Model Checking Quantitative Hyperproperties

Finkbeiner, Bernd; Hahn, Christopher; Torfah, Hazem

doi:10.1007/978-3-319-96145-3_8

Cited by 50 publications

(44 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…HyperLTL [8] is a successor of the temporal logic SecLTL [14] used to characterize temporal information flow. The model-checking [8,25,26], satisfiability [18,19,21], monitoring problem [1][2][3][4][22][23][24]33,34], and the first-order extension [31] of HyperLTL have been studied before. In [11], it has been shown that existential quantification in a HyperLTL formula can be reduced to strategic choice.…”

Section: Related Workmentioning

confidence: 99%

Synthesis from hyperproperties

et al. 2019

Self Cite

View full text Add to dashboard Cite

We study the reactive synthesis problem for hyperproperties given as formulas of the temporal logic HyperLTL. Hyperproperties generalize trace properties, i.e., sets of traces, to sets of sets of traces. Typical examples are information-flow policies like noninterference, which stipulate that no sensitive data must leak into the public domain. Such properties cannot be expressed in standard linear or branching-time temporal logics like LTL, CTL, or CTL *. Furthermore, HyperLTL subsumes many classical extensions of the LTL realizability problem, including realizability under incomplete information, distributed synthesis, and fault-tolerant synthesis. We show that, while the synthesis problem is undecidable for full HyperLTL, it remains decidable for the ∃ * , ∃ * ∀ 1 , and the linear ∀ * fragments. Beyond these fragments, the synthesis problem immediately becomes undecidable. For universal HyperLTL, we present a semi-decision procedure that constructs implementations and counterexamples up to a given bound. We report encouraging experimental results obtained with a prototype implementation on example specifications with hyperproperties like symmetric responses, secrecy, and information flow.

show abstract

Section: Related Workmentioning

confidence: 99%

Synthesis from hyperproperties

et al. 2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…Related Work. While the verification of general HyperLTL formulas has been studied before [6,17,18], there has been, so far, no practical model checking algorithm for HyperLTL formulas with quantifier alternation. The existing algorithm involves a complementation of the system automaton, which results in an exponential blow-up of the state space [18].…”

Section: Introductionmentioning

confidence: 99%

Verifying Hyperliveness

Coenen

Finkbeiner

Sánchez

et al. 2019

Computer Aided Verification

Self Cite

View full text Add to dashboard Cite

HyperLTL is an extension of linear-time temporal logic for the specification of hyperproperties, i.e., temporal properties that relate multiple computation traces. HyperLTL can express information flow policies as well as properties like symmetry in mutual exclusion algorithms or Hamming distances in error-resistant transmission protocols. Previous work on HyperLTL model checking has focussed on the alternation-free fragment of HyperLTL, where verification reduces to checking a standard trace property over an appropriate self-composition of the system. The alternation-free fragment does, however, not cover general hyperliveness properties. Universal formulas, for example, cannot express the secrecy requirement that for every possible value of a secret variable there exists a computation where the value is different while the observations made by the external observer are the same. In this paper, we study the more difficult case of hyperliveness properties expressed as HyperLTL formulas with quantifier alternation. We reduce existential quantification to strategic choice and show that synthesis algorithms can be used to eliminate the existential quantifiers automatically. We furthermore show that this approach can be extended to reactive system synthesis, i.e., to automatically construct a reactive system that is guaranteed to satisfy a given HyperLTL formula.

show abstract

“…HyperLTL has been used extensively to specify hyperproperties of practical interest (e.g. [14,21,[23][24][25][26]). For example, observational determinism is expressed as the following formula:…”

Section: Introductionmentioning

confidence: 99%

“…Efficient model checking, synthesis, and satisfiability checking tools for HyperLTL already exist [12,[19][20][21][22]25,26]. Implementing an efficient runtime verification tool for HyperLTL specifications is, despite recent theoretical progress [1,[5][6][7]24,28,29,37], difficult: In principle, the monitor not only needs to process every observed trace, but must also store every trace observed so far, so that future traces can be compared with the traces seen so far.…”

Section: Introductionmentioning

confidence: 99%

Efficient monitoring of hyperproperties using prefix trees

Finkbeiner

Hahn

Stenger

et al. 2020

Int J Softw Tools Technol Transfer

Self Cite

View full text Add to dashboard Cite

Hyperproperties, such as non-interference and observational determinism, relate multiple computation traces with each other and are thus not monitorable by tools that consider computations in isolation. We present the monitoring approach implemented in the latest version of RVHyper, a runtime verification tool for hyperproperties. The input to the tool are specifications given in the temporal logic HyperLTL, which extends linear-time temporal logic (LTL) with trace quantifiers and trace variables. RVHyper processes execution traces sequentially until a violation of the specification is detected. In this case, a counterexample, in the form of a set of traces, is returned. RVHyper employs a range of optimizations: a preprocessing analysis of the specification and a procedure that minimizes the traces that need to be stored during the monitoring process. In this article, we introduce a novel trace storage technique that arranges the traces in a tree-like structure to exploit partially equal traces. We evaluate RVHyper on existing benchmarks on secure information flow control, error correcting codes, and symmetry in hardware designs. As an example application outside of security, we show how RVHyper can be used to detect spurious dependencies in hardware designs.

show abstract

Model Checking Quantitative Hyperproperties

Cited by 50 publications

References 41 publications

Synthesis from hyperproperties

Synthesis from hyperproperties

Verifying Hyperliveness

Efficient monitoring of hyperproperties using prefix trees

Contact Info

Product

Resources

About