Figure 1: Example TA A  with secret location  2 .
For brevity, we also write shorter versions of guards, if they can be expressed by Γ(C), like [ = ] instead of [ ≤  ∧  ≥ ].If a guard  is satisfied by a clock valuation , we write  |= .

Figure 3 :
Figure 3: Overview of the presented method.

Figure 4 :
Figure 4: Derived -FA from example TA A  .
c) Slightly modified ATM A  from[3].

Figure 8 :
Figure 8: Case studies from the literature.

Table 2 :
does not have time  (  )  (  ) |  | |  |  (  ) Results of the tests on the case studies.