Coinductive Proofs for Temporal Hyperliveness

TL;DR

This paper introduces HyCo, a coinductive framework in Coq for reasoning about complex temporal hyperproperties, especially hyperliveness, enabling more intuitive proofs for reactive systems.

Contribution

It presents a novel coinductive approach to approximate and verify hyperproperties with quantifier alternations, supported by a mechanized Coq implementation.

Findings

HyCo effectively models hyperproperties of the form ∀*∃*ψ.

The framework supports mechanized, sound proofs in Coq.

Application to reactive systems demonstrates practical utility.

Abstract

Temporal logics for hyperproperties have recently emerged as an expressive specification technique for relational properties of reactive systems. While the model checking problem for such logics has been widely studied, there is a scarcity of deductive proof systems for temporal hyperproperties. In particular, hyperproperties with an alternation of universal and existential quantification over system executions are rarely supported. In this paper, we focus on the difficult class of hyperproperties of the form $\forall^*\exists^*\psi$, where $\psi$ is a safety relation. We show that hyperproperties of this class -- which includes many hyperliveness properties of interest -- can always be approximated by coinductive relations. This enables intuitive proofs by coinduction. Based on this observation, we define HyCo (HYperproperties, COinductively), a mechanized framework to reason about temporal hyperproperties within the Coq proof assistant. We detail the construction of HyCo, provide a proof of its soundness, and exemplify its use by applying it to the verification of reactive systems modeled as imperative programs with nondeterminism and I/O.