Linear Temporal Logic for Hyperproperties (HyperLTL) Course: - - PowerPoint PPT Presentation



SLIDE 1

Linear Temporal Logic for Hyperproperties (HyperLTL)

Course: Specification and Verification of Parallel Systems 29 November 2019

Presented by: Elahe Fazeldehkordi


SLIDE 2

Hyperproperties

  • Trace: a sequence of states
  • System: is modeled by a non-empty set of infinite traces, called its executions
  • Trace property: a set of infinite traces

If systems are modeled as sets of execution traces, then the extension of a system property is a set of sets of infinite traces or, equivalently, a set of trace properties. This type of set is named a hyperproperty. Every property of system behavior (for systems modeled as trace sets) can be specified as a hyperproperty.

Course: Specification and Verification of Parallel Systems HyperLTL Presented By: Elahe Fazeldehkordi 2

SLIDE 3

Important security policies cannot be expressed as properties of individual execution traces of a system.

– whether a trace is allowed by the policy depends on whether another trace is also allowed

Hyperproperties can describe:

  • trace properties
  • security policies, such as:
    – noninterference
    – mean response time


SLIDE 4

HyperLTL

  • HyperLTL (Clarkson et al. 2014) is an extension of LTL for specifying hyperproperties.
  • Generalizes linear-time temporal logic (LTL)
  • Examines more than one execution trace at a time
  • Allows explicit quantification over multiple execution traces simultaneously
  • Allows propositions that stipulate relationships among those traces
  • Provides a simple and unifying logic in which many information-flow security policies can be directly expressed


SLIDE 5

LTL and HyperLTL

  • Trace properties are typically specified in temporal logics, most prominently in Linear Temporal Logic (LTL).
  • Verification of LTL specifications is routinely employed in industrial settings and marks one of the most successful applications of formal methods to real-life problems.
  • LTL implicitly quantifies over only a single path at a time, hence cannot express many hyperproperties of interest.
  • In LTL the satisfying object is a trace.
  • In HyperLTL the satisfying object is a set of traces and a trace assignment.

Syntax:


SLIDE 6

Syntax

Formulas of HyperLTL are defined by the following grammar:

$\pi$ is a trace variable from an infinite supply $\mathcal{V}$ of trace variables. $\forall\pi_1.\ \forall\pi_2.\ \exists\pi_3.\ \psi$ means that for all traces $\pi_1$ and $\pi_2$, there exists another trace $\pi_3$, such that $\psi$ holds on those three traces.

$X\varphi$ means that $\varphi$ holds on the next state of every quantified trace.


SLIDE 7

Syntax

  • Implication: $\varphi_1 \to \varphi_2 \equiv \neg\varphi_1 \lor \varphi_2$
  • Conjunction: $\varphi_1 \land \varphi_2 \equiv \neg(\neg\varphi_1 \lor \neg\varphi_2)$
  • Bi-implication: $\varphi_1 \leftrightarrow \varphi_2 \equiv (\varphi_1 \to \varphi_2) \land (\varphi_2 \to \varphi_1)$
  • True and false: $a_\pi \lor \neg a_\pi$ and $\neg\mathit{true}$
  • Other standard temporal connectives are:
    – $F\varphi \equiv \mathit{true}\ U\ \varphi$
    – $G\varphi \equiv \neg F \neg\varphi$
    – $\varphi_1\ W\ \varphi_2 \equiv (\varphi_1\ U\ \varphi_2) \lor G\varphi_1$
    – $\varphi_1\ R\ \varphi_2 \equiv \neg(\neg\varphi_1\ U\ \neg\varphi_2)$
  • $\varphi_1\ U\ \varphi_2$ means that $\varphi_2$ will eventually hold of the states of all quantified traces that appear at the same index, and until then $\varphi_1$ holds.


SLIDE 8

Semantics

Validity:

  • Trace assignment suffix $\Pi[i, \infty]$ denotes the trace assignment $\Pi'$ with, for all $\pi$,

$\Pi'(\pi) = \Pi(\pi)[i, \infty]$

  • If $\Pi \models_T \varphi$ holds for the empty assignment $\Pi$, then $T$ satisfies $\varphi$.


SLIDE 9

Semantics

  • A Kripke structure $K$ is a tuple $(S, s_0, \delta, AP, L)$:
    – a set of states $S$,
    – an initial state $s_0 \in S$,
    – a transition function $\delta : S \to 2^S$,
    – a set of atomic propositions $AP$,
    – a labeling function $L : S \to 2^{AP}$.
  • To ensure that all traces are infinite, we require that $\delta(s)$ is nonempty for every state $s$.
  • The set $\mathit{Traces}(K)$ of traces of $K$ is the set of all sequences of labels produced by the state transitions of $K$ starting from the initial state.
  • $\mathit{Traces}(K)$ contains trace $t$ iff there exists a sequence $s_0 s_1 \ldots$ of states, such that $s_0$ is the initial state, and for all $i \geq 0$, it holds that $s_{i+1} \in \delta(s_i)$ and $t[i] = L(s_i)$.
  • A Kripke structure $K$ satisfies $\varphi$, denoted by $K \models \varphi$, if $\mathit{Traces}(K)$ satisfies $\varphi$.


SLIDE 10

Security Policies in HyperLTL

  • Noninterference: the outputs observed by low-security users are the same as they would be in the absence of inputs submitted by high-security users.
  • Noninference is a variant of noninterference.
  • Noninference: for all traces, the low-observable behavior must not change when all high inputs are replaced by a dummy input $\lambda$, that is, when the high input is removed. Noninference in HyperLTL:

$\forall\pi.\ \exists\pi'.\ (G\,\lambda_{\pi'}) \land \pi =_L \pi'$

$\lambda_{\pi'}$ expresses that all of the high inputs in the current state of $\pi'$ are $\lambda$; $\pi =_L \pi'$ expresses that all low variables in $\pi$ and $\pi'$ have the same values.


SLIDE 11

Security Policies in HyperLTL

  • A (nondeterministic) program satisfies observational determinism if every pair of traces with the same initial low observation remain indistinguishable for low users. Observational determinism in HyperLTL:

$\forall\pi.\ \forall\pi'.\ \pi[0] =_{L,in} \pi'[0] \to \pi =_{L,out} \pi'$

where $\pi =_{L,in} \pi'$ and $\pi =_{L,out} \pi'$ express that both traces agree on the low input and low output variables, respectively.
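To see the two policies of slides 10 and 11 decided on the Kripke structures of slide 9, here is an added example (not code from the slides or from the cited papers). It builds two small constructed programs as Kripke structures $(S, s_0, \delta, AP, L)$: a leaky one, whose low output appears only after a high input was present, and a secure one, whose low output appears regardless. It then enumerates $\mathit{Traces}(K)$ cut to a fixed prefix length (an assumption: the check is bounded) and evaluates the noninference formula $\forall\pi.\ \exists\pi'.\ (G\,\lambda_{\pi'}) \land \pi =_L \pi'$ and the observational determinism formula $\forall\pi.\ \forall\pi'.\ \pi[0] =_{L,in} \pi'[0] \to \pi =_{L,out} \pi'$ directly as nested quantifier loops. The atom names `h`, `lin` and `lout` and the state names are constructed for the example.

```python
# Constructed atom names: 'h' is a high-security input, 'lin' a low-security input
# and 'lout' a low-observable output. The dummy high input lambda is modelled as
# the absence of 'h' in a state's label.
HIGH_IN = {'h'}
LOW_IN = {'lin'}
LOW_OUT = {'lout'}
LOW = LOW_IN | LOW_OUT

# Kripke structure K = (S, s0, delta, AP, L): delta maps each state to a non-empty
# successor list and L labels each state with the atoms that hold there.
S = ['s0', 's1', 's2', 's3', 's4']
AP = HIGH_IN | LOW
L = {'s0': frozenset(), 's1': frozenset({'h'}), 's2': frozenset(),
     's3': frozenset({'lout'}), 's4': frozenset()}

# Leaky program (constructed): after the high input (s1) the low output appears (s3);
# after the dummy input (s2) it does not (s4).
LEAKY = (S, 's0', {'s0': ['s1', 's2'], 's1': ['s3'], 's2': ['s4'],
                   's3': ['s0'], 's4': ['s0']}, AP, L)
# Secure program (constructed): the low output appears on both branches.
SECURE = (S, 's0', {'s0': ['s1', 's2'], 's1': ['s3'], 's2': ['s3'],
                    's3': ['s0'], 's4': ['s0']}, AP, L)


def traces(K, bound):
    """Traces(K) as label sequences, cut to prefixes of length `bound` (assumption:
    a bounded check stands in for the infinite traces of the slides)."""
    states, s0, delta, _ap, labels = K
    assert all(delta[s] for s in states)  # delta(s) non-empty, so every trace is infinite
    paths = {(s0,)}
    for _ in range(bound - 1):
        paths = {p + (s,) for p in paths for s in delta[p[-1]]}
    return {tuple(labels[s] for s in p) for p in paths}


def agree(t1, t2, atoms):
    """t1 =_atoms t2: both traces carry the same subset of `atoms` at every index."""
    return all((x & atoms) == (y & atoms) for x, y in zip(t1, t2))


def noninference(T):
    """forall pi. exists pi'. (G lambda_pi') and pi =_L pi'."""
    def dummy_high(t):  # G lambda_pi': no high input present at any index
        return not any(x & HIGH_IN for x in t)
    return all(any(dummy_high(t2) and agree(t, t2, LOW) for t2 in T) for t in T)


def observational_determinism(T):
    """forall pi. forall pi'. pi[0] =_{L,in} pi'[0] -> pi =_{L,out} pi'."""
    return all((t[0] & LOW_IN) != (t2[0] & LOW_IN) or agree(t, t2, LOW_OUT)
               for t in T for t2 in T)


def check_policies(bound=6):
    """{program: (noninference, observational determinism)} for both constructed programs."""
    return {name: (noninference(T), observational_determinism(T))
            for name, T in (('leaky', traces(LEAKY, bound)),
                            ('secure', traces(SECURE, bound)))}


if __name__ == '__main__':
    for name, (ni, od) in check_policies().items():
        print(f'{name}: noninference={ni} observational_determinism={od}')
```

For the leaky program the only trace with dummy high inputs throughout never shows `lout`, so no low-equal partner exists and noninference fails; the same pair of traces also falsifies observational determinism. Since a Kripke structure has a single initial state, $\pi[0]$ is identical for every pair of traces, so the $=_{L,in}$ premise holds for all pairs here; `LOW_IN` is kept only so that the code follows the shape of the formula.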


SLIDE 12

Problems about HyperLTL:

  • Bounded termination is not expressible.
  • The satisfiability problem is undecidable.


SLIDE 13

References

1. Clarkson, Michael R., et al. "Temporal logics for hyperproperties." International Conference on Principles of Security and Trust. Springer, Berlin, Heidelberg, 2014.
2. Clarkson, Michael R., and Fred B. Schneider. "Hyperproperties." Journal of Computer Security 18.6 (2010): 1157-1210.
3. Goguen, Joseph A., and José Meseguer. "Security policies and security models." 1982 IEEE Symposium on Security and Privacy. IEEE, 1982.
