Realizing Omega-regular Hyperproperties
We studied the hyperlogic HyperQPTL, which combines the concepts of trace
relations and ω-regularity. We showed that HyperQPTL is very expressive:
it can express properties like promptness, bounded waiting for a grant,
epistemic properties, and, in particular, any ω-regular property. Those
properties are not expressible in previously studied hyperlogics like HyperLTL.
At the same time, we argued that the expressiveness of HyperQPTL is optimal in
the sense that a more expressive logic for ω-regular hyperproperties would
have an undecidable model checking problem. We furthermore studied the
realizability problem of HyperQPTL. We showed that realizability is decidable
for HyperQPTL fragments that contain properties like promptness. But still, in
contrast to the satisfiability problem, propositional quantification does make
the realizability problem of hyperlogics harder. More specifically, the
HyperQPTL fragment of formulas with a universal-existential propositional
quantifier alternation followed by a single trace quantifier is undecidable in
general, even though the projection of the fragment to HyperLTL has a decidable
realizability problem. Lastly, we implemented the bounded synthesis problem for
HyperQPTL in the prototype tool BoSy. Using BoSy with HyperQPTL specifications,
we have been able to synthesize several resource arbiters. The synthesis
problem of non-linear-time hyperlogics is still open. For example, it is not
yet known how to synthesize systems from specifications given in branching-time
hyperlogics like HyperCTL.
Comment: International Conference on Computer Aided Verification (CAV 2020)
Runtime Enforcement of Hyperproperties
An enforcement mechanism monitors a reactive system for undesired behavior at runtime and corrects the system's output in case it violates the given specification. In this paper, we study the enforcement problem for hyperproperties, i.e., properties that relate multiple computation traces to each other. We elaborate the notion of sound and transparent enforcement mechanisms for hyperproperties in two trace input models: 1) the parallel trace input model, where the number of traces is known a priori and all traces are produced and processed in parallel, and 2) the sequential trace input model, where traces are processed sequentially and no a priori bound on the number of traces is known. For both models, we study enforcement algorithms for specifications given as formulas in universally quantified HyperLTL, a temporal logic for hyperproperties. For the parallel model, we describe an enforcement mechanism based on parity games. For the sequential model, we show that enforcement is in general undecidable and present algorithms for reasonable simplifications of the problem (partial guarantees or the restriction to safety properties). Furthermore, we report on experimental results of our prototype implementation for the parallel model
Hyper Hoare Logic: (Dis-)Proving Program Hyperproperties (extended version)
Hoare logics are proof systems that allow one to formally establish
properties of computer programs. Traditional Hoare logics prove properties of
individual program executions (so-called trace properties, such as functional
correctness). Hoare logic has been generalized to prove also properties of
multiple executions of a program (so-called hyperproperties, such as
determinism or non-interference). These program logics prove the absence of
(bad combinations of) executions. On the other hand, program logics similar to
Hoare logic have been proposed to disprove program properties (e.g.,
Incorrectness Logic), by proving the existence of (bad combinations of)
executions. All of these logics have in common that they specify program
properties using assertions over a fixed number of states, for instance, a
single pre- and post-state for functional properties or pairs of pre- and
post-states for non-interference.
In this paper, we present Hyper Hoare Logic, a generalization of Hoare logic
that lifts assertions to properties of arbitrary sets of states. The resulting
logic is simple yet expressive: its judgments can express arbitrary trace- and
hyperproperties over the terminating executions of a program. By allowing
assertions to reason about sets of states, Hyper Hoare Logic can reason about
both the absence and the existence of (combinations of) executions, and,
thereby, supports both proving and disproving program (hyper-)properties within
the same logic. In fact, we prove that Hyper Hoare Logic subsumes the
properties handled by numerous existing correctness and incorrectness logics,
and can express hyperproperties that no existing Hoare logic can. We also prove
that Hyper Hoare Logic is sound and complete, and admits powerful
compositionality rules. All our technical results have been proved in
Isabelle/HOL
Computer Aided Verification
This open access two-volume set LNCS 11561 and 11562 constitutes the refereed proceedings of the 31st International Conference on Computer Aided Verification, CAV 2019, held in New York City, USA, in July 2019. The 52 full papers presented together with 13 tool papers and 2 case studies were carefully reviewed and selected from 258 submissions. The papers were organized in the following topical sections: Part I: automata and timed systems; security and hyperproperties; synthesis; model checking; cyber-physical systems and machine learning; probabilistic systems; runtime techniques; dynamical, hybrid, and reactive systems; Part II: logics, decision procedures, and solvers; numerical programs; verification; distributed systems and networks; verification and invariants; and concurrency
Explaining Hyperproperty Violations
Hyperproperties relate multiple computation traces to each other. Model checkers for hyperproperties thus return, in case a system model violates the specification, a set of traces as a counterexample. Fixing the erroneous relations between traces in the system that led to the counterexample is a difficult manual effort that highly benefits from additional explanations. In this paper, we present an explanation method for counterexamples to hyperproperties described in the specification logic HyperLTL. We extend Halpern and Pearl's definition of actual causality to sets of traces witnessing the violation of a HyperLTL formula, which allows us to identify the events that caused the violation. We report on the implementation of our method and show that it significantly improves on previous approaches for analyzing counterexamples returned by HyperLTL model checkers
The Keys to Decidable HyperLTL Satisfiability: Small Models or Very Simple Formulas
HyperLTL, the extension of Linear Temporal Logic by trace quantifiers, is a uniform framework for expressing information flow policies by relating multiple traces of a security-critical system. HyperLTL has been successfully applied to express fundamental security policies like noninterference and observational determinism, but has also found applications beyond security, e.g., distributed protocols and coding theory. However, HyperLTL satisfiability is undecidable as soon as there are existential quantifiers in the scope of a universal one. To overcome this severe limitation to applicability, we investigate here restricted variants of the satisfiability problem to pinpoint the decidability border. First, we restrict the space of admissible models and show decidability when restricting the search space to models of bounded size or to finitely representable ones. Second, we consider formulas with restricted nesting of temporal operators and show that nesting depth one yields decidability for a slightly larger class of quantifier prefixes. We provide tight complexity bounds in almost all cases
Symbolic reactive synthesis
In this thesis, we develop symbolic algorithms for the synthesis of reactive systems. Synthesis, that is the task of deriving correct-by-construction implementations from formal specifications, has the potential to eliminate the need for the manual—and error-prone—programming task. The synthesis problem can be formulated as an infinite two-player game, where the system player has the objective to satisfy the specification against all possible actions of the environment player. The standard synthesis algorithms represent the underlying synthesis game explicitly and, thus, they scale poorly with respect to the size of the specification. We provide an algorithmic framework to solve the synthesis problem symbolically. In contrast to the standard approaches, we use a succinct representation of the synthesis game which leads to improved scalability in terms of the symbolically represented parameters. Our algorithm reduces the synthesis game to the satisfiability problem of quantified Boolean formulas (QBF) and dependency quantified Boolean formulas (DQBF). In the encodings, we use propositional quantification to succinctly represent different parts of the implementation, such as the state space and the transition function. We develop highly optimized satisfiability algorithms for QBF and DQBF. Based on a counterexample-guided abstraction refinement (CEGAR) loop, our algorithms avoid an exponential blow-up by using the structure of the underlying symbolic encodings. Further, we extend the solving algorithms to extract certificates in the form of Boolean functions, from which we construct implementations for the synthesis problem. Our empirical evaluation shows that our symbolic approach significantly outperforms previous explicit synthesis algorithms with respect to scalability and solution quality.