This paper presents a novel runtime monitoring approach for hyperproperties using HyperLTL and Boolean constraints, enabling efficient detection of violations through satisfiability checks.
Contribution
It introduces a constraint-based monitoring method for hyperproperties, leveraging BDDs or SAT solvers, improving over automata-based techniques.
Findings
01
Efficient detection of hyperproperty violations at runtime.
02
Comparison shows advantages over existing automata-based tools.
03
Framework supports complex hyperproperties like non-interference.
Abstract
Verifying hyperproperties at runtime is a challenging problem as hyperproperties, such as non-interference and observational determinism, relate multiple computation traces with each other. It is necessary to store previously seen traces, because every new incoming trace needs to be compatible with every run of the system observed so far. Furthermore, the new incoming trace poses requirements on future traces. In our monitoring approach, we focus on those requirements by rewriting a hyperproperty in the temporal logic HyperLTL to a Boolean constraint system. A hyperproperty is then violated by multiple runs of the system if the constraint system becomes unsatisfiable. We compare our implementation, which utilizes either BDDs or a SAT solver to store and evaluate constraints, to the automata-based monitoring tool RVHyper.
Figures5
Click any figure to enlarge with its caption.
Figure 1
Figure 0
Figure 1
Figure 2
Figure 3
Tables1
Table 1. Table 1 : Average results of our implementation compared to RVHyper on traces generated from circuit instances. Every instance was run 10 10 10 times.
instance
# traces
length
time RVHyper
time SAT
time BDD
xor1
19
5
12ms
47ms
49ms
xor2
1000
5
16913ms
996ms
1666ms
counter1
961
20
9610ms
8274ms
303ms
counter2
1353
20
19041ms
13772ms
437ms
mux1
1000
5
14924ms
693ms
647ms
mux2
80
5
121ms
79ms
81ms
Equations21
{a}
{a}
{a}
{}
φ
φ
ψ
\begin{array}[]{ll}\Pi_{\mathit{fin}}\vDash_{\_}Ta_{\_}\pi&\text{if }a\in\Pi_{\mathit{fin}}(\pi)[0]\\
\Pi_{\mathit{fin}}\vDash_{\_}T\neg\varphi&\text{if }\Pi_{\mathit{fin}}\nvDash_{\_}T\varphi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\varphi\lor\psi&\text{if }\Pi_{\mathit{fin}}\vDash_{\_}T\varphi\text{ or }\Pi_{\mathit{fin}}\vDash_{\_}T\psi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\operatorname{\leavevmode\leavevmode\hbox to7.41pt{\vbox to7.41pt{\pgfpicture\makeatletter\hbox{\hskip 3.70276pt\lower-1.11943pt\hbox to0.0pt{\pgfsys@beginscope\pgfsys@invoke{ }\definecolor{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@rgb@stroke{0}{0}{0}\pgfsys@invoke{ }\pgfsys@color@rgb@fill{0}{0}{0}\pgfsys@invoke{ }\pgfsys@setlinewidth{0.4pt}\pgfsys@invoke{ }\nullfont\hbox to0.0pt{\pgfsys@beginscope\pgfsys@invoke{ }
{{}{}}{{}}{}{{{}}{}{}{}{}{}{}{}{}}\pgfsys@beginscope\pgfsys@invoke{ }\pgfsys@setlinewidth{0.51666pt}\pgfsys@invoke{ }{}\pgfsys@moveto{0.0pt}{2.58333pt}\pgfsys@moveto{3.44443pt}{2.58333pt}\pgfsys@curveto{3.44443pt}{4.48566pt}{1.90233pt}{6.02776pt}{0.0pt}{6.02776pt}\pgfsys@curveto{-1.90233pt}{6.02776pt}{-3.44443pt}{4.48566pt}{-3.44443pt}{2.58333pt}\pgfsys@curveto{-3.44443pt}{0.681pt}{-1.90233pt}{-0.8611pt}{0.0pt}{-0.8611pt}\pgfsys@curveto{1.90233pt}{-0.8611pt}{3.44443pt}{0.681pt}{3.44443pt}{2.58333pt}\pgfsys@closepath\pgfsys@moveto{0.0pt}{2.58333pt}\pgfsys@stroke\pgfsys@invoke{ }
\pgfsys@invoke{\lxSVG@closescope }\pgfsys@endscope
\pgfsys@invoke{\lxSVG@closescope }\pgfsys@endscope{}{}{}\hss}\pgfsys@discardpath\pgfsys@invoke{\lxSVG@closescope }\pgfsys@endscope\hss}}\lxSVG@closescope\endpgfpicture}}}\varphi&\text{if }\forall t\in\Pi_{\mathit{fin}}\mathpunct{.}|t|>1\text{ and }\Pi_{\mathit{fin}}[1\rangle\vDash_{\_}T\varphi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\varphi\operatorname{\mathcal{U}}\psi&\text{if }\exists i<\min\nolimits_{\_}{t\in\Pi_{\mathit{fin}}}|t|\mathpunct{.}\Pi_{\mathit{fin}}[i\rangle\vDash_{\_}T\psi\land\forall j<i\mathpunct{.}\Pi_{\mathit{fin}}[j\rangle\vDash_{\_}T\varphi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\exists\pi\mathpunct{.}\varphi&\text{if there is some }t\in T\text{ such that }\Pi_{\mathit{fin}}[\pi\mapsto t]\vDash_{\_}T\varphi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\forall\pi\mathpunct{.}\varphi&\text{if for all }t\in T\text{ such that }\Pi_{\mathit{fin}}[\pi\mapsto t]\vDash_{\_}T\varphi\end{array}
\begin{array}[]{ll}\Pi_{\mathit{fin}}\vDash_{\_}Ta_{\_}\pi&\text{if }a\in\Pi_{\mathit{fin}}(\pi)[0]\\
\Pi_{\mathit{fin}}\vDash_{\_}T\neg\varphi&\text{if }\Pi_{\mathit{fin}}\nvDash_{\_}T\varphi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\varphi\lor\psi&\text{if }\Pi_{\mathit{fin}}\vDash_{\_}T\varphi\text{ or }\Pi_{\mathit{fin}}\vDash_{\_}T\psi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\operatorname{\leavevmode\leavevmode\hbox to7.41pt{\vbox to7.41pt{\pgfpicture\makeatletter\hbox{\hskip 3.70276pt\lower-1.11943pt\hbox to0.0pt{\pgfsys@beginscope\pgfsys@invoke{ }\definecolor{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@rgb@stroke{0}{0}{0}\pgfsys@invoke{ }\pgfsys@color@rgb@fill{0}{0}{0}\pgfsys@invoke{ }\pgfsys@setlinewidth{0.4pt}\pgfsys@invoke{ }\nullfont\hbox to0.0pt{\pgfsys@beginscope\pgfsys@invoke{ }
{{}{}}{{}}{}{{{}}{}{}{}{}{}{}{}{}}\pgfsys@beginscope\pgfsys@invoke{ }\pgfsys@setlinewidth{0.51666pt}\pgfsys@invoke{ }{}\pgfsys@moveto{0.0pt}{2.58333pt}\pgfsys@moveto{3.44443pt}{2.58333pt}\pgfsys@curveto{3.44443pt}{4.48566pt}{1.90233pt}{6.02776pt}{0.0pt}{6.02776pt}\pgfsys@curveto{-1.90233pt}{6.02776pt}{-3.44443pt}{4.48566pt}{-3.44443pt}{2.58333pt}\pgfsys@curveto{-3.44443pt}{0.681pt}{-1.90233pt}{-0.8611pt}{0.0pt}{-0.8611pt}\pgfsys@curveto{1.90233pt}{-0.8611pt}{3.44443pt}{0.681pt}{3.44443pt}{2.58333pt}\pgfsys@closepath\pgfsys@moveto{0.0pt}{2.58333pt}\pgfsys@stroke\pgfsys@invoke{ }
\pgfsys@invoke{\lxSVG@closescope }\pgfsys@endscope
\pgfsys@invoke{\lxSVG@closescope }\pgfsys@endscope{}{}{}\hss}\pgfsys@discardpath\pgfsys@invoke{\lxSVG@closescope }\pgfsys@endscope\hss}}\lxSVG@closescope\endpgfpicture}}}\varphi&\text{if }\forall t\in\Pi_{\mathit{fin}}\mathpunct{.}|t|>1\text{ and }\Pi_{\mathit{fin}}[1\rangle\vDash_{\_}T\varphi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\varphi\operatorname{\mathcal{U}}\psi&\text{if }\exists i<\min\nolimits_{\_}{t\in\Pi_{\mathit{fin}}}|t|\mathpunct{.}\Pi_{\mathit{fin}}[i\rangle\vDash_{\_}T\psi\land\forall j<i\mathpunct{.}\Pi_{\mathit{fin}}[j\rangle\vDash_{\_}T\varphi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\exists\pi\mathpunct{.}\varphi&\text{if there is some }t\in T\text{ such that }\Pi_{\mathit{fin}}[\pi\mapsto t]\vDash_{\_}T\varphi\\
\Pi_{\mathit{fin}}\vDash_{\_}T\forall\pi\mathpunct{.}\varphi&\text{if for all }t\in T\text{ such that }\Pi_{\mathit{fin}}[\pi\mapsto t]\vDash_{\_}T\varphi\end{array}
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Constraint-Based Monitoring of Hyperproperties††thanks: This work was partially supported by the German Research Foundation (DFG) as part of the Collaborative Research Center “Methods and Tools for Understanding and Controlling Privacy” (CRC 1223) and the Collaborative Research Center “Foundations of Perspicuous Software Systems” (CRC 248), and by the European Research Council (ERC) Grant OSARES (No. 683300).
Christopher Hahn
Marvin Stenger
Leander Tentrup
Abstract
Verifying hyperproperties at runtime is a challenging problem as hyperproperties, such as non-interference and observational determinism, relate multiple computation traces with each other. It is necessary to store previously seen traces, because every new incoming trace needs to be compatible with every run of the system observed so far. Furthermore, the new incoming trace poses requirements on future traces. In our monitoring approach, we focus on those requirements by rewriting a hyperproperty in the temporal logic HyperLTL to a Boolean constraint system. A hyperproperty is then violated by multiple runs of the system if the constraint system becomes unsatisfiable. We compare our implementation, which utilizes either BDDs or a SAT solver to store and evaluate constraints, to the automata-based monitoring tool RVHyper.
As today’s complex and large-scale systems are usually far beyond the scope of classic verification techniques like model checking or theorem proving, we are in the need of light-weight monitors for controlling the flow of information.
By instrumenting efficient monitoring techniques in such systems that operate in an unpredictable privacy-critical environment, countermeasures will be enacted before irreparable information leaks happen.
Information-flow policies, however, cannot be monitored with standard runtime verification techniques as they relate multiple runs of a system.
For example, observational determinism [19, 21, 24] is a policy stating that altering non-observable input has no impact on the observable behavior.
Hyperproperties [7] are a generalization of trace properties and are thus capable of expressing information-flow policies.
HyperLTL [6] is a recently introduced temporal logic for hyperproperties, which extends Linear-time Temporal Logic (LTL) [20] with trace variables and explicit trace quantification.
Observational determinism is expressed as the formula ∀π,π′.(out_π↔out_π′)W(in_π↮in_π′), stating that all traces π,π′ should agree on the output as long as they agree on the inputs.
In contrast to classic trace property monitoring, where a single run suffices to determine a violation, in runtime verification of HyperLTL formulas, we are concerned whether a set of runs through a system violates a given specification.
In the common setting, those runs are given sequentially to the runtime monitor [1, 2, 12, 13], which determines if the given set of runs violates the specification.
An alternative view on HyperLTL monitoring is that every new incoming trace poses requirements on future traces.
For example, the event {in,out} in the observational determinism example above asserts that for every other trace, the output out has to be enabled if in is enabled.
Approaches based on static automata constructions [1, 12, 13] perform very well on this type of specifications, although their scalability is intrinsically limited by certain parameters:
The automaton construction becomes a bottleneck for more complex specifications, especially with respect to the number of atomic propositions. Furthermore, the computational workload grows steadily with the number of incoming traces, as every trace seen so far has to be checked against every new trace.
Even optimizations [12], which minimize the amount of traces that must be stored, turn out to be too coarse grained as the following example shows.
Consider the monitoring of the HyperLTL formula ∀π,π′.\leavevmode\leavevmodeto6.97pt\vboxto6.97pt\pgfpicture\makeatletter\lower-1.11945ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt-0.86111pt\pgfsys@lineto0.0pt5.5972pt\pgfsys@lineto6.45831pt5.5972pt\pgfsys@lineto6.45831pt-0.86111pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture(a_π→¬b_π′), which states that globally if a occurs on any trace π, then b is not allowed to hold on any trace π′, on the following incoming traces:
[TABLE]
In prior work [12], we observed that traces, which pose less requirements on future traces, can safely be discarded from the monitoring process. In the example above, the requirements of trace 1 are dominated by the requirements of trace 2, namely that b is not allowed to hold on the first and second position of new incoming traces. Hence, trace 1 must not longer be stored in order to detect a violation.
But with the proposed language inclusion check in [12], neither trace 2 nor trace 3 can be discarded, as they pose incomparable requirements.
They have, however, overlapping constraints, that is, they both enforce ¬b in the first step.
To further improve the conciseness of the stored traces information, we use rewriting, which is a more fine-grained monitoring approach.
The basic idea is to track the requirements that future traces have to fulfill, instead of storing a set of traces.
In the example above, we would track the requirement that b is not allowed to hold on the first three positions of every freshly incoming trace.
Rewriting has been applied successfully to trace properties, namely LTL formulas [17].
The idea is to partially evaluate a given LTL specification φ on an incoming event by unrolling φ according to the expansion laws of the temporal operators.
The result of a single rewrite is again an LTL formula representing the updated specification, which the continuing execution has to satisfy.
We use rewriting techniques to reduce ∀2HyperLTL formulas to LTL constraints and check those constraints for inconsistencies corresponding to violations.
In this paper, we introduce a complete and provably correct rewriting-based monitoring approach for ∀2HyperLTL formulas.
Our algorithm rewrites a HyperLTL formula and a single event into a constraint composed of plain LTL and HyperLTL.
For example, assume the event {in,out} while monitoring observational determinism formalized above.
The first step of the rewriting applies the expansion laws for the temporal operators, which results in (in_π↮in_π′)∨(out_π↔out_π′)∧\leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture((out_π↔out_π′)W(in_π↮in_π′)).
The event {in,out} is rewritten for atomic propositions indexed by the trace variable π. This means replacing each occurrence of in or out in the current expansion step, i.e., before the \leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture operator, with ⊤.
Additionally, we strip the π′ trace quantifier in the current expansion step from all other atomic propositions.
This leaves us with (⊤↮in)∨(⊤↔out)∧\leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture((out_π↔out_π′)W(in_π↮in_π′)).
After simplification we have ¬in∨out∧\leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture((out_π↔out_π′)W(in_π↮in_π′)) as the new specification, which consists of a plain LTL part and a HyperLTL part.
Based on this, we incrementally build a Boolean constraint system: we start by encoding the constraints corresponding to the LTL part and encode the HyperLTL part as variables. Those variables will then be incrementally defined when more elements of the trace become available.
With this approach, we solely store the necessary information needed to detect violations of a given hyperproperty.
We evaluate two implementations of our approach, based on BDDs and SAT-solving, against RVHyper [13], a highly optimized automaton-based monitoring tool for temporal hyperproperties. Our experiments show that the rewriting approach performs equally well in general and better on a class of formulas which we call guarded invariants, i.e., formulas that define a certain invariant relation between two traces.
Related Work.
With the need to express temporal hyperproperties in a succinct and formal manner,
the above mentioned temporal logics HyperLTL and HyperCTL* [6] have been proposed.
The model-checking [6, 15, 14], satisfiability [9], and realizability problem [10] of HyperLTL has been studied before.
Runtime verification of HyperLTL formulas was first considered for (co-)k-safety hyperproperties [1].
In the same paper, the notion of monitorability for
HyperLTL was introduced.
The authors have also identified syntactic classes of
HyperLTL formulas that are monitorable and they proposed a monitoring algorithm based on a progression logic expressing trace interdependencies and the composition of an LTL_3 monitor.
Another automata-based approach for monitoring HyperLTL formulas was proposed in [12].
Given a HyperLTL specification, the algorithm starts by creating a deterministic monitor automaton.
For every incoming trace it is then checked that all combinations with the already seen traces are accepted by the automaton.
In order to minimize the number of stored traces, a language-inclusion-based algorithm is proposed, which allows to prune traces with redundant information.
Furthermore, a method to reduce the number of combination of traces which have to get checked by analyzing the specification for relations such as reflexivity, symmetry, and transitivity with a HyperLTL-SAT solver [9, 11], is proposed.
The algorithm is implemented in the tool RVHyper [13], which was used to monitor information-flow policies and to detect spurious dependencies in hardware designs.
Another rewriting-based monitoring approach for HyperLTL is outlined in [5]. The idea is to identify a set of propositions of interest and aggregate constraints
such that inconsistencies in the constraints indicate a violation of the HyperLTL formula. While the paper describes the building blocks for such a monitoring approach with a number of examples, we have, unfortunately, not been successful in applying the algorithm to other hyperproperties of interest, such as observational determinism.
In [3], the authors study the complexity of monitoring hyperproperties. They show that the form and size of the input, as well as the formula have a significant impact on the feasibility of the monitoring process. They differentiate between several input forms and study their complexity: a set of linear traces, tree-shaped Kripke structures, and acyclic Kripke structures. For acyclic structures and alternation-free HyperLTL formulas, the problems complexity gets as low as NC.
In [4], the authors discuss examples where static analysis can be combined with runtime verification techniques to monitor HyperLTL formulas beyond the alternation-free fragment. They discuss the challenges in monitoring formulas beyond this fragment and lay the foundations towards a general method.
2 Preliminaries
Let AP be a finite set of atomic propositions and let Σ=2AP be the corresponding alphabet.
An infinite tracet∈Σω is an infinite sequence over the alphabet.
A subset T⊆Σω is called a trace property. A hyperpropertyH⊆2(Σω) is a generalization of a trace property.
A finite trace t∈Σ+ is a finite sequence over Σ.
In the case of finite traces, ∣t∣ denotes the length of a trace.
We use the following notation to access and manipulate traces:
Let t be a trace and i be a natural number.
t[i] denotes the i-th element of t.
Therefore, t[0] represents the first element of the trace.
Let j be natural number. If j≥i and i≥∣t∣, then
t[i,j] denotes the sequence t[i]t[i+1]⋯t[min(j,∣t∣−1)]. Otherwise it denotes the empty trace ϵ.
t[i⟩ denotes the suffix of t starting at position i.
For two finite traces s and t, we denote their concatenation by s⋅t.
HyperLTL Syntax.
HyperLTL [6] extends LTL with trace variables and trace quantifiers.
Let V be a finite set of trace variables.
The syntax of HyperLTL is given by the grammar
[TABLE]
where a∈AP is an atomic proposition and π∈V is a trace variable.
Atomic propositions are indexed by trace variables. The explicit trace quantification enables us to express properties like “on all traces φ must hold”, expressed by ∀π.φ. Dually, we can express “there exists a trace such that φ holds”, expressed by ∃π.φ.
We use the standard derived operators releaseφRψ:=¬(¬φU¬ψ), eventually\leavevmode\leavevmodeto8.7pt\vboxto8.7pt\pgfpicture\makeatletter\lower-1.76527ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@lineto4.09026pt6.67358pt\pgfsys@lineto8.18053pt2.58333pt\pgfsys@lineto4.09026pt-1.50694pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ:=trueUφ, globally\leavevmode\leavevmodeto6.97pt\vboxto6.97pt\pgfpicture\makeatletter\lower-1.11945ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt-0.86111pt\pgfsys@lineto0.0pt5.5972pt\pgfsys@lineto6.45831pt5.5972pt\pgfsys@lineto6.45831pt-0.86111pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ:=¬\leavevmode\leavevmodeto8.7pt\vboxto8.7pt\pgfpicture\makeatletter\lower-1.76527ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@lineto4.09026pt6.67358pt\pgfsys@lineto8.18053pt2.58333pt\pgfsys@lineto4.09026pt-1.50694pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture¬φ, and weak untilφ_1Wφ_2:=(φ_1Uφ_2)∨\leavevmode\leavevmodeto6.97pt\vboxto6.97pt\pgfpicture\makeatletter\lower-1.11945ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt-0.86111pt\pgfsys@lineto0.0pt5.5972pt\pgfsys@lineto6.45831pt5.5972pt\pgfsys@lineto6.45831pt-0.86111pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ_1.
As we use the finite trace semantics, \leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ denotes the strong version of the next operator, i.e., if a trace ends before the satisfaction of φ can be determined, the satisfaction relation, defined below, evaluates to false.
To enable duality in the finite trace setting, we additionally use the weak next operator \leavevmode\leavevmodeto7.41pt\vboxto9.92pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.3875pt\pgfsys@invoke\pgfsys@roundcap\pgfsys@invoke\pgfsys@moveto-1.72221pt7.5347pt\pgfsys@lineto-1.39905pt7.93867pt\pgfsys@curveto-1.10196pt8.31003pt-0.5885pt8.33847pt-0.25223pt8.0022pt\pgfsys@lineto0.25223pt7.49776pt\pgfsys@curveto0.5885pt7.16148pt1.10196pt7.18993pt1.39905pt7.56128pt\pgfsys@lineto1.72221pt7.96526pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ which evaluates to true if a trace ends before the satisfaction of φ can be determined and is defined as \leavevmode\leavevmodeto7.41pt\vboxto9.92pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.3875pt\pgfsys@invoke\pgfsys@roundcap\pgfsys@invoke\pgfsys@moveto-1.72221pt7.5347pt\pgfsys@lineto-1.39905pt7.93867pt\pgfsys@curveto-1.10196pt8.31003pt-0.5885pt8.33847pt-0.25223pt8.0022pt\pgfsys@lineto0.25223pt7.49776pt\pgfsys@curveto0.5885pt7.16148pt1.10196pt7.18993pt1.39905pt7.56128pt\pgfsys@lineto1.72221pt7.96526pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ:=¬\leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture¬φ.
We call ψ of a HyperLTL formula Q.ψ, with an arbitrary quantifier prefix Q, the body of the formula. A HyperLTL formula Q.ψ is in the alternation-free fragment if either Q consists solely of universal quantifiers or solely of existential quantifiers.
We also denote the respective alternation-free fragments as the ∀n fragment and the ∃n fragment, with n being the number of quantifiers in the prefix.
Finite Trace Semantics.
We recap the finite trace semantics for HyperLTL [5] which is itself based on the finite trace semantics of LTL [18].
In the following, when using L(φ) we refer to the finite trace semantics of a HyperLTL formula φ.
Let Πfin:V→Σ+ be a partial function mapping trace variables to finite traces. We define ϵ[0] as the empty set.
Πfin[i⟩ denotes the trace assignment that is equal to Πfin(π)[i⟩ for all π∈dom(Πfin).
By slight abuse of notation, we write t∈Πfin to access traces t in the image of Πfin.
The satisfaction of a HyperLTL formula φ over a finite trace assignment Πfin and a set of finite traces T, denoted by Πfin⊨_Tφ, is defined as follows:
[TABLE]
Due to duality of U/R, \leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture/\leavevmode\leavevmodeto7.41pt\vboxto9.92pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.3875pt\pgfsys@invoke\pgfsys@roundcap\pgfsys@invoke\pgfsys@moveto-1.72221pt7.5347pt\pgfsys@lineto-1.39905pt7.93867pt\pgfsys@curveto-1.10196pt8.31003pt-0.5885pt8.33847pt-0.25223pt8.0022pt\pgfsys@lineto0.25223pt7.49776pt\pgfsys@curveto0.5885pt7.16148pt1.10196pt7.18993pt1.39905pt7.56128pt\pgfsys@lineto1.72221pt7.96526pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture, ∃/∀, and the standard Boolean operators, every HyperLTL formula φ can be transformed into negation normal form (NNF), i.e., for every φ there is some ψ in negation normal form such that for all Πfin and T it holds that Πfin⊨_Tφ if, and only if, Πfin⊨_Tψ.
The standard LTL semantic, written t⊨LTLfinφ, for some LTL formula φ is equal to {π↦t}_fin⊨_∅φ′, where φ′ is derived from φ by replacing every proposition p∈AP by p_π.
3 Rewriting HyperLTL
Given the body φ of a ∀2HyperLTL formula ∀π,π′.φ, and a finite trace t∈Σ+, we define alternative language characterizations.
These capture the intuitive idea that, if one fixes a finite trace t, the language of ∀π,π′.φ includes exactly those traces t′ that satisfy φ in conjunction with t.
[TABLE]
We call φ^:=φ∧φ[π′/π,π/π′] the symmetric closure of φ, where φ[π′/π,π/π′] represents the expression φ in which the trace variables π,π′ are swapped. The language of the symmetric closure, when fixing one trace variable, is equivalent to the language of φ.
Lemma 1
Given the body φ of a ∀2HyperLTL formula ∀π,π′.φ, and a finite trace t∈Σ+, it holds that
Ltπ(φ^)=Lt(φ).
We exploit this to rewrite a ∀2HyperLTL formula into an LTL formula.
We define the projection φ∣tπ of the body φ of a ∀2HyperLTL formula ∀π,π′.φ in NNF and a finite trace t∈Σ+ to an LTL formula recursively on the structure of φ:
[TABLE]
Theorem 3.1
Given a ∀2HyperLTL formula ∀π,π′.φ and any two finite traces t,t′∈Σ+ it holds that
t′∈Ltπ(φ) if, and only if t′⊨LTLfinφ∣tπ.
Proof
By induction on the size of t.
Induction Base (t=e, where e∈Σ): Let t′∈Σ+ be arbitrarily chosen.
We distinguish by structural induction the following cases over the formula φ. We begin with the base cases.
•
a_π:
we know by definition that a_π∣tπ equals ⊤ if a∈t[0] and ⊥ otherwise,
so it follows that
t′⊨LTLfina_π∣tπ⇔a∈t[0]⇔t′∈Ltπ(a_π).
φ∧ψ, \leavevmode\leavevmodeto7.41pt\vboxto9.92pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.3875pt\pgfsys@invoke\pgfsys@roundcap\pgfsys@invoke\pgfsys@moveto-1.72221pt7.5347pt\pgfsys@lineto-1.39905pt7.93867pt\pgfsys@curveto-1.10196pt8.31003pt-0.5885pt8.33847pt-0.25223pt8.0022pt\pgfsys@lineto0.25223pt7.49776pt\pgfsys@curveto0.5885pt7.16148pt1.10196pt7.18993pt1.39905pt7.56128pt\pgfsys@lineto1.72221pt7.96526pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ and φRψ are proven analogously.
Induction Step (t=e⋅t∗, where e∈Σ,t∗∈Σ+):
The induction hypothesis states that ∀t′∈Σ+.t′∈Lt∗π(φ)⇔t′⊨LTLfinφ∣t∗π (IH).
We make use of structural induction over φ. All cases without temporal operators are covered as their proofs above were independent of ∣t∣.
The structural induction hypothesis states for all strict subformulas ψ that
∀t′∈Σ+.t′∈Ltπ(ψ)⇔t′⊨LTLfinψ∣tπ (SIH2).
\leavevmode\leavevmodeto7.41pt\vboxto9.92pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.3875pt\pgfsys@invoke\pgfsys@roundcap\pgfsys@invoke\pgfsys@moveto-1.72221pt7.5347pt\pgfsys@lineto-1.39905pt7.93867pt\pgfsys@curveto-1.10196pt8.31003pt-0.5885pt8.33847pt-0.25223pt8.0022pt\pgfsys@lineto0.25223pt7.49776pt\pgfsys@curveto0.5885pt7.16148pt1.10196pt7.18993pt1.39905pt7.56128pt\pgfsys@lineto1.72221pt7.96526pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ and φRψ are proven analogously.
4 Constraint-based Monitoring
For monitoring, we need to define an incremental rewriting that accurately models the semantics of φ∣tπ while still being able to detect violations early.
To this end, we define an operation φ[π,e,i], where e∈Σ is an event and i is the current position in the trace.
φ[π,e,i] transforms φ into a propositional formula, where the variables are either indexed atomic propositions p_i for p∈AP, or a variable vφ′,i+1− and vφ′,i+1+ that act as placeholders until new information about the trace comes in.
Whenever the next event e′ occurs, the variables are defined with the result of φ′[π,e′,i+1].
If the trace ends, the variables are set to true and false for v+ and v−, respectively.
We define φ[π,e,i] of a ∀2HyperLTL formula ∀π,π′.φ in NNF, event e∈Σ, and i≥0 recursively on the structure of the body φ:
[TABLE]
We encode a ∀2HyperLTL formula and finite traces into a constraint system, which, as we will show, is satisfiable if and only if the given traces satisfy the formula w.r.t. the finite semantics of HyperLTL.
We write vφ,i to denote either vφ,i− or vφ,i+.
For e∈Σ and t∈Σ∗, we define
[TABLE]
where we use vψ,i+1∈φ[π,e,i] to denote variables vψ,i+1 occurring in the propositional formula φ[π,e,i].
enc is used to transform a trace into a propositional formula, e.g., enc{a,b}0({a}{a,b})=a_0∧¬b_0∧a_1∧b_1.
For n=0 we omit the annotation, i.e., we write encAP(t) instead of encAP0(t).
Also we omit the index AP if it is clear from the context.
By slight abuse of notation, we use constrn(φ,t) for some quantifier free HyperLTL formula φ to denote constr(vφ,n,t) if ∣t∣>0.
For a trace t′∈Σ+, we use the notation
enc(t′)⊨constr(φ,t), which evaluates to true if, and only if enc(t′)∧constr(φ,t) is satisfiable.
4.1 Algorithm
Figure 1 depicts our constraint-based algorithm. Note that this algorithm can be used in an offline and online fashion.
Before we give algorithmic details, consider again, the observational determinism example from the introduction, which is expressed as ∀2HyperLTL formula ∀π,π′.(out_π↔out_π′)W(in_π↮in_π′).
The basic idea of the algorithm is to transform the HyperLTL formula to a formula consisting partially of LTL, which expresses the requirements of the incoming trace in the current step, and partially of HyperLTL.
Assuming the event {in,out}, we transform the observational determinism formula to the following formula: ¬in∨out∧\leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture((out_π↔out_π′)W(in_π↮in_π′)).
A Boolean constraint system is then build incrementally: we start encoding the constraints corresponding to the LTL part (in front of the next-operator) and encode the HyperLTL part (after the next-operator) as variables that are defined when more events of the trace come in.
We continue by explaining the algorithm in detail.
In Figure 1, we construct ψ as the negation normal form of the symmetric closure of the original formula.
We build two constraint systems: C containing constraints of previous traces and C_t (built incrementally) containing the constraints for the current trace t.
Consequently, we initialize C with ⊤ and C_t with vψ,0 (lines 1 and 1).
If the trace ends, we define the remaining v variables according to their polarities and add C_t to C.
For each new event e_i in the trace t, and each “open” constraint in C_t corresponding to step i, i.e., vϕ,i∈C_t, we rewrite the formula ϕ (line 1) and define vϕ,i with the rewriting result, which, potentially introduced new open constraints vϕ′,i+1 for the next step i+1.
The constraint encoding of the current trace is aggregated in constraint t_enc (Figure 1).
If the constraint system given the encoding of the current trace turns out to be unsatisfiable, a violation to the specification is detected, which is then returned.
In the following, we sketch two algorithmic improvements.
First, instead of storing the constraints corresponding to traces individually, we use a new data structure, which is a tree maintaining nodes of formulas, their corresponding variables and also child nodes.
Such a node corresponds to already seen rewrites.
The initial node captures the (transformed) specification (similar to line 1) and it is also the root of the tree structure, representing all the generated constraints which replaces C in Fig. 1.
Whenever a trace deviates in its rewrite result a new child or branch is added to the tree.
If a rewrite result is already present in the node tree structure there is no need to create any new constraints nor new variables.
This is crucial in case we observe many equal traces or traces behaving effectively the same.
In case no new constraints were added to the constraint system, we omit a superfluous check for satisfiability.
Second, we use conjunct splitting to utilize the node tree optimization even more.
We illustrate the basic idea on an example.
Consider ∀π,π′.φ with φ=\leavevmode\leavevmodeto6.97pt\vboxto6.97pt\pgfpicture\makeatletter\lower-1.11945ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt-0.86111pt\pgfsys@lineto0.0pt5.5972pt\pgfsys@lineto6.45831pt5.5972pt\pgfsys@lineto6.45831pt-0.86111pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture((a_π↔a_π′)∨(b_π↔b_π′)), which demands that on all executions on each position at least on of propositions a or b agree in its evaluation.
Consider the two traces t_1={a}{a}{a}, t_2={a}{a,b}{a} that satisfy the specification.
As both traces feature the same first event, they also share the same rewrite result for the first position.
Interestingly, on the second position, we get (a∨¬b)∧s_φ for t_1 and (a∨b)∧s_φ for t_2 as the rewrite results.
While these constraints are no longer equal, by the nature of invariants, both feature the same subterm on the right hand side of the conjunction.
We split the resulting constraint on its syntactic structure, such that we would no longer have to introduce a branch in the tree.
4.2 Correctness
In this technical subsection, we will formally prove correctness of our algorithm by showing that our incremental construction of the Boolean constraints is equisatisfiable to the HyperLTL rewriting presented in Section 3.
We begin by showing that satisfiability is preserved when shifting the indices, as stated by the following lemma.
Lemma 2
For any ∀2HyperLTL formula ∀π,π′.φ over atomic propositions AP, any finite traces t,t′∈Σ+ and n≥0 it holds that
encAP(t′)⊨constr(φ,t)⇔encAPn(t′)⊨constrn(φ,t).
Proof
By renaming of the positional indices.
In the following lemma and corollary, we show that the semantics of the next operators matches the finite LTL semantics.
Lemma 3
For any ∀2HyperLTL formula ∀π,π′.φ over atomic propositions AP and any finite traces t,t′∈Σ+ it holds that
enc(t′)⊨constr(\leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ,t)⇔enc(t′)⊨constr(vφ,1−,t[1⟩)⇔enc(t′[1⟩)⊨constr(vφ,0−,t[1⟩).
Proof
Let φ, t,t′ be given.
It holds that constr(\leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ,t)=constr(vφ,1−,t[1⟩) by definition.
As constr(vφ,1−,t[1⟩) by construction does not contain any variables with positional index [math], we only need to check satisfiablity with respect to enc(t′[1⟩). Thus
enc(t′)⊨constr(\leavevmode\leavevmodeto7.41pt\vboxto7.41pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ,t)⇔enc(t′)⊨constr(vψ,1−,t[1⟩)⇔enc1(t′[1⟩)⊨constr(vφ,1−,t[1⟩)Lem\reflem:encshiftenc(t′[1⟩)⊨constr(vφ,0−,t[1⟩).
Corollary 1
For any ∀2HyperLTL formula ∀π,π′.φ over atomic propositions AP and any finite traces t,t′∈Σ+ it holds that
enc(t′)⊨constr(\leavevmode\leavevmodeto7.41pt\vboxto9.92pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.3875pt\pgfsys@invoke\pgfsys@roundcap\pgfsys@invoke\pgfsys@moveto-1.72221pt7.5347pt\pgfsys@lineto-1.39905pt7.93867pt\pgfsys@curveto-1.10196pt8.31003pt-0.5885pt8.33847pt-0.25223pt8.0022pt\pgfsys@lineto0.25223pt7.49776pt\pgfsys@curveto0.5885pt7.16148pt1.10196pt7.18993pt1.39905pt7.56128pt\pgfsys@lineto1.72221pt7.96526pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ,t)⇔enc(t′)⊨constr(vφ,1+,t[1⟩)⇔enc(t′[1⟩)⊨constr(vφ,0+,t[1⟩).
We will now state the correctness theorem, namely that our algorithm preserves the HyperLTL rewriting semantics.
Theorem 4.1
For every ∀2HyperLTL formula ∀π,π′.φ in negation normal form over atomic propositions AP and any finite trace t∈Σ+ it holds that
∀t′∈Σ+.t′⊨LTLfinφ∣tπ⇔encAP(t′)⊨constr(φ,t).
Proof
By induction over the size of t.
Induction Base (t=e, where e∈Σ):
We choose t′∈Σ+ arbitrarily.
We distinguish by structural induction the following cases over the formula φ:
•
a_π:
constr(a_π,e)=(a_π)[π,e,0]=⊤ if, and only if, a∈e.
Thus
enc(t′)⊨constr(a_π,e)⇔a∈e⇔t′⊨LTLfina_π∣eπ.
φ∧ψ, \leavevmode\leavevmodeto7.41pt\vboxto9.92pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.3875pt\pgfsys@invoke\pgfsys@roundcap\pgfsys@invoke\pgfsys@moveto-1.72221pt7.5347pt\pgfsys@lineto-1.39905pt7.93867pt\pgfsys@curveto-1.10196pt8.31003pt-0.5885pt8.33847pt-0.25223pt8.0022pt\pgfsys@lineto0.25223pt7.49776pt\pgfsys@curveto0.5885pt7.16148pt1.10196pt7.18993pt1.39905pt7.56128pt\pgfsys@lineto1.72221pt7.96526pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ, and φRψ are proven analogously.
Induction Step (t=e⋅t∗, where e∈Σ and t∗∈Σ+):
The induction hypothesis states that
∀t′∈Σ+.t′⊨LTLfinφ∣t∗π⇔enc(t′)⊨constr(φ,t∗) (IH).
We make use of structural induction over φ.
All base cases are covered as their proofs above are independent of ∣t∣.
The structural induction hypothesis states for all strict subformulas ψ that
∀t′∈Σ+.t′⊨LTLfinψ∣tπ⇔enc(t′)⊨constr(ψ,t).
†:
⇐: trivial,
⇒: Assume a model M_φ for enc(t′)⊨φ[π,e,0]∧A. By construction, constraints by φ do not share variable with constraints by ψ.
We extend the model by assigning vψ′,1 with ⊥, for all vψ′,1∈ψ[π,e,0] and assigning the rest of the variables in ψ[π,e,0] arbitrarily.
φ∧ψ, \leavevmode\leavevmodeto7.41pt\vboxto9.92pt\pgfpicture\makeatletter\lower-1.11943ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@moveto3.44443pt2.58333pt\pgfsys@curveto3.44443pt4.48566pt1.90233pt6.02776pt0.0pt6.02776pt\pgfsys@curveto-1.90233pt6.02776pt-3.44443pt4.48566pt-3.44443pt2.58333pt\pgfsys@curveto-3.44443pt0.681pt-1.90233pt-0.8611pt0.0pt-0.8611pt\pgfsys@curveto1.90233pt-0.8611pt3.44443pt0.681pt3.44443pt2.58333pt\pgfsys@closepath\pgfsys@moveto0.0pt2.58333pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.3875pt\pgfsys@invoke\pgfsys@roundcap\pgfsys@invoke\pgfsys@moveto-1.72221pt7.5347pt\pgfsys@lineto-1.39905pt7.93867pt\pgfsys@curveto-1.10196pt8.31003pt-0.5885pt8.33847pt-0.25223pt8.0022pt\pgfsys@lineto0.25223pt7.49776pt\pgfsys@curveto0.5885pt7.16148pt1.10196pt7.18993pt1.39905pt7.56128pt\pgfsys@lineto1.72221pt7.96526pt\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpictureφ, and φRψ are proven analogously.
Corollary 2
For any ∀2HyperLTL formula ∀π,π′.φ in negation normal form over atomic propositions AP and any finite traces t,t′∈Σ+ it holds that
t′∈Lt(φ)⇔encAP(t′)⊨constr(φ^,t).
For any ∀2HyperLTL formula ∀π,π′.φ in negation normal form over atomic propositions AP and any finite traces t,t′∈Σ+ it holds that
encAP(t′)⊭constr(φ,t)⇒∀t′′∈Σ+.t′≤t′′→encAP(t′′)⊭constr(φ,t).
Proof
We proof this via contradiction. We choose t,t′ as well as φ arbitrarily, but in a way such that enc(t′)⊭constr(φ,t) holds.
Assume that there exists a continuation of t′, that we call t′′, for which enc(t′′)⊨constr(φ,t) holds.
So there has to exist a model assigning truth values to the variables in constr(φ,t), such that the constraint system is consistent.
From this model we extract all assigned truths values for positional variables for position ∣t′∣ to ∣t′′∣−1.
As t′ is a prefix of t′′, we can use these truth values to construct a valid model for enc(t′)⊨constr(φ,t), which is a contradiction.
Corollary 3
For any ∀2HyperLTL formula ∀π,π′.φ in negation normal form over atomic propositions AP and any finite set of finite traces T∈P(Σ+) and finite trace t′∈Σ+ it holds that
[TABLE]
Proof
It holds that
∀t,t′∈Σ+.t=t′→constr(φ,t)=constr(φ,t′).
Follows with same reasoning as in earlier proofs combined with 2.
5 Experimental Evaluation
We implemented two versions of the algorithm presented in this paper.
The first implementation encodes the constraint system as a Boolean satisfiability problem (SAT), whereas the second one represents it as a (reduced ordered) binary decision diagram (BDD).
The formula rewriting is implemented in a Maude [8] script.
The constraint system is solved by either CryptoMiniSat [23] or CUDD [22].
All benchmarks were executed on an Intel Core i5-6200U CPU @2.30GHz with 8GB of RAM. The set of benchmarks chosen for our evaluation is composed out of two benchmarks presented in earlier publications [12, 13] plus instances of guarded invariants at which our implementations excels.
Non-interference.
Non-interference [16, 19] is an important information flow policy demanding that an observer of a system cannot infer any high security input of a system by observing only low security input and output.
Reformulated we could also say that all low security outputs olow have to be equal on all system executions as long as the low security inputs ilow of those executions are the same:
∀π,π′.(o_lowπ↔o_lowπ′)W(i_lowπ↮i_lowπ′).
This class of benchmarks was used to evaluated RVHyper [13], an automata-based runtime verification tool for HyperLTL formulas.
We repeated the experiments and depict the results in Fig. 2.
We choose a trace length of 50 and monitored non-interference on 1000 randomly generated traces, where we distinguish between a 64 bit input (left) and an 128 bit input (right).
For 64 bit input, our BDD implementation performs comparably well to RVHyper, which statically constructs a monitor automaton.
For 128 bit input, RVHyper was not able to construct the automaton in reasonable time. Our implementation, however, shows promising results for this benchmark class that puts the automata-based construction to its limit.
Detecting Spurious Dependencies in Hardware Designs.
The problem whether input signals influence output signals in hardware designs, was considered in [13].
Formally, we specify this property as the following HyperLTL formula:
∀π_1∀π_2.(o_π_1↔o_π_2)W(i_π_1↮i_π_2),
where i denotes all inputs except i.
Intuitively, the formula asserts that for every two pairs of execution traces (π_1,π_2) the value of o has to be the same until there is a difference between π_1 and π_2 in the input vector i, i.e., the inputs on which o may depend.
We consider the same hardware and specifications as in [13]. The results are depicted in Table 1.
Again, the BDD implementation handles this set of benchmarks well.
The biggest difference can be seen between the runtimes for counter2.
This is explained by the fact that this benchmark demands the highest number of observed traces, and therefore the impact of the quadratic runtime costs in the number of traces dominates the result.
We can, in fact, clearly observe this correlation between the number of traces and the runtime on RVHyper’s performance over all benchmarks.
On the other hand our constraint-based implementations do not show this behavior.
Guarded Invariants.
We consider a new class of benchmarks, called guarded invariants, which express a certain invariant relation between two traces, which are, additionally, guarded by a precondition.
Fig. 3 shows the results of monitoring an arbitrary invariant P:Σ→B of the following form:
∀π,π′.\leavevmode\leavevmodeto8.7pt\vboxto8.7pt\pgfpicture\makeatletter\lower-1.76527ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt2.58333pt\pgfsys@lineto4.09026pt6.67358pt\pgfsys@lineto8.18053pt2.58333pt\pgfsys@lineto4.09026pt-1.50694pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture(∨_i∈Ii_π↮i_π′)→\leavevmode\leavevmodeto6.97pt\vboxto6.97pt\pgfpicture\makeatletter\lower-1.11945ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt-0.86111pt\pgfsys@lineto0.0pt5.5972pt\pgfsys@lineto6.45831pt5.5972pt\pgfsys@lineto6.45831pt-0.86111pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture(P(π)↔P(π′)). Our approach significantly outperforms RVHyper on this benchmark class, as the conjunct splitting optimization, described in Section 4.1, synergizes well with SAT-solver implementations.
Atomic Proposition Scalability.
While RVHyper is inherently limited in its scalability concerning formula size as the construction of the deterministic monitor automaton gets increasingly hard, the rewrite-based solution is not affected by this limitation.
To put it to the test we have ran the SAT-based implementation on guarded invariant formulas with up to 100 different atomic propositions.
Formulas have the form:
∀π,π′.(∧_i=1n_in(in_i,π↔in_i,π′))→\leavevmode\leavevmodeto6.97pt\vboxto6.97pt\pgfpicture\makeatletter\lower-1.11945ptto0.0pt\pgfsys@beginscope\pgfsys@invoke\definecolorpgfstrokecolorrgb0,0,0\pgfsys@color@rgb@stroke000\pgfsys@invoke\pgfsys@color@rgb@fill000\pgfsys@invoke\pgfsys@setlinewidth0.4pt\pgfsys@invoke\nullfontto0.0pt\pgfsys@beginscope\pgfsys@invoke\pgfsys@beginscope\pgfsys@invoke\pgfsys@setlinewidth0.51666pt\pgfsys@invoke\pgfsys@roundjoin\pgfsys@invoke\pgfsys@moveto0.0pt-0.86111pt\pgfsys@lineto0.0pt5.5972pt\pgfsys@lineto6.45831pt5.5972pt\pgfsys@lineto6.45831pt-0.86111pt\pgfsys@closepath\pgfsys@stroke\pgfsys@invoke\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\pgfsys@discardpath\pgfsys@invoke\lxSVG@closescope\pgfsys@endscope\hss\lxSVG@closescope\endpgfpicture(∨_j=1n_out(out_j,π↔out_j,π′)),
where n_in,n_out represents the number of input and output atomic propositions, respectively.
Results can be seen in Fig. 4.
Note that RVHyper already fails to build monitor automata for ∣n_in+n_out∣>10.
6 Conclusion
We pursued the success story of rewrite-based monitors for trace properties by applying the technique to the runtime verification problem of Hyperproperties. We presented an algorithm that, given a ∀2HyperLTL formula, incrementally constructs constraints that represent requirements on future traces, instead of storing traces during runtime.
Our evaluation shows that our approach scales in parameters where existing automata-based approaches reach their limits.
Acknowledgments.
We thank Bernd Finkbeiner for his valuable feedback on earlier versions of this paper.
Bibliography24
The reference list from the paper itself. Each links out to its DOI / PubMed record.
1[1] Agrawal, S., Bonakdarpour, B.: Runtime verification of k-safety hyperproperties in Hyper LTL. In: Proceedings of CSF. pp. 239–252. IEEE Computer Society (2016). https://doi.org/10.1109/CSF.2016.24
2[2] Bonakdarpour, B., Finkbeiner, B.: Runtime verification for Hyper LTL. In: Proceedings of RV. LNCS, vol. 10012, pp. 41–45. Springer (2016). https://doi.org/10.1007/978-3-319-46982-9_4
3[3] Bonakdarpour, B., Finkbeiner, B.: The complexity of monitoring hyperproperties. In: Proceedings of CSF. pp. 162–174. IEEE Computer Society (2018). https://doi.org/10.1109/CSF.2018.00019
4[4] Bonakdarpour, B., Sánchez, C., Schneider, G.: Monitoring hyperproperties by combining static analysis and runtime verification. In: Proceedings of ISOLA. LNCS, vol. 11245, pp. 8–27. Springer (2018). https://doi.org/10.1007/978-3-030-03421-4_2
5[5] Brett, N., Siddique, U., Bonakdarpour, B.: Rewriting-based runtime verification for alternation-free Hyper LTL. In: Proceedings of TACAS. LNCS, vol. 10206, pp. 77–93 (2017). https://doi.org/10.1007/978-3-662-54580-5_5
6[6] Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Proceedings of POST. LNCS, vol. 8414, pp. 265–284. Springer (2014). https://doi.org/10.1007/978-3-642-54792-8_15