Spaces:
Sleeping
Sleeping
File size: 7,896 Bytes
448bbf6 684d7ae 448bbf6 684d7ae 448bbf6 0994042 448bbf6 684d7ae | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 | ---
title: EBSysMLSec-Py LLM HAZOP Analyzer
emoji: π
colorFrom: blue
colorTo: indigo
sdk: gradio
sdk_version: 5.9.1
app_file: app.py
pinned: false
---
# EBSysMLSec-Py: Formal Safety-Security Analysis with LLM-Assisted HAZOP
A Python reimplementation of the **EBSysMLSec** model transformation pipeline
(Poorhadi & Troubitsyna, SAFECOMP 2024), applied to a new domain and extended
with LLM-assisted HAZOP threat analysis.
**Domain:** Autonomous Insulin Pump Controller (medical safety-critical system)
**Original domain:** Railway moving-block signalling (CBTC)
**Contribution:** Python translator + LLM-assisted HAZOP β neither present in the original ATL/Eclipse toolchain
---
## What this project does
The original EBSysMLSec tool (written in ATL β ATLAS Transformation Language) takes
a SysML model of a safety-critical system and automatically generates Event-B machines
and contexts that can be formally verified in the Rodin prover. Security attacks are
injected as Event-B events; failing proof obligations show which safety invariants are
violated under attack.
This project reproduces that pipeline in Python and extends it:
```
sysml/insulin_pump.xmi
β
βΌ
translator/sysml_to_eventb.py β Python reimplementation of EBSysMLSec ATL rules
β
βββΆ eventb/InsulinPump.buc β Event-B context (sets, constants, axioms)
βββΆ eventb/InsulinPump.bum β Event-B machine (normal operation)
βββΆ eventb/attacks/Attack_Spoofing.bum β Attack A: sensor spoofing
βββΆ eventb/attacks/Attack_Injection.bum β Attack B: command injection
βββΆ eventb/attacks/Attack_Replay.bum β Attack C: replay attack
β
βΌ
hazop/hazop_analyzer.py β LLM-assisted HAZOP via Anthropic API [NEW]
β
βΌ
hazop/threats.json β 18 structured threat scenarios
β
βΌ
verification/proof_results.md β which Rodin POs hold / fail per attack
```
---
## System: Autonomous Insulin Pump Controller
Six SysML blocks connected by five information flows:
```
PatientProfile ββF2βββΆ DoseCalculator ββF3βββΆ SafetyMonitor ββF4βββΆ PumpActuator
β²
GlucoseSensor ββF1βββββββββββββ
NetworkInterface ββF5βββΆ DoseCalculator β attack surface
```
### Safety invariants (Event-B)
| Label | Predicate | Protection |
|---|---|---|
| **INV1** | `delivered_dose β€ MAX_SAFE_DOSE` | Overdose prevention |
| **INV2** | `delivered_dose > 0 β glucose_reading β₯ HYPO_THRESHOLD` | Hypoglycaemia protection |
| **INV3** | `delivered_dose > 0 β battery_level β₯ MIN_BATTERY_LEVEL` | Power safety |
| **INV4** | `delivered_dose > 0 β command_approved = TRUE` | Authorisation gate |
| **INV5** | `dose_request β€ MAX_SAFE_DOSE` | Calculator output bound |
### Attack scenarios and violated invariants
| Attack | HAZOP guide word | Flow | Violated | Event-B machine |
|---|---|---|---|---|
| A: Sensor spoofing | MORE on F1 | GlucoseSensor β DoseCalculator | **INV2** | `Attack_Spoofing.bum` |
| B: Command injection | AS WELL AS on F5 | NetworkInterface β DoseCalculator | **INV4** | `Attack_Injection.bum` |
| C: Replay attack | OTHER THAN on F5 | NetworkInterface β DoseCalculator | **INV1** | `Attack_Replay.bum` |
---
## Running the pipeline
```bash
pip install -r requirements.txt
# Full pipeline (Event-B generation + LLM HAZOP)
export ANTHROPIC_API_KEY=sk-ant-...
python run_pipeline.py
# Event-B generation only (no API key needed)
python run_pipeline.py --skip-hazop
# Gradio demo (uses pre-generated threats by default)
python app.py
```
---
## Verifying in Rodin
1. Download [Rodin Platform 3.7](http://www.event-b.org/install.html)
2. Install the [Camille plugin](https://wiki.event-b.org/index.php/Camille) (textual Event-B import)
3. Create a new Event-B project in Rodin
4. Add a new Context: paste content of `eventb/InsulinPump.buc`
5. Add a new Machine: paste content of `eventb/InsulinPump.bum` β Run Provers β **all POs discharge**
6. Add attack machines from `eventb/attacks/` β Run Provers β **specific POs fail**
Expected results per `verification/proof_results.md`:
| Machine | INV1 | INV2 | INV3 | INV4 | INV5 |
|---|---|---|---|---|---|
| Normal | β | β | β | β | β |
| + Spoofing | β | **β** | β | β | β |
| + Injection | β | β | β | **β** | β |
| + Replay | **β** | β | β | β | β |
β Rodin proof obligation discharged Β· **β** Proof obligation fails = invariant violated under attack
---
## LLM-Assisted HAZOP: the AI contribution
In the original Poorhadi & Troubitsyna papers, the HAZOP analysis is **manual** β a domain expert applies the seven guide words to each flow by hand. This project automates that step using Claude:
```python
from hazop.hazop_analyzer import analyze_system, INSULIN_PUMP_MODEL
threats = analyze_system(INSULIN_PUMP_MODEL)
# β list of 18 structured threat dicts, each linked to an Event-B attack event
```
The LLM receives the system model (blocks, flows, invariants) and applies HAZOP guide words systematically to produce the same structured threat table a human analyst would β but for any system, in seconds.
This is a direct demonstration of the PhD position's research question:
> *"how formally specified safety constraints can be derived using AI"*
---
## Repository structure
```
insulin-pump-formal/
βββ sysml/
β βββ insulin_pump.xmi SysML/XMI model (NCS style)
βββ translator/
β βββ sysml_to_eventb.py Python SysML β Event-B translator
βββ eventb/
β βββ InsulinPump.buc Event-B context
β βββ InsulinPump.bum Event-B machine (normal operation)
β βββ attacks/
β βββ Attack_Spoofing.bum Attack A: INV2 violated
β βββ Attack_Injection.bum Attack B: INV4 violated
β βββ Attack_Replay.bum Attack C: INV1 violated
βββ hazop/
β βββ hazop_analyzer.py LLM-assisted HAZOP (Anthropic API)
β βββ threats.json Pre-generated threat analysis
βββ verification/
β βββ proof_results.md Proof obligation results per scenario
βββ app.py Gradio demo (HF Spaces)
βββ run_pipeline.py Full pipeline entry point
βββ requirements.txt
```
---
## References
1. Poorhadi, E., Troubitsyna, E., DΓ‘n, G. (2022). *Analysing the Impact of Security Attacks on Safety Using SysML and Event-B.* IMBSA 2022. DOI: 10.1007/978-3-031-15842-1_13
2. Poorhadi, E., Troubitsyna, E. (2023). *Automating an Analysis of Safety-Security Interactions for Railway Systems.* RSSRail 2023. DOI: 10.1007/978-3-031-43366-5_1
3. Poorhadi, E., Troubitsyna, E. (2024). *Automating an Integrated Model-Driven Approach to Analysing the Impact of Cyberattacks on Safety.* SAFECOMP 2024. DOI: 10.1007/978-3-031-68738-9_5
4. Troubitsyna, E. (2024). *Formal Analysis of Interactions Between Safety and Security Requirements.* In: The Practice of Formal Methods. DOI: 10.1007/978-3-031-66673-5_8
5. Abrial, J.R. (2010). *Modeling in Event-B.* Cambridge University Press.
---
## What makes this original
| Aspect | Original EBSysMLSec | This project |
|---|---|---|
| Transformation language | ATL (Eclipse/EMF) | Python |
| Domain | Railway (CBTC moving block) | Medical device (insulin pump) |
| HAZOP | Manual | LLM-assisted (new contribution) |
| Attack modelling | Railway-specific attacks | Spoofing, injection, replay |
| Formal artefacts | Rodin XML format | Textual Event-B (Camille notation) |
| Distribution | Eclipse plugin | Python + Gradio + HF Spaces |
|