Logics for Hyperproperties Martin Zimmermann Saarland University - - PowerPoint PPT Presentation

Logics for Hyperproperties

Martin Zimmermann

Saarland University

May, 19th 2017

Centre Fédéré en Vérification, Brussels, Belgium

Martin Zimmermann Saarland University Logics for Hyperproperties 1/40

Hyperproperties

S Isecret Osecret Ipublic Opublic

Martin Zimmermann Saarland University Logics for Hyperproperties 2/40

Hyperproperties

S Isecret Osecret Ipublic Opublic The system S is input-deterministic: for all traces t, t′ of S t =I t′ implies t =O t′

Martin Zimmermann Saarland University Logics for Hyperproperties 2/40

Hyperproperties

S Isecret Osecret Ipublic Opublic The system S is input-deterministic: for all traces t, t′ of S t =I t′ implies t =O t′ Noninterference: for all traces t, t′ of S t =Ipublic t′ implies t =Opublic t′

Martin Zimmermann Saarland University Logics for Hyperproperties 2/40

Hyperproperties

Both properties are not trace properties, i.e., sets T ⊆ Traces(S) of traces, but hyperproperties, i.e., sets H ⊆ 2Traces(S) of sets of traces. A system S satisfies a hyperproperty H, if Traces(S) ∈ H. Example: Noninterference as trace property: {T ⊆ Traces(S) | ∀t, t′ ∈ T : t =Ipublic t′ ⇒ t =Opublic t′}

Martin Zimmermann Saarland University Logics for Hyperproperties 3/40

Hyperproperties

Both properties are not trace properties, i.e., sets T ⊆ Traces(S) of traces, but hyperproperties, i.e., sets H ⊆ 2Traces(S) of sets of traces. A system S satisfies a hyperproperty H, if Traces(S) ∈ H. Example: Noninterference as trace property: {T ⊆ Traces(S) | ∀t, t′ ∈ T : t =Ipublic t′ ⇒ t =Opublic t′} Specification languages for hyperproperties HyperLTL: Extend LTL by trace quantifiers. HyperCTL∗: Extend CTL∗ by trace quantifiers.

Martin Zimmermann Saarland University Logics for Hyperproperties 3/40

Outline

• 1. HyperLTL
• 2. The Models Of HyperLTL
• 3. HyperLTL Satisfiability
• 4. HyperLTL Model-checking
• 5. The First-order Logic of Hyperproperties
• 6. Conclusion

Martin Zimmermann Saarland University Logics for Hyperproperties 4/40

Outline

• 1. HyperLTL
• 2. The Models Of HyperLTL
• 3. HyperLTL Satisfiability
• 4. HyperLTL Model-checking
• 5. The First-order Logic of Hyperproperties
• 6. Conclusion

Martin Zimmermann Saarland University Logics for Hyperproperties 5/40

LTL in One Slide

Syntax ϕ ::= a | ¬ϕ | ϕ ∨ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ where a ∈ AP (atomic propositions).

Martin Zimmermann Saarland University Logics for Hyperproperties 6/40

LTL in One Slide

Syntax ϕ ::= a | ¬ϕ | ϕ ∨ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ where a ∈ AP (atomic propositions). Semantics w, n | = ϕ for a trace w ∈ (2AP)ω and a position n ∈ N: w, n | = X ϕ: w n n + 1 ϕ w, n | = ϕ0 U ϕ1: w n ϕ0 ϕ0 ϕ0 ϕ1

Martin Zimmermann Saarland University Logics for Hyperproperties 6/40

LTL in One Slide

Syntax ϕ ::= a | ¬ϕ | ϕ ∨ ϕ | ϕ ∧ ϕ | X ϕ | ϕ U ϕ where a ∈ AP (atomic propositions). Semantics w, n | = ϕ for a trace w ∈ (2AP)ω and a position n ∈ N: w, n | = X ϕ: w n n + 1 ϕ w, n | = ϕ0 U ϕ1: w n ϕ0 ϕ0 ϕ0 ϕ1 Syntactic Sugar F ψ = true U ψ G ψ = ¬F ¬ψ

Martin Zimmermann Saarland University Logics for Hyperproperties 6/40

HyperLTL

HyperLTL = LTL + trace quantification ϕ ::= ∃π. ϕ | ∀π. ϕ | ψ ψ ::= aπ | ¬ψ | ψ ∨ ψ | X ψ | ψ U ψ where a ∈ AP (atomic propositions) and π ∈ V (trace variables).

Martin Zimmermann Saarland University Logics for Hyperproperties 7/40

HyperLTL

HyperLTL = LTL + trace quantification ϕ ::= ∃π. ϕ | ∀π. ϕ | ψ ψ ::= aπ | ¬ψ | ψ ∨ ψ | X ψ | ψ U ψ where a ∈ AP (atomic propositions) and π ∈ V (trace variables). Prenex normal form, but closed under boolean combinations.

Martin Zimmermann Saarland University Logics for Hyperproperties 7/40

Semantics

ϕ = ∀π. ∀π′. G onπ ↔ onπ′ T ⊆ (2AP)ω is a model of ϕ iff

Martin Zimmermann Saarland University Logics for Hyperproperties 8/40

Semantics

ϕ = ∀π. ∀π′. G onπ ↔ onπ′ T ⊆ (2AP)ω is a model of ϕ iff

{} | = ∀π. ∀π′. G onπ ↔ onπ′

Martin Zimmermann Saarland University Logics for Hyperproperties 8/40

Semantics

ϕ = ∀π. ∀π′. G onπ ↔ onπ′ T ⊆ (2AP)ω is a model of ϕ iff

{} | = ∀π. ∀π′. G onπ ↔ onπ′ {π → t} | = ∀π′. G onπ ↔ onπ′ for all t ∈ T

Martin Zimmermann Saarland University Logics for Hyperproperties 8/40

Semantics

ϕ = ∀π. ∀π′. G onπ ↔ onπ′ T ⊆ (2AP)ω is a model of ϕ iff

{} | = ∀π. ∀π′. G onπ ↔ onπ′ {π → t} | = ∀π′. G onπ ↔ onπ′ for all t ∈ T {π → t, π′ → t′} | = G onπ ↔ onπ′ for all t′ ∈ T

Martin Zimmermann Saarland University Logics for Hyperproperties 8/40

Semantics

ϕ = ∀π. ∀π′. G onπ ↔ onπ′ T ⊆ (2AP)ω is a model of ϕ iff

{} | = ∀π. ∀π′. G onπ ↔ onπ′ {π → t} | = ∀π′. G onπ ↔ onπ′ for all t ∈ T {π → t, π′ → t′} | = G onπ ↔ onπ′ for all t′ ∈ T {π → t[n, ∞), π′ → t′[n, ∞)} | = onπ ↔ onπ′ for all n ∈ N

Martin Zimmermann Saarland University Logics for Hyperproperties 8/40

Semantics

ϕ = ∀π. ∀π′. G onπ ↔ onπ′ T ⊆ (2AP)ω is a model of ϕ iff

{} | = ∀π. ∀π′. G onπ ↔ onπ′ {π → t} | = ∀π′. G onπ ↔ onπ′ for all t ∈ T {π → t, π′ → t′} | = G onπ ↔ onπ′ for all t′ ∈ T {π → t[n, ∞), π′ → t′[n, ∞)} | = onπ ↔ onπ′ for all n ∈ N

• n ∈ t(n) ⇔ on ∈ t′(n)

Martin Zimmermann Saarland University Logics for Hyperproperties 8/40

Applications

Uniform framework for information-flow control Does a system leak information? Symmetries in distributed systems Are clients treated symmetrically? Error resistant codes Do codes for distinct inputs have at least Hamming distance d? Software doping Think emission scandal in automotive industry

Martin Zimmermann Saarland University Logics for Hyperproperties 9/40

The Virtues of LTL

LTL has many desirables properties:

• 1. Every satisfiable LTL formula is satisfied by an ultimately

periodic trace, i.e., by a finite and finitely-represented model.

• 2. LTL satisfiability and model-checking are PSpace-complete.
• 3. LTL and FO[<] are expressively equivalent.

Which properties does HyperLTL retain ?

Martin Zimmermann Saarland University Logics for Hyperproperties 10/40

References

Michael R. Clarkson and Fred B. Schneider. Hyperproperties. Journal of Computer Security (2010). Michael R. Clarkson, Bernd Finkbeiner, Masoud Koleini, Kristopher K. Micinski, Markus N. Rabe, and César Sánchez. Temporal logics for hyperproperties. In Proceedings of POST 2014. Bernd Finkbeiner and Markus N. Rabe. The Linear-Hyper-Branching Spectrum of Temporal Logics. it-Information Technology (2014). Markus N. Rabe. A Temporal Logic Approach to Information-flow Control. PhD thesis, Saarland University (2016).

Martin Zimmermann Saarland University Logics for Hyperproperties 11/40

Outline

• 1. HyperLTL
• 2. The Models Of HyperLTL
• 3. HyperLTL Satisfiability
• 4. HyperLTL Model-checking
• 5. The First-order Logic of Hyperproperties
• 6. Conclusion

Martin Zimmermann Saarland University Logics for Hyperproperties 12/40

What about Finite Models?

Fix AP = {a} and consider the conjunction ϕ of ∀π. (¬aπ) U (aπ ∧ X G ¬aπ)

Martin Zimmermann Saarland University Logics for Hyperproperties 13/40

What about Finite Models?

Fix AP = {a} and consider the conjunction ϕ of ∀π. (¬aπ) U (aπ ∧ X G ¬aπ) ∃π. aπ

Martin Zimmermann Saarland University Logics for Hyperproperties 13/40

What about Finite Models?

Fix AP = {a} and consider the conjunction ϕ of ∀π. (¬aπ) U (aπ ∧ X G ¬aπ) ∃π. aπ {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ · · ·

Martin Zimmermann Saarland University Logics for Hyperproperties 13/40

What about Finite Models?

Fix AP = {a} and consider the conjunction ϕ of ∀π. (¬aπ) U (aπ ∧ X G ¬aπ) ∃π. aπ ∀π. ∃π′. F (aπ ∧ X aπ′) {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ · · ·

Martin Zimmermann Saarland University Logics for Hyperproperties 13/40

What about Finite Models?

Fix AP = {a} and consider the conjunction ϕ of ∀π. (¬aπ) U (aπ ∧ X G ¬aπ) ∃π. aπ ∀π. ∃π′. F (aπ ∧ X aπ′) {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ · · · ∅ {a} ∅ ∅ ∅ ∅ ∅ ∅ · · ·

Martin Zimmermann Saarland University Logics for Hyperproperties 13/40

What about Finite Models?

Fix AP = {a} and consider the conjunction ϕ of ∀π. (¬aπ) U (aπ ∧ X G ¬aπ) ∃π. aπ ∀π. ∃π′. F (aπ ∧ X aπ′) {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ · · · ∅ {a} ∅ ∅ ∅ ∅ ∅ ∅ · · · ∅ ∅ {a} ∅ ∅ ∅ ∅ ∅ · · · . . . . . . . . . . . . . . . . . . . . . . . . The unique model of ϕ is {∅n {a} ∅ω | n ∈ N}.

Martin Zimmermann Saarland University Logics for Hyperproperties 13/40

What about Finite Models?

Fix AP = {a} and consider the conjunction ϕ of ∀π. (¬aπ) U (aπ ∧ X G ¬aπ) ∃π. aπ ∀π. ∃π′. F (aπ ∧ X aπ′) {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ · · · ∅ {a} ∅ ∅ ∅ ∅ ∅ ∅ · · · ∅ ∅ {a} ∅ ∅ ∅ ∅ ∅ · · · . . . . . . . . . . . . . . . . . . . . . . . . The unique model of ϕ is {∅n {a} ∅ω | n ∈ N}.

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any finite set of traces.

Martin Zimmermann Saarland University Logics for Hyperproperties 13/40

What about Countable Models?

Theorem

Every satisfiable HyperLTL sentence has a countable model.

Martin Zimmermann Saarland University Logics for Hyperproperties 14/40

What about Countable Models?

Theorem

Every satisfiable HyperLTL sentence has a countable model. Proof W.l.o.g. ϕ = ∀π0. ∃π′

• 0. · · · ∀πk. ∃π′
• k. ψ with quantifier-free ψ.

Fix a Skolem function fj for every existentially quantified π′

j.

Martin Zimmermann Saarland University Logics for Hyperproperties 14/40

What about Countable Models?

Theorem

Every satisfiable HyperLTL sentence has a countable model. Proof W.l.o.g. ϕ = ∀π0. ∃π′

• 0. · · · ∀πk. ∃π′
• k. ψ with quantifier-free ψ.

Fix a Skolem function fj for every existentially quantified π′

j.

t

Martin Zimmermann Saarland University Logics for Hyperproperties 14/40

What about Countable Models?

Theorem

Every satisfiable HyperLTL sentence has a countable model. Proof W.l.o.g. ϕ = ∀π0. ∃π′

• 0. · · · ∀πk. ∃π′
• k. ψ with quantifier-free ψ.

Fix a Skolem function fj for every existentially quantified π′

j.

f0(t) f1(t, t) · · · fk(t, . . . , t) t

Martin Zimmermann Saarland University Logics for Hyperproperties 14/40

What about Countable Models?

Theorem

Every satisfiable HyperLTL sentence has a countable model. Proof W.l.o.g. ϕ = ∀π0. ∃π′

• 0. · · · ∀πk. ∃π′
• k. ψ with quantifier-free ψ.

Fix a Skolem function fj for every existentially quantified π′

j.

t

Martin Zimmermann Saarland University Logics for Hyperproperties 14/40

What about Countable Models?

Theorem

Every satisfiable HyperLTL sentence has a countable model. Proof W.l.o.g. ϕ = ∀π0. ∃π′

• 0. · · · ∀πk. ∃π′
• k. ψ with quantifier-free ψ.

Fix a Skolem function fj for every existentially quantified π′

j.

· · · · · · t

Martin Zimmermann Saarland University Logics for Hyperproperties 14/40

What about Countable Models?

Theorem

Every satisfiable HyperLTL sentence has a countable model. Proof W.l.o.g. ϕ = ∀π0. ∃π′

• 0. · · · ∀πk. ∃π′
• k. ψ with quantifier-free ψ.

Fix a Skolem function fj for every existentially quantified π′

j.

· · · · · · t The limit is a model of ϕ and countable.

Martin Zimmermann Saarland University Logics for Hyperproperties 14/40

What about Regular Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any ω-regular set of traces.

Martin Zimmermann Saarland University Logics for Hyperproperties 15/40

What about Regular Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any ω-regular set of traces. Proof Express that a model T contains..

• 1. .. ({a}{b})n∅ω for every n.

Martin Zimmermann Saarland University Logics for Hyperproperties 15/40

What about Regular Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any ω-regular set of traces. Proof Express that a model T contains..

• 1. .. ({a}{b})n∅ω for every n.

{a} {b} {a} {b} {a} {b} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 15/40

What about Regular Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any ω-regular set of traces. Proof Express that a model T contains..

• 1. .. ({a}{b})n∅ω for every n.
• 2. .. for every trace of the form

x{b}{a}y in T, also the trace x{a}{b}y. {a} {b} {a} {b} {a} {b} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 15/40

What about Regular Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any ω-regular set of traces. Proof Express that a model T contains..

• 1. .. ({a}{b})n∅ω for every n.
• 2. .. for every trace of the form

x{b}{a}y in T, also the trace x{a}{b}y. {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 15/40

What about Regular Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any ω-regular set of traces. Proof Express that a model T contains..

• 1. .. ({a}{b})n∅ω for every n.
• 2. .. for every trace of the form

x{b}{a}y in T, also the trace x{a}{b}y. {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 15/40

What about Regular Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any ω-regular set of traces. Proof Express that a model T contains..

• 1. .. ({a}{b})n∅ω for every n.
• 2. .. for every trace of the form

x{b}{a}y in T, also the trace x{a}{b}y. {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 15/40

What about Regular Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any ω-regular set of traces. Proof Express that a model T contains..

• 1. .. ({a}{b})n∅ω for every n.
• 2. .. for every trace of the form

x{b}{a}y in T, also the trace x{a}{b}y. {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω {a} {b} {a} {b} {a} {b} ∅ω Then, T ∩ {a}∗{b}∗∅ω = {{a}n{b}n∅ω | n ∈ N} is not ω-regular.

Martin Zimmermann Saarland University Logics for Hyperproperties 15/40

What about Ultimately Periodic Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any set of traces that contains an ultimately periodic trace.

Martin Zimmermann Saarland University Logics for Hyperproperties 16/40

What about Ultimately Periodic Models?

Theorem

There is a satisfiable HyperLTL sentence that is not satisfied by any set of traces that contains an ultimately periodic trace. One can even encode the prime numbers in HyperLTL!

Martin Zimmermann Saarland University Logics for Hyperproperties 16/40

References

Bernd Finkbeiner and Martin Zimmermann. The first-order logic of hyperproperties. In Proceedings of STACS 2017.

Martin Zimmermann Saarland University Logics for Hyperproperties 17/40

Outline

• 1. HyperLTL
• 2. The Models Of HyperLTL
• 3. HyperLTL Satisfiability
• 4. HyperLTL Model-checking
• 5. The First-order Logic of Hyperproperties
• 6. Conclusion

Martin Zimmermann Saarland University Logics for Hyperproperties 18/40

Undecidability

The HyperLTL satisfiability problem: Given ϕ, is there a non-empty set T of traces with T | = ϕ?

Theorem

HyperLTL satisfiability is undecidable.

Martin Zimmermann Saarland University Logics for Hyperproperties 19/40

Undecidability

The HyperLTL satisfiability problem: Given ϕ, is there a non-empty set T of traces with T | = ϕ?

Theorem

HyperLTL satisfiability is undecidable. Proof: By a reduction from Post’s correspondence problem. Example Blocks (a, baa) (ab, aa) (bba, bb)

Martin Zimmermann Saarland University Logics for Hyperproperties 19/40

Undecidability

The HyperLTL satisfiability problem: Given ϕ, is there a non-empty set T of traces with T | = ϕ?

Theorem

HyperLTL satisfiability is undecidable. Proof: By a reduction from Post’s correspondence problem. Example Blocks (a, baa) (ab, aa) (bba, bb) A solution: b b a a b b b a a b b a a b b b a a

Martin Zimmermann Saarland University Logics for Hyperproperties 19/40

Undecidability

The HyperLTL satisfiability problem: Given ϕ, is there a non-empty set T of traces with T | = ϕ?

Theorem

HyperLTL satisfiability is undecidable. Proof: By a reduction from Post’s correspondence problem. Example Blocks (a, baa) (ab, aa) (bba, bb) A solution: b b a a b b b a a b b a a b b b a a

Martin Zimmermann Saarland University Logics for Hyperproperties 19/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ω {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ω {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ω {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ω {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ω {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ω {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ω {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ω {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ω {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Undecidability

• 1. There is a (solution)

trace where top matches bottom.

• 2. Every trace is finite

and starts with a block or is empty.

• 3. For every non-empty

trace, the trace

• btained by

removing the first block also exists.

{b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {b} {b} {a} {a} {b} {b} {b} {a} {a} ∅ω {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ω {a} {a} {b} {b} {b} {a} {a} ∅ ∅ ∅ω {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ω {b} {b} {b} {a} {a} ∅ ∅ ∅ ∅ ∅ω {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ω {b} {a} {a} ∅ ∅ ∅ ∅ ∅ ∅ ∅ω ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ω ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ ∅ω

Martin Zimmermann Saarland University Logics for Hyperproperties 20/40

Decidability

Theorem

∃∗-HyperLTL satisfiability is PSpace-complete.

Martin Zimmermann Saarland University Logics for Hyperproperties 21/40

Decidability

Theorem

∃∗-HyperLTL satisfiability is PSpace-complete. Proof: Membership: Consider ϕ = ∃π0 . . . ∃πk. ψ. Obtain ψ′ from ψ by replacing each aπj by a fresh proposition aj. Then: ϕ and the LTL formula ψ′ are equi-satisfiable. Hardness: trivial reduction from LTL satisfiability

Martin Zimmermann Saarland University Logics for Hyperproperties 21/40

Decidability

Theorem

∀∗-HyperLTL satisfiability is PSpace-complete.

Martin Zimmermann Saarland University Logics for Hyperproperties 22/40

Decidability

Theorem

∀∗-HyperLTL satisfiability is PSpace-complete. Proof: Membership: Consider ϕ = ∀π0 . . . ∀πk. ψ. Obtain ψ′ from ψ by replacing each aπj by a. Then: ϕ and the LTL formula ψ′ are equi-satisfiable. Hardness: trivial reduction from LTL satisfiability

Martin Zimmermann Saarland University Logics for Hyperproperties 22/40

Decidability

Theorem

∃∗∀∗-HyperLTL satisfiability is ExpSpace-complete.

Martin Zimmermann Saarland University Logics for Hyperproperties 23/40

Decidability

Theorem

∃∗∀∗-HyperLTL satisfiability is ExpSpace-complete. Proof: Membership: Consider ϕ = ∃π0 . . . ∃πk. ∀π′

0 . . . ∀π′ ℓ. ψ.

Let ϕ′ = ∃π0 . . . ∃πk

k

• j0=0

· · ·

k

• jℓ=0

ψj0,...,jℓ where ψj0,...,jℓ is obtained from ψ by replacing each

• ccurrence of π′

i by πji.

Then: ϕ and ϕ′ are equi-satisfiable. Hardness: encoding of exponential-space Turing machines.

Martin Zimmermann Saarland University Logics for Hyperproperties 23/40

Further Results

HyperLTL implication checking: given ϕ and ϕ′, does, for every T, T | = ϕ imply T | = ϕ′?

Lemma

ϕ does not imply ϕ′ iff (ϕ ∧ ¬ϕ′) is satisfiable.

Martin Zimmermann Saarland University Logics for Hyperproperties 24/40

Further Results

HyperLTL implication checking: given ϕ and ϕ′, does, for every T, T | = ϕ imply T | = ϕ′?

Lemma

ϕ does not imply ϕ′ iff (ϕ ∧ ¬ϕ′) is satisfiable.

Corollary

Implication checking for alternation-free HyperLTL formulas is ExpSpace-complete. Tool EAHyper: satisfiability, implication, and equivalence checking for HyperLTL

Martin Zimmermann Saarland University Logics for Hyperproperties 24/40

References

Bernd Finkbeiner and Christopher Hahn. Deciding

• Hyperproperties. In Proceedings of CONCUR 2016.

Bernd Finkbeiner, Christopher Hahn, and Marvin Stenger. EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties. In Proceedings of CAV 2017.

Martin Zimmermann Saarland University Logics for Hyperproperties 25/40

Outline

• 1. HyperLTL
• 2. The Models Of HyperLTL
• 3. HyperLTL Satisfiability
• 4. HyperLTL Model-checking
• 5. The First-order Logic of Hyperproperties
• 6. Conclusion

Martin Zimmermann Saarland University Logics for Hyperproperties 26/40

Model-Checking

The HyperLTL model-checking problem: Given a transition system S and ϕ, does Traces(S) | = ϕ?

Theorem

The HyperLTL model-checking problem is decidable.

Martin Zimmermann Saarland University Logics for Hyperproperties 27/40

Model-Checking

Proof: Consider ϕ = ∃π1. ∀π2. . . . ∃πk−1. ∀πk. ψ. Rewrite as ∃π1. ¬∃π2. ¬ . . . ∃πk−1. ¬∃πk. ¬ψ.

Martin Zimmermann Saarland University Logics for Hyperproperties 28/40

Model-Checking

Proof: Consider ϕ = ∃π1. ∀π2. . . . ∃πk−1. ∀πk. ψ. Rewrite as ∃π1. ¬∃π2. ¬ . . . ∃πk−1. ¬∃πk. ¬ψ. By induction over quantifier prefix construct non-determinstic Büchi automaton A with L(A) = ∅ iff Traces(S) | = ϕ. Induction start: build automaton for LTL formula

• btained from ¬ψ by replacing aπj by aj.

For ∃πjθ restrict automaton for θ in dimension j to traces

• f S.

For ¬θ complement automaton for θ.

Martin Zimmermann Saarland University Logics for Hyperproperties 28/40

Model-Checking

Proof: Consider ϕ = ∃π1. ∀π2. . . . ∃πk−1. ∀πk. ψ. Rewrite as ∃π1. ¬∃π2. ¬ . . . ∃πk−1. ¬∃πk. ¬ψ. By induction over quantifier prefix construct non-determinstic Büchi automaton A with L(A) = ∅ iff Traces(S) | = ϕ. Induction start: build automaton for LTL formula

• btained from ¬ψ by replacing aπj by aj.

For ∃πjθ restrict automaton for θ in dimension j to traces

• f S.

For ¬θ complement automaton for θ. ⇒ Non-elementary complexity, but alternation-free fragments are as hard as LTL.

Martin Zimmermann Saarland University Logics for Hyperproperties 28/40

References

Bernd Finkbeiner, Markus N. Rabe, and César Sánchez. Algorithms for Model Checking HyperLTL and HyperCTL∗. In Proceedings of CAV 2015.

Martin Zimmermann Saarland University Logics for Hyperproperties 29/40

Outline

• 1. HyperLTL
• 2. The Models Of HyperLTL
• 3. HyperLTL Satisfiability
• 4. HyperLTL Model-checking
• 5. The First-order Logic of Hyperproperties
• 6. Conclusion

Martin Zimmermann Saarland University Logics for Hyperproperties 30/40

First-order Logic vs. LTL

FO[<]: first-order order logic over signature {<} ∪ {Pa | a ∈ AP}

• ver structures with universe N.

Theorem (Kamp ’68, Gabbay et al. ’80)

LTL and FO[<] are expressively equivalent.

Martin Zimmermann Saarland University Logics for Hyperproperties 31/40

First-order Logic vs. LTL

FO[<]: first-order order logic over signature {<} ∪ {Pa | a ∈ AP}

• ver structures with universe N.

Theorem (Kamp ’68, Gabbay et al. ’80)

LTL and FO[<] are expressively equivalent. Example ∀x(Pq(x) ∧ ¬Pp(x)) → ∃y(x < y ∧ Pp(y)) and G (q → F p) are equivalent.

Martin Zimmermann Saarland University Logics for Hyperproperties 31/40

First-order Logic for Hyperproperties

· · · <

N

Martin Zimmermann Saarland University Logics for Hyperproperties 32/40

First-order Logic for Hyperproperties

· · · <

N

· · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

T

Martin Zimmermann Saarland University Logics for Hyperproperties 32/40

First-order Logic for Hyperproperties

· · · <

N

· · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

T

E

Martin Zimmermann Saarland University Logics for Hyperproperties 32/40

First-order Logic for Hyperproperties

· · · <

N

· · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

T

E FO[<, E]: first-order logic with equality over the signature {<, E} ∪ {Pa | a ∈ AP} over structures with universe T × N. Example ∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′))

Martin Zimmermann Saarland University Logics for Hyperproperties 32/40

First-order Logic for Hyperproperties

· · · <

N

· · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . · · · · · · . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

T

E FO[<, E]: first-order logic with equality over the signature {<, E} ∪ {Pa | a ∈ AP} over structures with universe T × N.

Proposition

For every HyperLTL sentence there is an equivalent FO[<, E] sentence.

Martin Zimmermann Saarland University Logics for Hyperproperties 32/40

A Setback

Let ϕ be the following property of sets T ⊆ (2{p})ω: There is an n such that p / ∈ t(n) for every t ∈ T.

Theorem (Bozzelli et al. ’15)

ϕ is not expressible in HyperLTL.

Martin Zimmermann Saarland University Logics for Hyperproperties 33/40

A Setback

Let ϕ be the following property of sets T ⊆ (2{p})ω: There is an n such that p / ∈ t(n) for every t ∈ T.

Theorem (Bozzelli et al. ’15)

ϕ is not expressible in HyperLTL. But, ϕ is easily expressible in FO[<, E]: ∃x ∀y E(x, y) → ¬Pp(y)

Corollary

FO[<, E] strictly subsumes HyperLTL.

Martin Zimmermann Saarland University Logics for Hyperproperties 33/40

HyperFO

∃Mx and ∀Mx: quantifiers restricted to initial positions. ∃Gy ≥ x and ∀Gy ≥ x: if x is initial, then quantifiers restricted to positions on the same trace as x.

Martin Zimmermann Saarland University Logics for Hyperproperties 34/40

HyperFO

∃Mx and ∀Mx: quantifiers restricted to initial positions. ∃Gy ≥ x and ∀Gy ≥ x: if x is initial, then quantifiers restricted to positions on the same trace as x. HyperFO: sentences of the form ϕ = QM

1 x1. · · · QM k xk. QG 1 y1 ≥ xg1. · · · QG ℓ yℓ ≥ xgℓ. ψ

Q ∈ {∃, ∀}, {x1, . . . , xk} and {y1, . . . , yℓ} are disjoint, every guard xgj is in{x1, . . . , xk}, and ψ is quantifier-free over signature {<, E} ∪ {Pa | a ∈ AP} with free variables in {y1, . . . , yℓ}.

Martin Zimmermann Saarland University Logics for Hyperproperties 34/40

Equivalence

Theorem

HyperLTL and HyperFO are equally expressive.

Martin Zimmermann Saarland University Logics for Hyperproperties 35/40

Equivalence

Theorem

HyperLTL and HyperFO are equally expressive. Proof From HyperLTL to HyperFO: structural induction. From HyperFO to HyperLTL: reduction to Kamp’s theorem.

Martin Zimmermann Saarland University Logics for Hyperproperties 35/40

From HyperFO to HyperLTL

∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′))

Martin Zimmermann Saarland University Logics for Hyperproperties 36/40

From HyperFO to HyperLTL

∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′)) ∀Mx1 ∀Mx2 ∀Gy1 ≥ x1 ∀Gy2 ≥ x2E(y1, y2) → (Pon(y1) ↔ Pon(y2))

Martin Zimmermann Saarland University Logics for Hyperproperties 36/40

From HyperFO to HyperLTL

∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′)) ∀Mx1 ∀Mx2 ∀Gy1 ≥ x1 ∀Gy2 ≥ x2E(y1, y2) → (Pon(y1) ↔ Pon(y2)) {on} {on} ∅ {on} · · · {on} ∅ ∅ {on} · · · x1 → x2 →

Martin Zimmermann Saarland University Logics for Hyperproperties 36/40

From HyperFO to HyperLTL

∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′)) ∀Gy1 ≥ x1 ∀Gy2 ≥ x2E(y1, y2) → (Pon(y1) ↔ Pon(y2)) {on} {on} ∅ {on} · · · {on} ∅ ∅ {on} · · · x1 → x2 →

Martin Zimmermann Saarland University Logics for Hyperproperties 36/40

From HyperFO to HyperLTL

∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′)) ∀Gy1 ≥ x1 ∀Gy2 ≥ x2E(y1, y2) → (Pon(y1) ↔ Pon(y2)) ∀Mx1 ∀Mx2 ∀y1 ∀y2 (y1 = y2) → (P(on,1)(y1) ↔ P(on,2)(y2)) {(on, 1), {(on, 1)} ∅ {(on, 1), · · · (on, 2)} (on, 2)}

Martin Zimmermann Saarland University Logics for Hyperproperties 36/40

From HyperFO to HyperLTL

∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′)) ∀Gy1 ≥ x1 ∀Gy2 ≥ x2E(y1, y2) → (Pon(y1) ↔ Pon(y2)) ∀Mx1 ∀Mx2 ∀y1 ∀y2 (y1 = y2) → (P(on,1)(y1) ↔ P(on,2)(y2)) ∀Mx1 ∀Mx2 G ((on, 1) ↔ (on, 2)) {(on, 1), {(on, 1)} ∅ {(on, 1), · · · (on, 2)} (on, 2)}

Martin Zimmermann Saarland University Logics for Hyperproperties 36/40

From HyperFO to HyperLTL

∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′)) ∀Gy1 ≥ x1 ∀Gy2 ≥ x2E(y1, y2) → (Pon(y1) ↔ Pon(y2)) ∀Mx1 ∀Mx2 ∀y1 ∀y2 (y1 = y2) → (P(on,1)(y1) ↔ P(on,2)(y2)) ∀Mx1 ∀Mx2 G ((on, 1) ↔ (on, 2)) ∀Mx1 ∀Mx2 {(on, 1), {(on, 1)} ∅ {(on, 1), · · · (on, 2)} (on, 2)}

Martin Zimmermann Saarland University Logics for Hyperproperties 36/40

From HyperFO to HyperLTL

∀x∀x′ E(x, x′) → (Pon(x) ↔ Pon(x′)) ∀Gy1 ≥ x1 ∀Gy2 ≥ x2E(y1, y2) → (Pon(y1) ↔ Pon(y2)) ∀Mx1 ∀Mx2 ∀y1 ∀y2 (y1 = y2) → (P(on,1)(y1) ↔ P(on,2)(y2)) ∀Mx1 ∀Mx2 G ((on, 1) ↔ (on, 2)) ∀Mx1 ∀Mx2 ∀π1 ∀π2 G (onπ1 ↔ onπ2) {on} {on} ∅ {on} · · · {on} ∅ ∅ {on} · · · π1 → π2 →

Martin Zimmermann Saarland University Logics for Hyperproperties 36/40

References

Bernd Finkbeiner and Martin Zimmermann. The first-order logic of hyperproperties. In Proceedings of STACS 2017.

Martin Zimmermann Saarland University Logics for Hyperproperties 37/40

Outline

• 1. HyperLTL
• 2. The Models Of HyperLTL
• 3. HyperLTL Satisfiability
• 4. HyperLTL Model-checking
• 5. The First-order Logic of Hyperproperties
• 6. Conclusion

Martin Zimmermann Saarland University Logics for Hyperproperties 38/40

Conclusion

HyperLTL behaves quite differently than LTL: The models of HyperLTL are rather not well-behaved, i.e., in general (countably) infinite, non-regular, and non-periodic. Satisfiability is in general undecidable. Model-checking is decidable, but non-elementary.

Martin Zimmermann Saarland University Logics for Hyperproperties 39/40

Conclusion

HyperLTL behaves quite differently than LTL: The models of HyperLTL are rather not well-behaved, i.e., in general (countably) infinite, non-regular, and non-periodic. Satisfiability is in general undecidable. Model-checking is decidable, but non-elementary. But with the feasible problems, you can do exciting things: HyperLTL is a powerful tool for information security and beyond Information-flow control Symmetries in distributed systems Error resistant codes Software doping

Martin Zimmermann Saarland University Logics for Hyperproperties 39/40

Open Problems

Is there a class of languages L such that every satisfiable HyperLTL sentence has a model from L? Is the quantifier alternation hierarchy strict? HyperLTL synthesis Is there a temporal logic that is expressively equivalent to FO[<, E]? What about HyperCTL∗? Software model-checking Quantitative hyperproperties

Martin Zimmermann Saarland University Logics for Hyperproperties 40/40

Open Problems

Is there a class of languages L such that every satisfiable HyperLTL sentence has a model from L? Is the quantifier alternation hierarchy strict? HyperLTL synthesis Is there a temporal logic that is expressively equivalent to FO[<, E]? What about HyperCTL∗? Software model-checking Quantitative hyperproperties

Thank you

Martin Zimmermann Saarland University Logics for Hyperproperties 40/40