122 research outputs found
Constraint-Based Monitoring of Hyperproperties
Verifying hyperproperties at runtime is a challenging problem as
hyperproperties, such as non-interference and observational determinism, relate
multiple computation traces with each other. It is necessary to store
previously seen traces, because every new incoming trace needs to be compatible
with every run of the system observed so far. Furthermore, the new incoming
trace poses requirements on future traces. In our monitoring approach, we focus
on those requirements by rewriting a hyperproperty in the temporal logic
HyperLTL to a Boolean constraint system. A hyperproperty is then violated by
multiple runs of the system if the constraint system becomes unsatisfiable. We
compare our implementation, which utilizes either BDDs or a SAT solver to store
and evaluate constraints, to the automata-based monitoring tool RVHyper
Recommended from our members
Timed hyperproperties
We study the satisfiability and model-checking problems for timed hyperproperties specified with HyperMITL, a timed extension of HyperLTL. While the satisfiability problem can be solved similarly as for HyperLTL, we show that the model-checking problem for HyperMITL, unless the specification is alternation-free, is undecidable even when very restricted timing constraints are allowed. On the positive side, we show that model checking HyperMITL with quantifier alternations is possible under certain semantic restrictions. As an intermediate tool, we give an âasynchronousâ interpretation of Wilke's monadic logic of relative distance (L ) and show that it characterises timed languages recognised by timed automata with silent transitions. d
Gray-box monitoring of hyperproperties with an application to privacy
Runtime verification is a complementary approach to testing, model checking and other static verification techniques to verify software properties. Monitorability characterizes what can be verified (monitored) at run time. Different definitions of monitorability have been given both for trace properties and for hyperproperties (properties defined over sets of traces), but these definitions usually cover only some aspects of what is important when characterizing the notion of monitorability. The first contribution of this paper is a refinement of classic notions of monitorability both for trace properties and hyperproperties, taking into account, among other things, the computability of the monitor. A second contribution of our work is to show that black-box monitoring of HyperLTL (a logic for hyperproperties) is in general unfeasible, and to suggest a gray-box approach in which we combine static and runtime verification. The main idea is to call a static verifier as an oracle at run time allowing, in some cases, to give a final verdict for properties that are considered to be non-monitorable under a black-box approach. Our third contribution is the instantiation of this solution to a privacy property called distributed data minimization which cannot be verified using black-box runtime verification. We use an SMT-based static verifier as an oracle at run time. We have implemented our gray-box approach for monitoring data minimization into the proof-of-concept tool Minion. We describe the tool and apply it to a few case studies to show its feasibility
Logical and deep learning methods for temporal reasoning
In this thesis, we study logical and deep learning methods for the temporal reasoning of reactive systems. In Part I, we determine decidability borders for the satisfiability and realizability problem of temporal hyperproperties. Temporal hyperproperties relate multiple computation traces to each other and are expressed in a temporal hyperlogic. In particular, we identify decidable fragments of the highly expressive hyperlogics HyperQPTL and HyperCTL*. As an application, we elaborate on an enforcement mechanism for temporal hyperproperties. We study explicit enforcement algorithms for specifications given as formulas in universally quantified HyperLTL. In Part II, we train a (deep) neural network on the trace generation and realizability problem of linear-time temporal logic (LTL). We consider a method to generate large amounts of additional training data from practical specification patterns. The training data is generated with classical solvers, which provide one of many possible solutions to each formula. We demonstrate that it is sufficient to train on those particular solutions such that the neural network generalizes to the semantics of the logic. The neural network can predict solutions even for formulas from benchmarks from the literature on which the classical solver timed out. Additionally, we show that it solves a significant portion of problems from the annual synthesis competition (SYNTCOMP) and even out-of-distribution examples from a recent case study.Diese Arbeit befasst sich mit logischen Methoden und mehrschichtigen Lernmethoden fĂŒr das zeitabhĂ€ngige Argumentieren ĂŒber reaktive Systeme. In Teil I werden die Grenzen der Entscheidbarkeit des ErfĂŒllbarkeits- und des Realisierbarkeitsproblem von temporalen Hypereigenschaften bestimmt. Temporale Hypereigenschaften setzen mehrere Berechnungsspuren zueinander in Beziehung und werden in einer temporalen Hyperlogik ausgedrĂŒckt. Insbesondere werden entscheidbare Fragmente der hochexpressiven Hyperlogiken HyperQPTL und HyperCTL* identifiziert. Als Anwendung wird ein Enforcement-Mechanismus fĂŒr temporale Hypereigenschaften erarbeitet. Explizite Enforcement-Algorithmen fĂŒr Spezifikationen, die als Formeln in universell quantifiziertem HyperLTL angegeben werden, werden untersucht. In Teil II wird ein (mehrschichtiges) neuronales Netz auf den Problemen der Spurgenerierung und Realisierbarkeit von Linear-zeit Temporallogik (LTL) trainiert. Es wird eine Methode betrachtet, um aus praktischen Spezifikationsmustern groĂe Mengen zusĂ€tzlicher Trainingsdaten zu generieren. Die Trainingsdaten werden mit klassischen Solvern generiert, die zu jeder Formel nur eine von vielen möglichen Lösungen liefern. Es wird gezeigt, dass es ausreichend ist, an diesen speziellen Lösungen zu trainieren, sodass das neuronale Netz zur Semantik der Logik generalisiert. Das neuronale Netz kann Lösungen sogar fĂŒr Formeln aus Benchmarks aus der Literatur vorhersagen, bei denen der klassische Solver eine ZeitĂŒberschreitung hatte. ZusĂ€tzlich wird gezeigt, dass das neuronale Netz einen erheblichen Teil der Probleme aus dem jĂ€hrlichen Synthesewettbewerb (SYNTCOMP) und sogar Beispiele auĂerhalb der Distribution aus einer aktuellen Fallstudie lösen kann
On verifying timed hyperproperties
We study the satisfiability and model-checking problems for timed
hyperproperties specified with HyperMTL, a timed extension of HyperLTL.
Depending on whether interleaving of events in different traces is allowed, two
possible semantics can be defined for timed hyperproperties: asynchronous and
synchronous. While the satisfiability problem can be decided similarly to
HyperLTL regardless of the choice of semantics, we show that the model-checking
problem, unless the specification is alternation-free, is undecidable even when
very restricted timing constraints are allowed. On the positive side, we show
that model checking HyperMTL with quantifier alternations is possible under
certain conditions in the synchronous semantics, or when there is a fixed bound
on the length of the time domain.EP/K026399/1 and EP/P020011/
Bounded Model Checking for Asynchronous Hyperproperties
Many types of attacks on confidentiality stem from the nondeterministic
nature of the environment that computer programs operate in (e.g., schedulers
and asynchronous communication channels). In this paper, we focus on
verification of confidentiality in nondeterministic environments by reasoning
about asynchronous hyperproperties. First, we generalize the temporal logic
A-HLTL to allow nested trajectory quantification, where a trajectory determines
how different execution traces may advance and stutter. We propose a bounded
model checking algorithm for A-HLTL based on QBF-solving for a fragment of the
generalized A-HLTL and evaluate it by various case studies on concurrent
programs, scheduling attacks, compiler optimization, speculative execution, and
cache timing attacks. We also rigorously analyze the complexity of model
checking for different fragments of A-HLTL.Comment: 34 page
Realizing Omega-regular Hyperproperties
We studied the hyperlogic HyperQPTL, which combines the concepts of trace
relations and -regularity. We showed that HyperQPTL is very expressive,
it can express properties like promptness, bounded waiting for a grant,
epistemic properties, and, in particular, any -regular property. Those
properties are not expressible in previously studied hyperlogics like HyperLTL.
At the same time, we argued that the expressiveness of HyperQPTL is optimal in
a sense that a more expressive logic for -regular hyperproperties would
have an undecidable model checking problem. We furthermore studied the
realizability problem of HyperQPTL. We showed that realizability is decidable
for HyperQPTL fragments that contain properties like promptness. But still, in
contrast to the satisfiability problem, propositional quantification does make
the realizability problem of hyperlogics harder. More specifically, the
HyperQPTL fragment of formulas with a universal-existential propositional
quantifier alternation followed by a single trace quantifier is undecidable in
general, even though the projection of the fragment to HyperLTL has a decidable
realizability problem. Lastly, we implemented the bounded synthesis problem for
HyperQPTL in the prototype tool BoSy. Using BoSy with HyperQPTL specifications,
we have been able to synthesize several resource arbiters. The synthesis
problem of non-linear-time hyperlogics is still open. For example, it is not
yet known how to synthesize systems from specifications given in branching-time
hyperlogics like HyperCTL.Comment: International Conference on Computer Aided Verification (CAV 2020
- âŠ