Finite-Horizon Shield for Path Planning Ensuring Safety/Co-Safety Specifications and Security Policies

Abstract

With the development of network technology, security in path planning problems has attracted widespread attention. We consider a path planning problem in which a planner computes a finite path that satisfies a specification. We assume that the specification includes mandatory safety/co-safety specifications. Moreover, we consider a security policy for this path. However, we assume that the information leaked to an intruder is not known beforehand. Then, we propose an enforcement mechanism referred to as a finite-horizon shield. This mechanism modifies the path computed by the planner as small as possible to satisfy the safety/co-safety specifications and security policy under the leaked information. We assume that the safety/co-safety specifications are described by LTL <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${}_{f}$ </tex-math></inline-formula> formulas and the security policy by a hyperLTL <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${}_{f}$ </tex-math></inline-formula> formula. Subsequently, we convert the formulas into quantified formulas and compute the modified path using a satisfiability modulo theories solver. As an example, we consider an opacity problem where there is another path whose leaked information is the same as that of the modified path. By simulations, it confirms that the output of shield depends on the leaked information and the modified path may have additional movements to ensure opacity. We also compare the computation time of the shield with that of a security-aware planning by simulation.