Abstract
We introduce Hyper2LTL, a temporal logic for the specification of hyperproperties that allows for second-order quantification over sets of traces. Unlike first-order temporal logics for hyperproperties, such as HyperLTL, Hyper2LTL can express complex epistemic properties like common knowledge, Mazurkiewicz trace theory, and asynchronous hyperproperties. The model checking problem of Hyper2LTL is, in general, undecidable. For the expressive fragment where second-order quantification is restricted to smallest and largest sets, we present an approximate model-checking algorithm that computes increasingly precise under- and overapproximations of the quantified sets, based on fixpoint iteration and automata learning. We report on encouraging experimental results with our model-checking algorithm, which we implemented in the tool�HySO.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
About a decade ago, Clarkson and Schneider coined the term hyperproperties�[21] for the rich class of system requirements that relate multiple computations. In their definition, hyperproperties generalize trace properties, which are sets of traces, to sets of sets of traces. This covers a wide range of requirements, from information-flow security policies to epistemic properties describing the knowledge of agents in a distributed system. Missing from Clarkson and Schneider’s original theory was, however, a concrete specification language that could express customized hyperproperties for specific applications and serve as the common semantic foundation for different verification methods.
A first milestone towards such a language was the introduction of the temporal logic HyperLTL [20]. HyperLTL extends linear-time temporal logic (LTL) with quantification over traces. Suppose, for example, that an agent i in a distributed system observes only a subset of the system variables. The agent knows that some LTL formula \(\varphi \) is true on some trace \(\pi \) iff \(\varphi \) holds on all traces \(\pi '\) that agent i cannot distinguish from \(\pi \). If we denote the indistinguishability of \(\pi \) and \(\pi '\) by \(\pi \sim _i \pi '\), then the property that there exists a trace \(\pi \) where agent i knows \(\varphi \) can be expressed as the HyperLTL formula
where we write \(\varphi (\pi ')\) to denote that the trace property \(\varphi \) holds on trace \(\pi '\).
While HyperLTL and its variations have found many applications [28, 32, 44], the expressiveness of these logics is limited, leaving many widely used hyperproperties out of reach. A prominent example is common knowledge, which is used in distributed applications to ensure simultaneous action [30, 40]. Common knowledge in a group of agents means that the agents not only know individually that some condition \(\varphi \) is true, but that this knowledge is “common” to the group in the sense that each agent knows that every agent knows that \(\varphi \) is true; on top of that, each agent in the group knows that every agent knows that every agent knows that \(\varphi \) is true; and so on, forming an infinite chain of knowledge.
The fundamental limitation of HyperLTL that makes it impossible to express properties like common knowledge is that the logic is restricted to first-order quantification. HyperLTL, then, cannot reason about sets of traces directly, but must always do so by referring to individual traces that are chosen existentially or universally from the full set of traces. For the specification of an agent’s individual knowledge, where we are only interested in the (non-)existence of a single trace that is indistinguishable and that violates \(\varphi \), this is sufficient; however, expressing an infinite chain, as needed for common knowledge, is impossible.
In this paper, we introduce Hyper2LTL, a temporal logic for hyperproperties with second-order quantification over traces. In Hyper2LTL, the existence of a trace \(\pi \) where the condition \(\varphi \) is common knowledge can be expressed as the following formula (using slightly simplified syntax):
The second-order quantifier \(\exists X\) postulates the existence of a set X of traces that (1) contains \(\pi \); that (2) is closed under the observations of each agent, i.e., for every trace \(\pi '\) already in X, all other traces \(\pi ''\) that some agent i cannot distinguish from \(\pi '\) are also in X; and that (3) only contains traces that satisfy \(\varphi \). The existence of X is a necessary and sufficient condition for \(\varphi \) being common knowledge on \(\pi \). In the paper, we show that Hyper2LTL is an elegant specification language for many hyperproperties of interest that cannot be expressed in HyperLTL, including, in addition to epistemic properties like common knowledge, also Mazurkiewicz trace theory and asynchronous hyperproperties.
The model checking problem for Hyper2LTL is much more difficult than for HyperLTL. A HyperLTL formula can be checked by translating the LTL subformula into an automaton and then applying a series of automata transformations, such as self-composition to generate multiple traces, projection for existential quantification, and complementation for negation [8, 32]. For Hyper2LTL, the model checking problem is, in general, undecidable. We introduce a method that nevertheless obtains sound results by over- and underapproximating the quantified sets of traces. For this purpose, we study Hyper2LTLfp, a fragment of Hyper2LTL, in which we restrict second-order quantification to the smallest or largest set satisfying some property. For example, to check common knowledge, it suffices to consider the smallest set X that is closed under the observations of all agents. This smallest set X is defined by the (monotone) fixpoint operation that adds, in each step, all traces that are indistinguishable to some trace already in X.
We develop an approximate model checking algorithm for Hyper2LTLfp that uses bidirectional inference to deduce lower and upper bounds on second-order variables, interposed with first-order model checking in the style of HyperLTL. Our procedure is parametric in an oracle that provides (increasingly precise) lower and upper bounds. In the paper, we realize the oracles with fixpoint iteration for underapproximations of the sets of traces assigned to the second-order variables, and automata learning for overapproximations. We report on encouraging experimental results with our model-checking algorithm, which has been implemented in a tool called HySO.
2 Preliminaries
For \(n \in \mathbb {N}\) we define \([n] := \{1, \ldots , n\}\). We assume that \(\text {AP}\) is a finite set of atomic propositions and define \(\varSigma := 2^\text {AP}\). For \(t \in \varSigma ^\omega \) and \(i \in \mathbb {N}\) define \(t(i) \in \varSigma \) as the ith element in t (starting with the 0th); and \(t[i,\infty ]\) for the infinite suffix starting at position i. For traces \(t_1, \ldots , t_n \in \varSigma ^\omega \) we write \( zip (t_1, \ldots , t_n) \in (\varSigma ^n)^\omega \) for the pointwise zipping of the traces, i.e., \( zip (t_1, \ldots , t_n)(i) := (t_1(i), \ldots , t_n(i))\).
Transition Systems. A transition system is a tuple \(\mathcal {T}= (S, S_0, \kappa , L)\) where S is a set of states, \(S_0 \subseteq S\) is a set of initial states, \(\kappa \subseteq S \times S\) is a transition relation, and \(L : S \rightarrow \varSigma \) is a labeling function. A path in \(\mathcal {T}\) is an infinite state sequence \(s_0s_1s_2 \cdots \in S^\omega \), s.t., \(s_0 \in S_0\), and \((s_i, s_{i+1}) \in \kappa \) for all i. The associated trace is given by \(L(s_0)L(s_1)L(s_2) \cdots \in \varSigma ^\omega \) and \( Traces (\mathcal {T}) \subseteq \varSigma ^\omega \) denotes all traces of \(\mathcal {T}\).
Automata. A non-deterministic Büchi automaton (NBA) [18] is a tuple \(\mathcal {A}= (\varSigma , Q, q_0, \delta , F)\) where \(\varSigma \) is a finite alphabet, Q is a finite set of states, \(Q_0\subseteq Q\) is the set of initial states, \(F\subseteq Q\) is a set of accepting states, and \(\delta : Q\times \varSigma \rightarrow 2^Q\) is the transition function. A run on a word \(u \in \varSigma ^\omega \) is an infinite sequence of states \(q_0q_1q_2 \cdots \in Q^\omega \) such that \(q_0 \in Q_0\) and for every \(i \in \mathbb {N}\), \(q_{i+1} \in \delta (q_i, u(i))\). The run is accepting if it visits states in F infinitely many times, and we define the language of \(\mathcal {A}\), denoted \(\mathcal {L}(\mathcal {A}) \subseteq \varSigma ^\omega \), as all infinite words on which \(\mathcal {A}\) has an accepting run.
HyperLTL. HyperLTL [20] is one of the most studied temporal logics for the specification of hyperproperties. We assume that \(\mathcal {V}\) is a fixed set of trace variables. For the most part, we use variations of \(\pi \) (e.g., \(\pi , \pi ', \pi _1, \ldots \)) to denote trace variables. HyperLTL formulas are then generated by the grammar
where \(a \in \text {AP}\) is an atomic proposition, \(\pi \in \mathcal {V}{}\) is a trace variable, \(\mathbb {Q}\in \{\forall , \exists \}\) is a quantifier, and and are the temporal operators next and until.
The semantics of HyperLTL is given with respect to a trace assignment \(\varPi \), which is a partial mapping \(\varPi : \mathcal {V}\rightharpoonup \varSigma ^\omega \) that maps trace variables to traces. Given \(\pi \in \mathcal {V}\) and \(t \in \varSigma ^\omega \) we define \(\varPi [\pi \mapsto t]\) as the updated assignment that maps \(\pi \) to t. For \(i \in \mathbb {N}\) we define \(\varPi [i, \infty ]\) as the trace assignment defined by \(\varPi [i, \infty ](\pi ) := \varPi (\pi )[i, \infty ]\), i.e., we (synchronously) progress all traces by i steps. For quantifier-free formulas \(\psi \) we follow the LTL semantics and define
The indexed atomic propositions refer to a specific path in \(\varPi \), i.e., \(a_\pi \) holds iff a holds on the trace bound to \(\pi \). Quantifiers range over system traces:
We write \(\mathcal {T}\vDash \varphi \) if \(\emptyset \vDash _\mathcal {T}\varphi \) where \(\emptyset \) denotes the empty trace assignment.
HyperQPTL. HyperQPTL [45] adds – on top of the trace quantification of HyperLTL – also propositional quantification (analogous to the propositional quantification that QPTL [46] adds on top of LTL). For example, HyperQPTL can express a promptness property which states that there must exist a bound (which is common among all traces), up to which an event must have happened. We can express this as which states that there exists an evaluation of proposition q such that (1) q holds at least once, and (2) for all traces \(\pi \), a holds on \(\pi \) before the first occurrence of q. See [8] for details.
3 Second-Order HyperLTL
The (first-order) trace quantification in HyperLTL ranges over the set of all system traces; we thus cannot reason about arbitrary sets of traces as required for, e.g., common knowledge. We introduce a second-order extension of HyperLTL by introducing second-order variables (ranging over sets of traces) and allowing quantification over traces from any such set. We present two variants of our logic that differ in the way quantification is resolved. In Hyper2LTL, we quantify over arbitrary sets of traces. While this yields a powerful and intuitive logic, second-order quantification is inherently non-constructive. During model checking, there thus does not exist an efficient way to even approximate possible witnesses for the sets of traces. To solve this quandary, we restrict Hyper2LTL to Hyper2LTLfp, where we instead quantify over sets of traces that satisfy some minimality or maximality constraint. This allows for large fragments of Hyper2LTLfp that admit algorithmic approximations to its model checking (by, e.g., using known techniques from fixpoint computations�[47, 48]).
3.1 \(\text {Hyper}^2\text {LTL}\)
Alongside the set \(\mathcal {V}{}\) of trace variables, we use a set \(\mathfrak {V}{}\) of second-order variables (which we, for the most part, denote with capital letters X,�Y,�...). We assume that there is a special variable \(\mathfrak {S}\in \mathfrak {V}{}\) that refers to the set of traces of the given system at hand, and a variable \(\mathfrak {A}\in \mathfrak {V}{}\) that refers to the set of all traces. We define the Hyper2LTL syntax by the following grammar:
where \(a \in \text {AP}{}\) is an atomic proposition, \(\pi \in \mathcal {V}{}\) is a trace variable, \(X \in \mathfrak {V}{}\) is a second-order variable, and \(\mathbb {Q}\in \{\forall , \exists \}\) is a quantifier. We also consider the usual derived Boolean constants (\( true \), \( false \)) and connectives (\(\vee \), \(\rightarrow \), \(\leftrightarrow \)) as well as the temporal operators eventually ( ) and globally ( ). Given a set of atomic propositions \(P \subseteq \text {AP}\) and two trace variables \(\pi , \pi '\), we abbreviate \(\pi =_P \pi ' := \bigwedge _{a \in P} (a_\pi \leftrightarrow a_{\pi '})\).
Semantics. Apart from a trace assignment \(\varPi \) (as in the semantics of HyperLTL), we maintain a second-order assignment \(\varDelta : \mathfrak {V}{} \rightharpoonup 2^{\varSigma ^\omega }\) mapping second-order variables to sets of traces. Given \(X \in \mathfrak {V}\) and \(A \subseteq \varSigma ^\omega \) we define the updated assignment \(\varDelta [X \mapsto A]\) as expected. Quantifier-free formulas \(\psi \) are then evaluated in a fixed trace assignment as for HyperLTL (cf.�Sect.�2). For the quantifier prefix we define:
Second-order quantification updates \(\varDelta \) with a set of traces, and first-order quantification updates \(\varPi \) by quantifying over traces within the set defined by \(\varDelta \).
Initially, we evaluate a formula in the empty trace assignment and fix the valuation of the special second-order variable \(\mathfrak {S}\) to be the set of all system traces and \(\mathfrak {A}\) to be the set of all traces. That is, given a system \(\mathcal {T}\) and Hyper2LTL formula \(\varphi \), we say that \(\mathcal {T}\) satisfies \(\varphi \), written \(\mathcal {T}\vDash \varphi \), if \(\emptyset , [\mathfrak {S}\mapsto Traces (\mathcal {T}), \mathfrak {A}\mapsto \varSigma ^\omega ] \vDash \varphi \), where we write \(\emptyset \) for the empty trace assignment. The model-checking problem for Hyper2LTL is checking whether \(\mathcal {T}\vDash \varphi \) holds.
Hyper2LTL naturally generalizes HyperLTL by adding second-order quantification. As sets range over arbitrary traces, Hyper2LTL also subsumes the�more powerful logic HyperQPTL. The proof of�Lemma 1 is given in the full version of this paper�[11].
Lemma 1
Hyper2LTL subsumes HyperQPTL (and thus also HyperLTL).
Syntactic Sugar. In Hyper2LTL, we can quantify over traces within a second-order variable, but we cannot state, within the body of the formula, that some path is a member of some second-order variable. For that, we define \(\pi \triangleright X\) (as an atom within the body) as syntactic sugar for , i.e., \(\pi \) is in X if there exists some trace in X that agrees with \(\pi \) on all propositions. Note that we can only use \(\pi \triangleright X\) outside of the scope of any temporal operators; this ensures that we can bring the resulting formula into a form that conforms to the Hyper2LTL syntax.
3.2 \(\text {Hyper}^2\text {LTL}_{fp}\)
The semantics of Hyper2LTL quantifies over arbitrary sets of traces, making even approximations to its semantics challenging. We propose Hyper2LTLfp as a restriction that only quantifies over sets that are subject to an additional minimality or maximality constraint. For large classes of formulas, we show that this admits effective model-checking approximations. We define Hyper2LTLfp by the following grammar:
where \(a \in \text {AP}\), \(\pi \in \mathcal {V}{}\), \(X \in \mathfrak {V}\), \(\mathbb {Q}\in \{\forall , \exists \}\), and determines if we consider smallest (\(\curlyvee \)) or largest (\(\curlywedge \)) sets. For example, the formula \(\exists \, (X, \curlyvee , \varphi _1) \mathpunct {.}\varphi _2\) holds if there exists some set of traces X, that satisfies both \(\varphi _1\) and \(\varphi _2\), and is a smallest set that satisfies�\(\varphi _1\). Such minimality and maximality constraints with respect to a (hyper)property arise naturally in many properties. Examples include common knowledge (cf.�Sect.�3.3), asynchronous hyperproperties (cf.�Sect.�4.2), and causality in reactive systems�[22, 23].
Semantics. For path formulas, the semantics of Hyper2LTLfp is defined analogously to that of Hyper2LTL and HyperLTL. For the quantifier prefix we define:
where denotes all solutions to the minimality/maximality condition given by \(\varphi _1\), which we define by mutual recursion as follows:
A set A satisfies the minimality/maximality constraint if it satisfies \(\varphi \) and is a least (in case ) or greatest (in case ) set that satisfies \(\varphi \).
Note that can contain multiple sets or no set at all, i.e., there may not exists a unique least or greatest set that satisfies \(\varphi \). In Hyper2LTLfp, we therefore add an additional quantification over the set of all solutions to the minimality/maximality constraint. When discussing our model checking approximation algorithm, we present a (syntactic) restriction on \(\varphi \) which guarantees that contains a unique element (i.e., is a singleton set). Moreover, our restriction allows us to employ fixpoint techniques to find approximations to this unique solution. In case the solution for is unique, we often omit the leading quantifier and simply write instead of .
As we can encode the minimality/maximality constraints of Hyper2LTLfp in Hyper2LTL (see full version�[11]), we have the following:
Proposition 1
Any Hyper2LTLfp formula \(\varphi \) can be effectively translated into an Hyper2LTL formula \(\varphi '\) such that for all transition systems \(\mathcal {T}\) we have \(\mathcal {T}\vDash \varphi \) iff \(\mathcal {T}\vDash \varphi '\).
3.3 Common Knowledge in�Multi-agent Systems
To explain common knowledge, we use a variation of an example from�[43], and encode it in Hyper2LTLfp. Fig.�1(left) shows a transition system of a distributed system with two agents, agent�1 and agent 2. Agent�1 observes variables a and d, whereas agent 2 observes c and�d. The property of interest is starting from the trace \(\pi = a^n d^\omega \) for some fixed \( n > 1\), is it common knowledge for the two agents that a holds in the second step. It is trivial to see that holds on�\(\pi \). However, for common knowledge, we consider the (possibly) infinite chain of observationally equivalent traces. For example, agent 2 cannot distinguish the traces \(a^nd^\omega \) and \(a^{n-1}bd^\omega \). Therefore, agent 2 only knows that holds on \(\pi \) if it also holds on \( \pi ' = a^{n-1}bd^\omega \). For common knowledge, agent 1 also has to know that agent�2 knows , which means that for all traces that are indistinguishable from \(\pi \) or�\(\pi '\) for agent 1, has to hold. This adds \(\pi '' = a^{n-1}cd^\omega \) to the set of traces to verify against. This chain of reasoning continues as shown in Fig.�1(right). In the last step we add \(ac^{n-1}d^\omega \) to the set of indistinguishable traces, concluding that is not common knowledge.
The following Hyper2LTLfp formula specifies the property stated above. The abbreviation denotes that \(\pi _1\) and \(\pi _2\) are observationally equivalent for either agent 1 or agent 2.
For a trace \(\pi \) of the form \(\pi = a^n d^\omega \), the set X represents the common knowledge set on�\(\pi \). This set X is the smallest set that (1) contains \(\pi \) (expressed using our syntactic sugar \(\triangleright \)); and (2) is closed under observations by either agent, i.e., if we find some \(\pi _1 \in X\) and some system trace \(\pi _2\) that are observationally equivalent, \(\pi _2\) should also be in X. Note that this set is unique (due to the minimality restriction), so we do not quantify it explicitly. Lastly, we require that all traces in X satisfy the property . All sets that satisfy this formula would also include the trace \(ac^{n-1}d^\omega \), and therefore no such X exists; thus, we can conclude that starting from trace \(a^nd^\omega \), it is not common knowledge that holds. On the other hand, it is common knowledge that a holds in the first step (cf.�Sect.�6).
3.4 \(\text {Hyper}^2\text {LTL}\) Model Checking
As Hyper2LTL and Hyper2LTLfp allow quantification over arbitrary sets of traces, we can encode the satisfiability of HyperQPTL (i.e., the question of whether some set of traces satisfies a formula) within their model-checking problem; rendering the model-checking problem highly undecidable�[34], even for very simple formulas [4].
Proposition 2
For any HyperQPTL formula \(\varphi \) there exists a Hyper2LTL formula \(\varphi '\) such that \(\varphi \) is satisfiable iff \(\varphi '\) holds on some arbitrary transition system. The model-checking problem of Hyper2LTL is thus highly undecidable (\(\varSigma _1^1\)-hard).
Proof
Let \(\varphi '\) be the Hyper2LTL formula obtained from \(\varphi \) by replacing each HyperQPTL trace quantifier \(\mathbb {Q}\pi \) with the Hyper2LTL quantifier \(\mathbb {Q}\pi \in X\), and each propositional quantifier \(\mathbb {Q}q\) with \(\mathbb {Q}\pi _q \in \mathfrak {A}\) for some fresh trace variable \(\pi _q\). In the body, we replace each propositional variable q with \(a_{\pi _q}\) for some fixed proposition \(a \in \text {AP}\). Then, \(\varphi \) is satisfiable iff the Hyper2LTL formula \(\exists X. \varphi '\) holds in some arbitrary system. ���\(\square \)
Hyper2LTLfp cannot express HyperQPTL satisfiability directly. If there exists a model of a HyperQPTL formula, there may not exist a least one. However, model checking of Hyper2LTLfp is also highly undecidable.
Proposition 3
The model-checking problem of Hyper2LTLfp is \(\varSigma _1^1\)-hard.
Proof (Sketch)
We can encode the existence of a recurrent computation of a Turing machine, which is known to be \(\varSigma _1^1\)-hard [1].���\(\square \)
Conversely, the existential fragment of Hyper2LTL can be encoded back into HyperQPTL satisfiability:
Proposition 4
Let \(\varphi \) be a Hyper2LTL formula that uses only existential second-order quantification and \(\mathcal {T}\) be any system. We can effectively construct a formula \(\varphi '\) in HyperQPTL such that \(\mathcal {T}\vDash \varphi \) iff \(\varphi '\) is satisfiable.
Lastly, we present some easy fragments of Hyper2LTL for which the model-checking problem is decidable. Here we write \(\exists ^* X\) (resp.�\(\forall ^* X\)) for some sequence of existentially (resp.�universally) quantified second-order variables and \(\exists ^* \pi \) (resp.�\(\forall ^* \pi \)) for some sequence of existentially (resp.�universally) quantified first-order variables. For example, \(\exists ^* X \forall ^*\pi \) captures all formulas of the form \(\exists X_1, \ldots X_n. \forall \pi _1, \ldots , \pi _m. \psi \) where \(\psi \) is quantifier-free.
Proposition 5
The model-checking problem of Hyper2LTL is decidable for the fragments: \(\exists ^* X \forall ^*\pi \), \(\forall ^* X \forall ^*\pi \), \(\exists ^* X \exists ^*\pi \), \(\forall ^* X \exists ^*\pi \), \(\exists X.\exists ^* \pi \in X \forall ^*\pi '\in X\).
We refer the reader to the full version�[11] for detailed proofs.
4 Expressiveness of \(\text {Hyper}^2\text {LTL}\)
In this section, we point to existing logics that can naturally be encoded within our second-order hyperlogics Hyper2LTL and Hyper2LTLfp.
4.1 \(\text {Hyper}^2\text {LTL}\) and LTL\(_{\textsf{K}, \textsf{C}}\)
LTL\(_\textsf{K}\) extends LTL with the knowledge operator \(\textsf{K}\). For some subset of agents A, the formula \(\textsf{K}_A \psi \) holds in timestep i, if \(\psi \) holds on all traces equivalent to some agent in A up to timestep i. See full version [11] for detailed semantics. LTL\(_\textsf{K}\) and HyperCTL\(^*\) have incomparable expressiveness [16] but the knowledge operator \(\textsf{K}\) can be encoded by either adding a linear past operator [16] or by adding propositional quantification (as in HyperQPTL) [45].
Using Hyper2LTLfp we can encode LTL\(_{\textsf{K}, \textsf{C}}\), featuring the knowledge operator \(\textsf{K}\) and the common knowledge operator \(\textsf{C}\) (which requires that \(\psi \) holds on the closure set of equivalent traces, up to the current timepoint) [41]. Note that LTL\(_{\textsf{K}, \textsf{C}}\) is not encodable by only adding propositional quantification or the linear past operator.
Proposition 6
For every LTL\(_{\textsf{K}, \textsf{C}}\) formula \(\varphi \) there exists an Hyper2LTLfp formula \(\varphi '\) such that for any system \(\mathcal {T}\) we have \(\mathcal {T}\vDash _{LTL_{\textsf{K}, \textsf{C}}} \varphi \) iff \(\mathcal {T}\vDash \varphi '\).
Proof (Sketch)
We follow the intuition discussed in Sect. 3.3. For each occurrence of a knowledge operator in \(\{\textsf{K}, \textsf{C}\}\), we use a fresh trace variable to keep track on the points in time with respect to which we need to compare traces. We then use this trace variable to introduce a second-order set that collects all equivalent traces (by the observations of one agent, or the closure of all agents’ observations). We then inductively construct a Hyper2LTLfp formula that captures all the knowledge and common-knowledge sets, over which we check the properties at hand. See full version for more details [11]. \(\square \)
4.2 \(\text {Hyper}^2\text {LTL}\) and Asynchronous Hyperproperties
Most existing hyperlogics (including Hyper2LTL) traverse the traces of a system synchronously. However, in many cases such a synchronous traversal is too restricting and we need to compare traces asynchronously. As an example, consider observational determinism (OD), which we can express in HyperLTL as . The formula states that the output of a system is identical across all traces and so (trivially) no information about high-security inputs is leaked. In most systems encountered in practice, this synchronous formula is violated, as the exact timing between updates to o might differ by a few steps (we provide some examples in the full version [11]). However, assuming that an attacker only has access to the memory footprint and not a timing channel, we would only like to check that all traces are stutter equivalent (with respect to o).
A range of extensions to existing hyperlogics has been proposed to reason about such asynchronous hyperproperties [3, 5, 9, 17, 39]. We consider AHLTL [3]. An AHLTL formula has the form \(\mathbb {Q}_1 \pi _1, \ldots , \mathbb {Q}_n \pi _m. \textbf{E} \mathpunct {.}\psi \) where \(\psi \) is a qunatifier-free HyperLTL formula. The initial trace quantifier prefix is handled as in HyperLTL. However, different from HyperLTL, a trace assignment \([\pi _1 \mapsto t_1, \ldots , \pi _n \mapsto t_n]\) satisfies \(\textbf{E} \mathpunct {.}\psi \) if there exist stuttered traces \(t_1', \ldots , t_n'\) of \(t_1, \ldots , t_n\) such that \([\pi _1 \mapsto t_1', \ldots , \pi _n \mapsto t_n'] \vDash \psi \). We write \(\mathcal {T}\vDash _{ AHLTL } \varphi \) if a system \(\mathcal {T}\) satisfies the AHLTL formula \(\varphi \). Using this quantification over stutterings we can, for example, express an asynchronous version of observational determinism as stating that every two traces can be aligned such that they (globally) agree on o. Despite the fact that Hyper2LTLfp is itself synchronous, we can use second-order quantification to encode asynchronous hyperproperties, as we state in the following proposition.
Proposition 7
For any AHLTL formula \(\varphi \) there exists a Hyper2LTLfp formula \(\varphi '\) such that for any system \(\mathcal {T}\) we have \(\mathcal {T}\vDash _{ AHLTL } \varphi \) iff \(\mathcal {T}\vDash \varphi '\).
Proof
Assume that \(\varphi = \mathbb {Q}_1 \pi _1, \ldots , \mathbb {Q}_n \pi _n. \textbf{E} \mathpunct {.}\psi \) is the given AHLTL formula. For each \(i \in [n]\) we define a formula \(\varphi _i\) as follows
The formula asserts that the set of traces bound to \(X_i\) is closed under stuttering, i.e., if we start from any trace in \(X_i\) and stutter it once (at some arbitrary position) we again end up in \(X_i\). Using the formulas \(\varphi _i\), we then construct a Hyper2LTLfp formula that is equivalent to \(\varphi \) as follows
We first mimic the quantification in \(\varphi \) and, for each trace \(\pi _i\), construct a least set \(X_i\) that contains \(\pi _i\) and is closed under stuttering (thus describing exactly the set of all stuttering of \(\pi _i\)). Finally, we assert that there are traces \(\pi _1', \ldots , \pi _n'\) with \(\pi _i' \in X_i\) (so \(\pi _i'\) is a stuttering of \(\pi _i\)) such that \(\pi _1', \ldots , \pi _n'\) satisfy \(\psi \). It is easy to see that \(\mathcal {T}\vDash _{ AHLTL } \varphi \) iff \(\mathcal {T}\vDash \varphi '\) holds for all systems. ���\(\square \)
Hyper2LTLfp captures all properties expressible in AHLTL. In particular, our approximate model-checking algorithm for Hyper2LTLfp (cf.�Sect.�5) is applicable to AHLTL; even for instances where no approximate solutions were previously known. In Sect.�6, we show that our prototype model checker for Hyper2LTLfp can verify asynchronous properties in practice.
5 Model-Checking \(\text {Hyper}^2\text {LTL}_{fp}\)
In general, finite-state model checking of Hyper2LTLfp is highly undecidable (cf. Proposition 2). In this section, we outline a partial algorithm that computes approximations on the concrete values of second-order variables for a fragment of Hyper2LTLfp. At a very high-level, our algorithm (Algorithm 1) iteratively computes under- and overapproximations for second-order variables. It then turns to resolve first-order quantification, using techniques from HyperLTL model checking [8, 32], and resolves existential and universal trace quantification on the under- and overapproximation of the second-order variables, respectively. If the verification fails, it goes back to refine second-order approximations.
In this section, we focus on the setting where we are interested in the least sets (using \(\curlyvee \)), and use techniques to approximate the least fixpoint. A similar (dual) treatment is possible for Hyper2LTLfp formulas that use the largest set. Every Hyper2LTLfp which uses only minimal sets has the following form:
We quantify second-order variables \(Y_1, \ldots , Y_k\), where, for each \(j \in [k]\), \(Y_j\) is the least set that satisfies \(\varphi ^ con _j\). Finally, for each \(j \in [k+1]\),
is the block of first-order quantifiers that sits between the quantification of \(Y_{j-1}\) and \(Y_j\). Here \(X_{l_j+1}, \ldots , X_{l_{j+1}} \in \{\mathfrak {S}, \mathfrak {A}, Y_1, \ldots , Y_{j-1}\}\) are second-order variables that are quantified before \(\gamma _j\). In particular, \(\pi _1, \ldots , \pi _{l_j}\) are the first-order variables quantified before�\(Y_j\).
5.1 Fixpoints in�\(\text {Hyper}^2\text {LTL}_{fp}\)
We consider a fragment of Hyper2LTLfp which we call the least fixpoint fragment. Within this fragment, we restrict the formulas \(\varphi ^ con _1, \ldots , \varphi ^ con _k\) such that \(Y_1, \ldots , Y_k\) can be approximated as (least) fixpoints. Concretely, we say that \(\varphi \) is in the least fixpoint fragment of Hyper2LTLfp if for all \(j \in [k]\), \(\varphi ^ con _j\) is a conjunction of formulas of the form
where each \(X_i \in \{\mathfrak {S}, \mathfrak {A}, Y_1, \ldots , Y_j\}\), \(\psi _{ step }\) is quantifier-free formula over trace variables \(\dot{\pi }_1, \ldots , \dot{\pi }_n, \pi _1, \ldots , \pi _{l_j}\), and \(M \in [n]\). Intuitively, Eq. (2) states a requirement on traces that should be included in \(Y_j\). If we find traces \(\dot{t}_1 \in X_1, \ldots , \dot{t}_n \in X_n\) that, together with the traces \(t_1, \ldots , t_{l_j}\) quantified before \(Y_j\), satisfy \(\psi _{ step }\), then \(\dot{t}_M\) should be included in \(Y_j\).
Together with the minimality constraint on \(Y_j\) (stemming from the semantics of Hyper2LTLfp), this effectively defines a (monotone) least fixpoint computation, as \(\psi _{ step }\) defines exactly the traces to be added to the set. This will allow us to use results from fixpoint theory to compute approximations for the sets \(Y_j\).
Our least fixpoint fragment captures most properties of interest, in particular, common knowledge (Sect.�3.3) and asynchronous hyperproperties (Sect.�4.2). We observe that formulas of the above form ensure that the solution \(Y_j\) is unique, i.e., for any trace assignment \(\varPi \) to \(\pi _1, \ldots , \pi _{l_j}\) and second-order assignment \(\varDelta \) to \(\mathfrak {S}, \mathfrak {A}, Y_1, \ldots , Y_{j-1}\), there is only one element in \( sol (\varPi , \varDelta , (Y_j, \curlyvee , \varphi _j^ con ))\).
5.2 Functions as�Automata
In our (approximate) model-checking algorithm, we represent a concrete assignment to the second-order variables \(Y_1, \ldots , Y_k\) using automata \(\mathcal {B}_{Y_1}, \ldots , \mathcal {B}_{Y_k}\). The concrete assignment of \(Y_j\) can depend on traces assigned to \(\pi _1, \ldots , \pi _{l_j}\), i.e., the first-order variables quantified before \(Y_j\). To capture these dependencies, we view each \(Y_j\) not as a set of traces but as a function mapping traces of all preceding first-order variables to a set of traces. We represent such a function \(f : (\varSigma ^\omega )^{l_j} \rightarrow 2^{(\varSigma ^\omega )}\) mapping the \(l_j\) traces to a set of traces as an automaton \(\mathcal {A}\) over \(\varSigma ^{l_j+1}\). For traces \(t_1, \ldots , t_{l_j}\), the set \(f(t_1, \ldots , t_{l_j})\) is represented in the automaton by the set \(\{ t \in \varSigma ^\omega \mid zip (t_1, \ldots , t_{l_j}, t) \in \mathcal {L}(\mathcal {A}) \}\). For example, the function \(f(t_1) := \{t_1\}\) can be defined by the automaton that accepts the zipping of a pair of traces exactly if both traces agree on all propositions. This representation of functions as automata allows us to maintain an assignment to \(Y_j\) that is parametric in \(\pi _1, \ldots , \pi _{l_j}\) and still allows first-order model checking on \(Y_1, \ldots , Y_k\).
5.3 Model Checking for First-Order Quantification
First, we focus on first-order quantification, and assume that we are given a concrete assignment for each second-order variable as fixed automata \(\mathcal {B}_{Y_1}, \ldots , \mathcal {B}_{Y_k}\) (where \(\mathcal {B}_{Y_j}\) is an automaton over \(\varSigma ^{l_j+1}\)). Our construction for resolving first-order quantification is based on HyperLTL model checking [32], but needs to work on sets of traces that, themselves, are based on traces quantified before (cf. Sect. 5.2). Recall that the first-order quantifier prefix is \(\gamma _1 \cdots \gamma _{k+1} = \mathbb {Q}_{1} \pi _{1} \in X_{1} \cdots \mathbb {Q}_{l_{k+1}} \pi _{l_{k+1}} \in X_{l_{k+1}}\). For each \(1 \le i \le l_{k+1}\) we inductively construct an automaton \(\mathcal {A}_i\) over \(\varSigma ^{i-1}\) that summarizes all trace assignments to \(\pi _1, \ldots , \pi _{i-1}\) that satisfy the subformula starting with the quantification of \(\pi _i\). That is, for all traces \(t_1, \ldots , t_{i-1}\) we have
(under the fixed second-order assignment for \(Y_1, \ldots , Y_k\) given by \(\mathcal {B}_{Y_1}, \ldots , \mathcal {B}_{Y_k}\)) if and only if \( zip (t_1, \ldots , t_{i-1}) \in \mathcal {L}(\mathcal {A}_i)\). In the context of HyperLTL model checking we say \(\mathcal {A}_i\) is equivalent to \(\mathbb {Q}_{i} \pi _{i} \in X_{i} \cdots \mathbb {Q}_{l_{k+1}} \pi _{l_{k+1}} \in X_{l_{k+1}}\mathpunct {.}\psi \) [8, 32]. In particular, \(\mathcal {A}_1\) is an automaton over singleton alphabet \(\varSigma ^0\).
We construct \(\mathcal {A}_1, \ldots , \mathcal {A}_{l_{k+1}+1}\) inductively, starting with \(\mathcal {A}_{l_{k+1}+1}\). Initially, we construct \(\mathcal {A}_{l_{k+1}+1}\) (over \(\varSigma ^{l_{k+1}}\)) using a standard LTL-to-NBA construction on the (quantifier-free) body \(\psi \) (see [32] for details). Now assume that we are given an (inductively constructed) automaton \(\mathcal {A}_{i+1}\) over \(\varSigma ^i\) and want to construct \(\mathcal {A}_i\). We first consider the case where \(\mathbb {Q}_i = \exists \), i.e., the ith trace quantification is existential. Now \(X_i\) (the set where \(\pi _i\) is resolved on) either equals \(\mathfrak {S}\), \(\mathfrak {A}\) or \(Y_j\) for some \(j \in [k]\). In either case, we represent the current assignment to \(X_i\) as an automaton \(\mathcal {C}\) over \(\varSigma ^{T + 1}\) for some \(T < i\) that defines the model of \(X_i\) based on traces \(\pi _1, \ldots , \pi _T\): In case \(X_i = \mathfrak {S}\), we set \(\mathcal {C}\) to be the automaton over \(\varSigma ^{0 + 1}\) that accepts exactly the traces in the given system \(\mathcal {T}\); in case \(X_i = \mathfrak {A}\), we set \(\mathcal {C}\) to be the automaton over \(\varSigma ^{0 + 1}\) that accepts all traces; If \(X_i = Y_j\) for some \(j \in [k]\) we set \(\mathcal {C}\) to be \(\mathcal {B}_{Y_j}\) (which is an automaton over \(\varSigma ^{l_j + 1}\)).Footnote 1 Given \(\mathcal {C}\), we can now modify the construction from [32], to resolve first-order quantification: The desired automaton \(\mathcal {A}_i\) should accept the zipping of traces \(t_1, \ldots , t_{i-1}\) if there exists a trace t such that (1) \( zip (t_1, \ldots , t_{i-1}, t) \in \mathcal {L}(\mathcal {A}_{i+1})\), and (2) the trace t is contained in the set of traces assigned to \(X_i\) as given by \(\mathcal {C}\), i.e., \( zip (t_1, \ldots , t_T, t) \in \mathcal {L}(\mathcal {C})\). The construction of this automaton is straightforward by taking a product of \(\mathcal {A}_{i+1}\) and \(\mathcal {C}\). We denote this automaton with . In case \(\mathbb {Q}_i = \forall \) we exploit the duality that \(\forall \pi . \psi \) = \(\lnot \exists \pi . \lnot \psi \), combining the above construction with automata complementation. We denote this universal product of \(\mathcal {A}_{i+1}\) and \(\mathcal {C}\) with .
The final automaton \(\mathcal {A}_1\) is an automaton over singleton alphabet \(\varSigma ^0\) that is equivalent to \(\gamma _1 \cdots \gamma _{k+1}. \psi \), i.e., the entire first-order quantifier prefix. Automaton \(\mathcal {A}_1\) thus satisfies \(\mathcal {L}(\mathcal {A}_1) \ne \emptyset \) (which we can decide) iff the empty trace assignment satisfies the first-order formula \(\gamma _1 \cdots \gamma _{k+1}\mathpunct {.}\psi \), iff \(\varphi \) (of Eq. (1)) holds within the fixed model for \(Y_1, \ldots , Y_k\). For a given fixed second-order assignment (given as automata \(\mathcal {B}_{Y_1}, \ldots , \mathcal {B}_{Y_k}\)), we can thus decide if the system satisfies the first-order part.
During the first-order model-checking phase, each quantifier alternations in the formula require complex automata complementation. For the first-order phase, we could also use cheaper approximate methods by, e.g., instantiating the existential trace using a strategy [6, 7, 25].
5.4 Bidirectional Model Checking
So far, we have discussed the verification of the first-order quantifiers assuming we have a fixed model for all second-order variables \(Y_1, \ldots , Y_k\). In our actual model-checking algorithm, we instead maintain under- and overapproximations on each of the \(Y_1, \ldots , Y_k\).
In each iteration, we first traverse the second-order quantifiers in an outside-in direction and compute lower- and upper-bounds on each \(Y_j\). Given the bounds, we then traverse the first-order prefix in an inside-out direction using the current approximations to \(Y_1, \ldots , Y_k\). If the current approximations are not precise enough to witness the satisfaction (or violation) of a property, we repeat and try to compute better bounds on \(Y_1, \ldots , Y_k\). Due to the different directions of traversal, we refer to our model-checking approach as bidirectional. Algorithm�1 provides an overview. Initially, we convert the system \(\mathcal {T}\) to an NBA \(\mathcal {A}_\mathcal {T}\) accepting exactly the traces of the system. In each round, we compute under- and overapproximations for each \(Y_j\) in a mapping�\(\flat \). We initialize \(\flat \) by mapping \(\mathfrak {S}\) to \((\mathcal {A}_\mathcal {T}, \mathcal {A}_\mathcal {T})\) (i.e., the value assigned to the system variable is precisely�\(\mathcal {A}_\mathcal {T}\) for both under- and overapproximation), and \(\mathfrak {A}\) to \((\mathcal {A}_\top , \mathcal {A}_\top )\) where \(\mathcal {A}_\top \) is an automaton over \(\varSigma ^1\) accepting all traces. We then traverse the second-order quantifiers outside-in (from \(Y_1\) to \(Y_k\)) and for each \(Y_j\) compute a pair \((\mathcal {B}_j^l, \mathcal {B}_j^u)\) of automata over \(\varSigma ^{l_j + 1}\) that under- and overapproximate the actual (unique) model of \(Y_j\). We compute these approximations using functions and , which can be instantiated with any procedure that computes sound lower and upper bounds (see Sect.�5.5). During verification, we further maintain a precision bound�N (initially set to 0) that tracks the current precision of the second-order approximations.
When \(\flat \) contains an under- and overapproximation for each second-order variable, we traverse the first-order variables in an inside-out direction (from�\(\pi _{l_{k+1}}\) to�\(\pi _1\)) and, following the construction outlined in Sect.�5.3, construct automata \(\mathcal {A}_{l_k+1}, \ldots , \mathcal {A}_1\). Different from the simplified setting in Sect.�5.3 (where we assume a fixed automaton \(\mathcal {B}_{Y_j}\) providing a model for each \(Y_j\)), the mapping \(\flat \) contains only approximations of the concrete solution. We choose which approximation to use according to the corresponding set quantification: In case we construct \(\mathcal {A}_i\) and \(\mathbb {Q}_i = \exists \), we use the underapproximation (thus making sure that any witness trace we pick is indeed contained in the actual model of the second-order variable); and if \(\mathbb {Q}_i = \forall \), we use the overapproximation (making sure that we consider at least those traces that are in the actual solution). If \(\mathcal {L}(\mathcal {A}_1)\) is non-empty, i.e., accepts the empty trace assignment, the formula holds (assuming the approximations returned by and are sound). If not, we increase the precision bound N and repeat.
In Algorithm�1, we only check for the satisfaction of a formula (to keep the notation succinct). Using the second-order approximations in \(\flat \) we can also check the negation of a formula (by considering the negated body and dualizing all trace quantifiers). Our tool (Sect.�6) makes use of this and thus simultaneously tries to show satisfaction and violation of a formula.
5.5 Computing Under- and Overapproximations
In this section we provide concrete instantiations for and .
Computing Underapproximations. As we consider the fixpoint fragment, each formula \(\varphi _j^ con \) (defining \(Y_j\)) is a conjunction of formulas of the form in Eq. (2), thus defining \(Y_j\) via a least fixpoint computation. For simplicity, we assume that \(Y_j\) is defined by the single conjunct, given by�Eq. (2) (our construction generalizes easily to a conjunction of such formulas). Assuming fixed models for \(\mathfrak {S}\), \(\mathfrak {A}\) and \(Y_1, \ldots , Y_{j-1}\), the fixpoint operation defining \(Y_j\) is monotone, i.e., the larger the current model for \(Y_j\) is, the more traces we need to add according to Eq. (2). Monotonicity allows us to apply the Knaster-Tarski theorem [47] and compute underapproximations to the fixpoint by iteration.
In our construction of an approximation for \(Y_j\), we are given a mapping \(\flat \) that fixes a pair of automata for \(\mathfrak {S}\), \(\mathfrak {A}\), and \(Y_1, \ldots , Y_{j-1}\) (due to the outside-in traversal in Algorithm�1). As we are computing an underapproximation, we use the underapproximation for each of the second-order variables in \(\flat \). So \(\flat (\mathfrak {S})\) and \(\flat (\mathfrak {A})\) are automata over \(\varSigma ^1\) and for each \(j' \in [j-1]\), \(\flat (Y_{j'})\) is an automaton over \(\varSigma ^{l_{j'} + 1}\). Given this fixed mapping \(\flat \), we iteratively construct automata \(\hat{\mathcal {C}}_0, \hat{\mathcal {C}}_1, \ldots \) over \(\varSigma ^{l_j + 1}\) that capture (increasingly precise) underapproximations on the solution for \(Y_j\). We set \(\hat{\mathcal {C}}_0\) to be the automaton with the empty language. We then recursively define \(\hat{\mathcal {C}}_{N+1}\) based on \(\hat{\mathcal {C}}_{N}\) as follows: For each second-order variable \(X_i\) for \(i \in [n]\) used in Eq. (2) we can assume a concrete assignment in the form of an automaton \(\mathcal {D}_i\) over \(\varSigma ^{T_i + 1}\) for some \(T_i \le l_j\): In case \(X_i \ne Y_j\) (so \(X_i \in \{\mathfrak {S}, \mathfrak {A}, Y_1, \ldots , Y_{j-1}\}\)), we set \(\mathcal {D}_i := \flat (X_i)\). In case \(X_i = Y_j\), we set \(\mathcal {D}_i := \hat{\mathcal {C}}_N\), i.e., we use the current approximation of \(Y_j\) in iteration N. After we have set \(\mathcal {D}_1, \ldots , \mathcal {D}_n\), we compute an automaton \(\dot{\mathcal {C}}\) over \(\varSigma ^{l_j+1}\) that accepts \( zip (t_1, \ldots , t_{l_j}, t)\) iff there exists traces \(\dot{t}_1, \ldots , \dot{t}_n\) such that (1) \( zip (t_1, \ldots , t_{T_i}, \dot{t}_i) \in \mathcal {L}(\mathcal {D}_i)\) for all \(i \in [n]\), (2) \([\pi _1 \mapsto t_1, \ldots , \pi _{l_j} \mapsto t_{l_j}, \dot{\pi }_1 \mapsto \dot{t}_{1},\ldots , \dot{\pi }_n \mapsto \dot{t}_n] \vDash \psi _ step \), and (3) trace t equals \(\dot{t}_M\) (of Eq. (2)). The intuition is that \(\dot{\mathcal {C}}\) captures all traces that should be added to \(Y_j\): Given \(t_1, \ldots , t_{l_j}\) we check if there are traces \(\dot{t}_1, \ldots , \dot{t}_n\) for trace variables \(\dot{\pi }_1, \ldots , \dot{\pi }_n\) in Eq. (2) where (1) each \(\dot{t}_i\) is in the assignment for \(X_i\), which is captured by the automaton \(\mathcal {D}_i\) over \(\varSigma ^{T_i + 1}\), and (2) the traces \(\dot{t}_1, \ldots , \dot{t}_n\) satisfy \(\varphi _ step \). If this is the case, we want to add \(\dot{t}_M\) (as stated in Eq. (2)). We then define \(\hat{\mathcal {C}}_{N+1}\) as the union of \(\hat{\mathcal {C}}_{N}\) and \(\dot{\mathcal {C}}\), i.e. extend the previous model with all (potentially new) traces that need to be added.
Computing Overapproximations. As we noted above, conditions of the form of Eq. (2) always define fixpoint constraints. To compute upper bounds on such fixpoint constructions we make use of Park’s theorem, [48] stating that if we find some set (or automaton) \(\mathcal {B}\) that is inductive (i.e., when computing all traces that we would need to add assuming the current model of \(Y_j\) is \(\mathcal {B}\), we end up with traces that are already in \(\mathcal {B}\)), then \(\mathcal {B}\) overapproximates the unique solution (aka. least fixpoint) of \(Y_j\). To derive such an inductive invariant, we employ techniques developed in the context of regular model checking [15] (see Sect. 7). Concretely, we employ the approach from [19] that uses automata learning [2] to find suitable invariants. While the approach from [19] is limited to finite words, we extend it to an \(\omega \)-setting by interpreting an automaton accepting finite words as one that accepts an \(\omega \)-word u iff every prefix of u is accepted.Footnote 2 As soon as the learner provides a candidate for an equivalence check, we check that it is inductive and, if not, provide some finite counterexample (see [19] for details). If the automaton is inductive, we return it as a potential overapproximation. Should this approximation not be precise enough, the first-order model checking (Sect.�5.3) returns some concrete counterexample, i.e., some trace contained in the invariant but violating the property, which we use to provide more counterexamples to the learner.
6 Implementation and Experiments
We have implemented our model-checking algorithm in a prototype tool we call HySO (Hyperproperties with Second Order).Footnote 3 Our tool uses spot [29] for basic automata operations (such as LTL-to-NBA translations and complementations). To compute under- and overapproximations, we use the techniques described in Sect. 5.5. We evaluate the algorithm on the following benchmarks.
Muddy Children. The muddy children puzzle [30] is one of the classic examples in common knowledge literature. The puzzle consists of n children standing such that each child can see all other children’s faces. From the n children, an unknown number \(k \ge 1\) have a muddy forehead, and in incremental rounds, the children should step forward if they know if their face is muddy or not. Consider the scenario of \(n=2\) and \(k = 1\), so child a sees that child b has a muddy forehead and child b sees that a is clean. In this case, b immediately steps forward, as it knows that its forehead is muddy since \(k\ge 1\). In the next step, a knows that its face is clean since b stepped forward in round 1. In general, one can prove that all children step forward in round k, deriving common knowledge.
For each n we construct a transition system \(\mathcal {T}_n\) that encodes the muddy children scenario with n children. For every m we design a Hyper2LTLfp formula \(\varphi _m\) that adds to the common knowledge set X all traces that appear indistinguishable in the first m steps for some child. We then specify that all traces in X should agree on all inputs, asserting that all inputs are common knowledge.Footnote 4 We used HySO to fully automatically check \(\mathcal {T}_n\) against \(\varphi _m\) for varying values of n and m, i.e., we checked if, after the first m steps, the inputs of all children are common knowledge. As expected, the above property holds only if \(m \ge n\) (in the worst case, where all children are dirty \((k = n)\), the inputs of all children only become common knowledge after n steps). We depict the results in Table 1a.
Asynchronous Hyperproperties. As we have shown in Sect. 4.2, we can encode arbitrary AHLTL properties into Hyper2LTLfp. We verified synchronous and asynchronous version of observational determinism (cf. Sect. 4.2) on programs taken from [3, 5, 9]. We depict the verification results in Table 1b. Recall that Hyper2LTLfp properties without any second-order variables correspond to HyperQPTL formulas. HySO can check such properties precisely, i.e., it constitutes a sound-and-complete model checker for HyperQPTL properties with an arbitrary quantifier prefix. The synchronous version of observational determinism is a HyperLTL property and thus needs no second-order approximation (we set the method column to “-” in these cases).
Common Knowledge in Multi-agent Systems. We used HySO for an automatic analysis of the system in Fig. 1. Here, we verify that on initial trace \(\{a\}^n\{d\}^\omega \) it is CK that a holds in the first step. We use a similar formula as the one of Sect. 3.3, with the change that we are interested in whether a is CK (whereas we used in Sect. 3.3). As expected, HySO requires \(2n-1\) iterations to converge. We depict the results in Table 2a.
Mazurkiewicz Traces. Mazurkiewicz traces are an important concept in the theory of distributed computing [27]. Let \(I \subseteq \varSigma \times \varSigma \) be an independence relation that determines when two consecutive letters can be switched (think of two actions in disjoint processes in a distributed system). Any \(t \in \varSigma ^\omega \) then defines the set of all traces that are equivalent to t by flipping consecutive independent actions an arbitrary number of times (the equivalence class of all these traces is called the Mazurkiewicz Trace). See [27] for details. The verification problem for Mazurkiewicz traces now asks if, given some \(t \in \varSigma ^\omega \), all traces in the Mazurkiewicz trace of t satisfy some property \(\psi \). Using Hyper2LTLfp we can directly reason about the Mazurkiewicz Trace of any given trace, by requiring that all traces that are equal up to one swap of independent letters are also in a given set (which is easily expressed in Hyper2LTLfp).
Using HySO we verify a selection of such trace properties that often require non-trivial reasoning by coming up with a suitable invariant. We depict the results in Table 2b. In our preliminary experiments, we model a situation where we start with \(\{a\}^1\{\}^\omega \) and can swap letters \(\{a\}\) and \(\{\}\). We then, e.g., ask if on any trace in the resulting Mazurkiewicz trace, a holds at most once, which requires inductive invariants and cannot be established by iteration.
7 Related Work
In recent years, many logics for the formal specification of hyperproperties have been developed, extending temporal logics with explicit path quantification (examples include HyperLTL, HyperCTL\(^*\) [20], HyperQPTL [10, 45], HyperPDL [38], and HyperATL\(^*\) [5, 9]); or extending first and second-order logics with an equal level predicate [25, 33]. Others study (\(\omega \))-regular [14, 37] and context-free hyperproperties [35]; or discuss hyperproperties over data and modulo theories [24, 31]. Hyper2LTL is the first temporal logic that reasons about second-order hyperproperties which allows is to capture many existing (epistemic, asynchronous, etc.) hyperlogics while at the same time taking advantage of model-checking solutions that have been proven successful in first-order settings.
Asynchronous Hyperproperties. For asynchronous hyperproperties, Gutfeld et al. [39] present an asynchronous extension of the polyadic \(\mu \)-calculus. Bozelli et al. [17] extend HyperLTL with temporal operators that are only evaluated if the truth value of some temporal formula changes. Baumeister et al. present AHLTL [3], that extends HyperLTL with a explicit quantification over trajectories and can be directly encoded within Hyper2LTLfp.
Regular Model Checking. Regular model checking [15] is a general verification method for (possibly infinite state) systems, in which each state of the system is interpreted as a finite word. The transitions of the system are given as a finite-state (regular) transducer, and the model checking problem asks if, from some initial set of states (given as a regular language), some bad state is eventually reachable. Many methods for automated regular model checking have been developed [12, 13, 19, 26]. Hyper2LTL can be seen as a logical foundation for \(\omega \)-regular model checking: Assume the set of initial states is given as a QPTL formula \(\varphi _ init \), the set of bad states is given as a QPTL formula \(\varphi _ bad \), and the transition relation is given as a QPTL formula \(\varphi _ step \) over trace variables \(\pi \) and \(\pi '\). The set of bad states is reachable from a trace (state) in \(\varphi _ init \) iff the following Hyper2LTLfp formula holds on the system that generates all traces:
Conversely, Hyper2LTLfp can express more complex properties, beyond the reachability checks possible in the framework of (\(\omega \)-)regular model checking.
Model Checking Knowledge. Model checking of knowledge properties in multi-agent systems was developed in the tools MCK [36] and MCMAS [42], which can exactly express LTL\(_{\textsf{K}}\). Bozzelli et al. [16] have shown that HyperCTL\(^*\) and LTL\(_\textsf{K}\) have incomparable expressiveness, and present HyperCTL\(^*_{lp}\) – an extension of HyperCTL\(^*\) that can reason about past – to unify HyperCTL\(^*\) and LTL\(_\textsf{K}\). While HyperCTL\(^*_{lp}\) can express the knowledge operator, it cannot capture common knowledge. LTL\(_{\textsf{K},\textsf{C}}\) [41] captures both knowledge and common knowledge, but the suggested model-checking algorithm only handles a decidable fragment that is reducible to LTL model checking.
8 Conclusion
Hyperproperties play an increasingly important role in many areas of computer science. There is a strong need for specification languages and verification methods that reason about hyperproperties in a uniform and general manner, similar to what is standard for more traditional notions of safety and reliability. In this paper, we have ventured forward from the first-order reasoning of logics like HyperLTL into the realm of second-order hyperproperties, i.e., properties that not only compare individual traces but reason comprehensively about sets of such traces. With Hyper2LTL, we have introduced a natural specification language and a general model-checking approach for second-order hyperproperties. Hyper2LTL provides a general framework for a wide range of relevant hyperproperties, including common knowledge and asynchronous hyperproperties, which could previously only be studied with specialized logics and algorithms. Hyper2LTL also provides a starting point for future work on second-order hyperproperties in areas such as cyber-physical [44] and probabilistic systems [28].
Notes
- 1.
Note that in this case \(l_j < i\): if trace \(\pi _i\) is resolved on \(Y_j\) (i.e., \(X_i = Y_j\)), then \(Y_j\) must be quantified before \(\pi _i\) so there are at most \(i-1\) traces quantified before \(Y_j\).
- 2.
This effectively poses the assumption that the step formula specifies a safety property, which seems to be the case for almost all examples. As an example, common knowledge infers a safety property: In each step, we add all traces for which there exists some trace that agrees on all propositions observed by that agent.
- 3.
Our tool is publicly available at https://doi.org/10.5281/zenodo.7877144.
- 4.
This property is not expressible in non-hyper logics such as LTL\(_{\textsf{K}, \textsf{C}}\), where we can only check trace properties on the common knowledge set X. In contrast, Hyper2LTLfp allows us to check hyperproperties on X. That way, we can express that some value is common knowledge (i.e., equal across all traces in the set) and not only that a property is common knowledge (i.e., holds on all traces in the set).
References
Alur, R., Henzinger, T.A.: A really temporal logic. J. ACM 41(1) (1994). https://doi.org/10.1145/174644.174651
Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2) (1987). https://doi.org/10.1016/0890-5401(87)90052-6
Baumeister, J., Coenen, N., Bonakdarpour, B., Finkbeiner, B., Sánchez, C.: A temporal logic for asynchronous hyperproperties. In: Silva, A., Leino, K.R.M. (eds.) CAV 2021. LNCS, vol. 12759, pp. 694–717. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81685-8_33
Beutner, R., Carral, D., Finkbeiner, B., Hofmann, J., Krötzsch, M.: Deciding hyperproperties combined with functional specifications. In: Annual ACM/IEEE Symposium on Logic in Computer, LICS 2022. ACM (2022). https://doi.org/10.1145/3531130.3533369
Beutner, R., Finkbeiner, B.: A temporal logic for strategic hyperproperties. In: International Conference on Concurrency Theory, CONCUR 2021. LIPIcs, vol. 203. Schloss Dagstuhl (2021). https://doi.org/10.4230/LIPIcs.CONCUR.2021.24
Beutner, R., Finkbeiner, B.: Prophecy variables for hyperproperty verification. In: IEEE Computer Security Foundations Symposium, CSF 2022. IEEE (2022). https://doi.org/10.1109/CSF54842.2022.9919658
Beutner, R., Finkbeiner, B.: Software verification of hyperproperties beyond k-safety. In: International Conference on Computer Aided Verification, CAV 2022. LNCS, vol. 13371. Springer (2022). https://doi.org/10.1007/978-3-031-13185-1_17
Beutner, R., Finkbeiner, B.: AutoHyper: Explicit-state model checking for HyperLTL. In: International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 2023, vol. 13993. Springer (2023). https://doi.org/10.1007/978-3-031-30823-9_8
Beutner, R., Finkbeiner, B.: HyperATL\(^*\): A logic for hyperproperties in multi-agent systems. Log. Methods Comput, Sci (2023)
Beutner, R., Finkbeiner, B.: Model checking omega-regular hyperproperties with AutoHyperQ. In: International Conference on Logic for Programming, Artificial Intelligence and Reasoning, LPAR 2023. EPiC Series in Computing, EasyChair (2023)
Beutner, R., Finkbeiner, B., Frenkel, H., Metzger, N.: Second-order hyperproperties. CoRR abs/2305.17935 (2023). https://doi.org/10.48550/arXiv.2305.17935, https://doi.org/10.48550/arXiv.2305.17935
Boigelot, B., Legay, A., Wolper, P.: Iterating transducers in the large. In: Hunt, W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 223–235. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45069-6_24
Boigelot, B., Legay, A., Wolper, P.: Omega-regular model checking. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 561–575. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24730-2_41
Bonakdarpour, B., Sheinvald, S.: Finite-word hyperlanguages. In: Leporati, A., Martín-Vide, C., Shapira, D., Zandron, C. (eds.) LATA 2021. LNCS, vol. 12638, pp. 173–186. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-68195-1_17
Bouajjani, A., Jonsson, B., Nilsson, M., Touili, T.: Regular model checking. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 403–418. Springer, Heidelberg (2000). https://doi.org/10.1007/10722167_31
Bozzelli, L., Maubert, B., Pinchinat, S.: Unifying hyper and epistemic temporal logics. In: Pitts, A. (ed.) FoSSaCS 2015. LNCS, vol. 9034, pp. 167–182. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46678-0_11
Bozzelli, L., Peron, A., Sánchez, C.: Asynchronous extensions of HyperLTL. In: Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2021. IEEE (2021). https://doi.org/10.1109/LICS52264.2021.9470583
Büchi, J.R.: On a decision method in restricted second-order arithmetic. In: Studies in Logic and the Foundations of Mathematics, vol. 44. Elsevier (1966)
Chen, Y., Hong, C., Lin, A.W., Rümmer, P.: Learning to prove safety over parameterised concurrent systems. In: Formal Methods in Computer Aided Design, FMCAD 2017. IEEE (2017). https://doi.org/10.23919/FMCAD.2017.8102244
Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 265–284. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54792-8_15
Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6) (2010). https://doi.org/10.3233/JCS-2009-0393
Coenen, N., et al.: Explaining hyperproperty violations. In: International Conference on Computer Aided Verification, CAV 2022. LNCS, vol. 13371. Springer (2022). https://doi.org/10.1007/978-3-031-13185-1_20
Coenen, N., Finkbeiner, B., Frenkel, H., Hahn, C., Metzger, N., Siber, J.: Temporal causality in reactive systems. In: International Symposium on Automated Technology for Verification and Analysis, ATVA 2022. LNCS, vol. 13505. Springer (2022). https://doi.org/10.1007/978-3-031-19992-9_13
Coenen, N., Finkbeiner, B., Hofmann, J., Tillman, J.: Smart contract synthesis modulo hyperproperties. To appear at the 36th IEEE Computer Security Foundations Symposium (CSF 2023) (2023)
Coenen, N., Finkbeiner, B., Sánchez, C., Tentrup, L.: Verifying hyperliveness. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11561, pp. 121–139. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25540-4_7
Dams, D., Lakhnech, Y., Steffen, M.: Iterating transducers. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 286–297. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44585-4_27
Diekert, V., Rozenberg, G. (eds.): The Book of Traces. World Scientific (1995). https://doi.org/10.1142/2563
Dimitrova, R., Finkbeiner, B., Torfah, H.: Probabilistic hyperproperties of markov decision processes. In: Hung, D.V., Sokolsky, O. (eds.) ATVA 2020. LNCS, vol. 12302, pp. 484–500. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59152-6_27
Duret-Lutz, A., et al.: From spot 2.0 to spot 2.10: What’s new? In: International Conference on Computer Aided Verification, CAV 2022. LNCS, vol. 13372. Springer (2022). https://doi.org/10.1007/978-3-031-13188-2_9
Fagin, R., Halpern, J.Y., Moses, Y., Vardi, M.Y.: Reasoning About Knowledge. MIT Press (1995). https://doi.org/10.7551/mitpress/5803.001.0001
Finkbeiner, B., Frenkel, H., Hofmann, J., Lohse, J.: Automata-based software model checking of hyperproperties. In: Rozier, K.Y., Chaudhuri, S. (eds.) NASA Formal Methods, 15th International Symposium, NFM 2023, Houston, TX, USA, 16–18 May 2023, Proceedings. LNCS, vol. 13903. Springer (2023). https://doi.org/10.1007/978-3-031-33170-1_22
Finkbeiner, B., Rabe, M.N., Sánchez, C.: Algorithms for model checking HyperLTL and HyperCTL\(^*\). In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 30–48. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_3
Finkbeiner, B., Zimmermann, M.: The first-order logic of hyperproperties. In: Symposium on Theoretical Aspects of Computer Science, STACS 2017. LIPIcs, vol. 66. Schloss Dagstuhl (2017). https://doi.org/10.4230/LIPIcs.STACS.2017.30
Fortin, M., Kuijer, L.B., Totzke, P., Zimmermann, M.: HyperLTL satisfiability is \(\Sigma _1^1\)-complete, HyperCTL* satisfiability is \(\Sigma _1^2\)-complete. In: International Symposium on Mathematical Foundations of Computer Science, MFCS 2021. LIPIcs, vol. 202. Schloss Dagstuhl (2021). https://doi.org/10.4230/LIPIcs.MFCS.2021.47
Frenkel, H., Sheinvald, S.: Realizable and context-free hyperlanguages. In: Ganty, P., Monica, D.D. (eds.) Proceedings of the 13th International Symposium on Games, Automata, Logics and Formal Verification, GandALF 2022, Madrid, Spain, 21–23 September 2022. EPTCS, vol. 370, pp. 114–130 (2022). https://doi.org/10.4204/EPTCS.370.8, https://doi.org/10.4204/EPTCS.370.8
Gammie, P., van der Meyden, R.: MCK: model checking the logic of knowledge. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 479–483. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27813-9_41
Goudsmid, O., Grumberg, O., Sheinvald, S.: Compositional model checking for multi-properties. In: Henglein, F., Shoham, S., Vizel, Y. (eds.) VMCAI 2021. LNCS, vol. 12597, pp. 55–80. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-67067-2_4
Gutsfeld, J.O., Müller-Olm, M., Ohrem, C.: Propositional dynamic logic for hyperproperties. In: International Conference on Concurrency Theory, CONCUR 2020. LIPIcs, vol. 171. Schloss Dagstuhl (2020). https://doi.org/10.4230/LIPIcs.CONCUR.2020.50
Gutsfeld, J.O., Müller-Olm, M., Ohrem, C.: Automata and fixpoints for asynchronous hyperproperties. Proc. ACM Program. Lang. 5(POPL) (2021). https://doi.org/10.1145/3434319
Halpern, J.Y., Moses, Y.: Knowledge and common knowledge in a distributed environment. J. ACM 37(3), 549–587 (1990)
van der Hoek, W., Wooldridge, M.: Model checking knowledge and time. In: Bošnački, D., Leue, S. (eds.) SPIN 2002. LNCS, vol. 2318, pp. 95–111. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46017-9_9
Lomuscio, A., Qu, H., Raimondi, F.: MCMAS: an open-source model checker for the verification of multi-agent systems. Int. J. Softw. Tools Technol. Transfer 19(1), 9–30 (2015). https://doi.org/10.1007/s10009-015-0378-x
van der Meyden, R.: Common knowledge and update in finite environments. Inf. Comput. 140(2) (1998). https://doi.org/10.1006/inco.1997.2679
Nguyen, L.V., Kapinski, J., Jin, X., Deshmukh, J.V., Johnson, T.T.: Hyperproperties of real-valued signals. In: ACM-IEEE International Conference on Formal Methods and Models for System Design, MEMOCODE 2017. ACM (2017). https://doi.org/10.1145/3127041.3127058
Rabe, M.N.: A temporal logic approach to information-flow control. Ph.D. thesis, Saarland University (2016)
Sistla, A.P.: Theoretical issues in the design and verification of distributed systems. Ph.D. thesis, Harvard University (1983)
Tarski, A.: A lattice-theoretical fixpoint theorem and its applications (1955)
Winskel, G.: The formal semantics of programming languages - an introduction. MIT Press, Foundation of computing series (1993)
Acknowledgements
We thank Jana Hofmann for the fruitful discussions. This work was supported by the European Research Council (ERC) Grant HYPER (No. 101055412), by DFG grant 389792660 as part of TRR 248 – CPEC, and by the German Israeli Foundation (GIF) Grant No. I-1513-407.2019.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
� 2023 The Author(s)
About this paper
Cite this paper
Beutner, R., Finkbeiner, B., Frenkel, H., Metzger, N. (2023). Second-Order Hyperproperties. In: Enea, C., Lal, A. (eds) Computer Aided Verification. CAV 2023. Lecture Notes in Computer Science, vol 13965. Springer, Cham. https://doi.org/10.1007/978-3-031-37703-7_15
Download citation
DOI: https://doi.org/10.1007/978-3-031-37703-7_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-37702-0
Online ISBN: 978-3-031-37703-7
eBook Packages: Computer ScienceComputer Science (R0)