The First-Order Logic of Hyperproperties

TL;DR

This paper explores the logical foundations of hyperproperties, connecting HyperLTL with first-order logic, and establishing a Kamp's theorem analogue for hyperproperties, advancing formal methods in security analysis.

Contribution

It introduces a first-order logic framework for hyperproperties and proves an expressive equivalence with HyperLTL, extending classical logical theorems to hyperproperties.

Findings

HyperLTL is subsumed by a new first-order logic over sets of traces.

A fragment of the first-order logic is equivalent to HyperLTL.

Established a Kamp's theorem analogue for hyperproperties.

Abstract

We investigate the logical foundations of hyperproperties. Hyperproperties generalize trace properties, which are sets of traces, to sets of sets of traces. The most prominent application of hyperproperties is information flow security: information flow policies characterize the secrecy and integrity of a system by comparing two or more execution traces, for example by comparing the observations made by an external observer on execution traces that result from different values of a secret variable. In this paper, we establish the first connection between temporal logics for hyperproperties and first-order logic. Kamp's seminal theorem (in the formulation due to Gabbay et al.) states that linear-time temporal logic (LTL) is expressively equivalent to first-order logic over the natural numbers with order. We introduce first-order logic over sets of traces and prove that HyperLTL, the extension of LTL to hyperproperties, is strictly subsumed by this logic. We furthermore exhibit a fragment that is expressively equivalent to HyperLTL, thereby establishing Kamp's theorem for hyperproperties.