Constraint-Based Monitoring of Hyperproperties

Hahn, Christopher; Stenger, Marvin; Tentrup, Leander

doi:10.1007/978-3-030-17465-1_7

Cited by 35 publications

(21 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…HyperLTL [8] is a successor of the temporal logic SecLTL [14] used to characterize temporal information flow. The model-checking [8,25,26], satisfiability [18,19,21], monitoring problem [1][2][3][4][22][23][24]33,34], and the first-order extension [31] of HyperLTL have been studied before. In [11], it has been shown that existential quantification in a HyperLTL formula can be reduced to strategic choice.…”

Section: Related Workmentioning

confidence: 99%

Synthesis from hyperproperties

et al. 2019

Self Cite

View full text Add to dashboard Cite

We study the reactive synthesis problem for hyperproperties given as formulas of the temporal logic HyperLTL. Hyperproperties generalize trace properties, i.e., sets of traces, to sets of sets of traces. Typical examples are information-flow policies like noninterference, which stipulate that no sensitive data must leak into the public domain. Such properties cannot be expressed in standard linear or branching-time temporal logics like LTL, CTL, or CTL *. Furthermore, HyperLTL subsumes many classical extensions of the LTL realizability problem, including realizability under incomplete information, distributed synthesis, and fault-tolerant synthesis. We show that, while the synthesis problem is undecidable for full HyperLTL, it remains decidable for the ∃ * , ∃ * ∀ 1 , and the linear ∀ * fragments. Beyond these fragments, the synthesis problem immediately becomes undecidable. For universal HyperLTL, we present a semi-decision procedure that constructs implementations and counterexamples up to a given bound. We report encouraging experimental results obtained with a prototype implementation on example specifications with hyperproperties like symmetric responses, secrecy, and information flow.

show abstract

Section: Related Workmentioning

confidence: 99%

Synthesis from hyperproperties

et al. 2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…The idea is to identify a set of propositions of interest and store corresponding constraints. A constraint-based algorithm for the complete fragment of ∀ 2 HyperLTL formulas has been proposed in [29]. The algorithms rewrite a HyperLTL formula and an incoming event into a constraint composed of a plain LTL requirement as well as a HyperLTL requirement.…”

Section: Structure Of This Articlementioning

confidence: 99%

“…Efficient model checking, synthesis, and satisfiability checking tools for HyperLTL already exist [12,[19][20][21][22]25,26]. Implementing an efficient runtime verification tool for HyperLTL specifications is, despite recent theoretical progress [1,[5][6][7]24,28,29,37], difficult: In principle, the monitor not only needs to process every observed trace, but must also store every trace observed so far, so that future traces can be compared with the traces seen so far.…”

Section: Introductionmentioning

confidence: 99%

Efficient monitoring of hyperproperties using prefix trees

Finkbeiner

Hahn

Stenger

et al. 2020

Int J Softw Tools Technol Transfer

Self Cite

View full text Add to dashboard Cite

Hyperproperties, such as non-interference and observational determinism, relate multiple computation traces with each other and are thus not monitorable by tools that consider computations in isolation. We present the monitoring approach implemented in the latest version of RVHyper, a runtime verification tool for hyperproperties. The input to the tool are specifications given in the temporal logic HyperLTL, which extends linear-time temporal logic (LTL) with trace quantifiers and trace variables. RVHyper processes execution traces sequentially until a violation of the specification is detected. In this case, a counterexample, in the form of a set of traces, is returned. RVHyper employs a range of optimizations: a preprocessing analysis of the specification and a procedure that minimizes the traces that need to be stored during the monitoring process. In this article, we introduce a novel trace storage technique that arranges the traces in a tree-like structure to exploit partially equal traces. We evaluate RVHyper on existing benchmarks on secure information flow control, error correcting codes, and symmetry in hardware designs. As an example application outside of security, we show how RVHyper can be used to detect spurious dependencies in hardware designs.

show abstract

“…HyperLTL [26] is a recently introduced temporal logic, which is an extension of Linear-time Temporal Logic (LTL) [27]. Runtime verification of information flow properties, including observational determinism, using HyperLTL is discussed in [28,29]. Verifying BOD using HyperLTL would be an interesting future work.…”

Section: Related Workmentioning

confidence: 99%

Bisimulation for Secure Information Flow Analysis of Multi-Threaded Programs

Noroozi

Karimpour

Isazadeh

2019

MCA

View full text Add to dashboard Cite

Preserving the confidentiality of information is a growing concern in software development. Secure information flow is intended to maintain the confidentiality of sensitive information by preventing them from flowing to attackers. This paper discusses how to ensure confidentiality for multi-threaded programs through a property called observational determinism. Operational semantics of multi-threaded programs are modeled using Kripke structures. Observational determinism is formalized in terms of divergence weak low-bisimulation. Bisimulation is an equivalence relation associating executions that simulate each other. The new property is called bisimulation-based observational determinism. Furthermore, a model checking method is proposed to verify the new property and ensure that secure information flow holds in a multi-threaded program. The model checking method successively refines the Kripke model of the program until the quotient of the model with respect to divergence weak low-bisimulation is reached. Then, bisimulation-based observational determinism is checked on the quotient, which is a minimized model of the concrete Kripke model. The time complexity of the proposed method is polynomial in the size of the Kripke model. The proposed approach has been implemented on top of PRISM, a probabilistic model checking tool. Finally, a case study is discussed to show the applicability of the proposed approach.

show abstract

Constraint-Based Monitoring of Hyperproperties

Cited by 35 publications

References 23 publications

Synthesis from hyperproperties

Synthesis from hyperproperties

Efficient monitoring of hyperproperties using prefix trees

Bisimulation for Secure Information Flow Analysis of Multi-Threaded Programs

Contact Info

Product

Resources

About