Spaces:
Sleeping
Sleeping
| title: EBSysMLSec-Py LLM HAZOP Analyzer | |
| emoji: π | |
| colorFrom: blue | |
| colorTo: indigo | |
| sdk: gradio | |
| sdk_version: 5.9.1 | |
| app_file: app.py | |
| pinned: false | |
| # EBSysMLSec-Py: Formal Safety-Security Analysis with LLM-Assisted HAZOP | |
| A Python reimplementation of the **EBSysMLSec** model transformation pipeline | |
| (Poorhadi & Troubitsyna, SAFECOMP 2024), applied to a new domain and extended | |
| with LLM-assisted HAZOP threat analysis. | |
| **Domain:** Autonomous Insulin Pump Controller (medical safety-critical system) | |
| **Original domain:** Railway moving-block signalling (CBTC) | |
| **Contribution:** Python translator + LLM-assisted HAZOP β neither present in the original ATL/Eclipse toolchain | |
| --- | |
| ## What this project does | |
| The original EBSysMLSec tool (written in ATL β ATLAS Transformation Language) takes | |
| a SysML model of a safety-critical system and automatically generates Event-B machines | |
| and contexts that can be formally verified in the Rodin prover. Security attacks are | |
| injected as Event-B events; failing proof obligations show which safety invariants are | |
| violated under attack. | |
| This project reproduces that pipeline in Python and extends it: | |
| ``` | |
| sysml/insulin_pump.xmi | |
| β | |
| βΌ | |
| translator/sysml_to_eventb.py β Python reimplementation of EBSysMLSec ATL rules | |
| β | |
| βββΆ eventb/InsulinPump.buc β Event-B context (sets, constants, axioms) | |
| βββΆ eventb/InsulinPump.bum β Event-B machine (normal operation) | |
| βββΆ eventb/attacks/Attack_Spoofing.bum β Attack A: sensor spoofing | |
| βββΆ eventb/attacks/Attack_Injection.bum β Attack B: command injection | |
| βββΆ eventb/attacks/Attack_Replay.bum β Attack C: replay attack | |
| β | |
| βΌ | |
| hazop/hazop_analyzer.py β LLM-assisted HAZOP via Anthropic API [NEW] | |
| β | |
| βΌ | |
| hazop/threats.json β 18 structured threat scenarios | |
| β | |
| βΌ | |
| verification/proof_results.md β which Rodin POs hold / fail per attack | |
| ``` | |
| --- | |
| ## System: Autonomous Insulin Pump Controller | |
| Six SysML blocks connected by five information flows: | |
| ``` | |
| PatientProfile ββF2βββΆ DoseCalculator ββF3βββΆ SafetyMonitor ββF4βββΆ PumpActuator | |
| β² | |
| GlucoseSensor ββF1βββββββββββββ | |
| NetworkInterface ββF5βββΆ DoseCalculator β attack surface | |
| ``` | |
| ### Safety invariants (Event-B) | |
| | Label | Predicate | Protection | | |
| |---|---|---| | |
| | **INV1** | `delivered_dose β€ MAX_SAFE_DOSE` | Overdose prevention | | |
| | **INV2** | `delivered_dose > 0 β glucose_reading β₯ HYPO_THRESHOLD` | Hypoglycaemia protection | | |
| | **INV3** | `delivered_dose > 0 β battery_level β₯ MIN_BATTERY_LEVEL` | Power safety | | |
| | **INV4** | `delivered_dose > 0 β command_approved = TRUE` | Authorisation gate | | |
| | **INV5** | `dose_request β€ MAX_SAFE_DOSE` | Calculator output bound | | |
| ### Attack scenarios and violated invariants | |
| | Attack | HAZOP guide word | Flow | Violated | Event-B machine | | |
| |---|---|---|---|---| | |
| | A: Sensor spoofing | MORE on F1 | GlucoseSensor β DoseCalculator | **INV2** | `Attack_Spoofing.bum` | | |
| | B: Command injection | AS WELL AS on F5 | NetworkInterface β DoseCalculator | **INV4** | `Attack_Injection.bum` | | |
| | C: Replay attack | OTHER THAN on F5 | NetworkInterface β DoseCalculator | **INV1** | `Attack_Replay.bum` | | |
| --- | |
| ## Running the pipeline | |
| ```bash | |
| pip install -r requirements.txt | |
| # Full pipeline (Event-B generation + LLM HAZOP) | |
| export ANTHROPIC_API_KEY=sk-ant-... | |
| python run_pipeline.py | |
| # Event-B generation only (no API key needed) | |
| python run_pipeline.py --skip-hazop | |
| # Gradio demo (uses pre-generated threats by default) | |
| python app.py | |
| ``` | |
| --- | |
| ## Verifying in Rodin | |
| 1. Download [Rodin Platform 3.7](http://www.event-b.org/install.html) | |
| 2. Install the [Camille plugin](https://wiki.event-b.org/index.php/Camille) (textual Event-B import) | |
| 3. Create a new Event-B project in Rodin | |
| 4. Add a new Context: paste content of `eventb/InsulinPump.buc` | |
| 5. Add a new Machine: paste content of `eventb/InsulinPump.bum` β Run Provers β **all POs discharge** | |
| 6. Add attack machines from `eventb/attacks/` β Run Provers β **specific POs fail** | |
| Expected results per `verification/proof_results.md`: | |
| | Machine | INV1 | INV2 | INV3 | INV4 | INV5 | | |
| |---|---|---|---|---|---| | |
| | Normal | β | β | β | β | β | | |
| | + Spoofing | β | **β** | β | β | β | | |
| | + Injection | β | β | β | **β** | β | | |
| | + Replay | **β** | β | β | β | β | | |
| β Rodin proof obligation discharged Β· **β** Proof obligation fails = invariant violated under attack | |
| --- | |
| ## LLM-Assisted HAZOP: the AI contribution | |
| In the original Poorhadi & Troubitsyna papers, the HAZOP analysis is **manual** β a domain expert applies the seven guide words to each flow by hand. This project automates that step using Claude: | |
| ```python | |
| from hazop.hazop_analyzer import analyze_system, INSULIN_PUMP_MODEL | |
| threats = analyze_system(INSULIN_PUMP_MODEL) | |
| # β list of 18 structured threat dicts, each linked to an Event-B attack event | |
| ``` | |
| The LLM receives the system model (blocks, flows, invariants) and applies HAZOP guide words systematically to produce the same structured threat table a human analyst would β but for any system, in seconds. | |
| This is a direct demonstration of the PhD position's research question: | |
| > *"how formally specified safety constraints can be derived using AI"* | |
| --- | |
| ## Repository structure | |
| ``` | |
| insulin-pump-formal/ | |
| βββ sysml/ | |
| β βββ insulin_pump.xmi SysML/XMI model (NCS style) | |
| βββ translator/ | |
| β βββ sysml_to_eventb.py Python SysML β Event-B translator | |
| βββ eventb/ | |
| β βββ InsulinPump.buc Event-B context | |
| β βββ InsulinPump.bum Event-B machine (normal operation) | |
| β βββ attacks/ | |
| β βββ Attack_Spoofing.bum Attack A: INV2 violated | |
| β βββ Attack_Injection.bum Attack B: INV4 violated | |
| β βββ Attack_Replay.bum Attack C: INV1 violated | |
| βββ hazop/ | |
| β βββ hazop_analyzer.py LLM-assisted HAZOP (Anthropic API) | |
| β βββ threats.json Pre-generated threat analysis | |
| βββ verification/ | |
| β βββ proof_results.md Proof obligation results per scenario | |
| βββ app.py Gradio demo (HF Spaces) | |
| βββ run_pipeline.py Full pipeline entry point | |
| βββ requirements.txt | |
| ``` | |
| --- | |
| ## References | |
| 1. Poorhadi, E., Troubitsyna, E., DΓ‘n, G. (2022). *Analysing the Impact of Security Attacks on Safety Using SysML and Event-B.* IMBSA 2022. DOI: 10.1007/978-3-031-15842-1_13 | |
| 2. Poorhadi, E., Troubitsyna, E. (2023). *Automating an Analysis of Safety-Security Interactions for Railway Systems.* RSSRail 2023. DOI: 10.1007/978-3-031-43366-5_1 | |
| 3. Poorhadi, E., Troubitsyna, E. (2024). *Automating an Integrated Model-Driven Approach to Analysing the Impact of Cyberattacks on Safety.* SAFECOMP 2024. DOI: 10.1007/978-3-031-68738-9_5 | |
| 4. Troubitsyna, E. (2024). *Formal Analysis of Interactions Between Safety and Security Requirements.* In: The Practice of Formal Methods. DOI: 10.1007/978-3-031-66673-5_8 | |
| 5. Abrial, J.R. (2010). *Modeling in Event-B.* Cambridge University Press. | |
| --- | |
| ## What makes this original | |
| | Aspect | Original EBSysMLSec | This project | | |
| |---|---|---| | |
| | Transformation language | ATL (Eclipse/EMF) | Python | | |
| | Domain | Railway (CBTC moving block) | Medical device (insulin pump) | | |
| | HAZOP | Manual | LLM-assisted (new contribution) | | |
| | Attack modelling | Railway-specific attacks | Spoofing, injection, replay | | |
| | Formal artefacts | Rodin XML format | Textual Event-B (Camille notation) | | |
| | Distribution | Eclipse plugin | Python + Gradio + HF Spaces | | |