Verifying Asynchronous Hyperproperties in Reactive Systems

TL;DR

This paper introduces a game-based model-checking approach for verifying asynchronous hyperproperties in reactive systems, enabling analysis of complex temporal trace relations previously hard to verify.

Contribution

It proposes a novel game-based method for verifying arbitrary $orall^*orall^*orall^*$ A-HLTL formulas, extending model-checking capabilities to asynchronous hyperproperties.

Findings

Game-based verification effectively handles arbitrary A-HLTL formulas.

The approach identifies fragments with finite-state decision procedures.

Enables verification of asynchronous hyperproperties in reactive systems.

Abstract

Hyperproperties are system properties that relate multiple execution traces and commonly occur when specifying information-flow and security policies. Logics like HyperLTL utilize explicit quantification over execution traces to express temporal hyperproperties in reactive systems, i.e., hyperproperties that reason about the temporal behavior along infinite executions. An often unwanted side-effect of such logics is that they compare the quantified traces synchronously. This prohibits the logics from expressing properties that compare multiple traces asynchronously, such as Zdancewic and Myers's observational determinism, McLean's non-inference, or stuttering refinement. We study the model-checking problem for a variant of asynchronous HyperLTL (A-HLTL), a temporal logic that can express hyperproperties where multiple traces are compared across timesteps. In addition to quantifying over system traces, A-HLTL features secondary quantification over stutterings of these traces. Consequently, A-HLTL allows for a succinct specification of many widely used asynchronous hyperproperties. Model-checking A-HLTL requires finding suitable stutterings, which, thus far, has been only possible for very restricted fragments or terminating systems. In this paper, we propose a novel game-based approach for the verification of arbitrary $\forall^*\exists^*$ A-HLTL formulas in reactive systems. In our method, we consider the verification as a game played between a verifier and a refuter, who challenge each other by controlling parts of the underlying traces and stutterings. A winning strategy for the verifier then corresponds to concrete witnesses for existentially quantified traces and asynchronous alignments for existentially quantified stutterings. We identify fragments for which our game-based interpretation is complete and thus constitutes a finite-state decision procedure.