[PPT] - Verifying Hyperproperties of Hardware Systems Bernd Finkbeiner PowerPoint Presentation

SLIDE 1

Verifying Hyperproperties of Hardware Systems

Bernd Finkbeiner Markus N. Rabe Saarland University UC Berkeley

based on joint work with Michael R. Clarkson, Christopher Hahn, Masoud Koleini, Kristopher K. Micinski, and César Sánchez FMCAD’16 Tutorial Mountain View October 3, 2016

SLIDE 2

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions 2 / 60

SLIDE 3

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Major Incidents in Information Security

▶ Heartbleed

4.5m patient records leaked

if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;

▶ Goto Fail

encryption of >300M devices broken

if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail;

▶ Shellshock

web servers attackable for 22 years

parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); 3 / 60

SLIDE 4

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Embedded Systems / Hardware Security

4 / 60

SLIDE 5

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Information-flow control

security-critical system

Isecret Osecret Ipublic Opublic

Public output should only depend on public input. Typical information-flow property: Noninterference ∀t, t′ ∈ Traces(K) : t =Ipublict′ ⇒ t =Opublict′

5 / 60

SLIDE 6

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Hyperproperties

Clarkson&Schneider’10:

Hyperproperty H: a set of sets of traces System K satisfies H iff Traces(K) ∈ H. Many information-flow properties can be formalized as hyperproperties. Noninterference as hyperproperty: T

Traces

t t T t

Ipublict

t

Opublict

6 / 60

SLIDE 7

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Hyperproperties

Clarkson&Schneider’10:

Hyperproperty H: a set of sets of traces System K satisfies H iff Traces(K) ∈ H. Many information-flow properties can be formalized as hyperproperties. Noninterference as hyperproperty: {T ⊆ 2Traces | ∀t, t′ ∈ T : t =Ipublict′ ⇒ t =Opublict′}

6 / 60

SLIDE 8

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case Study 1: Information flow in the I2C Bus

▶ Under which circumstances can information flow from the

inputs through the Master to the bus (and vice versa)?

▶ Is there an expiration date for information?

7 / 60

SLIDE 9

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case study 2: Symmetry in Protocols

while (true) { (1) choosing[i] = true; (2) number[i] = max(number)+1; (3) choosing[i] = false; (4) for (int j=0; j < n; j++) { (5) while (choosing[j]) { ; } (6) while ( j ̸= i ∧ number[j] ̸= 0 ∧ (number[j],j) < (number[i],i) ) { ; } } (7) critical (8) number[i] = 0; (9) non-critical }

▶ Are the clients treated symmetrically?

8 / 60

SLIDE 10

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case study 3: Error-resistant codes

Different encoders from OpenCores.org.

▶ 8bit-10bit encoder, decoder ▶ Huffman encoder ▶ Hamming encoder ▶ Do codes for distinct inputs have at least Hamming

distance d?

9 / 60

SLIDE 11

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Automatic analysis techniques

▶ Security type systems ▶ Program analysis ▶ Dynamic approaches/taint tracking

Common problem: single-property techniques

This tutorial:

A unifying framework for the analysis of hyperproperties

10 / 60

SLIDE 12

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Automatic analysis techniques

▶ Security type systems ▶ Program analysis ▶ Dynamic approaches/taint tracking

Common problem: single-property techniques

This tutorial:

A unifying framework for the analysis of hyperproperties

10 / 60

SLIDE 13

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Overview

I HyperLTL II Examples III Model Checking IV Satisfiability V Beyond HyperLTL

11 / 60

SLIDE 14

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Part I HyperLTL

12 / 60

SLIDE 15

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Temporal logics for information security?

LTL: Specifies computations

Example: FG x = 0 “from some point on x is 0”

x = 3 x = 2 x = 1 x = 0 x = 0 x = 0

…

CTL/CTL∗: Specifies computation trees

Example: AGEF x = 0 “x may always become 0 in the future”

13 / 60

SLIDE 16

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

A Simple Information-flow Policy

“All executions have the light on at the same time.” “For all pairs of executions and all points in time, the light is

n on the one execution iff it is on on the other execution.”

Information flow properties compare multiple executions!

14 / 60

SLIDE 17

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

LTL?

Syntax: ϕ ::= aπ | Xψ | Gψ | Fψ | ψUψ | ψWψ Semantics: K | = ϕ iff Traces(K) ⊆ Traces(ϕ) “All executions have the light on at the same time.”

15 / 60

SLIDE 18

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

CTL∗?

Syntax: ϕ ::= a | Aϕ | Eϕ | Xϕ | Gϕ | ϕUϕ | . . . Semantics: K | = Aϕ iff for all p ∈ Paths(K) : p | = ϕ “All executions have the light on at the same time.”

AAϕ ?

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

16 / 60

SLIDE 19

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

CTL∗?

Syntax: ϕ ::= a | Aϕ | Eϕ | Xϕ | Gϕ | ϕUϕ | . . . Semantics: K | = Aϕ iff for all p ∈ Paths(K) : p | = ϕ “All executions have the light on at the same time.”

AAϕ ?

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

16 / 60

SLIDE 20

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

CTL∗?

Syntax: ϕ ::= a | Aϕ | Eϕ | Xϕ | Gϕ | ϕUϕ | . . . Semantics: K | = Aϕ iff for all p ∈ Paths(K) : p | = ϕ “All executions have the light on at the same time.”

AAϕ ?

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

ϕ

16 / 60

SLIDE 21

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperLTL

Quantifiers with trace variables: ∀π.ϕ ∃π.ϕ Syntax: ϕ ::= ∀π.ϕ | ∃π.ϕ | ψ ψ ::= aπ | Xψ | Gψ | Fψ | ψUψ | ψWψ HyperLTL: Start with a quantifier prefix, then quantifier-free “All executions have the light on at the same time.” G on

n

17 / 60

SLIDE 22

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperLTL

Quantifiers with trace variables: ∀π.ϕ ∃π.ϕ Syntax: ϕ ::= ∀π.ϕ | ∃π.ϕ | ψ ψ ::= aπ | Xψ | Gψ | Fψ | ψUψ | ψWψ HyperLTL: Start with a quantifier prefix, then quantifier-free “All executions have the light on at the same time.” ∀π.∀π′. G(onπ ↔ onπ′)

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

π

17 / 60

SLIDE 23

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperLTL

Quantifiers with trace variables: ∀π.ϕ ∃π.ϕ Syntax: ϕ ::= ∀π.ϕ | ∃π.ϕ | ψ ψ ::= aπ | Xψ | Gψ | Fψ | ψUψ | ψWψ HyperLTL: Start with a quantifier prefix, then quantifier-free “All executions have the light on at the same time.” ∀π.∀π′. G(onπ ↔ onπ′)

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

π π′

17 / 60

SLIDE 24

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperLTL

Quantifiers with trace variables: ∀π.ϕ ∃π.ϕ Syntax: ϕ ::= ∀π.ϕ | ∃π.ϕ | ψ ψ ::= aπ | Xψ | Gψ | Fψ | ψUψ | ψWψ HyperLTL: Start with a quantifier prefix, then quantifier-free “All executions have the light on at the same time.” ∀π.∀π′. G(onπ ↔ onπ′)

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

π π′

17 / 60

SLIDE 25

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Semantics

Π | =T aπ iff a ∈ Π(π)(0) Π | =T Gϕ iff ∀i ≥ 0 : Π[i, ∞] | =T ϕ Π | =T ∀π. ϕ iff ∀t ∈ T : Π[π → t] | =T ϕ Semantics given with respect to a set of traces T and a trace environment Π : Vars → T A Kripke structure K satisfies a HyperLTL formula ϕ iff ∅ | =Traces(K) ϕ “All executions have the light on at the same time.”

1. p =K G on

n

2. p p =K G on

n

3. i p i p i =K on

n

18 / 60

SLIDE 26

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Semantics

Π | =T aπ iff a ∈ Π(π)(0) Π | =T Gϕ iff ∀i ≥ 0 : Π[i, ∞] | =T ϕ Π | =T ∀π. ϕ iff ∀t ∈ T : Π[π → t] | =T ϕ “All executions have the light on at the same time.”

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

1. p =K G on

n

2. p p =K G on

n

3. i p i p i =K on

n

18 / 60

SLIDE 27

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Semantics

Π | =T aπ iff a ∈ Π(π)(0) Π | =T Gϕ iff ∀i ≥ 0 : Π[i, ∞] | =T ϕ Π | =T ∀π. ϕ iff ∀t ∈ T : Π[π → t] | =T ϕ “All executions have the light on at the same time.”

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

π

1. {π → p} |

=K ∀π′.G(onπ ↔ onπ′) 2. p p =K G on

n

3. i p i p i =K on

n

18 / 60

SLIDE 28

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Semantics

Π | =T aπ iff a ∈ Π(π)(0) Π | =T Gϕ iff ∀i ≥ 0 : Π[i, ∞] | =T ϕ Π | =T ∀π. ϕ iff ∀t ∈ T : Π[π → t] | =T ϕ “All executions have the light on at the same time.”

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

π π′

1. {π → p} |

=K ∀π′.G(onπ ↔ onπ′)

2. {π → p, π′ → p′} |

=K G(onπ ↔ onπ′) 3. i p i p i =K on

n

18 / 60

SLIDE 29

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Semantics

Π | =T aπ iff a ∈ Π(π)(0) Π | =T Gϕ iff ∀i ≥ 0 : Π[i, ∞] | =T ϕ Π | =T ∀π. ϕ iff ∀t ∈ T : Π[π → t] | =T ϕ “All executions have the light on at the same time.”

n
n
n
n
n
n
n
n
ff
ff
ff
ff
n
n
ff

π π′

1. {π → p} |

=K ∀π′.G(onπ ↔ onπ′)

2. {π → p, π′ → p′} |

=K G(onπ ↔ onπ′)

3. ∀i ∈ N : {π → p[i, ∞], π′ → p′[i, ∞]}

| =K onπ ↔ onπ′

18 / 60

SLIDE 30

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Full Semantics

Π | =T aπ iff a ∈ Π(π)(0) Π | =T Gϕ iff ∀i ≥ 0 : Π[i, ∞] | =T ϕ Π | =T ∀π. ϕ iff ∀t ∈ T : Π[π → t] | =T ϕ Π | =T ¬ϕ iff Π ̸| =T ϕ Π | =T ϕ1 ∨ ϕ2 iff Π | =T ϕ1 or Π | =T ϕ2 Π | =T Xϕ iff Π[1, ∞] | =T ϕ Π | =T Fϕ iff ∃i ≥ 0 : Π[i, ∞] | =T ϕ Π | =T ϕ1Uϕ2 iff there exists i ≥ 0 : Π[i, ∞] | =T ϕ2 and for all 0 ≤ j < i we have Π[j, ∞] | =T ϕ1 Π | =T ϕ1Wϕ2 iff Π | =T ϕ1 Uϕ2 or Π | =T Gϕ1

19 / 60

SLIDE 31

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Part II Examples

20 / 60

SLIDE 32

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case Study 1: Information flow in the I2C Bus

▶ Under which circumstances can information flow from the

inputs through the Master to the bus? ∀π.∀π′. G(DATπ = DATπ′) ⇒ G(SDAπ =SDAπ′)

Pπ = Pπ′ is defined as ∧

a∈P aπ ↔aπ′ .

Pπ = Pπ′ is defined as (I \ P)π = (I \ P)π′ . 21 / 60

SLIDE 33

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case Study 1: Information flow in the I2C Bus

▶ Under which circumstances can information flow from the

inputs through the Master to the bus? ∀π.∀π′. G(¬WEπ ∧ DATπ = DATπ′) ⇒ G(SDAπ =SDAπ′)

Pπ = Pπ′ is defined as ∧

a∈P aπ ↔aπ′ .

Pπ = Pπ′ is defined as (I \ P)π = (I \ P)π′ . 21 / 60

SLIDE 34

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case Study 1: Information flow in the I2C Bus

▶ Is there an expiration date for information?

∀π.∀π′. (DATπ = DATπ′ U G(Iπ = Iπ′)) ⇒ F G(SDAπ =SDAπ′))

Pπ = Pπ′ is defined as ∧

a∈P aπ ↔aπ′ .

Pπ = Pπ′ is defined as (I \ P)π = (I \ P)π′ . 22 / 60

SLIDE 35

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Variants of noninterference in HyperLTL

▶ Observational determinism [Zdancewich&Myers’03]

∀π.∀π′. lowInπ = lowInπ′ ⇒ G(lowOutπ = lowOutπ′)

▶ Generalized noninterference [McCullough’88]

∀π.∀π′.∃π′′. G(highInπ = highInπ′′) ∧ G(lowInπ′ = lowInπ′′ ∧ lowOutπ′ = lowOutπ′′)

▶ Noninference [McLean’94]

∀π.∃π′. G(highInπ′) ∧ G(lowInπ = lowInπ′ ∧ lowOutπ = lowOutπ′)

23 / 60

SLIDE 36

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case study 2: Symmetry in Protocols

while (true) { (1) choosing[i] = true; (2) number[i] = max(number)+1; (3) choosing[i] = false; (4) for (int j=0; j < n; j++) { (5) while (choosing[j]) { ; } (6) while ( j ̸= i ∧ number[j] ̸= 0 ∧ (number[j],j) < (number[i],i) ) { ; } } (7) critical (8) number[i] = 0; (9) non-critical }

▶ Are the clients treated symmetrically?

∀π.∀π′. G(select_0π ↔ select_1π′ ∧ select_1π ↔ select_0π′) ⇒ G(critical_0π ↔ critical_1π′ ∧ critical_1π ↔ critical_0π′)

24 / 60

SLIDE 37

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case study 2: Symmetry in Protocols

while (true) { (1) choosing[i] = true; (2) number[i] = max(number)+1; (3) choosing[i] = false; (4) for (int j=0; j < n; j++) { (5) while (choosing[j]) { ; } (6) while ( j ̸= i ∧ number[j] ̸= 0 ∧ f ∧ (number[j], j) < (number[i], i) ∨ ¬f ∧ (number[j], i) < (number[i], j) ) { ; } } (7) critical (8) number[i] = 0; (9) non-critical }

∀π.∀π′. G(select_0π ↔ select_1π′ ∧ select_1π ↔ select_0π′ ∧ fπ ↔ ¬fπ′) ⇒ G(critical_0π ↔ critical_1π′ ∧ critical_1π ↔ critical_0π′)

25 / 60

SLIDE 38

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Case study 3: Error-resistant codes

Different encoders from OpenCores.org.

▶ 8bit-10bit encoder, decoder ▶ Huffman encoder ▶ Hamming encoder ▶ Do codes for distinct inputs have at least Hamming

distance d? ∀π.∀π′. F(DATπ ̸=DATπ′) ⇒ ¬Ham(d, π, π′) where we define: Ham(0, π, π′) = false Ham(d, π, π′) =

π =oπ′ W

(

π ̸=oπ′ ∧ X Ham(d−1, π, π′)

)

26 / 60

SLIDE 39

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Part III Model Checking

27 / 60

SLIDE 40

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Model Checking Alternation-free HyperLTL

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of sets of propositions. ▶ Projection handles quantifiers.

Example: G i i G o

28 / 60

SLIDE 41

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Model Checking Alternation-free HyperLTL

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of sets of propositions. ▶ Projection handles quantifiers.

Example: ∀π.∀π′. G(iπ ↔ iπ′) → G(oπ ↔ oπ′)

28 / 60

SLIDE 42

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Model Checking Alternation-free HyperLTL

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of sets of propositions. ▶ Projection handles quantifiers.

Example: ∀π.∀π′. G(iπ ↔ iπ′) → G(oπ ↔ oπ′) Negated: ∃π.∃π′. G(iπ ↔ iπ′) ∧ F(oπ ̸↔ oπ′)

28 / 60

SLIDE 43

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Model Checking Alternation-free HyperLTL

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of sets of propositions. ▶ Projection handles quantifiers.

Example: ∀π.∀π′. G(iπ ↔ iπ′) → G(oπ ↔ oπ′) Negated: ∃π.∃π′. G(iπ ↔ iπ′) ∧ F(oπ ̸↔ oπ′)

A with alphabet 2AP×2AP

28 / 60

SLIDE 44

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Model Checking Alternation-free HyperLTL

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of sets of propositions. ▶ Projection handles quantifiers.

Example: ∀π.∀π′. G(iπ ↔ iπ′) → G(oπ ↔ oπ′) Negated: ∃π. ∃π′. G(iπ ↔ iπ′) ∧ F(oπ ̸↔ oπ′)

A with alphabet 2AP×2AP
A′ with alphabet 2AP

28 / 60

SLIDE 45

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Model Checking Alternation-free HyperLTL

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of sets of propositions. ▶ Projection handles quantifiers.

Example: ∀π.∀π′. G(iπ ↔ iπ′) → G(oπ ↔ oπ′) Negated: ∃π. ∃π′. G(iπ ↔ iπ′) ∧ F(oπ ̸↔ oπ′)

A with alphabet 2AP×2AP
A′ with alphabet 2AP
A′′′ with 1-letter alphabet

28 / 60

SLIDE 46

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Model Checking General HyperLTL

Complexity depends on the quantifier alternation depth.

0. ∀π.∀π′.ψ

PSPACE in |ψ|, NLOGSPACE in |K|

▶ Observational determinism

1. EXPSPACE in , PSPACE in |K|

Noninference Generalized noninterference

2. …

Rarely need more than one quantifier alternation!

29 / 60

SLIDE 47

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Model Checking General HyperLTL

Complexity depends on the quantifier alternation depth.

0. ∀π.∀π′.ψ

PSPACE in |ψ|, NLOGSPACE in |K|

▶ Observational determinism

1. ∀π.∃π′.ψ

EXPSPACE in |ψ|, PSPACE in |K|

▶ Noninference ▶ Generalized noninterference

2. …

Rarely need more than one quantifier alternation!

29 / 60

SLIDE 48

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Symbolic Model Checking for Circuits

▶ Alternation-free HyperLTL ▶ Clean extension of the circuit construction for LTL ▶ Leverages existing symbolic model checkers (e.g. ABC)

30 / 60

SLIDE 49

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Reduction to Safety Property on Circuits

∀π.∀π′. G(iπ ↔ iπ′) ⇒ G(oπ ↔ oπ′) Negated: G i i F o

31 / 60

SLIDE 50

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Reduction to Safety Property on Circuits

∀π.∀π′. G(iπ ↔ iπ′) ⇒ G(oπ ↔ oπ′) Negated: ∃π.∃π′. G(iπ ↔ iπ′) ∧ F(oπ ̸↔ oπ′)

G(iπ ↔ iπ′) ∧ F(oπ ↔oπ′) safety/liveness violation

31 / 60

SLIDE 51

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Reduction to Safety Property on Circuits

∀π.∀π′. G(iπ ↔ iπ′) ⇒ G(oπ ↔ oπ′) Negated: ∃π.∃π′. G(iπ ↔ iπ′) ∧ F(oπ ̸↔ oπ′)

G(iπ ↔ iπ′) ∧ F(oπ ↔oπ′) safety/liveness violation system

i, o i

31 / 60

SLIDE 52

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Reduction to Safety Property on Circuits

∀π.∀π′. G(iπ ↔ iπ′) ⇒ G(oπ ↔ oπ′) Negated: ∃π.∃π′. G(iπ ↔ iπ′) ∧ F(oπ ̸↔ oπ′)

G(iπ ↔ iπ′) ∧ F(oπ ↔oπ′) safety/liveness violation system

i, o i

system

i′, o′ i′

31 / 60

SLIDE 53

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Implementation - MCHyper

A transformation on Aiger circuits Workflow

1. Convert VHDL/Verilog to Aiger
2. Run MCHyper with a formula and the circuit
3. Call a hardware model checker on the resulting circuit

Tool website:

https://www.react.uni-saarland.de/tools/mchyper/

32 / 60

SLIDE 54

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

An Example Circuit

2 enable 4 reset 8 10 12 14 6 Q !Q L0

∀π.∀π′. G(resetπ ↔ resetπ′) ⇒ G(Qπ ↔ Qπ′)

33 / 60

SLIDE 55

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

An Example Circuit

2 enable 4 reset 8 10 12 14 6 Q !Q L0

∀π.∀π′. G(resetπ ↔ resetπ′) ⇒ G(Qπ ↔ Qπ′)

2 enable_0 4 reset_0 6 enable_1 8 reset_1 10 I:remember_state 28 14 12 30 32 34 36 38 40 42 18 44 16 46 48 26 50 52 54 24 56 58 60 62 22 64 66 68 70 20 72 74 76 78 80 82 84 86 88 90 92 94 96 98 100 102 104 106 108 110 n6 n7 ]l0_0 ]l0_1 sink init entered_lasso l0_copy l1_copy l2_copy

33 / 60

SLIDE 56

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Information flow - Experimental Data

Verification time in s Model #Latches #Gates IC3 INT BMC Result IF1 (NI1) I2C Master 254 1207 95.17 1.13 0.07 × IF2 (NI2) 53.08 1.16 0.08 × IF3 (NI3) 168.96 1.38

✓

IF4 (NI4) 438.41 1.01 0.09 × IF5 (NI5) 717.74 8.31 0.77 × IF6 (NI6) 186.20 1.10 0.07 × IF7 (NI7) TO 6.82 0.55 × IF8 (NI8) 1557.14 2.92 0.16 × IF9 (NI2′) Ethernet 21093 70837 TO 155.77 6.27 ×

34 / 60

SLIDE 57

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Symmetry in Protocols - Experimental Data

Verification time in s Model #Latches #Gates IC3 INT BMC Result Sym1 (S1) Bakery 46 1829 6.34 0.88 0.08 × Sym2 (S2) 168.59 464.52 7.00 × Sym3 Bakery.a 47 1588 69.12 TO 71.92 × Sym4 (S3) Bakery.a.n 47 1618 26.31 4.75 0.39 × Sym5 Bakery.a.n.s 47 1532 66.41 TO

✓

Sym6 (S4) 16.83 TO

✓

Sym7 (S5) Bakery.a.n.s.5proc 90 3762 97.45 TO

✓

Sym8 (S6) 13.59 TO

✓

Sym9 (S7) Bakery.a.n.s.7proc 136 6775 312.53∗ TO

✓

35 / 60

SLIDE 58

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Error Correcting Codes - Experimental Data

Verification time in s Model #Latches #Gates IC3 INT BMC Result Huff1 (HD1) Huffman_enc 19 571 3.08 37.19

✓

Huff2 (HD2) 0.62 0.09 0.02 × 8b10b_1 (HD1) 8b10b_enc 39 271 0.32 0.09 0.02 × 8b10b_2 (HD1′) 1.19 9.06

✓

8b10b_3 (HD2′) 0.03 0.04 0.02 × 8b10b_4 (HD1′′) 8b10b_dec 19 157 0.05 0.09

✓

Hamm1 (HD11) Hamming_enc 27 47 0.02 0.04 0.02 × Hamm2 (HD12) 0.02 0.03 0.02 × Hamm3 (HD13) 0.03 0.04 0.02 × Hamm3’ (HD1′

3)

7.34 0.18

✓

Hamm4 (HD14) 66.93 0.10

✓

Hamm5 (HD21) 11.83 1.31

✓

Hamm6 (HD22) 14.44 0.78

✓

Hamm7 (HD3) 12.23 1.25

✓

36 / 60

SLIDE 59

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Part IV Satisfiability

37 / 60

SLIDE 60

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Satisfiability of HyperLTL

HyperLTL-SAT is the problem to decide whether there exists a non-empty trace set T satisfying a HyperLTL formula ϕ. Application: Two versions of Observational Determinism:

▶ ∀π.∀π′.G(Iπ = Iπ′) → G(Oπ = Oπ′) ▶ ∀π.∀π′.(Oπ = Oπ′) W (Iπ ̸= Iπ′)

Which version is stronger?

38 / 60

SLIDE 61

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Challenge

LTL Satisfiability Solving

▶ Translate LTL formula into Büchi automaton ▶ Check the automaton for emptiness ▶ PSPACE-complete

HyperLTL Satisfiability Solving

▶ A Hyperproperty is not necessarily ω-regular ▶ Standard automata approach cannot be applied

39 / 60

SLIDE 62

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Solving HyperLTL-SAT

∀∗ & ∃∗ ∀∃ ∃∗∀∗

1. Alternation-free fragments (∀∗ & ∃∗)
2. Alternation starting with existential quantifier (∃∗∀∗)
3. Alternation starting with universal quantifier (∀∗∃∗)

40 / 60

SLIDE 63

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Existential Fragment

Theorem

∃∗ HyperLTL-SAT is PSPACE-complete.

Example

∃π0∃π1. Gaπ0 ∧ Gbπ0 ∧ Gcπ0 ∧ Gaπ1 ∧ G¬cπ1 Replace indexed atomic propositions with fresh atomic propositions. Ga0 ∧ Gb0 ∧ Gc0 ∧ Ga1 ∧ G¬c1 t a b c a T a b c a

41 / 60

SLIDE 64

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Existential Fragment

Theorem

∃∗ HyperLTL-SAT is PSPACE-complete.

Example

∃π0∃π1. Gaπ0 ∧ Gbπ0 ∧ Gcπ0 ∧ Gaπ1 ∧ G¬cπ1 Replace indexed atomic propositions with fresh atomic propositions. Ga0 ∧ Gb0 ∧ Gc0 ∧ Ga1 ∧ G¬c1 t : {a0, b0, c0, a1}ω T a b c a

41 / 60

SLIDE 65

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Existential Fragment

Theorem

∃∗ HyperLTL-SAT is PSPACE-complete.

Example

∃π0∃π1. Gaπ0 ∧ Gbπ0 ∧ Gcπ0 ∧ Gaπ1 ∧ G¬cπ1 Replace indexed atomic propositions with fresh atomic propositions. Ga0 ∧ Gb0 ∧ Gc0 ∧ Ga1 ∧ G¬c1 t : {a0, b0, c0, a1}ω T = {{a, b, c}ω, {a}ω}

41 / 60

SLIDE 66

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Universal Fragment

Theorem

∀∗ HyperLTL-SAT is PSPACE-complete.

Example

∀π∀π′.Gbπ ∧ G¬bπ′ ≡ Gb ∧ G¬b ⇓ ⇓ ⇓ t t unsatisfiable Discard indexes from indexed propositions

42 / 60

SLIDE 67

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Solving HyperLTL-SAT

∀∗ & ∃∗ ∀∃ ∃∗∀∗

1. Alternation-free fragments (∀∗ & ∃∗)
2. Alternation starting with existential quantifier (∃∗∀∗)
3. Alternation starting with universal quantifier (∀∗∃∗)

43 / 60

SLIDE 68

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

∃∗∀∗ HyperLTL-SAT

Lemma

For every ∃π1 . . . ∃πn∀π′

1 . . . ∀π′ m.ϕ HyperLTL formula, there

exists an equisatisfiable ∃∗ HyperLTL formula.

Example

∃π0∃π1∀π′

0∀π′

1. (Gaπ′

0 ∧ Gbπ′ 1) ∧ (Gcπ0 ∧ Gdπ1)

Unroll universal quantifiers ∃π0∃π1. (Gaπ0 ∧ Gbπ0) ∧ (Gcπ0 ∧ Gdπ1) ∧(Gaπ1 ∧ Gbπ0) ∧ (Gcπ0 ∧ Gdπ1) ∧(Gaπ0 ∧ Gbπ1) ∧ (Gcπ0 ∧ Gdπ1) ∧(Gaπ1 ∧ Gbπ1) ∧ (Gcπ0 ∧ Gdπ1)

44 / 60

SLIDE 69

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Complexity of ∃∗∀∗ HyperLTL-SAT

Theorem

Let n be the number of existential quantifiers and m be the number of universal quantifiers. ∃∗∀∗ HyperLTL-SAT is EXPSPACE-complete in m.

▶ Unrolling results in formula of size O(nm). ▶ Hardness follows from an encoding of an

EXPSPACE-bounded Turing machine in this fragment.

45 / 60

SLIDE 70

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Application: Implication Checking of Quantifier-alternation-free Hyperproperties

ψ implies ϕ? Check the negation ψ ∧ ¬ϕ for unsatisfiability.

▶ If one formula is in the ∀∗ fragment and the other in the

∃∗ fragment, the resulting formula is alternation-free.

▶ If both ψ and ϕ are in the same fragment, then the

resulting formula is in the ∃∗∀∗ fragment.

Theorem

Implication Checking of quantifier-alternation-free HyperLTL formulas is EXPSPACE-complete.

46 / 60

SLIDE 71

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

∃∗∀b HyperLTL-SAT

Theorem

Bounded ∃∗∀b HyperLTL-SAT is PSPACE-complete. Observation: In practice, many properties of interest quantify universally over pairs of traces ∀π.∀π′.G(Iπ = Iπ′) → G(Oπ = Oπ′)

47 / 60

SLIDE 72

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Solving HyperLTL-SAT

∀∗ & ∃∗ ∀∃ ∃∗∀∗

1. Alternation-free fragments (∀∗ & ∃∗)
2. Alternation starting with existential quantifier (∃∗∀∗)
3. Alternation starting with universal quantifier (∀∗∃∗)

48 / 60

SLIDE 73

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

The Power of ∀∃

∀π∃π′. aπ′ (1) ∧ G(aπ → XG¬aπ) (2) ∧ G(aπ → Xaπ′) (3) t1 : {a}({})ω t2 : {}{a}({})ω t3 : {}{}{a}({})ω . . . → Model has infinitely many traces.

49 / 60

SLIDE 74

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Undecidability of ∀∃ HyperLTL-SAT

Theorem

The satisfiability problem for any fragment of HyperLTL that contains the ∀∃ formulas is undecidable.

▶ Undecidability follows from a reduction from Post’s

Correspondence Problem.

50 / 60

SLIDE 75

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Summary HyperLTL-SAT

∃∗ ∀∗ ∃∗∀∗ Bounded ∃∗∀∗ ∀∃ PSpace- complete PSpace- complete EXPSpace- complete PSpace- complete undecidable

51 / 60

SLIDE 76

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Part V Beyond HyperLTL

52 / 60

SLIDE 77

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Hyperproperties and branching-time logics

Observation:

Hyperproperties induce trace equivalence. ∀K, K′. Traces(K) = Traces(K′) = ⇒ K | = H ↔ K′ | = H Hyperproperties are not models for branching-time logics.

s

a b

s

a b

53 / 60

SLIDE 78

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Hyperproperties and branching-time logics

Observation:

Hyperproperties induce trace equivalence. ∀K, K′. Traces(K) = Traces(K′) = ⇒ K | = H ↔ K′ | = H Hyperproperties are not models for branching-time logics.

s0 :

a b

s0 :

a b

53 / 60

SLIDE 79

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperCTL∗

Syntax: ϕ ::= aπ | ∀π.ϕ | ∃π.ϕ | Xϕ | Gϕ | ϕUϕ | . . .

▶ HyperLTL: no quantifiers under temporal operators ▶ HyperCTL∗: no restriction ▶ HyperCTL∗ with 1 path variable ≈ CTL∗

54 / 60

SLIDE 80

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

What do we get beyond HyperLTL and CTL∗?

bool y; bool x = read(); // secret

utput(y);

s

read

read
G read

G o

55 / 60

SLIDE 81

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

What do we get beyond HyperLTL and CTL∗?

bool y; bool x = read(); // secret

utput(y);

s0 :

read

read
G read

G o

55 / 60

SLIDE 82

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

What do we get beyond HyperLTL and CTL∗?

bool y; bool x = read(); // secret

utput(y);

s0 :

read

read
∀π. G(readπ → ∀π′. G(oπ ↔ oπ′))

55 / 60

SLIDE 83

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

The Linear-Hyper-Branching Spectrum

linear-branching LTL ⊊ HyperLTL ⊊ CTL∗ ⊊ HyperCTL∗ ⊊ hyper

▶ The induced process equivalence of HyperLTL is trace equivalence.

Two systems with the same set of traces satisfy the same HyperLTL formulas.

▶ The induced process equivalence of HyperCTL∗ is bisimulation.

Two bisimular systems satisfy the same HyperCTL∗ formulas.

56 / 60

SLIDE 84

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperCTL∗ Model Checking

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of states. ▶ Projection handles quantifiers. ▶ Complementation handles quantifier alternations.

Example: G a G o

Negated:

57 / 60

SLIDE 85

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperCTL∗ Model Checking

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of states. ▶ Projection handles quantifiers. ▶ Complementation handles quantifier alternations.

Example: ∀π. G(aπ ⇒ ∀π′. G(oπ ↔ oπ′)) Negated: ∃π. F(aπ∧∃π′. F(oπ ̸↔ oπ′)

A with alphabet S×S

)

57 / 60

SLIDE 86

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperCTL∗ Model Checking

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of states. ▶ Projection handles quantifiers. ▶ Complementation handles quantifier alternations.

Example: ∀π. G(aπ ⇒ ∀π′. G(oπ ↔ oπ′)) Negated: ∃π. F(aπ∧∃π′. F(oπ ̸↔ oπ′)

A with alphabet S×S

)

57 / 60

SLIDE 87

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperCTL∗ Model Checking

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of states. ▶ Projection handles quantifiers. ▶ Complementation handles quantifier alternations.

Example: ∀π. G(aπ ⇒ ∀π′. G(oπ ↔ oπ′)) Negated: ∃π. F(aπ∧∃π′. F(oπ ̸↔ oπ′)

A with alphabet S×S
A′ with alphabet S

)

57 / 60

SLIDE 88

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperCTL∗ Model Checking

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of states. ▶ Projection handles quantifiers. ▶ Complementation handles quantifier alternations.

Example: ∀π. G(aπ ⇒ ∀π′. G(oπ ↔ oπ′)) Negated: ∃π. F(aπ ∧ ∃π′. F(oπ ̸↔ oπ′)

A with alphabet S×S
A′ with alphabet S

)

A′′ with alphabet S

57 / 60

SLIDE 89

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

HyperCTL∗ Model Checking

▶ Reduction to emptiness of Büchi word automata ▶ Alphabet consists of tuples of states. ▶ Projection handles quantifiers. ▶ Complementation handles quantifier alternations.

Example: ∀π. G(aπ ⇒ ∀π′. G(oπ ↔ oπ′)) Negated: ∃π. F(aπ ∧ ∃π′. F(oπ ̸↔ oπ′)

A with alphabet S×S
A′ with alphabet S

)

A′′ with alphabet S
A′′′ with 1-letter alphabet

57 / 60

SLIDE 90

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Part VI Conclusions

58 / 60

SLIDE 91

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Conclusions

▶ HyperLTL is a powerful tool

for information security and beyond

▶ Information-flow control ▶ Symmetries in distributed systems ▶ Error resistant codes

▶ Efficient model checking for alternation-free HyperLTL

(non-elementary in general)

▶ Efficient satisfiability/implication/equivalence checking

for alternation-free HyperLTL (undecidable in general) Open problems HyperLTL on software Quantitative hyperproperties Specialized model checking algorithms

59 / 60

SLIDE 92

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions

Conclusions

▶ HyperLTL is a powerful tool

for information security and beyond

▶ Information-flow control ▶ Symmetries in distributed systems ▶ Error resistant codes

▶ Efficient model checking for alternation-free HyperLTL

(non-elementary in general)

▶ Efficient satisfiability/implication/equivalence checking

for alternation-free HyperLTL (undecidable in general) Open problems

▶ HyperLTL on software ▶ Quantitative hyperproperties ▶ Specialized model checking algorithms

59 / 60

SLIDE 93

Intro HyperLTL Examples Model Checking Satisfiability Beyond HyperLTL Conclusions