Team Semantics for the Specification and Verification of Hyperproperties - PowerPoint PPT Presentation

  1. Team Semantics for the Specification and Verification of Hyperproperties
     Jonni Virtema, Hasselt University, Belgium, jonni.virtema@gmail.com
     Joint work with Andreas Krebs (University of Tübingen, Germany), Arne Meier (University of Hanover, Germany), and Martin Zimmermann (Saarland University, Germany)
     27th of August, 2018 – MFCS 2018
     Outline: Motivation & History; Hyperproperties & HyperLTL; TeamLTL; Extensions of TeamLTL; Complexity Results; Conclusion

  2. Core of Team Semantics
     ◮ In most studied logics formulae are evaluated in a single state of affairs. E.g.,
       ◮ a first-order assignment in first-order logic,
       ◮ a propositional assignment in propositional logic,
       ◮ a possible world of a Kripke structure in modal logic.
     ◮ In team semantics sets of states of affairs are considered. E.g.,
       ◮ a set of first-order assignments in first-order logic,
       ◮ a set of propositional assignments in propositional logic,
       ◮ a set of possible worlds of a Kripke structure in modal logic.
     ◮ These sets of things are called teams.

  4. Team Semantics: Motivation and History
     Logical modelling of uncertainty, imperfect information, and different notions of dependence such as functional dependence and independence, from application fields: statistics (probabilistic independence), database theory (database dependencies), social choice theory (Arrow's theorem), etc.
     Historical development:
     ◮ Branching quantifiers by Henkin 1959.
         ( ∀x  ∃y  )
         ( ∀x′ ∃y′ ) ϕ(x, y, x′, y′)
     ◮ Independence-friendly logic by Hintikka and Sandu 1989.
         ∀x ∃y ∀x′ ∃y′/{x, y} ϕ(x, y, x′, y′)
     ◮ Team semantics by Hodges 1997.
     ◮ Dependence logic and modal dependence logic by Väänänen 2007.
     ◮ Introduction of other dependency notions to team semantics such as inclusion, exclusion, and independence. Galliani, Grädel, Väänänen.
     ◮ Team semantics for computational tree logic CTL by Krebs et al.
     ◮ Multiteam, polyteam, and probabilistic team semantics by Hannula et al.

  6. Trace Properties and Hyperproperties
     ◮ Behaviour of a system can be modelled via execution traces t.
     ◮ Think of an (infinite) sequence t, where t[i] is the state of the system at time i.
     ◮ Trace properties are sets of traces of the system in question.
     ◮ A system satisfies a trace property if each of its traces has the property.
       ◮ "The system terminates eventually" is a trace property.
       ◮ "The system terminates within a bounded time" is not a trace property (whether a common bound exists depends on the whole set of traces, not on any single trace).
     ◮ Hyperproperties by Clarkson and Schneider 2010
       ◮ Hyperproperties are sets of sets of traces.
       ◮ A system satisfies a hyperproperty H if its set of traces belongs to H.
       ◮ Every trace property is a hyperproperty.
       ◮ "The system terminates within a bounded time" is a hyperproperty.
     ◮ Hyperproperties are exactly the same as team properties.

  8. LTL and HyperLTL
     ◮ Trace properties are typically specified in temporal logics, most prominently in Linear Temporal Logic (LTL).
     ◮ Verification of LTL specifications is routinely employed in industrial settings and marks one of the most successful applications of formal methods to real-life problems.
     ◮ HyperLTL by Clarkson et al. 2014 is an extension of LTL for specifying hyperproperties.
     ◮ In LTL the satisfying object is a trace. Syntax:
         ϕ ::= p | ¬ϕ | (ϕ ∨ ϕ) | Xϕ | ϕ U ϕ
     ◮ In HyperLTL the satisfying object is a set of traces and a trace assignment. Syntax:
         ϕ ::= ∃π ϕ | ∀π ϕ | ψ
         ψ ::= p_π | ¬ψ | (ψ ∨ ψ) | Xψ | ψ U ψ

  10. Hyperproperties in HyperLTL
     ◮ The majority of the information flow properties found in the literature are expressible.
       ◮ Observational determinism: ∀π ∀π′ (π[0] =_in π′[0]) → (π[0] =_out π′[0])
       ◮ Noninference (from high security to low security): ∀π ∃π′ (G λ_π′) ∧ π =_L π′
       Here λ = "dummy high security information", in/out = "input/output", and L = "low security information".
     ◮ Problems with HyperLTL:
       ◮ Bounded termination is not expressible.
       ◮ Satisfiability problem is undecidable.
       ◮ Model checking problem is non-elementary.
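
As an added example (not code from the talk or its authors), the following Python evaluator implements the HyperLTL syntax of slide 8 over a finite set of traces and a trace assignment, and uses it to check the two information-flow formulas above. The trace names π and π′, the propositions in/out/hi/λ, and the two toy systems are constructed here; observational determinism is encoded exactly as the slide states it, comparing time 0 only, and G is derived from U as ¬(true U ¬f).

```python
# Minimal HyperLTL evaluator over a finite set of finite traces (an added,
# constructed example, not the authors' code). A trace is a tuple of frozensets
# of the propositions true at each time; its last state stutters forever, so
# traces are infinite as HyperLTL requires. Formulas are nested tuples in the
# slide's grammar: ('ap', p, pi) ('not', f) ('or', f, g) ('X', f) ('U', f, g)
# ('exists', pi, f) ('forall', pi, f), plus the constant ('true',).
def holds(traces, assign, f, i=0):
    """Truth of f at time i under the trace assignment `assign` (name -> trace)."""
    ev = lambda g, j=i: holds(traces, assign, g, j)
    op = f[0]
    if op == 'true': return True
    if op == 'ap':
        t = assign[f[2]]
        return f[1] in t[min(i, len(t) - 1)]
    if op == 'not': return not ev(f[1])
    if op == 'or': return ev(f[1]) or ev(f[2])
    if op == 'X': return ev(f[1], i + 1)
    if op == 'U':
        # From the last position of the longest trace on, every state (hence
        # every subformula) is constant, so searching up to there is exact.
        last = max(len(t) for t in traces) - 1
        for j in range(i, max(i, last) + 1):
            if ev(f[2], j): return True
            if not ev(f[1], j): return False
        return False
    pick = any if op == 'exists' else all  # quantifiers range over the set
    return pick(holds(traces, {**assign, f[1]: t}, f[2], i) for t in traces)

def And(f, g): return ('not', ('or', ('not', f), ('not', g)))
def Implies(f, g): return ('or', ('not', f), g)
def Iff(f, g): return And(Implies(f, g), Implies(g, f))
def G(f): return ('not', ('U', ('true',), ('not', f)))
def agree(props, p1, p2):  # traces p1 and p2 carry the same `props` now
    f = ('true',)
    for p in props: f = And(f, Iff(('ap', p, p1), ('ap', p, p2)))
    return f

# Observational determinism exactly as on the slide (time 0 only) and
# noninference. 'in'/'out' are the low input/output, 'hi' a real secret,
# 'λ' the dummy high input; all names are constructed for this example.
OBS_DET = ('forall', 'π', ('forall', "π'",
           Implies(agree(['in'], 'π', "π'"), agree(['out'], 'π', "π'"))))
NONINF = ('forall', 'π', ('exists', "π'",
          And(G(('ap', 'λ', "π'")), G(agree(['in', 'out'], 'π', "π'")))))
def fs(*xs): return frozenset(xs)
# Constructed systems: low input at time 0, low output from time 1 onward.
SECURE = [(fs('in', 'λ'), fs('out', 'λ')), (fs('in', 'hi'), fs('out')),
          (fs('λ'), fs('λ')), (fs('hi'), fs())]
# Here the secret makes the output appear already at time 0: a visible leak.
LEAKY = [(fs('in', 'λ'), fs('out', 'λ')), (fs('in', 'hi', 'out'), fs('out')),
         (fs('λ'), fs('λ'))]
def check(system):  # -> (observational determinism, noninference)
    return holds(system, {}, OBS_DET), holds(system, {}, NONINF)
```

Both properties quantify over pairs of traces, which is why neither can be decided by inspecting the leaky system's traces one at a time.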