MGHyper: Checking Satisfiability of HyperLTL Formulas Beyond the \(\exists^*\forall^*\) Fragment

Hyperproperties are properties that refer to multiple computation traces. This includes many information-flow security policies, such as observational determinism, (generalized) noninterference, and noninference, and other system properties like symmetry or Hamming distances in error-resistant codes. We introduce MGHyper, a tool for automatic satisfiability checking and model generation for hyperproperties expressed in HyperLTL. Unlike previous satisfiability checkers, MGHyper is not limited to the decidable \(\exists^*\forall^*\) fragment of HyperLTL, but provides a semi-decision procedure for the full logic. An important application of MGHyper is to automatically check equivalences between different hyperproperties (and different formalizations of the same hyperproperty) and to build counterexamples that disprove a certain claimed implication. We describe the semi-decision procedure implemented in MGHyper and report on experimental results obtained both with typical hyperproperties from the literature and with randomly generated HyperLTL formulas.
