RVHyper: A Runtime Verification Tool for Temporal Hyperproperties by Finkbeiner, Bernd et al.
C
o
n
si
st
en
t *
 Complete * W
e
ll D
o
cu
m
ented * Easy t
o 
Re
u
se
 *
 *
  Evaluated
 *
 T
A
C
A
S
 *
 A
rtifact  *  A
E
C
RVHyper: A Runtime Verification Tool for
Temporal Hyperproperties?
Bernd Finkbeiner, Christopher Hahn, Marvin Stenger, and Leander Tentrup
Reactive Systems Group
Saarland University
lastname@react.uni-saarland.de
Abstract. We present RVHyper, a runtime verification tool for hyper-
properties. Hyperproperties, such as non-interference and observational
determinism, relate multiple computation traces with each other. Spec-
ifications are given as formulas in the temporal logic HyperLTL, which
extends linear-time temporal logic (LTL) with trace quantifiers and trace
variables. RVHyper processes execution traces sequentially until a vio-
lation of the specification is detected. In this case, a counter example,
in the form of a set of traces, is returned. As an example application,
we show how RVHyper can be used to detect spurious dependencies in
hardware designs.
1 Introduction
Hyperproperties [4] generalize trace properties in that they not only check the
correctness of individual computation traces in isolation, but relate multiple com-
putation traces to each other. HyperLTL [3] is a logic for expressing temporal hy-
perproperties, by extending linear-time temporal logic with explicit trace quan-
tification. HyperLTL has been used to specify a variety of information-flow and
security properties. Examples include classical properties like non-interference
and observational determinism, as well as quantitative information-flow prop-
erties, symmetries in hardware designs, and formally verified error correcting
codes [8]. While model checking and satisfiability checking tools for HyperLTL
already exist [5, 8], the runtime verification of HyperLTL specifications has so
far, despite recent theoretical progress [1, 2, 7], not been supported by practical
tool implementations.
Monitoring hyperproperties is difficult: in principle, the monitor not only
needs to process every observed trace, but must also store every trace observed
so far, so that future traces can be compared with the traces seen so far. On the
other hand, a runtime verification tool for hyperproperties is certainly useful,
in particular if the implementation of a security critical system is not available.
? This work was partially supported by the German Research Foundation (DFG) as
part of the Collaborative Research Center “Methods and Tools for Understanding
and Controlling Privacy” (SFB 1223) and by the European Research Council (ERC)
Grant OSARES (No. 683300).
ar
X
iv
:1
90
6.
00
79
8v
1 
 [c
s.L
O]
  3
1 M
ay
 20
19
Even without access to the source code, monitoring the observable execution
traces still detects insecure information flow.
In this paper, we present RVHyper, a runtime verification tool for moni-
toring temporal hyperproperties. RVHyper tackles this challenging problem by
implementing two major optimizations: (1) a trace analysis, which detects all
redundant traces that can be omitted during the monitoring process and (2) a
specification analysis to detect exploitable properties of a hyperproperty, such
as symmetry.
We have applied RVHyper in classical information-flow security, such as
checking for violations of observational determinism. HyperLTL is, however, not
limited to security policies. As an example of such an application beyond se-
curity, we show how RVHyper can be used to detect spurious dependencies in
hardware designs.
2 RVHyper
In this section we give an overview on the monitoring approach, including the
input and output of the monitoring algorithm and the two major optimization
techniques implemented in RVHyper.
Specification. The input to RVHyper is a HyperLTL specification.
HyperLTL [3] is a temporal logic for specifying hyperproperties. The logic ex-
tends LTL with quantification over trace variables pi and a method to link
atomic propositions to specific traces. The set of trace variables is V. Formu-
las in HyperLTL are given by the grammar
ϕ ::= ∀pi. ϕ | ∃pi. ϕ | ψ , and
ψ ::= api | ¬ψ | ψ ∨ ψ | ψ | ψ U ψ ,
where a ∈ AP and pi ∈ V. The finite trace semantics [2] for HyperLTL is based
on the finite trace semantics of LTL. In the following, when using L(ϕ) we refer
to the finite trace semantics of a HyperLTL formula ϕ. Let t be a finite trace, 
denotes the empty trace, and |t| denotes the length of a trace. Since we are in a
finite trace setting, t[i, . . .] denotes the subsequence from position i to position
|t| − 1. Let Πfin : V → Σ∗ be a partial function mapping trace variables to finite
traces. We define [0] as the empty set. Πfin [i, . . .] denotes the trace assignment
that is equal to Πfin(pi)[i, . . .] for all pi. We define a subsequence of t as follows.
t[i, j] =
{
 if i ≥ |t|
t[i,min(j, |t| − 1)], otherwise
Πfin T api if a ∈ Πfin(pi)[0]
Πfin T ¬ϕ if Πfin 2T ϕ
Πfin T ϕ ∨ ψ if Πfin T ϕ or Πfin T ψ
Πfin T ϕ if Πfin [1, . . .] T ϕ
Πfin T ϕ U ψ if ∃i ≥ 0. Πfin [i, . . .] T ψ ∧ ∀0 ≤ j < i.Πfin [j, . . .] T ϕ
Πfin T ∃pi. ϕ if there is some t ∈ T such that Πfin [pi 7→ t] T ϕ
2
input : ∀n HyperLTL formula ϕ,
set of traces T ,
fresh trace t
output: satisfied or n-ary tuple
witnessing violation
Mϕ = build template(ϕ);
for each tuple N ∈ (T ∪ {t})n do
if Mϕ accepts N then
proceed;
else
return N ;
end
end
return satisfied;
Algorithm 1: A high-level sketch of
the monitoring algorithm for ∀n Hy-
perLTL formulas.
input : HyperLTL formula ϕ,
redundancy free trace set
T , fresh trace t
output: redundancy free set of
traces Tmin ⊆ T ∪ {t}
Mϕ = build template(ϕ)
foreach t′ ∈ T do
if t′ dominates t then
return T
end
end
foreach t′ ∈ T do
if t dominates t′ then
T := T \ {t′}
end
end
return T ∪ {t}
Algorithm 2: Trace analysis algo-
rithm to minimize trace storage.
For example, above mentioned observational determinism can be formalized as
the HyperLTL formula ∀pi.∀pi′. (Opi = Opi′)W (Ipi 6= Ipi′), where W is the weak
version of U.
Input and Output. The input of RVHyper consists of a HyperLTL formula and
the observed behavior of the system under consideration. The observed behavior
is represented as a trace set T , where each t ∈ T represents a previously observed
execution of the system under consideration. If RVHyper detects that the system
violates the hyperproperty, it outputs a counter example, i.e, a k-ary tuple of
traces, where k is the number of quantifiers in the HyperLTL formula.
Monitoring Algorithm. Given a HyperLTL formula ϕ and a trace set T ,
RVHyper processes a fresh trace under consideration as depicted in Algorithm 1.
The algorithm revolves around a monitor-template Mϕ, which is constructed
from the HyperLTL formula ϕ. The basic idea of the monitor template is that
it still contains every trace variables of ϕ, which can be initialized with explicit
traces at runtime. This way, the automaton construction of the monitor template
is constructed only once as a preprocessing step.
RVHyper initializes the monitor template for each k-ary combination of
traces in T ∪{t}. If one tuple violates the hyperproperty, RVHyper returns that
k-ary tuple of traces as a counter example, otherwise RVHyper returns satisfied.
Trace Analysis: Minimizing Trace Storage. The main obstacle in monitor-
ing hyperproperties is the potentially unbounded space consumption. RVHyper
3
uses a trace analysis to detect redundant traces, with respect to a given Hy-
perLTL formula, i.e., traces that can be safely discarded without losing any
information and without losing the ability to return a counter example.
RVHyper’s trace analysis is based on the definition of trace redundancy:
we say a fresh trace t is (T, ϕ)-redundant, if T is a model of ϕ if and only
if T ∪ {t} is a model of ϕ. The idea, depicted in Algorithm 2, is to check if
another trace t′ contains at least as much informations as t: we say a t′ dominates
t if
∧
pi∈V L(Mϕ[t′/pi]) ⊆ L(Mϕ[t/pi]). For a fresh incoming trace, RVHyper
performs this language inclusion check in both directions in order to compute
the minimal trace set that must be stored to monitor the hyperproperty under
consideration.
Specification Analysis: Decreasing Running Time. RVHyper uses a spec-
ification analysis, which is a preprocessing step that analyzes the HyperLTL
formula under consideration. RVHyper detects whether a formula is (1) sym-
metric, i.e., we halve the number of instantiated monitors, (2) transitive, i.e, we
reduce the number of instantiated monitors to two, or (3) reflexive, i.e., we can
omit the self comparison of traces [7].
Symmetry is especially interesting because many information flow poli-
cies satisfy this property. Consider, for example, observational determinism:
∀pi.∀pi′. (Opi = Opi′)W (Ipi 6= Ipi′). RVHyper detects symmetry by translating
this formula to a formula that is unsatisfiable if there exists no pair of traces
which violates the symmetry condition: ∃pi.∃pi′. ((Opi = Opi′)W (Ipi 6= Ipi′)) =(
(Opi′ = Opi)W (Ipi′ 6= Ipi)
)
. If the resulting formula turns out to be unsatisfiable,
RVHyper omits the symmetric instantiations of the monitor automaton, which
turns out to be, especially in combination with RVHypers trace analysis, a major
optimization in practice [7].
Implementation. RVHyper1 is written in C++. It uses spot for building the de-
terministic monitor automata and the Buddy BDD library for handling symbolic
constraints. We use the HyperLTL satisfiability solver EAHyper [5, 6] to deter-
mine whether the input formula is reflexive, symmetric, or transitive. Depending
on those results, we omit redundant tuples in the monitoring algorithm.
3 Detecting Spurious Dependencies in Hardware Designs
While HyperLTL has been applied to a range of domains, including security and
information flow properties, we focus in the following on a classical verification
problem, the independence of signals in hardware designs. We demonstrate how
RVHyper can automatically detect such dependencies from traces generated from
hardware designs.
1 The implementation is available at https://react.uni-saarland.de/tools/
rvhyper/.
4
1 module counter(increase ,
2 decrease , overflow );
3 input increase;
4 input decrease;
5 output overflow;
6
7 reg[2:0] counter;
8
9 assign overflow = (counter
10 == 3’b111 && increase
11 && !decrease );
12
13
14 initial
15 begin
16 counter = 0;
17 end
18 always @($global_clock)
19 begin
20 if (increase && !decrease)
21 counter = counter + 1;
22 else if (! increase && decrease
23 && counter > 0)
24 counter = counter - 1;
25 else
26 counter = counter;
27 end
28 endmodule
Fig. 2: Verilog description of Example 3 (counter).
mux
imux
i i′sel
o o′
Fig. 1: mux circuit with
black box
Input & Output. The input to RVHyper is a set of
traces where the propositions match the atomic propo-
sitions of the HyperLTL formula. For the following
experiments, we generate a set of traces from the Ver-
ilog description of several example circuits by random
simulation. If a set of traces violates the specification,
RVHyper returns a counter example.
Specification. We consider the problem of detect-
ing whether input signals influence output signals in
hardware designs. We write i 6; o to denote that the
inputs i do not influence the outputs o. Formally, we
specify this property as the following HyperLTL for-
mula:
∀pi1∀pi2. (opi1 = opi2)W (ipi1 6= ipi2) ,
where i denotes all inputs except i. Intuitively, the formula asserts that for every
two pairs of execution traces (pi1, pi2) the value of o has to be the same until there
is a difference between pi1 and pi2 in the input vector i, i.e., the inputs on which
o may depend.
Sample Hardware Designs. We apply RVHyper to traces generated from
the following hardware designs. Note that, since RVHyper observes traces and
treats the system that generates the traces as a black box, the performance of
RVHyper does not depend on the size of the circuit.
Example 1 (xor). As a first example, consider the xor function o = i⊕ i′. In
the corresponding circuit, every j-th output bit oj is only influenced by the j-the
input bits ij and i
′
j .
5
Table 1: Results of RVHyper on traces generated from circuit instances. Every
instance was run 10 times with different seeds and the average is reported.
instance property satisfied # traces length time # instances
xor i0 6; o0 no 18 5 12ms 222
xor i1 6; o0 yes 1000 5 16913ms 499500
counter incr 6; overflow no 1636 20 28677ms 1659446
counter decr 6; overflow no 1142 20 15574ms 887902
mux i′ 6; o yes 1000 5 14885ms 499500
mux2 i′ 6; o no 82 5 140ms 3704
Example 2 (mux). This example circuit is depicted in Figure 1. There is a black
box combinatorial circuit, guarded by a multiplexer that selects between the two
input vectors i and i′ and an inverse multiplexer that forwards the output of the
black box either towards o or o′. Despite there being a syntactic dependency
between o and i′, there is no semantic dependency, i.e., the output o does solely
depend on i and the selector signal.
When using the same example, but with a sequential circuit as black box,
there may be information flow from the input vector i′ to the output vector o
because the state of the latches may depend on it. We construct such a circuit
that leaks information about i′ via its internal state.
Example 3 (counter). Our last example is a binary counter with two input con-
trol bits incr and decr that increments and decrements the counter. The corre-
sponding Verilog design is shown in Figure 2. The counter has a single output,
namely a signal that is set to one when the counter value overflows. Both in-
puts influence the output, but timing of the overflow depends on the number of
counter bits.
Results. The results of multiple random simulations are given in Table 1. De-
spite the high complexity of the monitoring problem, RVHyper is able to scale
up to thousands of input traces with millions of monitor instantiations (cf. Algo-
rithm 1). RVHyper’s optimizations, i.e., keeping only a minimal set of traces and
reducing the number of instances by the specification analysis, are a key factor
to those results. For the two instances where the property is satisfied (xor and
mux), RVHyper has not found a violation for any of the runs. For instances
where the property is violated, RVHyper is able to find counter examples. While
counter examples can be found quickly for xor and mux2, the counter instances
need more traces since the chance of finding a violating pair of traces is lower.
4 Conclusion
RVHyper monitors a running system for violations of a HyperLTL specification.
The functionality of RVHyper thus complements model checking tools for Hy-
perLTL, like MCHyper [8], and tools for satisifability checking, like EAHyper [6].
6
RVHyper is in particular useful during the development of a HyperLTL specifi-
cation, where it can be used to check the HyperLTL formula on sample traces
without the need for a complete model. Based on the feedback of the tool, the
user can refine the HyperLTL formula until it captures the intended policy.
References
1. Agrawal, S., Bonakdarpour, B.: Runtime verification of k-safety hyperproperties in
HyperLTL. In: Proceedings of CSF. pp. 239–252. IEEE Computer Society (2016)
2. Brett, N., Siddique, U., Bonakdarpour, B.: Rewriting-based runtime verification for
alternation-free HyperLTL. In: Proceedings of TACAS. pp. 77–93 (2017)
3. Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sa´nchez,
C.: Temporal logics for hyperproperties. In: Proceedings of POST. LNCS, vol. 8414,
pp. 265–284. Springer (2014)
4. Clarkson, M.R., Schneider, F.B.: Hyperproperties. Journal of Computer Security
18(6), 1157–1210 (2010)
5. Finkbeiner, B., Hahn, C.: Deciding hyperproperties. In: Proceedings of CONCUR.
LIPIcs, vol. 59, pp. 13:1–13:14. Leibniz-Zentrum fuer Informatik (2016)
6. Finkbeiner, B., Hahn, C., Stenger, M.: EAHyper: Satisfiability, implication, and
equivalence checking of hyperproperties. In: Proceedings of CAV. LNCS, vol. 10427,
pp. 564–570. Springer (2017)
7. Finkbeiner, B., Hahn, C., Stenger, M., Tentrup, L.: Monitoring hyperproperties. In:
Proceedings of RV. LNCS, vol. 10548, pp. 190–207. Springer (2017)
8. Finkbeiner, B., Rabe, M.N., Sa´nchez, C.: Algorithms for model checking HyperLTL
and HyperCTL*. In: Proceedings of CAV. LNCS, vol. 9206, pp. 30–48. Springer
(2015)
7
