Prophecy Variables for Hyperproperty Verification

Beutner, Raven; Finkbeiner, Bernd

doi:10.1109/csf54842.2022.9919658

Cited by 15 publications

(34 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper, we develop simulation-based algorithms to overcome this limitation. There are alternative approaches to reason about infinite traces, like reasoning about strategies to deal with ∀∃ formulas [15], whose completeness can be obtained by generating a set of prophecy variables [8]. In this work, we capture infinite traces in BMC approach using simulation.…”

Section: Casementioning

confidence: 99%

“…To solve this, we incorporate the notion of prophecies to our setting. Prophecies have been proposed as a method to aid in the verification of hyperliveness [15] (see [7] for a systematic method to construct these kind of prophecies). For simplicity, we restrict here to prophecies expressed as safety automata.…”

Section: Encodings For Ae-simulation With Propheciesmentioning

confidence: 99%

“…These notions circumvent the need to boundlessly unroll traces in both structures and synchronize them. For SIM AE , in order to resolve non-determinism in the first model, we also present a third variant, where we enhance SIM AE by using prophecy variables [1,7]. Prophecy variables allow us to handle cases in which ∀∃ hyperprop-erties hold despite the lack of a direct simulation.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Efficient Loop Conditions for Bounded Model Checking Hyperproperties

Hsu¹,

Sánchez²,

Sheinvald³

et al. 2023

Preprint

View full text Add to dashboard Cite

Bounded model checking (BMC) is an effective technique for hunting bugs by incrementally exploring the state space of a system. To reason about infinite traces through a finite structure and to ultimately obtain completeness, BMC incorporates loop conditions that revisit previously observed states. This paper focuses on developing loop conditions for BMC of HyperLTLa temporal logic for hyperproperties that allows expressing important policies for security and consistency in concurrent systems, etc. Loop conditions for HyperLTL are more complicated than for LTL, as different traces may loop inconsistently in unrelated moments. Existing BMC approaches for HyperLTL only considered linear unrollings without any looping capability, which precludes both finding small infinite traces and obtaining a complete technique. We investigate loop conditions for HyperLTL BMC, for HyperLTL formulas that contain up to one quantifier alternation. We first present a general complete automatabased technique which is based on bounds of maximum unrollings. Then, we introduce alternative simulation-based algorithms that allow exploiting short loops effectively, generating SAT queries whose satisfiability guarantees the outcome of the original model checking problem. We also report empirical evaluation of the prototype implementation of our BMC techniques using Z3py.

show abstract

Section: Casementioning

confidence: 99%

Section: Encodings For Ae-simulation With Propheciesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Loop Conditions for Bounded Model Checking Hyperproperties

Hsu¹,

Sánchez²,

Sheinvald³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Coenen et al [18] instantiate existential quantification in a ∀ * ∃ * property (i.e., a property involving an arbitrary number of universal quantifiers followed by an arbitrary number of existential quantifiers, such as GNI) with an explicit (user-provided) strategy, thus reducing to the verification of an alternation-free formula. Alternatively, the strategy that resolves existential quantification can be automatically synthesized [8]. Hsu et al [30] present a bounded model checking (BMC) approach for HyperLTL that is implemented in HyperQube.…”

Section: Introductionmentioning

confidence: 99%

“…We discuss alternative verification approaches for HyperLTL in Section 4. In Section 6, we compare different backend solving techniques and study the complexity of HyperLTL MC with multiple quantifier alternations in practice; In Section 7, we evaluate ABV on a set of benchmarks from the literature and compare with the bounded model checker HyperQube [30]; In Section 8 we use AutoHyper for a detailed analysis of (and comparison with) strategy-based verification [18,8].…”

Section: Introductionmentioning

confidence: 99%

AutoHyper: Explicit-State Model Checking for HyperLTL

Beutner¹,

Finkbeiner²

2023

Preprint

View full text Add to dashboard Cite

HyperLTL is a temporal logic that can express hyperproperties, i.e., properties that relate multiple execution traces of a system. Such properties are becoming increasingly important and naturally occur, e.g., in information-flow control, robustness, mutation testing, path planning, and causality checking. Thus far, complete model checking tools for HyperLTL have been limited to alternation-free formulas, i.e., formulas that use only universal or only existential trace quantification. Properties involving quantifier alternations could only be handled in an incomplete way, i.e., the verification might fail even though the property holds. In this paper, we present AutoHyper, an explicit-state automatabased model checker that supports full HyperLTL and is complete for properties with arbitrary quantifier alternations. We show that language inclusion checks can be integrated into HyperLTL verification, which allows AutoHyper to benefit from a range of existing inclusion-checking tools. We evaluate AutoHyper on a broad set of benchmarks drawn from different areas in the literature and compare it with existing (incomplete) methods for HyperLTL verification.

show abstract

Software Verification of Hyperproperties Beyond k-Safety

Beutner

Finkbeiner

2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Temporal hyperproperties are system properties that relate multiple execution traces. For (finite-state) hardware, temporal hyperproperties are supported by model checking algorithms, and tools for general temporal logics like HyperLTL exist. For (infinite-state) software, the analysis of temporal hyperproperties has, so far, been limited to k-safety properties, i.e., properties that stipulate the absence of a bad interaction between any k traces. In this paper, we present an automated method for the verification of $$\forall ^k\exists ^l$$ ∀ k ∃ l -safety properties in infinite-state systems. A $$\forall ^k\exists ^l$$ ∀ k ∃ l -safety property stipulates that for any k traces, there existl traces such that the resulting $$k+l$$ k + l traces do not interact badly. This combination of universal and existential quantification enables us to express many properties beyond k-safety, including, for example, generalized non-interference or program refinement. Our method is based on a strategy-based instantiation of existential trace quantification combined with a program reduction, both in the context of a fixed predicate abstraction. Notably, our framework allows for mutual dependence of strategy and reduction.

show abstract

Prophecy Variables for Hyperproperty Verification

Cited by 15 publications

References 49 publications

Efficient Loop Conditions for Bounded Model Checking Hyperproperties

Efficient Loop Conditions for Bounded Model Checking Hyperproperties

AutoHyper: Explicit-State Model Checking for HyperLTL

Software Verification of Hyperproperties Beyond k-Safety

Contact Info

Product

Resources

About