A Temporal Logic for Strategic Hyperproperties

TL;DR

This paper introduces HyperATL*, a logic for specifying and model checking strategic hyperproperties in multi-agent systems, enabling verification of security policies involving strategic choices and asynchronous behaviors.

Contribution

It presents HyperATL*, the first logic to allow decidable model checking of strategic hyperproperties, with an automata-based algorithm and a prototype implementation.

Findings

HyperATL* can express strategic hyperproperties including information leakage avoidance.

The model checking algorithm is asymptotically optimal with a matching lower bound.

A prototype tool successfully verifies security properties on small programs.

Abstract

Hyperproperties are commonly used in computer security to define information-flow policies and other requirements that reason about the relationship between multiple computations. In this paper, we study a novel class of hyperproperties where the individual computation paths are chosen by the strategic choices of a coalition of agents in a multi-agent system. We introduce HyperATL*, an extension of computation tree logic with path variables and strategy quantifiers. HyperATL* can express strategic hyperproperties, such as that the scheduler in a concurrent system has a strategy to avoid information leakage. HyperATL* is particularly useful to specify asynchronous hyperproperties, i.e., hyperproperties where the speed of the execution on the different computation paths depends on the choices of the scheduler. Unlike other recent logics for the specification of asynchronous hyperproperties, our logic is the first to admit decidable model checking for the full logic. We present a model checking algorithm for HyperATL* based on alternating word automata and show that our algorithm is asymptotically optimal by providing a matching lower bound. We have implemented a prototype model checker for a fragment of HyperATL*, able to check various security properties on small programs.