Motivation HyperPCTL Syntax and Semantics HyperPCTL in Action HyperPCTL Model Checking Conclusion
HyperPCTL: A Temporal Logic for Probabilistic Hyperproperties
Erika Ábrahám (1), Borzoo Bonakdarpour (2)
(1) RWTH Aachen, Germany; (2) Iowa State
Presentation outline
1. Motivation
2. HyperPCTL Syntax and Semantics
3. HyperPCTL in Action
4. HyperPCTL Model Checking
5. Conclusion
Motivation
Classical trace properties cannot express relations among multiple traces.
Hyperproperties (Clarkson, Schneider - 2010)
A hyperproperty is a set of sets of traces.
Information-flow security:
- Noninterference
- Observational determinism
- Declassification
- Noninference
Consistency models (concurrency):
- Linearizability
- Eventual/causal consistency
Temporal logics for hyperproperties:
- HyperLTL
- HyperCTL∗
Hyperproperty Satisfaction: A system P satisfies a hyperproperty ψ (denoted P ⊨ ψ) iff Traces(P) ∈ ψ; i.e., language equality.
Timed Hyperproperties
Probabilistic Hyperproperties
Probabilistic hyperproperties express probabilistic relations between independent executions of a system.
Probabilistic noninterference stipulates that the probability distribution on the final values on publicly observable channels (low outputs) is independent of the initial values of secrets (high inputs).
    t : while h > 0 do {h ← h − 1}; l ← 2
    t′ : l ← 1
where h is a high input and l is a low output. Assuming a uniform probabilistic scheduler:
- If h = 0, then at termination, P(l = 1) = 1/4 and P(l = 2) = 3/4.
- If h = 5, then at termination, P(l = 1) = 1/4096 and P(l = 2) = 4095/4096.
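The two-thread program above, worked through as an added example (not code from the slides): it enumerates every interleaving under a uniform scheduler and computes the exact distribution of the final value of l for a given h. The step granularity (loop test, decrement and each assignment are one atomic step), the initial value l = 0 and all function names are assumptions of this example.

```python
from fractions import Fraction
from functools import lru_cache

# Program counter of thread t. Assumed granularity: each of these is one
# atomic scheduler step (the slide does not state the granularity).
TEST, DEC, ASSIGN, DONE = range(4)

@lru_cache(maxsize=None)
def _dist(pc, h, tp_done, l):
    """Exact distribution of the final value of l from one global state."""
    enabled = [name for name, live in (("t", pc != DONE), ("t'", not tp_done))
               if live]
    if not enabled:                       # both threads have terminated
        return ((l, Fraction(1)),)
    out = {}
    for name in enabled:                  # uniform scheduler over live threads
        if name == "t'":
            nxt = (pc, h, True, 1)        # t': l <- 1
        elif pc == TEST:                  # t: evaluate 'h > 0'
            nxt = (DEC if h > 0 else ASSIGN, h, tp_done, l)
        elif pc == DEC:                   # t: h <- h - 1
            nxt = (TEST, h - 1, tp_done, l)
        else:                             # t: l <- 2
            nxt = (DONE, h, tp_done, 2)
        for value, p in _dist(*nxt):
            out[value] = out.get(value, Fraction(0)) + p / len(enabled)
    return tuple(sorted(out.items()))

def low_output_distribution(h):
    """Distribution of the low output l at termination for high input h."""
    return dict(_dist(TEST, h, False, 0))  # initial l = 0 is an assumption

def leaking_pairs(secrets):
    """Pairs of high inputs whose low-output distributions differ."""
    d = {h: low_output_distribution(h) for h in secrets}
    return [(a, b) for a in secrets for b in secrets
            if a < b and d[a] != d[b]]

if __name__ == "__main__":
    for h in (0, 5):
        print(h, low_output_distribution(h))
    print("distinguishable pairs:", leaking_pairs(range(6)))
```

Every pair of distinct secrets in 0..5 yields a different distribution on l, so an observer who samples l over many runs learns h; this is the leak that probabilistic noninterference rules out.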
The Need for a Probabilistic Hyper Logic
Existing probabilistic temporal logics such as PCTL and PCTL∗ cannot draw a connection between the probability of reaching certain states in independent executions.
Introducing probability operators to HyperLTL is not quite natural, as the semantics of HyperLTL is trace-based and probabilistic logics are branching-time in nature.
HyperPCTL: HyperPCTL extends PCTL by allowing explicit and simultaneous quantification over initial states of a discrete-time Markov chain.
Probabilistic Noninterference:
$$\forall\sigma.\forall\sigma'.\ \big(\mathit{init}_\sigma \wedge \mathit{init}_{\sigma'} \wedge h_\sigma = h_{\sigma'}\big) \Rightarrow \Big(P\big(\mathit{fin}_\sigma \wedge (l{=}1)_\sigma\big) = P\big(\mathit{fin}_{\sigma'} \wedge (l{=}1)_{\sigma'}\big) \;\wedge\; P\big(\mathit{fin}_\sigma \wedge (l{=}2)_\sigma\big) = P\big(\mathit{fin}_{\sigma'} \wedge (l{=}2)_{\sigma'}\big)\Big)$$
HyperPCTL Semantics
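Example
[Figure: a discrete-time Markov chain with states s0, s1, s2, s3, s4, s5, s6; two states are labeled {init} and two are labeled {a}.]
$$\psi = \forall\sigma.\forall\sigma'.\ (\mathit{init}_\sigma \wedge \mathit{init}_{\sigma'}) \Rightarrow \big(P(a_\sigma) = P(a_{\sigma'})\big)$$
The probability of reaching a from s0 is 0.4 + (0.2 × 0.2) = 0.44.
The probability of reaching a from s1 is 0.3 + (0.7 × 0.2) = 0.44.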
Differential Privacy
Differential privacy is a commitment by a data holder to a data subject (normally an individual) that he/she will not be affected by allowing his/her data to be used in any study or analysis.
Formally, let ε be a positive real number and A be a randomized algorithm that makes a query to an input database and produces an output. Algorithm A is called ε-differentially private, if for all databases D1 and D2 that differ on a single element, and all subsets S of possible outputs of A, we have:
$$\Pr[A(D_1) \in S] \le e^{\epsilon} \cdot \Pr[A(D_2) \in S].$$
Differential Privacy
In a social study, each participant is faced with the query, “Have you engaged in activity A?” and is instructed to follow this protocol:
1. Flip a fair coin.
2. If tail, then answer truthfully.
3. If head, then flip the coin again and respond “Yes” if head and “No” if tail.
This protocol is (ln 3)-differentially private.
[Figure: DTMC of the protocol with states s0, labeled {t=y}, and s1, labeled {t=n}; the remaining labeled states carry the response, {r=y} or {r=n}; every branch has probability 0.5.]
HyperPCTL formula for DP:
$$\forall\sigma.\forall\sigma'.\ \Big[\big((t{=}n)_\sigma \wedge (t{=}y)_{\sigma'}\big) \Rightarrow \big(P((r{=}n)_\sigma) \le e^{\ln 3} \cdot P((r{=}n)_{\sigma'})\big)\Big] \wedge \Big[\big((t{=}y)_\sigma \wedge (t{=}n)_{\sigma'}\big) \Rightarrow \big(P((r{=}y)_\sigma) \le e^{\ln 3} \cdot P((r{=}y)_{\sigma'})\big)\Big]$$
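The check of the formula above on the coin-flip protocol, as an added example (not code from the slides). It assumes each P(...) is read as the probability of eventually reaching a state with that label; only s0 and s1 are state names from the slide, the other state and function names are made up for this example.

```python
from fractions import Fraction
from math import log

HALF = Fraction(1, 2)
# Constructed encoding of the protocol's DTMC. States without an entry in
# TRANS are absorbing (the participant has given a response).
TRANS = {
    "s0": {"y_truth": HALF, "y_flip": HALF},   # true answer is yes
    "s1": {"n_truth": HALF, "n_flip": HALF},   # true answer is no
    "y_flip": {"y_yes": HALF, "y_no": HALF},   # first coin was head: flip again
    "n_flip": {"n_yes": HALF, "n_no": HALF},
}
LABELS = {
    "s0": {"t=y"}, "s1": {"t=n"},
    "y_truth": {"r=y"}, "y_yes": {"r=y"}, "y_no": {"r=n"},
    "n_truth": {"r=n"}, "n_yes": {"r=y"}, "n_no": {"r=n"},
}
STATES = sorted(set(TRANS) | set(LABELS))

def has(state, ap):
    return ap in LABELS.get(state, set())

def reach(state, ap):
    """Probability of eventually reaching a state labeled ap.
    Plain recursion suffices because this chain has no cycles; a general
    DTMC needs a linear-equation solve instead."""
    if has(state, ap):
        return Fraction(1)
    return sum((p * reach(nxt, ap) for nxt, p in TRANS.get(state, {}).items()),
               Fraction(0))

def obligations():
    """Instantiate both implications for every state pair (sigma, sigma')
    and yield (lhs, rhs) for each required inequality lhs <= bound * rhs."""
    for s in STATES:
        for s2 in STATES:
            if has(s, "t=n") and has(s2, "t=y"):
                yield reach(s, "r=n"), reach(s2, "r=n")
            if has(s, "t=y") and has(s2, "t=n"):
                yield reach(s, "r=y"), reach(s2, "r=y")

def satisfies_dp(bound):
    """True iff the formula holds with e^epsilon replaced by `bound`."""
    return all(lhs <= bound * rhs for lhs, rhs in obligations())

def tightest_bound():
    """Smallest e^epsilon for which the formula holds on this chain."""
    return max(lhs / rhs for lhs, rhs in obligations())

if __name__ == "__main__":
    b = tightest_bound()
    print("e^epsilon =", b, " epsilon =", log(b))
    print("holds for 3:", satisfies_dp(3),
          " holds for 2.99:", satisfies_dp(Fraction(299, 100)))
```

The quantification ranges over pairs of states of a single chain, which is how the self-composition view turns a statement about two databases into one model checking query.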
Probabilistic Causation
Probabilistic causation aims to assert that the probability of effect e occurring if cause c happens is higher than the probability of e occurring when c does not happen.
Probabilistic Causation:
$$\psi_{pc1} = \forall\sigma.\forall\sigma'.\ c_\sigma \wedge \big(P(e_\sigma) > P(\neg c_{\sigma'}\ \mathcal{U}\ e_{\sigma'})\big).$$
HyperPCTL Examples
Probabilistic Bisimulation ϕpb = ∀σ.∀σ′.
k
- i=1
- (ai
σ ∧ ai σ′) ⇒
- ψAP ∧
k
- j=1
P( aj
σ) = P(
aj
σ′)
- where ψAP =
a∈AP(aσ ⇔ aσ′).
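Probabilistic Noninterference:
$$\forall\sigma.\forall\sigma'.\ \big(\mathit{init}_\sigma \wedge \mathit{init}_{\sigma'} \wedge h_\sigma = h_{\sigma'}\big) \Rightarrow \Big(P\big(\mathit{fin}_\sigma \wedge (l{=}1)_\sigma\big) = P\big(\mathit{fin}_{\sigma'} \wedge (l{=}1)_{\sigma'}\big) \;\wedge\; P\big(\mathit{fin}_\sigma \wedge (l{=}2)_\sigma\big) = P\big(\mathit{fin}_{\sigma'} \wedge (l{=}2)_{\sigma'}\big)\Big)$$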
HyperPCTL Model Checking
Theorem 1: For a finite Markov chain M and HyperPCTL formula ψ, the HyperPCTL model checking problem (to decide whether M ⊨ ψ) can be solved in time O(poly(|M|)).
Theorem 2: The HyperPCTL model checking problem is PSPACE-hard in the number of quantifiers in the formula.
Summary
We introduced a temporal logic to express probabilistic hyperproperties.
HyperPCTL extends PCTL by allowing explicit and simultaneous quantification over initial states of a discrete-time Markov chain.
We showed that HyperPCTL can express interesting requirements:
- Probabilistic bisimulation
- Probabilistic noninterference
- Differential privacy
- Probabilistic causation (causality)
We presented a polynomial-time model checking algorithm in the size of the input DTMC (exponential in the size of the input HyperPCTL formula).
Future Work
- On-the-fly model checking algorithm without full-blown generation of the self-composition.
- HyperPCTL∗.
- HyperPCTL in MDPs.
- HyperPCTL with rewards.
- Parametric DTMC model checking.
- DTMC repair for HyperPCTL.