Modular Product Programs

Published: 21 November 2019


Many interesting program properties like determinism or information flow security are hyperproperties, that is, they relate multiple executions of the same program. Hyperproperties can be verified using relational logics, but these logics require dedicated tool support and are difficult to automate. Alternatively, constructions such as self-composition represent multiple executions of a program by one product program, thereby reducing hyperproperties of the original program to trace properties of the product. However, existing constructions do not fully support procedure specifications, for instance, to derive the determinism of a caller from the determinism of a callee, making verification non-modular.
We present modular product programs, a novel kind of product program that permits hyperproperties in procedure specifications and, thus, can reason about calls modularly. We provide a general formalization of our product construction and prove it sound and complete. We demonstrate its expressiveness by applying it to information flow security with advanced features such as declassification and termination-sensitivity. Modular product programs can be verified using off-the-shelf verifiers; we have implemented our approach for both secure information flow and general hyperproperties using the Viper verification infrastructure. Our evaluation demonstrates that modular product programs can be used to prove hyperproperties for challenging examples in reasonable time.
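The abstract's central move is to turn a hyperproperty (a statement about k runs) into a trace property of one product program whose control flow is shared and whose copies are switched on and off by activation variables. The interpreter below is an added illustration, not code from the paper or its Viper implementation: `exec_product` runs the k-product of a small while-language program following the shape of that construction (assignments update only active copies, an `if` refines the activation flags per copy and runs both branches once, a loop continues while any copy is active), and `check_noninterference` phrases two-run noninterference as a plain check on the product's final states. The AST encoding, helper names and sample programs are this example's own choices.

```python
# Added example (not from the paper or its Viper implementation): a tiny while-language
# interpreter whose exec_product runs the k-product of a program in the spirit of the
# paper's construction, sharing control flow and using activation flags instead of
# duplicating branches. check_noninterference then states a 2-run hyperproperty
# (noninterference) as an ordinary trace property of the product.
import operator

# Expression AST: ("const", n) | ("var", x) | ("op", symbol, lhs, rhs)
# Statement AST: ("assign", x, e) | ("seq", [stmts]) | ("if", c, then, else) | ("while", c, body)
OPS = {
    "+": operator.add, "-": operator.sub, "*": operator.mul,
    "<": operator.lt, "==": operator.eq,
}


def eval_expr(expr, env):
    kind = expr[0]
    if kind == "const":
        return expr[1]
    if kind == "var":
        return env[expr[1]]
    if kind == "op":
        return OPS[expr[1]](eval_expr(expr[2], env), eval_expr(expr[3], env))
    raise ValueError(f"unknown expression {expr!r}")


def exec_product(stmt, envs, active):
    """Run the k-product of stmt.

    envs[i] is the state of execution i; active[i] is its activation flag
    (the paper's p_i). An assignment only updates the active copies; an
    if-statement refines the flags with each copy's own branch condition and
    runs both branches once; a loop keeps going while any copy is active.
    Returns the (mutated) list of states.
    """
    kind = stmt[0]
    if kind == "assign":
        _, var, expr = stmt
        for env, is_active in zip(envs, active):
            if is_active:
                env[var] = eval_expr(expr, env)
    elif kind == "seq":
        for sub in stmt[1]:
            exec_product(sub, envs, active)
    elif kind == "if":
        _, cond, then_branch, else_branch = stmt
        # Both flag vectors are computed before either branch runs, because a
        # branch may modify variables mentioned in the condition.
        taken = [a and bool(eval_expr(cond, env)) for a, env in zip(active, envs)]
        not_taken = [a and not bool(eval_expr(cond, env)) for a, env in zip(active, envs)]
        exec_product(then_branch, envs, taken)
        exec_product(else_branch, envs, not_taken)
    elif kind == "while":
        _, cond, body = stmt
        while True:
            in_loop = [a and bool(eval_expr(cond, env)) for a, env in zip(active, envs)]
            if not any(in_loop):
                break
            exec_product(body, envs, in_loop)
    else:
        raise ValueError(f"unknown statement {stmt!r}")
    return envs


def low_equal(env_a, env_b, low_vars):
    return all(env_a[v] == env_b[v] for v in low_vars)


def check_noninterference(prog, init_a, init_b, low_vars):
    """Noninterference for one pair of runs, phrased on the 2-product: if the
    two initial states agree on the low variables, the final states must too.
    False is a witnessed leak; True for one pair is only a test, a verifier
    would have to establish it for all pairs."""
    if not low_equal(init_a, init_b, low_vars):
        raise ValueError("inputs must agree on low variables")
    out_a, out_b = exec_product(prog, [dict(init_a), dict(init_b)], [True, True])
    return low_equal(out_a, out_b, low_vars)


# Constructed sample programs: 'high' is secret, every other variable is low.
V, C = (lambda x: ("var", x)), (lambda n: ("const", n))
HIGH_LT_5 = ("op", "<", V("high"), C(5))
# Branches on the secret, but both branches write the same value: secure.
SECURE_BRANCH = ("if", HIGH_LT_5, ("assign", "low", C(1)), ("assign", "low", C(1)))
# The branch outcome, and so the secret, becomes visible in 'low': insecure.
LEAKY_BRANCH = ("if", HIGH_LT_5, ("assign", "low", C(1)), ("assign", "low", C(0)))
# Loop bound 'n' is low and the secret is never read: secure.
SUM_LOOP = ("seq", [
    ("assign", "r", C(0)),
    ("assign", "i", C(0)),
    ("while", ("op", "<", V("i"), V("n")), ("seq", [
        ("assign", "r", ("op", "+", V("r"), V("i"))),
        ("assign", "i", ("op", "+", V("i"), C(1))),
    ])),
])

if __name__ == "__main__":
    print(check_noninterference(SECURE_BRANCH, {"high": 1, "low": 0}, {"high": 9, "low": 0}, ["low"]))
    print(check_noninterference(LEAKY_BRANCH, {"high": 1, "low": 0}, {"high": 9, "low": 0}, ["low"]))
    print(check_noninterference(SUM_LOOP, {"high": 1, "n": 3, "r": 0, "i": 0},
                                {"high": 100, "n": 3, "r": 0, "i": 0}, ["n", "r", "i"]))
```

Running the product on two copies with different loop bounds shows why activation flags matter: the shared loop keeps iterating after the first copy has exited, with only the second copy's flag set, so the two executions need not proceed in lockstep. This is the point at which plain self-composition would have to duplicate the loop, whereas the product keeps a single control structure that a trace-property verifier can reason about directly.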


Jacques Carette

Some properties of programs are not about a single run of the program; instead, they relate multiple runs. For example, a program is deterministic if, given the same input, two runs will always produce the same answer. Many other properties of interest, such as security properties, are also like this. These are known as k-hyperproperties, which relate the runs of k programs. The authors claim that current approaches to the problem are not modular, which would clearly make them difficult to scale. They instead introduce a translation-based method for verifying such properties that blows up the data dependencies (linearly in k), but does not change the control flow. Quite a bit of care is needed to design a translation that deals with each control structure appropriately. The problem and ideas involved are well motivated through well-chosen examples (sections 2 and 3). Because of this setup, the more technical details of the construction (section 4) make sense. Section 5 is a human proof of soundness and completeness (it's a bit surprising to see a non-mechanized proof in TOPLAS). Section 6 gives applications to various information flow and security properties, showing the wide applicability of the method, while section 7 gives a rather thorough evaluation of the corresponding implementation in Viper. The paper is very well written and quite readable. Anyone wanting a snapshot of an interesting method for proving hyperproperties, or even learning about hyperproperties, could benefit from reading this paper.

Published In

ACM Transactions on Programming Languages and Systems  Volume 42, Issue 1
Special Issue on ESOP 2018
March 2020
215 pages
Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 November 2019
Accepted: 01 March 2019
Revised: 01 November 2018
Received: 01 May 2018
Published in TOPLAS Volume 42, Issue 1


Author Tags

  1. Hyperproperties
  2. product programs


Funding Sources

  • Zurich Information Security and Privacy Center (ZISC)


