Model Checking Algorithms for Hyperproperties

TL;DR

This paper surveys model checking algorithms for hyperproperties, focusing on temporal hyperlogics like HyperLTL, HyperQPTL, and HyperCTL*, and introduces a decidable logic MPL[E] that balances expressiveness and computational feasibility.

Contribution

It provides an overview of model checking techniques for hyperproperties and introduces MPL[E], a logic with decidable model checking that bridges existing hyperlogics.

Findings

Model checking for HyperLTL reduces to Büchi automata emptiness.

Extending HyperLTL with propositional quantification leads to HyperQPTL.

Model checking HyperQCTL* is undecidable, but MPL[E] offers a decidable alternative.

Abstract

Hyperproperties generalize trace properties by expressing relations between multiple computations. Hyperpropertes include policies from information-flow security, like observational determinism or non-interference, and many other system properties including promptness and knowledge. In this paper, we give an overview on the model checking problem for temporal hyperlogics. Our starting point is the model checking algorithm for HyperLTL, a reduction to B\"uchi automata emptiness. This basic construction can be extended with propositional quantification, resulting in an algorithm for HyperQPTL. It can also be extended with branching time, resulting in an algorithm for HyperCTL*. However, it is not possible to have both extensions at the same time: the model checking problem of HyperQCTL* is undecidable. An attractive compromise is offered by MPL[E], i.e., monadic path logic extended with the equal-level predicate. The expressiveness of MPL[E] falls strictly between that of HyperCTL* and HyperQCTL*. MPL[E] subsumes both HyperCTL* and HyperKCTL*, the extension of HyperCTL* with the knowledge operator. We show that the model checking problem for MPL[E] is still decidable.