Verifying Hyperliveness

HyperLTL is an extension of linear-time temporal logic for the specification of hyperproperties, i.e., temporal properties that relate multiple computation traces. HyperLTL can express information flow policies as well as properties like symmetry in mutual exclusion algorithms or Hamming distances in error-resistant transmission protocols. Previous work on HyperLTL model checking has focussed on the alternation-free fragment of HyperLTL, where verification reduces to checking a standard trace property over an appropriate self-composition of the system. The alternation-free fragment does not, however, cover general hyperliveness properties. Universal formulas, for example, cannot express the secrecy requirement that for every possible value of a secret variable there exists a computation where the value is different while the observations made by the external observer are the same. In this paper, we study the more difficult case of hyperliveness properties expressed as HyperLTL formulas with quantifier alternation. We reduce existential quantification to strategic choice and show that synthesis algorithms can be used to eliminate the existential quantifiers automatically. We furthermore show that this approach can be extended to reactive system synthesis, i.e., to automatically construct a reactive system that is guaranteed to satisfy a given HyperLTL formula.
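The following added example (not code from the paper or its authors) makes the distinction in the abstract concrete on a toy finite-state model constructed here. It checks the alternation-free formula for observational determinism, ∀π ∀π'. G (o_π = o_π'), as a plain trace property over the self-composition (the product of the trace set), and the secrecy formula with quantifier alternation, ∀π ∃π'. (s_π ≠ s_π') ∧ G (o_π = o_π'), first by searching for the existential trace and then by replacing the existential quantifier with a strategy that builds π' one step at a time while reading π. The model, the bounded-trace approximation (length-k prefixes instead of infinite traces), and the hand-written strategy `flip_secret_copy_obs` are assumptions of this example; the paper synthesizes such strategies automatically rather than taking them as input.

```python
"""Bounded-trace check of HyperLTL formulas with and without quantifier
alternation on a toy model (constructed example, not the paper's tool)."""
from itertools import product
from typing import Callable, Iterable

State = tuple[int, int, int]   # (secret bit s, observable bit o, phase: 0 = initial, 1 = later)
Trace = tuple[State, ...]
Strategy = Callable[[Trace, Trace], State]


def bounded_traces(init: Iterable[State], succ: Callable[[State], list[State]], k: int) -> list[Trace]:
    """All length-k prefixes of runs of the model given by init and succ."""
    frontier: list[Trace] = [(s,) for s in init]
    for _ in range(k - 1):
        frontier = [t + (n,) for t in frontier for n in succ(t[-1])]
    return frontier


def same_observations(t1: Trace, t2: Trace) -> bool:
    """The LTL body G (o_π = o_π') evaluated on a pair of finite trace prefixes."""
    return all(a[1] == b[1] for a, b in zip(t1, t2))


def observational_determinism(ts: list[Trace]) -> bool:
    """∀π ∀π'. G (o_π = o_π'): alternation-free, so it is a trace property
    over the self-composition, i.e. over every pair of traces."""
    return all(same_observations(t1, t2) for t1, t2 in product(ts, repeat=2))


def secrecy(ts: list[Trace]) -> bool:
    """∀π ∃π'. (s_π ≠ s_π') ∧ G (o_π = o_π'): the inner quantifier is an
    existential search per universally quantified trace, not a product."""
    return all(
        any(t1[0][0] != t2[0][0] and same_observations(t1, t2) for t2 in ts)
        for t1 in ts
    )


def secrecy_by_strategy(init: Iterable[State], succ: Callable[[State], list[State]],
                        k: int, strategy: Strategy) -> bool:
    """Existential quantifier replaced by strategic choice: π' is built one
    step at a time by strategy(prefix_of_π, prefix_of_π'), which must pick a
    successor the model allows. True iff the built π' is a witness for every π."""
    init = list(init)
    for t1 in bounded_traces(init, succ, k):
        t2: Trace = ()
        for i in range(k):
            allowed = init if i == 0 else succ(t2[-1])
            choice = strategy(t1[: i + 1], t2)
            if choice not in allowed:          # strategy left the model: no witness
                return False
            t2 = t2 + (choice,)
        if not (t1[0][0] != t2[0][0] and same_observations(t1, t2)):
            return False
    return True


# Model A (constructed): the secret is fixed per run and the observable bit is
# chosen freely at every step, independent of the secret.
INIT = [(0, 0, 0), (1, 0, 0)]

def succ_a(st: State) -> list[State]:
    s, _, _ = st
    return [(s, 0, 1), (s, 1, 1)]

# Model B (constructed): identical, except that the first step copies the
# secret into the observable bit, leaking it to the observer.
def succ_b(st: State) -> list[State]:
    s, _, phase = st
    return [(s, s, 1)] if phase == 0 else [(s, 0, 1), (s, 1, 1)]


def flip_secret_copy_obs(pi: Trace, pi2: Trace) -> State:
    """Hand-written strategy (assumption): flip the secret, copy π's observation."""
    s, o, _ = pi[-1]
    return (1 - s, o, 0 if not pi2 else 1)


if __name__ == "__main__":
    for name, succ in (("A", succ_a), ("B", succ_b)):
        ts = bounded_traces(INIT, succ, 3)
        print(name, "OD:", observational_determinism(ts), "secrecy:", secrecy(ts),
              "secrecy via strategy:", secrecy_by_strategy(INIT, succ, 3, flip_secret_copy_obs))
```

Model A violates observational determinism (the observable bit varies between runs) yet satisfies secrecy, which is exactly the kind of hyperliveness property a universal-only formula cannot state; model B fails secrecy because the observer can tell the two secret values apart at the second step, and the strategy check reports the failure when its chosen successor is not one the model allows.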
